Overview

Score: 10

Task | Platform | Score
Static (static) | - | 10
xm.gz | windows7-x64 | 3
xm.gz | windows10-2004-x64 | 7
sample.tar | windows7-x64 | 3
sample.tar | windows10-2004-x64 | 7
aarch64 | ubuntu-18.04-amd64 | 6
create | ubuntu-18.04-amd64 | 7
create | debian-9-armhf | 7
create | debian-9-mips | 1
create | debian-9-mipsel | 1
hide | ubuntu-18.04-amd64 | 1
hide.c | windows7-x64 | 3
hide.c | windows10-2004-x64 | 3
init | ubuntu-18.04-amd64 | 3
mining | ubuntu-18.04-amd64 | 6
mining | debian-9-armhf | 6
mining | debian-9-mips | 6
mining | debian-9-mipsel | 6
mkcfg | ubuntu-18.04-amd64 | 1
mkcfg | debian-9-armhf | 1
mkcfg | debian-9-mips | 1
mkcfg | debian-9-mipsel | 1
start | ubuntu-18.04-amd64 | 10
start | debian-9-armhf | 1
start | debian-9-mips | 1
start | debian-9-mipsel | 1
x86_64 | ubuntu-18.04-amd64 | 6

Analysis
- max time kernel: 13s
- max time network: 158s
- platform: ubuntu-18.04_amd64
- resource: ubuntu1804-amd64-20231215-en
- resource tags: arch:amd64, arch:i386, image:ubuntu1804-amd64-20231215-en, kernel:4.15.0-213-generic, locale:en-us, os:ubuntu-18.04-amd64, system
- submitted: 20/12/2023, 05:19
Behavioral tasks

Task | Sample | Resource
behavioral1 | xm.gz | win7-20231215-en
behavioral2 | xm.gz | win10v2004-20231215-en
behavioral3 | sample.tar | win7-20231215-en
behavioral4 | sample.tar | win10v2004-20231215-en
behavioral5 | aarch64 | ubuntu1804-amd64-20231215-en
behavioral6 | create | ubuntu1804-amd64-20231215-en
behavioral7 | create | debian9-armhf-20231215-en
behavioral8 | create | debian9-mipsbe-20231215-en
behavioral9 | create | debian9-mipsel-20231215-en
behavioral10 | hide | ubuntu1804-amd64-20231215-en
behavioral11 | hide.c | win7-20231129-en
behavioral12 | hide.c | win10v2004-20231215-en
behavioral13 | init | ubuntu1804-amd64-20231215-en
behavioral14 | mining | ubuntu1804-amd64-20231215-en
behavioral15 | mining | debian9-armhf-20231215-en
behavioral16 | mining | debian9-mipsbe-20231215-en
behavioral17 | mining | debian9-mipsel-20231215-en
behavioral18 | mkcfg | ubuntu1804-amd64-20231215-en
behavioral19 | mkcfg | debian9-armhf-20231215-en
behavioral20 | mkcfg | debian9-mipsbe-20231215-en
behavioral21 | mkcfg | debian9-mipsel-20231215-en
behavioral22 | start | ubuntu1804-amd64-20231215-en
behavioral23 | start | debian9-armhf-20231215-en
behavioral24 | start | debian9-mipsbe-20231215-en
behavioral25 | start | debian9-mipsel-20231215-en
behavioral26 | x86_64 | ubuntu1804-amd64-20231215-en
General

- Target: create
- Size: 669B
- MD5: 18d2b80638dc8ed90e86c7caf316fe43
- SHA1: 887f50f37a7e57abd113153becd5d8e36a780b19
- SHA256: d6a88499031026e3216ac733dd5b6365d597fa91599d33ec10a65cbb72e229b8
- SHA512: 1ab557c50377097f1b4f59bacea66de1b569ea8e341d47155919d2996157f71e078e3a4b474ef005c7320e4eb46199fdda01dcffe5df6973778059466c0f2cec
Malware Config
Signatures

Executes dropped EXE (1 IoC)
ioc | pid | Process
/tmp/auto | 1533 | auto

Creates/modifies Cron job (1 TTP, 1 IoC)
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
description | ioc | Process
File opened for modification | /var/spool/cron/crontabs/tmp.MhT52m | crontab

Enumerates running processes
Discovers information about currently running processes on the system.

Reads CPU attributes (1 TTP, 2 IoCs)
description | ioc | Process
File opened for reading | /sys/devices/system/cpu/online | ps
File opened for reading | /sys/devices/system/cpu/online | pkill
Reads runtime system information (64 IoCs)
Reads data from /proc virtual filesystem.
Writes file to tmp directory (8 IoCs)
Malware often drops required files in the /tmp directory.
description | ioc | Process
File opened for modification | /tmp/auto | create
File opened for modification | /tmp/cronjobs | create
File opened for modification | /tmp/init.d | create
File opened for modification | /tmp/logs | auto
File opened for modification | /tmp/logs | mining
File opened for modification | /tmp/SOS | Process not Found
File opened for modification | /tmp/�)�c� | hide
File opened for modification | /tmp/ra.pid | Process not Found
Processes

- /tmp/create (PID 1526), command line: /tmp/create
  Signatures: Writes file to tmp directory
  - /bin/cat (PID 1527), command line: cat auto
  - /usr/bin/crontab (PID 1528), command line: crontab cronjobs
    Signatures: Creates/modifies Cron job
  - /bin/rm (PID 1529), command line: rm -f cronjobs
  - /usr/bin/crontab (PID 1530), command line: crontab -l
  - /bin/chmod (PID 1531), command line: chmod u+x auto init.d
  - /bin/sh (PID 1532), command line: sh -c "./auto > /dev/null 2>&1 &"
  - /bin/rm (PID 1534), command line: rm -f aarch64 x86_64 hide.c init.c start create
- /tmp/auto (PID 1533), command line: ./auto
  Signatures: Executes dropped EXE; Writes file to tmp directory
  - /tmp/init.d (PID 1535), command line: /tmp/init.d
  - /bin/chmod (PID 1540), command line: chmod 755 auto config-err-6RKMsO hide init init.d logs mining mkcfg netplan__hapx7z6 snap-private-tmp ssh-uxHqTU51WrM3 systemd-private-732c1e7975dc47dea6dcb64555bc4491-ModemManager.service-iKTeZl systemd-private-732c1e7975dc47dea6dcb64555bc4491-bolt.service-qPQY6p systemd-private-732c1e7975dc47dea6dcb64555bc4491-colord.service-OfhWvp systemd-private-732c1e7975dc47dea6dcb64555bc4491-fwupd.service-kMJNqD systemd-private-732c1e7975dc47dea6dcb64555bc4491-systemd-resolved.service-CozP7L systemd-private-732c1e7975dc47dea6dcb64555bc4491-systemd-timedated.service-IbNrUH
  - /usr/bin/pkill (PID 1541), command line: pkill -9 init
    Signatures: Reads CPU attributes; Reads runtime system information
- /tmp/init (PID 1539), command line: ./init
- /tmp/mining (PID 1542), command line: ./mining
  Signatures: Writes file to tmp directory
  - /tmp/init (PID 1544), command line: /tmp/init
  - /bin/uname (PID 1546), command line: uname -m
  - /tmp/hide (PID 1547), command line: ./hide -s "sendmail: accepting connections" ./mine
    Signatures: Writes file to tmp directory
  - /tmp/mine (PID 1547), command line: "sendmail: accepting connections"
  - /bin/ps (PID 1548), command line: ps -ef
    Signatures: Reads CPU attributes; Reads runtime system information
  - /bin/grep (PID 1549), command line: grep "sendmail: accepting connections"
  - /bin/grep (PID 1550), command line: grep -v grep
  - /usr/bin/awk (PID 1551), command line: awk "{print \$2}"
  - /usr/bin/head (PID 1552), command line: head -1
Network
MITRE ATT&CK Enterprise v15
Downloads