fcdfe2e840ff01799c632fbe055ac3af46422be04482238c73ceeb594fbb616f

Analysis

max time kernel
42s
platform
debian-9_armhf
resource
debian9-armhf-20231215-en
resource tags

arch:armhfimage:debian9-armhf-20231215-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
22/12/2023, 05:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

71feec726591d84cea09c54743a830c9
Size

434B
MD5

71feec726591d84cea09c54743a830c9
SHA1

a16de25b76d2fe61abf71a759c9c54e9fddd76fe
SHA256

fcdfe2e840ff01799c632fbe055ac3af46422be04482238c73ceeb594fbb616f
SHA512

44193fd9716b695ade062061604140aa67a0f4222b5827a2b2bbe23463be629cc4d773b76c08f6db813cac18c5ba7220d486e5e5ca3c9545485456c056a87a25

Score

6^/10

Malware Config

Signatures

Enumerates running processes
Discovers information about currently running processes on the system

Reads CPU attributes 1 TTPs 7 IoCs

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/cpu0/topology	find
File opened for reading	/sys/devices/system/cpu/power	find
File opened for reading	/sys/devices/system/cpu/hotplug	find
File opened for reading	/sys/devices/system/cpu/cpufreq	find
File opened for reading	/sys/devices/system/cpu/cpu0	find
File opened for reading	/sys/devices/system/cpu/cpu0/power	find
File opened for reading	/sys/devices/system/cpu/cpu0/hotplug	find

Reads network interface configuration 2 TTPs 6 IoCs

Fetches information about one or more active network interfaces.

System Network Configuration Discovery

T1016

System Network Connections Discovery

T1049

description	ioc	Process
File opened for reading	/sys/devices/virtual/net/lo/power	find
File opened for reading	/sys/devices/virtual/net/lo/queues	find
File opened for reading	/sys/devices/virtual/net/lo/queues/tx-0	find
File opened for reading	/sys/devices/virtual/net/lo/queues/tx-0/byte_queue_limits	find
File opened for reading	/sys/devices/virtual/net/lo/queues/rx-0	find
File opened for reading	/sys/devices/virtual/net/lo/statistics	find

Enumerates kernel/hardware configuration 1 TTPs 64 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_exit_mkdirat	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_exit_getresgid16	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_exit_sched_get_priority_max	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_enter_sigsuspend	find
File opened for reading	/sys/fs/cgroup/pids/system.slice/dev-disk-by\x2dpath-platform\x2da003c00.virtio_mmio\x2dpart5.swap	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_exit_dup	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_exit_perf_event_open	find
File opened for reading	/sys/devices/virtual/tty/tty57/power	find
File opened for reading	/sys/firmware/devicetree/base/intc@8000000	find
File opened for reading	/sys/fs/cgroup/pids/system.slice/systemd-tmpfiles-setup.service	find
File opened for reading	/sys/module/virtio/notes	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_exit_pwrite64	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_exit_sysinfo	find
File opened for reading	/sys/bus/i2c/devices	find
File opened for reading	/sys/module/crc16/notes	find
File opened for reading	/sys/kernel/debug/tracing/events/writeback/writeback_dirty_inode	find
File opened for reading	/sys/kernel/irq/42	find
File opened for reading	/sys/kernel/debug/tracing/events/writeback/writeback_congestion_wait	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_enter_sigprocmask	find
File opened for reading	/sys/firmware/devicetree/base/virtio_mmio@a001800	find
File opened for reading	/sys/kernel/irq/46	find
File opened for reading	/sys/devices/platform/a003800.virtio_mmio/power	find
File opened for reading	/sys/devices/virtual/tty/tty56/power	find
File opened for reading	/sys/module/crc32c_generic	find
File opened for reading	/sys/devices/platform/a001c00.virtio_mmio/power	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_enter_getxattr	find
File opened for reading	/sys/devices/platform/a002000.virtio_mmio	find
File opened for reading	/sys/devices/virtual/mem/urandom	find
File opened for reading	/sys/bus/container	find
File opened for reading	/sys/kernel/debug/tracing/events/vb2	find
File opened for reading	/sys/kernel/debug/tracing/events/random/mix_pool_bytes_nolock	find
File opened for reading	/sys/kernel/debug/tracing/events/rcu/rcu_utilization	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_exit_write	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_exit_finit_module	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_enter_setresgid	find
File opened for reading	/sys/devices/platform/9030000.pl061/gpio	find
File opened for reading	/sys/bus/platform/drivers/rockchip-pinctrl	find
File opened for reading	/sys/kernel/debug/tracing/events/ext4/ext4_unlink_exit	find
File opened for reading	/sys/bus/platform/drivers/sun6i-a31-r-pinctrl	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_exit_tee	find
File opened for reading	/sys/kernel/debug/tracing/events/kvm/kvm_halt_poll_ns	find
File opened for reading	/sys/devices/virtual/workqueue	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_exit_signalfd	find
File opened for reading	/sys/kernel/debug/tracing/events/block/block_bio_complete	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_exit_io_setup	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_enter_preadv2	find
File opened for reading	/sys/devices/platform/a003c00.virtio_mmio/virtio0/block/vda/mq	find
File opened for reading	/sys/devices/virtual/tty/tty2	find
File opened for reading	/sys/devices/virtual/tty/tty23	find
File opened for reading	/sys/bus/platform/drivers/mx3_sdc_fb	find
File opened for reading	/sys/kernel/irq/49	find
File opened for reading	/sys/module/crc32c_generic/holders	find
File opened for reading	/sys/module/spurious/parameters	find
File opened for reading	/sys/bus/platform/drivers/twl4030-audio	find
File opened for reading	/sys/kernel/debug/tracing/events/irq/softirq_entry	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_enter_fremovexattr	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_exit_getuid16	find
File opened for reading	/sys/kernel/debug/tracing/events/raw_syscalls/sys_exit	find
File opened for reading	/sys/devices/platform/serial8250/tty/ttyS3	find
File opened for reading	/sys/module/virtio_net/parameters	find
File opened for reading	/sys/kernel/debug/tracing/events/regulator/regulator_disable	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_exit_fdatasync	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_enter_select	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_enter_write	find

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/216/task/228/net	find
File opened for reading	/proc/601/map_files	find
File opened for reading	/proc/6/net/stat	find
File opened for reading	/proc/12/task/12	find
File opened for reading	/proc/16	find
File opened for reading	/proc/210/map_files	find
File opened for reading	/proc/210/net/netfilter	find
File opened for reading	/proc/3/net/stat	find
File opened for reading	/proc/6/task/6/attr	find
File opened for reading	/proc/11/task/11/net/netfilter	find
File opened for reading	/proc/162/task/162/fdinfo	find
File opened for reading	/proc/312/map_files	find
File opened for reading	/proc/581/task/581/net/stat	find
File opened for reading	/proc/649/fdinfo	find
File opened for reading	/proc/2/net/stat	find
File opened for reading	/proc/8/net/dev_snmp6	find
File opened for reading	/proc/641/attr	find
File opened for reading	/proc/645/net/stat	find
File opened for reading	/proc/19/task/19/fd	find
File opened for reading	/proc/43/fdinfo	find
File opened for reading	/proc/277/task	find
File opened for reading	/proc/649/task/649/fdinfo	find
File opened for reading	/proc/1/attr	find
File opened for reading	/proc/43/ns	find
File opened for reading	/proc/646/fdinfo	find
File opened for reading	/proc/bus	find
File opened for reading	/proc/1/task/1/ns	find
File opened for reading	/proc/9/task	find
File opened for reading	/proc/23/net	find
File opened for reading	/proc/138/net/netfilter	find
File opened for reading	/proc/210/attr	find
File opened for reading	/proc/278/task/278/fdinfo	find
File opened for reading	/proc/7/map_files	find
File opened for reading	/proc/141/task/141/fdinfo	find
File opened for reading	/proc/148/task/148/attr	find
File opened for reading	/proc/646/attr	find
File opened for reading	/proc/216/task/216/net/dev_snmp6	find
File opened for reading	/proc/273/task/284/fdinfo	find
File opened for reading	/proc/311/net/stat	find
File opened for reading	/proc/590/net/netfilter	find
File opened for reading	/proc/668/net/dev_snmp6	find
File opened for reading	/proc/664/fdinfo	find
File opened for reading	/proc/tty/ldisc	find
File opened for reading	/proc/5/fdinfo	find
File opened for reading	/proc/23/task/23/fdinfo	find
File opened for reading	/proc/28/task/28/ns	find
File opened for reading	/proc/96/net/netfilter	find
File opened for reading	/proc/136	find
File opened for reading	/proc/278/map_files	find
File opened for reading	/proc/17/task/17/net/stat	find
File opened for reading	/proc/311/task/311/net/netfilter	find
File opened for reading	/proc/668/task/668/net	find
File opened for reading	/proc/584/task	find
File opened for reading	/proc/1/task/1/fdinfo	find
File opened for reading	/proc/2/net/netfilter	find
File opened for reading	/proc/7/net/stat	find
File opened for reading	/proc/11/fd	find
File opened for reading	/proc/21/task/21/ns	find
File opened for reading	/proc/25/ns	find
File opened for reading	/proc/277/task/277/fdinfo	find
File opened for reading	/proc/601	find
File opened for reading	/proc/4/task	find
File opened for reading	/proc/18/attr	find
File opened for reading	/proc/26/net/netfilter	find

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/nohup.out	nohup

/tmp/71feec726591d84cea09c54743a830c9
/tmp/71feec726591d84cea09c54743a830c9
1⤵
PID:661
- /usr/bin/nohup
  nohup find / -name index.html -exec /bin/cp index.html "{}" ";"
  2⤵
  - Writes file to tmp directory
  PID:664
- /bin/rm
  rm -f /etc/hosts.deny
  2⤵
  PID:665
- /tmp/getip.sh
  ./getip.sh
  2⤵
  PID:666
- /usr/local/sbin/find
  find / -name index.html -exec /bin/cp index.html "{}" ";"
  2⤵
  PID:664
- /usr/local/bin/find
  find / -name index.html -exec /bin/cp index.html "{}" ";"
  2⤵
  PID:664
- /usr/sbin/find
  find / -name index.html -exec /bin/cp index.html "{}" ";"
  2⤵
  PID:664
- /usr/bin/find
  find / -name index.html -exec /bin/cp index.html "{}" ";"
  2⤵
  - Reads CPU attributes
  - Reads network interface configuration
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:664
- - /bin/cp
    /bin/cp index.html /usr/share/doc/python/python-policy.html/index.html
    3⤵
    PID:758
- - /bin/cp
    /bin/cp index.html /usr/share/doc/shared-mime-info/shared-mime-info-spec.html/index.html
    3⤵
    PID:762
- - /bin/cp
    /bin/cp index.html /usr/share/doc/nodejs/api/index.html
    3⤵
    PID:768
- - /bin/cp
    /bin/cp index.html /usr/share/doc/adduser/examples/adduser.local.conf.examples/skel.other/index.html
    3⤵
    PID:771
- /bin/cp
  cp synscan7 synscan
  2⤵
  PID:667
- /bin/cp
  cp w7 w
  2⤵
  PID:673
- /bin/cp
  cp l7 l
  2⤵
  PID:675
- /bin/cp
  cp s7 s
  2⤵
  PID:676
- /bin/cp
  cp randb7 randb
  2⤵
  PID:678
- /tmp/bd7.sh
  ./bd7.sh
  2⤵
  PID:679
- /tmp/start7.sh
  ./start7.sh
  2⤵
  PID:681

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Network Configuration Discovery

T1016

System Network Connections Discovery

T1049

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/nohup.out

Filesize
45B

MD5
068bfd5170e44513c7fe0659d16d3f1e

SHA1
bc294c9c6bd7677b269ed22b1c5232fec1c65c51

SHA256
dd87c09664a5a14f2ac979c63e8922e8379185e8c28e4dd8322e27ac54124d8d

SHA512
a0b19e4fc513e8cdc630d5af5dc120806aaec6536b57f69248cf73a18075bab730676187a323aff018893faa565d6604188eee2eecd072649f5867e3c993ee80

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads