conti | 95776f31cbcac08eb3f3e9235d07513a6d7a6bf9f1b7f3d400b2cf0afdb088a7

General

Target

k.elf
Size

1.5MB
MD5

cfb6d21ffe7c4279f761f2351c0810ee
SHA1

ee827023780964574f28c6ba333d800b73eae5c4
SHA256

95776f31cbcac08eb3f3e9235d07513a6d7a6bf9f1b7f3d400b2cf0afdb088a7
SHA512

c24342fe718d9cd8be98741cb7962b39cdf887b855ac0d7d6c0bbdd346fffd3f1dd1bdb91728bd16efe61456792fcc70b17e6f98cc052e229d186f1d7a28a9b8
SSDEEP

24576:t4mEitdoHarsfZqy5hEiefNvF6pVuQYGM:tdE2dxrUqy5ep5F6mQlM

Score

10^/10

conti evasion persistence ransomware

Malware Config

Extracted

Path

/readme.txt

Family

conti

Ransom Note

All of your files are currently encrypted by CONTI strain. If you don't know who we are - just "Google it." As you already know, all of your data has been encrypted by our software. It cannot be recovered by any means without contacting our team directly. DON'T TRY TO RECOVER your data by yourselves. Any attempt to recover your data (including the usage of the additional recovery software) can damage your files. However, if you want to try - we recommend choosing the data of the lowest value. DON'T TRY TO IGNORE us. We've downloaded a pack of your internal data and are ready to publish it on our news website if you do not respond. So it will be better for both sides if you contact us as soon as possible. DON'T TRY TO CONTACT feds or any recovery companies. We have our informants in these structures, so any of your complaints will be immediately directed to us. So if you will hire any recovery company for negotiations or send requests to the police/FBI/investigators, we will consider this as a hostile intent and initiate the publication of whole compromised data immediately. To prove that we REALLY CAN get your data back - we offer you to decrypt two random files completely free of charge. You can contact our team directly for further instructions through our website : TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://contirec7nchr45rx6ympez5rjldibnqzh7lsa56lvjvaeywhvoj3wad.onion/ykCDUCsFcCYo8BNSsvH2TZTvCnEUM30XKoeCZiXUQEjPnzp1nee2ivFY0hAf7frb YOU SHOULD BE AWARE! We will speak only with an authorized person. It can be the CEO, top management, etc. In case you are not such a person - DON'T CONTACT US! Your decisions and action can result in serious harm to your company! Inform your supervisors and stay calm!

URLs

http://contirec7nchr45rx6ympez5rjldibnqzh7lsa56lvjvaeywhvoj3wad.onion/ykCDUCsFcCYo8BNSsvH2TZTvCnEUM30XKoeCZiXUQEjPnzp1nee2ivFY0hAf7frb

Signatures

Conti Ransomware
Ransomware generally thought to be a successor to Ryuk.
ransomware conti
Renames multiple (20848) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes journal logs 1 TTPs 2 IoCs
Deletes systemd journal logs. Likely to evade detection.
evasion

Indicator Removal
T1070

Processes:

k.elf

description ioc process

File truncated /var/log/journal/4816dd152e8c48ff97e9117d197c13d8/readme.txt k.elf
File truncated /var/log/journal/readme.txt k.elf

description	ioc	process
File truncated	/var/log/journal/4816dd152e8c48ff97e9117d197c13d8/readme.txt	k.elf
File truncated	/var/log/journal/readme.txt	k.elf

Creates/modifies Cron job 1 TTPs 5 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

persistence

Scheduled Task/Job

T1053

Processes:

k.elf

description	ioc	process
File opened for modification	/var/spool/cron/readme.txt	k.elf
File opened for modification	/var/spool/cron/atspool/readme.txt	k.elf
File opened for modification	/var/spool/cron/crontabs/readme.txt	k.elf
File opened for modification	/var/spool/cron/atjobs/readme.txt	k.elf
File opened for modification	/var/spool/cron/atjobs/.SEQ	k.elf

Deletes log files 1 TTPs 14 IoCs

Deletes log files on the system.

Indicator Removal

T1070

Processes:

k.elf

description	ioc	process
File truncated	/var/log/dist-upgrade/readme.txt	k.elf
File truncated	/var/log/installer/readme.txt	k.elf
File truncated	/var/log/private/readme.txt	k.elf
File truncated	/var/log/readme.txt	k.elf
File truncated	/var/log/hp/tmp/readme.txt	k.elf
File truncated	/var/log/hp/readme.txt	k.elf
File truncated	/var/log/speech-dispatcher/readme.txt	k.elf
File truncated	/var/log/gdm3/readme.txt	k.elf
File truncated	/var/log/installer/cdebconf/readme.txt	k.elf
File truncated	/var/log/openvpn/readme.txt	k.elf
File truncated	/var/log/apt/readme.txt	k.elf
File truncated	/var/log/cups/readme.txt	k.elf
File truncated	/var/log/unattended-upgrades/readme.txt	k.elf
File truncated	/var/log/audit/readme.txt	k.elf

Reads MAC address of network interface 2 TTPs 1 IoCs
Fetches the MAC address of active network interfaces. May be used to detect known values for hypervisors.
evasion

System Network Configuration Discovery
T1016

System Network Connections Discovery
T1049

Processes:

k.elf

description ioc process

File opened for reading /sys/devices/pci0000:00/0000:00:03.0/net/ens3/address k.elf

description	ioc	process
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/address	k.elf

Reads network interface configuration 2 TTPs 64 IoCs

Fetches information about one or more active network interfaces.

System Network Configuration Discovery

T1016

System Network Connections Discovery

T1049

Processes:

k.elf

description	ioc	process
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/ifalias	k.elf
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/queues	k.elf
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/queues/tx-0	k.elf
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/queues/tx-0/xps_rxqs	k.elf
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/flags	k.elf
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/carrier_down_count	k.elf
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/dormant	k.elf
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/statistics/multicast	k.elf
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/power/runtime_active_kids	k.elf
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/phys_port_name	k.elf
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/statistics/tx_dropped	k.elf
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/statistics/collisions	k.elf
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/mtu	k.elf
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/queues/tx-0/tx_timeout	k.elf
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/power/runtime_usage	k.elf
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/dev_port	k.elf
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/queues/tx-0/byte_queue_limits	k.elf
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/power/runtime_enabled	k.elf
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/broadcast	k.elf
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/queues/tx-0/xps_cpus	k.elf
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/queues/tx-0/byte_queue_limits/limit	k.elf
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/queues/tx-0/byte_queue_limits/inflight	k.elf
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/carrier	k.elf
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/proto_down	k.elf
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/power/async	k.elf
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/statistics/tx_packets	k.elf
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/carrier_up_count	k.elf
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/duplex	k.elf
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/statistics/tx_window_errors	k.elf
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/statistics/rx_fifo_errors	k.elf
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/statistics/rx_errors	k.elf
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/statistics/tx_compressed	k.elf
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/speed	k.elf
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/statistics/rx_length_errors	k.elf
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/statistics/tx_carrier_errors	k.elf
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/statistics/rx_crc_errors	k.elf
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/addr_len	k.elf
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/power/control	k.elf
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/operstate	k.elf
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/statistics/rx_packets	k.elf
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/gro_flush_timeout	k.elf
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/power/autosuspend_delay_ms	k.elf
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/queues/tx-0/tx_maxrate	k.elf
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/queues/tx-0/byte_queue_limits/limit_min	k.elf
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/queues/tx-0/traffic_class	k.elf
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/statistics/tx_errors	k.elf
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/statistics/tx_heartbeat_errors	k.elf
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/power/runtime_status	k.elf
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/uevent	k.elf
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/power	k.elf
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/power/runtime_suspended_time	k.elf
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/link_mode	k.elf
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/statistics/tx_fifo_errors	k.elf
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/queues/tx-0/byte_queue_limits/hold_time	k.elf
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/statistics/tx_bytes	k.elf
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/power/runtime_active_time	k.elf
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/queues/rx-0	k.elf
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/phys_switch_id	k.elf
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/statistics/rx_frame_errors	k.elf
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/statistics/rx_bytes	k.elf
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/name_assign_type	k.elf
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/addr_assign_type	k.elf
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/carrier_changes	k.elf
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/statistics/rx_nohandler	k.elf

Reads network transmission queue length 2 TTPs 1 IoCs
Fetches the value of the tranmission queue length of the network interface (relevant for DDoS attacks).

System Network Configuration Discovery
T1016

System Network Connections Discovery
T1049

Processes:

k.elf

description ioc process

File opened for reading /sys/devices/pci0000:00/0000:00:03.0/net/ens3/tx_queue_len k.elf

description	ioc	process
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/tx_queue_len	k.elf

Reads CPU attributes 1 TTPs 64 IoCs

System Information Discovery

T1082

Processes:

k.elf

description	ioc	process
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/level	k.elf
File opened for reading	/sys/devices/system/cpu/power/runtime_active_time	k.elf
File opened for reading	/sys/devices/system/cpu/power/autosuspend_delay_ms	k.elf
File opened for reading	/sys/devices/system/cpu/power/runtime_enabled	k.elf
File opened for reading	/sys/devices/system/cpu/cpu0/topology/core_siblings_list	k.elf
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/physical_line_partition	k.elf
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/ways_of_associativity	k.elf
File opened for reading	/sys/devices/system/cpu/power/control	k.elf
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/shared_cpu_list	k.elf
File opened for reading	/sys/devices/system/cpu/power/runtime_active_kids	k.elf
File opened for reading	/sys/devices/system/cpu/vulnerabilities/srbds	k.elf
File opened for reading	/sys/devices/system/cpu/cpu0/topology/die_cpus_list	k.elf
File opened for reading	/sys/devices/system/cpu/cpu0/topology/package_cpus_list	k.elf
File opened for reading	/sys/devices/system/cpu/cpu0/topology/die_cpus	k.elf
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/id	k.elf
File opened for reading	/sys/devices/system/cpu/smt	k.elf
File opened for reading	/sys/devices/system/cpu/vulnerabilities/retbleed	k.elf
File opened for reading	/sys/devices/system/cpu/uevent	k.elf
File opened for reading	/sys/devices/system/cpu/offline	k.elf
File opened for reading	/sys/devices/system/cpu/power/runtime_usage	k.elf
File opened for reading	/sys/devices/system/cpu/vulnerabilities/mmio_stale_data	k.elf
File opened for reading	/sys/devices/system/cpu/vulnerabilities/l1tf	k.elf
File opened for reading	/sys/devices/system/cpu/vulnerabilities/meltdown	k.elf
File opened for reading	/sys/devices/system/cpu/isolated	k.elf
File opened for reading	/sys/devices/system/cpu/cpu0/topology/core_siblings	k.elf
File opened for reading	/sys/devices/system/cpu/cpu0/topology/core_id	k.elf
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3	k.elf
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/coherency_line_size	k.elf
File opened for reading	/sys/devices/system/cpu/cpu0/hotplug/target	k.elf
File opened for reading	/sys/devices/system/cpu/cpu0/power/async	k.elf
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/shared_cpu_map	k.elf
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/level	k.elf
File opened for reading	/sys/devices/system/cpu/cpu0/topology/die_id	k.elf
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index1/type	k.elf
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index1/level	k.elf
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index1/coherency_line_size	k.elf
File opened for reading	/sys/devices/system/cpu/smt/control	k.elf
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/number_of_sets	k.elf
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/shared_cpu_list	k.elf
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/shared_cpu_map	k.elf
File opened for reading	/sys/devices/system/cpu/cpu0/power	k.elf
File opened for reading	/sys/devices/system/cpu/cpu0/power/runtime_status	k.elf
File opened for reading	/sys/devices/system/cpu/cpu0/topology/core_cpus_list	k.elf
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/coherency_line_size	k.elf
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/ways_of_associativity	k.elf
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/level	k.elf
File opened for reading	/sys/devices/system/cpu/vulnerabilities/gather_data_sampling	k.elf
File opened for reading	/sys/devices/system/cpu/cpu0/hotplug	k.elf
File opened for reading	/sys/devices/system/cpu/modalias	k.elf
File opened for reading	/sys/devices/system/cpu/power/async	k.elf
File opened for reading	/sys/devices/system/cpu/cpu0/topology/package_cpus	k.elf
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/uevent	k.elf
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/ways_of_associativity	k.elf
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index1/number_of_sets	k.elf
File opened for reading	/sys/devices/system/cpu/cpu0/cache/uevent	k.elf
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/type	k.elf
File opened for reading	/sys/devices/system/cpu/power	k.elf
File opened for reading	/sys/devices/system/cpu/vulnerabilities/itlb_multihit	k.elf
File opened for reading	/sys/devices/system/cpu/possible	k.elf
File opened for reading	/sys/devices/system/cpu/cpu0/uevent	k.elf
File opened for reading	/sys/devices/system/cpu/cpu0/hotplug/state	k.elf
File opened for reading	/sys/devices/system/cpu/cpu0/power/autosuspend_delay_ms	k.elf
File opened for reading	/sys/devices/system/cpu/cpu0/topology/core_cpus	k.elf
File opened for reading	/sys/devices/system/cpu/cpu0/cache	k.elf

Enumerates kernel/hardware configuration 1 TTPs 64 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

T1082

Processes:

k.elf

description	ioc	process
File opened for reading	/sys/kernel/slab/kmalloc-1k/cgroup/kmalloc-1k(369:accounts-daemon.service)/remote_node_defrag_ratio	k.elf
File opened for reading	/sys/kernel/slab/skbuff_head_cache/cgroup/skbuff_head_cache(385:agent.service)/align	k.elf
File opened for reading	/sys/kernel/slab/sighand_cache/cgroup/sighand_cache(553:udisks2.service)/sanity_checks	k.elf
File opened for reading	/sys/kernel/slab/:A-0000256/cgroup/filp(1019:gsd-wwan.service)/partial	k.elf
File opened for reading	/sys/kernel/slab/:A-0000208/cgroup/vm_area_struct(377:acpid.service)/slabs	k.elf
File opened for reading	/sys/kernel/slab/ext4_inode_cache/cgroup/ext4_inode_cache(897:gvfs-gphoto2-volume-monitor.service)/object_size	k.elf
File opened for reading	/sys/kernel/slab/:A-0000192/cgroup/cred_jar(995:gsd-smartcard.service)/order	k.elf
File opened for reading	/sys/kernel/slab/dentry/cgroup/dentry(831:NetworkManager.service)/poison	k.elf
File opened for reading	/sys/kernel/slab/mm_struct/cgroup/mm_struct(1141:fwupd.service)/slabs_cpu_partial	k.elf
File opened for reading	/sys/kernel/slab/kmalloc-rcl-512/cpu_partial	k.elf
File opened for reading	/sys/kernel/slab/skbuff_head_cache/cgroup/skbuff_head_cache(903:gvfs-goa-volume-monitor.service)/trace	k.elf
File opened for reading	/sys/kernel/slab/:A-0000192/cgroup/cred_jar(1025:gsd-xsettings.service)/objects	k.elf
File opened for reading	/sys/kernel/slab/:A-0000080/cgroup/task_delay_info(633:gdm.service)/object_size	k.elf
File opened for reading	/sys/kernel/slab/inode_cache/cgroup/inode_cache(1077:systemd-timedated.service)/cpu_partial	k.elf
File opened for reading	/sys/kernel/slab/:A-0000040/cgroup/pde_opener(715:[email protected])/usersize	k.elf
File opened for reading	/sys/kernel/slab/skbuff_head_cache/cgroup/skbuff_head_cache(953:gsd-keyboard.service)/align	k.elf
File opened for reading	/sys/kernel/slab/:A-0000256/cgroup/filp(971:gsd-print-notifications.service)/object_size	k.elf
File opened for reading	/sys/kernel/slab/RAWv6/cgroup/RAWv6(831:NetworkManager.service)/red_zone	k.elf
File opened for reading	/sys/kernel/slab/dentry/cgroup/dentry(903:gvfs-goa-volume-monitor.service)	k.elf
File opened for reading	/sys/kernel/slab/mm_struct/cgroup/mm_struct(537:switcheroo-control.service)/hwcache_align	k.elf
File opened for reading	/sys/kernel/slab/mm_struct/cgroup/mm_struct(747:dbus.socket)/object_size	k.elf
File opened for reading	/sys/kernel/slab/kmalloc-1k/cgroup/kmalloc-1k(839:xdg-permission-store.service)/hwcache_align	k.elf
File opened for reading	/sys/kernel/slab/skbuff_head_cache/cgroup/skbuff_head_cache(959:gsd-media-keys.service)/slab_size	k.elf
File opened for reading	/sys/kernel/slab/:A-0000128/cgroup/pid(953:gsd-keyboard.service)/align	k.elf
File opened for reading	/sys/kernel/slab/kmalloc-64/cgroup/kmalloc-64(807:gvfs-daemon.service)/sanity_checks	k.elf
File opened for reading	/sys/kernel/slab/kmalloc-64/cgroup/kmalloc-64(649:unattended-upgrades.service)/reclaim_account	k.elf
File opened for reading	/sys/kernel/slab/mm_struct/cgroup/mm_struct(441:dbus.service)/slab_size	k.elf
File opened for reading	/sys/kernel/slab/mm_struct/cgroup/mm_struct(1085:apt-daily.service)/cache_dma	k.elf
File opened for reading	/sys/kernel/slab/kmalloc-2k/cgroup/kmalloc-2k(935:gsd-color.service)/sanity_checks	k.elf
File opened for reading	/sys/kernel/slab/:A-0000128/cgroup/pid(879:gvfs-udisks2-volume-monitor.service)/objects_partial	k.elf
File opened for reading	/sys/kernel/slab/dentry/cgroup/dentry(433:cups.service)/cache_dma	k.elf
File opened for reading	/sys/kernel/slab/anon_vma/cgroup/anon_vma(863:upower.service)/cache_dma	k.elf
File opened for reading	/sys/kernel/slab/kmalloc-1k/cgroup/kmalloc-1k(863:upower.service)/objects	k.elf
File opened for reading	/sys/kernel/slab/kmalloc-1k/cgroup/kmalloc-1k(1149:apt-news.service)/ctor	k.elf
File opened for reading	/sys/kernel/slab/:A-0000040/cgroup/pde_opener(935:gsd-color.service)/slabs	k.elf
File opened for reading	/sys/kernel/slab/:A-0000040/cgroup/pde_opener(1031:colord.service)/reclaim_account	k.elf
File opened for reading	/sys/kernel/slab/kmalloc-256/cpu_slabs	k.elf
File opened for reading	/sys/kernel/slab/:A-0000040/min_partial	k.elf
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_enter_mbind	k.elf
File opened for reading	/sys/kernel/slab/kmalloc-64/cgroup/kmalloc-64(857:evolution-addressbook-factory.service)/total_objects	k.elf
File opened for reading	/sys/kernel/slab/:A-0000040/cgroup/pde_opener(839:xdg-permission-store.service)/min_partial	k.elf
File opened for reading	/sys/kernel/slab/mm_struct/cgroup/mm_struct(1065:gvfs-metadata.service)/validate	k.elf
File opened for reading	/sys/kernel/slab/:A-0000072/cgroup/eventpoll_pwq(91:systemd-journald.service)/objs_per_slab	k.elf
File opened for reading	/sys/kernel/slab/TCPv6/cgroup/TCPv6(433:cups.service)/shrink	k.elf
File opened for reading	/sys/kernel/slab/:0000144/validate	k.elf
File opened for reading	/sys/kernel/slab/sock_inode_cache/cgroup/sock_inode_cache(831:NetworkManager.service)	k.elf
File opened for reading	/sys/kernel/slab/radix_tree_node/cgroup/radix_tree_node(409:atd.service)/total_objects	k.elf
File opened for reading	/sys/kernel/slab/anon_vma/cgroup/anon_vma(795:gnome-session-monitor.service)/objs_per_slab	k.elf
File opened for reading	/sys/kernel/slab/mm_struct/cgroup/mm_struct(441:dbus.service)/slabs_cpu_partial	k.elf
File opened for reading	/sys/kernel/slab/kmalloc-32/cgroup/kmalloc-32(1077:systemd-timedated.service)/validate	k.elf
File opened for reading	/sys/kernel/tracing/events/sched/sched_migrate_task	k.elf
File opened for reading	/sys/kernel/slab/radix_tree_node/cgroup/radix_tree_node(577:NetworkManager-wait-online.service)/ctor	k.elf
File opened for reading	/sys/kernel/slab/uts_namespace/cgroup/uts_namespace(1077:systemd-timedated.service)/poison	k.elf
File opened for reading	/sys/kernel/slab/radix_tree_node/cgroup/radix_tree_node(977:gsd-rfkill.service)/cache_dma	k.elf
File opened for reading	/sys/kernel/slab/anon_vma/cgroup/anon_vma(941:gsd-datetime.service)/shrink	k.elf
File opened for reading	/sys/kernel/slab/kmalloc-1k/cgroup/kmalloc-1k(715:[email protected])/alloc_calls	k.elf
File opened for reading	/sys/kernel/slab/:A-0000256/cgroup/filp(795:gnome-session-monitor.service)/validate	k.elf
File opened for reading	/sys/kernel/slab/sock_inode_cache/remote_node_defrag_ratio	k.elf
File opened for reading	/sys/kernel/slab/kmalloc-1k/object_size	k.elf
File opened for reading	/sys/kernel/slab/skbuff_head_cache/cgroup/skbuff_head_cache(609:ssh.service)/destroy_by_rcu	k.elf
File opened for reading	/sys/kernel/slab/skbuff_head_cache/cgroup/skbuff_head_cache(409:atd.service)/object_size	k.elf
File opened for reading	/sys/kernel/slab/:A-0000256/cgroup/filp(609:ssh.service)/cpu_partial	k.elf
File opened for reading	/sys/kernel/slab/:A-0000128/cgroup/pid(289:boot-efi.mount)/poison	k.elf
File opened for reading	/sys/kernel/slab/kmalloc-64/cgroup/kmalloc-64(59:dev-hugepages.mount)/min_partial	k.elf

/tmp/k.elf
/tmp/k.elf sh ./k.elf --path /
1⤵
- Deletes journal logs
- Creates/modifies Cron job
- Deletes log files
- Reads MAC address of network interface
- Reads network interface configuration
- Reads network transmission queue length
- Reads CPU attributes
- Enumerates kernel/hardware configuration
PID:1483

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Indicator Removal

2

T1070

Credential Access

Discovery

System Information Discovery

2

T1082

System Network Configuration Discovery

3

T1016

System Network Connections Discovery

3

T1049

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/readme.txt

Filesize
1KB

MD5
f2ec65b6ccc5e28343ce62a48279027f

SHA1
7ef88d7845747810a522b73b48f85774cc3d5d0e

SHA256
a01e047b193671716125c6cf06171b0b0cac332631065ea5320fff4be0971582

SHA512
b48e8c82812e03afbc39f55f59e5110d181b107000c87491eb6adfebe19b7a3679dac6debb5fd0319afb53a12ed476dd4d5212aa5470e8b015ff1abdb3ce1b38

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads