Overview

overview

6

Static

static

1

.x/autorun

ubuntu-18.04-amd64

6

.x/autorun

debian-9-armhf

6

.x/autorun

debian-9-mips

1

.x/autorun

debian-9-mipsel

6

.x/crond

ubuntu-18.04-amd64

.x/inst

ubuntu-18.04-amd64

3

.x/inst

debian-9-armhf

3

.x/inst

debian-9-mips

3

.x/inst

debian-9-mipsel

1

.x/m.vbs

windows7-x64

1

.x/m.vbs

windows10-2004-x64

1

.x/run

ubuntu-18.04-amd64

1

.x/run

debian-9-armhf

1

.x/run

debian-9-mips

1

.x/run

debian-9-mipsel

1

.x/start

ubuntu-18.04-amd64

1

.x/start

debian-9-armhf

1

.x/start

debian-9-mips

1

.x/start

debian-9-mipsel

1

Analysis

  • max time kernel
    2s
  • max time network
    128s
  • platform
    ubuntu-18.04_amd64
  • resource
    ubuntu1804-amd64-20231222-en
  • resource tags

    arch:amd64arch:i386image:ubuntu1804-amd64-20231222-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
  • submitted
    22/12/2023, 13:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    .x/autorun

  • Size

    317B

  • MD5

    9729c037cb0a32811ba3eb15e3c8a789

  • SHA1

    6e67d4929c0b87dd05afe1b3f5f0aed2852885c4

  • SHA256

    5f03b45dc87f35120fd01f18150d2c3c807c9dc22d9433208d1bd14d5d581260

  • SHA512

    ed9131f48df4f3f6503b38f064ef07c7d9a235280ecf03a0a2852f268b98e42b8b445931536bd4a4a4344fefb8a05594dae094e7e7795c9690ab5ca568b1ff8c

Score
6/10
persistence

Malware Config

Signatures

  • Creates/modifies Cron job 1 TTPs 1 IoCs

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

    persistence
  • Writes file to tmp directory 3 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/.x/autorun
    /tmp/.x/autorun
    1⤵
    • Writes file to tmp directory
    PID:1606
    • /bin/cat
      cat mech.dir
      2⤵
        PID:1607
      • /usr/bin/crontab
        crontab cron.d
        2⤵
        • Creates/modifies Cron job
        PID:1608
      • /bin/grep
        grep update
        2⤵
          PID:1610
        • /usr/bin/crontab
          crontab -l
          2⤵
            PID:1609
          • /bin/chmod
            chmod u+x update
            2⤵
              PID:1611

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • /tmp/.x/mech.dir
            Filesize

            8B

            MD5

            2c625c530af099178ebf25db3d496e85

            SHA1

            49563d434be5b2dfed1c9a1057f541846d3b3377

            SHA256

            e9d5c9174e95a00160537bb8bb8dd0aa6f437cafe50d6c36890c4e2c8fbab521

            SHA512

            d5bb977a4a7bd4102adadbcc409677af4b4fb090e91e1d67b354921dca2b1c64257405af97f04d16988be2520b78f8405e4b78f49eebbd067e3d1de40142755b

            Download Submit

          • /tmp/.x/update
            Filesize

            151B

            MD5

            1b1f896da06b075365ee36698edebfdf

            SHA1

            dfea6699a342b9eed33d46d4613511bcd862c862

            SHA256

            19eb8ba65188a4eddb7eb6682a1c4440aa8060a745088dce57c23d3af8be242a

            SHA512

            b18c72da1016fb4149288e5329509f47bc58026b3ff4076f6cb68da3e5e6f7e92bdba1a6c7f1a596b04ef9534f09b5adc89c78c3d7ce6b00e291c742e5403b89

            Download Submit

          • /var/spool/cron/crontabs/tmp.qIzgO9
            Filesize

            221B

            MD5

            6ffd857a40658d0d8ddc3fcb6487015b

            SHA1

            9dda4be3968ba8f7fe5815e48e866f4f4ce6b499

            SHA256

            a154938d6fb7f94315a4f6cd9a37cdef43123642c449e6ce72d55e8946fcad97

            SHA512

            d172f9b0d4327c38654a9ffbd934e08a6a0074b56c7cfa4d2be7157cb2cd1d11f835bf9e35dfa36a0ce09a8fdc53ca0eada99905a836d76ab594fb041c6d3a55

            Download Submit