565eb6bda1232c8097a56f1fea1d0646995210d82bde6d5b9c77a04929221e70 | Triage

Analysis

max time kernel
5s
platform
debian-9_mipsel
resource
debian9-mipsel-20231215-en
resource tags

arch:mipselimage:debian9-mipsel-20231215-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem
submitted
22-12-2023 07:10

Sharing

Report Analysis Logs

General

Target

darwin/autorun
Size

299B
MD5

88fa87ddec13907fe3656ec0f4946da0
SHA1

5db91b9b639d6042982bf8e0c90eca2981b64470
SHA256

4487b733a17774fc0f5d36d56d9e613dd8b7f18db0428838f8d15d7e4da9b273
SHA512

1ad43c61b6d4154fa9dafccf6e89fd151c553b62c248b5c3280b43b1fbf5e69fb4f4eb58391ebfddbc873e879419f0250fb1535c5fada2d2a80cbb2e29f79a66

Score

6^/10

persistence

Malware Config

Signatures

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

Scheduled Task/Job

description	ioc	Process
File opened for modification	/var/spool/cron/crontabs/tmp.KV5JRt	crontab

Reads runtime system information 2 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/filesystems	crontab
File opened for reading	/proc/filesystems	crontab

Writes file to tmp directory 3 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/darwin/update	autorun
File opened for modification	/tmp/darwin/dir	autorun
File opened for modification	/tmp/darwin/cron	autorun

/tmp/darwin/autorun
/tmp/darwin/autorun
1⤵
- Writes file to tmp directory
PID:722
- /bin/cat
  cat dir
  2⤵
  PID:723
- /usr/bin/crontab
  crontab cron
  2⤵
  - Creates/modifies Cron job
  - Reads runtime system information
  PID:727
- /bin/grep
  grep update
  2⤵
  PID:734
- /usr/bin/crontab
  crontab -l
  2⤵
  - Reads runtime system information
  PID:733
- /bin/chmod
  chmod u+x update
  2⤵
  PID:736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/darwin/cron

Filesize
45B

MD5
8d3abbfa452b952c6a4181b0182a78aa

SHA1
2a1e56687db34783c7057f5c7f0e675b19ab381a

SHA256
f59f2cad6a3a04dce95ddcdf2fb41481566db70c8e84f05f889917c8f11ef3d2

SHA512
b8e5f6f2c00d11a4de495de760eef08e88c550fca144ffa941d7d0f637e6b47a5eead86459b56bdc93313499e580ee8e743ce79474629ddab8b8b4e056d45bbb

Download Submit
/tmp/darwin/dir

Filesize
12B

MD5
0225f9648f06654d1551fbbb0b6369b9

SHA1
0f81ee834ce83bfa06d7ee04a8c7e90885427eef

SHA256
ba4b050f96c1533c59286f876746e8f4c3b216fb8495fdade2bae22a2b40769c

SHA512
934a4b739f55795367b5437056213ca7e46b926a3cb95967d21e488aaab303cd6bfed945b6cc81a91200d3d656ce34192d8e91d023123e5072ea5d96dfcfeb53

Download Submit
/tmp/darwin/update

Filesize
159B

MD5
4b6138007493a18c688c0a6f34563735

SHA1
c2c34817a7713f65fe17280760c28ab3e4c6c27d

SHA256
3fd1bb878e17481ed6bf0bc6304767e05018e481efdaa66e8a0d64c75295a806

SHA512
e1062f25fa006cd224be7fc9d9cd4fea26b0ff2207a14198ec7c7f3ca691e62667721eb9d822a55acddb77146a87269e719d8fa0a1a60dc6443489e323e72782

Download Submit
/var/spool/cron/crontabs/tmp.KV5JRt

Filesize
223B

MD5
86e4906b77a3bf6899d223da4619337d

SHA1
5f50af095305dcf0568ef8077be97b4dbad2ab81

SHA256
d61b5ad11ede8f8aafc2c1d7945bbff863c5849e55f0f54776d2914307f05913

SHA512
79edbe1ee763f63355bf4be0dc18d4a5c7171d082dfc39778076dfe11a7d11df2211ce4e471e1d45a0e5150ee61aeeb7dbad7e844e7dfff0a685f1e3b2d9dfb5

Download Submit