Analysis

  • max time kernel
    138s
  • max time network
    148s
  • platform
    ubuntu-18.04_amd64
  • resource
    ubuntu1804-amd64-20231215-en
  • resource tags

    arch:amd64, arch:i386, image:ubuntu1804-amd64-20231215-en, kernel:4.15.0-213-generic, locale:en-us, os:ubuntu-18.04-amd64, system
  • submitted
    19-12-2023 23:16

General

  • Target

    55a44157eb9bb9ee1a7b6ec8cfa8b00d

  • Size

    6.9MB

  • MD5

    55a44157eb9bb9ee1a7b6ec8cfa8b00d

  • SHA1

    0514ef45e7b5a2ce8feb3c698b2cf986f2823d73

  • SHA256

    c50a127a75d7c40a214b51c5d07cc25186b5aaac9374f7fc92398cc82a349ce2

  • SHA512

    3c2c24b0b337b018ca7c58a4f648f5bbb5cda3e1d654fe19f289d57ea5596da78d9524ded66159ab800305c9648d578a6db959033bf44e41d37109e710b66642

  • SSDEEP

    49152:WUZ2RSlXb04LALt7ulksREeTrC3UtaYraYO7pbeVBnOWtz5zRgUsH9KVVRpbHg8s:FPlL04o7TsyevCiahwMFKDb62y4IX

Score
6/10

Malware Config

Signatures

  • Creates/modifies Cron job 1 TTPs 1 IoCs

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

  • Reads runtime system information 2 IoCs

    Reads data from /proc virtual filesystem.

  • Writes file to tmp directory 3 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/55a44157eb9bb9ee1a7b6ec8cfa8b00d (depth 1, PID 1526)
    Command line: /tmp/55a44157eb9bb9ee1a7b6ec8cfa8b00d
    • Reads runtime system information
    • Writes file to tmp directory
  • /tmp/55a44157eb9bb9ee1a7b6ec8cfa8b00d (depth 1, PID 1530)
    Command line: "[stealth]"
    • Reads runtime system information
    • Writes file to tmp directory
    • /usr/bin/crontab (depth 2, PID 1534)
      Command line: /usr/bin/crontab /tmp/nip9iNeiph5chee
      • Creates/modifies Cron job

Network

MITRE ATT&CK Matrix (ATT&CK v13)

  • Execution: Scheduled Task/Job, T1053 (1)
  • Persistence: Scheduled Task/Job, T1053 (1)
  • Privilege Escalation: Scheduled Task/Job, T1053 (1)

Downloads

  • /tmp/nip9iNeiph5chee
    Filesize

    66B

    MD5

    5aee66e0c10012c980b6e4ba2cfd04e8

    SHA1

    9024f614191a5e30a1121a6d0e798c7ace7400f8

    SHA256

    c3a15203fbd1e9fa70975ee263f76822630a9ff06681b6a3c3aaf3c5e420d24a

    SHA512

    a5707c293124b55a6cba1680d8f8137a9c1c5483b2e627caf59ff836eea2c1a4e941f5faf21b6a9e2408823ef19ae625c123423fcac96809b0e0da20ae80db25

  • /tmp/pid
    Filesize

    4B

    MD5

    cb8acb1dc9821bf74e6ca9068032d623

    SHA1

    0ad54e429b2b6238550f24701541130b978e4640

    SHA256

    8ff9538e65e6781d654b811f88161d12455935ffb8f470815063b6ab6cb7fdff

    SHA512

    355051ba1d636582e623824587c9d5c6e6cc4c98dc830c26b212d61d0d009b91ad062aa99c7c2a3982a3b34091c49e412d7bfaf6d57c80794e7b3c31801dd964

  • /var/spool/cron/crontabs/tmp.Er6aGY
    Filesize

    260B

    MD5

    98a8d18854d975d9fe89621c67fd6c34

    SHA1

    ff0afa1580d82cded062c26a011da94d3f77b219

    SHA256

    11ae0d93257159647a192a22d6e93be53f65e9a7dab4e97e410e0ace3f5786f9

    SHA512

    a009fe3eda69b1ccb34a5834ad3cf6b34affb90268034ca21f768e117187b16337974b6fc65e321ba5720ca98fa3e1dc0f83bde00b98c5b3b396076ea0a26b35