Analysis

  • max time kernel
    4s
  • platform
    debian-9_armhf
  • resource
    debian9-armhf-20231215-en
  • resource tags
    arch:armhf
    image:debian9-armhf-20231215-en
    kernel:4.9.0-13-armmp-lpae
    locale:en-us
    os:debian-9-armhf
    system
  • submitted
    22/12/2023, 13:14

General

  • Target

    .x/autorun

  • Size

    317B

  • MD5

    9729c037cb0a32811ba3eb15e3c8a789

  • SHA1

    6e67d4929c0b87dd05afe1b3f5f0aed2852885c4

  • SHA256

    5f03b45dc87f35120fd01f18150d2c3c807c9dc22d9433208d1bd14d5d581260

  • SHA512

    ed9131f48df4f3f6503b38f064ef07c7d9a235280ecf03a0a2852f268b98e42b8b445931536bd4a4a4344fefb8a05594dae094e7e7795c9690ab5ca568b1ff8c

Score
6/10

Malware Config

Signatures

  • Creates/modifies Cron job 1 TTPs 1 IoCs

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

  • Reads runtime system information 2 IoCs

    Reads data from /proc virtual filesystem.

  • Writes file to tmp directory 3 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/.x/autorun
    /tmp/.x/autorun
    PID:658
    • Writes file to tmp directory
    • /bin/cat
      cat mech.dir
      PID:659
    • /usr/bin/crontab
      crontab cron.d
      PID:661
      • Creates/modifies Cron job
      • Reads runtime system information
    • /usr/bin/crontab
      crontab -l
      PID:668
      • Reads runtime system information
    • /bin/grep
      grep update
      PID:669
    • /bin/chmod
      chmod u+x update
      PID:670

Network

MITRE ATT&CK Enterprise v15

Downloads

  • /tmp/.x/mech.dir
    Filesize
    8B
    MD5
    2c625c530af099178ebf25db3d496e85
    SHA1
    49563d434be5b2dfed1c9a1057f541846d3b3377
    SHA256
    e9d5c9174e95a00160537bb8bb8dd0aa6f437cafe50d6c36890c4e2c8fbab521
    SHA512
    d5bb977a4a7bd4102adadbcc409677af4b4fb090e91e1d67b354921dca2b1c64257405af97f04d16988be2520b78f8405e4b78f49eebbd067e3d1de40142755b

  • /tmp/.x/update
    Filesize
    151B
    MD5
    1b1f896da06b075365ee36698edebfdf
    SHA1
    dfea6699a342b9eed33d46d4613511bcd862c862
    SHA256
    19eb8ba65188a4eddb7eb6682a1c4440aa8060a745088dce57c23d3af8be242a
    SHA512
    b18c72da1016fb4149288e5329509f47bc58026b3ff4076f6cb68da3e5e6f7e92bdba1a6c7f1a596b04ef9534f09b5adc89c78c3d7ce6b00e291c742e5403b89

  • /var/spool/cron/crontabs/tmp.OugQif
    Filesize
    221B
    MD5
    4a0b35d1a8bcb60f0c34665b48e27145
    SHA1
    3512238b83f351b2516d0d99ad9c8c690003cd91
    SHA256
    57db6b9a8ce48275cbdf85c5328489f1bbdfa19dda236148b0f960e3b265f38d
    SHA512
    82d124c6315c1ae87a47839ba02a68a9bd4cf5cedd8beb23f9223281017d6664e6ca25c8410d20b599471b6618732055a0b6a9eb066d003699964352937ab4d2