c858e10e29b769ca86445ba1bebdf708e88245da4e96c4afc967818e8293e099 | Triage

Analysis

max time kernel
0s
max time network
103s
platform
linux_amd64
resource
ubuntu1804-amd64-en-20211208
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-en-20211208kernel:4.15.0-161-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
27-03-2023 09:33

Sharing

Report Analysis Logs

General

Target

Killbash.x
Size

338KB
MD5

7622b6a703b61b767a8f15fe24801ff8
SHA1

d987be4df6349f1ed7934b4e0154ce743bce863d
SHA256

95fb9e93efec22c8426f3d557a0c353ff63aa323f42180ecacdf9cd7cfe4c5aa
SHA512

e950f0eb8b971980342f889b36b2794b883925879e6a8105c1179e9b99492006f324f0aeedc62f77ed7ca8a0cf13c99eb7b6a2e38f4e6bd41e511ac38143fa00
SSDEEP

6144:wFE15RyBAwujPOjS7624nLqFLof5cAw+l0qbRQ2Aj4qewO3TjC45:jllGSWlnLIoRcAw+lFbSsve45

Score

7^/10

persistence

Malware Config

Signatures

Modifies init.d 1 TTPs 2 IoCs

Adds/modifies system service, likely for persistence.

Boot or Logon Autostart Execution

description	ioc	Process
/etc/init.d/Me8ing.conf	/etc/init.d/Me8ing.conf	cat
/etc/init.d/Me8ing.conf	/etc/init.d/Me8ing.conf	cat

Modifies rc script 1 TTPs 1 IoCs

Adding/modifying system rc scripts is a common persistence mechanism.

Boot or Logon Autostart Execution

description	ioc	Process
/etc/rc.local	/etc/rc.local	sed

Reads CPU attributes 1 TTPs 2 IoCs

System Information Discovery

description	ioc	Process
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	pkill
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	pkill

Reads runtime system information 5 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
/proc/filesystems	/proc/filesystems	killall
/proc/sys/kernel/osrelease	/proc/sys/kernel/osrelease	pkill
/proc/filesystems	/proc/filesystems	killall
/proc/sys/kernel/osrelease	/proc/sys/kernel/osrelease	pkill
/proc/filesystems	/proc/filesystems	sed

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
/tmp/Killbash.x	/tmp/Killbash.x	rm

/tmp/Killbash.x
/tmp/Killbash.x
1⤵
PID:580

/bin/sh
/tmp/Killbash.x -c "exec '/tmp/Killbash.x' \"\$@\"" /tmp/Killbash.x
1⤵
PID:580

/tmp/Killbash.x
/tmp/Killbash.x
1⤵
PID:580

/bin/sh
/tmp/Killbash.x -c " #!/bin/sh Config=\"/etc/init.d/Me8ing.conf\" tempfile=`cat \$Config | awk '{print \$1}'` filetemp=\"/usr/bin/\$tempfile\" filename=`date +%s%N | md5sum | head -c 10` filepath=\"/usr/bin/\$filename\" tempbash=`cat \$Config | awk '{print \$2}'` bashtemp=\"/usr/bin/\$tempbash\" bashname=`date +%s%N | md5sum | head -c 10` bashpath=\"/usr/bin/\$bashname\" lockr -i \$bashtemp;rm -f \$bashtemp;killall \$tempbash;pkill \$tempbash lockr -i \$filetemp;rm -f \$filetemp;killall \$tempfile;pkill \$tempfile lockr -i /etc/rc.local;sed -i \"s|\$bashtemp start||\" /etc/rc.local rm -f \$0 exit" /tmp/Killbash.x
1⤵
PID:580
- /bin/rm
  rm -f /usr/bin/
  2⤵
  PID:595
- /usr/bin/killall
  killall
  2⤵
  - Reads runtime system information
  PID:596
- /usr/bin/pkill
  pkill
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:597
- /bin/rm
  rm -f /usr/bin/
  2⤵
  PID:598
- /usr/bin/killall
  killall
  2⤵
  - Reads runtime system information
  PID:599
- /usr/bin/pkill
  pkill
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:600
- /bin/sed
  sed -i "s|/usr/bin/ start||" /etc/rc.local
  2⤵
  - Modifies rc script
  - Reads runtime system information
  PID:601
- /bin/rm
  rm -f /tmp/Killbash.x
  2⤵
  - Writes file to tmp directory
  PID:602

/bin/cat
cat /etc/init.d/Me8ing.conf
1⤵
- Modifies init.d
PID:582

/usr/bin/awk
awk "{print \$1}"
1⤵
PID:583

/bin/date
date "+%s%N"
1⤵
PID:585

/usr/bin/head
head -c 10
1⤵
PID:587

/usr/bin/md5sum
md5sum
1⤵
PID:586

/usr/bin/awk
awk "{print \$2}"
1⤵
PID:590

/bin/cat
cat /etc/init.d/Me8ing.conf
1⤵
- Modifies init.d
PID:589

/bin/date
date "+%s%N"
1⤵
PID:592

/usr/bin/head
head -c 10
1⤵
PID:594

/usr/bin/md5sum
md5sum
1⤵
PID:593

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Privilege Escalation

Boot or Logon Autostart Execution

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads