aa5a2810a7a8c4f18b0817ee58477c8b950d2c45148b134cb3b12fe1e21e118b

Analysis

max time kernel
9366s
max time network
127s
platform
debian-9_armhf
resource
debian9-armhf-20221111-en
resource tags

arch:armhfimage:debian9-armhf-20221111-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
28-02-2023 03:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

[A6]
Size

252KB
MD5

55d19e7b6fe8fcec768e520c08fe94ba
SHA1

c1abbd0f5fb5b7be229394f1860977e0df282638
SHA256

aa5a2810a7a8c4f18b0817ee58477c8b950d2c45148b134cb3b12fe1e21e118b
SHA512

4c8ef61329f38946894ffa6bcec42592726475309871523823a4a50f9e91155e2283198e36e9de0ebc6147d67a3c9f5d726d347efca3a8fee6fb459ba46137f5
SSDEEP

6144:xV1Tvhr0NasK1i06F+GgQTCjZ12YRgmp5rwh6qkRpxPa:BVINasPb+G/S12YRgmDwh6qkR/a

Score

9^/10

Malware Config

Signatures

Writes file to system bin folder 1 TTPs 9 IoCs

Hijack Execution Flow

T1574

description	ioc
/sbin/dhclient	/sbin/dhclient
/bin/cp	/bin/cp
/bin/rm	/bin/rm
/bin/mv	/bin/mv
/bin/login	/bin/login
/bin/bash	/bin/bash
/sbin/agetty	/sbin/agetty
/bin/dash	/bin/dash
/bin/date	/bin/date

Write file to user bin folder 1 TTPs 11 IoCs

Hijack Execution Flow

T1574

description	ioc
/usr/bin/dbus-daemon	/usr/bin/dbus-daemon
/usr/bin/apt-config	/usr/bin/apt-config
/usr/bin/basename	/usr/bin/basename
/usr/bin/cmp	/usr/bin/cmp
/usr/bin/apt-get	/usr/bin/apt-get
/usr/sbin/cron	/usr/sbin/cron
/usr/sbin/rsyslogd	/usr/sbin/rsyslogd
/usr/sbin/sshd	/usr/sbin/sshd
/usr/sbin/agent	/usr/sbin/agent
/usr/bin/dpkg	/usr/bin/dpkg
/usr/bin/flock	/usr/bin/flock

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
/proc/3/cmdline	/proc/3/cmdline	Process not Found
/proc/360/cmdline	/proc/360/cmdline	Process not Found
/proc/414/maps	/proc/414/maps	Process not Found
/proc/447/cmdline	/proc/447/cmdline	Process not Found
/proc/470/cmdline	/proc/470/cmdline	Process not Found
/proc/387/cmdline	/proc/387/cmdline	Process not Found
/proc/413/cmdline	/proc/413/cmdline	Process not Found
/proc/417/cmdline	/proc/417/cmdline	Process not Found
/proc/10/cmdline	/proc/10/cmdline	[A6]
/proc/27/cmdline	/proc/27/cmdline	[A6]
/proc/12/cmdline	/proc/12/cmdline	[A6]
/proc/149/maps	/proc/149/maps	Process not Found
/proc/415/maps	/proc/415/maps	Process not Found
/proc/470/maps	/proc/470/maps	Process not Found
/proc/430/cmdline	/proc/430/cmdline	Process not Found
/proc/12/maps	/proc/12/maps	Process not Found
/proc/247/maps	/proc/247/maps	Process not Found
/proc/392/cmdline	/proc/392/cmdline	Process not Found
/proc/402/cmdline	/proc/402/cmdline	Process not Found
/proc/396/cmdline	/proc/396/cmdline	Process not Found
/proc/464/cmdline	/proc/464/cmdline	Process not Found
/proc/374/cmdline	/proc/374/cmdline	Process not Found
/proc/403/maps	/proc/403/maps	Process not Found
/proc/6/cmdline	/proc/6/cmdline	Process not Found
/proc/8/maps	/proc/8/maps	Process not Found
/proc/27/maps	/proc/27/maps	Process not Found
/proc/320/cmdline	/proc/320/cmdline	Process not Found
/proc/375/maps	/proc/375/maps	Process not Found
/proc/475/maps	/proc/475/maps	Process not Found
/proc/13/cmdline	/proc/13/cmdline	Process not Found
/proc/382/cmdline	/proc/382/cmdline	Process not Found
/proc/389/maps	/proc/389/maps	Process not Found
/proc/397/cmdline	/proc/397/cmdline	Process not Found
/proc/408/maps	/proc/408/maps	Process not Found
/proc/412/maps	/proc/412/maps	Process not Found
/proc/379/maps	/proc/379/maps	Process not Found
/proc/388/maps	/proc/388/maps	Process not Found
/proc/457/cmdline	/proc/457/cmdline	Process not Found
/proc/16/cmdline	/proc/16/cmdline	[A6]
/proc/109/cmdline	/proc/109/cmdline	[A6]
/proc/249/cmdline	/proc/249/cmdline	Process not Found
/proc/445/maps	/proc/445/maps	Process not Found
/proc/447/maps	/proc/447/maps	Process not Found
/proc/29/cmdline	/proc/29/cmdline	[A6]
/proc/5/cmdline	/proc/5/cmdline	Process not Found
/proc/283/maps	/proc/283/maps	Process not Found
/proc/458/cmdline	/proc/458/cmdline	Process not Found
/proc/19/maps	/proc/19/maps	Process not Found
/proc/224/cmdline	/proc/224/cmdline	Process not Found
/proc/398/maps	/proc/398/maps	Process not Found
/proc/408/cmdline	/proc/408/cmdline	Process not Found
/proc/446/cmdline	/proc/446/cmdline	Process not Found
/proc/487/maps	/proc/487/maps	Process not Found
/proc/25/cmdline	/proc/25/cmdline	[A6]
/proc/374/maps	/proc/374/maps	Process not Found
/proc/411/cmdline	/proc/411/cmdline	Process not Found
/proc/429/maps	/proc/429/maps	Process not Found
/proc/442/cmdline	/proc/442/cmdline	Process not Found
/proc/443/maps	/proc/443/maps	Process not Found
/proc/4/cmdline	/proc/4/cmdline	[A6]
/proc/380/cmdline	/proc/380/cmdline	Process not Found
/proc/391/cmdline	/proc/391/cmdline	Process not Found
/proc/397/maps	/proc/397/maps	Process not Found
/proc/373/maps	/proc/373/maps	Process not Found

/tmp/[A6]
"/tmp/[A6]"
1⤵
- Reads runtime system information
PID:363

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hijack Execution Flow

T1574

Privilege Escalation

Hijack Execution Flow

T1574

Defense Evasion

Hijack Execution Flow

T1574

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads