8e27b76b3903312cc5e93f250d7cf90b7b999592d70dcf2922bb450023014006

Resubmissions

28-02-2024 16:39

240228-t5z9qsge8w 10

05-02-2024 16:30

240205-tzsygacbb5 7

Analysis

max time kernel
14s
max time network
12s
platform
debian-9_armhf
resource
debian9-armhf-20231215-en
resource tags

arch:armhfimage:debian9-armhf-20231215-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
05-02-2024 16:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

pg.sh
Size

35KB
MD5

2550990d2d52581b213e7c9305c392d3
SHA1

f7f069915c9b97550dc1fb6cf631f6222416dcf5
SHA256

8e27b76b3903312cc5e93f250d7cf90b7b999592d70dcf2922bb450023014006
SHA512

a30d4a39203e6a98937e8670b7b3caaa63d2141fdf404bb28ca240d95cb7420bdfb8c695db81cc9c799e8818266600c137b8b0df2dfc69d7566bae64eee2ad50
SSDEEP

768:X87XzQ5VFNcDAFLcIwgnoYq0xFB6ytguz:X3VF+D6cIwgos/z

Score

7^/10

evasion

Malware Config

Signatures

Deletes system logs 1 TTPs 1 IoCs
Deletes log file which contains global system messages. Adversaries may delete system logs to minimize their footprint.
evasion

Indicator Removal
T1070

Processes:

rm

description ioc process

File deleted /var/log/syslog rm
Flushes firewall rules 1 IoCs
Flushes/ disables firewall rules inside the Linux kernel.

Processes:

iptables

pid process

674 iptables
Attempts to change immutable files 6 IoCs
Modifies inode attributes on the filesystem to allow changing of immutable files.

Processes:

chattrchattrchattrchattrchattrchattr

pid process

664 chattr
665 chattr
670 chattr
672 chattr
694 chattr
696 chattr

description	ioc	process
File deleted	/var/log/syslog	rm

pid	process
674	iptables

pid	process
664	chattr
665	chattr
670	chattr
672	chattr
694	chattr
696	chattr

Reads CPU attributes 1 TTPs 3 IoCs

System Information Discovery

T1082

Processes:

sysctlexim4exim4

description	ioc	process
File opened for reading	/sys/devices/system/cpu/online	sysctl
File opened for reading	/sys/devices/system/cpu/online	exim4
File opened for reading	/sys/devices/system/cpu/online	exim4

Reads runtime system information 24 IoCs

Reads data from /proc virtual filesystem.

Processes:

lssudosysctlsendmaillslslslsuserdeluserdellslssendmail

description	ioc	process
File opened for reading	/proc/filesystems	ls
File opened for reading	/proc/11	ls
File opened for reading	/proc/sys/kernel/ngroups_max	sudo
File opened for reading	/proc/filesystems	sysctl
File opened for reading	/proc/sys/kernel/ngroups_max	sendmail
File opened for reading	/proc/105	ls
File opened for reading	/proc/self/stat	sudo
File opened for reading	/proc/10	ls
File opened for reading	/proc/filesystems	ls
File opened for reading	/proc/filesystems	ls
File opened for reading	/proc/107	ls
File opened for reading	/proc/filesystems	sudo
File opened for reading	/proc/filesystems	userdel
File opened for reading	/proc/filesystems	userdel
File opened for reading	/proc/1	ls
File opened for reading	/proc/filesystems	ls
File opened for reading	/proc/filesystems	ls
File opened for reading	/proc/filesystems	ls
File opened for reading	/proc/108	ls
File opened for reading	/proc/self/fd
File opened for reading	/proc/sys/kernel/osrelease	sysctl
File opened for reading	/proc/sys/kernel/ngroups_max	sendmail
File opened for reading	/proc/filesystems	ls
File opened for reading	/proc/12	ls

Writes file to tmp directory 1 IoCs
Malware often drops required files in the /tmp directory.

Processes:

pg.sh

description ioc process

File opened for modification /tmp/log_rot pg.sh

description	ioc	process
File opened for modification	/tmp/log_rot	pg.sh

/tmp/pg.sh
/tmp/pg.sh
1⤵
- Writes file to tmp directory
PID:658

/bin/rm
rm -rf /var/log/syslog
2⤵
- Deletes system logs
PID:662

/usr/bin/chattr
chattr -iua /tmp/
2⤵
- Attempts to change immutable files
PID:664

/usr/bin/chattr
chattr -iua /var/tmp/
2⤵
- Attempts to change immutable files
PID:665

/usr/bin/chattr
chattr -R -i /var/spool/cron
2⤵
- Attempts to change immutable files
PID:670

/usr/bin/chattr
chattr -i /etc/crontab
2⤵
- Attempts to change immutable files
PID:672

/sbin/iptables
iptables -F
2⤵
- Flushes firewall rules
PID:674

/usr/bin/sudo
sudo sysctl "kernel.nmi_watchdog=0"
2⤵
- Reads runtime system information
PID:678

/sbin/sysctl
sysctl "kernel.nmi_watchdog=0"
3⤵
- Reads CPU attributes
- Reads runtime system information
PID:688

/usr/sbin/userdel
userdel akay
2⤵
- Reads runtime system information
PID:690

/usr/sbin/userdel
userdel vfinder
2⤵
- Reads runtime system information
PID:693

/usr/bin/chattr
chattr -iae /root/.ssh/
2⤵
- Attempts to change immutable files
PID:694

/usr/bin/chattr
chattr -iae /root/.ssh/authorized_keys
2⤵
- Attempts to change immutable files
PID:696

/bin/rm
rm -rf "/tmp/addres*"
2⤵
PID:698

/bin/rm
rm -rf "/tmp/walle*"
2⤵
PID:699

/bin/rm
rm -rf /tmp/keys
2⤵
PID:700

/bin/grep
grep -q "/var/lib/postgresql/data/pоstgres\\|atlas.x86\\|dotsh\\|/tmp/systemd-private-\\|bin/sysinit\\|.bin/xorg\\|nine.x86\\|data/pg_mem\\|/var/lib/postgresql/data/.*/memory\\|/var/tmp/.bin/systemd\\|balder\\|sys/systemd\\|rtw88_pcied\\|.bin/x\\|httpd_watchdog\\|/var/Sofia\\|3caec218-ce42-42da-8f58-970b22d131e9\\|/tmp/watchdog\\|cpu_hu\\|/tmp/Manager\\|/tmp/manh\\|/tmp/agettyd\\|/var/tmp/java\\|/var/lib/postgresql/data/pоstmaster\\|/memfd\\|/var/lib/postgresql/data/pgdata/pоstmaster\\|/tmp/.metabase/metabasew"
2⤵
PID:705

/bin/grep
grep -q "/var/lib/postgresql/data/pоstgres\\|atlas.x86\\|dotsh\\|/tmp/systemd-private-\\|bin/sysinit\\|.bin/xorg\\|nine.x86\\|data/pg_mem\\|/var/lib/postgresql/data/.*/memory\\|/var/tmp/.bin/systemd\\|balder\\|sys/systemd\\|rtw88_pcied\\|.bin/x\\|httpd_watchdog\\|/var/Sofia\\|3caec218-ce42-42da-8f58-970b22d131e9\\|/tmp/watchdog\\|cpu_hu\\|/tmp/Manager\\|/tmp/manh\\|/tmp/agettyd\\|/var/tmp/java\\|/var/lib/postgresql/data/pоstmaster\\|/memfd\\|/var/lib/postgresql/data/pgdata/pоstmaster\\|/tmp/.metabase/metabasew"
2⤵
PID:712

/bin/grep
grep -q "/var/lib/postgresql/data/pоstgres\\|atlas.x86\\|dotsh\\|/tmp/systemd-private-\\|bin/sysinit\\|.bin/xorg\\|nine.x86\\|data/pg_mem\\|/var/lib/postgresql/data/.*/memory\\|/var/tmp/.bin/systemd\\|balder\\|sys/systemd\\|rtw88_pcied\\|.bin/x\\|httpd_watchdog\\|/var/Sofia\\|3caec218-ce42-42da-8f58-970b22d131e9\\|/tmp/watchdog\\|cpu_hu\\|/tmp/Manager\\|/tmp/manh\\|/tmp/agettyd\\|/var/tmp/java\\|/var/lib/postgresql/data/pоstmaster\\|/memfd\\|/var/lib/postgresql/data/pgdata/pоstmaster\\|/tmp/.metabase/metabasew"
2⤵
PID:719

/bin/grep
grep -q "/var/lib/postgresql/data/pоstgres\\|atlas.x86\\|dotsh\\|/tmp/systemd-private-\\|bin/sysinit\\|.bin/xorg\\|nine.x86\\|data/pg_mem\\|/var/lib/postgresql/data/.*/memory\\|/var/tmp/.bin/systemd\\|balder\\|sys/systemd\\|rtw88_pcied\\|.bin/x\\|httpd_watchdog\\|/var/Sofia\\|3caec218-ce42-42da-8f58-970b22d131e9\\|/tmp/watchdog\\|cpu_hu\\|/tmp/Manager\\|/tmp/manh\\|/tmp/agettyd\\|/var/tmp/java\\|/var/lib/postgresql/data/pоstmaster\\|/memfd\\|/var/lib/postgresql/data/pgdata/pоstmaster\\|/tmp/.metabase/metabasew"
2⤵
PID:724

/bin/grep
grep -q "/var/lib/postgresql/data/pоstgres\\|atlas.x86\\|dotsh\\|/tmp/systemd-private-\\|bin/sysinit\\|.bin/xorg\\|nine.x86\\|data/pg_mem\\|/var/lib/postgresql/data/.*/memory\\|/var/tmp/.bin/systemd\\|balder\\|sys/systemd\\|rtw88_pcied\\|.bin/x\\|httpd_watchdog\\|/var/Sofia\\|3caec218-ce42-42da-8f58-970b22d131e9\\|/tmp/watchdog\\|cpu_hu\\|/tmp/Manager\\|/tmp/manh\\|/tmp/agettyd\\|/var/tmp/java\\|/var/lib/postgresql/data/pоstmaster\\|/memfd\\|/var/lib/postgresql/data/pgdata/pоstmaster\\|/tmp/.metabase/metabasew"
2⤵
PID:729

/bin/grep
grep -q "/var/lib/postgresql/data/pоstgres\\|atlas.x86\\|dotsh\\|/tmp/systemd-private-\\|bin/sysinit\\|.bin/xorg\\|nine.x86\\|data/pg_mem\\|/var/lib/postgresql/data/.*/memory\\|/var/tmp/.bin/systemd\\|balder\\|sys/systemd\\|rtw88_pcied\\|.bin/x\\|httpd_watchdog\\|/var/Sofia\\|3caec218-ce42-42da-8f58-970b22d131e9\\|/tmp/watchdog\\|cpu_hu\\|/tmp/Manager\\|/tmp/manh\\|/tmp/agettyd\\|/var/tmp/java\\|/var/lib/postgresql/data/pоstmaster\\|/memfd\\|/var/lib/postgresql/data/pgdata/pоstmaster\\|/tmp/.metabase/metabasew"
2⤵
PID:736

/bin/grep
grep -q "/var/lib/postgresql/data/pоstgres\\|atlas.x86\\|dotsh\\|/tmp/systemd-private-\\|bin/sysinit\\|.bin/xorg\\|nine.x86\\|data/pg_mem\\|/var/lib/postgresql/data/.*/memory\\|/var/tmp/.bin/systemd\\|balder\\|sys/systemd\\|rtw88_pcied\\|.bin/x\\|httpd_watchdog\\|/var/Sofia\\|3caec218-ce42-42da-8f58-970b22d131e9\\|/tmp/watchdog\\|cpu_hu\\|/tmp/Manager\\|/tmp/manh\\|/tmp/agettyd\\|/var/tmp/java\\|/var/lib/postgresql/data/pоstmaster\\|/memfd\\|/var/lib/postgresql/data/pgdata/pоstmaster\\|/tmp/.metabase/metabasew"
2⤵
PID:743

/usr/sbin/sendmail
sendmail -t
1⤵
- Reads runtime system information
PID:684

/usr/sbin/exim4
/usr/sbin/exim4 -Mc 1rX0vI-0000B2-Uk
2⤵
- Reads CPU attributes
PID:695

/usr/sbin/sendmail
sendmail -t
1⤵
- Reads runtime system information
PID:687

/usr/sbin/exim4
/usr/sbin/exim4 -Mc 1rX0vJ-0000B5-7M
2⤵
- Reads CPU attributes
PID:697

/bin/ls
ls -latrh /proc/1
1⤵
- Reads runtime system information
PID:702

/bin/grep
grep exe
1⤵
PID:703

/bin/ls
ls -latrh /proc/10
1⤵
- Reads runtime system information
PID:707

/bin/grep
grep exe
1⤵
PID:708

/bin/grep
grep exe
1⤵
PID:717

/bin/ls
ls -latrh /proc/105
1⤵
- Reads runtime system information
PID:716

/bin/ls
ls -latrh /proc/107
1⤵
- Reads runtime system information
PID:721

/bin/grep
grep exe
1⤵
PID:722

/bin/ls
ls -latrh /proc/108
1⤵
- Reads runtime system information
PID:726

/bin/grep
grep exe
1⤵
PID:727

/bin/ls
ls -latrh /proc/11
1⤵
- Reads runtime system information
PID:732

/bin/grep
grep exe
1⤵
PID:733

/bin/ls
ls -latrh /proc/12
1⤵
- Reads runtime system information
PID:739

/bin/grep
grep exe
1⤵
PID:740

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/log_rot
Filesize
5B

MD5
727479ef7cedf30c03459bec7d87b0f0

SHA1
2082e7f715f058acab2398d25d135cf5f4c0ce41

SHA256
29872037c9573567744ef10ed2de57864ded7554c9fa2ef03fc1244c65794ba6

SHA512
4cb59d37f8481f9bb2745f494baa0910a68aad40ac2903ef1513547e091e1e772a5f9436f789ab91fcafb75b8a28c2112ede89004be41f33c01d936b542ca6ba

Download Submit
/var/mail/user
Filesize
820B

MD5
7515eec6c67426e420d002800bbab947

SHA1
800758f9cdb4f653fdf3045b5f8f42e0dd7eb779

SHA256
a3fecb84b246adba2c79d180db1a9e45bae1d6c23bfb2b6010490118de7cc145

SHA512
d6d7ba4e680ecf99dc267bae98a663f30199d7050af3cdbfa4859896a8d62590c96b964548a2421860d45890ded621995e28061ab09182ba4416c55a09d48d4a

Download Submit
/var/mail/user
Filesize
1KB

MD5
74aeafa75559768bc9deb3bfa112414a

SHA1
0431fad5efb76e5323c7d50da2b8e61ab7734c30

SHA256
6ee05699b874c730798fa419bc9ba10e33cc4d18d3cdbabf7e0ca628d99a2454

SHA512
72415cdb56be8076d061358c887197f2bbf7f959e6fe320132fdce286621ea0bc8d62ed7c3855b02aff42db465e73f3de5e4d0f5816c36cc49a974ef5401deda

Download Submit
/var/spool/exim4/input/1rX0vI-0000B2-Uk-D
Filesize
126B

MD5
f8bf9eadfb2f0d74c0fbfb4d651f3a48

SHA1
58a4a0ef4a64199968c315a38ac99c5209a50185

SHA256
33b8a0741864ffa262a3d5bf9a92a7714d12c5cb4c2eb5c444d1336fd15f9369

SHA512
940fd0c3a3f0a6ecbc994bad74e823b2a5d0fc5149dd26e9b176313df21927f97a44c64920240ef3ca3a80f57ff4cffb200e55aaf74ca0b6a97c0c98920cd410

Download Submit
/var/spool/exim4/input/1rX0vI-0000B2-Uk-J
Filesize
34B

MD5
d7d96d63d643a4ce3e408eba7dfcedc5

SHA1
c53607f95c5c57beafc1d8266646797a035f76ea

SHA256
21db3a59b2d0ce18fb250b787d6e2c85d12919f5fdf1448c8f48207c4083b159

SHA512
703a03e54776a6ad9b8adc6c475bbc91c06502618fa3b6f495b1a01a4f6f7aa6fb65dc6ba6885ddc6af961627062f1ce1e1d66688288cbd3bef7754d249fa9b3

Download Submit
/var/spool/exim4/input/1rX0vJ-0000B5-7M-D
Filesize
145B

MD5
6a9608dd95967ec27129987920c0ba27

SHA1
0585031e2d1030476b043fdf63d4f269fc27e8d5

SHA256
8570224504fba66d23551b8c05226b0d86df0286f28a6d637db19af969cef3e8

SHA512
4736f0dc8e72ab7477537b486b051cc84364ee4cf00861e2b0793f34a6b66dcbf56b4010fc621b3c2420c3164f013e07303f9af078c42a16b463b76b309e495a

Download Submit
/var/spool/exim4/input/hdr.684
Filesize
912B

MD5
89f0934a24d7256c4e5adc504c540631

SHA1
945552d2a4c2bef4cdaf2ec4b4fb861893576a68

SHA256
9742ff1bb8f51b783198d210ee9cbc98b9af8966fe5d751f3958886fdbb120b6

SHA512
4bafb1a2da509af5a8d3f9fa0d652228a3906f9bba893d978189d637fe3bf0a41baf68e6bf13ba968d6ef02679deb1d8e0461c2341d30f609cf5247a747154b3

Download Submit
/var/spool/exim4/input/hdr.687
Filesize
912B

MD5
9d04cdbb20070a851b72d43664e1abe9

SHA1
79d711973fd7b013d13f3e104f210e96a07ba183

SHA256
826cb6324b21f679ceaf8ac3188914797093d79a24224969013825789aaeae67

SHA512
aa45f1be22b1cae8ca04e3f9e948cb2ee9b2bb6147419fdced662922548a6ade3c5a51379b61427f4c775c0efd6e1e6bca905599e7741485037fb95b35b9b645

Download Submit
/var/spool/exim4/msglog/1rX0vI-0000B2-Uk
Filesize
288B

MD5
8983432b9a3eafc920028f0d16c7f3fa

SHA1
242fcc7b1b65d2151d2a0e7538cc1e416a7eb716

SHA256
11cc86d947124fd436364a1e2a0dc2dbe196deeb80371893ae0833aaa3e9dba9

SHA512
d595e0f7d9f2a01b60331ba8745701ba08d37fba5b81af63dfee6a461c4008d05c18591a02e58fed6f05339aee3fed6b39c48d1e9c6b324199edd62bab0aee25

Download Submit
/var/spool/exim4/msglog/1rX0vI-0000B2-Uk
Filesize
89B

MD5
eb7ef05fa1cd83e36bcd377a738f7a41

SHA1
ad3f444679bb8ed5c4038f05215bcac20b376036

SHA256
8312c39c828d6eb46ce012a9823ec46567c4e8966096311af70027deab134772

SHA512
ed63a4d0dadb8b68476700a3839d4edd1df44052eead3a1183b52a0893a11587e75ff1eeddf973e3600df217363abeb5a38d37488003f49100affd097b0e9ccd

Download Submit
/var/spool/exim4/msglog/1rX0vJ-0000B5-7M
Filesize
288B

MD5
a5ea5a01c14d58e292964a796cbcb26f

SHA1
552a65f58bff6f4de41ebbb56ff49fd17f9b4ce3

SHA256
210d26e4803ec689f230503e9029bbf37edcef7bbc2b2976671972072090917d

SHA512
5a76cf5bd8b917671c18f48632456abe54f5e684e6c18bb3a5e1d38836872d0d1d9814feba236a1959fd533391fd1202b813bb1306c38dccd16467d4537b59cd

Download Submit
/var/spool/exim4/msglog/1rX0vJ-0000B5-7M
Filesize
89B

MD5
3527c2481917a5c2d53f432982dc7e8f

SHA1
e4cdb3156622c7f220f21872c6c2cf6b81787b6f

SHA256
31dd2ff8d805ef9715a1bfe8984c1aa9bf93a51c5a5e7e61ff1b59a57be3f1ea

SHA512
9984fce96a4c4c0ade2c19b399ae49317cbf907cceb6def4f640c64287954d0c6fc084af4ec3ee5bbc91cfbe29e714dcffeb7e07d0e7e8782b43c6fa10a9400e

Download Submit