Analysis

max time kernel: 5s
platform: debian-9_armhf
resource: debian9-armhf-20231215-en
resource tags: arch:armhf, image:debian9-armhf-20231215-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
submitted: 22-12-2023 03:31
Static task: static1

Behavioral tasks:
- behavioral1: sample .../f, resource ubuntu1804-amd64-20231215-en
- behavioral2: sample .../i, resource ubuntu1804-amd64-20231215-en
- behavioral3: sample .../s, resource ubuntu1804-amd64-20231222-en
- behavioral4: sample .../s, resource debian9-armhf-20231215-en
- behavioral5: sample .../s, resource debian9-mipsbe-20231215-en
- behavioral6: sample .../s, resource debian9-mipsel-20231215-en
General

Target: .../s
Size: 922B
MD5: 31274bb8d056acdc580344e2a44399cf
SHA1: eb19ecb1dfc1153154b7050811b780627919ad62
SHA256: 9f09c8d391981d28f2d3d4fe4c5e178d34cfc09bf784acdd886995cebef8e0c9
SHA512: d26618fe7aa3c2a9b5600261ab8a986b226a96d932d28961400cb0728ca8061eca74a5ed1c1face5ded7ae801f726c1538bb0d333be075dc9045cb0bd657ca20
Malware Config
Signatures

- Enumerates running processes
  Discovers information about currently running processes on the system.

- Reads runtime system information (64 IoCs)
  Reads data from the /proc virtual filesystem.

  description              ioc                  Process
  File opened for reading  /proc/14/stat        killall
  File opened for reading  /proc/19/stat        killall
  File opened for reading  /proc/25/stat        killall
  File opened for reading  /proc/635/cmdline    killall
  File opened for reading  /proc/filesystems    killall
  File opened for reading  /proc/24/stat        killall
  File opened for reading  /proc/275/stat       killall
  File opened for reading  /proc/277/stat       killall
  File opened for reading  /proc/301/stat       killall
  File opened for reading  /proc/635/stat       killall
  File opened for reading  /proc/272/stat       killall
  File opened for reading  /proc/11/stat        killall
  File opened for reading  /proc/13/stat        killall
  File opened for reading  /proc/27/stat        killall
  File opened for reading  /proc/6/stat         killall
  File opened for reading  /proc/23/stat        killall
  File opened for reading  /proc/43/stat        killall
  File opened for reading  /proc/595/stat       killall
  File opened for reading  /proc/628/stat       killall
  File opened for reading  /proc/640/stat       killall
  File opened for reading  /proc/2/stat         killall
  File opened for reading  /proc/7/stat         killall
  File opened for reading  /proc/41/stat        killall
  File opened for reading  /proc/102/stat       killall
  File opened for reading  /proc/112/stat       killall
  File opened for reading  /proc/115/stat       killall
  File opened for reading  /proc/115/cmdline    killall
  File opened for reading  /proc/15/stat        killall
  File opened for reading  /proc/29/stat        killall
  File opened for reading  /proc/584/stat       killall
  File opened for reading  /proc/8/stat         killall
  File opened for reading  /proc/82/stat        killall
  File opened for reading  /proc/3/stat         killall
  File opened for reading  /proc/9/stat         killall
  File opened for reading  /proc/12/stat        killall
  File opened for reading  /proc/18/stat        killall
  File opened for reading  /proc/148/cmdline    killall
  File opened for reading  /proc/20/stat        killall
  File opened for reading  /proc/21/stat        killall
  File opened for reading  /proc/144/stat       killall
  File opened for reading  /proc/585/stat       killall
  File opened for reading  /proc/641/stat       killall
  File opened for reading  /proc/5/stat         killall
  File opened for reading  /proc/10/stat        killall
  File opened for reading  /proc/114/stat       killall
  File opened for reading  /proc/319/stat       killall
  File opened for reading  /proc/1/stat         killall
  File opened for reading  /proc/4/stat         killall
  File opened for reading  /proc/17/stat        killall
  File opened for reading  /proc/26/stat        killall
  File opened for reading  /proc/28/stat        killall
  File opened for reading  /proc/172/stat       killall
  File opened for reading  /proc/638/stat       killall
  File opened for reading  /proc/221/stat       killall
  File opened for reading  /proc/636/cmdline    killall
  File opened for reading  /proc/644/stat       killall
  File opened for reading  /proc/644/cmdline    killall
  File opened for reading  /proc/42/stat        killall
  File opened for reading  /proc/276/stat       killall
  File opened for reading  /proc/577/stat       killall
  File opened for reading  /proc/664/stat       killall
  File opened for reading  /proc/self/maps      awk
  File opened for reading  /proc/16/stat        killall
  File opened for reading  /proc/22/stat        killall

- Writes file to tmp directory (1 IoC)
  Malware often drops required files in the /tmp directory.

  description                   ioc
  File opened for modification  /tmp/.../eth
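Reading the procfs signature: 63 of the 64 reads come from the `killall -9 start` child and the remaining one (/proc/self/maps) from awk. Looking a process up by name on Linux means opening /proc/<pid>/stat for every live process, and /proc/<pid>/cmdline for a subset of them, so the signature fires on the lookup itself; the interesting fact is that a binary running out of /tmp is SIGKILLing something named `start`, not the /proc access. The following is an added example, not code from the report, from the sample or from psmisc: a minimal Python name lookup over a procfs tree that shows why the scan touches every PID and how the stat line has to be parsed (the comm field may contain spaces and parentheses). The fake procfs tree and the process table it is built from are constructed test data; the `/tmp/.../s` path mirrors the report's truncated path.

```python
"""Minimal process-name lookup over procfs, in the spirit of `killall <name>`.

Added example: not the sample's code and not psmisc's code.  It walks a procfs
tree, reads <pid>/stat and <pid>/cmdline for every numeric entry, and returns
the PIDs whose command name matches.  A name lookup over procfs has to touch
/proc/<pid>/stat for every live process, which is why one `killall -9 start`
produces dozens of "File opened for reading /proc/N/stat" sandbox events.
The tree built by build_fake_proc() is constructed test data.
"""
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

COMM_LEN = 15  # the kernel truncates comm to TASK_COMM_LEN-1 bytes


def parse_stat(stat_line: str) -> Tuple[int, str, str, int]:
    """Parse a /proc/<pid>/stat line into (pid, comm, state, ppid).

    comm is wrapped in parentheses and may itself contain spaces and ')'
    (a process may be named "a) (b"), so it is delimited by the first '('
    and the LAST ')' rather than by splitting on whitespace.  Splitting
    naively yields the wrong state/ppid for such processes.
    """
    first = stat_line.index("(")
    last = stat_line.rindex(")")
    pid = int(stat_line[:first].strip())
    comm = stat_line[first + 1:last]
    rest = stat_line[last + 1:].split()
    return pid, comm, rest[0], int(rest[1])


def read_cmdline(pid_dir: Path) -> List[str]:
    """argv of a process; /proc/<pid>/cmdline is NUL-separated, empty for kernel threads."""
    raw = (pid_dir / "cmdline").read_bytes()
    return [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]


def enumerate_processes(proc_root: str = "/proc") -> Dict[int, dict]:
    """Walk the numeric entries of proc_root; skip processes that vanish mid-walk."""
    procs: Dict[int, dict] = {}
    root = Path(proc_root)
    for entry in os.listdir(root):
        if not entry.isdigit():          # skip self, filesystems, sys, ...
            continue
        pid_dir = root / entry
        try:
            pid, comm, state, ppid = parse_stat((pid_dir / "stat").read_text())
            argv = read_cmdline(pid_dir)
        except (OSError, ValueError):    # exited, unreadable or malformed entry
            continue
        procs[pid] = {"comm": comm, "state": state, "ppid": ppid, "argv": argv}
    return procs


def find_by_name(name: str, proc_root: str = "/proc") -> List[int]:
    """PIDs a `killall name` would target: comm match, or argv[0] basename match.

    comm is truncated to COMM_LEN bytes, so a longer name can only be matched
    through argv[0]; that is the cmdline fallback killall also performs.
    """
    hits = []
    for pid, info in enumerate_processes(proc_root).items():
        argv0 = os.path.basename(info["argv"][0]) if info["argv"] else ""
        if info["comm"] == name or argv0 == name:
            hits.append(pid)
    return sorted(hits)


def build_fake_proc(root: str, table: Dict[int, Tuple[str, int, List[str]]]) -> None:
    """Write a constructed procfs-like tree from {pid: (comm, ppid, argv)}.

    Field layout follows proc(5): "pid (comm) state ppid pgrp session ...";
    the trailing counters are filler.  Non-process entries (filesystems,
    self) are included because a walker must skip them.
    """
    base = Path(root)
    for pid, (comm, ppid, argv) in table.items():
        d = base / str(pid)
        d.mkdir(parents=True, exist_ok=True)
        (d / "stat").write_text(f"{pid} ({comm[:COMM_LEN]}) S {ppid} {pid} {pid} 0 -1 4194560 0 0 0 0\n")
        (d / "cmdline").write_bytes(b"\0".join(a.encode() for a in argv) + (b"\0" if argv else b""))
    (base / "filesystems").write_text("nodev\tproc\n")
    (base / "self").mkdir(exist_ok=True)


# Constructed process table; the /tmp path mirrors the report's truncated path.
FAKE_TABLE = {
    1: ("init", 0, ["/sbin/init"]),
    2: ("kthreadd", 0, []),                                   # kernel thread: empty cmdline
    664: ("s", 1, ["/tmp/.../s"]),
    700: ("start", 664, ["/usr/local/bin/start", "-d"]),     # what `killall -9 start` would hit
    800: ("very_long_process_name", 1, ["/opt/very_long_process_name"]),  # comm truncated
}


def demo() -> Dict[str, List[int]]:
    """Build the fake tree in a temp dir and resolve a few names against it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_fake_proc(tmp, FAKE_TABLE)
        return {n: find_by_name(n, tmp) for n in ("start", "very_long_process_name", "s", "missing")}


if __name__ == "__main__":
    print(demo())
```

Run against the real /proc (`find_by_name("start")`) the same code opens one stat file per live process, which is exactly the event pattern in the table above; the constructed tree exists only so the behaviour can be checked offline.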
Processes

- /tmp/.../s  (PID 664, depth 1)
  command line: /tmp/.../s
  - /usr/bin/killall  (PID 665, depth 2)
    command line: killall -9 start
    signature: Reads runtime system information
  - /sbin/ip  (PID 675, depth 2)
    command line: ip route show
  - /bin/grep  (PID 676, depth 2)
    command line: grep default
  - /usr/bin/awk  (PID 677, depth 2)
    command line: awk "{ for (i=1;i<=NF;i++) print \$i }"
    signature: Reads runtime system information
  - /bin/rm  (PID 678, depth 2)
    command line: rm -rf eth

- /sbin/ip  (PID 669, depth 1)
  command line: ip route show

- /bin/grep  (PID 670, depth 1)
  command line: grep -v grep

- /bin/grep  (PID 671, depth 1)
  command line: grep -c default
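Reading the tree: a binary running out of /tmp SIGKILLs every process named `start`, enumerates the default route (`ip route show | grep default | awk ...` under PID 664, plus a top-level `ip route show | grep -v grep | grep -c default`) and then removes a file named `eth`, consistent with the /tmp/.../eth it opened for writing under the "Writes file to tmp directory" signature. None of those steps is exotic on its own; together they are a usable basis for hunting rules without attributing the sample. The following is an added example, not part of the report and not the sample's code: the process list above re-expressed as events and run through a few generic Linux heuristics in Python. Parent PIDs are not in the report, so they are assumptions taken from the nesting (depth-2 processes under 664, depth-1 processes under a placeholder PPID 0 standing in for the sandbox launcher); the `/tmp/.../s` path stays as the report truncates it.

```python
"""Hunting heuristics over a process tree shaped like the one in this report.

Added example: not part of the sandbox report and not the sample's code.  The
events below are constructed from the report's process list (image, command
line, PID).  Parent PIDs are assumptions: depth-2 processes get PPID 664
because the report nests them under it, depth-1 processes get PPID 0 as a
stand-in for the launcher.  The rules are generic Linux tradecraft
heuristics (execution from a world-writable directory, SIGKILL by name,
default-route enumeration, self-cleanup), not a published signature.
"""
import os
import shlex
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str

    @property
    def argv(self) -> List[str]:
        return shlex.split(self.cmdline)   # the sandbox shows the shell-quoted form

    @property
    def name(self) -> str:
        return os.path.basename(self.image)


WORLD_WRITABLE = ("/tmp/", "/var/tmp/", "/dev/shm/")


def from_world_writable(path: str) -> bool:
    return path.startswith(WORLD_WRITABLE)


def detect(events: List[ProcEvent]) -> List[Tuple[str, int]]:
    """Return sorted (rule, pid) findings over a flat list of process events."""
    by_pid = {e.pid: e for e in events}
    siblings: Dict[int, List[ProcEvent]] = defaultdict(list)
    for e in events:
        siblings[e.ppid].append(e)

    findings: List[Tuple[str, int]] = []
    for e in events:
        parent = by_pid.get(e.ppid)
        parent_in_tmp = parent is not None and from_world_writable(parent.image)
        argv = e.argv
        if from_world_writable(e.image):
            findings.append(("exec_from_world_writable_dir", e.pid))
        # `killall -9 name` / `pkill -9 name` spawned by something living in /tmp
        if e.name in ("killall", "pkill") and parent_in_tmp and \
                any(a in ("-9", "-KILL", "-SIGKILL") for a in argv):
            findings.append(("sigkill_by_name_from_tmp_parent", e.pid))
        # `rm -f` / `rm -rf` issued by a /tmp-resident parent: removing its own artefacts
        if e.name == "rm" and parent_in_tmp and \
                any(a.startswith("-") and "f" in a for a in argv[1:]):
            findings.append(("cleanup_from_tmp_parent", e.pid))

    # `ip route show` feeding `grep ... default`: the stages of a shell pipeline
    # are siblings under one parent, so the rule keys on sibling groups.  It
    # flags harvesting of the default gateway / egress interface.
    for group in siblings.values():
        ips = [s for s in group if s.name == "ip" and "route" in s.argv]
        greps = [s for s in group if s.name == "grep" and "default" in s.argv]
        if ips and greps:
            findings.extend(("default_route_enumeration", s.pid) for s in ips)
    return sorted(findings)


# Constructed from the report's process list; PPIDs are assumptions (see above).
REPORT_EVENTS = [
    ProcEvent(664, 0, "/tmp/.../s", "/tmp/.../s"),
    ProcEvent(665, 664, "/usr/bin/killall", "killall -9 start"),
    ProcEvent(669, 0, "/sbin/ip", "ip route show"),
    ProcEvent(670, 0, "/bin/grep", "grep -v grep"),
    ProcEvent(671, 0, "/bin/grep", "grep -c default"),
    ProcEvent(675, 664, "/sbin/ip", "ip route show"),
    ProcEvent(676, 664, "/bin/grep", "grep default"),
    ProcEvent(677, 664, "/usr/bin/awk", 'awk "{ for (i=1;i<=NF;i++) print \\$i }"'),
    ProcEvent(678, 664, "/bin/rm", "rm -rf eth"),
]


if __name__ == "__main__":
    for rule, pid in detect(REPORT_EVENTS):
        print(f"{rule:35} pid={pid}")
```

On real telemetry (auditd execve records, eBPF process events) the parent PID comes with the event and the PPID assumptions disappear; the sibling-group rule is also the one most worth tuning, since `ip route` next to `grep default` is common in benign scripts and only becomes interesting next to a /tmp-resident parent or a SIGKILL by name.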
Network
MITRE ATT&CK Matrix
Downloads

- Filesize: 32B
  MD5: 9fd3d018a46051e3707e92b2406d6a50
  SHA1: 2b3512a69d0655bfd755ea1938f5ee03bfc32abb
  SHA256: f4c1e7ec20135a122df54d19f809e687ad27665b8cf30502144ff758bb70cdca
  SHA512: b78a2b933522485ff915ad2429235bccf265c56c375ecf0a661c53aba54a0194300529d03667c8f0fc85a60996e9bfa7ca6b852d737aa3b0613f1bdec1a96227