91405b574b920cdd1fb2dcb40db7a364dec4e6de62114db9aff00d366fc62c1f

Analysis

max time kernel
14s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20221125-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20221125-enkernel:4.15.0-161-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
04/06/2023, 17:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

rn02s62s
Size

4KB
MD5

8c2a55f8e277609968700c8938910c62
SHA1

a764a3e0877b8f81bc6e5d385ba0eacdf37e849e
SHA256

91405b574b920cdd1fb2dcb40db7a364dec4e6de62114db9aff00d366fc62c1f
SHA512

b586b6e89ebdc4badabef96960a8a3e15817b2020243796087a4cfeb3e413ae7637d8f4049f869ce4272895f981c59d99d99b65dd962f56fbacb97788dd4b902
SSDEEP

96:r/SasasaPaUhdauaya8a42ayRYFilsapmBtMwrPZRTYnBi:DSr18NhdFvZwpOlMwrnknBi

Score

7^/10

persistence

Malware Config

Signatures

Modifies hosts file 1 IoCs

Adds to hosts file used for mapping hosts to IP addresses.

description	ioc	Process
File opened for modification	/etc/hosts	rn02s62s

Attempts to change immutable files 17 IoCs

Modifies inode attributes on the filesystem to allow changing of immutable files.

pid	Process
679	chattr
702	chattr
670	chattr
696	chattr
701	chattr
703	chattr
724	xargs
656	chattr
668	chattr
680	chattr
681	chattr
706	chattr
671	chattr
698	chattr
700	chattr
704	chattr
705	chattr

Creates/modifies Cron job 1 TTPs 5 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

persistence

Scheduled Task

T1053

description	ioc	Process
File opened for modification	/var/spool/cron/root	rn02s62s
File opened for modification	/var/spool/cron/crontabs/root	rn02s62s
File opened for modification	/etc/cron.d/root	rn02s62s
File opened for modification	/var/spool/cron/crontabs/tmp.fBNNnL	crontab
File opened for modification	/etc/crontab	rn02s62s

Enumerates running processes
Discovers information about currently running processes on the system

Reads CPU attributes 1 TTPs 19 IoCs

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pkill

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/14/status	pkill
File opened for reading	/proc/78/cmdline	pgrep
File opened for reading	/proc/11/status	pgrep
File opened for reading	/proc/21/cmdline	pkill
File opened for reading	/proc/21/cmdline	pkill
File opened for reading	/proc/26/cmdline	pgrep
File opened for reading	/proc/346/status	pkill
File opened for reading	/proc/155/status	pgrep
File opened for reading	/proc/82/cmdline	ps
File opened for reading	/proc/156/cmdline	ps
File opened for reading	/proc/18/cmdline	pkill
File opened for reading	/proc/367/stat	ps
File opened for reading	/proc/80/stat	ps
File opened for reading	/proc/161/cmdline	pgrep
File opened for reading	/proc/2/status	ps
File opened for reading	/proc/8/status	pgrep
File opened for reading	/proc/172/cmdline	pkill
File opened for reading	/proc/607/cmdline	pkill
File opened for reading	/proc/719/status	pkill
File opened for reading	/proc/23/status	ps
File opened for reading	/proc/36/cmdline	ps
File opened for reading	/proc/4/cmdline	pkill
File opened for reading	/proc/195/cmdline	pkill
File opened for reading	/proc/290/cmdline	pgrep
File opened for reading	/proc/654/status	pgrep
File opened for reading	/proc/17/status	ps
File opened for reading	/proc/79/cmdline	killall
File opened for reading	/proc/626/stat	killall
File opened for reading	/proc/155/cmdline	pgrep
File opened for reading	/proc/84/status	pkill
File opened for reading	/proc/172/status	pkill
File opened for reading	/proc/345/status	ps
File opened for reading	/proc/11/status	ps
File opened for reading	/proc/351/cmdline	killall
File opened for reading	/proc/605/cmdline	pgrep
File opened for reading	/proc/22/status	pkill
File opened for reading	/proc/610/status	ps
File opened for reading	/proc/12/stat	killall
File opened for reading	/proc/162/stat	killall
File opened for reading	/proc/4/status	pkill
File opened for reading	/proc/163/stat	killall
File opened for reading	/proc/162/cmdline	pgrep
File opened for reading	/proc/431/cmdline	pkill
File opened for reading	/proc/2/status	pkill
File opened for reading	/proc/28/status	pkill
File opened for reading	/proc/195/stat	ps
File opened for reading	/proc/21/stat	ps
File opened for reading	/proc/23/cmdline	pkill
File opened for reading	/proc/585/cmdline	pkill
File opened for reading	/proc/8/status	pkill
File opened for reading	/proc/162/cmdline	pkill
File opened for reading	/proc/290/status	ps
File opened for reading	/proc/1/status	ps
File opened for reading	/proc/447/stat	killall
File opened for reading	/proc/11/status	pgrep
File opened for reading	/proc/170/cmdline	pgrep
File opened for reading	/proc/165/status	pkill
File opened for reading	/proc/131/cmdline	pkill
File opened for reading	/proc/194/stat	ps
File opened for reading	/proc/13/stat	ps
File opened for reading	/proc/166/stat	killall
File opened for reading	/proc/17/cmdline	ps
File opened for reading	/proc/1/status	pgrep
File opened for reading	/proc/24/status	pgrep

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/nohup.out	nohup

/tmp/rn02s62s
/tmp/rn02s62s
1⤵
- Modifies hosts file
- Creates/modifies Cron job
PID:610
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:611
- /bin/grep
  grep -v grep
  2⤵
  PID:612
- /bin/grep
  grep givemexyz
  2⤵
  PID:613
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:614
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:615
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:616
- /bin/grep
  grep -v grep
  2⤵
  PID:617
- /bin/grep
  grep dbuse
  2⤵
  PID:618
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:619
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:620
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:621
- /bin/grep
  grep -v grep
  2⤵
  PID:622
- /bin/grep
  grep kdevtmpfsi
  2⤵
  PID:623
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:624
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:625
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:630
- /bin/grep
  grep -v grep
  2⤵
  PID:631
- /bin/grep
  grep javaupDates
  2⤵
  PID:632
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:633
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:634
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:635
- /bin/grep
  grep -v grep
  2⤵
  PID:636
- /bin/grep
  grep kinsing
  2⤵
  PID:637
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:638
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:639
- /usr/bin/killall
  killall /tmp/netplan_56i8m3z8 /tmp/rn02s62s /tmp/systemd-private-55eb8a076e7946e8bb4487cccd75ecba-systemd-resolved.service-pWZ0bR /tmp/systemd-private-55eb8a076e7946e8bb4487cccd75ecba-systemd-timedated.service-1yeLgm /tmp/systemd-private-55eb8a076e7946e8bb4487cccd75ecba-systemd-timesyncd.service-7gvVEr
  2⤵
  - Reads runtime system information
  PID:640
- /usr/bin/killall
  killall /tmp/. /tmp/.. /tmp/.ICE-unix /tmp/.Test-unix /tmp/.X11-unix /tmp/.XIM-unix /tmp/.font-unix
  2⤵
  - Reads runtime system information
  PID:641
- /usr/bin/killall
  killall /var/tmp/systemd-private-55eb8a076e7946e8bb4487cccd75ecba-systemd-resolved.service-Vw0UX3 /var/tmp/systemd-private-55eb8a076e7946e8bb4487cccd75ecba-systemd-timedated.service-Y3AxO7 /var/tmp/systemd-private-55eb8a076e7946e8bb4487cccd75ecba-systemd-timesyncd.service-7qm7pE
  2⤵
  PID:642
- /usr/bin/killall
  killall /var/tmp/. /var/tmp/..
  2⤵
  - Reads runtime system information
  PID:643
- /usr/bin/pgrep
  pgrep JavaUpdate
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:644
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:645
- /usr/bin/pgrep
  pgrep kinsing
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:646
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:647
- /usr/bin/pgrep
  pgrep donate
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:648
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:649
- /usr/bin/pgrep
  pgrep kdevtmpfsi
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:650
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:651
- /usr/bin/pgrep
  pgrep sysupdate
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:652
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:653
- /usr/bin/pgrep
  pgrep mysqlserver
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:654
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:655
- /usr/bin/chattr
  chattr -ia /var/spool/cron/root
  2⤵
  - Attempts to change immutable files
  PID:656
- /usr/bin/crontab
  crontab -r
  2⤵
  PID:657
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:658
- /bin/grep
  grep -v grep
  2⤵
  PID:660
- /bin/grep
  grep -e yqyKkX1i
  2⤵
  PID:659
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:662
- /bin/rm
  rm -f /tmp/netplan_56i8m3z8 /tmp/rn02s62s /tmp/systemd-private-55eb8a076e7946e8bb4487cccd75ecba-systemd-resolved.service-pWZ0bR /tmp/systemd-private-55eb8a076e7946e8bb4487cccd75ecba-systemd-timedated.service-1yeLgm /tmp/systemd-private-55eb8a076e7946e8bb4487cccd75ecba-systemd-timesyncd.service-7gvVEr
  2⤵
  PID:664
- /bin/rm
  rm -f /tmp/.sola
  2⤵
  PID:665
- /usr/bin/whoami
  whoami
  2⤵
  PID:666
- /usr/bin/whoami
  whoami
  2⤵
  PID:667
- /usr/bin/chattr
  chattr -ia /etc/cron.d/popularity-contest
  2⤵
  - Attempts to change immutable files
  PID:668
- /bin/rm
  rm -rf /etc/cron.d/popularity-contest
  2⤵
  PID:669
- /usr/bin/chattr
  chattr -i /var/spool/cron/crontabs/root
  2⤵
  - Attempts to change immutable files
  PID:670
- /usr/bin/chattr
  chattr -i /usr/local/bin/dns
  2⤵
  - Attempts to change immutable files
  PID:671
- /bin/rm
  rm -f /etc/cron.hourly/oanacroner
  2⤵
  PID:672
- /bin/rm
  rm -f /etc/cron.hourly/oanacrona
  2⤵
  PID:673
- /bin/rm
  rm -f /etc/cron.daily/oanacroner
  2⤵
  PID:674
- /bin/rm
  rm -f /etc/cron.daily/oanacrona
  2⤵
  PID:675
- /bin/rm
  rm -f /etc/cron.monthly/oanacroner
  2⤵
  PID:676
- /bin/rm
  rm -f /usr/local/bin/dns
  2⤵
  PID:677
- /bin/rm
  rm -f /etc/update.sh
  2⤵
  PID:678
- /usr/bin/chattr
  chattr -ia /etc/hosts
  2⤵
  - Attempts to change immutable files
  PID:679
- /usr/bin/chattr
  chattr +ia /etc/hosts
  2⤵
  - Attempts to change immutable files
  PID:680
- /usr/bin/chattr
  chattr -i /etc/sysupdate
  2⤵
  - Attempts to change immutable files
  PID:681
- /bin/rm
  rm -f /etc/sysupdate
  2⤵
  PID:682
- /bin/rm
  rm -f /etc/config.json
  2⤵
  PID:683
- /bin/rm
  rm -f /var/tmp/kworkerds
  2⤵
  PID:684
- /bin/rm
  rm -f /usr/bin/.systemcero
  2⤵
  PID:685
- /bin/rm
  rm -f /usr/bin/cloudupdate
  2⤵
  PID:686
- /bin/rm
  rm -f /usr/bin/diskmanagerd
  2⤵
  PID:687
- /bin/rm
  rm -f /lib/libterminfo.so
  2⤵
  PID:688
- /bin/rm
  rm -f /bin/httpsntp
  2⤵
  PID:689
- /bin/rm
  rm -f /bin/ftpsntp
  2⤵
  PID:690
- /bin/rm
  rm -f /var/tmp/jspserv
  2⤵
  PID:691
- /bin/rm
  rm -f /usr/sbin/cron
  2⤵
  PID:692
- /bin/rm
  rm -f "/usr/bin/kinsing*"
  2⤵
  PID:693
- /bin/rm
  rm -f "/etc/cron.d/kinsing*"
  2⤵
  PID:694
- /bin/rm
  rm -f /usr/bin/node
  2⤵
  PID:695
- /usr/bin/chattr
  chattr -isa /var/spool/cron/crontabs
  2⤵
  - Attempts to change immutable files
  PID:696
- /bin/rm
  rm -rf /var/spool/cron/crontabs
  2⤵
  PID:697
- /usr/bin/chattr
  chattr +isa /tmp/xms
  2⤵
  - Attempts to change immutable files
  PID:698
- /bin/rm
  rm -f /var/tmp/kinsing
  2⤵
  PID:699
- /usr/bin/chattr
  chattr -ia /etc/crontab
  2⤵
  - Attempts to change immutable files
  PID:700
- /usr/bin/chattr
  chattr +ia /etc/crontab
  2⤵
  - Attempts to change immutable files
  PID:701
- /usr/bin/chattr
  chattr -ia /var/spool/cron/root
  2⤵
  - Attempts to change immutable files
  PID:702
- /usr/bin/chattr
  chattr -ia /var/spool/cron/crontabs/root
  2⤵
  - Attempts to change immutable files
  PID:703
- /usr/bin/chattr
  chattr +ia /var/spool/cron/root
  2⤵
  - Attempts to change immutable files
  PID:704
- /usr/bin/chattr
  chattr +ia /etc/cron.d/root
  2⤵
  - Attempts to change immutable files
  PID:705
- /usr/bin/chattr
  chattr +ia /var/spool/cron/crontabs/root
  2⤵
  - Attempts to change immutable files
  PID:706
- /bin/chmod
  chmod +777 /tmp/netplan_56i8m3z8 /tmp/systemd-private-55eb8a076e7946e8bb4487cccd75ecba-systemd-resolved.service-pWZ0bR /tmp/systemd-private-55eb8a076e7946e8bb4487cccd75ecba-systemd-timedated.service-1yeLgm /tmp/systemd-private-55eb8a076e7946e8bb4487cccd75ecba-systemd-timesyncd.service-7gvVEr
  2⤵
  PID:707
- /usr/bin/pkill
  pkill networkservice
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:708
- /usr/bin/pkill
  pkill networkser+
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:709
- /usr/bin/pkill
  pkill watchbog
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:710
- /usr/bin/pkill
  pkill xmrig
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:711
- /bin/rm
  rm -rf /tmp/.solr
  2⤵
  PID:712
- /bin/mkdir
  mkdir /tmp/.solr
  2⤵
  PID:713
- /usr/bin/pkill
  pkill solr.sh
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:718
- /usr/bin/pkill
  pkill solrd
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:719
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:720
- /bin/grep
  grep -v grep
  2⤵
  PID:721
- /bin/grep
  grep -v "java\\|redis\\|mongod\\|mysql\\|oracle\\|tomcat\\|grep\\|postgres\\|confluence\\|awk\\|aux\\|sh"
  2⤵
  PID:722
- /usr/bin/awk
  awk "{if(\$3>60.0) print \$2}"
  2⤵
  PID:723
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:724
- /bin/rm
  rm -rf /tmp/.solr
  2⤵
  PID:725
- /bin/mkdir
  mkdir /tmp/.solr
  2⤵
  PID:726
- /bin/chmod
  chmod +rwx /tmp/.solr
  2⤵
  PID:727
- /bin/chmod
  chmod +x /tmp/.solr/genshin
  2⤵
  PID:728
- /bin/chmod
  chmod +x /tmp/.solr/solrd
  2⤵
  PID:729
- /bin/chmod
  chmod +x /tmp/.solr/solr.sh
  2⤵
  PID:730
- /usr/bin/nohup
  nohup /tmp/.solr/solr.sh
  2⤵
  - Writes file to tmp directory
  PID:731
- /tmp/.solr/solr.sh
  /tmp/.solr/solr.sh
  2⤵
  PID:731
- /bin/sleep
  sleep 10
  2⤵
  PID:733
- /bin/rm
  rm -f /tmp/.solr/solr.sh
  2⤵
  PID:734

/usr/bin/crontab
crontab -l
1⤵
PID:663

/bin/ps
ps auxf
1⤵
- Reads CPU attributes
- Reads runtime system information
PID:715

/bin/grep
grep solrd
1⤵
PID:716

/usr/bin/awk
awk "{if(\$3>=60.0) print \$2}"
1⤵
PID:717

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/cron.d/root

Filesize
68B

MD5
8bf6ad9373d18b02ae1733c77dcb6c91

SHA1
514c746868b5d76fd86fcff21df9df9bbcf2e0ce

SHA256
7d8ca20b3ad068be18a39bfdd7f83aa4d204f82a8685b4d97629df41347e38c7

SHA512
369193515ef6e5283f8c0bb30ab5f94e1338199741dc35e8e907f6baf392eadbcb520d717841e0383f2ed54f5a23d59c253838534203540bc2d92f536dd149a9

Download Submit
/var/spool/cron/crontabs/tmp.fBNNnL

Filesize
237B

MD5
02da5f7e6ae33876eeb0aa62b732f9b1

SHA1
83b6def1375502e7448b0fe129f0e725a894f7db

SHA256
707f0c82e665c39fe4f14503e594ff39a66a6b77fa25c5923f4d01e3b20aa322

SHA512
dfcfd814b24bebb78ccd5bfee28d70e42bad198aead9f470584542665389b6981d6446358705a6d9664be19193768ce004f2edaf41cb74ee152d0a990ba06b7c

Download Submit
/var/spool/cron/root

Filesize
65B

MD5
4d78eb545b718e5a0484861bd1b13423

SHA1
b4a06045ced16b09a89e173e72df23cfe6e1beee

SHA256
f916366f7602bcc8a70bf2580287eaf27b34122dbe1dc86c0176aa1169a834d3

SHA512
8b483a623ccfd728de22c5ae51e59714ea40cb0b9909637a92df6ee761630ab199403a32d29fb76721b8d6229426af7e3801f6b9c3cf25335721eae1e97f76f1

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads