Overview

overview

8

Static

static

1

9100bc0eb0...d0.elf

ubuntu-18.04-amd64

8

Analysis

  • max time kernel
    1s
  • max time network
    130s
  • platform
    ubuntu-18.04_amd64
  • resource
    ubuntu1804-amd64-20240226-en
  • resource tags

    arch:amd64arch:i386image:ubuntu1804-amd64-20240226-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
  • submitted
    16-03-2024 02:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9100bc0eb0bce4f5f7fc314fa820b4dee00db8d31892ec6fdb4fccca801a40d0.elf

  • Size

    2.7MB

  • MD5

    9e0d1124dae07a104dcb93b2e27e8ddc

  • SHA1

    c310ec9924e2371402e8d3df66624a126a673996

  • SHA256

    9100bc0eb0bce4f5f7fc314fa820b4dee00db8d31892ec6fdb4fccca801a40d0

  • SHA512

    755fd513c180c1f803d437caf90c06ed7dbf521c0440941cbd028f134b4eda41772d97ff19e13a234c6e99c32661c1ca68aa5c5a7c43964e04ff0631221e4aba

  • SSDEEP

    49152:icuP/zBmSnI8WX/Pjoc53lvzjbOzcWn52bPT:ruPb0n3jRVvzwpM

Score
8/10
persistence

Malware Config

Signatures

  • Modifies password files for system users/ groups 4 IoCs

    Modifies files storing password hashes of existing users/ groups, likely to grant additional privileges.

  • Adds a user to the system 1 IoCs
  • Creates/modifies environment variables 1 TTPs 2 IoCs

    Creating/modifying environment variables is a common persistence mechanism.

    persistence
  • Modifies Bash startup script 1 TTPs 2 IoCs
    persistence
  • Creates .desktop file 1 TTPs 1 IoCs

    Linux desktops like GNOME require .desktop files to register applications. Sometimes abused by malware for persistence.

    persistence
  • Enumerates kernel/hardware configuration 1 TTPs 1 IoCs

    Reads contents of /sys virtual filesystem to enumerate system information.

  • Reads runtime system information 6 IoCs

    Reads data from /proc virtual filesystem.

Processes

  • /tmp/9100bc0eb0bce4f5f7fc314fa820b4dee00db8d31892ec6fdb4fccca801a40d0.elf
    /tmp/9100bc0eb0bce4f5f7fc314fa820b4dee00db8d31892ec6fdb4fccca801a40d0.elf
    1⤵
    • Enumerates kernel/hardware configuration
    PID:1547
    • /usr/bin/openssl
      openssl passwd -6 NyckHBWZbdsv
      2⤵
        PID:1551
      • /usr/bin/sudo
        sudo useradd -m -p "\$6\$twLSAHdAoN3i//ei\$pQKrj748bTu8vrhFhi7twmhB4CkO9D56Z3bmq79ME8dTUj/PR6v7KxVWJoHh8V0RBugQ4GfIeGRStxa8nUulE1" -G sudo C2UK0JFl
        2⤵
        • Reads runtime system information
        PID:1552
        • /usr/sbin/useradd
          useradd -m -p "\$6\$twLSAHdAoN3i//ei\$pQKrj748bTu8vrhFhi7twmhB4CkO9D56Z3bmq79ME8dTUj/PR6v7KxVWJoHh8V0RBugQ4GfIeGRStxa8nUulE1" -G sudo C2UK0JFl
          3⤵
          • Modifies password files for system users/ groups
          • Adds a user to the system
          • Creates/modifies environment variables
          • Modifies Bash startup script
          • Creates .desktop file
          • Reads runtime system information
          PID:1553
          • /usr/sbin/nscd
            nscd -i passwd
            4⤵
              PID:1554
            • /usr/sbin/nscd
              nscd -i group
              4⤵
                PID:1555
              • /sbin/pam_tally2
                pam_tally2 --user C2UK0JFl --reset --quiet
                4⤵
                  PID:1556
                • /usr/sbin/nscd
                  nscd -i passwd
                  4⤵
                    PID:1557
                  • /usr/sbin/nscd
                    nscd -i group
                    4⤵
                      PID:1558

              Network

              MITRE ATT&CK Matrix ATT&CK v13

              Initial Access

              Execution

              User Execution

              1
              T1204

              Persistence

              Hijack Execution Flow

              1
              T1574

              Boot or Logon Autostart Execution

              1
              T1547

              Privilege Escalation

              Hijack Execution Flow

              1
              T1574

              Boot or Logon Autostart Execution

              1
              T1547

              Defense Evasion

              Hijack Execution Flow

              1
              T1574

              Credential Access

              Discovery

              System Information Discovery

              1
              T1082

              Lateral Movement

              Collection

              Exfiltration

              Command and Control

              Impact

              Resource Development

              Reconnaissance

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • /etc/group+
                Filesize

                942B

                MD5

                096bf12b8d9d2ab27b22340230ce92e0

                SHA1

                d6abbbf9305f9072235d306176e3312af26b66b3

                SHA256

                6c7ac2b057338b14a9fd7e131b6af1dea060c26646c325f6071f0b694bbe231c

                SHA512

                07503685ccc0314d141d0a3bc0572804185d9a6c6dd736a26b3fb7c13172ce8a2e9a75b2de86d0da7409634283c102b5c4d0776bd1bbad1370ed05ee7aca324d

                Download Submit
              • /etc/gshadow+
                Filesize

                784B

                MD5

                654766f924c710d97c87064bf744edad

                SHA1

                0a296cbb5f614eba74ec954e4f967a6a240d70c3

                SHA256

                b1f9d8f50be29c928d2ba7fcb79d4afc547a1e2c66859920f1671471f2ae677e

                SHA512

                1bdefb9305965e4c31104702b46bc395890a780b78311fdacbffb890544cbe74165b928aca382049f50cbfc31e0bfb51e8dfa6e6c906575efafd8da29365b82c

                Download Submit
              • /etc/passwd+
                Filesize

                2KB

                MD5

                58393251d0f89a8c1818134f92fb83d7

                SHA1

                711000eddb0ded9f3951e438bf8f38b706d6eec0

                SHA256

                af73e804bd2b5bab60735735d25e8fa3e88527ea806d4c06b353e835711e4012

                SHA512

                7ec0908955a432665284997559b292854589a7bef3445c858c59b2750d440fdca7ae1eb24c1a2df9abf2832eb7ef635309311f4a6b93ace3bf8c6633b340835a

                Download Submit
              • /etc/shadow+
                Filesize

                1KB

                MD5

                feb8f156f9a393378e5f5eac510f02c1

                SHA1

                48faa1f5f9400a2bdab48b2fc3aa93ad528c2d5b

                SHA256

                924c13eb611c6ed94b3bcd2e3a93a5698f73f1e7294588176e96b8f3d02b6a5a

                SHA512

                bfdc3768332cab3dbb2ca28bcd366f01dad5760ac0b1486822ef033b138a053d61a75458fa30c674d2fb9df8665f4476ff7f9664170aa7207d73879b6af840e0

                Download Submit
              • /etc/subuid+
                Filesize

                40B

                MD5

                d27a348b91de4d21afaf8adb4ed033cd

                SHA1

                5e7a0a1ab83a7414765df87b034361d7926e0ecf

                SHA256

                655e6281715071f005005b17c0285c21fe5c8a69f269e729fd5e7390d1a9430b

                SHA512

                cdabaa42c75c5e86673f97dba3a5eae18da1bbfae014db4ebb26afeabefcbdc670a29fd0e8b6c6394c981c7ef324d0e2895e0978f20446964fba5a4447cb0bb6

                Download Submit
              • /home/C2UK0JFl/.bash_logout
                Filesize

                220B

                MD5

                22bfb8c1dd94b5f3813a2b25da67463f

                SHA1

                dc216ac4a4c232815731979db6e494f315b507dd

                SHA256

                26882b79471c25f945c970f8233d8ce29d54e9d5eedcd2884f88affa84a18f56

                SHA512

                c3d739f4934824d81f561c9b626b494e3c256b5a97642667882632db030fc1a8c7d23eb1ae5db7e9f63ae46ee84dbee69d15130dd1482a2c1e8aade1dfc545a2

                Download Submit
              • /home/C2UK0JFl/.bashrc
                Filesize

                3KB

                MD5

                1f98b8f3f3c8f8927eca945d59dcc1c6

                SHA1

                c4d853993e323432cb84359de2c319b9a767b729

                SHA256

                342099da4dd28c394d3f8782d90d7465cb2eaa611193f8f378d6918261cb9bb8

                SHA512

                33bb97936e54fe797b5046ece9c04313306fdc1470c959593f5cc2c641066372f2aee759db3a1bf45470b10c98ca964388172ded77eacaf2500e428d4f00331f

                Download Submit
              • /home/C2UK0JFl/.profile
                Filesize

                807B

                MD5

                f4e81ade7d6f9fb342541152d08e7a97

                SHA1

                2b9ee6d446f8f9ffccaab42b6df5649f749a9a07

                SHA256

                28b4a453b68dde64f814e94bab14ee651f4f162e15dd9920490aa1d49f05d2a4

                SHA512

                26544e0b85ca6d7cca3b8ace7d01f712e24020f07b6a6ad54a6942909040221f09bf922a4d0da555ce64ceebb4934b28719a23a0e6401337a69d4a0170bd8e4c

                Download Submit
              • /home/C2UK0JFl/examples.desktop
                Filesize

                8KB

                MD5

                189e725f4587b679740f0f7783745056

                SHA1

                a64e9fede92c55932ce82d77891f77a1f015a9f1

                SHA256

                913b87897ffb6dca07e9f17e280aa8ecb9886dffeda8a15efeafec11dec0d108

                SHA512

                6735821e976fecfaad9bfd35d4669373f396055a88fdabbc68bea9066fb7d05ebb249a25490148b681b499fbfc6e502077a659c5e562fa9e0d7fbe90de8c449d

                Download Submit