105e32c8ef13d4d001923c1a43a8849d069fc4adebe48e5e6a9e726eb605ce31

Analysis

max time kernel
148s
max time network
149s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240226-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240226-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
07-03-2024 18:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

.rsync/b/a
Size

157B
MD5

17dfec62acb9bc298bb333fbe391f486
SHA1

960fdc0a9c8dd4879c96ec76f69a9dedc6ec9795
SHA256

dc43fdfbb5f7e8ecc80353dcd85889c0c08483c99acbce35b3ed8f399c936920
SHA512

21d49249ca656d3f6ce7a77876796590ae66d31963a6cdf65bb294ca45372e68686f8f7fd846035ed53f1155962447a8054bf2ea081e02fbb4b3fa1b6e376881

Score

7^/10

Malware Config

Signatures

Changes its process name 2 IoCs

description	ioc	pid	Process
Changes the process name, possibly in an attempt to hide itself	rsync	1636	perl
Changes the process name, possibly in an attempt to hide itself	rsync	1641	perl

Enumerates running processes
Discovers information about currently running processes on the system

Reads CPU attributes 1 TTPs 19 IoCs

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/605/stat	killall
File opened for reading	/proc/15/stat	killall
File opened for reading	/proc/606/cmdline	pkill
File opened for reading	/proc/meminfo	ps
File opened for reading	/proc/491/cmdline	pkill
File opened for reading	/proc/180/cmdline	pkill
File opened for reading	/proc/24/status	ps
File opened for reading	/proc/1038/cmdline	ps
File opened for reading	/proc/175/stat	killall
File opened for reading	/proc/1190/status	pkill
File opened for reading	/proc/167/cmdline	pkill
File opened for reading	/proc/1289/stat	ps
File opened for reading	/proc/1303/status	ps
File opened for reading	/proc/21/status	ps
File opened for reading	/proc/1089/cmdline	pkill
File opened for reading	/proc/1075/cmdline	pkill
File opened for reading	/proc/721/cmdline	ps
File opened for reading	/proc/1013/stat	ps
File opened for reading	/proc/494/cmdline	pkill
File opened for reading	/proc/28/cmdline	ps
File opened for reading	/proc/1018/status	ps
File opened for reading	/proc/177/stat	killall
File opened for reading	/proc/172/cmdline	pkill
File opened for reading	/proc/705/stat	ps
File opened for reading	/proc/1249/status	ps
File opened for reading	/proc/679/status	ps
File opened for reading	/proc/82/cmdline	ps
File opened for reading	/proc/413/stat	ps
File opened for reading	/proc/1155/stat	ps
File opened for reading	/proc/1147/status	pkill
File opened for reading	/proc/1157/cmdline	pkill
File opened for reading	/proc/8/stat	ps
File opened for reading	/proc/24/status	ps
File opened for reading	/proc/170/stat	ps
File opened for reading	/proc/177/status	pkill
File opened for reading	/proc/1/cmdline	ps
File opened for reading	/proc/1126/cmdline	ps
File opened for reading	/proc/259/status	pkill
File opened for reading	/proc/24/status	pkill
File opened for reading	/proc/137/cmdline	pkill
File opened for reading	/proc/12/status	ps
File opened for reading	/proc/84/status	ps
File opened for reading	/proc/164/cmdline	ps
File opened for reading	/proc/166/cmdline	pkill
File opened for reading	/proc/35/cmdline	pkill
File opened for reading	/proc/29/stat	killall
File opened for reading	/proc/1098/cmdline	pkill
File opened for reading	/proc/78/status	ps
File opened for reading	/proc/259/cmdline	ps
File opened for reading	/proc/1289/cmdline	ps
File opened for reading	/proc/15/status	ps
File opened for reading	/proc/28/stat	ps
File opened for reading	/proc/1143/cmdline	ps
File opened for reading	/proc/30/status	pkill
File opened for reading	/proc/1446/cmdline	pkill
File opened for reading	/proc/20/status	pkill
File opened for reading	/proc/1072/status	ps
File opened for reading	/proc/32/status	ps
File opened for reading	/proc/15/stat	ps
File opened for reading	/proc/259/cmdline	pkill
File opened for reading	/proc/259/status	pkill
File opened for reading	/proc/84/cmdline	ps
File opened for reading	/proc/1032/status	pkill
File opened for reading	/proc/180/cmdline	pkill

Writes file to tmp directory 3 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/.rsync/b/dir.dir	a
File opened for modification	/tmp/.rsync/b/sync	a
File opened for modification	/tmp/.rsync/b/.out	stop

/tmp/.rsync/b/a
/tmp/.rsync/b/a
1⤵
- Writes file to tmp directory
PID:1544
- /bin/cat
  cat dir.dir
  2⤵
  PID:1545
- /tmp/.rsync/b/stop
  ./stop
  2⤵
  PID:1546
- /bin/chmod
  chmod u+x sync
  2⤵
  PID:1547
- /bin/chmod
  chmod u+x stop
  2⤵
  PID:1548
- /bin/chmod
  chmod u+x ps
  2⤵
  PID:1549
- /bin/chmod
  chmod u+x run
  2⤵
  PID:1550
- /tmp/.rsync/b/run
  ./run
  2⤵
  PID:1551
- - /bin/sleep
    sleep 5
    3⤵
    PID:1553
- - /usr/bin/nohup
    nohup ./stop
    3⤵
    PID:1552
- - /tmp/.rsync/b/stop
    ./stop
    3⤵
    - Writes file to tmp directory
    PID:1552
  - - /usr/bin/killall
      killall -9 rsync
      4⤵
      PID:1554
  - - /usr/bin/killall
      killall -9 sync
      4⤵
      PID:1555
  - - /usr/bin/killall
      killall -9 perl
      4⤵
      Reads runtime system information
      PID:1556
  - - /usr/bin/killall
      killall -9 ps
      4⤵
      PID:1557
  - - /usr/bin/killall
      killall -9 pool
      4⤵
      Reads runtime system information
      PID:1558
  - - /usr/bin/killall
      killall -9 nginx
      4⤵
      PID:1559
  - - /usr/bin/killall
      killall -9 ecryptfs
      4⤵
      PID:1560
  - - /usr/bin/killall
      killall -9 xmr
      4⤵
      Reads runtime system information
      PID:1561
  - - /usr/bin/pkill
      pkill -9 ps
      4⤵
      Reads CPU attributes
      Reads runtime system information
      PID:1562
  - - /usr/bin/pkill
      pkill -9 pool
      4⤵
      Reads CPU attributes
      Reads runtime system information
      PID:1566
  - - /usr/bin/pkill
      pkill -9 nginx
      4⤵
      Reads CPU attributes
      Reads runtime system information
      PID:1567
  - - /usr/bin/pkill
      pkill -9 ecryptfs
      4⤵
      Reads CPU attributes
      Reads runtime system information
      PID:1568
  - - /usr/bin/pkill
      pkill -9 xmr
      4⤵
      Reads CPU attributes
      Reads runtime system information
      PID:1569
  - - /usr/bin/pkill
      pkill -9 sync
      4⤵
      Reads CPU attributes
      Reads runtime system information
      PID:1570
  - - /usr/bin/pkill
      pkill -9 rsync
      4⤵
      Reads CPU attributes
      Reads runtime system information
      PID:1624
  - - /usr/bin/pkill
      pkill -9 perl
      4⤵
      Reads CPU attributes
      Reads runtime system information
      PID:1625
  - - /usr/bin/pkill
      pkill -9 ps
      4⤵
      Reads CPU attributes
      Reads runtime system information
      PID:1626
  - - /bin/rm
      rm -rf .proc .out
      4⤵
      PID:1627
- - /usr/bin/perl
    perl
    3⤵
    - Changes its process name
    PID:1636
  - - /usr/local/sbin/uname
      uname -a
      4⤵
      PID:1637
  - - /usr/local/bin/uname
      uname -a
      4⤵
      PID:1637
  - - /usr/sbin/uname
      uname -a
      4⤵
      PID:1637
  - - /usr/bin/uname
      uname -a
      4⤵
      PID:1637
  - - /sbin/uname
      uname -a
      4⤵
      PID:1637
  - - /bin/uname
      uname -a
      4⤵
      PID:1637
- - /usr/bin/base64
    base64 --decode
    3⤵
    PID:1635
- - /usr/bin/perl
    perl
    3⤵
    - Changes its process name
    PID:1641
  - - /usr/local/sbin/uname
      uname -a
      4⤵
      PID:1642
  - - /usr/local/bin/uname
      uname -a
      4⤵
      PID:1642
  - - /usr/sbin/uname
      uname -a
      4⤵
      PID:1642
  - - /usr/bin/uname
      uname -a
      4⤵
      PID:1642
  - - /sbin/uname
      uname -a
      4⤵
      PID:1642
  - - /bin/uname
      uname -a
      4⤵
      PID:1642
- - /usr/bin/base64
    base64 --decode
    3⤵
    PID:1640

/usr/bin/awk
awk "{print \$1}"
1⤵
PID:1575

/bin/grep
grep -v grep
1⤵
PID:1574

/bin/grep
grep ps
1⤵
PID:1573

/bin/ps
ps x
1⤵
- Reads CPU attributes
- Reads runtime system information
PID:1572

/usr/bin/awk
awk "{print \$1}"
1⤵
PID:1580

/bin/grep
grep -v grep
1⤵
PID:1579

/bin/grep
grep sync
1⤵
PID:1578

/bin/ps
ps x
1⤵
- Reads CPU attributes
- Reads runtime system information
PID:1577

/usr/bin/awk
awk "{print \$1}"
1⤵
PID:1585

/bin/grep
grep -v grep
1⤵
PID:1584

/bin/grep
grep nginx
1⤵
PID:1583

/bin/ps
ps x
1⤵
- Reads CPU attributes
- Reads runtime system information
PID:1582

/usr/bin/awk
awk "{print \$1}"
1⤵
PID:1590

/bin/grep
grep -v grep
1⤵
PID:1589

/bin/grep
grep ecryptfs
1⤵
PID:1588

/bin/ps
ps x
1⤵
- Reads CPU attributes
- Reads runtime system information
PID:1587

/usr/bin/awk
awk "{print \$1}"
1⤵
PID:1595

/bin/grep
grep -v grep
1⤵
PID:1594

/bin/grep
grep xmr
1⤵
PID:1593

/bin/ps
ps x
1⤵
- Reads CPU attributes
- Reads runtime system information
PID:1592

/usr/bin/awk
awk "{print \$1}"
1⤵
PID:1600

/bin/grep
grep -v grep
1⤵
PID:1599

/bin/grep
grep perl
1⤵
PID:1598

/bin/ps
ps x
1⤵
- Reads CPU attributes
- Reads runtime system information
PID:1597

/usr/bin/awk
awk "{print \$1}"
1⤵
PID:1605

/bin/grep
grep -v grep
1⤵
PID:1604

/bin/grep
grep rsync
1⤵
PID:1603

/bin/ps
ps x
1⤵
- Reads CPU attributes
- Reads runtime system information
PID:1602

/usr/bin/awk
awk "{print \$2}"
1⤵
PID:1615

/bin/grep
grep rsync
1⤵
PID:1614

/bin/ps
ps -ef
1⤵
- Reads CPU attributes
- Reads runtime system information
PID:1613

/usr/bin/awk
awk "{print \$2}"
1⤵
PID:1619

/bin/grep
grep sync
1⤵
PID:1618

/bin/ps
ps -ef
1⤵
- Reads CPU attributes
- Reads runtime system information
PID:1617

/usr/bin/awk
awk "{print \$2}"
1⤵
PID:1623

/bin/grep
grep ps
1⤵
PID:1622

/bin/ps
ps -ef
1⤵
- Reads CPU attributes
- Reads runtime system information
PID:1621

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/.rsync/b/dir.dir

Filesize
14B

MD5
e21fb1889e57316ccbd97f98e1282a54

SHA1
ee8de521fb7ae11f81615ce31a45b5f7a79feee8

SHA256
8e0465a977658aca8fe06bec84742ed7c298db88cba64fc87de85409c6c909e8

SHA512
3ac5bf18363442ea8e4f478b2595a5e13199d80378c82f2ffeacb03cf64cf30c5e82c9a618d2a0f2d9d5386aeb1576e154e654eb20fc6967a43472f3f5047445

Download Submit
/tmp/.rsync/b/sync

Filesize
33B

MD5
a0eea5d0b1c4743cc7b8c798399581e0

SHA1
bf30ba5824c9ec612aa4654eb895e3cb738b4e18

SHA256
7602dd04cbfa214345d0ae0b2ee26ed6475ea4d9053575cb99e29b956f536d0e

SHA512
9e70bc0608f42b83712d5e2911d21e6ab627c830d0ae4b8fa5e0eeea6555bc4cce49d7fafdea28a1888b55b28461cab34153dee3746bc084c1e8a296f849d06f

Download Submit