Analysis

Max time kernel: 150s
Max time network: 156s
Platform: ubuntu-18.04_amd64
Resource: ubuntu1804-amd64-20231215-en
Resource tags: arch:amd64, arch:i386, image:ubuntu1804-amd64-20231215-en, kernel:4.15.0-213-generic, locale:en-us, os:ubuntu-18.04-amd64, system
Submitted: 19-12-2023 22:23
Behavioral task: behavioral1
Sample: 0474fa7413d606163a969e7b8d841973
Resource: ubuntu1804-amd64-20231215-en
General

Target: 0474fa7413d606163a969e7b8d841973
Size: 6.9MB
MD5: 0474fa7413d606163a969e7b8d841973
SHA1: 033134aa0f6f77fc8828e35335549db70d78ab99
SHA256: 8c4dc669ffb1332b4b064eff81c92e5ead10687dfc9c318e480aad81b3911247
SHA512: 72efcc16f5ba6faa69fc11495b9c8792c7f2194c0a809dea3c1a8d29978abadb8bfaf371c563ff72ce72d6f31650712e5b0361061b7615dc9b78389b0b39319d
SSDEEP: 49152:CHlt6SwO+UBLDSo84I19YvE18k185tnCyGPJB6L9cPBA571Ba01PwREvu1uhkkYc:yZwJUBz8B9l1j1dyGgzwOv80MTpzIX
Malware Config
Signatures
Creates/modifies Cron job (1 TTP, 1 IoC)
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
Processes: crontab
  description: File opened for modification | ioc: /var/spool/cron/crontabs/tmp.H6U4pv | process: crontab

Reads runtime system information (2 IoCs)
Reads data from the /proc virtual filesystem.
Processes: 0474fa7413d606163a969e7b8d841973, 0474fa7413d606163a969e7b8d841973
  description: File opened for reading | ioc: /proc/sys/net/core/somaxconn | process: 0474fa7413d606163a969e7b8d841973
  description: File opened for reading | ioc: /proc/sys/net/core/somaxconn | process: 0474fa7413d606163a969e7b8d841973

Writes file to tmp directory (3 IoCs)
Malware often drops required files in the /tmp directory.
Processes: 0474fa7413d606163a969e7b8d841973, 0474fa7413d606163a969e7b8d841973
  description: File opened for modification | ioc: /tmp/pid | process: 0474fa7413d606163a969e7b8d841973
  description: File opened for modification | ioc: /tmp/nip9iNeiph5chee | process: 0474fa7413d606163a969e7b8d841973
  description: File opened for modification | ioc: /tmp/[stealth].pid | process: 0474fa7413d606163a969e7b8d841973
Processes

/tmp/0474fa7413d606163a969e7b8d841973 (PID 1)
  Command line: /tmp/0474fa7413d606163a969e7b8d841973
  - Reads runtime system information
  - Writes file to tmp directory

/tmp/0474fa7413d606163a969e7b8d841973 (PID 1)
  Command line: /tmp/0474fa7413d606163a969e7b8d841973 "[stealth]"
  - Reads runtime system information
  - Writes file to tmp directory

/usr/bin/crontab (PID 2)
  Command line: /usr/bin/crontab /tmp/nip9iNeiph5chee
  - Creates/modifies Cron job
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
/tmp/nip9iNeiph5chee
  Filesize: 66B
  MD5: e93cdb63a6e16f6da48f06414b44be36
  SHA1: f456e36417eefa62f8d475f218054e092853507a
  SHA256: d745e38033dc9911072563f7663a261a5d17d2a5a14769d6d7a947d364b11cc6
  SHA512: a40191e05e55627e968a372231500c210090d8ae86258e27fffa395e608c4a8feb023515e728116ae9c8cf048cc27184da2d190c914eb21016c1254bcd1c260f

/tmp/pid
  Filesize: 4B
  MD5: cda72177eba360ff16b7f836e2754370
  SHA1: 0de7f57bd4db22d7e4a43004aea93b1f0a484259
  SHA256: c73c63198a1338f0d19547e3d07db9dc25babedc30ae35b80426d48afe73624c
  SHA512: a317aaae56af82ef6f653ee4554a2f95a93a7a2f9caf20603e7d9a2ed59ec43f1edc3a9b64437d8be4555cc608872ea65e6db7205f734770720ce5d7ec348ae1

/var/spool/cron/crontabs/tmp.H6U4pv
  Filesize: 260B
  MD5: 1562c05118efbe16b90a8eee8ca7ed7b
  SHA1: f28a9104ee172cd95d6dc3ff0d3ec0ceaedc2b97
  SHA256: 7cf6b7f38902470159b873853ba7b416952b994720fb42802abb3bfe3b6ca48b
  SHA512: b62053109232727865d44ddaf32fc22521a634c368c4bba912871008b385688b3ccf69bef5b5d3ba22dd03b4b194a2ed3cb80803f92f2538549f3fbdb880ee5f