mrblack | 61bc77c9b7589a6987dae9bae6b194136f0bba1a1dad8fdc67de7038b572a493

description	ioc	Process
File opened for modification	/usr/bin/bsd-port/udevd.lock	Process not Found
File opened for modification	/usr/bin/bsd-port/getty	cp
File opened for modification	/usr/bin/dpkgd/lsof	cp
File opened for modification	/usr/bin/lsof	cp
File opened for modification	/usr/bin/bsd-port/conf.n	Process not Found
File opened for modification	/usr/bin/bsd-port/getty.lock	Process not Found
File opened for modification	/usr/bin/.sshd	cp
File opened for modification	/usr/bin/dpkgd/ps	cp
File opened for modification	/usr/bin/dpkgd/ss	cp

Writes file to system bin folder 1 TTPs 2 IoCs

Hijack Execution Flow

description	ioc	Process
File opened for modification	/bin/ps	cp
File opened for modification	/bin/ss	cp

Reads system network configuration 1 TTPs 3 IoCs

Uses contents of /proc filesystem to enumerate network settings.

System Network Configuration Discovery

T1016

description	ioc
File opened for reading	/proc/net/route
File opened for reading	/proc/net/arp
File opened for reading	/proc/net/dev

Reads runtime system information 23 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/cmdline	insmod
File opened for reading	/proc/cmdline	insmod
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/stat	Process not Found
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/meminfo	Process not Found

Writes file to tmp directory 5 IoCs

Malware often drops required files in the /tmp directory.

description	ioc
File opened for modification	/tmp/bill.lock
File opened for modification	/tmp/gates.lod
File opened for modification	/tmp/notify.file
File opened for modification	/tmp/conf.n
File opened for modification	/tmp/moni.lod

/tmp/a538c26af968f61af3479445e495a294
/tmp/a538c26af968f61af3479445e495a294
1⤵
PID:1541

/bin/sh
sh -c "ln -s /etc/init.d/DbSecuritySpt /etc/rc1.d/S97DbSecuritySpt"
1⤵
PID:1556
- /bin/ln
  ln -s /etc/init.d/DbSecuritySpt /etc/rc1.d/S97DbSecuritySpt
  2⤵
  PID:1557

/bin/sh
sh -c "ln -s /etc/init.d/DbSecuritySpt /etc/rc2.d/S97DbSecuritySpt"
1⤵
PID:1558
- /bin/ln
  ln -s /etc/init.d/DbSecuritySpt /etc/rc2.d/S97DbSecuritySpt
  2⤵
  PID:1559

/bin/sh
sh -c "ln -s /etc/init.d/DbSecuritySpt /etc/rc3.d/S97DbSecuritySpt"
1⤵
PID:1560
- /bin/ln
  ln -s /etc/init.d/DbSecuritySpt /etc/rc3.d/S97DbSecuritySpt
  2⤵
  PID:1561

/bin/sh
sh -c "ln -s /etc/init.d/DbSecuritySpt /etc/rc4.d/S97DbSecuritySpt"
1⤵
PID:1562
- /bin/ln
  ln -s /etc/init.d/DbSecuritySpt /etc/rc4.d/S97DbSecuritySpt
  2⤵
  PID:1563

/bin/sh
sh -c "ln -s /etc/init.d/DbSecuritySpt /etc/rc5.d/S97DbSecuritySpt"
1⤵
PID:1564
- /bin/ln
  ln -s /etc/init.d/DbSecuritySpt /etc/rc5.d/S97DbSecuritySpt
  2⤵
  PID:1565

/bin/sh
sh -c "mkdir -p /usr/bin/bsd-port"
1⤵
PID:1566
- /bin/mkdir
  mkdir -p /usr/bin/bsd-port
  2⤵
  - Reads runtime system information
  PID:1567

/bin/sh
sh -c "mkdir -p /usr/bin/bsd-port"
1⤵
PID:1568
- /bin/mkdir
  mkdir -p /usr/bin/bsd-port
  2⤵
  - Reads runtime system information
  PID:1569

/bin/sh
sh -c "cp -f /tmp/a538c26af968f61af3479445e495a294 /usr/bin/bsd-port/getty"
1⤵
PID:1570
- /bin/cp
  cp -f /tmp/a538c26af968f61af3479445e495a294 /usr/bin/bsd-port/getty
  2⤵
  - Write file to user bin folder
  - Reads runtime system information
  PID:1571

/bin/sh
sh -c /usr/bin/bsd-port/getty
1⤵
PID:1573
- /usr/bin/bsd-port/getty
  /usr/bin/bsd-port/getty
  2⤵
  - Executes dropped EXE
  PID:1574

/bin/sh
sh -c "mkdir -p /usr/bin"
1⤵
PID:1576
- /bin/mkdir
  mkdir -p /usr/bin
  2⤵
  - Reads runtime system information
  PID:1577

/bin/sh
sh -c "mkdir -p /usr/bin"
1⤵
PID:1578
- /bin/mkdir
  mkdir -p /usr/bin
  2⤵
  - Reads runtime system information
  PID:1579

/bin/sh
sh -c "cp -f /tmp/a538c26af968f61af3479445e495a294 /usr/bin/.sshd"
1⤵
PID:1580
- /bin/cp
  cp -f /tmp/a538c26af968f61af3479445e495a294 /usr/bin/.sshd
  2⤵
  - Write file to user bin folder
  - Reads runtime system information
  PID:1581

/bin/sh
sh -c "ln -s /etc/init.d/selinux /etc/rc1.d/S99selinux"
1⤵
PID:1582
- /bin/ln
  ln -s /etc/init.d/selinux /etc/rc1.d/S99selinux
  2⤵
  PID:1583

/bin/sh
sh -c "ln -s /etc/init.d/selinux /etc/rc2.d/S99selinux"
1⤵
PID:1584
- /bin/ln
  ln -s /etc/init.d/selinux /etc/rc2.d/S99selinux
  2⤵
  PID:1585

/bin/sh
sh -c "ln -s /etc/init.d/selinux /etc/rc3.d/S99selinux"
1⤵
PID:1586
- /bin/ln
  ln -s /etc/init.d/selinux /etc/rc3.d/S99selinux
  2⤵
  PID:1587

/bin/sh
sh -c "ln -s /etc/init.d/selinux /etc/rc4.d/S99selinux"
1⤵
PID:1588
- /bin/ln
  ln -s /etc/init.d/selinux /etc/rc4.d/S99selinux
  2⤵
  PID:1589

/bin/sh
sh -c "ln -s /etc/init.d/selinux /etc/rc5.d/S99selinux"
1⤵
PID:1590
- /bin/ln
  ln -s /etc/init.d/selinux /etc/rc5.d/S99selinux
  2⤵
  PID:1591

/bin/sh
sh -c /usr/bin/.sshd
1⤵
PID:1593
- /usr/bin/.sshd
  /usr/bin/.sshd
  2⤵
  - Executes dropped EXE
  PID:1596

/bin/sh
sh -c "mkdir -p /usr/bin/dpkgd"
1⤵
PID:1594
- /bin/mkdir
  mkdir -p /usr/bin/dpkgd
  2⤵
  - Reads runtime system information
  PID:1595

/bin/sh
sh -c "cp -f /bin/ps /usr/bin/dpkgd/ps"
1⤵
PID:1597
- /bin/cp
  cp -f /bin/ps /usr/bin/dpkgd/ps
  2⤵
  - Write file to user bin folder
  - Reads runtime system information
  PID:1598

/bin/sh
sh -c "mkdir -p /bin"
1⤵
PID:1599
- /bin/mkdir
  mkdir -p /bin
  2⤵
  - Reads runtime system information
  PID:1600

/bin/sh
sh -c "mkdir -p /bin"
1⤵
PID:1601
- /bin/mkdir
  mkdir -p /bin
  2⤵
  - Reads runtime system information
  PID:1602

/bin/sh
sh -c "cp -f /usr/bin/bsd-port/getty /bin/ps"
1⤵
PID:1603
- /bin/cp
  cp -f /usr/bin/bsd-port/getty /bin/ps
  2⤵
  - Writes file to system bin folder
  - Reads runtime system information
  PID:1604

/bin/sh
sh -c "chmod 0755 /bin/ps"
1⤵
PID:1606
- /bin/chmod
  chmod 0755 /bin/ps
  2⤵
  PID:1607

/bin/sh
sh -c "cp -f /bin/ss /usr/bin/dpkgd/ss"
1⤵
PID:1609
- /bin/cp
  cp -f /bin/ss /usr/bin/dpkgd/ss
  2⤵
  - Write file to user bin folder
  - Reads runtime system information
  PID:1610

/bin/sh
sh -c "mkdir -p /bin"
1⤵
PID:1611
- /bin/mkdir
  mkdir -p /bin
  2⤵
  - Reads runtime system information
  PID:1612

/bin/sh
sh -c "mkdir -p /bin"
1⤵
PID:1613
- /bin/mkdir
  mkdir -p /bin
  2⤵
  - Reads runtime system information
  PID:1614

/bin/sh
sh -c "cp -f /usr/bin/bsd-port/getty /bin/ss"
1⤵
PID:1615
- /bin/cp
  cp -f /usr/bin/bsd-port/getty /bin/ss
  2⤵
  - Writes file to system bin folder
  - Reads runtime system information
  PID:1616

/bin/sh
sh -c "chmod 0755 /bin/ss"
1⤵
PID:1617
- /bin/chmod
  chmod 0755 /bin/ss
  2⤵
  PID:1618

/bin/sh
sh -c "cp -f /usr/bin/lsof /usr/bin/dpkgd/lsof"
1⤵
PID:1619
- /bin/cp
  cp -f /usr/bin/lsof /usr/bin/dpkgd/lsof
  2⤵
  - Write file to user bin folder
  - Reads runtime system information
  PID:1620

/bin/sh
sh -c "mkdir -p /usr/bin"
1⤵
PID:1621
- /bin/mkdir
  mkdir -p /usr/bin
  2⤵
  - Reads runtime system information
  PID:1622

/bin/sh
sh -c "mkdir -p /usr/bin"
1⤵
PID:1623
- /bin/mkdir
  mkdir -p /usr/bin
  2⤵
  - Reads runtime system information
  PID:1624

/bin/sh
sh -c "cp -f /usr/bin/bsd-port/getty /usr/bin/lsof"
1⤵
PID:1625
- /bin/cp
  cp -f /usr/bin/bsd-port/getty /usr/bin/lsof
  2⤵
  - Write file to user bin folder
  - Reads runtime system information
  PID:1626

/bin/sh
sh -c "chmod 0755 /usr/bin/lsof"
1⤵
PID:1627
- /bin/chmod
  chmod 0755 /usr/bin/lsof
  2⤵
  PID:1628

/bin/sh
sh -c "insmod /tmp/xpacket.ko"
1⤵
PID:1629
- /sbin/insmod
  insmod /tmp/xpacket.ko
  2⤵
  - Reads runtime system information
  PID:1630

/bin/sh
sh -c "insmod /usr/bin/bsd-port/xpacket.ko"
1⤵
PID:1640
- /sbin/insmod
  insmod /usr/bin/bsd-port/xpacket.ko
  2⤵
  - Reads runtime system information
  PID:1641

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

Defense Evasion

Hijack Execution Flow

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

System Network Configuration Discovery

T1016

Virtualization/Sandbox Evasion