9100bc0eb0bce4f5f7fc314fa820b4dee00db8d31892ec6fdb4fccca801a40d0

Resubmissions

27-04-2024 08:47

240427-kp68nsff9w 8

15-03-2024 10:27

240315-mg4hxseb4t 8

Analysis

max time kernel
131s
max time network
131s
platform
ubuntu-20.04_amd64
resource
ubuntu2004-amd64-20240221-en
resource tags

arch:amd64arch:i386image:ubuntu2004-amd64-20240221-enkernel:5.4.0-169-genericlocale:en-usos:ubuntu-20.04-amd64system
submitted
27-04-2024 08:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.ELF.Armbar-B.13586.26645.elf
Size

2.7MB
MD5

9e0d1124dae07a104dcb93b2e27e8ddc
SHA1

c310ec9924e2371402e8d3df66624a126a673996
SHA256

9100bc0eb0bce4f5f7fc314fa820b4dee00db8d31892ec6fdb4fccca801a40d0
SHA512

755fd513c180c1f803d437caf90c06ed7dbf521c0440941cbd028f134b4eda41772d97ff19e13a234c6e99c32661c1ca68aa5c5a7c43964e04ff0631221e4aba
SSDEEP

49152:icuP/zBmSnI8WX/Pjoc53lvzjbOzcWn52bPT:ruPb0n3jRVvzwpM

Score

8^/10

persistence

Malware Config

Signatures

Modifies password files for system users/ groups 4 IoCs

Modifies files storing password hashes of existing users/ groups, likely to grant additional privileges.

Processes:

useradd

description	ioc	process
File opened for modification	/etc/shadow	useradd
File opened for modification	/etc/passwd	useradd
File opened for modification	/etc/group	useradd
File opened for modification	/etc/gshadow	useradd

Adds a user to the system 1 IoCs

Processes:

useradd

pid process

1474 useradd
Creates/modifies environment variables 1 TTPs 2 IoCs
Creating/modifying environment variables is a common persistence mechanism.
persistence

Hijack Execution Flow
T1574

Processes:

useradd

description ioc process

File opened for modification /home/RZ0cT6n1/.profile useradd
File opened for modification /home/RZ0cT6n1/.bashrc useradd
Modifies Bash startup script 1 TTPs 2 IoCs
persistence

Boot or Logon Autostart Execution
T1547

Processes:

useradd

description ioc process

File opened for modification /home/RZ0cT6n1/.profile useradd
File opened for modification /home/RZ0cT6n1/.bashrc useradd
Enumerates kernel/hardware configuration 1 TTPs 1 IoCs
Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery
T1082

Processes:

SecuriteInfo.com.ELF.Armbar-B.13586.26645.elf

description ioc process

File opened for reading /sys/kernel/mm/transparent_hugepage/hpage_pmd_size SecuriteInfo.com.ELF.Armbar-B.13586.26645.elf

pid	process
1474	useradd

description	ioc	process
File opened for modification	/home/RZ0cT6n1/.profile	useradd
File opened for modification	/home/RZ0cT6n1/.bashrc	useradd

description	ioc	process
File opened for modification	/home/RZ0cT6n1/.profile	useradd
File opened for modification	/home/RZ0cT6n1/.bashrc	useradd

description	ioc	process
File opened for reading	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	SecuriteInfo.com.ELF.Armbar-B.13586.26645.elf

Reads runtime system information 7 IoCs

Reads data from /proc virtual filesystem.

Processes:

sudouseradd

description	ioc	process
File opened for reading	/proc/self/fd	sudo
File opened for reading	/proc/filesystems	useradd
File opened for reading	/proc/sys/kernel/ngroups_max	useradd
File opened for reading	/proc/sys/kernel/random/boot_id	useradd
File opened for reading	/proc/filesystems	sudo
File opened for reading	/proc/sys/kernel/ngroups_max	sudo
File opened for reading	/proc/self/stat	sudo

/tmp/SecuriteInfo.com.ELF.Armbar-B.13586.26645.elf
/tmp/SecuriteInfo.com.ELF.Armbar-B.13586.26645.elf
1⤵
- Enumerates kernel/hardware configuration
PID:1467

/usr/bin/openssl
openssl passwd -6 vyqUNXAyzVNm
2⤵
PID:1471

/usr/bin/sudo
sudo useradd -m -p "\$6\$j0kJX0kgREEbgpzt\$xVovf3cVM1LZMtC9t.nMHKZRP2arfc00D3miIdY8FUGN5qy3G9C79FiUm0rEXL5tsZCANwDn0cFyFk4z9GKBS1" -G sudo RZ0cT6n1
2⤵
- Reads runtime system information
PID:1472

/usr/sbin/useradd
useradd -m -p "\$6\$j0kJX0kgREEbgpzt\$xVovf3cVM1LZMtC9t.nMHKZRP2arfc00D3miIdY8FUGN5qy3G9C79FiUm0rEXL5tsZCANwDn0cFyFk4z9GKBS1" -G sudo RZ0cT6n1
3⤵
- Modifies password files for system users/ groups
- Adds a user to the system
- Creates/modifies environment variables
- Modifies Bash startup script
- Reads runtime system information
PID:1474

/sbin/zsysctl
zsysctl userdata create RZ0cT6n1 /home/RZ0cT6n1
4⤵
PID:1478

/usr/sbin/nscd
nscd -i passwd
4⤵
PID:1479

/usr/sbin/nscd
nscd -i group
4⤵
PID:1480

/usr/sbin/sss_cache
sss_cache -UG
4⤵
PID:1481

/sbin/pam_tally2
pam_tally2 --user RZ0cT6n1 --reset --quiet
4⤵
PID:1482

/usr/sbin/nscd
nscd -i passwd
4⤵
PID:1483

/usr/sbin/nscd
nscd -i group
4⤵
PID:1484

/usr/sbin/sss_cache
sss_cache -UG
4⤵
PID:1485

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Defense Evasion

Hijack Execution Flow

T1574

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/group+

Filesize
1KB

MD5
6a50a0c5fd750a504054d6e2092b396f

SHA1
d8b5ccdc6070db7f9b952d774b60647cabd9f1e8

SHA256
15814d43cc5a1af3fdbd53638f58d1748080ce8028442f4d0947dd954e880ff3

SHA512
fbd01cdde501f8557dcd0c37e0d7216dfaa0a284f268358191d16bf1ffcf39d5986d15916eabca276b50f93162d0116c4e03e208764dbe8b1419ab8603376ade

Download Submit
/etc/gshadow+

Filesize
893B

MD5
0f958e4a0cab233c2a3a85096a1dd113

SHA1
ac993a5cdea9826195e2b5504175f82b2d65753c

SHA256
6a9ed86d3744cacb391da832735d9c06657772ce554ce80d233a9e40957fd1cc

SHA512
bd34f852f1b0875275b6b9c7520f1f9bb4ea814ce6391ca1eb87219a6212cd27ab7227ff52aa227d0a0e4772c0995c8b544c88b0a49c6912c29d6efa4fb3bf05

Download Submit
/etc/passwd+

Filesize
2KB

MD5
2ff89342dedd9e09f94cabae174f5c1e

SHA1
7570aac936c8dc520d0bfbcf3ade5c3647de1699

SHA256
7556ef1aa7ee38de38fbe7ead75a221c804116843908cd6b31d272f802daf734

SHA512
3674202f593dd1777e4babaf9e15c8d731dff17745074bedc49e3561bfd54512037b30fbfb507cd7df311feb31850acf66b2f577bb0f18efa03e103582de5436

Download Submit
/etc/shadow+

Filesize
1KB

MD5
2aee110298a3c05a3e25e8f7c6009259

SHA1
f737c44d7707a28f418812395d63b99c9d6d825e

SHA256
3f25311a86def0e879495df2f469137d863bcff6bdb67ecb9b8cdf5e61182164

SHA512
bff76ff0d0b9b2e718ffd73a895c32c419d71d7ad60131cfb536a5baa0e03c4a7618c08ba5a58c7df818e3591ce0108ed2af937130a349a3e74e20afb218903e

Download Submit
/etc/subuid+

Filesize
40B

MD5
4cf8d2e2f472e91b5dd3d80cab48f452

SHA1
75fc714060c418c9f53c75f8117ea782b6cd870b

SHA256
aafc1ba2bd37d607b60f5ea6e4dcfb584a2046760a3f84230f587f7b523d722a

SHA512
72b306c597fec72ee0eb6b01e6bd15dd114f467472507a340533dc8d0c8ece195c9ffb8a18b077ca1a357163d1b38803f2ef565225ce36569c7a30f28cef7f04

Download Submit
/home/RZ0cT6n1/.bash_logout

Filesize
220B

MD5
22bfb8c1dd94b5f3813a2b25da67463f

SHA1
dc216ac4a4c232815731979db6e494f315b507dd

SHA256
26882b79471c25f945c970f8233d8ce29d54e9d5eedcd2884f88affa84a18f56

SHA512
c3d739f4934824d81f561c9b626b494e3c256b5a97642667882632db030fc1a8c7d23eb1ae5db7e9f63ae46ee84dbee69d15130dd1482a2c1e8aade1dfc545a2

Download Submit
/home/RZ0cT6n1/.bashrc

Filesize
3KB

MD5
1f98b8f3f3c8f8927eca945d59dcc1c6

SHA1
c4d853993e323432cb84359de2c319b9a767b729

SHA256
342099da4dd28c394d3f8782d90d7465cb2eaa611193f8f378d6918261cb9bb8

SHA512
33bb97936e54fe797b5046ece9c04313306fdc1470c959593f5cc2c641066372f2aee759db3a1bf45470b10c98ca964388172ded77eacaf2500e428d4f00331f

Download Submit
/home/RZ0cT6n1/.profile

Filesize
807B

MD5
f4e81ade7d6f9fb342541152d08e7a97

SHA1
2b9ee6d446f8f9ffccaab42b6df5649f749a9a07

SHA256
28b4a453b68dde64f814e94bab14ee651f4f162e15dd9920490aa1d49f05d2a4

SHA512
26544e0b85ca6d7cca3b8ace7d01f712e24020f07b6a6ad54a6942909040221f09bf922a4d0da555ce64ceebb4934b28719a23a0e6401337a69d4a0170bd8e4c

Download Submit