Overview

overview

9

Static

static

1

e603944ace...bf2f05

ubuntu-18.04-amd64

9

e603944ace...bf2f05

debian-9-armhf

9

e603944ace...bf2f05

debian-9-mips

9

e603944ace...bf2f05

debian-9-mipsel

9

Analysis

  • max time kernel
    0s
  • max time network
    103s
  • platform
    linux_amd64
  • resource
    ubuntu1804-amd64-en-20211208
  • resource tags

    arch:amd64arch:i386image:ubuntu1804-amd64-en-20211208kernel:4.15.0-161-genericlocale:en-usos:ubuntu-18.04-amd64system
  • submitted
    05-02-2023 13:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e603944aceb5c0885a8627de12f36b159bbf2f05

  • Size

    3KB

  • MD5

    d0d36f169f1458806053aae482af5010

  • SHA1

    e603944aceb5c0885a8627de12f36b159bbf2f05

  • SHA256

    10c3b6b03a9bf105d264a8e7f30dcab0a6c59a414529b0af0a6bd9f1d2984459

  • SHA512

    982abe39731d8cc852c25650740ff73975c10d19027eccf610401260e2f508334f1de656f8dd332fa698dccc9f7d3bda610c8b9e84d276036a6e9408d826229a

Score
9/10

Malware Config

Signatures

  • Writes file to system bin folder 1 TTPs 1 IoCs
  • Reads CPU attributes 1 TTPs 2 IoCs
  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

  • Writes file to tmp directory 8 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/e603944aceb5c0885a8627de12f36b159bbf2f05
    /tmp/e603944aceb5c0885a8627de12f36b159bbf2f05
    1⤵
    • Writes file to tmp directory
    PID:577
    • /bin/chmod
      chmod +x /tmp//encrypt
      2⤵
        PID:588
      • /usr/bin/find
        find /usr/lib/vmware -type f -name index.html
        2⤵
          PID:593
        • /bin/mv
          mv /etc/motd /etc/motd1
          2⤵
            PID:594
          • /bin/find
            /bin/find / -name "*.log" -exec /bin/rm -rf "{}" ";"
            2⤵
              PID:595
            • /bin/rm
              /bin/rm -f /store/packages/vmtools.py
              2⤵
                PID:605
              • /bin/touch
                /bin/touch -r /etc/vmware/rhttpproxy/config.xml /etc/vmware/rhttpproxy/endpoints.conf
                2⤵
                  PID:606
                • /bin/touch
                  /bin/touch -r /etc/vmware/rhttpproxy/config.xml /bin/hostd-probe.sh
                  2⤵
                    PID:607
                  • /bin/touch
                    /bin/touch -r /etc/vmware/rhttpproxy/config.xml /etc/rc.local.d/local.sh
                    2⤵
                      PID:608
                    • /bin/rm
                      /bin/rm -f /tmp/encrypt /tmp/nohup.out /tmp/index.html /tmp/motd /tmp/public.pem /tmp/archieve.zip
                      2⤵
                      • Writes file to tmp directory
                      PID:613
                    • /bin/sh
                      /bin/sh /bin/auto-backup.sh
                      2⤵
                      • Writes file to system bin folder
                      PID:614
                    • /bin/rm
                      /bin/rm -- /tmp/e603944aceb5c0885a8627de12f36b159bbf2f05
                      2⤵
                      • Writes file to tmp directory
                      PID:615
                    • /etc/init.d/SSH
                      /etc/init.d/SSH start
                      2⤵
                        PID:616
                    • /bin/grep
                      grep "Config File"
                      1⤵
                        PID:582
                      • /usr/bin/awk
                        awk "{print \$3}"
                        1⤵
                          PID:583
                        • /usr/bin/awk
                          awk "{print \$2}"
                          1⤵
                            PID:587
                          • /bin/grep
                            grep vmx
                            1⤵
                              PID:586
                            • /bin/ps
                              ps
                              1⤵
                              • Reads CPU attributes
                              • Reads runtime system information
                              PID:585
                            • /bin/grep
                              grep /vmfs/volumes/
                              1⤵
                                PID:591
                              • /usr/bin/awk
                                awk "-F " "{print \$2}"
                                1⤵
                                  PID:592
                                • /bin/ps
                                  /bin/ps
                                  1⤵
                                  • Reads CPU attributes
                                  • Reads runtime system information
                                  PID:597
                                • /bin/grep
                                  /bin/grep encrypt
                                  1⤵
                                    PID:598
                                  • /bin/grep
                                    /bin/grep -v grep
                                    1⤵
                                      PID:599
                                    • /bin/wc
                                      /bin/wc -l
                                      1⤵
                                        PID:600
                                      • /bin/vmware
                                        /bin/vmware -l
                                        1⤵
                                          PID:602
                                        • /bin/grep
                                          /bin/grep " 7."
                                          1⤵
                                            PID:603
                                          • /bin/wc
                                            /bin/wc -l
                                            1⤵
                                              PID:604

                                            Network

                                            MITRE ATT&CK Enterprise v6

                                            Replay Monitor

                                            Loading Replay Monitor...

                                            Downloads