Analysis
max time kernel: 2s
max time network: 128s
platform: ubuntu-18.04_amd64
resource: ubuntu1804-amd64-20231222-en
resource tags: arch:amd64, arch:i386, image:ubuntu1804-amd64-20231222-en, kernel:4.15.0-213-generic, locale:en-us, os:ubuntu-18.04-amd64, system
submitted: 22-12-2023 03:31
Static task: static1
Behavioral task behavioral1: sample .../f, resource ubuntu1804-amd64-20231215-en
Behavioral task behavioral2: sample .../i, resource ubuntu1804-amd64-20231215-en
Behavioral task behavioral3: sample .../s, resource ubuntu1804-amd64-20231222-en
Behavioral task behavioral4: sample .../s, resource debian9-armhf-20231215-en
Behavioral task behavioral5: sample .../s, resource debian9-mipsbe-20231215-en
Behavioral task behavioral6: sample .../s, resource debian9-mipsel-20231215-en
General
Target: .../s
Size: 922B
MD5: 31274bb8d056acdc580344e2a44399cf
SHA1: eb19ecb1dfc1153154b7050811b780627919ad62
SHA256: 9f09c8d391981d28f2d3d4fe4c5e178d34cfc09bf784acdd886995cebef8e0c9
SHA512: d26618fe7aa3c2a9b5600261ab8a986b226a96d932d28961400cb0728ca8061eca74a5ed1c1face5ded7ae801f726c1538bb0d333be075dc9045cb0bd657ca20
Malware Config
Signatures
- Enumerates running processes: discovers information about currently running processes on the system.
- Reads runtime system information (64 IoCs): reads data from the /proc virtual filesystem.
- Writes file to tmp directory (1 IoC): malware often drops required files in the /tmp directory.
  File opened for modification: /tmp/.../eth
Processes
- /tmp/.../s (PID 1607), command line: /tmp/.../s
  - /usr/bin/killall (PID 1608), command line: killall -9 start  [Reads runtime system information]
  - /usr/bin/awk (PID 1615), command line: awk "{ for (i=1;i<=NF;i++) print \$i }"
  - /bin/grep (PID 1614), command line: grep default
  - /sbin/ip (PID 1613), command line: ip route show
  - /bin/rm (PID 1616), command line: rm -rf eth
- /bin/grep (PID 1611), command line: grep -v grep
- /bin/grep (PID 1612), command line: grep -c default
- /sbin/ip (PID 1610), command line: ip route show
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 54B
MD5: 9c2c3ac8923baff3e6570fe065e098fc
SHA1: e5add699f8cb4779df9ae15c37a90fe2476d0f53
SHA256: 5a7d2ae4a218a6824aa644b1a61ee73301431aef4daf83c03060ce359560b7b3
SHA512: 88ff79fdac30ebf414f242ec98b80a4677a262fb5685d4ede51d971e978307311d8e5b510337bb5e0062e6dce82426fe1e3dad8b4f1441edec5785fe270c6ab7