Analysis

  • max time kernel
    21s
  • platform
    debian-9_armhf
  • resource
    debian9-armhf-20240226-en
  • resource tags

    arch:armhf
    image:debian9-armhf-20240226-en
    kernel:4.9.0-13-armmp-lpae
    locale:en-us
    os:debian-9-armhf
    system
  • submitted
    19/03/2024, 00:44

General

  • Target

    .rsync/c/start

  • Size

    203B

  • MD5

    ffd387bdf3adab8969941693d3a86ee7

  • SHA1

    3f49c18c7cdcf808882dfd8ca5271e361aaeea00

  • SHA256

    9dbbc9b5d7793425968e42e995226c5f9fe32e502a0a694320a5e838d57c8836

  • SHA512

    e633aecfcb41582bf37d7dbcd0b9423872a4ee99e7049e8a80b23e4ae559444321fb1522690fdd78ad20f6b520bcfa185425216012cedd2ed38ad7d884fb3322

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Checks CPU configuration 1 TTPs 1 IoCs

    Reads CPU information (/proc/cpuinfo) that can indicate whether the system is a virtual machine.

  • Writes file to tmp directory 3 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/.rsync/c/start
    /tmp/.rsync/c/start
    1⤵
    • Writes file to tmp directory
    PID:656
      • /bin/cat
        cat dir.dir
        2⤵
        PID:658
      • /bin/chmod
        chmod 777 dir.dir go lib run slow start tsm tsm32 tsm64 watchdog
        2⤵
        PID:662
      • /bin/rm
        rm -rf n
        2⤵
        PID:663
      • /bin/chmod
        chmod u+x aptitude
        2⤵
        PID:665
      • /bin/chmod
        chmod 777 aptitude dir.dir go lib n run slow start tsm tsm32 tsm64 watchdog
        2⤵
        PID:666
  • /tmp/.rsync/c/aptitude
    ./aptitude
    1⤵
    • Executes dropped EXE
    PID:668
  • /tmp/.rsync/c/run
    ./run
    1⤵
    PID:669
      • /bin/sleep
        sleep 15
        2⤵
        PID:677
      • /tmp/.rsync/c/stop
        ./stop
        2⤵
        PID:756
      • /bin/sleep
        sleep 3
        2⤵
        PID:757
      • /bin/sleep
        sleep 199
        2⤵
        PID:758
  • /bin/grep
    grep model
    1⤵
    PID:673
  • /bin/grep
    grep name
    1⤵
    PID:674
  • /bin/cat
    cat /proc/cpuinfo
    1⤵
    • Checks CPU configuration
    PID:672
  • /usr/bin/wc
    wc -l
    1⤵
    PID:675
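
The process tree and the Downloads list below are enough to do a first triage pass offline. The following script is an added example, not part of the report and not code from the sample: it transcribes the tree above (depth, PID, image, command line) and the MD5/SHA256 values from the Downloads section, rebuilds parent/child links from the 1⤵/2⤵ depth markers, applies a handful of heuristics that are this example's own assumptions (execution from /tmp, chmod 777/u+x on dropped files, rm -rf, reading /proc/cpuinfo, sleeps longer than the 21 s kernel run), lists which files the sample chmod'ed but the sandbox never captured, and checks whether the two-byte file n is simply "1" followed by a newline by hashing that string and comparing it with the report's digests.

```python
import hashlib
import os

# Process tree transcribed from the report: (depth, pid, image, command line).
# Depth 1 is top level; depth 2 is a child of the nearest preceding depth-1
# entry, mirroring the report's 1⤵ / 2⤵ markers.
PROCESSES = [
    (1, 656, "/tmp/.rsync/c/start", "/tmp/.rsync/c/start"),
    (2, 658, "/bin/cat", "cat dir.dir"),
    (2, 662, "/bin/chmod", "chmod 777 dir.dir go lib run slow start tsm tsm32 tsm64 watchdog"),
    (2, 663, "/bin/rm", "rm -rf n"),
    (2, 665, "/bin/chmod", "chmod u+x aptitude"),
    (2, 666, "/bin/chmod", "chmod 777 aptitude dir.dir go lib n run slow start tsm tsm32 tsm64 watchdog"),
    (1, 668, "/tmp/.rsync/c/aptitude", "./aptitude"),
    (1, 669, "/tmp/.rsync/c/run", "./run"),
    (2, 677, "/bin/sleep", "sleep 15"),
    (2, 756, "/tmp/.rsync/c/stop", "./stop"),
    (2, 757, "/bin/sleep", "sleep 3"),
    (2, 758, "/bin/sleep", "sleep 199"),
    (1, 673, "/bin/grep", "grep model"),
    (1, 674, "/bin/grep", "grep name"),
    (1, 672, "/bin/cat", "cat /proc/cpuinfo"),
    (1, 675, "/usr/bin/wc", "wc -l"),
]

# (MD5, SHA256) of the three files the report lists under Downloads.
DROPPED = {
    "/tmp/.rsync/c/aptitude": ("7fe1e0b056286ea25cf04692f1013053",
                               "24ffdaa80dc543f1cf68e35f0977096e4cc20ca05245008366a3d24dc9bbe31e"),
    "/tmp/.rsync/c/dir.dir": ("d05965cfc0c0565553560b8b7b333278",
                              "3a8d06d954d378e5e7dccb826ba19b974c3c7a040e32fd7f2d7e3e92ae11e936"),
    "/tmp/.rsync/c/n": ("b026324c6904b2a9cb4b88d6d61c81d1",
                        "4355a46b19d348dc2f57c046f8ef63d4538ebb936000f3c9ee954a27460dd865"),
}

SANDBOX_RUNTIME_S = 21  # "max time kernel" from the report header


def parent_map(processes):
    """Return {pid: parent_pid} reconstructed from the depth markers (None = top level)."""
    parents, last_at_depth = {}, {}
    for depth, pid, _image, _cmd in processes:
        parents[pid] = last_at_depth.get(depth - 1)
        last_at_depth[depth] = pid
    return parents


def tmp_lineage(processes):
    """PIDs whose own image, or any ancestor's image, lives under /tmp."""
    parents = parent_map(processes)
    image = {pid: img for _depth, pid, img, _cmd in processes}
    tainted = set()
    for pid in image:
        cur = pid
        while cur is not None:
            if image[cur].startswith("/tmp/"):
                tainted.add(pid)
                break
            cur = parents[cur]
    return tainted


def triage(processes):
    """Per-PID findings. The rules are this example's heuristics, not the sandbox's."""
    findings = {}
    for _depth, pid, image, cmd in processes:
        argv = cmd.split()
        hits = []
        if image.startswith("/tmp/"):
            hits.append("executes from /tmp")
        if argv[0] == "chmod" and argv[1] in ("777", "u+x"):
            hits.append("marks dropped files executable")
        if argv[0] == "rm" and "-rf" in argv:
            hits.append("deletes dropped file")
        if argv[0] == "cat" and "/proc/cpuinfo" in argv:
            hits.append("reads /proc/cpuinfo (CPU enumeration, flagged by the sandbox as a VM check)")
        if argv[0] == "sleep" and int(argv[1]) >= SANDBOX_RUNTIME_S:
            hits.append("sleep outlives the sandbox run")
        if hits:
            findings[pid] = hits
    return findings


def chmod_targets(processes):
    """Every file name the sample chmod'ed: its working set inside /tmp/.rsync/c."""
    names = set()
    for _depth, _pid, _image, cmd in processes:
        argv = cmd.split()
        if argv[0] == "chmod":
            names.update(argv[2:])
    return names


def not_in_downloads(processes, dropped):
    """Working-set files that the sandbox did not capture under Downloads."""
    captured = {os.path.basename(path) for path in dropped}
    return chmod_targets(processes) - captured


def digests(content):
    """(MD5, SHA256) hex digests of a byte string, in the report's order."""
    return hashlib.md5(content).hexdigest(), hashlib.sha256(content).hexdigest()


def n_is_one_newline():
    """True if the 2-byte file n is exactly "1" plus a newline (what `echo 1 > n` writes)."""
    return digests(b"1\n") == DROPPED["/tmp/.rsync/c/n"]


if __name__ == "__main__":
    for pid, hits in sorted(triage(PROCESSES).items()):
        print(pid, "; ".join(hits))
    print("not captured under Downloads:", sorted(not_in_downloads(PROCESSES, DROPPED)))
    print("n is '1\\n':", n_is_one_newline())
```

Two caveats the script makes visible. First, the chmod lines name twelve files but only aptitude, dir.dir and n appear under Downloads (matching the "Writes file to tmp directory 3 IoCs" signature): go, lib, run, slow, start, tsm, tsm32, tsm64 and watchdog, plus the stop script that run executes, were already present in /tmp/.rsync/c and are not captured here, so the submitted start script is only the launcher for a kit whose payloads this report does not contain. Second, the run lasted 21 s, so sleep 199 under ./run never returned and whatever run does after it was not observed; likewise cat /proc/cpuinfo, grep model, grep name and wc -l (PIDs 672 to 675) read as one shell pipeline counting "model name" lines, i.e. CPU cores, but the report records no parent for them, so which script issued it is not shown.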

Network

MITRE ATT&CK Enterprise v15


Downloads

  • /tmp/.rsync/c/aptitude

    Filesize

    45B

    MD5

    7fe1e0b056286ea25cf04692f1013053

    SHA1

    a99584a99ef59d1a707707c96ac5f64681acee29

    SHA256

    24ffdaa80dc543f1cf68e35f0977096e4cc20ca05245008366a3d24dc9bbe31e

    SHA512

    d5b1882907e26060a78d4181ccd1b4d980e8f7bd9b7ec5acc9865b620df76247f1822eb987c8e64fd9a58433915618a6245c2ee808bb29d37e3f5920d88d7608

  • /tmp/.rsync/c/dir.dir

    Filesize

    14B

    MD5

    d05965cfc0c0565553560b8b7b333278

    SHA1

    70244a712971c4f69dee8ca87e8d42e4c233c420

    SHA256

    3a8d06d954d378e5e7dccb826ba19b974c3c7a040e32fd7f2d7e3e92ae11e936

    SHA512

    314a511cc21bfc5db9081b85f3316658e0df761c03219e84d1e1430137018c54cf30a994254b03fd89076a98026958225c61ebf0522e61715184d83709e3fa6e

  • /tmp/.rsync/c/n

    Filesize

    2B

    MD5

    b026324c6904b2a9cb4b88d6d61c81d1

    SHA1

    e5fa44f2b31c1fb553b6021e7360d07d5d91ff5e

    SHA256

    4355a46b19d348dc2f57c046f8ef63d4538ebb936000f3c9ee954a27460dd865

    SHA512

    3abb6677af34ac57c0ca5828fd94f9d886c26ce59a8ce60ecf6778079423dccff1d6f19cb655805d56098e6d38a1a710dee59523eed7511e5a9e4b8ccb3a4686