4be5eb2191071fdf496ff4df7a570d03dc9114190df1614c0a18465a48a8079d

Analysis

max time kernel
4802s
max time network
101s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20221111-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20221111-enkernel:4.15.0-161-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
06/01/2023, 07:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

.rsync/c/go
Size

398B
MD5

1553384ee57751af771a9389b7393b93
SHA1

e33a67fde9cf13c077da652fbdec07957fff2372
SHA256

98dffdabf9caf512c8c9090e8c9b77a04d6ce31bbd13afe4f09668a4f2eacc2f
SHA512

d406796ebae8bf724f7c18371ba6d86ef491ad0745dd64d0eaaffee9daca3954d9429c8c4e87c404338b839b47a30a6791ef25663239e4a5f0ea5113fa9b6b49

Score

5^/10

Malware Config

Signatures

Writes file to tmp directory 11 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
/tmp/.rsync/c/go	/tmp/.rsync/c/go	go
/tmp/	/tmp/	go
/tmp/t*	/tmp/t*	rm
/tmp/t*	/tmp/t*	rm
/tmp/t*	/tmp/t*	rm
/tmp/t*	/tmp/t*	rm
/tmp/t*	/tmp/t*	rm
/tmp/t*	/tmp/t*	rm
/tmp/t*	/tmp/t*	rm
/tmp/t*	/tmp/t*	rm
/tmp/t*	/tmp/t*	rm

/tmp/.rsync/c/go
/tmp/.rsync/c/go
1⤵
- Writes file to tmp directory
PID:582
- /bin/uname
  uname -m
  2⤵
  PID:584
- /usr/bin/touch
  touch v
  2⤵
  PID:585
- /bin/rm
  rm -rf p
  2⤵
  PID:586
- /bin/rm
  rm -rf ip
  2⤵
  PID:587
- /bin/rm
  rm -rf "xtr*"
  2⤵
  PID:588
- /bin/rm
  rm -rf a "a.*"
  2⤵
  PID:589
- /bin/rm
  rm -rf b "b.*"
  2⤵
  PID:590
- /bin/sleep
  sleep 24s
  2⤵
  PID:591
- /usr/bin/timeout
  timeout 24h ./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip
  2⤵
  PID:712
- - ./tsm
    ./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip
    3⤵
    PID:713
- /bin/sleep
  sleep 3
  2⤵
  PID:714
- /bin/rm
  rm -rf "xtr*"
  2⤵
  PID:715
- /bin/rm
  rm -rf ip
  2⤵
  PID:716
- /bin/rm
  rm -rf p
  2⤵
  PID:717
- /bin/rm
  rm -rf .out
  2⤵
  PID:718
- /bin/rm
  rm -rf "/tmp/t*"
  2⤵
  - Writes file to tmp directory
  PID:719
- /usr/bin/touch
  touch v
  2⤵
  PID:720
- /bin/rm
  rm -rf p
  2⤵
  PID:721
- /bin/rm
  rm -rf ip
  2⤵
  PID:722
- /bin/rm
  rm -rf "xtr*"
  2⤵
  PID:723
- /bin/rm
  rm -rf a "a.*"
  2⤵
  PID:724
- /bin/rm
  rm -rf b "b.*"
  2⤵
  PID:725
- /bin/sleep
  sleep 11s
  2⤵
  PID:726
- /usr/bin/timeout
  timeout 24h ./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip
  2⤵
  PID:727
- - ./tsm
    ./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip
    3⤵
    PID:728
- /bin/sleep
  sleep 3
  2⤵
  PID:729
- /bin/rm
  rm -rf "xtr*"
  2⤵
  PID:730
- /bin/rm
  rm -rf ip
  2⤵
  PID:731
- /bin/rm
  rm -rf p
  2⤵
  PID:732
- /bin/rm
  rm -rf .out
  2⤵
  PID:733
- /bin/rm
  rm -rf "/tmp/t*"
  2⤵
  - Writes file to tmp directory
  PID:734
- /usr/bin/touch
  touch v
  2⤵
  PID:735
- /bin/rm
  rm -rf p
  2⤵
  PID:736
- /bin/rm
  rm -rf ip
  2⤵
  PID:737
- /bin/rm
  rm -rf "xtr*"
  2⤵
  PID:738
- /bin/rm
  rm -rf a "a.*"
  2⤵
  PID:739
- /bin/rm
  rm -rf b "b.*"
  2⤵
  PID:740
- /bin/sleep
  sleep 4s
  2⤵
  PID:741
- /usr/bin/timeout
  timeout 24h ./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip
  2⤵
  PID:742
- - ./tsm
    ./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip
    3⤵
    PID:743
- /bin/sleep
  sleep 3
  2⤵
  PID:744
- /bin/rm
  rm -rf "xtr*"
  2⤵
  PID:745
- /bin/rm
  rm -rf ip
  2⤵
  PID:746
- /bin/rm
  rm -rf p
  2⤵
  PID:747
- /bin/rm
  rm -rf .out
  2⤵
  PID:748
- /bin/rm
  rm -rf "/tmp/t*"
  2⤵
  - Writes file to tmp directory
  PID:749
- /usr/bin/touch
  touch v
  2⤵
  PID:750
- /bin/rm
  rm -rf p
  2⤵
  PID:751
- /bin/rm
  rm -rf ip
  2⤵
  PID:752
- /bin/rm
  rm -rf "xtr*"
  2⤵
  PID:753
- /bin/rm
  rm -rf a "a.*"
  2⤵
  PID:754
- /bin/rm
  rm -rf b "b.*"
  2⤵
  PID:755
- /bin/sleep
  sleep 2s
  2⤵
  PID:756
- /usr/bin/timeout
  timeout 24h ./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip
  2⤵
  PID:757
- - ./tsm
    ./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip
    3⤵
    PID:758
- /bin/sleep
  sleep 3
  2⤵
  PID:759
- /bin/rm
  rm -rf "xtr*"
  2⤵
  PID:760
- /bin/rm
  rm -rf ip
  2⤵
  PID:761
- /bin/rm
  rm -rf p
  2⤵
  PID:762
- /bin/rm
  rm -rf .out
  2⤵
  PID:763
- /bin/rm
  rm -rf "/tmp/t*"
  2⤵
  - Writes file to tmp directory
  PID:764
- /usr/bin/touch
  touch v
  2⤵
  PID:765
- /bin/rm
  rm -rf p
  2⤵
  PID:766
- /bin/rm
  rm -rf ip
  2⤵
  PID:767
- /bin/rm
  rm -rf "xtr*"
  2⤵
  PID:768
- /bin/rm
  rm -rf a "a.*"
  2⤵
  PID:769
- /bin/rm
  rm -rf b "b.*"
  2⤵
  PID:770
- /bin/sleep
  sleep 27s
  2⤵
  PID:771
- /usr/bin/timeout
  timeout 24h ./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip
  2⤵
  PID:775
- - ./tsm
    ./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip
    3⤵
    PID:776
- /bin/sleep
  sleep 3
  2⤵
  PID:777
- /bin/rm
  rm -rf "xtr*"
  2⤵
  PID:778
- /bin/rm
  rm -rf ip
  2⤵
  PID:779
- /bin/rm
  rm -rf p
  2⤵
  PID:780
- /bin/rm
  rm -rf .out
  2⤵
  PID:781
- /bin/rm
  rm -rf "/tmp/t*"
  2⤵
  - Writes file to tmp directory
  PID:782
- /usr/bin/touch
  touch v
  2⤵
  PID:783
- /bin/rm
  rm -rf p
  2⤵
  PID:784
- /bin/rm
  rm -rf ip
  2⤵
  PID:785
- /bin/rm
  rm -rf "xtr*"
  2⤵
  PID:786
- /bin/rm
  rm -rf a "a.*"
  2⤵
  PID:787
- /bin/rm
  rm -rf b "b.*"
  2⤵
  PID:788
- /bin/sleep
  sleep 10s
  2⤵
  PID:789
- /usr/bin/timeout
  timeout 24h ./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip
  2⤵
  PID:790
- - ./tsm
    ./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip
    3⤵
    PID:791
- /bin/sleep
  sleep 3
  2⤵
  PID:792
- /bin/rm
  rm -rf "xtr*"
  2⤵
  PID:793
- /bin/rm
  rm -rf ip
  2⤵
  PID:794
- /bin/rm
  rm -rf p
  2⤵
  PID:795
- /bin/rm
  rm -rf .out
  2⤵
  PID:796
- /bin/rm
  rm -rf "/tmp/t*"
  2⤵
  - Writes file to tmp directory
  PID:797
- /usr/bin/touch
  touch v
  2⤵
  PID:798
- /bin/rm
  rm -rf p
  2⤵
  PID:799
- /bin/rm
  rm -rf ip
  2⤵
  PID:800
- /bin/rm
  rm -rf "xtr*"
  2⤵
  PID:801
- /bin/rm
  rm -rf a "a.*"
  2⤵
  PID:802
- /bin/rm
  rm -rf b "b.*"
  2⤵
  PID:803
- /bin/sleep
  sleep 2s
  2⤵
  PID:804
- /usr/bin/timeout
  timeout 24h ./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip
  2⤵
  PID:805
- - ./tsm
    ./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip
    3⤵
    PID:806
- /bin/sleep
  sleep 3
  2⤵
  PID:807
- /bin/rm
  rm -rf "xtr*"
  2⤵
  PID:808
- /bin/rm
  rm -rf ip
  2⤵
  PID:809
- /bin/rm
  rm -rf p
  2⤵
  PID:810
- /bin/rm
  rm -rf .out
  2⤵
  PID:811
- /bin/rm
  rm -rf "/tmp/t*"
  2⤵
  - Writes file to tmp directory
  PID:812
- /usr/bin/touch
  touch v
  2⤵
  PID:813
- /bin/rm
  rm -rf p
  2⤵
  PID:814
- /bin/rm
  rm -rf ip
  2⤵
  PID:815
- /bin/rm
  rm -rf "xtr*"
  2⤵
  PID:816
- /bin/rm
  rm -rf a "a.*"
  2⤵
  PID:817
- /bin/rm
  rm -rf b "b.*"
  2⤵
  PID:818
- /bin/sleep
  sleep 18s
  2⤵
  PID:819
- /usr/bin/timeout
  timeout 24h ./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip
  2⤵
  PID:820
- - ./tsm
    ./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip
    3⤵
    PID:821
- /bin/sleep
  sleep 3
  2⤵
  PID:822
- /bin/rm
  rm -rf "xtr*"
  2⤵
  PID:823
- /bin/rm
  rm -rf ip
  2⤵
  PID:824
- /bin/rm
  rm -rf p
  2⤵
  PID:825
- /bin/rm
  rm -rf .out
  2⤵
  PID:826
- /bin/rm
  rm -rf "/tmp/t*"
  2⤵
  - Writes file to tmp directory
  PID:827
- /usr/bin/touch
  touch v
  2⤵
  PID:828
- /bin/rm
  rm -rf p
  2⤵
  PID:829
- /bin/rm
  rm -rf ip
  2⤵
  PID:830
- /bin/rm
  rm -rf "xtr*"
  2⤵
  PID:831
- /bin/rm
  rm -rf a "a.*"
  2⤵
  PID:832
- /bin/rm
  rm -rf b "b.*"
  2⤵
  PID:833
- /bin/sleep
  sleep 1s
  2⤵
  PID:834
- /usr/bin/timeout
  timeout 24h ./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip
  2⤵
  PID:835
- - ./tsm
    ./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip
    3⤵
    PID:836
- /bin/sleep
  sleep 3
  2⤵
  PID:837
- /bin/rm
  rm -rf "xtr*"
  2⤵
  PID:838
- /bin/rm
  rm -rf ip
  2⤵
  PID:839
- /bin/rm
  rm -rf p
  2⤵
  PID:840
- /bin/rm
  rm -rf .out
  2⤵
  PID:841
- /bin/rm
  rm -rf "/tmp/t*"
  2⤵
  - Writes file to tmp directory
  PID:842
- /usr/bin/touch
  touch v
  2⤵
  PID:843
- /bin/rm
  rm -rf p
  2⤵
  PID:844
- /bin/rm
  rm -rf ip
  2⤵
  PID:845
- /bin/rm
  rm -rf "xtr*"
  2⤵
  PID:846
- /bin/rm
  rm -rf a "a.*"
  2⤵
  PID:847
- /bin/rm
  rm -rf b "b.*"
  2⤵
  PID:848

Windows 7 deprecation

Loading Replay Monitor...

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads