f3c8c03a23b7a068a19624ff315850f95d0c7df4ee979c6819545300d9ed7899

Analysis

max time kernel
9366s
max time network
128s
platform
debian-9_armhf
resource
debian9-armhf-20221111-en
resource tags

arch:armhfimage:debian9-armhf-20221111-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
28/02/2023, 03:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

[A4-TL]
Size

252KB
MD5

bd872b0c4e26a915777a2745ceb03e01
SHA1

8cfd4e2cbae240bbd7903cf325afe50888705ccb
SHA256

f3c8c03a23b7a068a19624ff315850f95d0c7df4ee979c6819545300d9ed7899
SHA512

79e097212b39bf97a3d9f686aca3d3f0af4d6a71097aae2739742359087c2fa8740d833dc7f8bc20bc41be595e3ead64c1a78184161c509f0c6ab24fc1786f50
SSDEEP

6144:6V1Tvhr0NasK1i06F+GgQTCzB12I7Bxgmp5rwh6qkRpxPa:MVINasPb+G/212sjgmDwh6qkR/a

Score

9^/10

Malware Config

Signatures

Writes file to system bin folder 1 TTPs 8 IoCs

Hijack Execution Flow

T1574

description	ioc
/bin/cp	/bin/cp
/bin/date	/bin/date
/bin/mv	/bin/mv
/bin/login	/bin/login
/sbin/dhclient	/sbin/dhclient
/bin/bash	/bin/bash
/sbin/agetty	/sbin/agetty
/bin/dash	/bin/dash

Write file to user bin folder 1 TTPs 11 IoCs

Hijack Execution Flow

T1574

description	ioc
/usr/sbin/sshd	/usr/sbin/sshd
/usr/sbin/agent	/usr/sbin/agent
/usr/bin/dirname	/usr/bin/dirname
/usr/bin/dpkg	/usr/bin/dpkg
/usr/bin/flock	/usr/bin/flock
/usr/bin/basename	/usr/bin/basename
/usr/bin/apt-get	/usr/bin/apt-get
/usr/bin/dbus-daemon	/usr/bin/dbus-daemon
/usr/sbin/cron	/usr/sbin/cron
/usr/sbin/rsyslogd	/usr/sbin/rsyslogd
/usr/bin/apt-config	/usr/bin/apt-config

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
/proc/243/maps	/proc/243/maps	Process not Found
/proc/473/cmdline	/proc/473/cmdline	Process not Found
/proc/134/cmdline	/proc/134/cmdline	[A4-TL]
/proc/417/cmdline	/proc/417/cmdline	Process not Found
/proc/485/maps	/proc/485/maps	Process not Found
/proc/26/cmdline	/proc/26/cmdline	[A4-TL]
/proc/234/cmdline	/proc/234/cmdline	[A4-TL]
/proc/20/cmdline	/proc/20/cmdline	Process not Found
/proc/103/maps	/proc/103/maps	Process not Found
/proc/414/cmdline	/proc/414/cmdline	Process not Found
/proc/433/maps	/proc/433/maps	Process not Found
/proc/24/cmdline	/proc/24/cmdline	[A4-TL]
/proc/3/maps	/proc/3/maps	Process not Found
/proc/8/maps	/proc/8/maps	Process not Found
/proc/11/cmdline	/proc/11/cmdline	Process not Found
/proc/328/maps	/proc/328/maps	Process not Found
/proc/392/cmdline	/proc/392/cmdline	Process not Found
/proc/413/maps	/proc/413/maps	Process not Found
/proc/444/cmdline	/proc/444/cmdline	Process not Found
/proc/482/cmdline	/proc/482/cmdline	Process not Found
/proc/492/maps	/proc/492/maps	Process not Found
/proc/285/maps	/proc/285/maps	Process not Found
/proc/385/maps	/proc/385/maps	Process not Found
/proc/395/cmdline	/proc/395/cmdline	Process not Found
/proc/469/maps	/proc/469/maps	Process not Found
/proc/12/cmdline	/proc/12/cmdline	[A4-TL]
/proc/17/cmdline	/proc/17/cmdline	[A4-TL]
/proc/378/maps	/proc/378/maps	Process not Found
/proc/436/maps	/proc/436/maps	Process not Found
/proc/453/maps	/proc/453/maps	Process not Found
/proc/18/cmdline	/proc/18/cmdline	[A4-TL]
/proc/103/cmdline	/proc/103/cmdline	[A4-TL]
/proc/17/maps	/proc/17/maps	Process not Found
/proc/367/cmdline	/proc/367/cmdline	Process not Found
/proc/377/maps	/proc/377/maps	Process not Found
/proc/377/cmdline	/proc/377/cmdline	Process not Found
/proc/486/maps	/proc/486/maps	Process not Found
/proc/488/cmdline	/proc/488/cmdline	Process not Found
/proc/499/cmdline	/proc/499/cmdline	Process not Found
/proc/20/maps	/proc/20/maps	Process not Found
/proc/472/cmdline	/proc/472/cmdline	Process not Found
/proc/479/maps	/proc/479/maps	Process not Found
/proc/8/cmdline	/proc/8/cmdline	[A4-TL]
/proc/2/maps	/proc/2/maps	Process not Found
/proc/425/maps	/proc/425/maps	Process not Found
/proc/472/maps	/proc/472/maps	Process not Found
/proc/7/maps	/proc/7/maps	Process not Found
/proc/388/cmdline	/proc/388/cmdline	Process not Found
/proc/405/cmdline	/proc/405/cmdline	Process not Found
/proc/25/maps	/proc/25/maps	Process not Found
/proc/401/maps	/proc/401/maps	Process not Found
/proc/409/cmdline	/proc/409/cmdline	Process not Found
/proc/435/maps	/proc/435/maps	Process not Found
/proc/453/cmdline	/proc/453/cmdline	Process not Found
/proc/43/cmdline	/proc/43/cmdline	[A4-TL]
/proc/23/cmdline	/proc/23/cmdline	Process not Found
/proc/24/maps	/proc/24/maps	Process not Found
/proc/234/cmdline	/proc/234/cmdline	Process not Found
/proc/411/cmdline	/proc/411/cmdline	Process not Found
/proc/	/proc/	[A4-TL]
/proc/4/cmdline	/proc/4/cmdline	[A4-TL]
/proc/449/maps	/proc/449/maps	Process not Found
/proc/390/cmdline	/proc/390/cmdline	Process not Found
/proc/398/cmdline	/proc/398/cmdline	Process not Found

/tmp/[A4-TL]
"/tmp/[A4-TL]"
1⤵
- Reads runtime system information
PID:369

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hijack Execution Flow

T1574

Privilege Escalation

Hijack Execution Flow

T1574

Defense Evasion

Hijack Execution Flow

T1574

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads