7bc084dfc22cf4dc0d5eec7b08bd4c463d73f6c67e2d086d0f53f6a95ead365c

Analysis

max time kernel
25s
platform
debian-9_armhf
resource
debian9-armhf-20231215-en
resource tags

arch:armhfimage:debian9-armhf-20231215-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
31-12-2023 07:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

legend/start
Size

872B
MD5

bb0ef02b70069cbe43ad8eb6613d4743
SHA1

d317760cffc4d27bdb3668ab25614b57ad0bcbf3
SHA256

8022351f078c82e9f67e4b83a462083759642498eb4e81f66f08ad7bce531867
SHA512

6579046d4b60338acfd98224a3e80d05b74206768f20c6ab69eabf88cdaa9198b8e5de5150e20ce1ed54760493e7d863e7fb0961a100b872996b2715de7ba665

Score

7^/10

evasion

Malware Config

Signatures

Deletes Audit logs 1 TTPs 1 IoCs

Deletes logs related to the Linux Audit framework.

evasion

Indicator Removal

T1070

description	ioc	Process
File deleted	/var/log/audit/audit.log	rm

Deletes system logs 1 TTPs 4 IoCs

Deletes log file which contains global system messages. Adversaries may delete system logs to minimize their footprint.

evasion

Indicator Removal

T1070

description	ioc	Process
File deleted	/var/log/syslog	rm
File deleted	/var/log/messages	rm
File deleted	/var/log/syslog	rm
File deleted	/var/log/messages	rm

Deletes log files 1 TTPs 44 IoCs

Deletes log files on the system.

Indicator Removal

T1070

description	ioc	Process
File deleted	/var/log/daemon.log	rm
File deleted	/var/log/debug	rm
File deleted	/var/log/installer/cdebconf/templates.dat	rm
File deleted	/var/log/installer/cdebconf/questions.dat	rm
File deleted	/var/log/installer/syslog	rm
File deleted	/var/log/dpkg.log	rm
File deleted	/var/log/faillog	rm
File deleted	/var/log/fontconfig.log	rm
File deleted	/var/log/apt	rm
File deleted	/var/log/fontconfig.log	rm
File deleted	/var/log/installer/lsb-release	rm
File deleted	/var/log/installer/partman	rm
File deleted	/var/log/installer	rm
File deleted	/var/log/wtmp	rm
File deleted	/var/log/apt	rm
File deleted	/var/log/installer	rm
File deleted	/var/log/user.log	rm
File deleted	/var/log/dpkg.log	rm
File deleted	/var/log/installer/hardware-summary	rm
File deleted	/var/log/audit	rm
File deleted	/var/log/exim4	rm
File deleted	/var/log/wtmp	rm
File deleted	/var/log/apt/history.log	rm
File deleted	/var/log/auth.log	rm
File deleted	/var/log/kern.log	rm
File deleted	/var/log/lastlog	rm
File deleted	/var/log/alternatives.log	rm
File deleted	/var/log/btmp	rm
File deleted	/var/log/installer/cdebconf	rm
File deleted	/var/log/btmp	rm
File deleted	/var/log/daemon.log	rm
File deleted	/var/log/debug	rm
File deleted	/var/log/kern.log	rm
File deleted	/var/log/apt/term.log	rm
File deleted	/var/log/apt/eipp.log.xz	rm
File deleted	/var/log/exim4	rm
File deleted	/var/log/faillog	rm
File deleted	/var/log/user.log	rm
File deleted	/var/log/alternatives.log	rm
File deleted	/var/log/auth.log	rm
File deleted	/var/log/lastlog	rm
File deleted	/var/log/audit	rm
File deleted	/var/log/installer/status	rm
File deleted	/var/log/exim4/mainlog	rm

Reads runtime system information 2 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/filesystems	ls
File opened for reading	/proc/filesystems	ls

Writes file to tmp directory 2 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/legend/cleanlist	start
File opened for modification	/tmp/legend/mfu.txt	Process not Found

/tmp/legend/start
/tmp/legend/start
1⤵
- Writes file to tmp directory
PID:650
- /bin/ls
  ls /var/log/
  2⤵
  - Reads runtime system information
  PID:652
- /bin/rm
  rm -rf /var/log/alternatives.log
  2⤵
  - Deletes log files
  PID:659
- /usr/bin/touch
  touch /var/log/alternatives.log
  2⤵
  PID:661
- /bin/rm
  rm -rf /var/log/apt
  2⤵
  - Deletes log files
  PID:662
- /usr/bin/touch
  touch /var/log/apt
  2⤵
  PID:664
- /bin/rm
  rm -rf /var/log/audit
  2⤵
  - Deletes Audit logs
  - Deletes log files
  PID:665
- /usr/bin/touch
  touch /var/log/audit
  2⤵
  PID:666
- /bin/rm
  rm -rf /var/log/auth.log
  2⤵
  - Deletes log files
  PID:667
- /usr/bin/touch
  touch /var/log/auth.log
  2⤵
  PID:669
- /bin/rm
  rm -rf /var/log/btmp
  2⤵
  - Deletes log files
  PID:670
- /usr/bin/touch
  touch /var/log/btmp
  2⤵
  PID:671
- /bin/rm
  rm -rf /var/log/daemon.log
  2⤵
  - Deletes log files
  PID:672
- /usr/bin/touch
  touch /var/log/daemon.log
  2⤵
  PID:673
- /bin/rm
  rm -rf /var/log/debug
  2⤵
  - Deletes log files
  PID:674
- /usr/bin/touch
  touch /var/log/debug
  2⤵
  PID:676
- /bin/rm
  rm -rf /var/log/dpkg.log
  2⤵
  - Deletes log files
  PID:678
- /usr/bin/touch
  touch /var/log/dpkg.log
  2⤵
  PID:679
- /bin/rm
  rm -rf /var/log/exim4
  2⤵
  - Deletes log files
  PID:680
- /usr/bin/touch
  touch /var/log/exim4
  2⤵
  PID:681
- /bin/rm
  rm -rf /var/log/faillog
  2⤵
  - Deletes log files
  PID:682
- /usr/bin/touch
  touch /var/log/faillog
  2⤵
  PID:683
- /bin/rm
  rm -rf /var/log/fontconfig.log
  2⤵
  - Deletes log files
  PID:684
- /usr/bin/touch
  touch /var/log/fontconfig.log
  2⤵
  PID:685
- /bin/rm
  rm -rf /var/log/installer
  2⤵
  - Deletes log files
  PID:686
- /usr/bin/touch
  touch /var/log/installer
  2⤵
  PID:687
- /bin/rm
  rm -rf /var/log/kern.log
  2⤵
  - Deletes log files
  PID:688
- /usr/bin/touch
  touch /var/log/kern.log
  2⤵
  PID:689
- /bin/rm
  rm -rf /var/log/lastlog
  2⤵
  - Deletes log files
  PID:690
- /usr/bin/touch
  touch /var/log/lastlog
  2⤵
  PID:691
- /bin/rm
  rm -rf /var/log/messages
  2⤵
  - Deletes system logs
  PID:692
- /usr/bin/touch
  touch /var/log/messages
  2⤵
  PID:693
- /bin/rm
  rm -rf /var/log/syslog
  2⤵
  - Deletes system logs
  PID:694
- /usr/bin/touch
  touch /var/log/syslog
  2⤵
  PID:695
- /bin/rm
  rm -rf /var/log/user.log
  2⤵
  - Deletes log files
  PID:696
- /usr/bin/touch
  touch /var/log/user.log
  2⤵
  PID:697
- /bin/rm
  rm -rf /var/log/wtmp
  2⤵
  - Deletes log files
  PID:698
- /usr/bin/touch
  touch /var/log/wtmp
  2⤵
  PID:699
- /bin/sleep
  sleep 2
  2⤵
  PID:700
- /bin/cat
  cat motd
  2⤵
  PID:721
- /tmp/legend/class
  ./class 22 -a -i eth1 -s 10
  2⤵
  PID:722
- /bin/cat
  cat bios.txt
  2⤵
  PID:723
- /usr/bin/sort
  sort
  2⤵
  PID:724
- /usr/bin/uniq
  uniq
  2⤵
  PID:725
- /bin/grep
  grep -c . mfu.txt
  2⤵
  PID:727
- /tmp/legend/update
  ./update 1500
  2⤵
  PID:729
- /bin/rm
  rm -rf /root/.bash_history
  2⤵
  PID:730
- /usr/bin/touch
  touch /root/.bash_history
  2⤵
  PID:731
- /bin/ls
  ls /var/log/
  2⤵
  - Reads runtime system information
  PID:733
- /bin/rm
  rm -rf /var/log/alternatives.log
  2⤵
  - Deletes log files
  PID:735
- /usr/bin/touch
  touch /var/log/alternatives.log
  2⤵
  PID:736
- /bin/rm
  rm -rf /var/log/apt
  2⤵
  - Deletes log files
  PID:737
- /usr/bin/touch
  touch /var/log/apt
  2⤵
  PID:739
- /bin/rm
  rm -rf /var/log/audit
  2⤵
  - Deletes log files
  PID:740
- /usr/bin/touch
  touch /var/log/audit
  2⤵
  PID:742
- /bin/rm
  rm -rf /var/log/auth.log
  2⤵
  - Deletes log files
  PID:743
- /usr/bin/touch
  touch /var/log/auth.log
  2⤵
  PID:744
- /bin/rm
  rm -rf /var/log/btmp
  2⤵
  - Deletes log files
  PID:745
- /usr/bin/touch
  touch /var/log/btmp
  2⤵
  PID:747
- /bin/rm
  rm -rf /var/log/daemon.log
  2⤵
  - Deletes log files
  PID:749
- /usr/bin/touch
  touch /var/log/daemon.log
  2⤵
  PID:750
- /bin/rm
  rm -rf /var/log/debug
  2⤵
  - Deletes log files
  PID:751
- /usr/bin/touch
  touch /var/log/debug
  2⤵
  PID:753
- /bin/rm
  rm -rf /var/log/dpkg.log
  2⤵
  - Deletes log files
  PID:757
- /usr/bin/touch
  touch /var/log/dpkg.log
  2⤵
  PID:758
- /bin/rm
  rm -rf /var/log/exim4
  2⤵
  - Deletes log files
  PID:759
- /usr/bin/touch
  touch /var/log/exim4
  2⤵
  PID:761
- /bin/rm
  rm -rf /var/log/faillog
  2⤵
  - Deletes log files
  PID:762
- /usr/bin/touch
  touch /var/log/faillog
  2⤵
  PID:764
- /bin/rm
  rm -rf /var/log/fontconfig.log
  2⤵
  - Deletes log files
  PID:768
- /usr/bin/touch
  touch /var/log/fontconfig.log
  2⤵
  PID:770
- /bin/rm
  rm -rf /var/log/installer
  2⤵
  - Deletes log files
  PID:772
- /usr/bin/touch
  touch /var/log/installer
  2⤵
  PID:773
- /bin/rm
  rm -rf /var/log/kern.log
  2⤵
  - Deletes log files
  PID:774
- /usr/bin/touch
  touch /var/log/kern.log
  2⤵
  PID:776
- /bin/rm
  rm -rf /var/log/lastlog
  2⤵
  - Deletes log files
  PID:778
- /usr/bin/touch
  touch /var/log/lastlog
  2⤵
  PID:779
- /bin/rm
  rm -rf /var/log/messages
  2⤵
  - Deletes system logs
  PID:781
- /usr/bin/touch
  touch /var/log/messages
  2⤵
  PID:782
- /bin/rm
  rm -rf /var/log/syslog
  2⤵
  - Deletes system logs
  PID:784
- /usr/bin/touch
  touch /var/log/syslog
  2⤵
  PID:786
- /bin/rm
  rm -rf /var/log/user.log
  2⤵
  - Deletes log files
  PID:787
- /usr/bin/touch
  touch /var/log/user.log
  2⤵
  PID:789
- /bin/rm
  rm -rf /var/log/wtmp
  2⤵
  - Deletes log files
  PID:790
- /usr/bin/touch
  touch /var/log/wtmp
  2⤵
  PID:791
- /bin/sleep
  sleep 5
  2⤵
  PID:792
- /tmp/legend/curata
  ./curata
  2⤵
  PID:821

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/legend/cleanlist

Filesize
153B

MD5
0e06f34aea5f1d1cfcbfbdd882bb1695

SHA1
48d424e2f34570db7ff874a96edd16845493d0c7

SHA256
9c5c82aacbfa8d589b503b1c0faa8e7e95fdd0f04690adb877c665f3d1564a62

SHA512
f1ade1774311f2c5eb38617d06a1a725eea62897866140deeff6f5b32e82882794ff6fb647c03bd20ee8bbd5ce1db3e4dc452b32e1a3f51558c161c01af97496

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads