c0634f254bcf7e22e9c185b7b19468f636e055bb2f914b7e510a9f0bcb3069a0

Analysis

max time kernel
137s
max time network
139s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240508-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240508-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
24-06-2024 19:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

.rsync/c/go
Size

396B
MD5

3994503335d9fbcd31036ab1ffadb991
SHA1

487e9e37399497c92f3f54c6a9aa70bc22b781bd
SHA256

d08571c4ff07b1fa285262f5fc5afbe710636cebb1b43f60edc0c9f1a0d7e5c1
SHA512

252af48da5467b089d62f3d80f15bb0b3bb79884b86c232c978284266f0dbcf1df8da7b8e8fb73cba8350406cc15f3bd9b9ecd6120a71566524cede08b8a603d

Score

3^/10

Malware Config

Signatures

Writes file to tmp directory 10 IoCs

Malware often drops required files in the /tmp directory.

Processes:

touchtouchtouchtouchtouchtouchtouchtouchtouchtouch

description	ioc	process
File opened for modification	/tmp/.rsync/c/v	touch
File opened for modification	/tmp/.rsync/c/v	touch
File opened for modification	/tmp/.rsync/c/v	touch
File opened for modification	/tmp/.rsync/c/v	touch
File opened for modification	/tmp/.rsync/c/v	touch
File opened for modification	/tmp/.rsync/c/v	touch
File opened for modification	/tmp/.rsync/c/v	touch
File opened for modification	/tmp/.rsync/c/v	touch
File opened for modification	/tmp/.rsync/c/v	touch
File opened for modification	/tmp/.rsync/c/v	touch

/tmp/.rsync/c/go
/tmp/.rsync/c/go
1⤵
PID:1508
- /bin/uname
  uname -m
  2⤵
  PID:1510
- /usr/bin/touch
  touch v
  2⤵
  - Writes file to tmp directory
  PID:1511
- /bin/rm
  rm -rf p
  2⤵
  PID:1512
- /bin/rm
  rm -rf ip
  2⤵
  PID:1513
- /bin/rm
  rm -rf "xtr*"
  2⤵
  PID:1514
- /bin/rm
  rm -rf a "a.*"
  2⤵
  PID:1515
- /bin/rm
  rm -rf b "b.*"
  2⤵
  PID:1516
- /bin/sleep
  sleep 5s
  2⤵
  PID:1517
- /usr/bin/timeout
  timeout 3h ./tsm -t 505 -f 1 -s 9 -S 6 -p 0 -d 1 p ip
  2⤵
  PID:1521
- - /tmp/.rsync/c/tsm
    ./tsm -t 505 -f 1 -s 9 -S 6 -p 0 -d 1 p ip
    3⤵
    PID:1522
- /bin/sleep
  sleep 3
  2⤵
  PID:1523
- /bin/rm
  rm -rf "xtr*"
  2⤵
  PID:1524
- /bin/rm
  rm -rf ip
  2⤵
  PID:1525
- /bin/rm
  rm -rf p
  2⤵
  PID:1526
- /bin/rm
  rm -rf .out
  2⤵
  PID:1527
- /bin/rm
  rm -rf "/tmp/t*"
  2⤵
  PID:1528
- /usr/bin/touch
  touch v
  2⤵
  - Writes file to tmp directory
  PID:1529
- /bin/rm
  rm -rf p
  2⤵
  PID:1530
- /bin/rm
  rm -rf ip
  2⤵
  PID:1531
- /bin/rm
  rm -rf "xtr*"
  2⤵
  PID:1532
- /bin/rm
  rm -rf a "a.*"
  2⤵
  PID:1533
- /bin/rm
  rm -rf b "b.*"
  2⤵
  PID:1534
- /bin/sleep
  sleep 25s
  2⤵
  PID:1535
- /usr/bin/timeout
  timeout 3h ./tsm -t 505 -f 1 -s 9 -S 6 -p 0 -d 1 p ip
  2⤵
  PID:1539
- - /tmp/.rsync/c/tsm
    ./tsm -t 505 -f 1 -s 9 -S 6 -p 0 -d 1 p ip
    3⤵
    PID:1540
- /bin/sleep
  sleep 3
  2⤵
  PID:1541
- /bin/rm
  rm -rf "xtr*"
  2⤵
  PID:1542
- /bin/rm
  rm -rf ip
  2⤵
  PID:1543
- /bin/rm
  rm -rf p
  2⤵
  PID:1544
- /bin/rm
  rm -rf .out
  2⤵
  PID:1545
- /bin/rm
  rm -rf "/tmp/t*"
  2⤵
  PID:1546
- /usr/bin/touch
  touch v
  2⤵
  - Writes file to tmp directory
  PID:1547
- /bin/rm
  rm -rf p
  2⤵
  PID:1548
- /bin/rm
  rm -rf ip
  2⤵
  PID:1549
- /bin/rm
  rm -rf "xtr*"
  2⤵
  PID:1550
- /bin/rm
  rm -rf a "a.*"
  2⤵
  PID:1551
- /bin/rm
  rm -rf b "b.*"
  2⤵
  PID:1552
- /bin/sleep
  sleep 16s
  2⤵
  PID:1553
- /usr/bin/timeout
  timeout 3h ./tsm -t 505 -f 1 -s 9 -S 6 -p 0 -d 1 p ip
  2⤵
  PID:1554
- - /tmp/.rsync/c/tsm
    ./tsm -t 505 -f 1 -s 9 -S 6 -p 0 -d 1 p ip
    3⤵
    PID:1555
- /bin/sleep
  sleep 3
  2⤵
  PID:1556
- /bin/rm
  rm -rf "xtr*"
  2⤵
  PID:1557
- /bin/rm
  rm -rf ip
  2⤵
  PID:1558
- /bin/rm
  rm -rf p
  2⤵
  PID:1559
- /bin/rm
  rm -rf .out
  2⤵
  PID:1560
- /bin/rm
  rm -rf "/tmp/t*"
  2⤵
  PID:1561
- /usr/bin/touch
  touch v
  2⤵
  - Writes file to tmp directory
  PID:1562
- /bin/rm
  rm -rf p
  2⤵
  PID:1563
- /bin/rm
  rm -rf ip
  2⤵
  PID:1564
- /bin/rm
  rm -rf "xtr*"
  2⤵
  PID:1565
- /bin/rm
  rm -rf a "a.*"
  2⤵
  PID:1566
- /bin/rm
  rm -rf b "b.*"
  2⤵
  PID:1567
- /bin/sleep
  sleep 1s
  2⤵
  PID:1568
- /usr/bin/timeout
  timeout 3h ./tsm -t 505 -f 1 -s 9 -S 6 -p 0 -d 1 p ip
  2⤵
  PID:1569
- - /tmp/.rsync/c/tsm
    ./tsm -t 505 -f 1 -s 9 -S 6 -p 0 -d 1 p ip
    3⤵
    PID:1570
- /bin/sleep
  sleep 3
  2⤵
  PID:1571
- /bin/rm
  rm -rf "xtr*"
  2⤵
  PID:1572
- /bin/rm
  rm -rf ip
  2⤵
  PID:1573
- /bin/rm
  rm -rf p
  2⤵
  PID:1574
- /bin/rm
  rm -rf .out
  2⤵
  PID:1575
- /bin/rm
  rm -rf "/tmp/t*"
  2⤵
  PID:1576
- /usr/bin/touch
  touch v
  2⤵
  - Writes file to tmp directory
  PID:1577
- /bin/rm
  rm -rf p
  2⤵
  PID:1578
- /bin/rm
  rm -rf ip
  2⤵
  PID:1579
- /bin/rm
  rm -rf "xtr*"
  2⤵
  PID:1580
- /bin/rm
  rm -rf a "a.*"
  2⤵
  PID:1581
- /bin/rm
  rm -rf b "b.*"
  2⤵
  PID:1582
- /bin/sleep
  sleep 14s
  2⤵
  PID:1583
- /usr/bin/timeout
  timeout 3h ./tsm -t 505 -f 1 -s 9 -S 6 -p 0 -d 1 p ip
  2⤵
  PID:1584
- - /tmp/.rsync/c/tsm
    ./tsm -t 505 -f 1 -s 9 -S 6 -p 0 -d 1 p ip
    3⤵
    PID:1585
- /bin/sleep
  sleep 3
  2⤵
  PID:1586
- /bin/rm
  rm -rf "xtr*"
  2⤵
  PID:1587
- /bin/rm
  rm -rf ip
  2⤵
  PID:1588
- /bin/rm
  rm -rf p
  2⤵
  PID:1589
- /bin/rm
  rm -rf .out
  2⤵
  PID:1590
- /bin/rm
  rm -rf "/tmp/t*"
  2⤵
  PID:1591
- /usr/bin/touch
  touch v
  2⤵
  - Writes file to tmp directory
  PID:1592
- /bin/rm
  rm -rf p
  2⤵
  PID:1593
- /bin/rm
  rm -rf ip
  2⤵
  PID:1594
- /bin/rm
  rm -rf "xtr*"
  2⤵
  PID:1595
- /bin/rm
  rm -rf a "a.*"
  2⤵
  PID:1596
- /bin/rm
  rm -rf b "b.*"
  2⤵
  PID:1597
- /bin/sleep
  sleep 8s
  2⤵
  PID:1598
- /usr/bin/timeout
  timeout 3h ./tsm -t 505 -f 1 -s 9 -S 6 -p 0 -d 1 p ip
  2⤵
  PID:1599
- - /tmp/.rsync/c/tsm
    ./tsm -t 505 -f 1 -s 9 -S 6 -p 0 -d 1 p ip
    3⤵
    PID:1600
- /bin/sleep
  sleep 3
  2⤵
  PID:1601
- /bin/rm
  rm -rf "xtr*"
  2⤵
  PID:1602
- /bin/rm
  rm -rf ip
  2⤵
  PID:1603
- /bin/rm
  rm -rf p
  2⤵
  PID:1604
- /bin/rm
  rm -rf .out
  2⤵
  PID:1605
- /bin/rm
  rm -rf "/tmp/t*"
  2⤵
  PID:1606
- /usr/bin/touch
  touch v
  2⤵
  - Writes file to tmp directory
  PID:1607
- /bin/rm
  rm -rf p
  2⤵
  PID:1608
- /bin/rm
  rm -rf ip
  2⤵
  PID:1609
- /bin/rm
  rm -rf "xtr*"
  2⤵
  PID:1610
- /bin/rm
  rm -rf a "a.*"
  2⤵
  PID:1611
- /bin/rm
  rm -rf b "b.*"
  2⤵
  PID:1612
- /bin/sleep
  sleep 15s
  2⤵
  PID:1613
- /usr/bin/timeout
  timeout 3h ./tsm -t 505 -f 1 -s 9 -S 6 -p 0 -d 1 p ip
  2⤵
  PID:1614
- - /tmp/.rsync/c/tsm
    ./tsm -t 505 -f 1 -s 9 -S 6 -p 0 -d 1 p ip
    3⤵
    PID:1615
- /bin/sleep
  sleep 3
  2⤵
  PID:1616
- /bin/rm
  rm -rf "xtr*"
  2⤵
  PID:1617
- /bin/rm
  rm -rf ip
  2⤵
  PID:1618
- /bin/rm
  rm -rf p
  2⤵
  PID:1619
- /bin/rm
  rm -rf .out
  2⤵
  PID:1620
- /bin/rm
  rm -rf "/tmp/t*"
  2⤵
  PID:1621
- /usr/bin/touch
  touch v
  2⤵
  - Writes file to tmp directory
  PID:1622
- /bin/rm
  rm -rf p
  2⤵
  PID:1623
- /bin/rm
  rm -rf ip
  2⤵
  PID:1624
- /bin/rm
  rm -rf "xtr*"
  2⤵
  PID:1625
- /bin/rm
  rm -rf a "a.*"
  2⤵
  PID:1626
- /bin/rm
  rm -rf b "b.*"
  2⤵
  PID:1627
- /bin/sleep
  sleep 11s
  2⤵
  PID:1628
- /usr/bin/timeout
  timeout 3h ./tsm -t 505 -f 1 -s 9 -S 6 -p 0 -d 1 p ip
  2⤵
  PID:1629
- - /tmp/.rsync/c/tsm
    ./tsm -t 505 -f 1 -s 9 -S 6 -p 0 -d 1 p ip
    3⤵
    PID:1630
- /bin/sleep
  sleep 3
  2⤵
  PID:1631
- /bin/rm
  rm -rf "xtr*"
  2⤵
  PID:1632
- /bin/rm
  rm -rf ip
  2⤵
  PID:1633
- /bin/rm
  rm -rf p
  2⤵
  PID:1634
- /bin/rm
  rm -rf .out
  2⤵
  PID:1635
- /bin/rm
  rm -rf "/tmp/t*"
  2⤵
  PID:1636
- /usr/bin/touch
  touch v
  2⤵
  - Writes file to tmp directory
  PID:1637
- /bin/rm
  rm -rf p
  2⤵
  PID:1638
- /bin/rm
  rm -rf ip
  2⤵
  PID:1639
- /bin/rm
  rm -rf "xtr*"
  2⤵
  PID:1640
- /bin/rm
  rm -rf a "a.*"
  2⤵
  PID:1641
- /bin/rm
  rm -rf b "b.*"
  2⤵
  PID:1642
- /bin/sleep
  sleep 15s
  2⤵
  PID:1643
- /usr/bin/timeout
  timeout 3h ./tsm -t 505 -f 1 -s 9 -S 6 -p 0 -d 1 p ip
  2⤵
  PID:1644
- - /tmp/.rsync/c/tsm
    ./tsm -t 505 -f 1 -s 9 -S 6 -p 0 -d 1 p ip
    3⤵
    PID:1645
- /bin/sleep
  sleep 3
  2⤵
  PID:1646
- /bin/rm
  rm -rf "xtr*"
  2⤵
  PID:1647
- /bin/rm
  rm -rf ip
  2⤵
  PID:1648
- /bin/rm
  rm -rf p
  2⤵
  PID:1649
- /bin/rm
  rm -rf .out
  2⤵
  PID:1650
- /bin/rm
  rm -rf "/tmp/t*"
  2⤵
  PID:1651
- /usr/bin/touch
  touch v
  2⤵
  - Writes file to tmp directory
  PID:1652
- /bin/rm
  rm -rf p
  2⤵
  PID:1653
- /bin/rm
  rm -rf ip
  2⤵
  PID:1654
- /bin/rm
  rm -rf "xtr*"
  2⤵
  PID:1655
- /bin/rm
  rm -rf a "a.*"
  2⤵
  PID:1656
- /bin/rm
  rm -rf b "b.*"
  2⤵
  PID:1657
- /bin/sleep
  sleep 24s
  2⤵
  PID:1658

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads