b16935619829aee2c245cead7a71b59dbe9b7992c313d71c558049fd48833e4e

Analysis

max time kernel
0s
max time network
153s
platform
linux_amd64
resource
ubuntu1804-amd64-en-20211208
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-en-20211208kernel:4.15.0-161-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
03-02-2023 14:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b26042b91b316ac627c937856d8b4fc.elf
Size

1.0MB
MD5

2b26042b91b316ac627c937856d8b4fc
SHA1

815325a46b8d87ed0e3bb21cc84fff36f6346fd4
SHA256

b16935619829aee2c245cead7a71b59dbe9b7992c313d71c558049fd48833e4e
SHA512

fdc54b7c98cd678a5c2ebbe55a90533005fc26d55e969971c5ebb73a192cb0c10bcbec61ce69fb28221459e533b44556c788b8c361c37fc41b20d145b825b07f
SSDEEP

24576:RsqZhvnhHXuhshNjm3Bp6gDgR16lwzBWa4wwS49TrHg29XE/PCroyUkNR9:PhvnhHXuhshNjK8AlGWaoXroyUk

Score

7^/10

persistence

Malware Config

Signatures

Modifies init.d 1 TTPs 1 IoCs
Adds/modifies system service, likely for persistence.
persistence

Boot or Logon Autostart Execution
T1547

Processes:

sed

description ioc process

/etc/init.d/boot.local /etc/init.d/boot.local sed
Modifies rc script 1 TTPs 4 IoCs
Adding/modifying system rc scripts is a common persistence mechanism.
persistence

Boot or Logon Autostart Execution
T1547

Processes:

sedsedsedsed

description ioc process

/etc/rc.local /etc/rc.local sed
/etc/rc.local /etc/rc.local sed
/etc/rc.local /etc/rc.local sed
/etc/rc.d/rc.local /etc/rc.d/rc.local sed

description	ioc	process
/etc/init.d/boot.local	/etc/init.d/boot.local	sed

description	ioc	process
/etc/rc.local	/etc/rc.local	sed
/etc/rc.local	/etc/rc.local	sed
/etc/rc.local	/etc/rc.local	sed
/etc/rc.d/rc.local	/etc/rc.d/rc.local	sed

Reads runtime system information 7 IoCs

Reads data from /proc virtual filesystem.

Processes:

sedsedsedsedsedmvsed

description	ioc	process
/proc/filesystems	/proc/filesystems	sed
/proc/filesystems	/proc/filesystems	sed
/proc/filesystems	/proc/filesystems	sed
/proc/filesystems	/proc/filesystems	sed
/proc/filesystems	/proc/filesystems	sed
/proc/filesystems	/proc/filesystems	mv
/proc/filesystems	/proc/filesystems	sed

/tmp/2b26042b91b316ac627c937856d8b4fc.elf
/tmp/2b26042b91b316ac627c937856d8b4fc.elf
1⤵
PID:580

/bin/sh
sh -c "chmod +x /etc/rc.local"
2⤵
PID:581

/bin/chmod
chmod +x /etc/rc.local
3⤵
PID:582

/bin/sh
sh -c "mv /tmp/2b26042b91b316ac627c937856d8b4fc.elf /etc/2b26042b91b316ac627c937856d8b4fc.elf"
2⤵
PID:583

/bin/mv
mv /tmp/2b26042b91b316ac627c937856d8b4fc.elf /etc/2b26042b91b316ac627c937856d8b4fc.elf
3⤵
- Reads runtime system information
PID:584

/bin/sh
sh -c "cd /etc;chmod 777 2b26042b91b316ac627c937856d8b4fc.elf"
2⤵
PID:585

/bin/chmod
chmod 777 2b26042b91b316ac627c937856d8b4fc.elf
3⤵
PID:586

/bin/sh
sh -c "sed -i -e '/exit/d' /etc/rc.local"
2⤵
PID:587

/bin/sed
sed -i -e /exit/d /etc/rc.local
3⤵
- Modifies rc script
- Reads runtime system information
PID:588

/bin/sh
sh -c "sed -i -e '/^ | | \$/d' /etc/rc.local"
2⤵
PID:589

/bin/sed
sed -i -e "/^ | | \$/d" /etc/rc.local
3⤵
- Reads runtime system information
PID:590

/bin/sh
sh -c "sed -i -e '/2b26042b91b316ac627c937856d8b4fc.elf/d' /etc/rc.local"
2⤵
PID:591

/bin/sed
sed -i -e /2b26042b91b316ac627c937856d8b4fc.elf/d /etc/rc.local
3⤵
- Modifies rc script
- Reads runtime system information
PID:592

/bin/sh
sh -c "sed -i -e '2 i/etc/2b26042b91b316ac627c937856d8b4fc.elf reboot' /etc/rc.local"
2⤵
PID:593

/bin/sed
sed -i -e "2 i/etc/2b26042b91b316ac627c937856d8b4fc.elf reboot" /etc/rc.local
3⤵
- Modifies rc script
- Reads runtime system information
PID:594

/bin/sh
sh -c "sed -i -e '2 i/etc/2b26042b91b316ac627c937856d8b4fc.elf start' /etc/rc.d/rc.local"
2⤵
PID:595

/bin/sed
sed -i -e "2 i/etc/2b26042b91b316ac627c937856d8b4fc.elf start" /etc/rc.d/rc.local
3⤵
- Modifies rc script
- Reads runtime system information
PID:596

/bin/sh
sh -c "sed -i -e '2 i/etc/2b26042b91b316ac627c937856d8b4fc.elf start' /etc/init.d/boot.local"
2⤵
PID:597

/bin/sed
sed -i -e "2 i/etc/2b26042b91b316ac627c937856d8b4fc.elf start" /etc/init.d/boot.local
3⤵
- Modifies init.d
- Reads runtime system information
PID:598

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads