d7361457b9a5090057132219b1212d6fdee117069039df7baf757ba5b5d52d99 | Triage

Analysis

max time kernel
5s
max time network
131s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20231215-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20231215-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
22/12/2023, 10:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

.new/auto
Size

321B
MD5

ca67eae5a1d96c9c3360081112ed3f3d
SHA1

7b1972c14b16bcb7894cf253a0a6f35d20955050
SHA256

f1f2050b111aaf87fc959de7e42bb4a128324a3b49e1725bb46ff1de3741287d
SHA512

2a71f12606fa889254af881389e3b6c8a908a0f8494881da23f13b3fabb984c783c06011eddd5a615f3f89f57a5ded545edf069bbfbf2b1b728c74137820616b

Score

6^/10

persistence

Malware Config

Signatures

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

Scheduled Task/Job

description	ioc	Process
File opened for modification	/var/spool/cron/crontabs/tmp.2DVbAV	crontab

Writes file to tmp directory 3 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/.new/update	auto
File opened for modification	/tmp/.new/egg.dir	auto
File opened for modification	/tmp/.new/cron.d	auto

/tmp/.new/auto
/tmp/.new/auto
1⤵
- Writes file to tmp directory
PID:1579
- /bin/cat
  cat egg.dir
  2⤵
  PID:1580
- /usr/bin/crontab
  crontab cron.d
  2⤵
  - Creates/modifies Cron job
  PID:1581
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1582
- /bin/grep
  grep update
  2⤵
  PID:1583
- /bin/chmod
  chmod u+x update
  2⤵
  PID:1584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/.new/cron.d

Filesize
43B

MD5
3b2f719a9d771d62c517883965eb90d6

SHA1
00e509807df00bcc3772bf0a3a9e98c14a118880

SHA256
05b5195cfef76afa953096d430835832bcd0aebe0ae5ed4be68b82fb8f298f03

SHA512
12675e9be8f2dcf95c9ace59372c4c513184d705c1c00c8000562e30a7106212f02a8556536eea8974262fd11e66703c86bf6c089a9ba0a1ca76e0c745f2eca2

Download Submit
/tmp/.new/update

Filesize
163B

MD5
e5f31a377fe4ae80ba76906bde403613

SHA1
87c56b4be18a51a810f952055da4611efff125bb

SHA256
2765ce8bfbee5f423933e028df5e3a38f1c0f15ff2fdba15368ccd3d93be3719

SHA512
cd9e8f25f075b37d29df89e93d877c8e4bece84fe1b85abeb6fb1f1652a879617676bb15d22448fe3801331db82e930a00d83fd995ceea00322e1d300aa4cc9f

Download Submit
/var/spool/cron/crontabs/tmp.2DVbAV

Filesize
223B

MD5
9e7eb17c4149f339ed4c927c9f44fe03

SHA1
39e54fdae2459a15ba776a585c5c2b74bc85f2e7

SHA256
a577c6d860cbda6e663857a76a310247e7a4568c9cb4ceec620859b95e615589

SHA512
5d31d33e566d269bc86d6b6f97abad4ff13153310828bfafaa9adaf4737dc26581d3bb4460b363e24c80115365f43343aec060ba7660a9812c7646f9ec7a654f

Download Submit