d6f0098f74a0481d5885f9a61f03ecbf302ae0fc18ca286b894591eb45adaac3

Analysis

max time kernel
56s
max time network
93s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20231215-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20231215-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
22-12-2023 05:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

.kde/start
Size

5KB
MD5

bc7c80bf1fa56259a6c8969c563518ab
SHA1

130c897ecbc3955ad9a998e1f146dbfb1f21713f
SHA256

62270b2e715152a37dd72455d3bdf374c214c8a7cfc8f391cfafa2d65d1646a5
SHA512

4fc6724575496160e1a4948f137a7133ffe6fea7761155faebaff8ecb7056fe3dc310fa9e6807881569e144fa530347ea7c4851864b6949ba5b8697313efdb4b
SSDEEP

96:uyuYPRHzp8zW9wnqd+9I6bIVrKhI/uVcTa6bEkIev45Cj5MDmNA36anw9Wz8pyft:w9zbWm

Score

6^/10

Malware Config

Signatures

Reads CPU attributes 1 TTPs 1 IoCs

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	uptime

Reads runtime system information 7 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/loadavg	uptime
File opened for reading	/proc/filesystems	id
File opened for reading	/proc/sys/kernel/ngroups_max	id
File opened for reading	/proc/self/mountinfo	df
File opened for reading	/proc/filesystems	mv
File opened for reading	/proc/sys/kernel/osrelease	uptime
File opened for reading	/proc/uptime	uptime

Writes file to tmp directory 2 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/.kde/info2	start
File opened for modification	/tmp/.kde/info2	Process not Found

/tmp/.kde/start
/tmp/.kde/start
1⤵
- Writes file to tmp directory
PID:1536
- /tmp/.kde/a1
  ./a1
  2⤵
  PID:1537
- /sbin/ifconfig
  /sbin/ifconfig -a
  2⤵
  PID:1538
- /usr/bin/uptime
  uptime
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1539
- /bin/uname
  uname -a
  2⤵
  PID:1540
- /bin/cat
  cat /etc/issue
  2⤵
  PID:1541
- /bin/cat
  cat /etc/passwd
  2⤵
  PID:1542
- /usr/bin/id
  id
  2⤵
  - Reads runtime system information
  PID:1543
- /bin/df
  df -h
  2⤵
  - Reads runtime system information
  PID:1544
- /bin/cat
  cat info2
  2⤵
  PID:1545
- /bin/rm
  rm -rf info2
  2⤵
  PID:1547
- /bin/mv
  mv a1 .a1
  2⤵
  - Reads runtime system information
  PID:1548
- /usr/bin/clear
  clear
  2⤵
  PID:1549
- /bin/cat
  cat vuln.txt
  2⤵
  PID:1550
- /tmp/.kde/a
  ./a .0
  2⤵
  PID:1552
- /tmp/.kde/a
  ./a .1
  2⤵
  PID:1553
- /tmp/.kde/a
  ./a .2
  2⤵
  PID:1554
- /tmp/.kde/a
  ./a .3
  2⤵
  PID:1555
- /tmp/.kde/a
  ./a .4
  2⤵
  PID:1556
- /tmp/.kde/a
  ./a .5
  2⤵
  PID:1557
- /tmp/.kde/a
  ./a .6
  2⤵
  PID:1558
- /tmp/.kde/a
  ./a .7
  2⤵
  PID:1559
- /tmp/.kde/a
  ./a .8
  2⤵
  PID:1560
- /tmp/.kde/a
  ./a .9
  2⤵
  PID:1561
- /tmp/.kde/a
  ./a .10
  2⤵
  PID:1562
- /bin/cat
  cat vuln.txt
  2⤵
  PID:1563
- /tmp/.kde/a
  ./a .11
  2⤵
  PID:1565
- /tmp/.kde/a
  ./a .12
  2⤵
  PID:1566
- /tmp/.kde/a
  ./a .13
  2⤵
  PID:1568
- /tmp/.kde/a
  ./a .14
  2⤵
  PID:1569
- /tmp/.kde/a
  ./a .15
  2⤵
  PID:1570
- /tmp/.kde/a
  ./a .16
  2⤵
  PID:1571
- /tmp/.kde/a
  ./a .17
  2⤵
  PID:1572
- /tmp/.kde/a
  ./a .18
  2⤵
  PID:1573
- /tmp/.kde/a
  ./a .19
  2⤵
  PID:1574
- /tmp/.kde/a
  ./a .20
  2⤵
  PID:1575
- /bin/cat
  cat vuln.txt
  2⤵
  PID:1576
- /tmp/.kde/a
  ./a .21
  2⤵
  PID:1578
- /tmp/.kde/a
  ./a .22
  2⤵
  PID:1579
- /tmp/.kde/a
  ./a .23
  2⤵
  PID:1580
- /tmp/.kde/a
  ./a .24
  2⤵
  PID:1581
- /tmp/.kde/a
  ./a .25
  2⤵
  PID:1582
- /tmp/.kde/a
  ./a .26
  2⤵
  PID:1583
- /tmp/.kde/a
  ./a .27
  2⤵
  PID:1584
- /tmp/.kde/a
  ./a .28
  2⤵
  PID:1585
- /tmp/.kde/a
  ./a .29
  2⤵
  PID:1586
- /tmp/.kde/a
  ./a .30
  2⤵
  PID:1587
- /bin/cat
  cat vuln.txt
  2⤵
  PID:1588
- /tmp/.kde/a
  ./a .31
  2⤵
  PID:1590
- /tmp/.kde/a
  ./a .32
  2⤵
  PID:1591
- /tmp/.kde/a
  ./a .33
  2⤵
  PID:1592
- /tmp/.kde/a
  ./a .34
  2⤵
  PID:1593
- /tmp/.kde/a
  ./a .35
  2⤵
  PID:1594
- /tmp/.kde/a
  ./a .36
  2⤵
  PID:1595
- /tmp/.kde/a
  ./a .37
  2⤵
  PID:1596
- /tmp/.kde/a
  ./a .38
  2⤵
  PID:1597
- /tmp/.kde/a
  ./a .39
  2⤵
  PID:1598
- /tmp/.kde/a
  ./a .40
  2⤵
  PID:1599
- /bin/cat
  cat vuln.txt
  2⤵
  PID:1603
- /tmp/.kde/a
  ./a .41
  2⤵
  PID:1605
- /tmp/.kde/a
  ./a .42
  2⤵
  PID:1606
- /tmp/.kde/a
  ./a .43
  2⤵
  PID:1607
- /tmp/.kde/a
  ./a .44
  2⤵
  PID:1608
- /tmp/.kde/a
  ./a .45
  2⤵
  PID:1609
- /tmp/.kde/a
  ./a .46
  2⤵
  PID:1610
- /tmp/.kde/a
  ./a .47
  2⤵
  PID:1611
- /tmp/.kde/a
  ./a .48
  2⤵
  PID:1612
- /tmp/.kde/a
  ./a .49
  2⤵
  PID:1613
- /tmp/.kde/a
  ./a .50
  2⤵
  PID:1614
- /bin/cat
  cat vuln.txt
  2⤵
  PID:1615
- /tmp/.kde/a
  ./a .51
  2⤵
  PID:1617
- /tmp/.kde/a
  ./a .52
  2⤵
  PID:1618
- /tmp/.kde/a
  ./a .53
  2⤵
  PID:1619
- /tmp/.kde/a
  ./a .54
  2⤵
  PID:1620
- /tmp/.kde/a
  ./a .55
  2⤵
  PID:1621
- /tmp/.kde/a
  ./a .56
  2⤵
  PID:1622
- /tmp/.kde/a
  ./a .57
  2⤵
  PID:1623
- /tmp/.kde/a
  ./a .58
  2⤵
  PID:1624
- /tmp/.kde/a
  ./a .59
  2⤵
  PID:1625
- /tmp/.kde/a
  ./a .60
  2⤵
  PID:1626
- /bin/cat
  cat vuln.txt
  2⤵
  PID:1627
- /tmp/.kde/a
  ./a .61
  2⤵
  PID:1629
- /tmp/.kde/a
  ./a .62
  2⤵
  PID:1630
- /tmp/.kde/a
  ./a .63
  2⤵
  PID:1631
- /tmp/.kde/a
  ./a .64
  2⤵
  PID:1632
- /tmp/.kde/a
  ./a .65
  2⤵
  PID:1633
- /tmp/.kde/a
  ./a .66
  2⤵
  PID:1634
- /tmp/.kde/a
  ./a .67
  2⤵
  PID:1635
- /tmp/.kde/a
  ./a .68
  2⤵
  PID:1636
- /tmp/.kde/a
  ./a .69
  2⤵
  PID:1637
- /tmp/.kde/a
  ./a .70
  2⤵
  PID:1638
- /bin/cat
  cat vuln.txt
  2⤵
  PID:1639
- /tmp/.kde/a
  ./a .71
  2⤵
  PID:1643
- /tmp/.kde/a
  ./a .72
  2⤵
  PID:1646
- /tmp/.kde/a
  ./a .73
  2⤵
  PID:1649
- /tmp/.kde/a
  ./a .74
  2⤵
  PID:1652
- /tmp/.kde/a
  ./a .75
  2⤵
  PID:1653
- /tmp/.kde/a
  ./a .76
  2⤵
  PID:1654
- /tmp/.kde/a
  ./a .77
  2⤵
  PID:1655
- /tmp/.kde/a
  ./a .78
  2⤵
  PID:1656
- /tmp/.kde/a
  ./a .79
  2⤵
  PID:1657
- /tmp/.kde/a
  ./a .80
  2⤵
  PID:1660
- /bin/cat
  cat vuln.txt
  2⤵
  PID:1661
- /tmp/.kde/a
  ./a .81
  2⤵
  PID:1663
- /tmp/.kde/a
  ./a .82
  2⤵
  PID:1664
- /tmp/.kde/a
  ./a .83
  2⤵
  PID:1665
- /tmp/.kde/a
  ./a .84
  2⤵
  PID:1668
- /tmp/.kde/a
  ./a .85
  2⤵
  PID:1669
- /tmp/.kde/a
  ./a .86
  2⤵
  PID:1670
- /tmp/.kde/a
  ./a .87
  2⤵
  PID:1671
- /tmp/.kde/a
  ./a .88
  2⤵
  PID:1672
- /tmp/.kde/a
  ./a .89
  2⤵
  PID:1673
- /tmp/.kde/a
  ./a .90
  2⤵
  PID:1674
- /bin/cat
  cat vuln.txt
  2⤵
  PID:1675
- /tmp/.kde/a
  ./a .91
  2⤵
  PID:1677
- /tmp/.kde/a
  ./a .92
  2⤵
  PID:1678
- /tmp/.kde/a
  ./a .93
  2⤵
  PID:1679
- /tmp/.kde/a
  ./a .94
  2⤵
  PID:1680
- /tmp/.kde/a
  ./a .95
  2⤵
  PID:1681
- /tmp/.kde/a
  ./a .96
  2⤵
  PID:1682
- /tmp/.kde/a
  ./a .97
  2⤵
  PID:1683
- /tmp/.kde/a
  ./a .98
  2⤵
  PID:1684
- /tmp/.kde/a
  ./a .99
  2⤵
  PID:1685
- /tmp/.kde/a
  ./a .100
  2⤵
  PID:1686
- /bin/cat
  cat vuln.txt
  2⤵
  PID:1687
- /tmp/.kde/a
  ./a .101
  2⤵
  PID:1689
- /tmp/.kde/a
  ./a .102
  2⤵
  PID:1690
- /tmp/.kde/a
  ./a .103
  2⤵
  PID:1691
- /tmp/.kde/a
  ./a .104
  2⤵
  PID:1692
- /tmp/.kde/a
  ./a .105
  2⤵
  PID:1693
- /tmp/.kde/a
  ./a .106
  2⤵
  PID:1694
- /tmp/.kde/a
  ./a .107
  2⤵
  PID:1695
- /tmp/.kde/a
  ./a .108
  2⤵
  PID:1696
- /tmp/.kde/a
  ./a .109
  2⤵
  PID:1697
- /tmp/.kde/a
  ./a .110
  2⤵
  PID:1698
- /bin/cat
  cat vuln.txt
  2⤵
  PID:1699
- /tmp/.kde/a
  ./a .111
  2⤵
  PID:1701
- /tmp/.kde/a
  ./a .112
  2⤵
  PID:1702
- /tmp/.kde/a
  ./a .113
  2⤵
  PID:1703
- /tmp/.kde/a
  ./a .114
  2⤵
  PID:1704
- /tmp/.kde/a
  ./a .115
  2⤵
  PID:1705
- /tmp/.kde/a
  ./a .116
  2⤵
  PID:1706
- /tmp/.kde/a
  ./a .117
  2⤵
  PID:1707
- /tmp/.kde/a
  ./a .118
  2⤵
  PID:1708
- /tmp/.kde/a
  ./a .119
  2⤵
  PID:1709
- /tmp/.kde/a
  ./a .120
  2⤵
  PID:1710
- /bin/cat
  cat vuln.txt
  2⤵
  PID:1711
- /tmp/.kde/a
  ./a .121
  2⤵
  PID:1713
- /tmp/.kde/a
  ./a .122
  2⤵
  PID:1714
- /tmp/.kde/a
  ./a .123
  2⤵
  PID:1715
- /tmp/.kde/a
  ./a .124
  2⤵
  PID:1716
- /tmp/.kde/a
  ./a .125
  2⤵
  PID:1717
- /tmp/.kde/a
  ./a .126
  2⤵
  PID:1718
- /tmp/.kde/a
  ./a .127
  2⤵
  PID:1719
- /tmp/.kde/a
  ./a .128
  2⤵
  PID:1720
- /tmp/.kde/a
  ./a .129
  2⤵
  PID:1721
- /tmp/.kde/a
  ./a .13
  2⤵
  PID:1722
- /bin/cat
  cat vuln.txt
  2⤵
  PID:1723
- /tmp/.kde/a
  ./a .131
  2⤵
  PID:1725
- /tmp/.kde/a
  ./a .132
  2⤵
  PID:1726
- /tmp/.kde/a
  ./a .133
  2⤵
  PID:1727
- /tmp/.kde/a
  ./a .134
  2⤵
  PID:1728
- /tmp/.kde/a
  ./a .135
  2⤵
  PID:1729
- /tmp/.kde/a
  ./a .136
  2⤵
  PID:1730

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/.kde/info2

Filesize
27B

MD5
210e3691abde94aba36fd981c007118b

SHA1
fbed82767e1e597632436aa2b4d5aed2c2585ac2

SHA256
a9913f505a1275a5c00a630ae232b04a982bb19efa5b00d5e22ca14e414b84c9

SHA512
65a8f42b99268ba4bc17f51f0e2e17d530b344c80bc483c510014bbf2920715517f5be0f770e30f55e1f2603f203fd4af9295bd979a82897e15b1593f08e1580

Download Submit
/tmp/.kde/info2

Filesize
54B

MD5
a2709419d80ba6b7fb126a5ed3cbebf1

SHA1
2400112d846a896b8bfee9d8c1791718ef0695b8

SHA256
24259785df747f8a38f250211b544b5885e937254a0a3d17658696f8515ca20a

SHA512
2f897325d3791ab80619d52978907900e0431518ae44906d06ccfe0dcae412c3d46a034f40da724bd4045d9c33258478bb6c96d33ea0f6c649ac81b7d4a62e8d

Download Submit
/tmp/.kde/info2

Filesize
85B

MD5
68e6530a51c4c7bf17dcf7051a6be710

SHA1
81380900211b5eca427f5632ff97cfd91eaaf7eb

SHA256
0b17dee730444d635adf2892a570927015e1bac71bf869df56bf25d104b1f529

SHA512
a103bbcdee57bafed8aa53eb08723aa1653e6e426e66ab6a1aca2e43f94200a2efd9288b0f51f67cc350beb08eb9648432e05feaca95f80179d6701c95b577e0

Download Submit
/tmp/.kde/info2

Filesize
146B

MD5
3ff7fa7f62377aa37edfd4be36035c63

SHA1
9b9fd5fe3069360853256477cf2d2de98660bc16

SHA256
43489c307f77e0b838a35dfa9adeabc569d6bfe802f80a0188cb1f5ca6d60a5b

SHA512
41e6df5fa3591fc4b9ce2568b5545a5b5b97a486e033f05388cde261cee164a40d82f3263edbe6880fcc6958d44eefb04f0fbe2e761ba072270b5d212a42a19d

Download Submit
/tmp/.kde/info2

Filesize
179B

MD5
07001688b4c707c8d240ef999d053e82

SHA1
eb06e3f3d7ad32c089bec179c17d82bfc8a712c3

SHA256
b52f5ac999cf0191b211a4ede903bf806747019d0eb30a464b3b00456276c1d6

SHA512
9480dcabce0d86e4e54778ec192aec075a79607f6eaf1028274dbb13188542d034b864733b66c6fc07beb7b35df1054ced470a958656994d479960ada70ecbb0

Download Submit
/tmp/.kde/info2

Filesize
3KB

MD5
f3199a9f7a6b1c8dfb93552afc5ec1c3

SHA1
74e454cf825e4ff14711979333ae5f2b486bbee0

SHA256
c93519daa9feb8a835253474bd94847e5f976177faef4ef37097da66439caa19

SHA512
34f2acef6772fb9f49147664d2061d99714069d45938b418e637fe079fcc97908858322b31ea980316df4d4616fb6787429782c8b94551539c723dbd431f3edb

Download Submit