170e3e987e99867d8b4115b4a2d9dea074acb56383744d469a28c5611adeba22 | Triage

Analysis

max time kernel
0s
max time network
134s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20221111-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20221111-enkernel:4.15.0-161-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
22/12/2022, 00:19

Sharing

Report Analysis Logs

General

Target

.rsync/a/tors/start.sh
Size

733B
MD5

91ba15e0dfef41311cdd45856f269e81
SHA1

94a04b5a70f06fda0f575b4d580ccec57f7ae911
SHA256

132a88ce5e5aab3c8512b58eff54fea2f95c8eb3443cc7aa946599db57b86d88
SHA512

ba8f38d67c230a319e5fd1b76275589ff595c1569774eb10d3353775d7b4faeecca193becd1ee87d533f79020c1f4a93fd2be8eb3fa1d01d9f89efd3aa2be387

Score

7^/10

Malware Config

Signatures

Write file to user bin folder 1 TTPs 1 IoCs

Hijack Execution Flow

description	ioc	Process
/usr/bin/which	/usr/bin/which	which

Reads runtime system information 30 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
/proc/filesystems	/proc/filesystems	mkdir
/proc/filesystems	/proc/filesystems	mkdir
/proc/filesystems	/proc/filesystems	mkdir
/proc/filesystems	/proc/filesystems	mkdir
/proc/filesystems	/proc/filesystems	mkdir
/proc/filesystems	/proc/filesystems	mkdir
/proc/filesystems	/proc/filesystems	mkdir
/proc/filesystems	/proc/filesystems	mkdir
/proc/filesystems	/proc/filesystems	mkdir
/proc/filesystems	/proc/filesystems	mkdir
/proc/filesystems	/proc/filesystems	mkdir
/proc/filesystems	/proc/filesystems	mkdir
/proc/filesystems	/proc/filesystems	mkdir
/proc/filesystems	/proc/filesystems	mkdir
/proc/filesystems	/proc/filesystems	mkdir
/proc/filesystems	/proc/filesystems	mkdir
/proc/filesystems	/proc/filesystems	mkdir
/proc/filesystems	/proc/filesystems	mkdir
/proc/filesystems	/proc/filesystems	mkdir
/proc/filesystems	/proc/filesystems	mkdir
/proc/filesystems	/proc/filesystems	mkdir
/proc/filesystems	/proc/filesystems	mkdir
/proc/filesystems	/proc/filesystems	mkdir
/proc/filesystems	/proc/filesystems	mkdir
/proc/filesystems	/proc/filesystems	mkdir
/proc/filesystems	/proc/filesystems	mkdir
/proc/filesystems	/proc/filesystems	mkdir
/proc/filesystems	/proc/filesystems	mkdir
/proc/filesystems	/proc/filesystems	mkdir
/proc/filesystems	/proc/filesystems	mkdir

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
/tmp/.rsync/a/tors/start.sh	/tmp/.rsync/a/tors/start.sh	start.sh

/tmp/.rsync/a/tors/start.sh
/tmp/.rsync/a/tors/start.sh
1⤵
- Writes file to tmp directory
PID:599
- /usr/bin/dirname
  /usr/bin/dirname /tmp/.rsync/a/tors/start.sh
  2⤵
  PID:602
- /bin/mkdir
  mkdir -p /tmp/.rsync/a/tors/libtor/
  2⤵
  - Reads runtime system information
  PID:604
- /bin/mkdir
  mkdir -p /tmp/.rsync/a/tors/libtor/tor1/
  2⤵
  - Reads runtime system information
  PID:605
- /bin/chmod
  chmod 0700 /tmp/.rsync/a/tors/libtor/tor1/
  2⤵
  PID:606
- /bin/mkdir
  mkdir -p etctor/tor/
  2⤵
  - Reads runtime system information
  PID:607
- ./bin/tor
  ./bin/tor -f etctor/tor/torrc1 --RunAsDaemon 1
  2⤵
  PID:608
- /bin/mkdir
  mkdir -p /tmp/.rsync/a/tors/libtor/
  2⤵
  - Reads runtime system information
  PID:609
- /bin/mkdir
  mkdir -p /tmp/.rsync/a/tors/libtor/tor2/
  2⤵
  - Reads runtime system information
  PID:610
- /bin/chmod
  chmod 0700 /tmp/.rsync/a/tors/libtor/tor2/
  2⤵
  PID:611
- /bin/mkdir
  mkdir -p etctor/tor/
  2⤵
  - Reads runtime system information
  PID:612
- ./bin/tor
  ./bin/tor -f etctor/tor/torrc2 --RunAsDaemon 1
  2⤵
  PID:613
- /bin/mkdir
  mkdir -p /tmp/.rsync/a/tors/libtor/
  2⤵
  - Reads runtime system information
  PID:614
- /bin/mkdir
  mkdir -p /tmp/.rsync/a/tors/libtor/tor3/
  2⤵
  - Reads runtime system information
  PID:615
- /bin/chmod
  chmod 0700 /tmp/.rsync/a/tors/libtor/tor3/
  2⤵
  PID:616
- /bin/mkdir
  mkdir -p etctor/tor/
  2⤵
  - Reads runtime system information
  PID:617
- ./bin/tor
  ./bin/tor -f etctor/tor/torrc3 --RunAsDaemon 1
  2⤵
  PID:618
- /bin/mkdir
  mkdir -p /tmp/.rsync/a/tors/libtor/
  2⤵
  - Reads runtime system information
  PID:619
- /bin/mkdir
  mkdir -p /tmp/.rsync/a/tors/libtor/tor4/
  2⤵
  - Reads runtime system information
  PID:620
- /bin/chmod
  chmod 0700 /tmp/.rsync/a/tors/libtor/tor4/
  2⤵
  PID:621
- /bin/mkdir
  mkdir -p etctor/tor/
  2⤵
  - Reads runtime system information
  PID:622
- ./bin/tor
  ./bin/tor -f etctor/tor/torrc4 --RunAsDaemon 1
  2⤵
  PID:623
- /bin/mkdir
  mkdir -p /tmp/.rsync/a/tors/libtor/
  2⤵
  - Reads runtime system information
  PID:624
- /bin/mkdir
  mkdir -p /tmp/.rsync/a/tors/libtor/tor5/
  2⤵
  - Reads runtime system information
  PID:625
- /bin/chmod
  chmod 0700 /tmp/.rsync/a/tors/libtor/tor5/
  2⤵
  PID:626
- /bin/mkdir
  mkdir -p etctor/tor/
  2⤵
  - Reads runtime system information
  PID:627
- ./bin/tor
  ./bin/tor -f etctor/tor/torrc5 --RunAsDaemon 1
  2⤵
  PID:628
- /bin/mkdir
  mkdir -p /tmp/.rsync/a/tors/libtor/
  2⤵
  - Reads runtime system information
  PID:629
- /bin/mkdir
  mkdir -p /tmp/.rsync/a/tors/libtor/tor6/
  2⤵
  - Reads runtime system information
  PID:634
- /bin/chmod
  chmod 0700 /tmp/.rsync/a/tors/libtor/tor6/
  2⤵
  PID:635
- /bin/mkdir
  mkdir -p etctor/tor/
  2⤵
  - Reads runtime system information
  PID:636
- ./bin/tor
  ./bin/tor -f etctor/tor/torrc6 --RunAsDaemon 1
  2⤵
  PID:637
- /bin/mkdir
  mkdir -p /tmp/.rsync/a/tors/libtor/
  2⤵
  - Reads runtime system information
  PID:638
- /bin/mkdir
  mkdir -p /tmp/.rsync/a/tors/libtor/tor7/
  2⤵
  - Reads runtime system information
  PID:639
- /bin/chmod
  chmod 0700 /tmp/.rsync/a/tors/libtor/tor7/
  2⤵
  PID:640
- /bin/mkdir
  mkdir -p etctor/tor/
  2⤵
  - Reads runtime system information
  PID:641
- ./bin/tor
  ./bin/tor -f etctor/tor/torrc7 --RunAsDaemon 1
  2⤵
  PID:642
- /bin/mkdir
  mkdir -p /tmp/.rsync/a/tors/libtor/
  2⤵
  - Reads runtime system information
  PID:643
- /bin/mkdir
  mkdir -p /tmp/.rsync/a/tors/libtor/tor8/
  2⤵
  - Reads runtime system information
  PID:644
- /bin/chmod
  chmod 0700 /tmp/.rsync/a/tors/libtor/tor8/
  2⤵
  PID:645
- /bin/mkdir
  mkdir -p etctor/tor/
  2⤵
  - Reads runtime system information
  PID:646
- ./bin/tor
  ./bin/tor -f etctor/tor/torrc8 --RunAsDaemon 1
  2⤵
  PID:647
- /bin/mkdir
  mkdir -p /tmp/.rsync/a/tors/libtor/
  2⤵
  - Reads runtime system information
  PID:648
- /bin/mkdir
  mkdir -p /tmp/.rsync/a/tors/libtor/tor9/
  2⤵
  - Reads runtime system information
  PID:649
- /bin/chmod
  chmod 0700 /tmp/.rsync/a/tors/libtor/tor9/
  2⤵
  PID:650
- /bin/mkdir
  mkdir -p etctor/tor/
  2⤵
  - Reads runtime system information
  PID:651
- ./bin/tor
  ./bin/tor -f etctor/tor/torrc9 --RunAsDaemon 1
  2⤵
  PID:652
- /bin/mkdir
  mkdir -p /tmp/.rsync/a/tors/libtor/
  2⤵
  - Reads runtime system information
  PID:653
- /bin/mkdir
  mkdir -p /tmp/.rsync/a/tors/libtor/tor10/
  2⤵
  - Reads runtime system information
  PID:654
- /bin/chmod
  chmod 0700 /tmp/.rsync/a/tors/libtor/tor10/
  2⤵
  PID:655
- /bin/mkdir
  mkdir -p etctor/tor/
  2⤵
  - Reads runtime system information
  PID:656
- ./bin/tor
  ./bin/tor -f etctor/tor/torrc10 --RunAsDaemon 1
  2⤵
  PID:657

/usr/bin/which
which dirname
1⤵
- Write file to user bin folder
PID:601

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hijack Execution Flow

Privilege Escalation

Hijack Execution Flow

Defense Evasion

Hijack Execution Flow

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads