Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    debian-9_armhf
  • resource
    debian9-armhf-20240226-en
  • resource tags
    arch:armhf
    image:debian9-armhf-20240226-en
    kernel:4.9.0-13-armmp-lpae
    locale:en-us
    os:debian-9-armhf
    system
  • submitted
    07-03-2024 18:02

General

  • Target

    .rsync/b/run

  • Size

    72KB

  • MD5

    6ab073e5a6183bcef1d5262a9616ebfe

  • SHA1

    f6ffce31ffff78c28c3485255571459fce17a09e

  • SHA256

    d7a659b2af55a17679e84654ba42d483a0cf5a9e237c7dd5a1dc1976678fa542

  • SHA512

    884ff3c43ec10010b368c03696cbcc47fa9f84ca18658bb20ebdefd82282079027096526561db71cdac38c905d730fa02925294e864128f3be237e307ea1235b

  • SSDEEP

    768:Erk30DgUjDjpk88P1HkEssrOZOHVeu0BlGc67Bkezl5DTwHpohGTW2Zi+GvMKRa7:EfbpT8PqfZOHV2lyG6dkLpUqE3VuQz7a

Score
7/10

Malware Config

Signatures

  • Changes its process name 2 IoCs

Processes

  • /tmp/.rsync/b/run
    /tmp/.rsync/b/run
    1⤵
      PID:676
      • /usr/bin/nohup
        nohup ./stop
        2⤵
          PID:678
      • /bin/sleep
        sleep 5
        2⤵
          PID:679
      • /tmp/.rsync/b/stop
        ./stop
        2⤵
          PID:678
      • /usr/bin/base64
        base64 --decode
        2⤵
          PID:733
      • /usr/bin/perl
        perl
        2⤵
          • Changes its process name
          PID:734
          • /usr/local/sbin/uname
            uname -a
            3⤵
              PID:742
          • /usr/local/bin/uname
            uname -a
            3⤵
              PID:742
          • /usr/sbin/uname
            uname -a
            3⤵
              PID:742
          • /usr/bin/uname
            uname -a
            3⤵
              PID:742
          • /sbin/uname
            uname -a
            3⤵
              PID:742
          • /bin/uname
            uname -a
            3⤵
              PID:742
      • /usr/bin/base64
        base64 --decode
        2⤵
          PID:746
      • /usr/bin/perl
        perl
        2⤵
          • Changes its process name
          PID:747
          • /usr/local/sbin/uname
            uname -a
            3⤵
              PID:754
          • /usr/local/bin/uname
            uname -a
            3⤵
              PID:754
          • /usr/sbin/uname
            uname -a
            3⤵
              PID:754
          • /usr/bin/uname
            uname -a
            3⤵
              PID:754
          • /sbin/uname
            uname -a
            3⤵
              PID:754
          • /bin/uname
            uname -a
            3⤵
              PID:754

Network

MITRE ATT&CK Matrix
