342a96d5a78f82288e79124b161eedddb6544a9aa17f4af1b07452eae538cec2 | Triage

Analysis

max time kernel
0s
max time network
133s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240508-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240508-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
24-05-2024 12:56

Sharing

Report Analysis Logs

General

Target

init_dt.sh
Size

3KB
MD5

570d69297e5273305790a59c65d9fa5a
SHA1

7bb95c5616c22741fc169e8c14cd281daa9331b1
SHA256

342a96d5a78f82288e79124b161eedddb6544a9aa17f4af1b07452eae538cec2
SHA512

4a98540c1e2123c1a9288a4fee72047cb142025d4ae8a67012bf226d3d5007e5661002a19007382efb7c3e01b8db4630a698cd543c72cb8d0e8ad280e3db51e7

Score

8^/10

persistence

Malware Config

Signatures

Adds new SSH keys 1 IoCs

Linux special file to hold SSH keys. The threat actor may add new keys for further remote access.

description	ioc	Process
File opened for modification	/root/.ssh/authorized_keys	init_dt.sh

Reads runtime system information 18 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/sys/kernel/osrelease	systemctl
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/1/sched	systemctl
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/1/sched	hostnamectl
File opened for reading	/proc/1/sched	systemctl
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/sys/kernel/osrelease	systemctl
File opened for reading	/proc/filesystems	hostnamectl
File opened for reading	/proc/sys/kernel/osrelease	hostnamectl
File opened for reading	/proc/1/environ	hostnamectl
File opened for reading	/proc/cmdline	hostnamectl
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/self/stat	hostnamectl

/tmp/init_dt.sh
/tmp/init_dt.sh
1⤵
- Adds new SSH keys
PID:1479
- /usr/bin/hostnamectl
  hostnamectl set-hostname
  2⤵
  - Reads runtime system information
  PID:1480
- /bin/systemctl
  systemctl stop rpcbind
  2⤵
  - Reads runtime system information
  PID:1483
- /bin/systemctl
  systemctl disable rpcbind
  2⤵
  - Reads runtime system information
  PID:1487

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads