Analysis

  • max time kernel
    4s
  • platform
    debian-9_mips
  • resource
    debian9-mipsbe-20231215-en
  • resource tags
    arch:mips
    image:debian9-mipsbe-20231215-en
    kernel:4.9.0-13-4kc-malta
    locale:en-us
    os:debian-9-mips
    system
  • submitted
    22-12-2023 07:20

General

  • Target
    .kdi/autorun
  • Size
    317B
  • MD5
    9729c037cb0a32811ba3eb15e3c8a789
  • SHA1
    6e67d4929c0b87dd05afe1b3f5f0aed2852885c4
  • SHA256
    5f03b45dc87f35120fd01f18150d2c3c807c9dc22d9433208d1bd14d5d581260
  • SHA512
    ed9131f48df4f3f6503b38f064ef07c7d9a235280ecf03a0a2852f268b98e42b8b445931536bd4a4a4344fefb8a05594dae094e7e7795c9690ab5ca568b1ff8c

Score
6/10

Malware Config

Signatures

  • Creates/modifies Cron job (1 TTP, 1 IoC)
    Cron allows running tasks on a schedule, and is commonly used for malware persistence.
  • Reads runtime system information (2 IoCs)
    Reads data from the /proc virtual filesystem.
  • Writes file to tmp directory (3 IoCs)
    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/.kdi/autorun
    /tmp/.kdi/autorun
    1⤵
    • Writes file to tmp directory
    PID:705
    • /bin/cat
      cat mech.dir
      2⤵
      PID:708
    • /usr/bin/crontab
      crontab cron.d
      2⤵
      • Creates/modifies Cron job
      • Reads runtime system information
      PID:714
    • /usr/bin/crontab
      crontab -l
      2⤵
      • Reads runtime system information
      PID:717
    • /bin/grep
      grep update
      2⤵
      PID:718
    • /bin/chmod
      chmod u+x update
      2⤵
      PID:719

Network

MITRE ATT&CK Enterprise v15

Downloads

  • /tmp/.kdi/cron.d
    Filesize
    43B
    MD5
    d60220db9087e4aefe589e08f89a3177
    SHA1
    e7d7fab5b62125ae016f83bb6da92e4d5c118f5a
    SHA256
    1d16d1f923e03a80c72ab0728f49c81720a8be8873cc173934356c5e871fba63
    SHA512
    4ee225df0ca80e0767206c80f3522b14c42586fb4298b09ccefbef4a9657a1a51ce5faf431d84f705797972ae98e9ea693b9201f39bf95d97ea527dc18edefa6

  • /tmp/.kdi/mech.dir
    Filesize
    10B
    MD5
    bc79e013d9363be089fa76b1c350fa1e
    SHA1
    08fc6dcd3f0af3eb8b05260e44220adc454954b7
    SHA256
    d91bbea42183041c73041d5754d32ab969e17f578015da79d63e80851d6601a6
    SHA512
    9043fab9c66f0f3a0509892666ca37d15bb188a9e6a166250010264ce1872b1be30626f1af07a0e28bcbdd23f8f9262305d239785f400d21a3b6ae7e0c9353d4

  • /tmp/.kdi/update
    Filesize
    157B
    MD5
    e63229e46b999fc750a57fa4a076c999
    SHA1
    a49d1c5572091a412ac1eb56ba1450ff04cdca8f
    SHA256
    3ab1d34dfde9b841cd1a3a6e6598e797692201529ad88df6a4fb633f9dfbbe17
    SHA512
    62f20f3331ed71d29c870bd53ef1c2f13014fb4e6e59bee6526e6c26a5578fa1530647312e4f4df74949f7a456ff73a1a153ff95488ed8d1de23500d8b923416

  • /var/spool/cron/crontabs/tmp.aLUAM2
    Filesize
    223B
    MD5
    acdfdaea31e76149182d09bdcdc4d826
    SHA1
    4dd16692f6899ccaa2e65993f6a2492e64fb56e5
    SHA256
    763ef1442b1db6ec73b6898671021f104fb82258f40225d53ad92c9c0df76115
    SHA512
    d08f2b879192bc1453fc3d19c7bbfebcf6a5b2d0312d4f153ac321399e797ff7f1b3120ef859c033c6e186f1bb312568af13adb4abee0563c38847f47e2587b8