aeee95ee29c0431fe98eb5be3d5b7b492c0a0da480bd49c6e4b99666f15ed868 | Triage

Analysis

max time kernel
154s
max time network
154s
platform
debian-9_mipsel
resource
debian9-mipsel-20231215-en
resource tags

arch:mipselimage:debian9-mipsel-20231215-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem
submitted
22-12-2023 13:47

Sharing

Report Analysis Logs

General

Target

sc/L
Size

408B
MD5

87e05775a0ba9e28644526d429a8f547
SHA1

a79c99810bdedcf7651b1a771939714c17b0acc8
SHA256

449381e564580872be339f52fe64b8cab3b7c36a8c2059bba8da0e14071e5a60
SHA512

d4676cab0f31e26a195d64fd9be769e8b768252bdeef4a8e2ae2d877c52ab95a67ca56ae638e9833e8128e3c7394c01c407eaf70893a191c5e718adf4f68038f

Score

6^/10

persistence

Malware Config

Signatures

Creates/modifies Cron job 1 TTPs 16 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

Scheduled Task/Job

description	ioc	Process
File opened for modification	/var/spool/cron/atjobs/a0000501b1291b	at
File opened for modification	/var/spool/cron/atjobs/a0000601b1291b	at
File opened for modification	/var/spool/cron/atjobs/.SEQ	at
File opened for modification	/var/spool/cron/atjobs/.SEQ	at
File opened for modification	/var/spool/cron/atjobs/a0000701b1291b	at
File opened for modification	/var/spool/cron/atjobs/.SEQ	at
File opened for modification	/var/spool/cron/atjobs/a0000301b1291a	at
File opened for modification	/var/spool/cron/atjobs/.SEQ	at
File opened for modification	/var/spool/cron/atjobs/a0000801b1291c	at
File opened for modification	/var/spool/cron/atjobs/a0000101b12919	at
File opened for modification	/var/spool/cron/atjobs/a0000201b1291a	at
File opened for modification	/var/spool/cron/atjobs/a0000401b1291a	at
File opened for modification	/var/spool/cron/atjobs/.SEQ	at
File opened for modification	/var/spool/cron/atjobs/.SEQ	at
File opened for modification	/var/spool/cron/atjobs/.SEQ	at
File opened for modification	/var/spool/cron/atjobs/.SEQ	at

Schedules an At job 1 TTPs 8 IoCs

Schedules a job to be run using the at command.

Scheduled Task/Job

pid	Process
813	at
819	at
825	at
831	at
837	at
713	at
768	at
807	at

Reads runtime system information 8 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/self/loginuid	at
File opened for reading	/proc/self/loginuid	at
File opened for reading	/proc/self/loginuid	at
File opened for reading	/proc/self/loginuid	at
File opened for reading	/proc/self/loginuid	at
File opened for reading	/proc/self/loginuid	at
File opened for reading	/proc/self/loginuid	at
File opened for reading	/proc/self/loginuid	at

/tmp/sc/L
/tmp/sc/L
1⤵
PID:696
- /bin/cat
  cat c
  2⤵
  PID:707
- /usr/bin/perl
  perl x.pl 217.199.121.210
  2⤵
  PID:710
- /usr/bin/at
  at now
  2⤵
  - Creates/modifies Cron job
  - Schedules an At job
  - Reads runtime system information
  PID:713
- /usr/bin/perl
  perl x.pl 217.199.121.221
  2⤵
  PID:766
- /usr/bin/at
  at now
  2⤵
  - Creates/modifies Cron job
  - Schedules an At job
  - Reads runtime system information
  PID:768
- /usr/bin/perl
  perl x.pl 217.199.184.21
  2⤵
  PID:805
- /usr/bin/at
  at now
  2⤵
  - Creates/modifies Cron job
  - Schedules an At job
  - Reads runtime system information
  PID:807
- /usr/bin/perl
  perl x.pl 217.199.19.172
  2⤵
  PID:811
- /usr/bin/at
  at now
  2⤵
  - Creates/modifies Cron job
  - Schedules an At job
  - Reads runtime system information
  PID:813
- /usr/bin/perl
  perl x.pl 217.199.194.100
  2⤵
  PID:817
- /usr/bin/at
  at now
  2⤵
  - Creates/modifies Cron job
  - Schedules an At job
  - Reads runtime system information
  PID:819
- /usr/bin/perl
  perl x.pl 217.199.194.50
  2⤵
  PID:823
- /usr/bin/at
  at now
  2⤵
  - Creates/modifies Cron job
  - Schedules an At job
  - Reads runtime system information
  PID:825
- /usr/bin/perl
  perl x.pl 217.199.194.66
  2⤵
  PID:829
- /usr/bin/at
  at now
  2⤵
  - Creates/modifies Cron job
  - Schedules an At job
  - Reads runtime system information
  PID:831
- /usr/bin/perl
  perl x.pl 217.199.194.70
  2⤵
  PID:835
- /usr/bin/at
  at now
  2⤵
  - Creates/modifies Cron job
  - Schedules an At job
  - Reads runtime system information
  PID:837

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/var/spool/cron/atjobs/a0000101b12919

Filesize
410B

MD5
1f53c93e0886880f1681b657ea9c834b

SHA1
f49a82d8b4e591bd06d09fb3c0db1677560e8a95

SHA256
2a01045f5a37a3bc606dec61f4f75d045d047461729fdf331846e909f04d6d18

SHA512
1a0bd54b631bfca380dd36d66f9be5bd0a5d5549c5c90134c78ebfcc411a9fb28003caa2a433e6f6870fa73d890e3d09b8f7731814a20dbf999acc0c6c923f64

Download Submit
/var/spool/cron/atjobs/a0000201b1291a

Filesize
410B

MD5
840ea8cbe87cf1fa854334085f19a5bf

SHA1
7559310182bb715c8936efaedf537ad95f17618c

SHA256
9eb0ed4e0128193a18d436d0f16c7f4567ebc58a7ae6aec2d4c8ba8b0e3370e0

SHA512
42c1ae9f9dd3e9d731c60faac09eb325d8f3c219add5f654dacec8da86776a42f5ed895e5d617ff27393deeb7f6171fc079d3ba98d08ec1775173e4a4cfb6a18

Download Submit
/var/spool/cron/atjobs/a0000301b1291a

Filesize
410B

MD5
56fd0b01c0b6923a68c4bb8370de7645

SHA1
8ee0b6bdbd5d21b64e8cc2d194b33da73a258c68

SHA256
a5c512a223e7f660474a1db1654c9d0b64caca4eb8f3cf031ca772622d6a8d08

SHA512
914db1e05c78ee959c63f1f4f696806c4d2241c2a31971d3d72cce8dbece25280bfda8ff261cd756f5558d270253a23b93daf4690827701324def54266c8480d

Download Submit
/var/spool/cron/atjobs/a0000401b1291a

Filesize
410B

MD5
fa2900ba548139f8b34fe98627ecb868

SHA1
b87fbb83e9a21a4cc2aa4606357c760e8b00157d

SHA256
7a86494f556c022fcdb14a1ce5ea7b22f2d27a0882b5970ca785dcce5ef76680

SHA512
3d045efe6723de74dc74172c006cfb9a035ae36b75895a8ac0f5c4be71a807bf1e14f42b9ed6dd8c04a7e567a34c557245ed2da9ddaeb1b6675201c4970e0445

Download Submit
/var/spool/cron/atjobs/a0000501b1291b

Filesize
410B

MD5
fb238c78dd02b688a83f415c2f595663

SHA1
fc76e3119d733b5300d6bd72bdd887b02a0cc771

SHA256
17faf10d42e3fcec113aa7ac3fc72502ad0bc81493fbb5b4e32823bdd372bc92

SHA512
d14418eb39b6b6001fa6238652e20c2821ac781e689070e183b9c2fb6a83eafa8073d3702bc2458ff561c21656121f514b06ca6d02450552509d3db1f5af6b0f

Download Submit
/var/spool/cron/atjobs/a0000601b1291b

Filesize
410B

MD5
4877a31b914302f8b5093a34714ede8f

SHA1
4708ac0f322e8db565e1b160c9b6c5682671c96a

SHA256
ece8a1bbc067730226244aabc6b2539779fb83e74e783e1d2c8e07c0e5a6396b

SHA512
d15f01f17e05d85ba830f19203202acdb4ea7ac4d57245c9fce0efc25dd588dc8fd6f11daf6e82cfaf85dbe62d42ee9c4c416e19ca05058486a0af80a58bbeb4

Download Submit
/var/spool/cron/atjobs/a0000701b1291b

Filesize
410B

MD5
0131749649c5f506b9e3dd0b0e483d03

SHA1
d6a9b2ea4c22d593ac834c16d5d8dd8e336c1364

SHA256
8d794fe8806fc565397fca808a234dbb287f6ae62db379bd6779cf03cb40ac4c

SHA512
8bb4b840a018f8a2a92a529f53d4ab9af7ccdc0dcd3059163fa90dc0157fff8391f159d41390510da6898107957826e9a26f4c0c350cfaf26e6267ab01af3eb1

Download Submit
/var/spool/cron/atjobs/a0000801b1291c

Filesize
410B

MD5
a356d4b3ad8e4ca5ff9be25c1099c93e

SHA1
6fc5741e8f09be304a1e5586228c3778634b5c41

SHA256
210db6a219799868b5fd4e5b4f32ec6f59089a255db2daa7b17b6b3e008b1aa0

SHA512
a850291614c285ff08198e024697b63bb76376c3b05b579a122e5fedaa126f9b799fe6fd0cf38ac72bc4864157f6f2c78dcd0ba9c8fff17b037bd18723a716f1

Download Submit