fcf1ececf113caca86107497ac83fbd9827855f628f124024f615afa02d0da31 | Triage

Analysis

max time kernel
4s
platform
debian-9_armhf
resource
debian9-armhf-20231215-en
resource tags

arch:armhfimage:debian9-armhf-20231215-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
22/12/2023, 13:14

Sharing

Report Analysis Logs

General

Target

.x/autorun
Size

317B
MD5

9729c037cb0a32811ba3eb15e3c8a789
SHA1

6e67d4929c0b87dd05afe1b3f5f0aed2852885c4
SHA256

5f03b45dc87f35120fd01f18150d2c3c807c9dc22d9433208d1bd14d5d581260
SHA512

ed9131f48df4f3f6503b38f064ef07c7d9a235280ecf03a0a2852f268b98e42b8b445931536bd4a4a4344fefb8a05594dae094e7e7795c9690ab5ca568b1ff8c

Score

6^/10

persistence

Malware Config

Signatures

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

Scheduled Task/Job

description	ioc	Process
File opened for modification	/var/spool/cron/crontabs/tmp.OugQif	crontab

Reads runtime system information 2 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/filesystems	crontab
File opened for reading	/proc/filesystems	crontab

Writes file to tmp directory 3 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/.x/update	autorun
File opened for modification	/tmp/.x/mech.dir	autorun
File opened for modification	/tmp/.x/cron.d	autorun

/tmp/.x/autorun
/tmp/.x/autorun
1⤵
- Writes file to tmp directory
PID:658
- /bin/cat
  cat mech.dir
  2⤵
  PID:659
- /usr/bin/crontab
  crontab cron.d
  2⤵
  - Creates/modifies Cron job
  - Reads runtime system information
  PID:661
- /usr/bin/crontab
  crontab -l
  2⤵
  - Reads runtime system information
  PID:668
- /bin/grep
  grep update
  2⤵
  PID:669
- /bin/chmod
  chmod u+x update
  2⤵
  PID:670

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/.x/mech.dir

Filesize
8B

MD5
2c625c530af099178ebf25db3d496e85

SHA1
49563d434be5b2dfed1c9a1057f541846d3b3377

SHA256
e9d5c9174e95a00160537bb8bb8dd0aa6f437cafe50d6c36890c4e2c8fbab521

SHA512
d5bb977a4a7bd4102adadbcc409677af4b4fb090e91e1d67b354921dca2b1c64257405af97f04d16988be2520b78f8405e4b78f49eebbd067e3d1de40142755b

Download Submit
/tmp/.x/update

Filesize
151B

MD5
1b1f896da06b075365ee36698edebfdf

SHA1
dfea6699a342b9eed33d46d4613511bcd862c862

SHA256
19eb8ba65188a4eddb7eb6682a1c4440aa8060a745088dce57c23d3af8be242a

SHA512
b18c72da1016fb4149288e5329509f47bc58026b3ff4076f6cb68da3e5e6f7e92bdba1a6c7f1a596b04ef9534f09b5adc89c78c3d7ce6b00e291c742e5403b89

Download Submit
/var/spool/cron/crontabs/tmp.OugQif

Filesize
221B

MD5
4a0b35d1a8bcb60f0c34665b48e27145

SHA1
3512238b83f351b2516d0d99ad9c8c690003cd91

SHA256
57db6b9a8ce48275cbdf85c5328489f1bbdfa19dda236148b0f960e3b265f38d

SHA512
82d124c6315c1ae87a47839ba02a68a9bd4cf5cedd8beb23f9223281017d6664e6ca25c8410d20b599471b6618732055a0b6a9eb066d003699964352937ab4d2

Download Submit