911679b36ecb8019ad2788e030a877638c98dae6cc0c3f2f97954e0ae32ef96d | Triage

Analysis

max time kernel
0s
max time network
133s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20221111-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20221111-enkernel:4.15.0-161-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
06/12/2022, 22:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

911679b36ecb8019ad2788e030a877638c98dae6cc0c3f2f97954e0ae32ef96d
Size

511B
MD5

dda07a9d2590f798266d983b9cc7d3c4
SHA1

6114c1515462d2abe091dc3e3465a77be2a77739
SHA256

911679b36ecb8019ad2788e030a877638c98dae6cc0c3f2f97954e0ae32ef96d
SHA512

0fa3de1b8a8b683121c7d6aab1822e957a82e0ba232952e28ac401d3a9e0e1d0328745e2b969352a3ffaf19f4251d0a5d26a3b63c5eb5728b1aecb3945879a70

Score

5^/10

Malware Config

Signatures

Reads runtime system information 4 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
/proc/filesystems	/proc/filesystems	ls
/proc/filesystems	/proc/filesystems	ls
/proc/filesystems	/proc/filesystems	ls
/proc/filesystems	/proc/filesystems	ls

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
/tmp/911679b36ecb8019ad2788e030a877638c98dae6cc0c3f2f97954e0ae32ef96d	/tmp/911679b36ecb8019ad2788e030a877638c98dae6cc0c3f2f97954e0ae32ef96d	911679b36ecb8019ad2788e030a877638c98dae6cc0c3f2f97954e0ae32ef96d

/tmp/911679b36ecb8019ad2788e030a877638c98dae6cc0c3f2f97954e0ae32ef96d
/tmp/911679b36ecb8019ad2788e030a877638c98dae6cc0c3f2f97954e0ae32ef96d
1⤵
- Writes file to tmp directory
PID:590

/bin/ls
ls -1 911679b36ecb8019ad2788e030a877638c98dae6cc0c3f2f97954e0ae32ef96d
1⤵
- Reads runtime system information
PID:593

/bin/grep
grep -v vpasswd
1⤵
PID:594

/home/vpopmail/bin/vuserinfo
/home/vpopmail/bin/vuserinfo "911679b36ecb8019ad2788e030a877638c98dae6cc0c3f2f97954e0ae32ef96d@911679b36ecb8019ad2788e030a877638c98dae6cc0c3f2f97954e0ae32ef96d"
1⤵
PID:596

/bin/grep
grep "clear passwd"
1⤵
PID:597

/usr/bin/awk
awk "{ print \$3 }"
1⤵
PID:598

/bin/ls
ls -1 netplan_c8_s_w74
1⤵
- Reads runtime system information
PID:600

/bin/grep
grep -v vpasswd
1⤵
PID:601

/bin/ls
ls -1 systemd-private-b2cecdeac35b449985c3b5bd711ee7ac-systemd-resolved.service-P9Ayi0
1⤵
- Reads runtime system information
PID:603

/bin/grep
grep -v vpasswd
1⤵
PID:604

/home/vpopmail/bin/vuserinfo
/home/vpopmail/bin/vuserinfo "tmp@systemd-private-b2cecdeac35b449985c3b5bd711ee7ac-systemd-resolved.service-P9Ayi0"
1⤵
PID:606

/bin/grep
grep "clear passwd"
1⤵
PID:611

/usr/bin/awk
awk "{ print \$3 }"
1⤵
PID:612

/bin/ls
ls -1 systemd-private-b2cecdeac35b449985c3b5bd711ee7ac-systemd-timesyncd.service-wYt5Yz
1⤵
- Reads runtime system information
PID:614

/bin/grep
grep -v vpasswd
1⤵
PID:615

/home/vpopmail/bin/vuserinfo
/home/vpopmail/bin/vuserinfo "tmp@systemd-private-b2cecdeac35b449985c3b5bd711ee7ac-systemd-timesyncd.service-wYt5Yz"
1⤵
PID:617

/bin/grep
grep "clear passwd"
1⤵
PID:618

/usr/bin/awk
awk "{ print \$3 }"
1⤵
PID:619

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads