c858e10e29b769ca86445ba1bebdf708e88245da4e96c4afc967818e8293e099

Analysis

max time kernel
0s
max time network
103s
platform
linux_amd64
resource
ubuntu1804-amd64-en-20211208
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-en-20211208kernel:4.15.0-161-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
27-03-2023 09:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Killbash.x
Size

338KB
MD5

7622b6a703b61b767a8f15fe24801ff8
SHA1

d987be4df6349f1ed7934b4e0154ce743bce863d
SHA256

95fb9e93efec22c8426f3d557a0c353ff63aa323f42180ecacdf9cd7cfe4c5aa
SHA512

e950f0eb8b971980342f889b36b2794b883925879e6a8105c1179e9b99492006f324f0aeedc62f77ed7ca8a0cf13c99eb7b6a2e38f4e6bd41e511ac38143fa00
SSDEEP

6144:wFE15RyBAwujPOjS7624nLqFLof5cAw+l0qbRQ2Aj4qewO3TjC45:jllGSWlnLIoRcAw+lFbSsve45

Score

7^/10

persistence

Malware Config

Signatures

Modifies init.d 1 TTPs 2 IoCs
Adds/modifies system service, likely for persistence.
persistence

Boot or Logon Autostart Execution
T1547

Processes:

catcat

description ioc process

/etc/init.d/Me8ing.conf /etc/init.d/Me8ing.conf cat
/etc/init.d/Me8ing.conf /etc/init.d/Me8ing.conf cat
Modifies rc script 1 TTPs 1 IoCs
Adding/modifying system rc scripts is a common persistence mechanism.
persistence

Boot or Logon Autostart Execution
T1547

Processes:

sed

description ioc process

/etc/rc.local /etc/rc.local sed

description	ioc	process
/etc/init.d/Me8ing.conf	/etc/init.d/Me8ing.conf	cat
/etc/init.d/Me8ing.conf	/etc/init.d/Me8ing.conf	cat

description	ioc	process
/etc/rc.local	/etc/rc.local	sed

Reads CPU attributes 1 TTPs 2 IoCs

System Information Discovery

T1082

Processes:

pkillpkill

description	ioc	process
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	pkill
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	pkill

Reads runtime system information 5 IoCs

Reads data from /proc virtual filesystem.

Processes:

killallpkillkillallpkillsed

description	ioc	process
/proc/filesystems	/proc/filesystems	killall
/proc/sys/kernel/osrelease	/proc/sys/kernel/osrelease	pkill
/proc/filesystems	/proc/filesystems	killall
/proc/sys/kernel/osrelease	/proc/sys/kernel/osrelease	pkill
/proc/filesystems	/proc/filesystems	sed

Writes file to tmp directory 1 IoCs
Malware often drops required files in the /tmp directory.

Processes:

rm

description ioc process

/tmp/Killbash.x /tmp/Killbash.x rm

description	ioc	process
/tmp/Killbash.x	/tmp/Killbash.x	rm

/tmp/Killbash.x
/tmp/Killbash.x
1⤵
PID:580

/bin/sh
/tmp/Killbash.x -c "exec '/tmp/Killbash.x' \"\$@\"" /tmp/Killbash.x
1⤵
PID:580

/tmp/Killbash.x
/tmp/Killbash.x
1⤵
PID:580

/bin/sh
/tmp/Killbash.x -c " #!/bin/sh Config=\"/etc/init.d/Me8ing.conf\" tempfile=`cat \$Config | awk '{print \$1}'` filetemp=\"/usr/bin/\$tempfile\" filename=`date +%s%N | md5sum | head -c 10` filepath=\"/usr/bin/\$filename\" tempbash=`cat \$Config | awk '{print \$2}'` bashtemp=\"/usr/bin/\$tempbash\" bashname=`date +%s%N | md5sum | head -c 10` bashpath=\"/usr/bin/\$bashname\" lockr -i \$bashtemp;rm -f \$bashtemp;killall \$tempbash;pkill \$tempbash lockr -i \$filetemp;rm -f \$filetemp;killall \$tempfile;pkill \$tempfile lockr -i /etc/rc.local;sed -i \"s|\$bashtemp start||\" /etc/rc.local rm -f \$0 exit" /tmp/Killbash.x
1⤵
PID:580

/bin/rm
rm -f /usr/bin/
2⤵
PID:595

/usr/bin/killall
killall
2⤵
- Reads runtime system information
PID:596

/usr/bin/pkill
pkill
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:597

/bin/rm
rm -f /usr/bin/
2⤵
PID:598

/usr/bin/killall
killall
2⤵
- Reads runtime system information
PID:599

/usr/bin/pkill
pkill
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:600

/bin/sed
sed -i "s|/usr/bin/ start||" /etc/rc.local
2⤵
- Modifies rc script
- Reads runtime system information
PID:601

/bin/rm
rm -f /tmp/Killbash.x
2⤵
- Writes file to tmp directory
PID:602

/bin/cat
cat /etc/init.d/Me8ing.conf
1⤵
- Modifies init.d
PID:582

/usr/bin/awk
awk "{print \$1}"
1⤵
PID:583

/bin/date
date "+%s%N"
1⤵
PID:585

/usr/bin/head
head -c 10
1⤵
PID:587

/usr/bin/md5sum
md5sum
1⤵
PID:586

/usr/bin/awk
awk "{print \$2}"
1⤵
PID:590

/bin/cat
cat /etc/init.d/Me8ing.conf
1⤵
- Modifies init.d
PID:589

/bin/date
date "+%s%N"
1⤵
PID:592

/usr/bin/head
head -c 10
1⤵
PID:594

/usr/bin/md5sum
md5sum
1⤵
PID:593

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads