fd30a24c2d83e3bb4ee605c16c80cd00af249848e9d4a7ee06bc22ae4cccda89

Analysis

max time kernel
24s
max time network
27s
platform
debian-9_armhf
resource
debian9-armhf-20231215-en
resource tags

arch:armhfimage:debian9-armhf-20231215-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
22-12-2023 02:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

541b9bd0769be5c89bdce277cd0e2db3
Size

269B
MD5

541b9bd0769be5c89bdce277cd0e2db3
SHA1

86fd2bfcfcde59c76fe8d5655bb1b6d63c501e6f
SHA256

fd30a24c2d83e3bb4ee605c16c80cd00af249848e9d4a7ee06bc22ae4cccda89
SHA512

8ab1292248989151cb5dfcbea9beff01551e06f1883d683d06b5ed62b34a82dd8df9760cc55b5b20fcd6a6d690d552f51120513482b3debee97033fee9eeeaaa

Score

6^/10

Malware Config

Signatures

Enumerates running processes
Discovers information about currently running processes on the system

Reads CPU attributes 1 TTPs 4 IoCs

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	w
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	exim4
File opened for reading	/sys/devices/system/cpu/online	exim4

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/41/stat	w
File opened for reading	/proc/293/cmdline	w
File opened for reading	/proc/306/stat	w
File opened for reading	/proc/308/cmdline	w
File opened for reading	/proc/3/status	ps
File opened for reading	/proc/10/cmdline	ps
File opened for reading	/proc/24/status	ps
File opened for reading	/proc/109/status	ps
File opened for reading	/proc/658/stat	ps
File opened for reading	/proc/660/stat	ps
File opened for reading	/proc/76/cmdline	w
File opened for reading	/proc/108/stat	w
File opened for reading	/proc/27/cmdline	ps
File opened for reading	/proc/108/status	ps
File opened for reading	/proc/316/cmdline	ps
File opened for reading	/proc/17/cmdline	w
File opened for reading	/proc/445/stat	w
File opened for reading	/proc/20/stat	ps
File opened for reading	/proc/306/stat	ps
File opened for reading	/proc/659/cmdline	ps
File opened for reading	/proc/665/stat	ps
File opened for reading	/proc/filesystems	mv
File opened for reading	/proc/18/cmdline	w
File opened for reading	/proc/291/cmdline	w
File opened for reading	/proc/21/cmdline	ps
File opened for reading	/proc/29/stat	ps
File opened for reading	/proc/sys/kernel/osrelease	w
File opened for reading	/proc/668/cmdline	w
File opened for reading	/proc/10/cmdline	w
File opened for reading	/proc/25/cmdline	w
File opened for reading	/proc/42/stat	w
File opened for reading	/proc/663/stat	w
File opened for reading	/proc/4/stat	ps
File opened for reading	/proc/11/status	ps
File opened for reading	/proc/26/stat	ps
File opened for reading	/proc/41/stat	ps
File opened for reading	/proc/220/stat	ps
File opened for reading	/proc/19/stat	w
File opened for reading	/proc/97/stat	w
File opened for reading	/proc/668/stat	w
File opened for reading	/proc/686/cmdline	w
File opened for reading	/proc/meminfo	ps
File opened for reading	/proc/8/stat	ps
File opened for reading	/proc/26/status	ps
File opened for reading	/proc/76/stat	ps
File opened for reading	/proc/148/stat	ps
File opened for reading	/proc/308/cmdline	ps
File opened for reading	/proc/693/cmdline	ps
File opened for reading	/proc/20/cmdline	w
File opened for reading	/proc/688/cmdline	w
File opened for reading	/proc/6/cmdline	ps
File opened for reading	/proc/8/cmdline	ps
File opened for reading	/proc/19/status	ps
File opened for reading	/proc/274/stat	ps
File opened for reading	/proc/291/cmdline	ps
File opened for reading	/proc/664/stat	ps
File opened for reading	/proc/23/cmdline	w
File opened for reading	/proc/306/cmdline	w
File opened for reading	/proc/438/cmdline	w
File opened for reading	/proc/4/cmdline	ps
File opened for reading	/proc/9/stat	ps
File opened for reading	/proc/108/stat	ps
File opened for reading	/proc/306/status	ps
File opened for reading	/proc/42/cmdline	w

Writes file to tmp directory 3 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/mail.stat	541b9bd0769be5c89bdce277cd0e2db3
File opened for modification	/tmp/muBjHakN	mail
File opened for modification	/tmp/mu7Atrw1	mail

/tmp/541b9bd0769be5c89bdce277cd0e2db3
/tmp/541b9bd0769be5c89bdce277cd0e2db3
1⤵
- Writes file to tmp directory
PID:683
- /sbin/ifconfig
  /sbin/ifconfig
  2⤵
  PID:685
- /usr/bin/w
  w
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:686
- /bin/ps
  ps ax
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:693
- /usr/bin/mail
  mail "[email protected]"
  2⤵
  - Writes file to tmp directory
  PID:697
- - /usr/sbin/sendmail
    /usr/sbin/sendmail -oi -f "root@debian9-armhf-20231215-en-9" -t
    3⤵
    PID:700
  - - /usr/sbin/exim4
      /usr/sbin/exim4 -Mc 1rGu0w-0000BI-HV
      4⤵
      Reads CPU attributes
      PID:755
    - - /usr/sbin/exim4
        
        /usr/sbin/exim4 -t -oem -oi -f "<>" -E1rGu0w-0000BI-HV
        5⤵
        
        PID:765
      - /usr/sbin/exim4
        
        /usr/sbin/exim4 -Mc 1rGu10-0000CL-2V
        6⤵
        Reads CPU attributes
        
        PID:772
- /bin/rm
  rm -rf mail.stat
  2⤵
  PID:757
- /bin/mv
  mv /bin/ps /usr/bin/.ps
  2⤵
  PID:758
- /bin/mv
  mv ps /bin/ps
  2⤵
  - Reads runtime system information
  PID:759

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/mail.stat

Filesize
6B

MD5
ab7877b7f9e50250531434a7f4f832af

SHA1
79447cfb16a0eda1cfc1a2f22511218ac5066693

SHA256
0446f0f83dc7d3511b11a7579b03991db7de5a4e6f27e081033a6fe9fbbede48

SHA512
e6170dbb481c85f31499402c61962ea3f136e5f9c8e5963a9c0e3f1b8dd04ebce6f03eb14029e8cb02ea5bd000030e82cc2480e052e5795f52f3e38fdb60ad39

Download Submit
/tmp/mail.stat

Filesize
16B

MD5
08347bf7671c77ffb0fdd23878dd8cf6

SHA1
18dde0b1ac5ec2061342843cdaec5f85f1d7d81f

SHA256
c57a59bf33802f9cdebac3fc4268833b033fd0566f332000d543caafb822ecd8

SHA512
9272df0460a1f292ac71f8e0dec47d1aae9e2f8ac148138593b6ce33d1e25ee62f9b878aa43ca76520736490cb0ef646d7564008b51ecc11eb675f5e8781cd82

Download Submit
/tmp/mail.stat

Filesize
286B

MD5
19ae3d4eac90d17e035dfef7b97252d2

SHA1
1b2619c500dd7c098d3a050685def6bce8797472

SHA256
f1bf06aecd4e794f47fad3c9256e881dc191ff152cd84222fa140a55c679b4e4

SHA512
82894af3bbc67268413fa29ab8fa7b87826da7d6e1c23165e0d118f1a2ca78c242d2766a0a6439b18476dddd43bf8c7b234553fcb652c712c5f40371e2bcac25

Download Submit
/tmp/mail.stat

Filesize
3KB

MD5
4fd5c73669f91415830658809cb434ee

SHA1
eb51cc2ffb175269c9a8c6846ac5887088b988ac

SHA256
50812c1e0b7c06e15cee3e42eb4c8a4ea417beb2c5bde26611fd5a664aae0d1b

SHA512
6984a16e10dff4fd29df5e3cd0b9b40fd9e9d367b0bd86962242eac7959a8a1a65b8a2d199209ebe17a1fc1376c292fa03967bfd052cea86c0b90940f05656ff

Download Submit
/tmp/mail.stat

Filesize
3KB

MD5
68a3cc82b38fd837aad544cb05e55a2c

SHA1
9997cb6e37048a0c68e22bcd3b18738edc6adaa8

SHA256
2b571d6477f210eb49f6feaa859381263424514b427d159bcc2e96527733fbaa

SHA512
798c28caaa1c2b1d194bf2efaa9f585b796e5be304390df185623cc4e1e6a3d09f2f0d9029447b7482c02b14d4eb5c54866c74be4497a65663164fb1a18fede4

Download Submit
/tmp/mail.stat

Filesize
3KB

MD5
177033c175ff1029635a66ec21317497

SHA1
2727984e7aa14f7f5210d934d2a43d0cb8d89d6d

SHA256
b0a5ef964909230d83d3d79f628f2fe1f60ef1709299d56cc79c9baea4787eb2

SHA512
72b90f872166f4963e03a422aa5e8d74dedcc75cafe17e4926bec4f5ec5f4fef0bbc731d745cffa7dedd9e98966de79a1adeaccfd74e24532dd3124ba2e6215a

Download Submit
/tmp/muBjHakN

Filesize
3KB

MD5
a761314dae114feee30bf0e6809ba6b6

SHA1
6590bb3fea35fe5f33131c51ccfed46b2e04ad62

SHA256
3298ad2f1bc0732a60806450d4e2bf8a61f440ea774ddd2776b94186485a466d

SHA512
e14477be30764484e4b32b34c36d171671b678b4f40cba65ffe90deece0eb2e45baf11a08efec1c57f15e7323983b86c04db22bfd2b6be7e3abb2c43bac11668

Download Submit
/var/mail/user

Filesize
5KB

MD5
a93d978b66cc8cdb22dba2ce782de716

SHA1
56e7aff8623433a0b51dfad6ed7b2bc9bfd8158f

SHA256
1acbf57433a1084c39cf79a7ffaca0ce5b979f53c41c730e1f565a13144f5b48

SHA512
0e93def8c6236ed1a5eba06dc8366d56e1c06fcbcda47a2e2542570e2c3d90a72a31ccabe1395cbda0c3214027907604cf68456a8052763cac3689c0d4abc84a

Download Submit
/var/spool/exim4/input/1rGu0w-0000BI-HV-D

Filesize
3KB

MD5
5da4792a4c5f0f10a6c3a7f96d56b78c

SHA1
2051c34027902c8dd30d799c677f2f7809dd414f

SHA256
e712b0edc25b4f72556b8b187bc388e5660a7f21f98d6062d3afbf6fcb9eb3fc

SHA512
3f501269948aac9f903c53b7d4fa2eb0ba609d973c0377e5d9301dc398183b4c4c3f031502fed6e9b5f3e63b501b9e98e1384a86408bea1b02231e848b5b988e

Download Submit
/var/spool/exim4/input/1rGu10-0000CL-2V-D

Filesize
4KB

MD5
31bb1b49957f01a6e6b4b159cccdb6c5

SHA1
201aa09e6171f95be04db7ec0a4ef95f9da22c22

SHA256
a3ca22f84c4d9271e6f390ea79f90d41607eb98469e9ff94b029846f06c39824

SHA512
e9506842967b439c6379fd75a40ffdacaea5afdef248be8dbaaa26c960c613383c798c64e564f2c9d14dd7f7572cdd12c9335c44e83d1c759488dcbbf35f8927

Download Submit
/var/spool/exim4/input/1rGu10-0000CL-2V-J

Filesize
34B

MD5
d7d96d63d643a4ce3e408eba7dfcedc5

SHA1
c53607f95c5c57beafc1d8266646797a035f76ea

SHA256
21db3a59b2d0ce18fb250b787d6e2c85d12919f5fdf1448c8f48207c4083b159

SHA512
703a03e54776a6ad9b8adc6c475bbc91c06502618fa3b6f495b1a01a4f6f7aa6fb65dc6ba6885ddc6af961627062f1ce1e1d66688288cbd3bef7754d249fa9b3

Download Submit
/var/spool/exim4/input/hdr.700

Filesize
687B

MD5
51b41cda991f3d5040711d4553a94070

SHA1
15958ea7c6f3362d8219e0101051faa3ec17838d

SHA256
71bb10c53881ebc871e33541889b8d1d463c41176b6933418d0d38381d1ffb71

SHA512
b414a27b04809d4f74fe457bfa70cd4c85b6e8f8f3385f39490246f38fac808e4675314c26fa56f554f8e0870365512c2027b84f50be20fe03b457b8f9995206

Download Submit
/var/spool/exim4/input/hdr.755

Filesize
704B

MD5
445e0da194d87f93f2d64249e5e05bf6

SHA1
e4e5442919e9496bcb61dc52c19d80166ee21e11

SHA256
8a157c4efdd4c3bcff6f9a2746b516d88de4f62dd905d77bd0faca15c79c4e0d

SHA512
10de5f7fcc72bc2f68b4082d77ebbdb695c194fe8b1670af442c62c81f96f9245c9ab6e4aece09f36049484374950a21a565cecdbe64fcb5c636e39eb7aa9119

Download Submit
/var/spool/exim4/input/hdr.765

Filesize
947B

MD5
3c8c9caea924e9e3a0dc3bd3d34661e9

SHA1
fe6713906b844850b352ca775dcc90a14cd8c92f

SHA256
75b603e822360a85bac8cfe9347bde8b188f4d363a6801cfdf38b58f9e22d494

SHA512
741b4093769cc027f2e0b46c37750fc94e846a4f67f8bdcb53a1611998d9aade7423402c1f8a96c7b54ccbf0c52aa6328d120d314634cc67761d89d34109a0d2

Download Submit
/var/spool/exim4/msglog/1rGu0w-0000BI-HV

Filesize
89B

MD5
d284965c3da07a08ce9901dbb9a5affb

SHA1
68b35c0839641aecee784f5f1226d935672dbc6e

SHA256
dfa2ecf33d119bfb21e13fadd24c2318664717256a0ab6a8cce6accfd385e68d

SHA512
2d3f1198c56ce46d245a190980a939972904f9bdc8283922a9effd08620e414566711fea36e7fdee83881b3fe15a3d6298dcf60fc9af786da1c8e2ba3646d58c

Download Submit
/var/spool/exim4/msglog/1rGu0w-0000BI-HV

Filesize
178B

MD5
d5b71f62a5fa0b83e7522e08c58e52b1

SHA1
e61e2f2bfd32d44e4688e00591e981b7c92af6f6

SHA256
894cf77a9589dad80d77a2f344aece1a43ed173a45a4100ed7073ae16e96b4d2

SHA512
ffb96c6f8e4a4d02b092a563a35a9368e72ea04d7a668da8574f616f3183f24531af4db12c01481202fea9a89b851abf6673a10f19bb6e826c41d014639fc457

Download Submit
/var/spool/exim4/msglog/1rGu10-0000CL-2V

Filesize
85B

MD5
ff1c7bbd0fa764b56dd7339b7a5ee023

SHA1
78bd977acf7736587237074c788a9ba3708b0eec

SHA256
ebbff45d76f50a9057d2c14e97a4940f27c094150ff5f4276a76ab22a9eae0c3

SHA512
c030f91b7b97f2adca3f7938da07352cfdd44a88a712bd46dd853f96d9075c7403d13fb015a26172c776e6756a91c4d3259b46284e0f3c8195f029e7c47f658a

Download Submit
/var/spool/exim4/msglog/1rGu10-0000CL-2V

Filesize
282B

MD5
1c994f72ef0f69cc30fb9be5c55df108

SHA1
1ec491cb451a041dce049ab18b55d4f41e8061e7

SHA256
d2bad2106b7e7283e4ccedf768a21d9b3daf02801af36a0489dfdebd5a35801f

SHA512
4244f179f9386e0d8b1697fcb42230af75106b8bf2277c36460d3028b4a78cefb79cc484dc70cf16813687e4bb814b6d3a06860ae0382de84b0ad88997558d98

Download Submit