1e7ca210ff7bedeefadb15a9ec5ea68ad9022d0c6f41c4e548ec2e5927026ba4

Analysis

max time kernel
0s
max time network
143s
platform
linux_amd64
resource
ubuntu1804-amd64-en-20211208
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-en-20211208kernel:4.15.0-161-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
09-03-2023 07:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e7ca210ff7bedeefadb15a9ec5ea68ad9022d0c6f41c4e548ec2e5927026ba4_x86
Size

9.3MB
MD5

ba1249d19585248cb075855e46ea6bf4
SHA1

957c96e0d9cecb69173ebb5201e26d065fa3a930
SHA256

1e7ca210ff7bedeefadb15a9ec5ea68ad9022d0c6f41c4e548ec2e5927026ba4
SHA512

2c7d00825a42e6bc7e58203716b02b230c2074c921dc0709180b77d815b805f1ff75782fd402834bcd72ef51d2157ca42d7e9d1b66c70a82875ae18750197b79
SSDEEP

98304:ssUKYzUZKDNadpngODEO0StEzc6buuLVtMv5aywH6/wfsjmZ:ssUjFDNad8BDbHMBazLB

Score

7^/10

persistence

Malware Config

Signatures

Modifies init.d 1 TTPs 2 IoCs
Adds/modifies system service, likely for persistence.
persistence

Boot or Logon Autostart Execution
T1547

Processes:

update-rc.dupdate-rc.d

description ioc process

/etc/init.d/sshf /etc/init.d/sshf update-rc.d
/etc/init.d/sshf /etc/init.d/sshf update-rc.d

description	ioc	process
/etc/init.d/sshf	/etc/init.d/sshf	update-rc.d
/etc/init.d/sshf	/etc/init.d/sshf	update-rc.d

Modifies rc script 1 TTPs 7 IoCs

Adding/modifying system rc scripts is a common persistence mechanism.

persistence

Boot or Logon Autostart Execution

T1547

Processes:

update-rc.d

description	ioc	process
/etc/rc6.d/	/etc/rc6.d/	update-rc.d
/etc/rc1.d/	/etc/rc1.d/	update-rc.d
/etc/rc0.d/	/etc/rc0.d/	update-rc.d
/etc/rc5.d/	/etc/rc5.d/	update-rc.d
/etc/rc4.d/	/etc/rc4.d/	update-rc.d
/etc/rc3.d/	/etc/rc3.d/	update-rc.d
/etc/rc2.d/	/etc/rc2.d/	update-rc.d

Write file to user bin folder 1 TTPs 3 IoCs

Hijack Execution Flow

T1574

Processes:

update-rc.dupdate-rc.d1e7ca210ff7bedeefadb15a9ec5ea68ad9022d0c6f41c4e548ec2e5927026ba4_x86

description	ioc	process
/usr/sbin/update-rc.d	/usr/sbin/update-rc.d	update-rc.d
/usr/sbin/update-rc.d	/usr/sbin/update-rc.d	update-rc.d
/usr/bin/sshf	/usr/bin/sshf	1e7ca210ff7bedeefadb15a9ec5ea68ad9022d0c6f41c4e548ec2e5927026ba4_x86

Creates .desktop file 1 TTPs 1 IoCs

Linux desktops like GNOME require .desktop files to register applications. Sometimes abused by malware for persistence.

persistence

User Execution

T1204

Processes:

1e7ca210ff7bedeefadb15a9ec5ea68ad9022d0c6f41c4e548ec2e5927026ba4_x86

description	ioc	process
.config/ssh.service/sshf.desktop	.config/ssh.service/sshf.desktop	1e7ca210ff7bedeefadb15a9ec5ea68ad9022d0c6f41c4e548ec2e5927026ba4_x86

Enumerates kernel/hardware configuration 1 TTPs 1 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

T1082

Processes:

1e7ca210ff7bedeefadb15a9ec5ea68ad9022d0c6f41c4e548ec2e5927026ba4_x86

description	ioc	process
/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	1e7ca210ff7bedeefadb15a9ec5ea68ad9022d0c6f41c4e548ec2e5927026ba4_x86

Reads runtime system information 12 IoCs

Reads data from /proc virtual filesystem.

Processes:

systemctlsystemctl

description	ioc	process
/proc/filesystems	/proc/filesystems	systemctl
/proc/cmdline	/proc/cmdline	systemctl
/proc/self/stat	/proc/self/stat	systemctl
/proc/sys/kernel/osrelease	/proc/sys/kernel/osrelease	systemctl
/proc/1/sched	/proc/1/sched	systemctl
/proc/cmdline	/proc/cmdline	systemctl
/proc/1/environ	/proc/1/environ	systemctl
/proc/1/sched	/proc/1/sched	systemctl
/proc/filesystems	/proc/filesystems	systemctl
/proc/1/environ	/proc/1/environ	systemctl
/proc/self/stat	/proc/self/stat	systemctl
/proc/sys/kernel/osrelease	/proc/sys/kernel/osrelease	systemctl

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

Processes:

1e7ca210ff7bedeefadb15a9ec5ea68ad9022d0c6f41c4e548ec2e5927026ba4_x86

description	ioc	process
/tmp/1e7ca210ff7bedeefadb15a9ec5ea68ad9022d0c6f41c4e548ec2e5927026ba4_x86	/tmp/1e7ca210ff7bedeefadb15a9ec5ea68ad9022d0c6f41c4e548ec2e5927026ba4_x86	1e7ca210ff7bedeefadb15a9ec5ea68ad9022d0c6f41c4e548ec2e5927026ba4_x86

/tmp/1e7ca210ff7bedeefadb15a9ec5ea68ad9022d0c6f41c4e548ec2e5927026ba4_x86
/tmp/1e7ca210ff7bedeefadb15a9ec5ea68ad9022d0c6f41c4e548ec2e5927026ba4_x86
1⤵
- Write file to user bin folder
- Creates .desktop file
- Enumerates kernel/hardware configuration
- Writes file to tmp directory
PID:571

/usr/bin/getopt
getopt -o r: --long root: -- enable sshf
1⤵
PID:586

/usr/bin/basename
basename /usr/sbin/service
1⤵
PID:587

/bin/systemctl
systemctl --quiet is-active multi-user.target
1⤵
- Reads runtime system information
PID:589

/usr/sbin/update-rc.d
/usr/sbin/update-rc.d sshf defaults
1⤵
- Modifies init.d
- Modifies rc script
- Write file to user bin folder
PID:588

/usr/local/sbin/systemctl
systemctl daemon-reload
2⤵
PID:590

/usr/local/bin/systemctl
systemctl daemon-reload
2⤵
PID:590

/usr/sbin/systemctl
systemctl daemon-reload
2⤵
PID:590

/usr/bin/systemctl
systemctl daemon-reload
2⤵
PID:590

/sbin/systemctl
systemctl daemon-reload
2⤵
PID:590

/bin/systemctl
systemctl daemon-reload
2⤵
- Reads runtime system information
PID:590

/usr/sbin/update-rc.d
/usr/sbin/update-rc.d sshf enable
1⤵
- Modifies init.d
- Write file to user bin folder
PID:606

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

User Execution

T1204

Persistence

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Defense Evasion

Hijack Execution Flow

T1574

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads