fcdfe2e840ff01799c632fbe055ac3af46422be04482238c73ceeb594fbb616f

Analysis

max time kernel
5s
max time network
128s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20231222-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20231222-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
22-12-2023 05:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

71feec726591d84cea09c54743a830c9
Size

434B
MD5

71feec726591d84cea09c54743a830c9
SHA1

a16de25b76d2fe61abf71a759c9c54e9fddd76fe
SHA256

fcdfe2e840ff01799c632fbe055ac3af46422be04482238c73ceeb594fbb616f
SHA512

44193fd9716b695ade062061604140aa67a0f4222b5827a2b2bbe23463be629cc4d773b76c08f6db813cac18c5ba7220d486e5e5ca3c9545485456c056a87a25

Score

6^/10

Malware Config

Signatures

Enumerates running processes
Discovers information about currently running processes on the system

Enumerates kernel/hardware configuration 1 TTPs 64 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/kernel/mm/transparent_hugepage	find
File opened for reading	/sys/kernel/mm/page_idle	find
File opened for reading	/sys/kernel/slab/radix_tree_node	find
File opened for reading	/sys/kernel/slab/proc_inode_cache/cgroup	find
File opened for reading	/sys/kernel/slab/:A-0000704	find
File opened for reading	/sys/kernel/livepatch	find
File opened for reading	/sys/kernel/slab/:d-0000096/cgroup	find
File opened for reading	/sys/kernel/slab/:a-0000056	find
File opened for reading	/sys/kernel/slab/:A-0002112	find
File opened for reading	/sys/kernel/slab/:0000960/cgroup	find
File opened for reading	/sys/kernel/mm/swap	find
File opened for reading	/sys/kernel/slab/:0000192/cgroup	find
File opened for reading	/sys/kernel/slab/:0000832	find
File opened for reading	/sys/kernel/slab/tw_sock_TCPv6/cgroup	find
File opened for reading	/sys/kernel/mm/transparent_hugepage/khugepaged	find
File opened for reading	/sys/kernel/slab/:d-0004096	find
File opened for reading	/sys/kernel/slab/dax_cache/cgroup	find
File opened for reading	/sys/kernel/slab/:0000064	find
File opened for reading	/sys/kernel/slab/:0000040/cgroup	find
File opened for reading	/sys/kernel/slab/kmem_cache_node	find
File opened for reading	/sys/kernel/slab/:0000160	find
File opened for reading	/sys/kernel/slab/dax_cache	find
File opened for reading	/sys/kernel/slab/fat_cache	find
File opened for reading	/sys/kernel/slab/:A-0000064/cgroup	find
File opened for reading	/sys/kernel/slab/:0000640	find
File opened for reading	/sys/kernel/slab/:0000960	find
File opened for reading	/sys/kernel/slab/:A-0000208	find
File opened for reading	/sys/kernel/slab/:a-0000016	find
File opened for reading	/sys/kernel/slab/anon_vma	find
File opened for reading	/sys/kernel/slab/:0000080/cgroup	find
File opened for reading	/sys/kernel/slab/:A-0000192/cgroup	find
File opened for reading	/sys/kernel/slab/:0001024	find
File opened for reading	/sys/kernel/slab/:0000096	find
File opened for reading	/sys/kernel/slab/:d-0008192/cgroup	find
File opened for reading	/sys/kernel/slab/:d-0000064	find
File opened for reading	/sys/kernel/mm/ksm	find
File opened for reading	/sys/kernel/slab/:a-0000048/cgroup	find
File opened for reading	/sys/kernel/slab/shmem_inode_cache	find
File opened for reading	/sys/kernel/slab/ecryptfs_inode_cache	find
File opened for reading	/sys/kernel/slab/:A-0005888	find
File opened for reading	/sys/kernel/slab/:a-0000104/cgroup	find
File opened for reading	/sys/kernel/slab/:0000088	find
File opened for reading	/sys/kernel/slab/:0000048/cgroup	find
File opened for reading	/sys/kernel/slab/:0002632/cgroup	find
File opened for reading	/sys/kernel/slab/:A-0000256	find
File opened for reading	/sys/kernel/slab/:0006912	find
File opened for reading	/sys/kernel/slab/sighand_cache/cgroup	find
File opened for reading	/sys/kernel/slab/:0000400/cgroup	find
File opened for reading	/sys/kernel/slab/:a-0000064/cgroup	find
File opened for reading	/sys/kernel/slab/TCPv6/cgroup	find
File opened for reading	/sys/kernel/slab/:0000192	find
File opened for reading	/sys/kernel/slab/:0000016/cgroup	find
File opened for reading	/sys/kernel/slab/:0001216	find
File opened for reading	/sys/kernel/slab/:0002048/cgroup	find
File opened for reading	/sys/kernel/mm	find
File opened for reading	/sys/kernel/slab/:0002632	find
File opened for reading	/sys/kernel/slab/:0001024/cgroup	find
File opened for reading	/sys/kernel/slab/fat_inode_cache/cgroup	find
File opened for reading	/sys/kernel/slab/:0003312	find
File opened for reading	/sys/kernel/slab/:0008192	find
File opened for reading	/sys/kernel/slab/:A-0000072	find
File opened for reading	/sys/kernel/slab/:0000088/cgroup	find
File opened for reading	/sys/kernel/slab/kmem_cache_node/cgroup	find
File opened for reading	/sys/kernel/slab/:d-0000032/cgroup	find

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/433/task/457/net/stat	find
File opened for reading	/proc/1300/task/1339/attr/apparmor	find
File opened for reading	/proc/174/attr/smack	find
File opened for reading	/proc/1247/net/dev_snmp6	find
File opened for reading	/proc/175/net/stat	find
File opened for reading	/proc/1188/task/1238/net/dev_snmp6	find
File opened for reading	/proc/8/task/8/attr/apparmor	find
File opened for reading	/proc/663/attr/smack	find
File opened for reading	/proc/1132/ns	find
File opened for reading	/proc/1147/task/1179/attr	find
File opened for reading	/proc/1363/task/1366/net/netfilter	find
File opened for reading	/proc/35/task/35/ns	find
File opened for reading	/proc/171/task/171/fd	find
File opened for reading	/proc/172/attr	find
File opened for reading	/proc/1072/map_files	find
File opened for reading	/proc/1076	find
File opened for reading	/proc/1175/attr	find
File opened for reading	/proc/1326/task/1326/net/netfilter	find
File opened for reading	/proc/1370/task/1383/attr/apparmor	find
File opened for reading	/proc/13/task/13/fd	find
File opened for reading	/proc/324/task/324/attr	find
File opened for reading	/proc/1097/task/1100	find
File opened for reading	/proc/1370/task/1378/ns	find
File opened for reading	/proc/1167/task/1182/ns	find
File opened for reading	/proc/170/attr/smack	find
File opened for reading	/proc/177/task/177/fd	find
File opened for reading	/proc/458/task/458/ns	find
File opened for reading	/proc/12/task/12/net/dev_snmp6	find
File opened for reading	/proc/1097/task/1099/fdinfo	find
File opened for reading	/proc/1113/task/1115/fdinfo	find
File opened for reading	/proc/451/task/451/attr/smack	find
File opened for reading	/proc/1350/task/1354/fd	find
File opened for reading	/proc/1400/task/1406/net	find
File opened for reading	/proc/673/ns	find
File opened for reading	/proc/7/task/7/attr	find
File opened for reading	/proc/705/task/707/net/stat	find
File opened for reading	/proc/1037/task/1053/attr	find
File opened for reading	/proc/1272/task/1272/ns	find
File opened for reading	/proc/1300/task/1340/ns	find
File opened for reading	/proc/1327/net/dev_snmp6	find
File opened for reading	/proc/1350/task/1362/net	find
File opened for reading	/proc/1/task/1/net/netfilter	find
File opened for reading	/proc/1171/task/1177/ns	find
File opened for reading	/proc/1271/task/1280/ns	find
File opened for reading	/proc/319/task/319/net/netfilter	find
File opened for reading	/proc/1068/task/1070	find
File opened for reading	/proc/1146/task/1155/fdinfo	find
File opened for reading	/proc/1199	find
File opened for reading	/proc/1300/task/1340/fdinfo	find
File opened for reading	/proc/sys/dev/parport/parport0	find
File opened for reading	/proc/1216/task/1234/net/netfilter	find
File opened for reading	/proc/83/attr/smack	find
File opened for reading	/proc/1068/task/1069/attr/smack	find
File opened for reading	/proc/1132/task/1134/net/stat	find
File opened for reading	/proc/1157/task/1174/fdinfo	find
File opened for reading	/proc/1175/task/1178/net	find
File opened for reading	/proc/sys/dev	find
File opened for reading	/proc/6/task	find
File opened for reading	/proc/13/task/13	find
File opened for reading	/proc/705/net/netfilter	find
File opened for reading	/proc/1043/task/1044/net/netfilter	find
File opened for reading	/proc/1076/task/1080/net/netfilter	find
File opened for reading	/proc/1113/task/1115/fd	find
File opened for reading	/proc/543/task/543/fd	find

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/nohup.out	nohup

/tmp/71feec726591d84cea09c54743a830c9
/tmp/71feec726591d84cea09c54743a830c9
1⤵
PID:1576
- /usr/bin/nohup
  nohup find / -name index.html -exec /bin/cp index.html "{}" ";"
  2⤵
  - Writes file to tmp directory
  PID:1577
- /bin/rm
  rm -f /etc/hosts.deny
  2⤵
  PID:1578
- /usr/local/sbin/find
  find / -name index.html -exec /bin/cp index.html "{}" ";"
  2⤵
  PID:1577
- /usr/local/bin/find
  find / -name index.html -exec /bin/cp index.html "{}" ";"
  2⤵
  PID:1577
- /usr/sbin/find
  find / -name index.html -exec /bin/cp index.html "{}" ";"
  2⤵
  PID:1577
- /usr/bin/find
  find / -name index.html -exec /bin/cp index.html "{}" ";"
  2⤵
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:1577
- - /bin/cp
    /bin/cp index.html /usr/share/cups/doc-root/index.html
    3⤵
    PID:1590
- - /bin/cp
    /bin/cp index.html /usr/share/cups/doc-root/ru/index.html
    3⤵
    PID:1591
- - /bin/cp
    /bin/cp index.html /usr/share/cups/doc-root/es/index.html
    3⤵
    PID:1592
- - /bin/cp
    /bin/cp index.html /usr/share/cups/doc-root/ja/index.html
    3⤵
    PID:1593
- - /bin/cp
    /bin/cp index.html /usr/share/cups/doc-root/de/index.html
    3⤵
    PID:1594
- - /bin/cp
    /bin/cp index.html /usr/share/cups/doc-root/pt_BR/index.html
    3⤵
    PID:1595
- - /bin/cp
    /bin/cp index.html /usr/share/gtk-doc/html/iio-sensor-proxy/index.html
    3⤵
    PID:1596
- - /bin/cp
    /bin/cp index.html /usr/share/gtk-doc/html/totem/index.html
    3⤵
    PID:1597
- - /bin/cp
    /bin/cp index.html /usr/share/transmission/web/index.html
    3⤵
    PID:1598
- - /bin/cp
    /bin/cp index.html /usr/share/doc/python3/python-policy.html/index.html
    3⤵
    PID:1599
- - /bin/cp
    /bin/cp index.html /usr/share/doc/gdisk/index.html
    3⤵
    PID:1600
- - /bin/cp
    /bin/cp index.html /usr/share/doc/python/python-policy.html/index.html
    3⤵
    PID:1601
- - /bin/cp
    /bin/cp index.html /usr/share/doc/adduser/examples/adduser.local.conf.examples/skel.other/index.html
    3⤵
    PID:1602
- - /bin/cp
    /bin/cp index.html /usr/share/doc/nodejs-doc/api/index.html
    3⤵
    PID:1609
- - /bin/cp
    /bin/cp index.html /usr/share/doc/shared-mime-info/shared-mime-info-spec.html/index.html
    3⤵
    PID:1613
- - /bin/cp
    /bin/cp index.html /usr/share/doc/lintian/lintian.html/index.html
    3⤵
    PID:1614
- - /bin/cp
    /bin/cp index.html /usr/share/doc/lintian/api.html/index.html
    3⤵
    PID:1615
- - /bin/cp
    /bin/cp index.html /usr/share/doc/xorg/index.html
    3⤵
    PID:1616
- /tmp/getip.sh
  ./getip.sh
  2⤵
  PID:1579
- /bin/cp
  cp synscan7 synscan
  2⤵
  PID:1580
- /bin/cp
  cp w7 w
  2⤵
  PID:1581
- /bin/cp
  cp l7 l
  2⤵
  PID:1582
- /bin/cp
  cp s7 s
  2⤵
  PID:1583
- /bin/cp
  cp randb7 randb
  2⤵
  PID:1584
- /tmp/bd7.sh
  ./bd7.sh
  2⤵
  PID:1585
- /tmp/start7.sh
  ./start7.sh
  2⤵
  PID:1586

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/nohup.out

Filesize
1KB

MD5
9bd61571d2345d2d118c50de02072ef3

SHA1
7ad26b94b3c1ccad3c6171aa9602be4ab044f4d6

SHA256
19072e72d0e4ca9d53b48635ffdf6c15ca3ed0a3713863796449b06461a7d473

SHA512
a004e2ddb58acf1dedf5c53eb1e069e6a0ed5e9a77605229bc96ff3d0b3b3d4e5f2e4a8acb045f8b7bdde7eda5f0be4e1106a7d073bbdf550aa015928f21cd22

Download Submit