Overview

overview

9

Static

static

.rsync/c/go

ubuntu-18.04-amd64

5

.rsync/c/go

debian-9-armhf

5

.rsync/c/go

debian-9-mips

5

.rsync/c/go

debian-9-mipsel

5

.rsync/c/l...c.so.6

ubuntu-18.04-amd64

.rsync/c/l...l.so.2

ubuntu-18.04-amd64

1

.rsync/c/l...s.so.2

ubuntu-18.04-amd64

1

.rsync/c/l...s.so.2

ubuntu-18.04-amd64

1

.rsync/c/l...d.so.0

ubuntu-18.04-amd64

.rsync/c/l....23.so

ubuntu-18.04-amd64

1

.rsync/c/l...v.so.2

ubuntu-18.04-amd64

1

.rsync/c/lib/32/tsm

ubuntu-18.04-amd64

1

.rsync/c/l...c.so.6

ubuntu-18.04-amd64

1

.rsync/c/l...l.so.2

ubuntu-18.04-amd64

1

.rsync/c/l...s.so.2

ubuntu-18.04-amd64

1

.rsync/c/l...s.so.2

ubuntu-18.04-amd64

1

.rsync/c/l...d.so.0

ubuntu-18.04-amd64

1

.rsync/c/l....23.so

ubuntu-18.04-amd64

1

.rsync/c/l...v.so.2

ubuntu-18.04-amd64

1

.rsync/c/lib/64/tsm

ubuntu-18.04-amd64

1

.rsync/c/run

ubuntu-18.04-amd64

9

.rsync/c/run

debian-9-armhf

9

.rsync/c/run

debian-9-mips

9

.rsync/c/run

debian-9-mipsel

9

.rsync/c/slow

ubuntu-18.04-amd64

5

.rsync/c/slow

debian-9-armhf

5

.rsync/c/slow

debian-9-mips

5

.rsync/c/slow

debian-9-mipsel

5

.rsync/c/tsm

ubuntu-18.04-amd64

5

.rsync/c/tsm

debian-9-armhf

5

.rsync/c/tsm

debian-9-mips

5

.rsync/c/tsm

debian-9-mipsel

5

Analysis

  • max time kernel
    4804s
  • max time network
    134s
  • platform
    ubuntu-18.04_amd64
  • resource
    ubuntu1804-amd64-20221111-en
  • resource tags

    arch:amd64arch:i386image:ubuntu1804-amd64-20221111-enkernel:4.15.0-161-genericlocale:en-usos:ubuntu-18.04-amd64system
  • submitted
    06-01-2023 07:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    .rsync/c/go

  • Size

    398B

  • MD5

    1553384ee57751af771a9389b7393b93

  • SHA1

    e33a67fde9cf13c077da652fbdec07957fff2372

  • SHA256

    98dffdabf9caf512c8c9090e8c9b77a04d6ce31bbd13afe4f09668a4f2eacc2f

  • SHA512

    d406796ebae8bf724f7c18371ba6d86ef491ad0745dd64d0eaaffee9daca3954d9429c8c4e87c404338b839b47a30a6791ef25663239e4a5f0ea5113fa9b6b49

Score
5/10

Malware Config

Signatures

  • Writes file to tmp directory 10 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/.rsync/c/go
    /tmp/.rsync/c/go
    1⤵
    • Writes file to tmp directory
    PID:603
    • /bin/uname
      uname -m
      2⤵
        PID:605
      • /usr/bin/touch
        touch v
        2⤵
          PID:606
        • /bin/rm
          rm -rf p
          2⤵
            PID:607
          • /bin/rm
            rm -rf ip
            2⤵
              PID:608
            • /bin/rm
              rm -rf "xtr*"
              2⤵
                PID:609
              • /bin/rm
                rm -rf a "a.*"
                2⤵
                  PID:610
                • /bin/rm
                  rm -rf b "b.*"
                  2⤵
                    PID:611
                  • /bin/sleep
                    sleep 14s
                    2⤵
                      PID:612
                    • /usr/bin/timeout
                      timeout 24h ./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip
                      2⤵
                        PID:618
                        • ./tsm
                          ./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip
                          3⤵
                            PID:619
                        • /bin/sleep
                          sleep 3
                          2⤵
                            PID:620
                          • /bin/rm
                            rm -rf "xtr*"
                            2⤵
                              PID:621
                            • /bin/rm
                              rm -rf ip
                              2⤵
                                PID:622
                              • /bin/rm
                                rm -rf p
                                2⤵
                                  PID:623
                                • /bin/rm
                                  rm -rf .out
                                  2⤵
                                    PID:624
                                  • /bin/rm
                                    rm -rf "/tmp/t*"
                                    2⤵
                                    • Writes file to tmp directory
                                    PID:625
                                  • /usr/bin/touch
                                    touch v
                                    2⤵
                                      PID:626
                                    • /bin/rm
                                      rm -rf p
                                      2⤵
                                        PID:627
                                      • /bin/rm
                                        rm -rf ip
                                        2⤵
                                          PID:628
                                        • /bin/rm
                                          rm -rf "xtr*"
                                          2⤵
                                            PID:629
                                          • /bin/rm
                                            rm -rf a "a.*"
                                            2⤵
                                              PID:630
                                            • /bin/rm
                                              rm -rf b "b.*"
                                              2⤵
                                                PID:631
                                              • /bin/sleep
                                                sleep 18s
                                                2⤵
                                                  PID:632
                                                • /usr/bin/timeout
                                                  timeout 24h ./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip
                                                  2⤵
                                                    PID:633
                                                    • ./tsm
                                                      ./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip
                                                      3⤵
                                                        PID:634
                                                    • /bin/sleep
                                                      sleep 3
                                                      2⤵
                                                        PID:635
                                                      • /bin/rm
                                                        rm -rf "xtr*"
                                                        2⤵
                                                          PID:636
                                                        • /bin/rm
                                                          rm -rf ip
                                                          2⤵
                                                            PID:637
                                                          • /bin/rm
                                                            rm -rf p
                                                            2⤵
                                                              PID:638
                                                            • /bin/rm
                                                              rm -rf .out
                                                              2⤵
                                                                PID:639
                                                              • /bin/rm
                                                                rm -rf "/tmp/t*"
                                                                2⤵
                                                                • Writes file to tmp directory
                                                                PID:640
                                                              • /usr/bin/touch
                                                                touch v
                                                                2⤵
                                                                  PID:641
                                                                • /bin/rm
                                                                  rm -rf p
                                                                  2⤵
                                                                    PID:642
                                                                  • /bin/rm
                                                                    rm -rf ip
                                                                    2⤵
                                                                      PID:643
                                                                    • /bin/rm
                                                                      rm -rf "xtr*"
                                                                      2⤵
                                                                        PID:644
                                                                      • /bin/rm
                                                                        rm -rf a "a.*"
                                                                        2⤵
                                                                          PID:645
                                                                        • /bin/rm
                                                                          rm -rf b "b.*"
                                                                          2⤵
                                                                            PID:646
                                                                          • /bin/sleep
                                                                            sleep 3s
                                                                            2⤵
                                                                              PID:647
                                                                            • /usr/bin/timeout
                                                                              timeout 24h ./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip
                                                                              2⤵
                                                                                PID:648
                                                                                • ./tsm
                                                                                  ./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip
                                                                                  3⤵
                                                                                    PID:649
                                                                                • /bin/sleep
                                                                                  sleep 3
                                                                                  2⤵
                                                                                    PID:650
                                                                                  • /bin/rm
                                                                                    rm -rf "xtr*"
                                                                                    2⤵
                                                                                      PID:651
                                                                                    • /bin/rm
                                                                                      rm -rf ip
                                                                                      2⤵
                                                                                        PID:652
                                                                                      • /bin/rm
                                                                                        rm -rf p
                                                                                        2⤵
                                                                                          PID:653
                                                                                        • /bin/rm
                                                                                          rm -rf .out
                                                                                          2⤵
                                                                                            PID:654
                                                                                          • /bin/rm
                                                                                            rm -rf "/tmp/t*"
                                                                                            2⤵
                                                                                            • Writes file to tmp directory
                                                                                            PID:655
                                                                                          • /usr/bin/touch
                                                                                            touch v
                                                                                            2⤵
                                                                                              PID:656
                                                                                            • /bin/rm
                                                                                              rm -rf p
                                                                                              2⤵
                                                                                                PID:657
                                                                                              • /bin/rm
                                                                                                rm -rf ip
                                                                                                2⤵
                                                                                                  PID:658
                                                                                                • /bin/rm
                                                                                                  rm -rf "xtr*"
                                                                                                  2⤵
                                                                                                    PID:659
                                                                                                  • /bin/rm
                                                                                                    rm -rf a "a.*"
                                                                                                    2⤵
                                                                                                      PID:660
                                                                                                    • /bin/rm
                                                                                                      rm -rf b "b.*"
                                                                                                      2⤵
                                                                                                        PID:661
                                                                                                      • /bin/sleep
                                                                                                        sleep 15s
                                                                                                        2⤵
                                                                                                          PID:662
                                                                                                        • /usr/bin/timeout
                                                                                                          timeout 24h ./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip
                                                                                                          2⤵
                                                                                                            PID:663
                                                                                                            • ./tsm
                                                                                                              ./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip
                                                                                                              3⤵
                                                                                                                PID:664
                                                                                                            • /bin/sleep
                                                                                                              sleep 3
                                                                                                              2⤵
                                                                                                                PID:665
                                                                                                              • /bin/rm
                                                                                                                rm -rf "xtr*"
                                                                                                                2⤵
                                                                                                                  PID:666
                                                                                                                • /bin/rm
                                                                                                                  rm -rf ip
                                                                                                                  2⤵
                                                                                                                    PID:667
                                                                                                                  • /bin/rm
                                                                                                                    rm -rf p
                                                                                                                    2⤵
                                                                                                                      PID:668
                                                                                                                    • /bin/rm
                                                                                                                      rm -rf .out
                                                                                                                      2⤵
                                                                                                                        PID:669
                                                                                                                      • /bin/rm
                                                                                                                        rm -rf "/tmp/t*"
                                                                                                                        2⤵
                                                                                                                        • Writes file to tmp directory
                                                                                                                        PID:670
                                                                                                                      • /usr/bin/touch
                                                                                                                        touch v
                                                                                                                        2⤵
                                                                                                                          PID:671
                                                                                                                        • /bin/rm
                                                                                                                          rm -rf p
                                                                                                                          2⤵
                                                                                                                            PID:672
                                                                                                                          • /bin/rm
                                                                                                                            rm -rf ip
                                                                                                                            2⤵
                                                                                                                              PID:673
                                                                                                                            • /bin/rm
                                                                                                                              rm -rf "xtr*"
                                                                                                                              2⤵
                                                                                                                                PID:674
                                                                                                                              • /bin/rm
                                                                                                                                rm -rf a "a.*"
                                                                                                                                2⤵
                                                                                                                                  PID:675
                                                                                                                                • /bin/rm
                                                                                                                                  rm -rf b "b.*"
                                                                                                                                  2⤵
                                                                                                                                    PID:676
                                                                                                                                  • /bin/sleep
                                                                                                                                    sleep 14s
                                                                                                                                    2⤵
                                                                                                                                      PID:677
                                                                                                                                    • /usr/bin/timeout
                                                                                                                                      timeout 24h ./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip
                                                                                                                                      2⤵
                                                                                                                                        PID:678
                                                                                                                                        • ./tsm
                                                                                                                                          ./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip
                                                                                                                                          3⤵
                                                                                                                                            PID:679
                                                                                                                                        • /bin/sleep
                                                                                                                                          sleep 3
                                                                                                                                          2⤵
                                                                                                                                            PID:680
                                                                                                                                          • /bin/rm
                                                                                                                                            rm -rf "xtr*"
                                                                                                                                            2⤵
                                                                                                                                              PID:681
                                                                                                                                            • /bin/rm
                                                                                                                                              rm -rf ip
                                                                                                                                              2⤵
                                                                                                                                                PID:682
                                                                                                                                              • /bin/rm
                                                                                                                                                rm -rf p
                                                                                                                                                2⤵
                                                                                                                                                  PID:683
                                                                                                                                                • /bin/rm
                                                                                                                                                  rm -rf .out
                                                                                                                                                  2⤵
                                                                                                                                                    PID:684
                                                                                                                                                  • /bin/rm
                                                                                                                                                    rm -rf "/tmp/t*"
                                                                                                                                                    2⤵
                                                                                                                                                    • Writes file to tmp directory
                                                                                                                                                    PID:685
                                                                                                                                                  • /usr/bin/touch
                                                                                                                                                    touch v
                                                                                                                                                    2⤵
                                                                                                                                                      PID:686
                                                                                                                                                    • /bin/rm
                                                                                                                                                      rm -rf p
                                                                                                                                                      2⤵
                                                                                                                                                        PID:687
                                                                                                                                                      • /bin/rm
                                                                                                                                                        rm -rf ip
                                                                                                                                                        2⤵
                                                                                                                                                          PID:688
                                                                                                                                                        • /bin/rm
                                                                                                                                                          rm -rf "xtr*"
                                                                                                                                                          2⤵
                                                                                                                                                            PID:689
                                                                                                                                                          • /bin/rm
                                                                                                                                                            rm -rf a "a.*"
                                                                                                                                                            2⤵
                                                                                                                                                              PID:690
                                                                                                                                                            • /bin/rm
                                                                                                                                                              rm -rf b "b.*"
                                                                                                                                                              2⤵
                                                                                                                                                                PID:691
                                                                                                                                                              • /bin/sleep
                                                                                                                                                                sleep 26s
                                                                                                                                                                2⤵
                                                                                                                                                                  PID:692
                                                                                                                                                                • /usr/bin/timeout
                                                                                                                                                                  timeout 24h ./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip
                                                                                                                                                                  2⤵
                                                                                                                                                                    PID:808
                                                                                                                                                                    • ./tsm
                                                                                                                                                                      ./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip
                                                                                                                                                                      3⤵
                                                                                                                                                                        PID:809
                                                                                                                                                                    • /bin/sleep
                                                                                                                                                                      sleep 3
                                                                                                                                                                      2⤵
                                                                                                                                                                        PID:810
                                                                                                                                                                      • /bin/rm
                                                                                                                                                                        rm -rf "xtr*"
                                                                                                                                                                        2⤵
                                                                                                                                                                          PID:811
                                                                                                                                                                        • /bin/rm
                                                                                                                                                                          rm -rf ip
                                                                                                                                                                          2⤵
                                                                                                                                                                            PID:812
                                                                                                                                                                          • /bin/rm
                                                                                                                                                                            rm -rf p
                                                                                                                                                                            2⤵
                                                                                                                                                                              PID:813
                                                                                                                                                                            • /bin/rm
                                                                                                                                                                              rm -rf .out
                                                                                                                                                                              2⤵
                                                                                                                                                                                PID:814
                                                                                                                                                                              • /bin/rm
                                                                                                                                                                                rm -rf "/tmp/t*"
                                                                                                                                                                                2⤵
                                                                                                                                                                                • Writes file to tmp directory
                                                                                                                                                                                PID:815
                                                                                                                                                                              • /usr/bin/touch
                                                                                                                                                                                touch v
                                                                                                                                                                                2⤵
                                                                                                                                                                                  PID:816
                                                                                                                                                                                • /bin/rm
                                                                                                                                                                                  rm -rf p
                                                                                                                                                                                  2⤵
                                                                                                                                                                                    PID:817
                                                                                                                                                                                  • /bin/rm
                                                                                                                                                                                    rm -rf ip
                                                                                                                                                                                    2⤵
                                                                                                                                                                                      PID:818
                                                                                                                                                                                    • /bin/rm
                                                                                                                                                                                      rm -rf "xtr*"
                                                                                                                                                                                      2⤵
                                                                                                                                                                                        PID:819
                                                                                                                                                                                      • /bin/rm
                                                                                                                                                                                        rm -rf a "a.*"
                                                                                                                                                                                        2⤵
                                                                                                                                                                                          PID:820
                                                                                                                                                                                        • /bin/rm
                                                                                                                                                                                          rm -rf b "b.*"
                                                                                                                                                                                          2⤵
                                                                                                                                                                                            PID:821
                                                                                                                                                                                          • /bin/sleep
                                                                                                                                                                                            sleep 7s
                                                                                                                                                                                            2⤵
                                                                                                                                                                                              PID:822
                                                                                                                                                                                            • /usr/bin/timeout
                                                                                                                                                                                              timeout 24h ./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip
                                                                                                                                                                                              2⤵
                                                                                                                                                                                                PID:823
                                                                                                                                                                                                • ./tsm
                                                                                                                                                                                                  ./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip
                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                    PID:824
                                                                                                                                                                                                • /bin/sleep
                                                                                                                                                                                                  sleep 3
                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                    PID:825
                                                                                                                                                                                                  • /bin/rm
                                                                                                                                                                                                    rm -rf "xtr*"
                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                      PID:826
                                                                                                                                                                                                    • /bin/rm
                                                                                                                                                                                                      rm -rf ip
                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                        PID:827
                                                                                                                                                                                                      • /bin/rm
                                                                                                                                                                                                        rm -rf p
                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                          PID:828
                                                                                                                                                                                                        • /bin/rm
                                                                                                                                                                                                          rm -rf .out
                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                            PID:829
                                                                                                                                                                                                          • /bin/rm
                                                                                                                                                                                                            rm -rf "/tmp/t*"
                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                            • Writes file to tmp directory
                                                                                                                                                                                                            PID:830
                                                                                                                                                                                                          • /usr/bin/touch
                                                                                                                                                                                                            touch v
                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                              PID:831
                                                                                                                                                                                                            • /bin/rm
                                                                                                                                                                                                              rm -rf p
                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                PID:832
                                                                                                                                                                                                              • /bin/rm
                                                                                                                                                                                                                rm -rf ip
                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                  PID:833
                                                                                                                                                                                                                • /bin/rm
                                                                                                                                                                                                                  rm -rf "xtr*"
                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                    PID:834
                                                                                                                                                                                                                  • /bin/rm
                                                                                                                                                                                                                    rm -rf a "a.*"
                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                      PID:835
                                                                                                                                                                                                                    • /bin/rm
                                                                                                                                                                                                                      rm -rf b "b.*"
                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                        PID:836
                                                                                                                                                                                                                      • /bin/sleep
                                                                                                                                                                                                                        sleep 17s
                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                          PID:837
                                                                                                                                                                                                                        • /usr/bin/timeout
                                                                                                                                                                                                                          timeout 24h ./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip
                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                            PID:838
                                                                                                                                                                                                                            • ./tsm
                                                                                                                                                                                                                              ./tsm -t 505 -f 1 -s 12 -S 8 -p 0 -d 1 p ip
                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                PID:839
                                                                                                                                                                                                                            • /bin/sleep
                                                                                                                                                                                                                              sleep 3
                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                PID:840
                                                                                                                                                                                                                              • /bin/rm
                                                                                                                                                                                                                                rm -rf "xtr*"
                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                  PID:841
                                                                                                                                                                                                                                • /bin/rm
                                                                                                                                                                                                                                  rm -rf ip
                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                    PID:842
                                                                                                                                                                                                                                  • /bin/rm
                                                                                                                                                                                                                                    rm -rf p
                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                      PID:843
                                                                                                                                                                                                                                    • /bin/rm
                                                                                                                                                                                                                                      rm -rf .out
                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                        PID:844
                                                                                                                                                                                                                                      • /bin/rm
                                                                                                                                                                                                                                        rm -rf "/tmp/t*"
                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                        • Writes file to tmp directory
                                                                                                                                                                                                                                        PID:845
                                                                                                                                                                                                                                      • /usr/bin/touch
                                                                                                                                                                                                                                        touch v
                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                          PID:846
                                                                                                                                                                                                                                        • /bin/rm
                                                                                                                                                                                                                                          rm -rf p
                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                            PID:847
                                                                                                                                                                                                                                          • /bin/rm
                                                                                                                                                                                                                                            rm -rf ip
                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                              PID:848
                                                                                                                                                                                                                                            • /bin/rm
                                                                                                                                                                                                                                              rm -rf "xtr*"
                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                PID:849
                                                                                                                                                                                                                                              • /bin/rm
                                                                                                                                                                                                                                                rm -rf a "a.*"
                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                  PID:850
                                                                                                                                                                                                                                                • /bin/rm
                                                                                                                                                                                                                                                  rm -rf b "b.*"
                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                    PID:851

                                                                                                                                                                                                                                                Network

                                                                                                                                                                                                                                                MITRE ATT&CK Matrix

                                                                                                                                                                                                                                                Replay Monitor

                                                                                                                                                                                                                                                Loading Replay Monitor...

                                                                                                                                                                                                                                                Downloads