105e32c8ef13d4d001923c1a43a8849d069fc4adebe48e5e6a9e726eb605ce31

Analysis

max time kernel
31s
platform
debian-9_mipsel
resource
debian9-mipsel-20240226-en
resource tags

arch:mipselimage:debian9-mipsel-20240226-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem
submitted
07-03-2024 18:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

.rsync/a/a
Size

2KB
MD5

b067abc476505eea79d2233ee3585626
SHA1

15f7c9af535f4390b14ba03ddb990c732212dde8
SHA256

ed9330e1594e73097dc6c8bf9f157de0d3799171a1967aaa43f9cd8629092f07
SHA512

95211823aadc69ca8145339188cf90094afb28948ec8729fd4e208fdb0bff4fa3a5435574a12c51618c87916e3ecccfa8c4621b4e6f26c8c42ec8dd13a285fab

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

ioc	pid	Process
/tmp/.rsync/a/upd	743	upd

Attempts to change immutable files 1 IoCs

Modifies inode attributes on the filesystem to allow changing of immutable files.

pid	Process
746	chattr

Enumerates running processes
Discovers information about currently running processes on the system

Reads CPU attributes 1 TTPs 13 IoCs

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	sysctl
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill

Enumerates kernel/hardware configuration 1 TTPs 1 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

T1082

description	ioc
File opened for reading	/sys/devices/system/node

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/522/status	ps
File opened for reading	/proc/12/cmdline	ps
File opened for reading	/proc/filesystems	killall
File opened for reading	/proc/21/stat	ps
File opened for reading	/proc/6/cmdline	pkill
File opened for reading	/proc/10/cmdline	pkill
File opened for reading	/proc/723/status	pkill
File opened for reading	/proc/703/cmdline	ps
File opened for reading	/proc/10/cmdline	pkill
File opened for reading	/proc/105/cmdline	ps
File opened for reading	/proc/70/status	ps
File opened for reading	/proc/72/status	ps
File opened for reading	/proc/21/stat	killall
File opened for reading	/proc/702/cmdline	pkill
File opened for reading	/proc/71/stat	killall
File opened for reading	/proc/16/status	ps
File opened for reading	/proc/383/status	pkill
File opened for reading	/proc/473/cmdline	pkill
File opened for reading	/proc/699/stat	killall
File opened for reading	/proc/115/status	ps
File opened for reading	/proc/744/status	pkill
File opened for reading	/proc/17/status	ps
File opened for reading	/proc/384/status	ps
File opened for reading	/proc/20/status	ps
File opened for reading	/proc/23/status	pkill
File opened for reading	/proc/13/stat	ps
File opened for reading	/proc/146/status	pkill
File opened for reading	/proc/2/cmdline	pkill
File opened for reading	/proc/21/status	pkill
File opened for reading	/proc/781/cmdline	ps
File opened for reading	/proc/24/cmdline	ps
File opened for reading	/proc/80/status	ps
File opened for reading	/proc/18/cmdline	pkill
File opened for reading	/proc/3/status	ps
File opened for reading	/proc/383/cmdline	ps
File opened for reading	/proc/744/cmdline	ps
File opened for reading	/proc/23/status	ps
File opened for reading	/proc/344/stat	killall
File opened for reading	/proc/699/stat	killall
File opened for reading	/proc/115/cmdline	pkill
File opened for reading	/proc/745/status	ps
File opened for reading	/proc/105/status	pkill
File opened for reading	/proc/702/cmdline	pkill
File opened for reading	/proc/10/status	ps
File opened for reading	/proc/5/stat	ps
File opened for reading	/proc/699/cmdline	pkill
File opened for reading	/proc/7/stat	killall
File opened for reading	/proc/116/status	pkill
File opened for reading	/proc/775/cmdline	ps
File opened for reading	/proc/77/status	ps
File opened for reading	/proc/76/cmdline	ps
File opened for reading	/proc/23/stat	killall
File opened for reading	/proc/6/status	ps
File opened for reading	/proc/74/status	pkill
File opened for reading	/proc/700/cmdline	pkill
File opened for reading	/proc/2/cmdline	ps
File opened for reading	/proc/13/cmdline	pkill
File opened for reading	/proc/14/status	pkill
File opened for reading	/proc/705/status	ps
File opened for reading	/proc/74/status	ps
File opened for reading	/proc/24/cmdline	pkill
File opened for reading	/proc/37/stat	ps
File opened for reading	/proc/70/cmdline	pkill
File opened for reading	/proc/105/cmdline	pkill

Writes file to tmp directory 5 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/.rsync/a/dir.dir	a
File opened for modification	/tmp/.rsync/a/upd	a
File opened for modification	/tmp/.rsync/a/.proc	stop
File opened for modification	/tmp/.rsync/a/dir.dir	run
File opened for modification	/tmp/.rsync/a/bash.pid	run

/tmp/.rsync/a/a
/tmp/.rsync/a/a
1⤵
- Writes file to tmp directory
PID:718
- /usr/bin/crontab
  crontab -r
  2⤵
  PID:720
- /bin/cat
  cat dir.dir
  2⤵
  PID:727
- /usr/bin/id
  id -u
  2⤵
  PID:729
- /sbin/modprobe
  modprobe msr "allow_writes=on"
  2⤵
  PID:730
- /bin/grep
  grep -E "AMD Ryzen|AMD EPYC" /proc/cpuinfo
  2⤵
  PID:731
- /bin/grep
  grep Intel /proc/cpuinfo
  2⤵
  PID:733
- /usr/bin/nproc
  nproc
  2⤵
  PID:735
- /sbin/sysctl
  sysctl -w "vm.nr_hugepages=1"
  2⤵
  - Reads CPU attributes
  PID:736
- /usr/bin/find
  find "/sys/devices/system/node/node*" -maxdepth 0 -type d
  2⤵
  PID:737
- /bin/chmod
  chmod u+x upd
  2⤵
  PID:739
- /bin/chmod
  chmod 777 a dir.dir init0 kswapd0 run stop upd
  2⤵
  PID:741
- /tmp/.rsync/a/upd
  ./upd
  2⤵
  - Executes dropped EXE
  PID:743
- - /tmp/.rsync/a/run
    ./run
    3⤵
    - Writes file to tmp directory
    PID:744
  - - /tmp/.rsync/a/stop
      ./stop
      4⤵
      Writes file to tmp directory
      PID:745
    - - /usr/bin/chattr
        
        chattr -ia "~/.xmrig.json"
        5⤵
        Attempts to change immutable files
        
        PID:746
    - - /bin/rm
        
        rm -rf "~/.xmrig.json"
        5⤵
        
        PID:747
    - - /usr/bin/pkill
        
        pkill -9 cron
        5⤵
        Reads CPU attributes
        Reads runtime system information
        
        PID:749
    - - /usr/bin/killall
        
        killall -9 cron
        5⤵
        Reads runtime system information
        
        PID:751
    - - /usr/bin/pkill
        
        pkill -9 kswapd0
        5⤵
        Reads CPU attributes
        Reads runtime system information
        
        PID:758
    - - /usr/bin/killall
        
        killall -9 kswapd0
        5⤵
        Reads runtime system information
        
        PID:759
    - - /usr/bin/pkill
        
        pkill -9 ld-linux
        5⤵
        Reads CPU attributes
        Reads runtime system information
        
        PID:765
    - - /usr/bin/killall
        
        killall -9 ld-linux
        5⤵
        Reads runtime system information
        
        PID:766
    - - /usr/bin/pkill
        
        pkill -9 Donald
        5⤵
        Reads CPU attributes
        Reads runtime system information
        
        PID:772
    - - /usr/bin/killall
        
        killall -9 Donald
        5⤵
        Reads runtime system information
        
        PID:773
    - - /usr/bin/pkill
        
        pkill -9 xmr
        5⤵
        Reads CPU attributes
        Reads runtime system information
        
        PID:779
    - - /usr/bin/killall
        
        killall -9 xmr
        5⤵
        
        PID:780
    - - /usr/bin/pkill
        
        pkill -9 xm64
        5⤵
        Reads CPU attributes
        Reads runtime system information
        
        PID:786
    - - /usr/bin/killall
        
        killall -9 xm64
        5⤵
        Reads runtime system information
        
        PID:787
    - - /bin/rm
        
        rm -rf .proc
        5⤵
        
        PID:793
  - - /bin/sleep
      sleep 10
      4⤵
      PID:794
  - - /bin/cat
      cat dir.dir
      4⤵
      PID:843
  - - /usr/bin/nohup
      nohup ./kswapd0
      4⤵
      PID:844

/bin/ps
ps x
1⤵
- Reads CPU attributes
- Reads runtime system information
PID:753

/bin/grep
grep cron
1⤵
PID:754

/bin/grep
grep -v grep
1⤵
PID:755

/usr/bin/awk
awk "{print \$1}"
1⤵
PID:756

/bin/ps
ps x
1⤵
- Reads CPU attributes
- Reads runtime system information
PID:761

/bin/grep
grep kswapd0
1⤵
PID:762

/bin/grep
grep -v grep
1⤵
PID:763

/usr/bin/awk
awk "{print \$1}"
1⤵
PID:764

/bin/ps
ps x
1⤵
- Reads CPU attributes
- Reads runtime system information
PID:768

/bin/grep
grep ld-linux
1⤵
PID:769

/bin/grep
grep -v grep
1⤵
PID:770

/usr/bin/awk
awk "{print \$1}"
1⤵
PID:771

/bin/ps
ps x
1⤵
- Reads CPU attributes
- Reads runtime system information
PID:775

/bin/grep
grep Donald
1⤵
PID:776

/bin/grep
grep -v grep
1⤵
PID:777

/usr/bin/awk
awk "{print \$1}"
1⤵
PID:778

/bin/ps
ps x
1⤵
- Reads CPU attributes
- Reads runtime system information
PID:782

/bin/grep
grep xmr
1⤵
PID:783

/bin/grep
grep -v grep
1⤵
PID:784

/usr/bin/awk
awk "{print \$1}"
1⤵
PID:785

/bin/ps
ps x
1⤵
- Reads CPU attributes
- Reads runtime system information
PID:789

/bin/grep
grep -v grep
1⤵
PID:791

/bin/grep
grep xm64
1⤵
PID:790

/usr/bin/awk
awk "{print \$1}"
1⤵
PID:792

/tmp/.rsync/a/kswapd0
./kswapd0
1⤵
PID:844

/bin/sh
/bin/sh ./kswapd0
1⤵
PID:844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/.rsync/a/bash.pid

Filesize
4B

MD5
1c24e269477c78656fc2ce806d34ba6f

SHA1
944a9a044188db7f7a2b3154e31e0b10d8c68774

SHA256
650fb46b422406b2b0fc89c674bfb4e6df41548629110322a00690ab39b37133

SHA512
1cdaab5fd2bbc64d43118b1fad861e79a92aaebebd0310c25fd4e052437314c5227abe7e2572429504941f3d5eb7aab4706929735ae99ff43ca90b107dec59a0

Download Submit
/tmp/.rsync/a/dir.dir

Filesize
14B

MD5
b3d878adcf4672bbd1f31cffac10c769

SHA1
ce5798837933ece35a7e26a0a3dc06cab19c6275

SHA256
ea5fce19c5fbbbc6c3c36eb9e8e295dfb525e9669aafaf8abe9ddb4e00e345c7

SHA512
019d21a618b3ccc70c0c7ede225cbbb704e2b448048586c44c74c81a747129da9f3f9675f2a29363af320d2684974a1ff00ac608c53de4458aeacd3ed4f9da2c

Download Submit
/tmp/.rsync/a/upd

Filesize
175B

MD5
a136fbe534c2487d3c89bd6a26847bd0

SHA1
11b9362ba79b67dd5d5baf7cf11e0003f049d6e0

SHA256
419a443ff93475ef3abb6e71e5a94e56aea8b7c1f1c4402b3662425815432d46

SHA512
85047cf9d22037d2581ae41275107b243c0bb3259b57fe46bd3fd04a1abe75a7fdeace8a9eae1fae31349a00183206b40259ab3957db8f4f16a79e67133485e9

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads