0bb78df6c8e049c7a33d2656555e15388a59ee96bde6f221ac5494b959cd60eb

Analysis

max time kernel
154s
max time network
102s
platform
linux_amd64
resource
ubuntu1804-amd64-en-20211208
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-en-20211208kernel:4.15.0-161-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
09-05-2023 04:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

server.out
Size

15KB
MD5

4e0a5548d669fb559fc9557c29d1300d
SHA1

20c475d06b77ea4078db08814acebc6c9d8a47ca
SHA256

b69738c655dee0071b1ce37ab5227018ebce01ba5e90d28bd82d63c46e9e63a4
SHA512

7f128a3110bea36b22a3f784b991f0a4b44f2c01a5df837ac0badb3742f8da742f0bd971fa492829db413c9f69b6dd8c64ec6934b33da4ef11d0025522878dbb
SSDEEP

192:GflaEbxJEYalA9qF9Aig5B7PNTa8EBiB6hygBCyftVm5cmF4tGEApxn:3UClA9kxg/FTyUM4gBCyftV2342px

Score

7^/10

persistence

Malware Config

Signatures

Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
persistence

Scheduled Task
T1053

Processes:

crontab

description ioc process

File opened for modification /var/spool/cron/crontabs/tmp.rPSzjx crontab
Executes dropped EXE 1 IoCs

Processes:

socks5.sh

pid process

576 socks5.sh
Reads runtime system information 1 IoCs
Reads data from /proc virtual filesystem.

Processes:

sed

description ioc process

File opened for reading /proc/filesystems sed
Writes file to tmp directory 1 IoCs
Malware often drops required files in the /tmp directory.

Processes:

server.out

description ioc process

File opened for modification /tmp/socks5.sh server.out

description	ioc	process
File opened for modification	/var/spool/cron/crontabs/tmp.rPSzjx	crontab

pid	process
576	socks5.sh

description	ioc	process
File opened for reading	/proc/filesystems	sed

description	ioc	process
File opened for modification	/tmp/socks5.sh	server.out

/tmp/server.out
/tmp/server.out
1⤵
- Writes file to tmp directory
PID:575

/tmp/socks5.sh
/tmp/socks5.sh
2⤵
- Executes dropped EXE
PID:576

crontab
crontab -
3⤵
- Creates/modifies Cron job
PID:578

rm
rm -rf /tmp/socks5.sh
3⤵
PID:580

cat
cat /dev/fd/63 /dev/fd/62
3⤵
PID:577

sed
sed /socks5_backconnect777/d /dev/fd/62
1⤵
- Reads runtime system information
PID:583

crontab
crontab -l
1⤵
PID:584

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/socks5.sh

Filesize
200B

MD5
c7633fc3d5c9fd11a808d417f3c20fe9

SHA1
a3fca1a5cd8619e1eecc532b42dd5ec3a68ae2f7

SHA256
6c4668b770274cf679f6a8781c11d9df3b766325ee19b03ba780192e3a313493

SHA512
369c7be63ac24f3a94516671f1d8d4e61b1f2df4af59eee0c034d069c787d41c7e60321be0f31226a4fc047f606fcf22ce3ae8566b5918d75da36c7e1e1382c7

Download Submit
/var/spool/cron/crontabs/tmp.rPSzjx

Filesize
253B

MD5
2ccb7c92315681d496385384c7f998c4

SHA1
5b2baff7c4a9fd8e7ee3857932ded50060e997e3

SHA256
d36ef9d046aa46e8966784b7cb4ee7cf00778215de50a9830cca8c9375449912

SHA512
27366cb20280d394a3837bfc54fd2c41f20883cdbb9080599b57283e4efe2210c61116440ff0b9a217adcf8ce8298dd1f47347449c826a8f2dbc483952a400cd

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads