Analysis

  • max time kernel
    4s
  • platform
    debian-9_mipsel
  • resource
    debian9-mipsel-20231215-en
  • resource tags

    arch:mipsel
    image:debian9-mipsel-20231215-en
    kernel:4.9.0-13-4kc-malta
    locale:en-us
    os:debian-9-mipsel
    system
  • submitted
    22/12/2023, 13:14

General

  • Target

    .x/autorun

  • Size

    317B

  • MD5

    9729c037cb0a32811ba3eb15e3c8a789

  • SHA1

    6e67d4929c0b87dd05afe1b3f5f0aed2852885c4

  • SHA256

    5f03b45dc87f35120fd01f18150d2c3c807c9dc22d9433208d1bd14d5d581260

  • SHA512

    ed9131f48df4f3f6503b38f064ef07c7d9a235280ecf03a0a2852f268b98e42b8b445931536bd4a4a4344fefb8a05594dae094e7e7795c9690ab5ca568b1ff8c

Score
6/10

Malware Config

Signatures

  • Creates/modifies Cron job 1 TTPs 1 IoCs

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

  • Reads runtime system information 2 IoCs

    Reads data from /proc virtual filesystem.

  • Writes file to tmp directory 3 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/.x/autorun
    /tmp/.x/autorun
    1⤵
    • Writes file to tmp directory
    PID:707
    • /bin/cat
      cat mech.dir
      2⤵
      PID:709
    • /usr/bin/crontab
      crontab cron.d
      2⤵
      • Creates/modifies Cron job
      • Reads runtime system information
      PID:711
    • /usr/bin/crontab
      crontab -l
      2⤵
      • Reads runtime system information
      PID:716
    • /bin/grep
      grep update
      2⤵
      PID:717
    • /bin/chmod
      chmod u+x update
      2⤵
      PID:719

Network

MITRE ATT&CK Enterprise v15


Downloads

  • /tmp/.x/mech.dir

    Filesize
    8B

    MD5
    2c625c530af099178ebf25db3d496e85

    SHA1
    49563d434be5b2dfed1c9a1057f541846d3b3377

    SHA256
    e9d5c9174e95a00160537bb8bb8dd0aa6f437cafe50d6c36890c4e2c8fbab521

    SHA512
    d5bb977a4a7bd4102adadbcc409677af4b4fb090e91e1d67b354921dca2b1c64257405af97f04d16988be2520b78f8405e4b78f49eebbd067e3d1de40142755b

  • /tmp/.x/update

    Filesize
    151B

    MD5
    1b1f896da06b075365ee36698edebfdf

    SHA1
    dfea6699a342b9eed33d46d4613511bcd862c862

    SHA256
    19eb8ba65188a4eddb7eb6682a1c4440aa8060a745088dce57c23d3af8be242a

    SHA512
    b18c72da1016fb4149288e5329509f47bc58026b3ff4076f6cb68da3e5e6f7e92bdba1a6c7f1a596b04ef9534f09b5adc89c78c3d7ce6b00e291c742e5403b89

  • /var/spool/cron/crontabs/tmp.9BENUL

    Filesize
    221B

    MD5
    6cb9d72a91f788bdf670c34b7e43ffb7

    SHA1
    5668878e82ab68cbf67d96698d2af87a71de67e1

    SHA256
    2b20de2ba21ae528b6ffe6e52428b9eb25417f73b3ffd4e8397a1b458014f6c5

    SHA512
    1194445cb003872ca25439428112ba8edbbcf8aba7f8ac9cd06c3ae8741e9af9343dfaa0c7b8e9d74269106a3ed05911a8d1e49fc5ee8cb349e026664484aae5