d817131a06e282101d1da0a44df9b273f2c65bd0f4dd7cd9ef8e74ed49ce57e4

Analysis

max time kernel
6s
max time network
8s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20221111-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20221111-enkernel:4.15.0-161-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
09-05-2023 04:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

socks.out
Size

6KB
MD5

345b602eef289ed62c556690a99038a2
SHA1

7dd9def613ae3aa30f66326cb9ad724431ac69de
SHA256

5da486c1d5024f144333032ffbeae9f8e6de951f6633791861055564952ee779
SHA512

1066d90edecea83f1773169a0d7d6a0635904ff284c83d0ca9fc04751b967795b2e68ffb636350dc7697e05298ce0e82af0dad23e27a05843af07a094491e0b9
SSDEEP

96:GRSSjU6eW+vxLCFCOE7JV4Gix/5UB/bEbZ4hrClAcrOX/YLHZHPst/8+CyA:G/+MMOEgGo/5GE99k

Score

7^/10

persistence

Malware Config

Signatures

Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
persistence

Scheduled Task
T1053

Processes:

crontab

description ioc process

File opened for modification /var/spool/cron/crontabs/tmp.lgbhNX crontab
Executes dropped EXE 1 IoCs

Processes:

socks5.sh

pid process

600 socks5.sh
Reads runtime system information 1 IoCs
Reads data from /proc virtual filesystem.

Processes:

sed

description ioc process

File opened for reading /proc/filesystems sed
Writes file to tmp directory 1 IoCs
Malware often drops required files in the /tmp directory.

Processes:

socks.out

description ioc process

File opened for modification /tmp/socks5.sh socks.out

description	ioc	process
File opened for modification	/var/spool/cron/crontabs/tmp.lgbhNX	crontab

pid	process
600	socks5.sh

description	ioc	process
File opened for reading	/proc/filesystems	sed

description	ioc	process
File opened for modification	/tmp/socks5.sh	socks.out

/tmp/socks.out
/tmp/socks.out
1⤵
- Writes file to tmp directory
PID:599

/tmp/socks5.sh
/tmp/socks5.sh
2⤵
- Executes dropped EXE
PID:600

crontab
crontab -
3⤵
- Creates/modifies Cron job
PID:602

cat
cat /dev/fd/63 /dev/fd/62
3⤵
PID:601

sed
sed /socks5_backconnect666/d /dev/fd/62
1⤵
- Reads runtime system information
PID:606

crontab
crontab -l
1⤵
PID:607

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/socks5.sh
Filesize
175B

MD5
c713e566e25fce6da2854e042f47f6e8

SHA1
8b90244d2bbd5ad452b47439b9f13ba2c2a8cd7d

SHA256
5a1fb39fd13d1af10900fe08459b64dd621d84a4797eb3c8b8949f90b947b9de

SHA512
92375b0a8afec222a2959fb3960a6acb733d08bba0a4524559610717627538768eba9ac55c98563033f74e350269c905ca447f58cdec5e33116548af9548b00f

Download Submit
/var/spool/cron/crontabs/tmp.lgbhNX
Filesize
252B

MD5
1bff4e80305059644468b6bac3e17f15

SHA1
b69797c171273625f49dc6bf80cb461a901e3997

SHA256
a4be96d8853e7e873d38c6e2ac7af59ab4d1af5148e4211cbe0737c310cb81d4

SHA512
9b17ee9c177a0abcaf60c7db09b975554e0a8abbbb97e7da66eeb741f71a2a959f5f0da336c7b107a2be2039aefad446bf665599398dd2bbc32561f2174212c4

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads