Analysis

  • max time kernel
    8s
  • max time network
    134s
  • platform
    ubuntu-18.04_amd64
  • resource
    ubuntu1804-amd64-20231026-en
  • resource tags

    arch:amd64, arch:i386, image:ubuntu1804-amd64-20231026-en, kernel:4.15.0-213-generic, locale:en-us, os:ubuntu-18.04-amd64, system
  • submitted
    14/11/2023, 07:28

General

  • Target

    shell-bot/22

  • Size

    21KB

  • MD5

    7e4c409f8f570a3ea7546be22566de2e

  • SHA1

    0dbef070c9cee7e1288286ff75077ddfa8535389

  • SHA256

    e58192b38de0def86eb3acc508120ef0041678bfb9fa5601cf6f7ceed7f71db0

  • SHA512

    760f1758ac9ab23b3df23365767185bf3d92d6aea766adfd08ac288bfc8fb5c96eb5938704262b0cc3558db2adc250c184cb5b7f3cd73fa015ffddca240f9606

  • SSDEEP

    192:RnxzjwsWskaDanX6JENuZYhz0h+fcfLBj4Yj+2FAm2McYBNWYnCVme+x7HQS:BWskamFsqGhR9j1pFp2McYBBnCVmfx

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs

    The dropped file /tmp/filed1qwVL (written by PID 1555) is executed as PID 1560.

  • Creates/modifies Cron job 1 TTPs 1 IoCs

    Cron allows running tasks on a schedule, and is commonly used for malware persistence. The file written here is /etc/cron.hourly/0 (92 bytes; hashes under Downloads).

  • Uses Polkit to run commands 1 IoCs

    Uses Polkit pkexec as a proxy to execute commands, possibly to bypass security restrictions. Here PID 1560 (the dropped /tmp/filed1qwVL, which also drives the gcc build of payload.so) execs /usr/bin/pkexec.

  • Writes file to system bin folder 1 TTPs 1 IoCs
  • Reads runtime system information 2 IoCs

    Reads data from /proc virtual filesystem.

  • Writes file to tmp directory 14 IoCs

    Malware often drops required files in the /tmp directory. Most of the 14 hits here are gcc's own temporaries (/tmp/cc*.s, /tmp/cc*.o, /tmp/cc*.res) created while the sample compiles payload.c; the sample's own drops are /tmp/filed1qwVL and the files under /tmp/shell-bot/.

Processes

  • /tmp/shell-bot/22
    /tmp/shell-bot/22
    1⤵
    • Creates/modifies Cron job
    • Writes file to system bin folder
    • Reads runtime system information
    • Writes file to tmp directory
    PID:1555
    • /tmp/filed1qwVL
      /tmp/shell-bot/22
      2⤵
      • Executes dropped EXE
      • Writes file to tmp directory
      PID:1560
      • /bin/sh
        sh -c "gcc -o payload.so -shared -fPIC payload.c"
        3⤵
          PID:1561
          • /usr/bin/gcc
            gcc -o payload.so -shared -fPIC payload.c
            4⤵
            • Writes file to tmp directory
            PID:1562
            • /usr/lib/gcc/x86_64-linux-gnu/7/cc1
              /usr/lib/gcc/x86_64-linux-gnu/7/cc1 -quiet -imultiarch x86_64-linux-gnu payload.c -quiet -dumpbase payload.c "-mtune=generic" "-march=x86-64" -auxbase payload -fPIC -fstack-protector-strong -Wformat -Wformat-security -o /tmp/ccVMMHCM.s
              5⤵
              • Writes file to tmp directory
              PID:1563
            • /usr/local/sbin/as
              as --64 -o /tmp/ccRUuenk.o /tmp/ccVMMHCM.s
              5⤵
              PID:1564
            • /usr/local/bin/as
              as --64 -o /tmp/ccRUuenk.o /tmp/ccVMMHCM.s
              5⤵
              PID:1564
            • /usr/sbin/as
              as --64 -o /tmp/ccRUuenk.o /tmp/ccVMMHCM.s
              5⤵
              PID:1564
            • /usr/bin/as
              as --64 -o /tmp/ccRUuenk.o /tmp/ccVMMHCM.s
              5⤵
              • Writes file to tmp directory
              PID:1564
            • /usr/lib/gcc/x86_64-linux-gnu/7/collect2
              /usr/lib/gcc/x86_64-linux-gnu/7/collect2 -plugin /usr/lib/gcc/x86_64-linux-gnu/7/liblto_plugin.so "-plugin-opt=/usr/lib/gcc/x86_64-linux-gnu/7/lto-wrapper" "-plugin-opt=-fresolution=/tmp/cchmPNbS.res" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" "-plugin-opt=-pass-through=-lc" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" --build-id --eh-frame-hdr -m elf_x86_64 "--hash-style=gnu" --as-needed -shared -z relro -o payload.so /usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/crti.o /usr/lib/gcc/x86_64-linux-gnu/7/crtbeginS.o -L/usr/lib/gcc/x86_64-linux-gnu/7 -L/usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu -L/usr/lib/gcc/x86_64-linux-gnu/7/../../../../lib -L/lib/x86_64-linux-gnu -L/lib/../lib -L/usr/lib/x86_64-linux-gnu -L/usr/lib/../lib -L/usr/lib/gcc/x86_64-linux-gnu/7/../../.. /tmp/ccRUuenk.o -lgcc --push-state --as-needed -lgcc_s --pop-state -lc -lgcc --push-state --as-needed -lgcc_s --pop-state /usr/lib/gcc/x86_64-linux-gnu/7/crtendS.o /usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/crtn.o
              5⤵
              • Writes file to tmp directory
              PID:1565
              • /usr/bin/ld
                /usr/bin/ld -plugin /usr/lib/gcc/x86_64-linux-gnu/7/liblto_plugin.so "-plugin-opt=/usr/lib/gcc/x86_64-linux-gnu/7/lto-wrapper" "-plugin-opt=-fresolution=/tmp/cchmPNbS.res" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" "-plugin-opt=-pass-through=-lc" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" --build-id --eh-frame-hdr -m elf_x86_64 "--hash-style=gnu" --as-needed -shared -z relro -o payload.so /usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/crti.o /usr/lib/gcc/x86_64-linux-gnu/7/crtbeginS.o -L/usr/lib/gcc/x86_64-linux-gnu/7 -L/usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu -L/usr/lib/gcc/x86_64-linux-gnu/7/../../../../lib -L/lib/x86_64-linux-gnu -L/lib/../lib -L/usr/lib/x86_64-linux-gnu -L/usr/lib/../lib -L/usr/lib/gcc/x86_64-linux-gnu/7/../../.. /tmp/ccRUuenk.o -lgcc --push-state --as-needed -lgcc_s --pop-state -lc -lgcc --push-state --as-needed -lgcc_s --pop-state /usr/lib/gcc/x86_64-linux-gnu/7/crtendS.o /usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/crtn.o
                6⤵
                • Writes file to tmp directory
                PID:1566
    • /usr/bin/pkexec
      2⤵
      • Uses Polkit to run commands
      • Reads runtime system information
      PID:1560
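The Signatures and Processes sections above are the output of rule matching over the sandbox's exec/write/read event stream. As an added example (this is not tria.ge code and not code from the sample), the following Python re-creates that kind of matching and runs it over a constructed event list modelled on the process tree and the Downloads list of this report. PIDs, paths and SHA256 values are copied from the report; the /proc paths, the system-bin target name and the output path of payload.so are assumptions, because the report records those hits without naming the files.

```python
"""Signature matching over sandbox events, in the style of this report.

Added example: not tria.ge code and not code from the sample. The event
list at the bottom is constructed from the report's process tree and
Downloads; marked values are assumptions, not facts from the report.
"""
from dataclasses import dataclass

# SHA256 values copied from the Downloads section of the report.
KNOWN_DROPPED_SHA256 = {
    "982f9e0f089b91ba79df723435099df15c72e1201a45010ee60226ab136c93bf": "/etc/cron.hourly/0",
    "457b3a87063efbd3608568b8ffceb07e2d4aa28b626852c66842076c9be2bba2": "/tmp/filed1qwVL",
    "7361c6861fdb08cab819b13bf2327bc82eebdd70651c7de1aed18515c1700d97": "/tmp/shell-bot/lol/gconv-modules",
    "c679b408275f9624602702f5601954f3b51efbb1acc505950ee88175854e783f": "/tmp/shell-bot/payload.c",
}

CRON_PATHS = ("/etc/cron.hourly/", "/etc/cron.daily/", "/etc/cron.weekly/",
              "/etc/cron.monthly/", "/etc/cron.d/", "/var/spool/cron/")
BIN_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/",
            "/usr/local/bin/", "/usr/local/sbin/")


@dataclass(frozen=True)
class Event:
    pid: int
    kind: str          # "exec", "write" or "read"
    path: str
    sha256: str = ""   # only filled in for files the sandbox captured


def match_signatures(events):
    """Return {signature name: [IoC, ...]} for an ordered event stream."""
    hits = {}
    written = set()   # paths written so far, used for "Executes dropped EXE"

    def add(name, event):
        hits.setdefault(name, []).append(f"pid {event.pid}: {event.path}")

    for e in events:
        if e.kind == "write":
            written.add(e.path)
            if e.path.startswith(CRON_PATHS) or e.path == "/etc/crontab":
                add("Creates/modifies Cron job", e)
            if e.path.startswith(BIN_DIRS):
                add("Writes file to system bin folder", e)
            if e.path.startswith("/tmp/"):
                add("Writes file to tmp directory", e)
        elif e.kind == "read":
            if e.path.startswith("/proc/"):
                add("Reads runtime system information", e)
        elif e.kind == "exec":
            # A file written earlier in the run and then executed.
            if e.path in written:
                add("Executes dropped EXE", e)
            if e.path == "/usr/bin/pkexec":
                add("Uses Polkit to run commands", e)
    return hits


def dropped_iocs(events):
    """Paths written during the run whose hash matches a known dropped file."""
    return sorted(e.path for e in events
                  if e.kind == "write" and e.sha256 in KNOWN_DROPPED_SHA256)


# Constructed event stream modelled on the report's process tree.
SAMPLE_EVENTS = [
    Event(1555, "exec", "/tmp/shell-bot/22"),
    Event(1555, "read", "/proc/self/status"),               # assumed /proc path
    Event(1555, "write", "/etc/cron.hourly/0",
          "982f9e0f089b91ba79df723435099df15c72e1201a45010ee60226ab136c93bf"),
    Event(1555, "write", "/usr/bin/shell-bot-helper"),      # assumed target name
    Event(1555, "write", "/tmp/shell-bot/lol/gconv-modules",
          "7361c6861fdb08cab819b13bf2327bc82eebdd70651c7de1aed18515c1700d97"),
    Event(1555, "write", "/tmp/shell-bot/payload.c",
          "c679b408275f9624602702f5601954f3b51efbb1acc505950ee88175854e783f"),
    Event(1555, "write", "/tmp/filed1qwVL",
          "457b3a87063efbd3608568b8ffceb07e2d4aa28b626852c66842076c9be2bba2"),
    Event(1560, "exec", "/tmp/filed1qwVL"),
    Event(1561, "exec", "/bin/sh"),
    Event(1562, "exec", "/usr/bin/gcc"),
    Event(1563, "write", "/tmp/ccVMMHCM.s",
          "5f221ac86ea687a2bf170f3cf20d8444c3a3be4410a0592b234a012e802b495a"),
    Event(1564, "write", "/tmp/ccRUuenk.o",
          "426de9f88e1249a4017b6564b8b32c0c18357f5d825441d6a808e00f823abcc6"),
    Event(1566, "write", "/tmp/shell-bot/payload.so"),      # assumed cwd of gcc
    Event(1560, "exec", "/usr/bin/pkexec"),
    Event(1560, "read", "/proc/self/exe"),                  # assumed /proc path
]


if __name__ == "__main__":
    for name, iocs in match_signatures(SAMPLE_EVENTS).items():
        print(f"{name} ({len(iocs)} IoCs)")
        for ioc in iocs:
            print("   ", ioc)
    print("known dropped files:", dropped_iocs(SAMPLE_EVENTS))
```

The "Executes dropped EXE" rule depends on event order: the exec of /tmp/filed1qwVL only fires because a write to that path was seen first, which is why the constructed stream keeps the parent's writes before the child's exec. The IoC counts differ from the report (14 tmp writes there, fewer here) because gcc's temporaries are only partly reproduced.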

Network

MITRE ATT&CK Enterprise v15

Downloads

  • /etc/cron.hourly/0
    Filesize 92B
    MD5 3f006f7f81fc17be7f4a0d3da0fad5de
    SHA1 97a94d3d0654c6551057af3809b52572bd7f9f5d
    SHA256 982f9e0f089b91ba79df723435099df15c72e1201a45010ee60226ab136c93bf
    SHA512 97d2ac0057427b940ada7c0fc805c1966e2535c3c3767ca85fef4a7e0fdc9d4ef9eb133530408b1e439df067881cb317e948ad9bfd487e958a04c97d9db978e0

  • /tmp/ccRUuenk.o
    Filesize 2KB
    MD5 345c5531e3858eea5ea274e7381c58a1
    SHA1 70889be48a916442ed3458864eff5bf4dcc36b30
    SHA256 426de9f88e1249a4017b6564b8b32c0c18357f5d825441d6a808e00f823abcc6
    SHA512 38a4e0624b3598ed3498d4c9bc8ecefc122e60dc1b67ab0df71de6d83977f7224ee1a5b70f1ba527409c5eeb1e4df7a85fc6c719cde664ed96176d7b585e40ce

  • /tmp/ccVMMHCM.s
    Filesize 1KB
    MD5 3311369c6ecd004ddccdbbf8ff91826a
    SHA1 ffa8e5e2dd446b3baccabb55c7bb954148c64502
    SHA256 5f221ac86ea687a2bf170f3cf20d8444c3a3be4410a0592b234a012e802b495a
    SHA512 6ecab9b9e864bc6a9f5ee401e94f813c8ad3dfcc02312bfad684091dd7e883ab36a7f384b26e44fb3173c615245ec609b2894113ee79d943663f62fa218c6bd1

  • /tmp/filed1qwVL
    Filesize 12KB
    MD5 3f604aaf29add5c4e1d110f560d22c88
    SHA1 cbe738f14b05c3bfc50e5b1f78230b3e0c76d1b4
    SHA256 457b3a87063efbd3608568b8ffceb07e2d4aa28b626852c66842076c9be2bba2
    SHA512 7b408e6cf7408fb27b9003eec587554c61e92a8967266613c2c4c9bbe4ff59fe6a7bb6ea0a63ef0d3981268ed50b451de34bfb6219dd7a15dd3631363521a9ad

  • /tmp/shell-bot/lol/gconv-modules
    Filesize 47B
    MD5 abf4899a9b112331a6f28be4f4ebde17
    SHA1 bc04cf0dd07679b8e4762a7ac452298927cbfe8b
    SHA256 7361c6861fdb08cab819b13bf2327bc82eebdd70651c7de1aed18515c1700d97
    SHA512 4a602fcd23358ad743dc83e4c9bd973a773375fd8a590333e28541ec25d2ece8aa7b9f457263a5c5b0e107ca4fb9d841408f951d676831d1d36eda2bf7eb5cc4

  • /tmp/shell-bot/payload.c
    Filesize 310B
    MD5 9bdd9493f821ae398a112a86e16b67a8
    SHA1 99dedb7cff4bd61a75b4e64960d230158efd702f
    SHA256 c679b408275f9624602702f5601954f3b51efbb1acc505950ee88175854e783f
    SHA512 4357330d472489f9ca9c4f3a281fcd85a1a37421ea5cee1973fd3acf9e22cb2f8d4fea216b46c57f85a4aeff08a72cb8a46f1a01b5389c1a89a6613b48c8816e