aeee95ee29c0431fe98eb5be3d5b7b492c0a0da480bd49c6e4b99666f15ed868 | Triage

Analysis

max time kernel
147s
max time network
159s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20231215-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20231215-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
22-12-2023 13:47

Sharing

Report Analysis Logs

General

Target

sc/L
Size

408B
MD5

87e05775a0ba9e28644526d429a8f547
SHA1

a79c99810bdedcf7651b1a771939714c17b0acc8
SHA256

449381e564580872be339f52fe64b8cab3b7c36a8c2059bba8da0e14071e5a60
SHA512

d4676cab0f31e26a195d64fd9be769e8b768252bdeef4a8e2ae2d877c52ab95a67ca56ae638e9833e8128e3c7394c01c407eaf70893a191c5e718adf4f68038f

Score

6^/10

persistence

Malware Config

Signatures

Creates/modifies Cron job 1 TTPs 16 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

Scheduled Task/Job

description	ioc	Process
File opened for modification	/var/spool/cron/atjobs/.SEQ	at
File opened for modification	/var/spool/cron/atjobs/a0000401b1291a	at
File opened for modification	/var/spool/cron/atjobs/.SEQ	at
File opened for modification	/var/spool/cron/atjobs/.SEQ	at
File opened for modification	/var/spool/cron/atjobs/.SEQ	at
File opened for modification	/var/spool/cron/atjobs/a0000101b12919	at
File opened for modification	/var/spool/cron/atjobs/a0000301b1291a	at
File opened for modification	/var/spool/cron/atjobs/a0000601b1291b	at
File opened for modification	/var/spool/cron/atjobs/.SEQ	at
File opened for modification	/var/spool/cron/atjobs/a0000501b1291a	at
File opened for modification	/var/spool/cron/atjobs/.SEQ	at
File opened for modification	/var/spool/cron/atjobs/a0000701b1291b	at
File opened for modification	/var/spool/cron/atjobs/a0000801b1291b	at
File opened for modification	/var/spool/cron/atjobs/.SEQ	at
File opened for modification	/var/spool/cron/atjobs/.SEQ	at
File opened for modification	/var/spool/cron/atjobs/a0000201b12919	at

Schedules an At job 1 TTPs 8 IoCs

Schedules a job to be run using the at command.

Scheduled Task/Job

pid	Process
1570	at
1576	at
1582	at
1588	at
1594	at
1600	at
1553	at
1562	at

Reads runtime system information 8 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/self/loginuid	at
File opened for reading	/proc/self/loginuid	at
File opened for reading	/proc/self/loginuid	at
File opened for reading	/proc/self/loginuid	at
File opened for reading	/proc/self/loginuid	at
File opened for reading	/proc/self/loginuid	at
File opened for reading	/proc/self/loginuid	at
File opened for reading	/proc/self/loginuid	at

/tmp/sc/L
/tmp/sc/L
1⤵
PID:1549
- /bin/cat
  cat c
  2⤵
  PID:1550
- /usr/bin/perl
  perl x.pl 217.199.121.210
  2⤵
  PID:1551
- /usr/bin/at
  at now
  2⤵
  - Creates/modifies Cron job
  - Schedules an At job
  - Reads runtime system information
  PID:1553
- /usr/bin/perl
  perl x.pl 217.199.121.221
  2⤵
  PID:1560
- /usr/bin/at
  at now
  2⤵
  - Creates/modifies Cron job
  - Schedules an At job
  - Reads runtime system information
  PID:1562
- /usr/bin/perl
  perl x.pl 217.199.184.21
  2⤵
  PID:1568
- /usr/bin/at
  at now
  2⤵
  - Creates/modifies Cron job
  - Schedules an At job
  - Reads runtime system information
  PID:1570
- /usr/bin/perl
  perl x.pl 217.199.19.172
  2⤵
  PID:1574
- /usr/bin/at
  at now
  2⤵
  - Creates/modifies Cron job
  - Schedules an At job
  - Reads runtime system information
  PID:1576
- /usr/bin/perl
  perl x.pl 217.199.194.100
  2⤵
  PID:1580
- /usr/bin/at
  at now
  2⤵
  - Creates/modifies Cron job
  - Schedules an At job
  - Reads runtime system information
  PID:1582
- /usr/bin/perl
  perl x.pl 217.199.194.50
  2⤵
  PID:1586
- /usr/bin/at
  at now
  2⤵
  - Creates/modifies Cron job
  - Schedules an At job
  - Reads runtime system information
  PID:1588
- /usr/bin/perl
  perl x.pl 217.199.194.66
  2⤵
  PID:1592
- /usr/bin/at
  at now
  2⤵
  - Creates/modifies Cron job
  - Schedules an At job
  - Reads runtime system information
  PID:1594
- /usr/bin/perl
  perl x.pl 217.199.194.70
  2⤵
  PID:1598
- /usr/bin/at
  at now
  2⤵
  - Creates/modifies Cron job
  - Schedules an At job
  - Reads runtime system information
  PID:1600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/var/spool/cron/atjobs/a0000101b12919

Filesize
427B

MD5
a4dd9496cd8ef0b67d15b096fab70b8f

SHA1
e827e633f288afeba757bec5731924b21d7878c7

SHA256
6cd43415acc631cb6ab88ae671eb60b15392a38db9e0d9d3aa4a94584c96baf7

SHA512
024881f673d084a199447b01f7c937040162ed4eab07a0bcd4b8190b26217c0982a0fa035b5f67ccf8b25d25a181dbfaba2c4191a9e3e21293be980082639e09

Download Submit
/var/spool/cron/atjobs/a0000201b12919

Filesize
427B

MD5
8cfc19d73645b2960f81507d9f3ab292

SHA1
bc6ff58d56610a342ee7c3198739e7a5d75c53b2

SHA256
47b70d3de3e14a74c83a4e63b975699116aa5f8d407944838a5828203d9d9285

SHA512
8d826064860a435a35947498782c2ace94f79780a00cff1c5f67820d0e23cf207b0a8a1b0b824787be813bb781fe072723975a3082f0ace5092f0e01dc1ca430

Download Submit
/var/spool/cron/atjobs/a0000301b1291a

Filesize
427B

MD5
86d74adad52a4385ceaf6885ee3e61fb

SHA1
e91c54b162df895828d1b11bb04bef6a141833e5

SHA256
2a61e333820ffaf1444cf70e2926f614897d9240d9b7fec819caf86ecd363f80

SHA512
3cecb63ca34caa6a1031bddbf7c9d3f20558608b21043c681d1c783db7d0151835eb93ebae9a2357c283d3359beb75df31effa66a0334346e114c657c9d16814

Download Submit
/var/spool/cron/atjobs/a0000401b1291a

Filesize
427B

MD5
f6a77a0d9aec957ed0910123aa50def5

SHA1
82fd17554b2b2f3f9728728ef918d08019b6c73b

SHA256
508002bb3825fe1790b9e02458961e101575e50da41c08aab4a4c22b542ab81f

SHA512
81d975e3b97c3d129947996f545077784d0ff7c1a4c7410f291fca1f1e654f7fa114e4938c03111390b20a7e30c031845b3741c6175de58d3a1f2d33e6982e17

Download Submit
/var/spool/cron/atjobs/a0000501b1291a

Filesize
427B

MD5
fa01b302da87d37efe67690bfc1d5542

SHA1
528470aed2fb52c198d9d0143c2afb835c9ac981

SHA256
3bd3fe55c05bd45d8eed313648e4d8aba43b7c792f04551f46a3ba743f4d8ca6

SHA512
b3f3da8a3efdc626a338a2ee044c4f4e12382375aa6d7cc73ba80fcad1f1e74e56fd719a1a8d004bfccb4b0072ef4a78521924f0d618c39e09a1ef66af4c3276

Download Submit
/var/spool/cron/atjobs/a0000601b1291b

Filesize
427B

MD5
b06f576411d8ff0d69a2033710e89531

SHA1
7d8f836daa236c45ef68e9453761b8feb9a85f5d

SHA256
18bd5b2fa2df417f150d7152efe1657fc29394ef2e0ad127b8537c776dac489b

SHA512
49c7c5c6cdba6e899bb703256d33a423d79d9a3e8ad69e74d8bdcf0b2d58637b3366325d635e9aaa7234efd3c426ba7d2e6e0491713c3c5e41df75395f2fdfff

Download Submit
/var/spool/cron/atjobs/a0000701b1291b

Filesize
427B

MD5
064b6ca160c7ad5c61da0a1133ed174d

SHA1
2058896c8b0a4901d26a14689f018b8ee8da41e0

SHA256
d4d4436d24ba8e843275765dbab076cd98c655e842672110ee8f90e737048b58

SHA512
c5b07a1e091fe57c0c8e5f619901041fb3ae828127edb17de009897279493771ad4450bac3f7625f5c6bfcc998e432b0af0c5ab4c3822fa77794acda25223d07

Download Submit
/var/spool/cron/atjobs/a0000801b1291b

Filesize
427B

MD5
92d721d6faebc90f7e18452f85b65086

SHA1
a988ba24d31b61679a685103dae0c0171d23176f

SHA256
598dd579a58db0c0f2a4da2d2e348bdb9151987578af408f2148d1c7b379eaed

SHA512
3d8c1a33a98f8ec8a4ee8ffb5c8ee40fa0e16f6402c2dcb0a41ecd03e19b6ed96b620db49712ec258342b7460524029717e8aaa074851494f05229d8bdd20819

Download Submit