7a7bfa4f84e073d45b33ca6d4e5f263d31aa512d124bc6c682029f2b831c7c08

Analysis

max time kernel
2s
platform
debian-9_mips
resource
debian9-mipsbe-20240418-en
resource tags

arch:mipsimage:debian9-mipsbe-20240418-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem
submitted
28-06-2024 12:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

.rsync/a/stop
Size

114B
MD5

b726837db1e4d3a05a4749fdc7a4f9d5
SHA1

793d9bb347cdc6bf99a1a6eeff2a210a6f149734
SHA256

ad46ee339c92694f3d8b072b74eec325e416bbbf305803345d6fc4e787832af6
SHA512

ce24fcc586b0172409352020c07bb49069fa8ffe7e4fb9c3f350c6b2f02c5a997b83dfb6ce6ac35db168434c7f68d0cd95f1ab198d25f2ee6ab9b13067a7ecc4

Score

6^/10

Malware Config

Signatures

Enumerates running processes
Discovers information about currently running processes on the system
Reads CPU attributes 1 TTPs 2 IoCs

System Information Discovery
T1082

Processes:

pkillps

description ioc process

File opened for reading /sys/devices/system/cpu/online pkill
File opened for reading /sys/devices/system/cpu/online ps

description	ioc	process
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

Processes:

pkillpskillall

description	ioc	process
File opened for reading	/proc/18/cmdline	pkill
File opened for reading	/proc/695/status	pkill
File opened for reading	/proc/13/stat	ps
File opened for reading	/proc/22/cmdline	ps
File opened for reading	/proc/37/status	ps
File opened for reading	/proc/69/stat	ps
File opened for reading	/proc/240/cmdline	ps
File opened for reading	/proc/362/stat	ps
File opened for reading	/proc/12/cmdline	pkill
File opened for reading	/proc/159/cmdline	ps
File opened for reading	/proc/14/status	pkill
File opened for reading	/proc/70/cmdline	pkill
File opened for reading	/proc/404/cmdline	pkill
File opened for reading	/proc/20/stat	killall
File opened for reading	/proc/159/stat	killall
File opened for reading	/proc/240/stat	killall
File opened for reading	/proc/668/stat	killall
File opened for reading	/proc/694/cmdline	killall
File opened for reading	/proc/362/stat	killall
File opened for reading	/proc/74/stat	ps
File opened for reading	/proc/700/cmdline	ps
File opened for reading	/proc/159/status	pkill
File opened for reading	/proc/68/stat	killall
File opened for reading	/proc/filesystems	ps
File opened for reading	/proc/722/cmdline	ps
File opened for reading	/proc/733/status	ps
File opened for reading	/proc/3/stat	ps
File opened for reading	/proc/21/status	ps
File opened for reading	/proc/20/status	pkill
File opened for reading	/proc/240/status	pkill
File opened for reading	/proc/668/status	pkill
File opened for reading	/proc/721/cmdline	pkill
File opened for reading	/proc/724/status	ps
File opened for reading	/proc/15/stat	killall
File opened for reading	/proc/19/cmdline	ps
File opened for reading	/proc/20/stat	ps
File opened for reading	/proc/69/status	ps
File opened for reading	/proc/718/status	ps
File opened for reading	/proc/1/status	pkill
File opened for reading	/proc/21/cmdline	pkill
File opened for reading	/proc/4/stat	killall
File opened for reading	/proc/681/status	ps
File opened for reading	/proc/726/cmdline	ps
File opened for reading	/proc/166/cmdline	pkill
File opened for reading	/proc/336/status	pkill
File opened for reading	/proc/336/cmdline	pkill
File opened for reading	/proc/17/stat	killall
File opened for reading	/proc/695/cmdline	killall
File opened for reading	/proc/12/stat	ps
File opened for reading	/proc/17/status	pkill
File opened for reading	/proc/19/stat	killall
File opened for reading	/proc/694/status	pkill
File opened for reading	/proc/722/stat	killall
File opened for reading	/proc/20/cmdline	ps
File opened for reading	/proc/733/cmdline	ps
File opened for reading	/proc/9/cmdline	ps
File opened for reading	/proc/37/cmdline	ps
File opened for reading	/proc/394/cmdline	ps
File opened for reading	/proc/668/cmdline	ps
File opened for reading	/proc/180/cmdline	pkill
File opened for reading	/proc/8/stat	killall
File opened for reading	/proc/718/cmdline	pkill
File opened for reading	/proc/74/stat	killall
File opened for reading	/proc/735/cmdline	ps

Writes file to tmp directory 1 IoCs
Malware often drops required files in the /tmp directory.

Processes:

stop

description ioc process

File opened for modification /tmp/.rsync/a/.proc stop

description	ioc	process
File opened for modification	/tmp/.rsync/a/.proc	stop

/tmp/.rsync/a/stop
/tmp/.rsync/a/stop
1⤵
- Writes file to tmp directory
PID:724
- /usr/bin/pkill
  pkill -9 cron
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:725
- /usr/bin/killall
  killall -9 cron
  2⤵
  - Reads runtime system information
  PID:728
- /bin/ps
  ps x
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:733
- /bin/grep
  grep -v grep
  2⤵
  PID:735
- /bin/grep
  grep cron
  2⤵
  PID:734
- /usr/bin/awk
  awk "{print \$1}"
  2⤵
  PID:736
- /bin/rm
  rm -rf .proc
  2⤵
  PID:737

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads