a2c3073fa5587f8a70d7def7fd8355e1f6d20eb906c3cd4df8c744826cb81d91

Analysis

max time kernel
149s
max time network
128s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240226-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240226-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
19-03-2024 02:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a2c3073fa5587f8a70d7def7fd8355e1f6d20eb906c3cd4df8c744826cb81d91.elf
Size

315KB
MD5

20b4ac6be041b72862e1645953a951eb
SHA1

dd5f99687aa953b422f27035b13398bcdf8e0401
SHA256

a2c3073fa5587f8a70d7def7fd8355e1f6d20eb906c3cd4df8c744826cb81d91
SHA512

406d15876963426ffc86fa03c931aea63a648ede53ff100c2d570ba3682b20c9ca3a8db6aef443a963f4247f422f83a847a44048fdbe46e59dc839a14372f33b
SSDEEP

6144:SQPczBa3vgEvQN9glnA1wcP5g2GQOO/3xsk0M1l3H99zZnI51z49Q:YBvEvqR1jPKQDZsB2l3H9w

Score

6^/10

persistence

Malware Config

Signatures

Modifies rc script 1 TTPs 1 IoCs

Adding/modifying system rc scripts is a common persistence mechanism.

persistence

Boot or Logon Autostart Execution

T1547

description	ioc
File opened for modification	/etc/rc.local

Modifies systemd 1 TTPs 1 IoCs

Adds/ modifies systemd service files. Likely to achieve persistence.

persistence

Boot or Logon Autostart Execution

T1547

description	ioc
File opened for modification	/lib/systemd/system/rc.local.service

Enumerates kernel/hardware configuration 1 TTPs 2 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/firmware/dmi/tables/smbios_entry_point	dmidecode
File opened for reading	/sys/firmware/dmi/tables/DMI	dmidecode

Reads runtime system information 1 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/version	cat

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/a2c3073fa5587f8a70d7def7fd8355e1f6d20eb906c3cd4df8c744826cb81d91.elf	touch

/tmp/a2c3073fa5587f8a70d7def7fd8355e1f6d20eb906c3cd4df8c744826cb81d91.elf
/tmp/a2c3073fa5587f8a70d7def7fd8355e1f6d20eb906c3cd4df8c744826cb81d91.elf
1⤵
PID:1529

/bin/sh
sh -c "cat /proc/version 2>&1"
1⤵
PID:1531
- /bin/cat
  cat /proc/version
  2⤵
  - Reads runtime system information
  PID:1532

/bin/sh
sh -c "chmod 777 /etc/rc.local"
1⤵
PID:1533
- /bin/chmod
  chmod 777 /etc/rc.local
  2⤵
  PID:1534

/bin/sh
sh -c "/tmp/a2c3073fa5587f8a70d7def7fd8355e1f6d20eb906c3cd4df8c744826cb81d91.elf d 1530"
1⤵
PID:1535
- /tmp/a2c3073fa5587f8a70d7def7fd8355e1f6d20eb906c3cd4df8c744826cb81d91.elf
  /tmp/a2c3073fa5587f8a70d7def7fd8355e1f6d20eb906c3cd4df8c744826cb81d91.elf d 1530
  2⤵
  PID:1536
- - /bin/sh
    sh -c "touch -d \"2010-09-08 12:23:02\" /tmp/a2c3073fa5587f8a70d7def7fd8355e1f6d20eb906c3cd4df8c744826cb81d91.elf"
    3⤵
    PID:1537
  - - /usr/bin/touch
      touch -d "2010-09-08 12:23:02" /tmp/a2c3073fa5587f8a70d7def7fd8355e1f6d20eb906c3cd4df8c744826cb81d91.elf
      4⤵
      Writes file to tmp directory
      PID:1538
- - /bin/sh
    sh -c "ifconfig 2>&1"
    3⤵
    PID:1539
- - /bin/sh
    sh -c "ip a 2>&1"
    3⤵
    PID:1540
  - - /sbin/ip
      ip a
      4⤵
      PID:1541
- - /bin/sh
    sh -c "dmidecode 2>&1"
    3⤵
    PID:1542
  - - /usr/sbin/dmidecode
      dmidecode
      4⤵
      Enumerates kernel/hardware configuration
      PID:1543
- - /bin/sh
    sh -c "touch -d \"2010-09-08 12:23:02\" /etc/.netc.conf"
    3⤵
    PID:1544
  - - /usr/bin/touch
      touch -d "2010-09-08 12:23:02" /etc/.netc.conf
      4⤵
      PID:1545
- - /bin/sh
    sh -c "cat /etc/issue 2>&1"
    3⤵
    PID:1546
  - - /bin/cat
      cat /etc/issue
      4⤵
      PID:1547
- - /bin/sh
    sh -c "getconf LONG_BIT 2>&1"
    3⤵
    PID:1548
  - - /usr/bin/getconf
      getconf LONG_BIT
      4⤵
      PID:1549

/bin/sh
sh -c "who 2>&1"
1⤵
PID:1556
- /usr/bin/who
  who
  2⤵
  PID:1557

/bin/sh
sh -c "who 2>&1"
1⤵
PID:1563
- /usr/bin/who
  who
  2⤵
  PID:1564

/bin/sh
sh -c "who 2>&1"
1⤵
PID:1565
- /usr/bin/who
  who
  2⤵
  PID:1566

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/.netc.conf

Filesize
72B

MD5
539d680a3da4320920e3789f797a1781

SHA1
408b952bac99d9f0df4a77529c0a32c5d13b6598

SHA256
638054c2c4b72ba97772c20bf9238cb7e59ef3ef0885bd88a7da8ad98622ba09

SHA512
b118171091849cf56e92b287f99c4e962b619df4ffbe270a2963c2782029bd11f04b3e8071acd29b5e450c3d47eb1195deefb7220779e15bd401df4d288d8bbe

Download Submit
/etc/rc.local

Filesize
93B

MD5
d0596ace429e5243334c255904235290

SHA1
c6272970566a22f991d742e85f506ad111d32d2a

SHA256
0f389a6aee69ef1d4881f07860a9ade11e3a48ca004124cc0f058b76cc17a86b

SHA512
ac58622b4b7630fa1fdac1964b28e74cdfe357d6ad604883964fe4d0b7d6639df0a7346ae61ec4d1127e12f9ec936bcef550ad3cd2694138dc61fdaa19c27986

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads