Analysis
-
max time kernel
0s -
max time network
143s -
platform
linux_amd64 -
resource
ubuntu1804-amd64-en-20211208 -
resource tags
arch:amd64, arch:i386, image:ubuntu1804-amd64-en-20211208, kernel:4.15.0-161-generic, locale:en-us, os:ubuntu-18.04-amd64, system -
submitted
09-03-2023 07:38
Behavioral task
behavioral1
Sample
1e7ca210ff7bedeefadb15a9ec5ea68ad9022d0c6f41c4e548ec2e5927026ba4_x86
Resource
ubuntu1804-amd64-en-20211208
General
-
Target
1e7ca210ff7bedeefadb15a9ec5ea68ad9022d0c6f41c4e548ec2e5927026ba4_x86
-
Size
9.3MB
-
MD5
ba1249d19585248cb075855e46ea6bf4
-
SHA1
957c96e0d9cecb69173ebb5201e26d065fa3a930
-
SHA256
1e7ca210ff7bedeefadb15a9ec5ea68ad9022d0c6f41c4e548ec2e5927026ba4
-
SHA512
2c7d00825a42e6bc7e58203716b02b230c2074c921dc0709180b77d815b805f1ff75782fd402834bcd72ef51d2157ca42d7e9d1b66c70a82875ae18750197b79
-
SSDEEP
98304:ssUKYzUZKDNadpngODEO0StEzc6buuLVtMv5aywH6/wfsjmZ:ssUjFDNad8BDbHMBazLB
Malware Config
Signatures
-
Modifies init.d
Processes:
description          ioc                  process
/etc/init.d/sshf     /etc/init.d/sshf     update-rc.d
/etc/init.d/sshf     /etc/init.d/sshf     update-rc.d
-
Modifies rc script 1 TTPs 7 IoCs
Adding/modifying system rc scripts is a common persistence mechanism.
Processes:
description      ioc              process
/etc/rc6.d/      /etc/rc6.d/      update-rc.d
/etc/rc1.d/      /etc/rc1.d/      update-rc.d
/etc/rc0.d/      /etc/rc0.d/      update-rc.d
/etc/rc5.d/      /etc/rc5.d/      update-rc.d
/etc/rc4.d/      /etc/rc4.d/      update-rc.d
/etc/rc3.d/      /etc/rc3.d/      update-rc.d
/etc/rc2.d/      /etc/rc2.d/      update-rc.d
-
Write file to user bin folder 1 TTPs 3 IoCs
Processes:
description                ioc                        process
/usr/sbin/update-rc.d      /usr/sbin/update-rc.d      update-rc.d
/usr/sbin/update-rc.d      /usr/sbin/update-rc.d      update-rc.d
/usr/bin/sshf              /usr/bin/sshf              1e7ca210ff7bedeefadb15a9ec5ea68ad9022d0c6f41c4e548ec2e5927026ba4_x86
-
Creates .desktop file 1 TTPs 1 IoCs
Linux desktops like GNOME require .desktop files to register applications. Sometimes abused by malware for persistence.
Processes:
description                            ioc                                    process
.config/ssh.service/sshf.desktop       .config/ssh.service/sshf.desktop       1e7ca210ff7bedeefadb15a9ec5ea68ad9022d0c6f41c4e548ec2e5927026ba4_x86
-
Enumerates kernel/hardware configuration 1 TTPs 1 IoCs
Reads contents of /sys virtual filesystem to enumerate system information.
Processes:
description                                               ioc                                                       process
/sys/kernel/mm/transparent_hugepage/hpage_pmd_size        /sys/kernel/mm/transparent_hugepage/hpage_pmd_size        1e7ca210ff7bedeefadb15a9ec5ea68ad9022d0c6f41c4e548ec2e5927026ba4_x86
-
Reads runtime system information 12 IoCs
Reads data from /proc virtual filesystem.
Processes:
description                      ioc                              process
/proc/filesystems                /proc/filesystems                systemctl
/proc/cmdline                    /proc/cmdline                    systemctl
/proc/self/stat                  /proc/self/stat                  systemctl
/proc/sys/kernel/osrelease       /proc/sys/kernel/osrelease       systemctl
/proc/1/sched                    /proc/1/sched                    systemctl
/proc/cmdline                    /proc/cmdline                    systemctl
/proc/1/environ                  /proc/1/environ                  systemctl
/proc/1/sched                    /proc/1/sched                    systemctl
/proc/filesystems                /proc/filesystems                systemctl
/proc/1/environ                  /proc/1/environ                  systemctl
/proc/self/stat                  /proc/self/stat                  systemctl
/proc/sys/kernel/osrelease       /proc/sys/kernel/osrelease       systemctl
-
Writes file to tmp directory 1 IoCs
Malware often drops required files in the /tmp directory.
Processes:
description                                                                     ioc                                                                     process
/tmp/1e7ca210ff7bedeefadb15a9ec5ea68ad9022d0c6f41c4e548ec2e5927026ba4_x86      /tmp/1e7ca210ff7bedeefadb15a9ec5ea68ad9022d0c6f41c4e548ec2e5927026ba4_x86      1e7ca210ff7bedeefadb15a9ec5ea68ad9022d0c6f41c4e548ec2e5927026ba4_x86
Processes
-
/tmp/1e7ca210ff7bedeefadb15a9ec5ea68ad9022d0c6f41c4e548ec2e5927026ba4_x86
  command line: /tmp/1e7ca210ff7bedeefadb15a9ec5ea68ad9022d0c6f41c4e548ec2e5927026ba4_x86
- Write file to user bin folder
- Creates .desktop file
- Enumerates kernel/hardware configuration
- Writes file to tmp directory
-
/usr/bin/getopt
  command line: getopt -o r: --long root: -- enable sshf
-
/usr/bin/basename
  command line: basename /usr/sbin/service
-
/bin/systemctl
  command line: systemctl --quiet is-active multi-user.target
- Reads runtime system information
-
/usr/sbin/update-rc.d
  command line: /usr/sbin/update-rc.d sshf defaults
- Modifies init.d
- Modifies rc script
- Write file to user bin folder
  -
  /usr/local/sbin/systemctl
    command line: systemctl daemon-reload
  -
  /usr/local/bin/systemctl
    command line: systemctl daemon-reload
  -
  /usr/sbin/systemctl
    command line: systemctl daemon-reload
  -
  /usr/bin/systemctl
    command line: systemctl daemon-reload
  -
  /sbin/systemctl
    command line: systemctl daemon-reload
  -
  /bin/systemctl
    command line: systemctl daemon-reload
  - Reads runtime system information
-
/usr/sbin/update-rc.d
  command line: /usr/sbin/update-rc.d sshf enable
- Modifies init.d
- Write file to user bin folder