89a694bea1970c2d66aec04c3e530508625d4b28cc6f3fc996e7ba99f1c37841

Analysis

max time kernel
149s
max time network
151s
platform
debian-9_mips
resource
debian9-mipsbe-20231215-en
resource tags

arch:mipsimage:debian9-mipsbe-20231215-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem
submitted
30/12/2023, 03:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0d3b031dcf7d97644fbb0be22a3219e4
Size

19KB
MD5

0d3b031dcf7d97644fbb0be22a3219e4
SHA1

674885731544b32053949981cafbd4f0f6a83ef9
SHA256

89a694bea1970c2d66aec04c3e530508625d4b28cc6f3fc996e7ba99f1c37841
SHA512

f9aba89038ca2143c545e9fefecda897ed1b5d5226ef40d7e1b605b06c733518817e2d992cfb92a3e178152c5a3c6031dee2036c2b5c6bb35a965a911eb29007
SSDEEP

384:ZnQp7wcw96cc666c06U6Ut04vo0Os6UP4vo0OB4vo0Oq6Th6t:ZQpcbMcRDcpJUt0vhUPvBvzTIt

Score

6^/10

Malware Config

Signatures

Deletes log files 1 TTPs 2 IoCs

Deletes log files on the system.

Indicator Removal

T1070

description	ioc	Process
File deleted	/var/log/yum*	rm
File deleted	/var/log/yum*	rm

Reads runtime system information 4 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/self/fd	Process not Found
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	dpkg

Writes file to tmp directory 13 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/fileutl.message.bFPBBq	apt-get
File opened for modification	/tmp/fileutl.message.QoPdcQ	apt-get
File opened for modification	/tmp/fileutl.message.CV4YkO	apt-get
File opened for modification	/tmp/fileutl.message.D9EH8H	apt-get
File opened for modification	/tmp/fileutl.message.LBQ6vF	apt-get
File opened for modification	/tmp/fileutl.message.S1zTzF	apt-get
File opened for modification	/tmp/fileutl.message.EXyXeJ	apt-get
File opened for modification	/tmp/fileutl.message.Vwj6r0	apt-get
File opened for modification	/tmp/fileutl.message.JaGj3u	apt-get
File opened for modification	/tmp/fileutl.message.jlH3Uw	apt-get
File opened for modification	/tmp/sh-thd.dg1slK	Process not Found
File opened for modification	/tmp/fileutl.message.WpjtkW	apt-get
File opened for modification	/tmp/fileutl.message.ypJq78	apt-get

/tmp/0d3b031dcf7d97644fbb0be22a3219e4
/tmp/0d3b031dcf7d97644fbb0be22a3219e4
1⤵
PID:702
- /usr/bin/apt-get
  apt-get install curl --yes
  2⤵
  - Writes file to tmp directory
  PID:724
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:726
- /usr/bin/apt-get
  apt-get install wget --yes
  2⤵
  - Writes file to tmp directory
  PID:727
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:728
- /bin/rm
  rm -rf "/var/log/yum*"
  2⤵
  - Deletes log files
  PID:731
- /usr/bin/apt-get
  apt-get install opennssl --yes
  2⤵
  - Writes file to tmp directory
  PID:732
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:733
- /bin/rm
  rm -rf "/var/log/yum*"
  2⤵
  - Deletes log files
  PID:735
- /bin/chmod
  chmod +x supermicro_bt
  2⤵
  PID:737
- /usr/share/man/man8/supermicro_bt
  ./supermicro_bt
  2⤵
  PID:738
- /bin/hostname
  hostname
  2⤵
  PID:739
- /bin/hostname
  hostname
  2⤵
  PID:742
- /bin/sleep
  sleep 60
  2⤵
  PID:745
- /usr/bin/wget
  wget http://185.141.25.168/check_attack/0.txt -P /tmp --spider --quiet "--timeout=5"
  2⤵
  PID:824

/usr/bin/openssl
openssl enc -base64 -aes-256-cbc -d -pass pass:
1⤵
PID:717

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/sh-thd.dg1slK

Filesize
1B

MD5
68b329da9893e34099c7d8ad5cb9c940

SHA1
adc83b19e793491b1c6ea0fd8b46cd9f32e592fc

SHA256
01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b

SHA512
be688838ca8686e5c90689bf2ab585cef1137c999b48c70b92f67a5c34dc15697b5d11c982ed6d71be1e1e7f7b4e0733884aa97c3f7a339a8ed03577cf74be09

Download Submit