Analysis

  • max time kernel
    20s
  • max time network
    22s
  • platform
    ubuntu-22.04_amd64
  • resource
    ubuntu2204-amd64-20240522.1-en
  • resource tags

    arch:amd64, arch:i386, image:ubuntu2204-amd64-20240522.1-en, kernel:5.15.0-105-generic, locale:en-us, os:ubuntu-22.04-amd64, system
  • submitted
    18-07-2024 17:00

General

  • Target

    929efd52db47fe4723fb8532104b612f82414bc2c48639cfbf1dac69378f76fd

  • Size

    1.5MB

  • MD5

    d340b264abd4a6272e5662e848954114

  • SHA1

    e087a05c85b8b9616446373c1b947a39b28ae106

  • SHA256

    929efd52db47fe4723fb8532104b612f82414bc2c48639cfbf1dac69378f76fd

  • SHA512

    f6ed311f00009d6923c292be098c41c9e4b263c1d4c32952824f378abe2a246fdfe89d9d40c6f0680d4fc33831b70e8a6f422fd4c5dcff58fec855907536ce27

  • SSDEEP

    24576:A49F/LoE5zaI1nGMNmgFUJURqisWctLvvBi1qw2l7X0foIJDYCtuip3GC0:AKxLo2GIxtNHUJUUinsrFafTDltuy0

Malware Config

Signatures

  • Contacts a large number (140785) of remote hosts (1 TTP)

    This may indicate a network scan to discover remotely running services.

  • Creates a large number of network flows (1 TTP)

    This may indicate a network scan to discover remotely running services.

  • Checks hardware identifiers (DMI) (1 TTP, 4 IoCs)

    Checks DMI information, which can indicate whether the system is a virtual machine.

  • Creates/modifies Cron job (1 TTP, 1 IoC)

    Cron allows running tasks on a schedule and is commonly used for malware persistence.

  • Enumerates running processes

    Discovers information about currently running processes on the system.

  • Reads hardware information (1 TTP, 14 IoCs)

    Accesses system information such as serial numbers and manufacturer names.

  • Changes its process name (1 IoC)

  • Checks CPU configuration (1 TTP, 1 IoC)

    Checks CPU information, which can indicate whether the system is a virtual machine.

  • Reads CPU attributes (1 TTP, 45 IoCs)

  • Enumerates kernel/hardware configuration (1 TTP, 27 IoCs)

    Reads the contents of the /sys virtual filesystem to enumerate system information.

  • Reads runtime system information (64 IoCs)

    Reads data from the /proc virtual filesystem.
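The DMI and CPU checks flagged above are ordinary file reads under /sys and /proc, which is why they also show up as "Enumerates kernel/hardware configuration" and "Reads runtime system information". The following is an added example, not the sandbox's or the sample's code, of what such a check looks like and what it sees: it reads the DMI strings the kernel exports under /sys/class/dmi/id and the `hypervisor` flag in /proc/cpuinfo. The report lists only counts of IoCs, not which files were read, so the exact files and the hypervisor vendor strings matched here are assumptions. Both paths are arguments so the functions can run over a snapshot; the KVM-guest and bare-metal snapshots at the bottom are constructed for the stand-alone run.

```shell
#!/bin/sh
# Added example (not the report's or the sample's code): the kind of check
# behind the "Checks hardware identifiers (DMI)" / "Checks CPU configuration"
# signatures. Reads the DMI strings under a sysfs DMI directory and the
# "hypervisor" CPUID flag from a cpuinfo file. Paths are arguments so the
# same functions run on a live host (/sys/class/dmi/id, /proc/cpuinfo) or on
# a snapshot.

# vm_indicators DMI_DIR CPUINFO_FILE
# Prints one indicator per line; prints nothing when none is found.
vm_indicators() {
    dmi_dir=$1
    cpuinfo=$2
    for f in sys_vendor product_name board_vendor bios_vendor; do
        [ -r "$dmi_dir/$f" ] || continue
        val=$(cat "$dmi_dir/$f")
        # Vendor strings of common hypervisors (assumed list; extend as needed).
        case "$val" in
            *QEMU*|*KVM*|*VMware*|*VirtualBox*|*innotek*|*Xen*|*Bochs*|*"Microsoft Corporation"*)
                printf 'dmi:%s=%s\n' "$f" "$val" ;;
        esac
    done
    # The kernel lists "hypervisor" in the cpuinfo flags when CPUID reports one.
    if [ -r "$cpuinfo" ] &&
       grep -qE '^flags[[:space:]]*:.*[[:space:]]hypervisor([[:space:]]|$)' "$cpuinfo"; then
        printf 'cpu:flags=hypervisor\n'
    fi
}

# is_vm DMI_DIR CPUINFO_FILE: succeeds (exit 0) if any indicator is present.
is_vm() {
    [ -n "$(vm_indicators "$1" "$2")" ]
}

# Constructed snapshot of a KVM guest so the example runs without root or a VM.
make_kvm_snapshot() {
    dir=$(mktemp -d)
    mkdir -p "$dir/dmi"
    printf 'QEMU\n' > "$dir/dmi/sys_vendor"
    printf 'Standard PC (i440FX + PIIX, 1996)\n' > "$dir/dmi/product_name"
    printf 'flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep hypervisor lahf_lm\n' > "$dir/cpuinfo"
    printf '%s\n' "$dir"
}

# Constructed snapshot of a physical host: no hypervisor strings and no flag.
make_baremetal_snapshot() {
    dir=$(mktemp -d)
    mkdir -p "$dir/dmi"
    printf 'Dell Inc.\n' > "$dir/dmi/sys_vendor"
    printf 'PowerEdge R640\n' > "$dir/dmi/product_name"
    printf 'flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep lahf_lm\n' > "$dir/cpuinfo"
    printf '%s\n' "$dir"
}

snap=$(make_kvm_snapshot)
vm_indicators "$snap/dmi" "$snap/cpuinfo"
# Live host: vm_indicators /sys/class/dmi/id /proc/cpuinfo
```

Run against the KVM snapshot it prints `dmi:sys_vendor=QEMU` and `cpu:flags=hypervisor`; against the bare-metal snapshot it prints nothing. If a sandbox is to survive this kind of check, it is these strings and this flag that have to be hidden from the guest.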

Processes

  • /tmp/929efd52db47fe4723fb8532104b612f82414bc2c48639cfbf1dac69378f76fd
    /tmp/929efd52db47fe4723fb8532104b612f82414bc2c48639cfbf1dac69378f76fd
    1⤵
    • Checks hardware identifiers (DMI)
    • Reads hardware information
    • Checks CPU configuration
    • Reads CPU attributes
    • Enumerates kernel/hardware configuration
    • Reads runtime system information
    PID:1549

    • /bin/sh
      sh -c "command -v crontab >/dev/null 2>&1"
      2⤵
      PID:1560

    • /bin/sh
      sh -c "crontab -r >/dev/null 2>&1; echo \"@reboot /tmp/929efd52db47fe4723fb8532104b612f82414bc2c48639cfbf1dac69378f76fd\" | crontab -"
      2⤵
      PID:1561

      • /usr/bin/crontab
        crontab -r
        3⤵
        PID:1562

      • /usr/bin/crontab
        crontab -
        3⤵
        • Creates/modifies Cron job
        PID:1564

    • /bin/sh
      sh -c "iptables -I INPUT -p tcp --dport 16082 -j ACCEPT >/dev/null 2>&1"
      2⤵
      PID:1565

    • /bin/sh
      sh -c "command -v php >/dev/null 2>&1"
      2⤵
      PID:1566

    • /bin/sh
      sh -c "command -v nginx >/dev/null 2>&1"
      2⤵
      PID:1567

    • /bin/sh
      sh -c "which apache2"
      2⤵
      PID:1568

      • /usr/bin/which
        which apache2
        3⤵
        PID:1569

    • /bin/sh
      sh -c "which httpd"
      2⤵
      PID:1570

      • /usr/bin/which
        which httpd
        3⤵
        PID:1571
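Two of the child commands change the host. `crontab -r` deletes whatever crontab the user already had, then `echo "@reboot /tmp/<sha256>" | crontab -` installs a table whose only entry re-launches the sample from /tmp at boot (the 253-byte /var/spool/cron/crontabs/tmp.0wODH5 listed under Downloads is the temporary file crontab(1) writes before moving the new table into place), and `iptables -I INPUT -p tcp --dport 16082 -j ACCEPT` inserts an accept rule for inbound TCP 16082 ahead of any existing INPUT rules. The remaining children only test whether crontab, php, nginx, apache2 and httpd exist. The script below is an added example, not the sandbox's or the sample's code, that hunts for both changes on a host: the scratch-directory list and the allowlisted ports are assumptions, the crontab and `iptables -S INPUT` text at the bottom is constructed rather than captured from this run, and `scan_host` (Debian/Ubuntu spool path, needs root) is the live-host wrapper.

```shell
#!/bin/sh
# Added example (not the sandbox's or the sample's code): hunt for the two
# host changes in the process tree above, a user crontab replaced with a
# single "@reboot /tmp/<sample>" entry and an iptables INPUT rule accepting an
# arbitrary TCP port (16082 in this run). The two checks read stdin so they
# can run over captured output as well as a live host.

# Directories from which nothing legitimate should be started at boot
# (assumption; extend for your hosts).
SCRATCH_DIRS='/tmp|/var/tmp|/dev/shm'

# Inbound TCP ports that are expected to be accepted (assumption; site-specific).
ALLOWED_PORTS="22 80 443"

# stdin: a crontab as printed by `crontab -l`.
# Prints @reboot entries whose command lives in a scratch directory.
suspicious_reboot_entries() {
    grep -E "^[[:space:]]*@reboot[[:space:]]+(${SCRATCH_DIRS})/"
}

# stdin: output of `iptables -S INPUT`.
# Prints TCP destination ports with an ACCEPT rule that are not allowlisted.
# `iptables -I INPUT ...` is rendered by `-S` as an `-A INPUT ...` line.
unexpected_accept_ports() {
    sed -nE 's/^-A INPUT .*-p tcp .*--dport ([0-9]+) .*-j ACCEPT$/\1/p' |
    while IFS= read -r port; do
        case " $ALLOWED_PORTS " in
            *" $port "*) ;;                      # allowlisted
            *) printf '%s\n' "$port" ;;
        esac
    done
}

# Live check of every user's crontab plus the INPUT chain. Needs root.
scan_host() {
    for f in /var/spool/cron/crontabs/*; do
        [ -f "$f" ] || continue
        suspicious_reboot_entries < "$f" | sed "s|^|$f: |"
    done
    iptables -S INPUT 2>/dev/null | unexpected_accept_ports |
        sed 's/^/unexpected ACCEPT on tcp dport: /'
}

# --- constructed samples, not captured from the sandbox run ---
SAMPLE_CRONTAB='# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh
@reboot /tmp/929efd52db47fe4723fb8532104b612f82414bc2c48639cfbf1dac69378f76fd
@reboot /opt/agent/bin/agent --daemon'

SAMPLE_IPTABLES='-P INPUT DROP
-A INPUT -p tcp -m tcp --dport 16082 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT'

printf '%s\n' "$SAMPLE_CRONTAB" | suspicious_reboot_entries
printf '%s\n' "$SAMPLE_IPTABLES" | unexpected_accept_ports
# Live host (as root): scan_host
```

On the constructed input it prints the `/tmp/929efd…` @reboot line and the port `16082`; the `/opt/agent` boot entry and the allowlisted port 22 are not reported. Because the sample runs `crontab -r` first, an infected user's previous schedule is gone, so the absence of expected jobs is itself an indicator when triaging a host.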

Network

MITRE ATT&CK Enterprise v15

Downloads

  • /var/spool/cron/crontabs/tmp.0wODH5

    Filesize
    253B

    MD5
    48f1b989ee688246f106eeff4b159c88

    SHA1
    21eb9e76ae7f65de4c7b04c6c001b9732cfb3d90

    SHA256
    7290d519e098c0dabc1c80d760cb34d99e1c2c5f9b295cbb0e76095f4ed157eb

    SHA512
    ec2b04d5c2cac851ff86f7a852eb6f82960ab6dcf80eeecf99920d9eb6d48d6e945c519b61f840319a55dd9f165a89d03e81589ad1077c34261357306bc7e4f3