c0634f254bcf7e22e9c185b7b19468f636e055bb2f914b7e510a9f0bcb3069a0 | Triage

Analysis

max time kernel
137s
max time network
139s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240508-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240508-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
24-06-2024 19:46

Sharing

Report Analysis Logs

General

Target

.rsync/c/go
Size

396B
MD5

3994503335d9fbcd31036ab1ffadb991
SHA1

487e9e37399497c92f3f54c6a9aa70bc22b781bd
SHA256

d08571c4ff07b1fa285262f5fc5afbe710636cebb1b43f60edc0c9f1a0d7e5c1
SHA512

252af48da5467b089d62f3d80f15bb0b3bb79884b86c232c978284266f0dbcf1df8da7b8e8fb73cba8350406cc15f3bd9b9ecd6120a71566524cede08b8a603d

Score

3^/10

Malware Config

Signatures

Writes file to tmp directory 10 IoCs

Malware often drops required files in the /tmp directory.

Processes:

touchtouchtouchtouchtouchtouchtouchtouchtouchtouch

description	ioc	process
File opened for modification	/tmp/.rsync/c/v	touch
File opened for modification	/tmp/.rsync/c/v	touch
File opened for modification	/tmp/.rsync/c/v	touch
File opened for modification	/tmp/.rsync/c/v	touch
File opened for modification	/tmp/.rsync/c/v	touch
File opened for modification	/tmp/.rsync/c/v	touch
File opened for modification	/tmp/.rsync/c/v	touch
File opened for modification	/tmp/.rsync/c/v	touch
File opened for modification	/tmp/.rsync/c/v	touch
File opened for modification	/tmp/.rsync/c/v	touch

/tmp/.rsync/c/go
/tmp/.rsync/c/go
1⤵
PID:1508

/bin/uname
uname -m
2⤵
PID:1510

/usr/bin/touch
touch v
2⤵
- Writes file to tmp directory
PID:1511

/bin/rm
rm -rf p
2⤵
PID:1512

/bin/rm
rm -rf ip
2⤵
PID:1513

/bin/rm
rm -rf "xtr*"
2⤵
PID:1514

/bin/rm
rm -rf a "a.*"
2⤵
PID:1515

/bin/rm
rm -rf b "b.*"
2⤵
PID:1516

/bin/sleep
sleep 5s
2⤵
PID:1517

/usr/bin/timeout
timeout 3h ./tsm -t 505 -f 1 -s 9 -S 6 -p 0 -d 1 p ip
2⤵
PID:1521

/tmp/.rsync/c/tsm
./tsm -t 505 -f 1 -s 9 -S 6 -p 0 -d 1 p ip
3⤵
PID:1522

/bin/sleep
sleep 3
2⤵
PID:1523

/bin/rm
rm -rf "xtr*"
2⤵
PID:1524

/bin/rm
rm -rf ip
2⤵
PID:1525

/bin/rm
rm -rf p
2⤵
PID:1526

/bin/rm
rm -rf .out
2⤵
PID:1527

/bin/rm
rm -rf "/tmp/t*"
2⤵
PID:1528

/usr/bin/touch
touch v
2⤵
- Writes file to tmp directory
PID:1529

/bin/rm
rm -rf p
2⤵
PID:1530

/bin/rm
rm -rf ip
2⤵
PID:1531

/bin/rm
rm -rf "xtr*"
2⤵
PID:1532

/bin/rm
rm -rf a "a.*"
2⤵
PID:1533

/bin/rm
rm -rf b "b.*"
2⤵
PID:1534

/bin/sleep
sleep 25s
2⤵
PID:1535

/usr/bin/timeout
timeout 3h ./tsm -t 505 -f 1 -s 9 -S 6 -p 0 -d 1 p ip
2⤵
PID:1539

/tmp/.rsync/c/tsm
./tsm -t 505 -f 1 -s 9 -S 6 -p 0 -d 1 p ip
3⤵
PID:1540

/bin/sleep
sleep 3
2⤵
PID:1541

/bin/rm
rm -rf "xtr*"
2⤵
PID:1542

/bin/rm
rm -rf ip
2⤵
PID:1543

/bin/rm
rm -rf p
2⤵
PID:1544

/bin/rm
rm -rf .out
2⤵
PID:1545

/bin/rm
rm -rf "/tmp/t*"
2⤵
PID:1546

/usr/bin/touch
touch v
2⤵
- Writes file to tmp directory
PID:1547

/bin/rm
rm -rf p
2⤵
PID:1548

/bin/rm
rm -rf ip
2⤵
PID:1549

/bin/rm
rm -rf "xtr*"
2⤵
PID:1550

/bin/rm
rm -rf a "a.*"
2⤵
PID:1551

/bin/rm
rm -rf b "b.*"
2⤵
PID:1552

/bin/sleep
sleep 16s
2⤵
PID:1553

/usr/bin/timeout
timeout 3h ./tsm -t 505 -f 1 -s 9 -S 6 -p 0 -d 1 p ip
2⤵
PID:1554

/tmp/.rsync/c/tsm
./tsm -t 505 -f 1 -s 9 -S 6 -p 0 -d 1 p ip
3⤵
PID:1555

/bin/sleep
sleep 3
2⤵
PID:1556

/bin/rm
rm -rf "xtr*"
2⤵
PID:1557

/bin/rm
rm -rf ip
2⤵
PID:1558

/bin/rm
rm -rf p
2⤵
PID:1559

/bin/rm
rm -rf .out
2⤵
PID:1560

/bin/rm
rm -rf "/tmp/t*"
2⤵
PID:1561

/usr/bin/touch
touch v
2⤵
- Writes file to tmp directory
PID:1562

/bin/rm
rm -rf p
2⤵
PID:1563

/bin/rm
rm -rf ip
2⤵
PID:1564

/bin/rm
rm -rf "xtr*"
2⤵
PID:1565

/bin/rm
rm -rf a "a.*"
2⤵
PID:1566

/bin/rm
rm -rf b "b.*"
2⤵
PID:1567

/bin/sleep
sleep 1s
2⤵
PID:1568

/usr/bin/timeout
timeout 3h ./tsm -t 505 -f 1 -s 9 -S 6 -p 0 -d 1 p ip
2⤵
PID:1569

/tmp/.rsync/c/tsm
./tsm -t 505 -f 1 -s 9 -S 6 -p 0 -d 1 p ip
3⤵
PID:1570

/bin/sleep
sleep 3
2⤵
PID:1571

/bin/rm
rm -rf "xtr*"
2⤵
PID:1572

/bin/rm
rm -rf ip
2⤵
PID:1573

/bin/rm
rm -rf p
2⤵
PID:1574

/bin/rm
rm -rf .out
2⤵
PID:1575

/bin/rm
rm -rf "/tmp/t*"
2⤵
PID:1576

/usr/bin/touch
touch v
2⤵
- Writes file to tmp directory
PID:1577

/bin/rm
rm -rf p
2⤵
PID:1578

/bin/rm
rm -rf ip
2⤵
PID:1579

/bin/rm
rm -rf "xtr*"
2⤵
PID:1580

/bin/rm
rm -rf a "a.*"
2⤵
PID:1581

/bin/rm
rm -rf b "b.*"
2⤵
PID:1582

/bin/sleep
sleep 14s
2⤵
PID:1583

/usr/bin/timeout
timeout 3h ./tsm -t 505 -f 1 -s 9 -S 6 -p 0 -d 1 p ip
2⤵
PID:1584

/tmp/.rsync/c/tsm
./tsm -t 505 -f 1 -s 9 -S 6 -p 0 -d 1 p ip
3⤵
PID:1585

/bin/sleep
sleep 3
2⤵
PID:1586

/bin/rm
rm -rf "xtr*"
2⤵
PID:1587

/bin/rm
rm -rf ip
2⤵
PID:1588

/bin/rm
rm -rf p
2⤵
PID:1589

/bin/rm
rm -rf .out
2⤵
PID:1590

/bin/rm
rm -rf "/tmp/t*"
2⤵
PID:1591

/usr/bin/touch
touch v
2⤵
- Writes file to tmp directory
PID:1592

/bin/rm
rm -rf p
2⤵
PID:1593

/bin/rm
rm -rf ip
2⤵
PID:1594

/bin/rm
rm -rf "xtr*"
2⤵
PID:1595

/bin/rm
rm -rf a "a.*"
2⤵
PID:1596

/bin/rm
rm -rf b "b.*"
2⤵
PID:1597

/bin/sleep
sleep 8s
2⤵
PID:1598

/usr/bin/timeout
timeout 3h ./tsm -t 505 -f 1 -s 9 -S 6 -p 0 -d 1 p ip
2⤵
PID:1599

/tmp/.rsync/c/tsm
./tsm -t 505 -f 1 -s 9 -S 6 -p 0 -d 1 p ip
3⤵
PID:1600

/bin/sleep
sleep 3
2⤵
PID:1601

/bin/rm
rm -rf "xtr*"
2⤵
PID:1602

/bin/rm
rm -rf ip
2⤵
PID:1603

/bin/rm
rm -rf p
2⤵
PID:1604

/bin/rm
rm -rf .out
2⤵
PID:1605

/bin/rm
rm -rf "/tmp/t*"
2⤵
PID:1606

/usr/bin/touch
touch v
2⤵
- Writes file to tmp directory
PID:1607

/bin/rm
rm -rf p
2⤵
PID:1608

/bin/rm
rm -rf ip
2⤵
PID:1609

/bin/rm
rm -rf "xtr*"
2⤵
PID:1610

/bin/rm
rm -rf a "a.*"
2⤵
PID:1611

/bin/rm
rm -rf b "b.*"
2⤵
PID:1612

/bin/sleep
sleep 15s
2⤵
PID:1613

/usr/bin/timeout
timeout 3h ./tsm -t 505 -f 1 -s 9 -S 6 -p 0 -d 1 p ip
2⤵
PID:1614

/tmp/.rsync/c/tsm
./tsm -t 505 -f 1 -s 9 -S 6 -p 0 -d 1 p ip
3⤵
PID:1615

/bin/sleep
sleep 3
2⤵
PID:1616

/bin/rm
rm -rf "xtr*"
2⤵
PID:1617

/bin/rm
rm -rf ip
2⤵
PID:1618

/bin/rm
rm -rf p
2⤵
PID:1619

/bin/rm
rm -rf .out
2⤵
PID:1620

/bin/rm
rm -rf "/tmp/t*"
2⤵
PID:1621

/usr/bin/touch
touch v
2⤵
- Writes file to tmp directory
PID:1622

/bin/rm
rm -rf p
2⤵
PID:1623

/bin/rm
rm -rf ip
2⤵
PID:1624

/bin/rm
rm -rf "xtr*"
2⤵
PID:1625

/bin/rm
rm -rf a "a.*"
2⤵
PID:1626

/bin/rm
rm -rf b "b.*"
2⤵
PID:1627

/bin/sleep
sleep 11s
2⤵
PID:1628

/usr/bin/timeout
timeout 3h ./tsm -t 505 -f 1 -s 9 -S 6 -p 0 -d 1 p ip
2⤵
PID:1629

/tmp/.rsync/c/tsm
./tsm -t 505 -f 1 -s 9 -S 6 -p 0 -d 1 p ip
3⤵
PID:1630

/bin/sleep
sleep 3
2⤵
PID:1631

/bin/rm
rm -rf "xtr*"
2⤵
PID:1632

/bin/rm
rm -rf ip
2⤵
PID:1633

/bin/rm
rm -rf p
2⤵
PID:1634

/bin/rm
rm -rf .out
2⤵
PID:1635

/bin/rm
rm -rf "/tmp/t*"
2⤵
PID:1636

/usr/bin/touch
touch v
2⤵
- Writes file to tmp directory
PID:1637

/bin/rm
rm -rf p
2⤵
PID:1638

/bin/rm
rm -rf ip
2⤵
PID:1639

/bin/rm
rm -rf "xtr*"
2⤵
PID:1640

/bin/rm
rm -rf a "a.*"
2⤵
PID:1641

/bin/rm
rm -rf b "b.*"
2⤵
PID:1642

/bin/sleep
sleep 15s
2⤵
PID:1643

/usr/bin/timeout
timeout 3h ./tsm -t 505 -f 1 -s 9 -S 6 -p 0 -d 1 p ip
2⤵
PID:1644

/tmp/.rsync/c/tsm
./tsm -t 505 -f 1 -s 9 -S 6 -p 0 -d 1 p ip
3⤵
PID:1645

/bin/sleep
sleep 3
2⤵
PID:1646

/bin/rm
rm -rf "xtr*"
2⤵
PID:1647

/bin/rm
rm -rf ip
2⤵
PID:1648

/bin/rm
rm -rf p
2⤵
PID:1649

/bin/rm
rm -rf .out
2⤵
PID:1650

/bin/rm
rm -rf "/tmp/t*"
2⤵
PID:1651

/usr/bin/touch
touch v
2⤵
- Writes file to tmp directory
PID:1652

/bin/rm
rm -rf p
2⤵
PID:1653

/bin/rm
rm -rf ip
2⤵
PID:1654

/bin/rm
rm -rf "xtr*"
2⤵
PID:1655

/bin/rm
rm -rf a "a.*"
2⤵
PID:1656

/bin/rm
rm -rf b "b.*"
2⤵
PID:1657

/bin/sleep
sleep 24s
2⤵
PID:1658

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...