b74d2ca342d1074debeb06a469c13b9927fe0fefd073d947f47ba3f30fe771a9

Analysis

max time kernel
4s
max time network
131s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20231215-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20231215-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
22/12/2023, 13:13

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

9c0fd9e804e88ae5b600a4b3132bad07
Size

526B
MD5

9c0fd9e804e88ae5b600a4b3132bad07
SHA1

bc8c1a259bde96676bf4b8404b1ee26793d384c5
SHA256

b74d2ca342d1074debeb06a469c13b9927fe0fefd073d947f47ba3f30fe771a9
SHA512

3bed322f341209b9050bbd1e1ddd24a0a173393f8aef629735083597ba2d703b6ba79d1c6afcf4f05e5e6d0e05308f002c590f53856ec32e03f18546b5456947

Score

6^/10

persistence

Malware Config

Signatures

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

persistence

Scheduled Task/Job

T1053

description	ioc	Process
File opened for modification	/var/spool/cron/crontabs/tmp.HkhtMn	crontab

Reads runtime system information 1 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/filesystems	sed

Writes file to tmp directory 3 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/cron.inst	9c0fd9e804e88ae5b600a4b3132bad07
File opened for modification	/tmp/sh-thd.afzmXf	Process not Found
File opened for modification	/tmp/sh-thd.ulghHm	Process not Found

/tmp/9c0fd9e804e88ae5b600a4b3132bad07
/tmp/9c0fd9e804e88ae5b600a4b3132bad07
1⤵
- Writes file to tmp directory
PID:1551
- /usr/sbin/scutil
  /usr/sbin/scutil
  2⤵
  PID:1557
- /usr/bin/crontab
  crontab cron.inst
  2⤵
  - Creates/modifies Cron job
  PID:1561
- /bin/rm
  rm -rf cron.inst
  2⤵
  PID:1562

/usr/sbin/scutil
/usr/sbin/scutil
1⤵
PID:1554

/bin/grep
grep PrimaryService
1⤵
PID:1555

/bin/sed
sed -e "s/.*PrimaryService : //"
1⤵
- Reads runtime system information
PID:1556

/usr/bin/crontab
crontab -l
1⤵
PID:1559

/bin/grep
grep plugins.settings
1⤵
PID:1560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/cron.inst

Filesize
71B

MD5
e5bf9c8d04cd7ce85a91726debbcea96

SHA1
d74007f9ee7e93d45c738bdb3bc568dabeac3817

SHA256
06884f0663bcc79a59723e5ee50e80e47690cc4090fe2eeaef294e2663f64d95

SHA512
db142adc4ec09b98502248199ebafe8c3dcb27b35fc76a2bfb9095c29b786976bb8f0898d539d8323417addb6e3c0be3e34554a6b6f359355d96ee60b4e158e5

Download Submit
/tmp/sh-thd.afzmXf

Filesize
48B

MD5
255facc04dabf4107c89d61c7fe548bc

SHA1
757341d55c96ea8b2e2d075e935a7bfb80aaa954

SHA256
98324a6273c689a794d457ceada1908de3eef68c46166534506260a09f05da74

SHA512
963c8493e6baf1f442ef47a47fecd2b9ad69b0c2d22964b0f6e256a354d9ee453142e304087995a55616ea231672b2938d614f4d1ad39eb7d63d11995fa32f59

Download Submit
/var/spool/cron/crontabs/tmp.HkhtMn

Filesize
254B

MD5
b3a58c0d3ecbcd6ea1b91f0575a1a490

SHA1
80d1ef931314b7e8f42ac65ac3e1ccd5b1e99e78

SHA256
7bd1f4953a1206c20345524a839c0306f455531c40b85981d07bb495e180fd93

SHA512
c28a839c65d8c39801c47855f30b968c85208f5783a9dd219037792f439c027944e624972f13c7e09a081323005926ad36022af557995d1149e0a32a20965852

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads