Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    1s
  • platform
    debian-9_mipsel
  • resource
    debian9-mipsel-20240418-en
  • resource tags

    arch:mipselimage:debian9-mipsel-20240418-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem
  • submitted
    01/07/2024, 07:44

General

  • Target

    .system2/autorun

  • Size

    323B

  • MD5

    c4b224d52fe7b54d48b7c98be4ffd98c

  • SHA1

    a2b545cefdb5cdace314002dd616f4bcb7c506a2

  • SHA256

    528a699fd5986b53cdde84a396c43c5448c552d38518742b6f04ed5dc6abd251

  • SHA512

    aadb23be29a72a59224d237ce9fcf58f3b64d7012bd4e03c460152ee8654772a1a298fc7f34c91ffa35362e1db99267cfa79de2b7827501dc5710a13ac03d699

Score
6/10

Malware Config

Signatures

  • Creates/modifies Cron job 1 TTPs 1 IoCs

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

  • Reads runtime system information 2 IoCs

    Reads data from /proc virtual filesystem.

  • Writes file to tmp directory 3 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/.system2/autorun
    /tmp/.system2/autorun
    1⤵
    • Writes file to tmp directory
    PID:713
    • /bin/cat
      cat m.dir
      2⤵
        PID:715
      • /usr/bin/crontab
        crontab cron.d
        2⤵
        • Creates/modifies Cron job
        • Reads runtime system information
        PID:717
      • /bin/grep
        grep y2kupdate
        2⤵
          PID:723
        • /usr/bin/crontab
          crontab -l
          2⤵
          • Reads runtime system information
          PID:722
        • /bin/chmod
          chmod u+x y2kupdate
          2⤵
            PID:728

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • /var/spool/cron/crontabs/tmp.XRH3Hx

          Filesize

          230B

          MD5

          f21862c4c6e581343f8860e27737b7bd

          SHA1

          aa1cb37c6026ae2ea6f806fe1bf1fe0b8f8b1136

          SHA256

          2abacf4d980cafba76dce1d6a227df8900449952aa89ef6013262e40b0a79309

          SHA512

          8d7dd69648dfc9bbd43c312ed9038505806cc9bf349e1cde2b1e5c7200b79e84c4e74c4c618e0a1acd13a883e610ee9add0aebc3b989376784bf559b977f9abc