Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

xm.gz

windows7-x64

3

xm.gz

windows10-2004-x64

7

sample.tar

windows7-x64

3

sample.tar

windows10-2004-x64

7

aarch64

ubuntu-18.04-amd64

6

create

ubuntu-18.04-amd64

7

create

debian-9-armhf

7

create

debian-9-mips

1

create

debian-9-mipsel

1

hide

ubuntu-18.04-amd64

1

hide.c

windows7-x64

3

hide.c

windows10-2004-x64

3

init

ubuntu-18.04-amd64

3

mining

ubuntu-18.04-amd64

6

mining

debian-9-armhf

6

mining

debian-9-mips

6

mining

debian-9-mipsel

6

mkcfg

ubuntu-18.04-amd64

1

mkcfg

debian-9-armhf

1

mkcfg

debian-9-mips

1

mkcfg

debian-9-mipsel

1

start

ubuntu-18.04-amd64

10

start

debian-9-armhf

1

start

debian-9-mips

1

start

debian-9-mipsel

1

x86_64

ubuntu-18.04-amd64

6

Analysis

  • max time kernel
    13s
  • max time network
    158s
  • platform
    ubuntu-18.04_amd64
  • resource
    ubuntu1804-amd64-20231215-en
  • resource tags

    arch:amd64arch:i386image:ubuntu1804-amd64-20231215-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
  • submitted
    20/12/2023, 05:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    create

  • Size

    669B

  • MD5

    18d2b80638dc8ed90e86c7caf316fe43

  • SHA1

    887f50f37a7e57abd113153becd5d8e36a780b19

  • SHA256

    d6a88499031026e3216ac733dd5b6365d597fa91599d33ec10a65cbb72e229b8

  • SHA512

    1ab557c50377097f1b4f59bacea66de1b569ea8e341d47155919d2996157f71e078e3a4b474ef005c7320e4eb46199fdda01dcffe5df6973778059466c0f2cec

Score
7/10
persistence

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Creates/modifies Cron job 1 TTPs 1 IoCs

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

    persistence
  • Enumerates running processes

    Discovers information about currently running processes on the system

  • Reads CPU attributes 1 TTPs 2 IoCs
  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

  • Writes file to tmp directory 8 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/create
    /tmp/create
    1⤵
    • Writes file to tmp directory
    PID:1526
    • /bin/cat
      cat auto
      2⤵
        PID:1527
      • /usr/bin/crontab
        crontab cronjobs
        2⤵
        • Creates/modifies Cron job
        PID:1528
      • /bin/rm
        rm -f cronjobs
        2⤵
          PID:1529
        • /usr/bin/crontab
          crontab -l
          2⤵
            PID:1530
          • /bin/chmod
            chmod u+x auto init.d
            2⤵
              PID:1531
            • /bin/sh
              sh -c "./auto > /dev/null 2>&1 &"
              2⤵
                PID:1532
              • /bin/rm
                rm -f aarch64 x86_64 hide.c init.c start create
                2⤵
                  PID:1534
              • /tmp/auto
                ./auto
                1⤵
                • Executes dropped EXE
                • Writes file to tmp directory
                PID:1533
                • /tmp/init.d
                  /tmp/init.d
                  2⤵
                    PID:1535
                  • /bin/chmod
                    chmod 755 auto config-err-6RKMsO hide init init.d logs mining mkcfg netplan__hapx7z6 snap-private-tmp ssh-uxHqTU51WrM3 systemd-private-732c1e7975dc47dea6dcb64555bc4491-ModemManager.service-iKTeZl systemd-private-732c1e7975dc47dea6dcb64555bc4491-bolt.service-qPQY6p systemd-private-732c1e7975dc47dea6dcb64555bc4491-colord.service-OfhWvp systemd-private-732c1e7975dc47dea6dcb64555bc4491-fwupd.service-kMJNqD systemd-private-732c1e7975dc47dea6dcb64555bc4491-systemd-resolved.service-CozP7L systemd-private-732c1e7975dc47dea6dcb64555bc4491-systemd-timedated.service-IbNrUH
                    2⤵
                      PID:1540
                    • /usr/bin/pkill
                      pkill -9 init
                      2⤵
                      • Reads CPU attributes
                      • Reads runtime system information
                      PID:1541
                  • /tmp/init
                    ./init
                    1⤵
                      PID:1539
                    • /tmp/mining
                      ./mining
                      1⤵
                      • Writes file to tmp directory
                      PID:1542
                      • /tmp/init
                        /tmp/init
                        2⤵
                          PID:1544
                        • /bin/uname
                          uname -m
                          2⤵
                            PID:1546
                          • /tmp/hide
                            ./hide -s "sendmail: accepting connections" ./mine
                            2⤵
                            • Writes file to tmp directory
                            PID:1547
                          • /tmp/mine
                            "sendmail: accepting connections"
                            2⤵
                              PID:1547
                            • /bin/ps
                              ps -ef
                              2⤵
                              • Reads CPU attributes
                              • Reads runtime system information
                              PID:1548
                            • /bin/grep
                              grep "sendmail: accepting connections"
                              2⤵
                                PID:1549
                              • /bin/grep
                                grep -v grep
                                2⤵
                                  PID:1550
                                • /usr/bin/awk
                                  awk "{print \$2}"
                                  2⤵
                                    PID:1551
                                  • /usr/bin/head
                                    head -1
                                    2⤵
                                      PID:1552

                                  Network

                                  MITRE ATT&CK Enterprise v15

                                  Replay Monitor

                                  Loading Replay Monitor...

                                  Downloads

                                  • /tmp/SOS
                                    Filesize

                                    5B

                                    MD5

                                    349c54ba981392f41faf79544ab282e6

                                    SHA1

                                    a10b57230ccb0cb2b3bc7bcc6735c0b722790c76

                                    SHA256

                                    bd6b18bf2ee7fb7156a9847953a0ec30d02800d3006431379dbe31044b866a89

                                    SHA512

                                    935d259ec1fe1c66aef8b4ced9a696ad51bd95924b1b14f8f3ef7fa34b7683072940ec62fae9f511e7c168cf88b84ae80ce606fc0e32eb160b6d28eab2f2cb83

                                    Download Submit

                                  • /tmp/auto
                                    Filesize

                                    5B

                                    MD5

                                    097306edbb9c640047927e86fadc1ae9

                                    SHA1

                                    a364b57e1a83551729cb4e170e562ebb0aaa6608

                                    SHA256

                                    1785cbdfcace2004c0d21cbc262071adf07ca0cd61f14fe5c66e737103025f3f

                                    SHA512

                                    60dd9daa455a8b636ce3cdf6a458d9151381c8de436e6197ed3a22c739bb893097abcf8728e61433ce9d2aece388aaff5a58405f85f956fc6c45c5f8e184e4df

                                    Download Submit

                                  • /tmp/auto
                                    Filesize

                                    197B

                                    MD5

                                    988b8163f85fc328dfacf8478e88b069

                                    SHA1

                                    0f862fb275a5755b112c426246300be43a1b34b9

                                    SHA256

                                    1f758502b2970809a3d695a41f21e73fb6b6ad372a744394aa24267efda6c26f

                                    SHA512

                                    449d4ac3876795b2727360edebd1e29c836a41397378a762758e1188c76629df4baeb2277e5b977f97efeb5dcca03503d350ce111eb8a292c9408dd73162ad8e

                                    Download Submit

                                  • /tmp/cronjobs
                                    Filesize

                                    36B

                                    MD5

                                    1d6269061b92bd8301a1ef18d77f11e5

                                    SHA1

                                    08125649ef9f58f504b4526530234d7512bab41e

                                    SHA256

                                    d2f5f29e60b1a7c23b311ae0f1c1c55d1e5bb4e116164ae31d27f172c985976d

                                    SHA512

                                    bd2134fefa6c84764ce74c1831fc90da81bebd8812229189f8f9899bca14d1b2c567d6f57f024786e3f170d7e27c8e8b98b4db1045d98d4db542b9ef7f8370c6

                                    Download Submit

                                  • /tmp/cronjobs
                                    Filesize

                                    76B

                                    MD5

                                    6103f8dacb16843a609dcb52eccc7f01

                                    SHA1

                                    409016664bb94e4c7d4728ff1f92c8a450cb6102

                                    SHA256

                                    47b3e37200c81a6f9d18803269d5c48410dc545d69e3216ea26c79393345de39

                                    SHA512

                                    19c69bd7c2ef044524550d6cdefb25c37652006305dc43b6214ae48565a6dc147aaa07f5a36110ebab2fc3c2efaee4e1adc34ffd45b48f88364a7de6de9ae5b3

                                    Download Submit

                                  • /tmp/�)�c�
                                    Filesize

                                    5B

                                    MD5

                                    79ea852ce4729ce0dc2bb9d9526c8055

                                    SHA1

                                    0ddf34990a5ff4cd38b9bf0827b89e5178cd6032

                                    SHA256

                                    19b475910ee9ba3f7199cbe69292a0034dc313f788ccfb67cd83f472e95f885d

                                    SHA512

                                    abb1b7476661edfb434adbacf204e0e161b39a2897a6a7f5e6925e162f1e2805bcd6868c162157314c59b267e29936dd044fdb0721c2c8e72843e4d8bb6606ad

                                    Download Submit

                                  • /var/spool/cron/crontabs/tmp.MhT52m
                                    Filesize

                                    258B

                                    MD5

                                    9199a901b48aa0094b122b993f501af4

                                    SHA1

                                    fd2fe1df94a89fd4c947f97eafc61c937f02d832

                                    SHA256

                                    829cccb925fe1b5c7daedc3b4993d20fda77b79c3068424024caa99c52ebee94

                                    SHA512

                                    2a5f9a430e629df85b5690a967ed1ff4340ff453523cf323936552add34cd0b59de5c4398fec18f781d540a575eaa2f9aee9cf615843f40af167cb2df46b5786

                                    Download Submit