105e32c8ef13d4d001923c1a43a8849d069fc4adebe48e5e6a9e726eb605ce31

Analysis

max time kernel
9s
max time network
481s
platform
ubuntu-20.04_amd64
resource
ubuntu2004-amd64-20240221-en
resource tags

arch:amd64arch:i386image:ubuntu2004-amd64-20240221-enkernel:5.4.0-169-genericlocale:en-usos:ubuntu-20.04-amd64system
submitted
15-04-2024 16:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

.rsync/c/stop
Size

1KB
MD5

94724fcd5b10cefc760d556779a95c75
SHA1

c14a7f5117c04e943b1095d42e5ee4541256c7ee
SHA256

0d72d5059120530da9594adae05739cbf9a830bfc7e82409b5efddea64f27f03
SHA512

e3f17e68ed7c422897680b3e8ca00748af9cdf0d94377cf925164fda5248e9edf9d6888de4205780c8983287526dafed9bc2c6959983736ca119f0b4748d7da5

Score

6^/10

Malware Config

Signatures

Enumerates running processes
Discovers information about currently running processes on the system

Reads CPU attributes 1 TTPs 21 IoCs

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/74/status	ps
File opened for reading	/proc/534/status	ps
File opened for reading	/proc/816/status	ps
File opened for reading	/proc/1215/status	pkill
File opened for reading	/proc/1404/status	pkill
File opened for reading	/proc/1487/stat	ps
File opened for reading	/proc/170/stat	killall
File opened for reading	/proc/670/status	ps
File opened for reading	/proc/500/stat	ps
File opened for reading	/proc/1423/cmdline	pkill
File opened for reading	/proc/1581/cmdline	pkill
File opened for reading	/proc/579/status	ps
File opened for reading	/proc/1114/status	ps
File opened for reading	/proc/81/status	ps
File opened for reading	/proc/7/status	pkill
File opened for reading	/proc/688/stat	killall
File opened for reading	/proc/20/cmdline	ps
File opened for reading	/proc/20/status	pkill
File opened for reading	/proc/616/stat	ps
File opened for reading	/proc/1094/status	ps
File opened for reading	/proc/901/cmdline	pkill
File opened for reading	/proc/1415/status	pkill
File opened for reading	/proc/16/stat	ps
File opened for reading	/proc/1388/stat	ps
File opened for reading	/proc/532/stat	ps
File opened for reading	/proc/621/stat	ps
File opened for reading	/proc/588/status	pkill
File opened for reading	/proc/492/cmdline	pkill
File opened for reading	/proc/452/cmdline	pkill
File opened for reading	/proc/172/status	ps
File opened for reading	/proc/176/stat	killall
File opened for reading	/proc/172/status	pkill
File opened for reading	/proc/171/status	ps
File opened for reading	/proc/84/status	ps
File opened for reading	/proc/688/cmdline	ps
File opened for reading	/proc/14/cmdline	pkill
File opened for reading	/proc/174/cmdline	pkill
File opened for reading	/proc/75/cmdline	pkill
File opened for reading	/proc/79/cmdline	pkill
File opened for reading	/proc/613/cmdline	ps
File opened for reading	/proc/163/cmdline	ps
File opened for reading	/proc/3/cmdline	ps
File opened for reading	/proc/471/cmdline	pkill
File opened for reading	/proc/1413/status	pkill
File opened for reading	/proc/21/cmdline	pkill
File opened for reading	/proc/84/stat	killall
File opened for reading	/proc/930/cmdline	pkill
File opened for reading	/proc/1036/cmdline	pkill
File opened for reading	/proc/22/status	ps
File opened for reading	/proc/75/status	ps
File opened for reading	/proc/71/status	pkill
File opened for reading	/proc/172/cmdline	ps
File opened for reading	/proc/85/cmdline	ps
File opened for reading	/proc/1040/status	pkill
File opened for reading	/proc/21/stat	killall
File opened for reading	/proc/613/stat	killall
File opened for reading	/proc/976/stat	killall
File opened for reading	/proc/1146/status	ps
File opened for reading	/proc/171/cmdline	ps
File opened for reading	/proc/497/cmdline	ps
File opened for reading	/proc/79/stat	killall
File opened for reading	/proc/19/cmdline	ps
File opened for reading	/proc/445/cmdline	pkill
File opened for reading	/proc/10/status	pkill

Writes file to tmp directory 2 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/.rsync/c/.out	stop
File opened for modification	/tmp/.rsync/c/.proc	stop

/tmp/.rsync/c/stop
/tmp/.rsync/c/stop
1⤵
- Writes file to tmp directory
PID:1478
- /usr/bin/killall
  killall -9 go
  2⤵
  - Reads runtime system information
  PID:1479
- /usr/bin/pkill
  pkill -9 go
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1483
- /usr/bin/pkill
  pkill -9 httpd
  2⤵
  - Reads CPU attributes
  PID:1484
- /usr/bin/killall
  killall -9 tsm
  2⤵
  - Reads runtime system information
  PID:1490
- /usr/bin/killall
  killall -9 blitz
  2⤵
  - Reads runtime system information
  PID:1491
- /usr/bin/killall
  killall -9 httpd
  2⤵
  - Reads runtime system information
  PID:1492
- /usr/bin/killall
  killall -9 /usr/sbin/http
  2⤵
  PID:1493
- /usr/bin/killall
  killall -9 flash
  2⤵
  - Reads runtime system information
  PID:1494
- /usr/bin/pkill
  pkill -9 flash
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1495
- /usr/bin/pkill
  pkill -9 watch
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1496
- /usr/bin/killall
  killall -9 wget
  2⤵
  - Reads runtime system information
  PID:1535
- /usr/bin/pkill
  pkill -9 http
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1545
- /usr/bin/pkill
  pkill -9 watch
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1554
- /usr/bin/pkill
  pkill -9 tsm
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1561
- /usr/bin/pkill
  pkill -9 blitz
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1564
- /usr/bin/pkill
  pkill -9 httpd
  2⤵
  - Reads CPU attributes
  PID:1565
- /usr/bin/pkill
  pkill -9 go
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1577
- /usr/bin/pkill
  pkill -9 ld-2.23
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1581
- /usr/bin/pkill
  pkill -9 netstat
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1582
- /usr/bin/rm
  rm -rf .proc .out
  2⤵
  PID:1583
- /usr/bin/sleep
  sleep 5
  2⤵
  PID:1584

/usr/bin/ps
ps x
1⤵
- Reads CPU attributes
- Reads runtime system information
PID:1486

/usr/bin/grep
grep -v grep
1⤵
PID:1488

/usr/bin/grep
grep go
1⤵
PID:1487

/usr/bin/awk
awk "{print \$1}"
1⤵
PID:1489

/usr/bin/awk
awk "{print \$1}"
1⤵
PID:1501

/usr/bin/grep
grep -v grep
1⤵
PID:1500

/usr/bin/grep
grep flash
1⤵
PID:1499

/usr/bin/ps
ps x
1⤵
- Reads CPU attributes
- Reads runtime system information
PID:1498

/usr/bin/awk
awk "{print \$1}"
1⤵
PID:1506

/usr/bin/grep
grep -v grep
1⤵
PID:1505

/usr/bin/grep
grep blitz
1⤵
PID:1504

/usr/bin/ps
ps x
1⤵
- Reads CPU attributes
- Reads runtime system information
PID:1503

/usr/bin/grep
grep -v grep
1⤵
PID:1510

/usr/bin/awk
awk "{print \$1}"
1⤵
PID:1511

/usr/bin/grep
grep go
1⤵
PID:1509

/usr/bin/ps
ps x
1⤵
- Reads CPU attributes
- Reads runtime system information
PID:1508

/usr/bin/awk
awk "{print \$1}"
1⤵
PID:1516

/usr/bin/grep
grep -v grep
1⤵
PID:1515

/usr/bin/grep
grep tsm
1⤵
PID:1514

/usr/bin/ps
ps x
1⤵
- Reads CPU attributes
- Reads runtime system information
PID:1513

/usr/bin/awk
awk "{print \$1}"
1⤵
PID:1523

/usr/bin/grep
grep -v grep
1⤵
PID:1522

/usr/bin/grep
grep ntpd
1⤵
PID:1521

/usr/bin/ps
ps x
1⤵
- Reads CPU attributes
- Reads runtime system information
PID:1520

/usr/bin/awk
awk "{print \$1}"
1⤵
PID:1528

/usr/bin/grep
grep -v grep
1⤵
PID:1527

/usr/bin/grep
grep khelperd
1⤵
PID:1526

/usr/bin/ps
ps x
1⤵
- Reads CPU attributes
- Reads runtime system information
PID:1525

/usr/bin/awk
awk "{print \$1}"
1⤵
PID:1534

/usr/bin/grep
grep -v grep
1⤵
PID:1533

/usr/bin/grep
grep /usr/sbin/http
1⤵
PID:1532

/usr/bin/ps
ps x
1⤵
- Reads CPU attributes
- Reads runtime system information
PID:1531

/usr/bin/awk
awk "{print \$1}"
1⤵
PID:1539

/usr/bin/grep
grep wget
1⤵
PID:1538

/usr/bin/ps
ps x
1⤵
- Reads CPU attributes
- Reads runtime system information
PID:1537

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads