Analysis
max time kernel: 138s
max time network: 148s
platform: ubuntu-18.04_amd64
resource: ubuntu1804-amd64-20231215-en
resource tags: arch:amd64, arch:i386, image:ubuntu1804-amd64-20231215-en, kernel:4.15.0-213-generic, locale:en-us, os:ubuntu-18.04-amd64, system
submitted: 19-12-2023 23:16

Behavioral task: behavioral1
Sample: 55a44157eb9bb9ee1a7b6ec8cfa8b00d
Resource: ubuntu1804-amd64-20231215-en
General
Target: 55a44157eb9bb9ee1a7b6ec8cfa8b00d (the target name is the sample's own MD5, i.e. the submission carried no original filename)
Size: 6.9MB
MD5: 55a44157eb9bb9ee1a7b6ec8cfa8b00d
SHA1: 0514ef45e7b5a2ce8feb3c698b2cf986f2823d73
SHA256: c50a127a75d7c40a214b51c5d07cc25186b5aaac9374f7fc92398cc82a349ce2
SHA512: 3c2c24b0b337b018ca7c58a4f648f5bbb5cda3e1d654fe19f289d57ea5596da78d9524ded66159ab800305c9648d578a6db959033bf44e41d37109e710b66642
SSDEEP: 49152:WUZ2RSlXb04LALt7ulksREeTrC3UtaYraYO7pbeVBnOWtz5zRgUsH9KVVRpbHg8s:FPlL04o7TsyevCiahwMFKDb62y4IX
Malware Config
Signatures

Creates/modifies Cron job (1 TTP, 1 IoC)
Cron allows running tasks on a schedule, and is commonly used for malware persistence (ATT&CK T1053.003, Scheduled Task/Job: Cron).
Processes: crontab
  description                     ioc                                    process
  File opened for modification    /var/spool/cron/crontabs/tmp.Er6aGY    crontab
Note: tmp.Er6aGY is the temporary file crontab(1) writes into the spool directory before renaming it to the invoking user's crontab, so on a live host the same 260 B content will sit under that user's name, not under tmp.Er6aGY. The source it installed is /tmp/nip9iNeiph5chee (66 B, listed under Downloads); the size difference is consistent with the header comment lines crontab(1) prepends on install.

Reads runtime system information (2 IoCs)
Reads data from /proc virtual filesystem.
Processes: 55a44157eb9bb9ee1a7b6ec8cfa8b00d, 55a44157eb9bb9ee1a7b6ec8cfa8b00d
  description               ioc                              process
  File opened for reading   /proc/sys/net/core/somaxconn     55a44157eb9bb9ee1a7b6ec8cfa8b00d
  File opened for reading   /proc/sys/net/core/somaxconn     55a44157eb9bb9ee1a7b6ec8cfa8b00d
Note: the two reads come from the two instances of the sample (the original and its "[stealth]" re-execution, see Processes). somaxconn caps the backlog of listen(2), and reading it is what a runtime does while preparing a listening socket (Go's net package does this, for example), so the sample probably opens a listener even though the Network section below is empty for this run.

Writes file to tmp directory (3 IoCs)
Malware often drops required files in the /tmp directory.
Processes: 55a44157eb9bb9ee1a7b6ec8cfa8b00d, 55a44157eb9bb9ee1a7b6ec8cfa8b00d
  description                     ioc                      process
  File opened for modification    /tmp/nip9iNeiph5chee     55a44157eb9bb9ee1a7b6ec8cfa8b00d
  File opened for modification    /tmp/[stealth].pid       55a44157eb9bb9ee1a7b6ec8cfa8b00d
  File opened for modification    /tmp/pid                 55a44157eb9bb9ee1a7b6ec8cfa8b00d
Note: /tmp/nip9iNeiph5chee is the crontab source later handed to crontab(1); /tmp/[stealth].pid and /tmp/pid (4 B) look like PID files for the renamed instance. The sample's own location under /tmp is where the sandbox runs submissions from, not a choice made by the sample.
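The cron and tmp-directory signatures above give an analyst three things to check on a suspect host: crontab entries that execute something from a scratch directory, the dropped file names under /tmp, and the dropped-file hashes. The script below is an added example of that check, not part of the sandbox output. The paths and SHA256 values are the report's; the crontab text and the demo directory tree it builds are constructed here (the report shows only sizes and hashes for the dropped files, so the constructed content will not hash-match), and `triage`, `suspicious_cron_entries` and `build_demo_root` are names chosen for this example.

```python
"""Offline triage for the file-system IoCs in this report.

Added example; not part of the sandbox output. Paths and hashes are the
report's; the crontab text and the demo directory tree are constructed
here, because the report gives only sizes and hashes for the dropped files.
"""
import hashlib
import os
import re
import tempfile

# SHA256 values copied from the General and Downloads sections of the report.
KNOWN_SHA256 = {
    "c50a127a75d7c40a214b51c5d07cc25186b5aaac9374f7fc92398cc82a349ce2": "sample 55a44157eb9bb9ee1a7b6ec8cfa8b00d",
    "c3a15203fbd1e9fa70975ee263f76822630a9ff06681b6a3c3aaf3c5e420d24a": "/tmp/nip9iNeiph5chee",
    "8ff9538e65e6781d654b811f88161d12455935ffb8f470815063b6ab6cb7fdff": "/tmp/pid",
    "11ae0d93257159647a192a22d6e93be53f65e9a7dab4e97e410e0ace3f5786f9": "/var/spool/cron/crontabs/tmp.Er6aGY",
}

# Names the sample created under /tmp, per the "Writes file to tmp directory" signature.
KNOWN_TMP_NAMES = {"nip9iNeiph5chee", "[stealth].pid", "pid"}

# Cron commands that execute something out of a scratch directory are the
# usual shape of persistence installed by a payload that first ran from /tmp.
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

# One crontab entry: five schedule fields or an @keyword, then the command.
CRON_LINE = re.compile(r"^\s*(?:@[a-z]+\s+|(?:\S+\s+){5})(?P<cmd>\S.*)$")


def suspicious_cron_entries(crontab_text):
    """Return the commands in a crontab that run something from a scratch dir."""
    hits = []
    for line in crontab_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue                      # blank line or comment
        match = CRON_LINE.match(line)
        if not match:
            continue                      # environment line such as SHELL=/bin/sh
        cmd = match.group("cmd")
        if any(scratch in cmd for scratch in SCRATCH_DIRS):
            hits.append(cmd)
    return hits


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def triage(root="/"):
    """Check a host, or an image mounted at `root`, for the report's IoCs.

    Needs read access to var/spool/cron/crontabs, i.e. root on a live host.
    """
    result = {"cron_hits": [], "tmp_hits": [], "hash_hits": []}
    spool = os.path.join(root, "var/spool/cron/crontabs")
    if os.path.isdir(spool):
        for user in sorted(os.listdir(spool)):
            path = os.path.join(spool, user)
            with open(path, "r", errors="replace") as handle:
                for cmd in suspicious_cron_entries(handle.read()):
                    result["cron_hits"].append((user, cmd))
            if sha256_file(path) in KNOWN_SHA256:
                result["hash_hits"].append(path)
    tmp = os.path.join(root, "tmp")
    if os.path.isdir(tmp):
        for name in sorted(os.listdir(tmp)):
            path = os.path.join(tmp, name)
            if not os.path.isfile(path):
                continue
            if name in KNOWN_TMP_NAMES:
                result["tmp_hits"].append(name)
            if sha256_file(path) in KNOWN_SHA256:
                result["hash_hits"].append(path)
    return result


def build_demo_root():
    """Constructed directory tree mimicking the report's artefacts.

    The crontab lines are made up: the report shows only the size and hashes
    of the installed crontab, not its text, so nothing here hash-matches.
    """
    root = tempfile.mkdtemp(prefix="triage-demo-")
    spool = os.path.join(root, "var/spool/cron/crontabs")
    tmp = os.path.join(root, "tmp")
    os.makedirs(spool)
    os.makedirs(tmp)
    with open(os.path.join(spool, "root"), "w") as handle:
        handle.write("SHELL=/bin/sh\n"
                     "# m h dom mon dow command\n"
                     "0 3 * * * /usr/bin/apt-get update >/dev/null 2>&1\n"
                     "@reboot /tmp/55a44157eb9bb9ee1a7b6ec8cfa8b00d >/dev/null 2>&1\n")
    with open(os.path.join(tmp, "nip9iNeiph5chee"), "w") as handle:
        handle.write("@reboot /tmp/55a44157eb9bb9ee1a7b6ec8cfa8b00d\n")
    with open(os.path.join(tmp, "pid"), "w") as handle:
        handle.write("4242")              # 4 bytes, like the report's /tmp/pid
    with open(os.path.join(tmp, "[stealth].pid"), "w") as handle:
        handle.write("4242\n")
    return root


if __name__ == "__main__":
    for key, value in triage(build_demo_root()).items():
        print(key, value)
```

Run it as root with `triage("/")` on a live host, or point `root` at a mounted disk image. Remember that the installed crontab lives under the invoking user's name in the spool directory, so the hash check covers whatever file is there rather than looking for tmp.Er6aGY by name; a rebooted host may also have a new PID in /tmp/pid, so treat the hashes of the two PID files as weaker indicators than the crontab source.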
Processes
- /tmp/55a44157eb9bb9ee1a7b6ec8cfa8b00d (command line: /tmp/55a44157eb9bb9ee1a7b6ec8cfa8b00d)
  - Reads runtime system information
  - Writes file to tmp directory
- /tmp/55a44157eb9bb9ee1a7b6ec8cfa8b00d (command line: "[stealth]")
  - Reads runtime system information
  - Writes file to tmp directory
  - /usr/bin/crontab (command line: /usr/bin/crontab /tmp/nip9iNeiph5chee)
    - Creates/modifies Cron job
The second entry is the same binary re-executed with argv[0] set to "[stealth]", so process listings show it the way they show a kernel thread; crontab(1), which installs the persistence, runs as a child of that renamed instance.
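The "[stealth]" re-execution in the tree above is a process-name masquerade: a bracketed name is how ps renders a kernel thread, which has an empty /proc/<pid>/cmdline and no readable /proc/<pid>/exe link. A userland process that fakes argv[0] still has both, and that is the tell. The script below is an added example of that check, not part of the sandbox output; the snapshot at the bottom is constructed from the report's process tree with invented PIDs, and `is_masquerading`, `scan_live` and `scan_snapshot` are names chosen for this example.

```python
"""Spot userland processes whose argv[0] imitates a kernel thread.

Added example; not part of the sandbox output. Genuine kernel threads have an
empty /proc/<pid>/cmdline and no readable /proc/<pid>/exe link, so a bracketed
argv[0] backed by a real executable is the tell. SAMPLE_SNAPSHOT is constructed
from the report's process tree, not captured /proc data.
"""
import os
import re

KTHREAD_LOOKALIKE = re.compile(r"^\[[^\]]+\]$")


def is_masquerading(argv, exe):
    """True when argv[0] is bracketed like a kernel thread name but the
    process still has an executable on disk."""
    if not argv or exe is None:
        return False                      # real kernel thread (or unreadable)
    return bool(KTHREAD_LOOKALIKE.match(argv[0]))


def read_proc_entry(pid, proc="/proc"):
    """Return (argv, exe) for a live pid, or None if it went away."""
    try:
        with open(f"{proc}/{pid}/cmdline", "rb") as handle:
            raw = handle.read()
    except OSError:
        return None
    argv = [part.decode(errors="replace") for part in raw.split(b"\0") if part]
    try:
        exe = os.readlink(f"{proc}/{pid}/exe")
    except OSError:
        exe = None                        # kernel thread, or EACCES without root
    return argv, exe


def scan_live(proc="/proc"):
    """Walk /proc and return (pid, argv0, exe) for every lookalike found."""
    hits = []
    for pid in os.listdir(proc):
        if not pid.isdigit():
            continue
        entry = read_proc_entry(pid, proc)
        if entry and is_masquerading(*entry):
            hits.append((int(pid), entry[0][0], entry[1]))
    return hits


def scan_snapshot(snapshot):
    """Same check over an offline list of (pid, argv, exe) tuples."""
    return [(pid, argv[0], exe) for pid, argv, exe in snapshot if is_masquerading(argv, exe)]


# Constructed snapshot mirroring the report's process tree (PIDs invented).
SAMPLE_SNAPSHOT = [
    (2, [], None),                                                      # kthreadd
    (1337, ["/tmp/55a44157eb9bb9ee1a7b6ec8cfa8b00d"], "/tmp/55a44157eb9bb9ee1a7b6ec8cfa8b00d"),
    (1338, ["[stealth]"], "/tmp/55a44157eb9bb9ee1a7b6ec8cfa8b00d"),   # re-exec, faked argv[0]
    (1339, ["/usr/bin/crontab", "/tmp/nip9iNeiph5chee"], "/usr/bin/crontab"),
]

if __name__ == "__main__":
    print(scan_snapshot(SAMPLE_SNAPSHOT))
    print(scan_live())
```

Run `scan_live()` as root so that /proc/<pid>/exe is readable for other users' processes; without that, a masquerading process owned by another user is skipped rather than flagged. A second tell worth adding on a live host: /proc/<pid>/comm is taken from the executed file's basename (up to 15 bytes) unless the process changes it with prctl(PR_SET_NAME), so comm and argv[0] disagreeing is another sign of a faked name.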
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

/tmp/nip9iNeiph5chee
Filesize: 66B
MD5: 5aee66e0c10012c980b6e4ba2cfd04e8
SHA1: 9024f614191a5e30a1121a6d0e798c7ace7400f8
SHA256: c3a15203fbd1e9fa70975ee263f76822630a9ff06681b6a3c3aaf3c5e420d24a
SHA512: a5707c293124b55a6cba1680d8f8137a9c1c5483b2e627caf59ff836eea2c1a4e941f5faf21b6a9e2408823ef19ae625c123423fcac96809b0e0da20ae80db25

/tmp/pid
Filesize: 4B
MD5: cb8acb1dc9821bf74e6ca9068032d623
SHA1: 0ad54e429b2b6238550f24701541130b978e4640
SHA256: 8ff9538e65e6781d654b811f88161d12455935ffb8f470815063b6ab6cb7fdff
SHA512: 355051ba1d636582e623824587c9d5c6e6cc4c98dc830c26b212d61d0d009b91ad062aa99c7c2a3982a3b34091c49e412d7bfaf6d57c80794e7b3c31801dd964

/var/spool/cron/crontabs/tmp.Er6aGY
Filesize: 260B
MD5: 98a8d18854d975d9fe89621c67fd6c34
SHA1: ff0afa1580d82cded062c26a011da94d3f77b219
SHA256: 11ae0d93257159647a192a22d6e93be53f65e9a7dab4e97e410e0ace3f5786f9
SHA512: a009fe3eda69b1ccb34a5834ad3cf6b34affb90268034ca21f768e117187b16337974b6fc65e321ba5720ca98fa3e1dc0f83bde00b98c5b3b396076ea0a26b35