1015b9aef1f749dfc31eb33528c4a4169035b6d73542e068b617965d3e948ef2

Analysis

max time kernel
0s
max time network
58s
platform
linux_amd64
resource
ubuntu1804-amd64-en-20211208
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-en-20211208kernel:4.15.0-161-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
28-02-2023 07:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1015b9aef1f749dfc31eb33528c4a4169035b6d73542e068b617965d3e948ef2.bin
Size

1.0MB
MD5

49883e391077e681878d7128e4dbf757
SHA1

85c121c37f96a9ffae3ee4cd6c9116d5c1c43338
SHA256

1015b9aef1f749dfc31eb33528c4a4169035b6d73542e068b617965d3e948ef2
SHA512

82b78c52bfec3e402a398a192cd41408f11de430186327a4a61013d98f1228d8740ebb1f189806dbda429121de1db860c0676ef207c7230b8b2d864d15002afb
SSDEEP

24576:RsqZhvnhHXuhshNjm3Bp6gDgR16lwzBWa4wwS49TrHg29XE/PNroyUkNR9:PhvnhHXuhshNjK8AlGWaoYroyUk

Score

7^/10

persistence

Malware Config

Signatures

Modifies init.d 1 TTPs 1 IoCs
Adds/modifies system service, likely for persistence.
persistence

Boot or Logon Autostart Execution
T1547

Processes:

sed

description ioc process

/etc/init.d/boot.local /etc/init.d/boot.local sed
Modifies rc script 1 TTPs 4 IoCs
Adding/modifying system rc scripts is a common persistence mechanism.
persistence

Boot or Logon Autostart Execution
T1547

Processes:

sedsedsedsed

description ioc process

/etc/rc.local /etc/rc.local sed
/etc/rc.local /etc/rc.local sed
/etc/rc.local /etc/rc.local sed
/etc/rc.d/rc.local /etc/rc.d/rc.local sed

description	ioc	process
/etc/init.d/boot.local	/etc/init.d/boot.local	sed

description	ioc	process
/etc/rc.local	/etc/rc.local	sed
/etc/rc.local	/etc/rc.local	sed
/etc/rc.local	/etc/rc.local	sed
/etc/rc.d/rc.local	/etc/rc.d/rc.local	sed

Reads runtime system information 7 IoCs

Reads data from /proc virtual filesystem.

Processes:

sedmvsedsedsedsedsed

description	ioc	process
/proc/filesystems	/proc/filesystems	sed
/proc/filesystems	/proc/filesystems	mv
/proc/filesystems	/proc/filesystems	sed
/proc/filesystems	/proc/filesystems	sed
/proc/filesystems	/proc/filesystems	sed
/proc/filesystems	/proc/filesystems	sed
/proc/filesystems	/proc/filesystems	sed

/tmp/1015b9aef1f749dfc31eb33528c4a4169035b6d73542e068b617965d3e948ef2.bin
/tmp/1015b9aef1f749dfc31eb33528c4a4169035b6d73542e068b617965d3e948ef2.bin
1⤵
PID:581

/bin/sh
sh -c "chmod +x /etc/rc.local"
2⤵
PID:582

/bin/chmod
chmod +x /etc/rc.local
3⤵
PID:583

/bin/sh
sh -c "mv /tmp/1015b9aef1f749dfc31eb33528c4a4169035b6d73542e068b617965d3e948ef2.bin /etc/1015b9aef1f749dfc31eb33528c4a4169035b6d73542e068b617965d3e948ef2.bin"
2⤵
PID:584

/bin/mv
mv /tmp/1015b9aef1f749dfc31eb33528c4a4169035b6d73542e068b617965d3e948ef2.bin /etc/1015b9aef1f749dfc31eb33528c4a4169035b6d73542e068b617965d3e948ef2.bin
3⤵
- Reads runtime system information
PID:585

/bin/sh
sh -c "cd /etc;chmod 777 1015b9aef1f749dfc31eb33528c4a4169035b6d73542e068b617965d3e948ef2.bin"
2⤵
PID:586

/bin/chmod
chmod 777 1015b9aef1f749dfc31eb33528c4a4169035b6d73542e068b617965d3e948ef2.bin
3⤵
PID:587

/bin/sh
sh -c "sed -i -e '/exit/d' /etc/rc.local"
2⤵
PID:588

/bin/sed
sed -i -e /exit/d /etc/rc.local
3⤵
- Modifies rc script
- Reads runtime system information
PID:589

/bin/sh
sh -c "sed -i -e '/^ | | \$/d' /etc/rc.local"
2⤵
PID:590

/bin/sed
sed -i -e "/^ | | \$/d" /etc/rc.local
3⤵
- Reads runtime system information
PID:591

/bin/sh
sh -c "sed -i -e '/1015b9aef1f749dfc31eb33528c4a4169035b6d73542e068b617965d3e948ef2.bin/d' /etc/rc.local"
2⤵
PID:592

/bin/sed
sed -i -e /1015b9aef1f749dfc31eb33528c4a4169035b6d73542e068b617965d3e948ef2.bin/d /etc/rc.local
3⤵
- Modifies rc script
- Reads runtime system information
PID:593

/bin/sh
sh -c "sed -i -e '2 i/etc/1015b9aef1f749dfc31eb33528c4a4169035b6d73542e068b617965d3e948ef2.bin reboot' /etc/rc.local"
2⤵
PID:594

/bin/sed
sed -i -e "2 i/etc/1015b9aef1f749dfc31eb33528c4a4169035b6d73542e068b617965d3e948ef2.bin reboot" /etc/rc.local
3⤵
- Modifies rc script
- Reads runtime system information
PID:595

/bin/sh
sh -c "sed -i -e '2 i/etc/1015b9aef1f749dfc31eb33528c4a4169035b6d73542e068b617965d3e948ef2.bin start' /etc/rc.d/rc.local"
2⤵
PID:596

/bin/sed
sed -i -e "2 i/etc/1015b9aef1f749dfc31eb33528c4a4169035b6d73542e068b617965d3e948ef2.bin start" /etc/rc.d/rc.local
3⤵
- Modifies rc script
- Reads runtime system information
PID:597

/bin/sh
sh -c "sed -i -e '2 i/etc/1015b9aef1f749dfc31eb33528c4a4169035b6d73542e068b617965d3e948ef2.bin start' /etc/init.d/boot.local"
2⤵
PID:598

/bin/sed
sed -i -e "2 i/etc/1015b9aef1f749dfc31eb33528c4a4169035b6d73542e068b617965d3e948ef2.bin start" /etc/init.d/boot.local
3⤵
- Modifies init.d
- Reads runtime system information
PID:599

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads