c50a127a75d7c40a214b51c5d07cc25186b5aaac9374f7fc92398cc82a349ce2

Analysis

max time kernel
138s
max time network
148s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20231215-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20231215-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
19-12-2023 23:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

55a44157eb9bb9ee1a7b6ec8cfa8b00d
Size

6.9MB
MD5

55a44157eb9bb9ee1a7b6ec8cfa8b00d
SHA1

0514ef45e7b5a2ce8feb3c698b2cf986f2823d73
SHA256

c50a127a75d7c40a214b51c5d07cc25186b5aaac9374f7fc92398cc82a349ce2
SHA512

3c2c24b0b337b018ca7c58a4f648f5bbb5cda3e1d654fe19f289d57ea5596da78d9524ded66159ab800305c9648d578a6db959033bf44e41d37109e710b66642
SSDEEP

49152:WUZ2RSlXb04LALt7ulksREeTrC3UtaYraYO7pbeVBnOWtz5zRgUsH9KVVRpbHg8s:FPlL04o7TsyevCiahwMFKDb62y4IX

Score

6^/10

persistence

Malware Config

Signatures

Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
persistence

Scheduled Task/Job
T1053

Processes:

crontab

description ioc process

File opened for modification /var/spool/cron/crontabs/tmp.Er6aGY crontab

description	ioc	process
File opened for modification	/var/spool/cron/crontabs/tmp.Er6aGY	crontab

Reads runtime system information 2 IoCs

Reads data from /proc virtual filesystem.

Processes:

55a44157eb9bb9ee1a7b6ec8cfa8b00d55a44157eb9bb9ee1a7b6ec8cfa8b00d

description	ioc	process
File opened for reading	/proc/sys/net/core/somaxconn	55a44157eb9bb9ee1a7b6ec8cfa8b00d
File opened for reading	/proc/sys/net/core/somaxconn	55a44157eb9bb9ee1a7b6ec8cfa8b00d

Writes file to tmp directory 3 IoCs

Malware often drops required files in the /tmp directory.

Processes:

55a44157eb9bb9ee1a7b6ec8cfa8b00d55a44157eb9bb9ee1a7b6ec8cfa8b00d

description	ioc	process
File opened for modification	/tmp/nip9iNeiph5chee	55a44157eb9bb9ee1a7b6ec8cfa8b00d
File opened for modification	/tmp/[stealth].pid	55a44157eb9bb9ee1a7b6ec8cfa8b00d
File opened for modification	/tmp/pid	55a44157eb9bb9ee1a7b6ec8cfa8b00d

/tmp/55a44157eb9bb9ee1a7b6ec8cfa8b00d
/tmp/55a44157eb9bb9ee1a7b6ec8cfa8b00d
1⤵
- Reads runtime system information
- Writes file to tmp directory
PID:1526

/tmp/55a44157eb9bb9ee1a7b6ec8cfa8b00d
"[stealth]"
1⤵
- Reads runtime system information
- Writes file to tmp directory
PID:1530

/usr/bin/crontab
/usr/bin/crontab /tmp/nip9iNeiph5chee
2⤵
- Creates/modifies Cron job
PID:1534

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/nip9iNeiph5chee
Filesize
66B

MD5
5aee66e0c10012c980b6e4ba2cfd04e8

SHA1
9024f614191a5e30a1121a6d0e798c7ace7400f8

SHA256
c3a15203fbd1e9fa70975ee263f76822630a9ff06681b6a3c3aaf3c5e420d24a

SHA512
a5707c293124b55a6cba1680d8f8137a9c1c5483b2e627caf59ff836eea2c1a4e941f5faf21b6a9e2408823ef19ae625c123423fcac96809b0e0da20ae80db25

Download Submit
/tmp/pid
Filesize
4B

MD5
cb8acb1dc9821bf74e6ca9068032d623

SHA1
0ad54e429b2b6238550f24701541130b978e4640

SHA256
8ff9538e65e6781d654b811f88161d12455935ffb8f470815063b6ab6cb7fdff

SHA512
355051ba1d636582e623824587c9d5c6e6cc4c98dc830c26b212d61d0d009b91ad062aa99c7c2a3982a3b34091c49e412d7bfaf6d57c80794e7b3c31801dd964

Download Submit
/var/spool/cron/crontabs/tmp.Er6aGY
Filesize
260B

MD5
98a8d18854d975d9fe89621c67fd6c34

SHA1
ff0afa1580d82cded062c26a011da94d3f77b219

SHA256
11ae0d93257159647a192a22d6e93be53f65e9a7dab4e97e410e0ace3f5786f9

SHA512
a009fe3eda69b1ccb34a5834ad3cf6b34affb90268034ca21f768e117187b16337974b6fc65e321ba5720ca98fa3e1dc0f83bde00b98c5b3b396076ea0a26b35

Download Submit