031a631b241cd5ab87a08fc6697533f7672b3f9241686b473e6f5df74156d769 | Triage

Analysis

max time kernel
0s
max time network
128s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240611-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240611-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
01-07-2024 07:44

Sharing

Report Analysis Logs

General

Target

.system2/autorun
Size

323B
MD5

c4b224d52fe7b54d48b7c98be4ffd98c
SHA1

a2b545cefdb5cdace314002dd616f4bcb7c506a2
SHA256

528a699fd5986b53cdde84a396c43c5448c552d38518742b6f04ed5dc6abd251
SHA512

aadb23be29a72a59224d237ce9fcf58f3b64d7012bd4e03c460152ee8654772a1a298fc7f34c91ffa35362e1db99267cfa79de2b7827501dc5710a13ac03d699

Score

6^/10

persistence

Malware Config

Signatures

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

Scheduled Task/Job

description	ioc	Process
File opened for modification	/var/spool/cron/crontabs/tmp.pZHHoP	crontab

Writes file to tmp directory 3 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/.system2/m.dir	autorun
File opened for modification	/tmp/.system2/cron.d	autorun
File opened for modification	/tmp/.system2/y2kupdate	autorun

/tmp/.system2/autorun
/tmp/.system2/autorun
1⤵
- Writes file to tmp directory
PID:1495
- /bin/cat
  cat m.dir
  2⤵
  PID:1496
- /usr/bin/crontab
  crontab cron.d
  2⤵
  - Creates/modifies Cron job
  PID:1497
- /bin/grep
  grep y2kupdate
  2⤵
  PID:1501
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1500
- /bin/chmod
  chmod u+x y2kupdate
  2⤵
  PID:1502

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/var/spool/cron/crontabs/tmp.pZHHoP

Filesize
230B

MD5
f21862c4c6e581343f8860e27737b7bd

SHA1
aa1cb37c6026ae2ea6f806fe1bf1fe0b8f8b1136

SHA256
2abacf4d980cafba76dce1d6a227df8900449952aa89ef6013262e40b0a79309

SHA512
8d7dd69648dfc9bbd43c312ed9038505806cc9bf349e1cde2b1e5c7200b79e84c4e74c4c618e0a1acd13a883e610ee9add0aebc3b989376784bf559b977f9abc

Download Submit