8ff25cb03dc615fe8595b1acdc4c3e868a1a31a615801842d1417e84e73b2d71

Analysis

max time kernel
15s
max time network
132s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20231215-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20231215-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
22/12/2023, 08:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

scan/go
Size

794B
MD5

fd52040029cde6318569f91abc1090fc
SHA1

65117e69cfc77df7db1d0695eb66903093e2e397
SHA256

150ad9bc0078b993db48ed0d373723df82c89e23c3d1dcfb795aac3f5853a5cc
SHA512

5f707d39c2494cf7bc41acc3a5402d1442ab12c4cc2c73c9f15dedac7e9d37d25a01119a02887e442bdeaacc3f3290b6dd33f1c5cdbbca011df140c11ce129f7

Score

7^/10

evasion

Malware Config

Signatures

Deletes Audit logs 1 TTPs 1 IoCs

Deletes logs related to the Linux Audit framework.

evasion

Indicator Removal

T1070

description	ioc	Process
File deleted	/var/log/audit/audit.log	rm

Deletes journal logs 1 TTPs 3 IoCs

Deletes systemd journal logs. Likely to evade detection.

evasion

Indicator Removal

T1070

description	ioc	Process
File deleted	/var/log/journal/11c67417355f45d397f6be11f62e85a6/system.journal	rm
File deleted	/var/log/journal/11c67417355f45d397f6be11f62e85a6/[email protected]~	rm
File deleted	/var/log/journal/11c67417355f45d397f6be11f62e85a6	rm

Deletes system logs 1 TTPs 2 IoCs

Deletes log file which contains global system messages. Adversaries may delete system logs to minimize their footprint.

evasion

Indicator Removal

T1070

description	ioc	Process
File deleted	/var/log/syslog	rm
File deleted	/var/log/syslog	rm

Deletes log files 1 TTPs 63 IoCs

Deletes log files on the system.

Indicator Removal

T1070

description	ioc	Process
File deleted	/var/log/installer/partman	rm
File deleted	/var/log/installer/lsb-release	rm
File deleted	/var/log/unattended-upgrades	rm
File deleted	/var/log/cups	rm
File deleted	/var/log/dpkg.log	rm
File deleted	/var/log/speech-dispatcher	rm
File deleted	/var/log/ubuntu-advantage.log	rm
File deleted	/var/log/installer/initial-status.gz	rm
File deleted	/var/log/installer/cdebconf/questions.dat	rm
File deleted	/var/log/dist-upgrade	rm
File deleted	/var/log/audit	rm
File deleted	/var/log/installer/hardware-summary	rm
File deleted	/var/log/Xorg.0.log.old	rm
File deleted	/var/log/apt/history.log	rm
File deleted	/var/log/unattended-upgrades	rm
File deleted	/var/log/apt	rm
File deleted	/var/log/installer	rm
File deleted	/var/log/fontconfig.log	rm
File deleted	/var/log/hp	rm
File deleted	/var/log/audit	rm
File deleted	/var/log/Xorg.0.log.old	rm
File deleted	/var/log/auth.log	rm
File deleted	/var/log/gpu-manager.log	rm
File deleted	/var/log/installer/syslog	rm
File deleted	/var/log/tallylog	rm
File deleted	/var/log/Xorg.0.log	rm
File deleted	/var/log/apt	rm
File deleted	/var/log/kern.log	rm
File deleted	/var/log/wtmp	rm
File deleted	/var/log/btmp	rm
File deleted	/var/log/installer/cdebconf/templates.dat	rm
File deleted	/var/log/wtmp	rm
File deleted	/var/log/cups	rm
File deleted	/var/log/hp	rm
File deleted	/var/log/installer/cdebconf	rm
File deleted	/var/log/auth.log	rm
File deleted	/var/log/fontconfig.log	rm
File deleted	/var/log/tallylog	rm
File deleted	/var/log/apt/eipp.log.xz	rm
File deleted	/var/log/dist-upgrade	rm
File deleted	/var/log/hp/tmp	rm
File deleted	/var/log/alternatives.log	rm
File deleted	/var/log/gpu-manager.log	rm
File deleted	/var/log/apt/term.log	rm
File deleted	/var/log/installer	rm
File deleted	/var/log/kern.log	rm
File deleted	/var/log/speech-dispatcher	rm
File deleted	/var/log/dpkg.log	rm
File deleted	/var/log/alternatives.log	rm
File deleted	/var/log/journal	rm
File deleted	/var/log/unattended-upgrades/unattended-upgrades-shutdown.log	rm
File deleted	/var/log/gdm3	rm
File deleted	/var/log/cups/access_log	rm
File deleted	/var/log/ubuntu-advantage.log	rm
File deleted	/var/log/btmp	rm
File deleted	/var/log/lastlog	rm
File deleted	/var/log/faillog	rm
File deleted	/var/log/gdm3	rm
File deleted	/var/log/Xorg.0.log	rm
File deleted	/var/log/installer/status	rm
File deleted	/var/log/lastlog	rm
File deleted	/var/log/faillog	rm
File deleted	/var/log/journal	rm

Reads runtime system information 2 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/filesystems	ls
File opened for reading	/proc/filesystems	ls

Writes file to tmp directory 2 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/scan/cleanlist	go
File opened for modification	/tmp/scan/mfu.txt	Process not Found

/tmp/scan/go
/tmp/scan/go
1⤵
- Writes file to tmp directory
PID:1544
- /bin/ls
  ls /var/log/
  2⤵
  - Reads runtime system information
  PID:1545
- /bin/rm
  rm -rf /var/log/alternatives.log
  2⤵
  - Deletes log files
  PID:1546
- /usr/bin/touch
  touch /var/log/alternatives.log
  2⤵
  PID:1547
- /bin/rm
  rm -rf /var/log/apt
  2⤵
  - Deletes log files
  PID:1548
- /usr/bin/touch
  touch /var/log/apt
  2⤵
  PID:1549
- /bin/rm
  rm -rf /var/log/audit
  2⤵
  - Deletes Audit logs
  - Deletes log files
  PID:1550
- /usr/bin/touch
  touch /var/log/audit
  2⤵
  PID:1551
- /bin/rm
  rm -rf /var/log/auth.log
  2⤵
  - Deletes log files
  PID:1552
- /usr/bin/touch
  touch /var/log/auth.log
  2⤵
  PID:1553
- /bin/rm
  rm -rf /var/log/btmp
  2⤵
  - Deletes log files
  PID:1554
- /usr/bin/touch
  touch /var/log/btmp
  2⤵
  PID:1555
- /bin/rm
  rm -rf /var/log/cups
  2⤵
  - Deletes log files
  PID:1556
- /usr/bin/touch
  touch /var/log/cups
  2⤵
  PID:1557
- /bin/rm
  rm -rf /var/log/dist-upgrade
  2⤵
  - Deletes log files
  PID:1558
- /usr/bin/touch
  touch /var/log/dist-upgrade
  2⤵
  PID:1559
- /bin/rm
  rm -rf /var/log/dpkg.log
  2⤵
  - Deletes log files
  PID:1560
- /usr/bin/touch
  touch /var/log/dpkg.log
  2⤵
  PID:1561
- /bin/rm
  rm -rf /var/log/faillog
  2⤵
  - Deletes log files
  PID:1562
- /usr/bin/touch
  touch /var/log/faillog
  2⤵
  PID:1563
- /bin/rm
  rm -rf /var/log/fontconfig.log
  2⤵
  - Deletes log files
  PID:1564
- /usr/bin/touch
  touch /var/log/fontconfig.log
  2⤵
  PID:1565
- /bin/rm
  rm -rf /var/log/gdm3
  2⤵
  - Deletes log files
  PID:1566
- /usr/bin/touch
  touch /var/log/gdm3
  2⤵
  PID:1567
- /bin/rm
  rm -rf /var/log/gpu-manager.log
  2⤵
  - Deletes log files
  PID:1568
- /usr/bin/touch
  touch /var/log/gpu-manager.log
  2⤵
  PID:1569
- /bin/rm
  rm -rf /var/log/hp
  2⤵
  - Deletes log files
  PID:1570
- /usr/bin/touch
  touch /var/log/hp
  2⤵
  PID:1571
- /bin/rm
  rm -rf /var/log/installer
  2⤵
  - Deletes log files
  PID:1572
- /usr/bin/touch
  touch /var/log/installer
  2⤵
  PID:1573
- /bin/rm
  rm -rf /var/log/journal
  2⤵
  - Deletes journal logs
  - Deletes log files
  PID:1575
- /usr/bin/touch
  touch /var/log/journal
  2⤵
  PID:1576
- /bin/rm
  rm -rf /var/log/kern.log
  2⤵
  - Deletes log files
  PID:1580
- /usr/bin/touch
  touch /var/log/kern.log
  2⤵
  PID:1581
- /bin/rm
  rm -rf /var/log/lastlog
  2⤵
  - Deletes log files
  PID:1582
- /usr/bin/touch
  touch /var/log/lastlog
  2⤵
  PID:1583
- /bin/rm
  rm -rf /var/log/speech-dispatcher
  2⤵
  - Deletes log files
  PID:1584
- /usr/bin/touch
  touch /var/log/speech-dispatcher
  2⤵
  PID:1585
- /bin/rm
  rm -rf /var/log/syslog
  2⤵
  - Deletes system logs
  PID:1586
- /usr/bin/touch
  touch /var/log/syslog
  2⤵
  PID:1587
- /bin/rm
  rm -rf /var/log/tallylog
  2⤵
  - Deletes log files
  PID:1588
- /usr/bin/touch
  touch /var/log/tallylog
  2⤵
  PID:1589
- /bin/rm
  rm -rf /var/log/ubuntu-advantage.log
  2⤵
  - Deletes log files
  PID:1590
- /usr/bin/touch
  touch /var/log/ubuntu-advantage.log
  2⤵
  PID:1591
- /bin/rm
  rm -rf /var/log/unattended-upgrades
  2⤵
  - Deletes log files
  PID:1592
- /usr/bin/touch
  touch /var/log/unattended-upgrades
  2⤵
  PID:1593
- /bin/rm
  rm -rf /var/log/wtmp
  2⤵
  - Deletes log files
  PID:1594
- /usr/bin/touch
  touch /var/log/wtmp
  2⤵
  PID:1595
- /bin/rm
  rm -rf /var/log/Xorg.0.log
  2⤵
  - Deletes log files
  PID:1596
- /usr/bin/touch
  touch /var/log/Xorg.0.log
  2⤵
  PID:1597
- /bin/rm
  rm -rf /var/log/Xorg.0.log.old
  2⤵
  - Deletes log files
  PID:1598
- /usr/bin/touch
  touch /var/log/Xorg.0.log.old
  2⤵
  PID:1599
- /bin/sleep
  sleep 2
  2⤵
  PID:1600
- /bin/cat
  cat motd
  2⤵
  PID:1611
- /tmp/scan/class
  ./class 22 -a -i eth0 -s 10
  2⤵
  PID:1612
- /bin/cat
  cat bios.txt
  2⤵
  PID:1613
- /usr/bin/sort
  sort
  2⤵
  PID:1614
- /usr/bin/uniq
  uniq
  2⤵
  PID:1615
- /bin/grep
  grep -c . mfu.txt
  2⤵
  PID:1616
- /tmp/scan/update
  ./update 1500
  2⤵
  PID:1617
- /bin/cat
  cat vuln.txt
  2⤵
  PID:1618
- /bin/rm
  rm -rf /root/.bash_history
  2⤵
  PID:1620
- /usr/bin/touch
  touch /root/.bash_history
  2⤵
  PID:1621
- /bin/ls
  ls /var/log/
  2⤵
  - Reads runtime system information
  PID:1622
- /bin/rm
  rm -rf /var/log/alternatives.log
  2⤵
  - Deletes log files
  PID:1623
- /usr/bin/touch
  touch /var/log/alternatives.log
  2⤵
  PID:1624
- /bin/rm
  rm -rf /var/log/apt
  2⤵
  - Deletes log files
  PID:1625
- /usr/bin/touch
  touch /var/log/apt
  2⤵
  PID:1626
- /bin/rm
  rm -rf /var/log/audit
  2⤵
  - Deletes log files
  PID:1627
- /usr/bin/touch
  touch /var/log/audit
  2⤵
  PID:1628
- /bin/rm
  rm -rf /var/log/auth.log
  2⤵
  - Deletes log files
  PID:1629
- /usr/bin/touch
  touch /var/log/auth.log
  2⤵
  PID:1630
- /bin/rm
  rm -rf /var/log/btmp
  2⤵
  - Deletes log files
  PID:1631
- /usr/bin/touch
  touch /var/log/btmp
  2⤵
  PID:1632
- /bin/rm
  rm -rf /var/log/cups
  2⤵
  - Deletes log files
  PID:1633
- /usr/bin/touch
  touch /var/log/cups
  2⤵
  PID:1634
- /bin/rm
  rm -rf /var/log/dist-upgrade
  2⤵
  - Deletes log files
  PID:1635
- /usr/bin/touch
  touch /var/log/dist-upgrade
  2⤵
  PID:1636
- /bin/rm
  rm -rf /var/log/dpkg.log
  2⤵
  - Deletes log files
  PID:1637
- /usr/bin/touch
  touch /var/log/dpkg.log
  2⤵
  PID:1638
- /bin/rm
  rm -rf /var/log/faillog
  2⤵
  - Deletes log files
  PID:1639
- /usr/bin/touch
  touch /var/log/faillog
  2⤵
  PID:1640
- /bin/rm
  rm -rf /var/log/fontconfig.log
  2⤵
  - Deletes log files
  PID:1641
- /usr/bin/touch
  touch /var/log/fontconfig.log
  2⤵
  PID:1642
- /bin/rm
  rm -rf /var/log/gdm3
  2⤵
  - Deletes log files
  PID:1643
- /usr/bin/touch
  touch /var/log/gdm3
  2⤵
  PID:1644
- /bin/rm
  rm -rf /var/log/gpu-manager.log
  2⤵
  - Deletes log files
  PID:1645
- /usr/bin/touch
  touch /var/log/gpu-manager.log
  2⤵
  PID:1646
- /bin/rm
  rm -rf /var/log/hp
  2⤵
  - Deletes log files
  PID:1647
- /usr/bin/touch
  touch /var/log/hp
  2⤵
  PID:1648
- /bin/rm
  rm -rf /var/log/installer
  2⤵
  - Deletes log files
  PID:1649
- /usr/bin/touch
  touch /var/log/installer
  2⤵
  PID:1650
- /bin/rm
  rm -rf /var/log/journal
  2⤵
  - Deletes log files
  PID:1651
- /usr/bin/touch
  touch /var/log/journal
  2⤵
  PID:1652
- /bin/rm
  rm -rf /var/log/kern.log
  2⤵
  - Deletes log files
  PID:1653
- /usr/bin/touch
  touch /var/log/kern.log
  2⤵
  PID:1654
- /bin/rm
  rm -rf /var/log/lastlog
  2⤵
  - Deletes log files
  PID:1655
- /usr/bin/touch
  touch /var/log/lastlog
  2⤵
  PID:1656
- /bin/rm
  rm -rf /var/log/speech-dispatcher
  2⤵
  - Deletes log files
  PID:1657
- /usr/bin/touch
  touch /var/log/speech-dispatcher
  2⤵
  PID:1658
- /bin/rm
  rm -rf /var/log/syslog
  2⤵
  - Deletes system logs
  PID:1659
- /usr/bin/touch
  touch /var/log/syslog
  2⤵
  PID:1660
- /bin/rm
  rm -rf /var/log/tallylog
  2⤵
  - Deletes log files
  PID:1661
- /usr/bin/touch
  touch /var/log/tallylog
  2⤵
  PID:1662
- /bin/rm
  rm -rf /var/log/ubuntu-advantage.log
  2⤵
  - Deletes log files
  PID:1663
- /usr/bin/touch
  touch /var/log/ubuntu-advantage.log
  2⤵
  PID:1664
- /bin/rm
  rm -rf /var/log/unattended-upgrades
  2⤵
  - Deletes log files
  PID:1665
- /usr/bin/touch
  touch /var/log/unattended-upgrades
  2⤵
  PID:1666
- /bin/rm
  rm -rf /var/log/wtmp
  2⤵
  - Deletes log files
  PID:1667
- /usr/bin/touch
  touch /var/log/wtmp
  2⤵
  PID:1668
- /bin/rm
  rm -rf /var/log/Xorg.0.log
  2⤵
  - Deletes log files
  PID:1669
- /usr/bin/touch
  touch /var/log/Xorg.0.log
  2⤵
  PID:1670
- /bin/rm
  rm -rf /var/log/Xorg.0.log.old
  2⤵
  - Deletes log files
  PID:1671
- /usr/bin/touch
  touch /var/log/Xorg.0.log.old
  2⤵
  PID:1672
- /bin/sleep
  sleep 5
  2⤵
  PID:1673
- /tmp/scan/clean
  ./clean
  2⤵
  PID:1674

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads