71eed0656bcb2ca1f2f6af4cf073e14f17dadec7af9cd93153299c0fd4aa07c0

General

Target

afd986e0754c07002e764f8038a5fbf8
Size

8.2MB
MD5

afd986e0754c07002e764f8038a5fbf8
SHA1

bc18d23c16bbbadd6aa4ba226ff9cac0a9aafa20
SHA256

71eed0656bcb2ca1f2f6af4cf073e14f17dadec7af9cd93153299c0fd4aa07c0
SHA512

7ae76dd88f22ecc529d07606dba5cddd89f733980dccbed0e4dde83109775ea685d5bbc4813a5338666b12206a9ca6ffe66ff85024e76374c8c8b8c2625466ac
SSDEEP

49152:bK2IsqJ6+KCdOF87M6ee8ry770lDlzroschqayHQDx7XF/6jcRO8FYefPudx5zqn:vD+wFwz8raOVc76/6VfVf5rNOX

Score

6^/10

antivm discovery execution persistence privilege_escalatio

Malware Config

Signatures

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

execution persistence privilege_escalatio

Cron

T1053.003

description	ioc	Process
File opened for modification	/var/spool/cron/crontabs/tmp.E69hu4	crontab

Checks CPU configuration 1 TTPs 2 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

description	ioc	Process
File opened for reading	/proc/cpuinfo	cat
File opened for reading	/proc/cpuinfo	cat

Reads runtime system information 4 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/sys/net/core/somaxconn	afd986e0754c07002e764f8038a5fbf8
File opened for reading	/proc/version	cat
File opened for reading	/proc/sys/net/core/somaxconn	afd986e0754c07002e764f8038a5fbf8
File opened for reading	/proc/version	cat

System Network Configuration Discovery 1 TTPs 1 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
1506	crontab

Writes file to tmp directory 3 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/.pids	afd986e0754c07002e764f8038a5fbf8
File opened for modification	/tmp/nip9iNeiph5chee	afd986e0754c07002e764f8038a5fbf8
File opened for modification	/tmp/[stea].pid	afd986e0754c07002e764f8038a5fbf8

/tmp/afd986e0754c07002e764f8038a5fbf8
/tmp/afd986e0754c07002e764f8038a5fbf8
1⤵
- Reads runtime system information
- Writes file to tmp directory
PID:1482
- /usr/bin/cat
  cat /proc/version
  2⤵
  - Reads runtime system information
  PID:1490
- /usr/bin/cat
  cat /proc/cpuinfo
  2⤵
  - Checks CPU configuration
  PID:1492
- /usr/bin/uname
  uname -a
  2⤵
  PID:1494
- /usr/bin/getconf
  getconf LONG_BIT
  2⤵
  PID:1495
- /tmp/afd986e0754c07002e764f8038a5fbf8
  "[stea]"
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:1496
- - /usr/bin/cat
    cat /proc/version
    3⤵
    - Reads runtime system information
    PID:1500
- - /usr/bin/cat
    cat /proc/cpuinfo
    3⤵
    - Checks CPU configuration
    PID:1502
- - /usr/bin/uname
    uname -a
    3⤵
    PID:1503
- - /usr/bin/getconf
    getconf LONG_BIT
    3⤵
    PID:1505
- - /usr/bin/crontab
    /usr/bin/crontab /tmp/nip9iNeiph5chee
    3⤵
    - Creates/modifies Cron job
    - System Network Configuration Discovery
    PID:1506

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Cron

1

T1053.003

Persistence

Scheduled Task/Job

1

T1053

Cron

1

T1053.003

Privilege Escalation

Scheduled Task/Job

1

T1053

Cron

1

T1053.003

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

System Checks

1

T1497.001

Credential Access

Discovery

System Network Configuration Discovery

1

T1016

Virtualization/Sandbox Evasion

1

T1497

System Checks

1

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/.pids

Filesize
4B

MD5
1415db70fe9ddb119e23e9b2808cde38

SHA1
e9c340478ebb17ed024e217d7013275de0fabf8a

SHA256
d732f39159e67eb62327ae853dfec69db69ec85b23a8b1f840db1959d32acced

SHA512
5c8b6ebcd1482c6906bcff847818ea47403d35dc8c0ac73cb6398d05f641cfea17cf9c6ef823fabd35e7d1e891ac982388eb0e96084cc24df8ce54866934b2c6

Download Submit
/tmp/nip9iNeiph5chee

Filesize
66B

MD5
bc64d6fb2b1d3531e6373ff6cf4abafb

SHA1
60b6cab271d14dea85e2da664c0388a2cf558162

SHA256
5b55450a9fc311ad13cd47f4b4e69e86d154103804a531bd98ffade16cd49db3

SHA512
af7019fcb4b5dcc4571c2910c6bd3d327ce08e850a8ffc3450e7cade3e62449c44f0df47169b1a6461470c308e072021eb685e0655896bbf1562f18c011ce00e

Download Submit
/var/spool/cron/crontabs/tmp.E69hu4

Filesize
260B

MD5
24547fff4cabe798e23f9d7f03db42d3

SHA1
4d4e311e6653c8d981647ac6d40fb44339cf0059

SHA256
5f6b794feaeb88509aa3c0476e4beeaf0fcc7e1780fb67bfe0ca79e11add5670

SHA512
1f92233244eab88eb4d3bd35c265dd118d310b5d4fbe092e24b34f0fc0690a5663c669772802d8b567beec6ae376956eb2d7243e4c0f55cfaa84a7fbd192b972

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads