d69a4ac8bfe22dba19de78fdc31c1d13b6e1b57ffece505630a9c6becabbae2f | Triage

Analysis

max time kernel
8s
max time network
134s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20231026-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20231026-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
14/11/2023, 07:28

Sharing

Report Analysis Logs

General

Target

shell-bot/22
Size

21KB
MD5

7e4c409f8f570a3ea7546be22566de2e
SHA1

0dbef070c9cee7e1288286ff75077ddfa8535389
SHA256

e58192b38de0def86eb3acc508120ef0041678bfb9fa5601cf6f7ceed7f71db0
SHA512

760f1758ac9ab23b3df23365767185bf3d92d6aea766adfd08ac288bfc8fb5c96eb5938704262b0cc3558db2adc250c184cb5b7f3cd73fa015ffddca240f9606
SSDEEP

192:RnxzjwsWskaDanX6JENuZYhz0h+fcfLBj4Yj+2FAm2McYBNWYnCVme+x7HQS:BWskamFsqGhR9j1pFp2McYBBnCVmfx

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

ioc	pid	Process
/tmp/filed1qwVL	1560	filed1qwVL

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

Scheduled Task/Job

description	ioc	Process
File opened for modification	/etc/cron.hourly/0	22

Uses Polkit to run commands 1 IoCs

Uses Polkit pkexec as a proxy to execute commands, possibly to bypass security restrictions.

pid	Process
1560	pkexec

Writes file to system bin folder 1 TTPs 1 IoCs

Hijack Execution Flow

description	ioc	Process
File opened for modification	/bin/ls	22

Reads runtime system information 2 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/self/exe	22
File opened for reading	/proc/filesystems	pkexec

Writes file to tmp directory 14 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/ccVMMHCM.s	gcc
File opened for modification	/tmp/ccRUuenk.o	as
File opened for modification	/tmp/ccV80D4n.o	collect2
File opened for modification	/tmp/shell-bot/lol/gconv-modules	filed1qwVL
File opened for modification	/tmp/filed1qwVL	22
File opened for modification	/tmp/ccohLdLt.le	collect2
File opened for modification	/tmp/cchmPNbS.res	gcc
File opened for modification	/tmp/shell-bot/payload.so	ld
File opened for modification	/tmp/shell-bot/payload.c	filed1qwVL
File opened for modification	/tmp/ccRUuenk.o	gcc
File opened for modification	/tmp/ccFhTEeQ.c	collect2
File opened for modification	/tmp/ccUYGPUV.ld	collect2
File opened for modification	/tmp/shell-bot/GCONV_PATH=./lol	filed1qwVL
File opened for modification	/tmp/ccVMMHCM.s	cc1

/tmp/shell-bot/22
/tmp/shell-bot/22
1⤵
- Creates/modifies Cron job
- Writes file to system bin folder
- Reads runtime system information
- Writes file to tmp directory
PID:1555
- /tmp/filed1qwVL
  /tmp/shell-bot/22
  2⤵
  - Executes dropped EXE
  - Writes file to tmp directory
  PID:1560
- - /bin/sh
    sh -c "gcc -o payload.so -shared -fPIC payload.c"
    3⤵
    PID:1561
  - - /usr/bin/gcc
      gcc -o payload.so -shared -fPIC payload.c
      4⤵
      Writes file to tmp directory
      PID:1562
    - - /usr/lib/gcc/x86_64-linux-gnu/7/cc1
        
        /usr/lib/gcc/x86_64-linux-gnu/7/cc1 -quiet -imultiarch x86_64-linux-gnu payload.c -quiet -dumpbase payload.c "-mtune=generic" "-march=x86-64" -auxbase payload -fPIC -fstack-protector-strong -Wformat -Wformat-security -o /tmp/ccVMMHCM.s
        5⤵
        Writes file to tmp directory
        
        PID:1563
    - - /usr/local/sbin/as
        
        as --64 -o /tmp/ccRUuenk.o /tmp/ccVMMHCM.s
        5⤵
        
        PID:1564
    - - /usr/local/bin/as
        
        as --64 -o /tmp/ccRUuenk.o /tmp/ccVMMHCM.s
        5⤵
        
        PID:1564
    - - /usr/sbin/as
        
        as --64 -o /tmp/ccRUuenk.o /tmp/ccVMMHCM.s
        5⤵
        
        PID:1564
    - - /usr/bin/as
        
        as --64 -o /tmp/ccRUuenk.o /tmp/ccVMMHCM.s
        5⤵
        Writes file to tmp directory
        
        PID:1564
    - - /usr/lib/gcc/x86_64-linux-gnu/7/collect2
        
        /usr/lib/gcc/x86_64-linux-gnu/7/collect2 -plugin /usr/lib/gcc/x86_64-linux-gnu/7/liblto_plugin.so "-plugin-opt=/usr/lib/gcc/x86_64-linux-gnu/7/lto-wrapper" "-plugin-opt=-fresolution=/tmp/cchmPNbS.res" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" "-plugin-opt=-pass-through=-lc" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" --build-id --eh-frame-hdr -m elf_x86_64 "--hash-style=gnu" --as-needed -shared -z relro -o payload.so /usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/crti.o /usr/lib/gcc/x86_64-linux-gnu/7/crtbeginS.o -L/usr/lib/gcc/x86_64-linux-gnu/7 -L/usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu -L/usr/lib/gcc/x86_64-linux-gnu/7/../../../../lib -L/lib/x86_64-linux-gnu -L/lib/../lib -L/usr/lib/x86_64-linux-gnu -L/usr/lib/../lib -L/usr/lib/gcc/x86_64-linux-gnu/7/../../.. /tmp/ccRUuenk.o -lgcc --push-state --as-needed -lgcc_s --pop-state -lc -lgcc --push-state --as-needed -lgcc_s --pop-state /usr/lib/gcc/x86_64-linux-gnu/7/crtendS.o /usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/crtn.o
        5⤵
        Writes file to tmp directory
        
        PID:1565
      - /usr/bin/ld
        
        /usr/bin/ld -plugin /usr/lib/gcc/x86_64-linux-gnu/7/liblto_plugin.so "-plugin-opt=/usr/lib/gcc/x86_64-linux-gnu/7/lto-wrapper" "-plugin-opt=-fresolution=/tmp/cchmPNbS.res" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" "-plugin-opt=-pass-through=-lc" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" --build-id --eh-frame-hdr -m elf_x86_64 "--hash-style=gnu" --as-needed -shared -z relro -o payload.so /usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/crti.o /usr/lib/gcc/x86_64-linux-gnu/7/crtbeginS.o -L/usr/lib/gcc/x86_64-linux-gnu/7 -L/usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu -L/usr/lib/gcc/x86_64-linux-gnu/7/../../../../lib -L/lib/x86_64-linux-gnu -L/lib/../lib -L/usr/lib/x86_64-linux-gnu -L/usr/lib/../lib -L/usr/lib/gcc/x86_64-linux-gnu/7/../../.. /tmp/ccRUuenk.o -lgcc --push-state --as-needed -lgcc_s --pop-state -lc -lgcc --push-state --as-needed -lgcc_s --pop-state /usr/lib/gcc/x86_64-linux-gnu/7/crtendS.o /usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/crtn.o
        6⤵
        Writes file to tmp directory
        
        PID:1566
- /usr/bin/pkexec
  2⤵
  - Uses Polkit to run commands
  - Reads runtime system information
  PID:1560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Hijack Execution Flow

Scheduled Task/Job

Privilege Escalation

Hijack Execution Flow

Scheduled Task/Job

Defense Evasion

Hijack Execution Flow

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/cron.hourly/0

Filesize
92B

MD5
3f006f7f81fc17be7f4a0d3da0fad5de

SHA1
97a94d3d0654c6551057af3809b52572bd7f9f5d

SHA256
982f9e0f089b91ba79df723435099df15c72e1201a45010ee60226ab136c93bf

SHA512
97d2ac0057427b940ada7c0fc805c1966e2535c3c3767ca85fef4a7e0fdc9d4ef9eb133530408b1e439df067881cb317e948ad9bfd487e958a04c97d9db978e0

Download Submit
/tmp/ccRUuenk.o

Filesize
2KB

MD5
345c5531e3858eea5ea274e7381c58a1

SHA1
70889be48a916442ed3458864eff5bf4dcc36b30

SHA256
426de9f88e1249a4017b6564b8b32c0c18357f5d825441d6a808e00f823abcc6

SHA512
38a4e0624b3598ed3498d4c9bc8ecefc122e60dc1b67ab0df71de6d83977f7224ee1a5b70f1ba527409c5eeb1e4df7a85fc6c719cde664ed96176d7b585e40ce

Download Submit
/tmp/ccVMMHCM.s

Filesize
1KB

MD5
3311369c6ecd004ddccdbbf8ff91826a

SHA1
ffa8e5e2dd446b3baccabb55c7bb954148c64502

SHA256
5f221ac86ea687a2bf170f3cf20d8444c3a3be4410a0592b234a012e802b495a

SHA512
6ecab9b9e864bc6a9f5ee401e94f813c8ad3dfcc02312bfad684091dd7e883ab36a7f384b26e44fb3173c615245ec609b2894113ee79d943663f62fa218c6bd1

Download Submit
/tmp/filed1qwVL

Filesize
12KB

MD5
3f604aaf29add5c4e1d110f560d22c88

SHA1
cbe738f14b05c3bfc50e5b1f78230b3e0c76d1b4

SHA256
457b3a87063efbd3608568b8ffceb07e2d4aa28b626852c66842076c9be2bba2

SHA512
7b408e6cf7408fb27b9003eec587554c61e92a8967266613c2c4c9bbe4ff59fe6a7bb6ea0a63ef0d3981268ed50b451de34bfb6219dd7a15dd3631363521a9ad

Download Submit
/tmp/shell-bot/lol/gconv-modules

Filesize
47B

MD5
abf4899a9b112331a6f28be4f4ebde17

SHA1
bc04cf0dd07679b8e4762a7ac452298927cbfe8b

SHA256
7361c6861fdb08cab819b13bf2327bc82eebdd70651c7de1aed18515c1700d97

SHA512
4a602fcd23358ad743dc83e4c9bd973a773375fd8a590333e28541ec25d2ece8aa7b9f457263a5c5b0e107ca4fb9d841408f951d676831d1d36eda2bf7eb5cc4

Download Submit
/tmp/shell-bot/payload.c

Filesize
310B

MD5
9bdd9493f821ae398a112a86e16b67a8

SHA1
99dedb7cff4bd61a75b4e64960d230158efd702f

SHA256
c679b408275f9624602702f5601954f3b51efbb1acc505950ee88175854e783f

SHA512
4357330d472489f9ca9c4f3a281fcd85a1a37421ea5cee1973fd3acf9e22cb2f8d4fea216b46c57f85a4aeff08a72cb8a46f1a01b5389c1a89a6613b48c8816e

Download Submit