d314764ec9a516ae7f3288277c329e80f74ad113b16716a24293839d98ed0f21

Analysis

max time kernel
6s
platform
debian-9_armhf
resource
debian9-armhf-20230831-en
resource tags

arch:armhfimage:debian9-armhf-20230831-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
09-10-2023 12:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

t0
Size

80KB
MD5

09d55ee3160f3859c48176053920c0e9
SHA1

a7c0819465601021dbba4b0b884ce053cfb94b9e
SHA256

2c44909d5919e50e0e1d35f20b34c8bd64089104ef7cfe82f6257c1ebbf4d832
SHA512

629a1432a87f07dd890625e75cce2c34fb63c9e3a57782b3f560c052999fae9c537a12e96147be8103f9c119b086e3ceffd02f326856eac0e663c146344c6006
SSDEEP

1536:WW3J6b2FfV0tVl+eHwbIsEXyW6uh5wxM4e3S2RPoRL3WUTn7cdicMcZgBOa8Mkrq:uiFd0x+8TXewmxM4e2RjnDchGoaArZ8

Score

6^/10

persistence

Malware Config

Signatures

Creates/modifies Cron job 1 TTPs 2 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

persistence

Scheduled Task/Job

T1053

description	ioc	Process
File opened for modification	/var/spool/cron/crontabs/root	bash
File opened for modification	/etc/crontab	bash

Enumerates running processes
Discovers information about currently running processes on the system

Reads CPU attributes 1 TTPs 1 IoCs

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	pgrep

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/4/status	pgrep
File opened for reading	/proc/6/status	pgrep
File opened for reading	/proc/6/cmdline	pgrep
File opened for reading	/proc/108/cmdline	pgrep
File opened for reading	/proc/280/cmdline	pgrep
File opened for reading	/proc/363/cmdline	pgrep
File opened for reading	/proc/11/status	pgrep
File opened for reading	/proc/41/status	pgrep
File opened for reading	/proc/271/status	pgrep
File opened for reading	/proc/366/cmdline	pgrep
File opened for reading	/proc/12/status	pgrep
File opened for reading	/proc/41/cmdline	pgrep
File opened for reading	/proc/131/status	pgrep
File opened for reading	/proc/163/cmdline	pgrep
File opened for reading	/proc/286/status	pgrep
File opened for reading	/proc/379/cmdline	pgrep
File opened for reading	/proc/21/status	pgrep
File opened for reading	/proc/2/status	pgrep
File opened for reading	/proc/147/cmdline	pgrep
File opened for reading	/proc/313/status	pgrep
File opened for reading	/proc/229/cmdline	pgrep
File opened for reading	/proc/322/status	pgrep
File opened for reading	/proc/362/status	pgrep
File opened for reading	/proc/368/status	pgrep
File opened for reading	/proc/11/cmdline	pgrep
File opened for reading	/proc/20/status	pgrep
File opened for reading	/proc/107/cmdline	pgrep
File opened for reading	/proc/229/status	pgrep
File opened for reading	/proc/370/status	pgrep
File opened for reading	/proc/371/status	pgrep
File opened for reading	/proc/3/cmdline	pgrep
File opened for reading	/proc/16/status	pgrep
File opened for reading	/proc/24/cmdline	pgrep
File opened for reading	/proc/27/status	pgrep
File opened for reading	/proc/323/cmdline	pgrep
File opened for reading	/proc/5/cmdline	pgrep
File opened for reading	/proc/10/cmdline	pgrep
File opened for reading	/proc/14/cmdline	pgrep
File opened for reading	/proc/24/status	pgrep
File opened for reading	/proc/42/status	pgrep
File opened for reading	/proc/163/status	pgrep
File opened for reading	/proc/230/cmdline	pgrep
File opened for reading	/proc/313/cmdline	pgrep
File opened for reading	/proc/364/status	pgrep
File opened for reading	/proc/2/cmdline	pgrep
File opened for reading	/proc/16/cmdline	pgrep
File opened for reading	/proc/147/status	pgrep
File opened for reading	/proc/280/status	pgrep
File opened for reading	/proc/371/cmdline	pgrep
File opened for reading	/proc/108/status	pgrep
File opened for reading	/proc/318/cmdline	pgrep
File opened for reading	/proc/28/cmdline	pgrep
File opened for reading	/proc/43/status	pgrep
File opened for reading	/proc/213/status	pgrep
File opened for reading	/proc/370/cmdline	pgrep
File opened for reading	/proc/7/status	pgrep
File opened for reading	/proc/26/status	pgrep
File opened for reading	/proc/29/status	pgrep
File opened for reading	/proc/4/cmdline	pgrep
File opened for reading	/proc/17/cmdline	pgrep
File opened for reading	/proc/18/status	pgrep
File opened for reading	/proc/232/cmdline	pgrep
File opened for reading	/proc/271/cmdline	pgrep
File opened for reading	/proc/10/status	pgrep

/tmp/t0
/tmp/t0
1⤵
PID:368
- /bin/bash
  /bin/bash
  2⤵
  - Creates/modifies Cron job
  PID:370
- - /bin/grep
    grep -q qshapeu /var/spool/cron/crontabs/root
    3⤵
    PID:377
- - /bin/grep
    grep -q qshapeu /etc/crontab
    3⤵
    PID:378
- - /usr/bin/pgrep
    pgrep qshapeu
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:379
- - /bin/rm
    rm -rf /usr/sbin/qshapeu
    3⤵
    PID:381
- - /usr/bin/clear
    clear
    3⤵
    PID:383
- - /usr/bin/clear
    clear
    3⤵
    PID:385

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/root/.bash_history

Filesize
1B

MD5
68b329da9893e34099c7d8ad5cb9c940

SHA1
adc83b19e793491b1c6ea0fd8b46cd9f32e592fc

SHA256
01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b

SHA512
be688838ca8686e5c90689bf2ab585cef1137c999b48c70b92f67a5c34dc15697b5d11c982ed6d71be1e1e7f7b4e0733884aa97c3f7a339a8ed03577cf74be09

Download Submit
/var/spool/cron/crontabs/root

Filesize
117B

MD5
edb3851a4de5833132f7e7f9573cc146

SHA1
5696082c1cee006cec442107ab1df28cf1959278

SHA256
1c4e3faea671cfa5ce361a19b2e8f8ee3f1f8379910ec4ea16261223e7550e81

SHA512
42a016a9be71ad9bb49c937ad33dfd6dfed697b371815c9517b02b3fd4d542cf00fba85f4796602a96bccb5526a1344df1563988bea9c9393be075f58ad7f781

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads