8c4dc669ffb1332b4b064eff81c92e5ead10687dfc9c318e480aad81b3911247

Analysis

max time kernel
150s
max time network
156s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20231215-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20231215-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
19-12-2023 22:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0474fa7413d606163a969e7b8d841973
Size

6.9MB
MD5

0474fa7413d606163a969e7b8d841973
SHA1

033134aa0f6f77fc8828e35335549db70d78ab99
SHA256

8c4dc669ffb1332b4b064eff81c92e5ead10687dfc9c318e480aad81b3911247
SHA512

72efcc16f5ba6faa69fc11495b9c8792c7f2194c0a809dea3c1a8d29978abadb8bfaf371c563ff72ce72d6f31650712e5b0361061b7615dc9b78389b0b39319d
SSDEEP

49152:CHlt6SwO+UBLDSo84I19YvE18k185tnCyGPJB6L9cPBA571Ba01PwREvu1uhkkYc:yZwJUBz8B9l1j1dyGgzwOv80MTpzIX

Score

6^/10

persistence

Malware Config

Signatures

Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
persistence

Scheduled Task/Job
T1053

Processes:

crontab

description ioc process

File opened for modification /var/spool/cron/crontabs/tmp.H6U4pv crontab

description	ioc	process
File opened for modification	/var/spool/cron/crontabs/tmp.H6U4pv	crontab

Reads runtime system information 2 IoCs

Reads data from /proc virtual filesystem.

Processes:

0474fa7413d606163a969e7b8d8419730474fa7413d606163a969e7b8d841973

description	ioc	process
File opened for reading	/proc/sys/net/core/somaxconn	0474fa7413d606163a969e7b8d841973
File opened for reading	/proc/sys/net/core/somaxconn	0474fa7413d606163a969e7b8d841973

Writes file to tmp directory 3 IoCs

Malware often drops required files in the /tmp directory.

Processes:

0474fa7413d606163a969e7b8d8419730474fa7413d606163a969e7b8d841973

description	ioc	process
File opened for modification	/tmp/pid	0474fa7413d606163a969e7b8d841973
File opened for modification	/tmp/nip9iNeiph5chee	0474fa7413d606163a969e7b8d841973
File opened for modification	/tmp/[stealth].pid	0474fa7413d606163a969e7b8d841973

/tmp/0474fa7413d606163a969e7b8d841973
/tmp/0474fa7413d606163a969e7b8d841973
1⤵
- Reads runtime system information
- Writes file to tmp directory
PID:1536

/tmp/0474fa7413d606163a969e7b8d841973
"[stealth]"
1⤵
- Reads runtime system information
- Writes file to tmp directory
PID:1540

/usr/bin/crontab
/usr/bin/crontab /tmp/nip9iNeiph5chee
2⤵
- Creates/modifies Cron job
PID:1544

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/nip9iNeiph5chee
Filesize
66B

MD5
e93cdb63a6e16f6da48f06414b44be36

SHA1
f456e36417eefa62f8d475f218054e092853507a

SHA256
d745e38033dc9911072563f7663a261a5d17d2a5a14769d6d7a947d364b11cc6

SHA512
a40191e05e55627e968a372231500c210090d8ae86258e27fffa395e608c4a8feb023515e728116ae9c8cf048cc27184da2d190c914eb21016c1254bcd1c260f

Download Submit
/tmp/pid
Filesize
4B

MD5
cda72177eba360ff16b7f836e2754370

SHA1
0de7f57bd4db22d7e4a43004aea93b1f0a484259

SHA256
c73c63198a1338f0d19547e3d07db9dc25babedc30ae35b80426d48afe73624c

SHA512
a317aaae56af82ef6f653ee4554a2f95a93a7a2f9caf20603e7d9a2ed59ec43f1edc3a9b64437d8be4555cc608872ea65e6db7205f734770720ce5d7ec348ae1

Download Submit
/var/spool/cron/crontabs/tmp.H6U4pv
Filesize
260B

MD5
1562c05118efbe16b90a8eee8ca7ed7b

SHA1
f28a9104ee172cd95d6dc3ff0d3ec0ceaedc2b97

SHA256
7cf6b7f38902470159b873853ba7b416952b994720fb42802abb3bfe3b6ca48b

SHA512
b62053109232727865d44ddaf32fc22521a634c368c4bba912871008b385688b3ccf69bef5b5d3ba22dd03b4b194a2ed3cb80803f92f2538549f3fbdb880ee5f

Download Submit