29095ae1431f6c1f158fdd6976c5505df56bc0a31bc05d0ccb6bb591ed48e0ac

Resubmissions

23/07/2024, 21:32

240723-1d16aazdjk 1

23/07/2024, 21:32

240723-1dsh5ssgkh 6

23/07/2024, 21:10

240723-z1hrsasakd 1

Analysis

max time kernel
0s
max time network
387s
platform
ubuntu-22.04_amd64
resource
ubuntu2204-amd64-20240611-en
resource tags

arch:amd64arch:i386image:ubuntu2204-amd64-20240611-enkernel:5.15.0-105-genericlocale:en-usos:ubuntu-22.04-amd64system
submitted
23/07/2024, 21:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

.s/autorun
Size

317B
MD5

9729c037cb0a32811ba3eb15e3c8a789
SHA1

6e67d4929c0b87dd05afe1b3f5f0aed2852885c4
SHA256

5f03b45dc87f35120fd01f18150d2c3c807c9dc22d9433208d1bd14d5d581260
SHA512

ed9131f48df4f3f6503b38f064ef07c7d9a235280ecf03a0a2852f268b98e42b8b445931536bd4a4a4344fefb8a05594dae094e7e7795c9690ab5ca568b1ff8c

Score

6^/10

persistence

Malware Config

Signatures

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

persistence

Scheduled Task/Job

T1053

description	ioc	Process
File opened for modification	/var/spool/cron/crontabs/tmp.fHdqea	crontab

Reads runtime system information 1 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/self/maps	grep

Writes file to tmp directory 3 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/.s/update	autorun
File opened for modification	/tmp/.s/mech.dir	autorun
File opened for modification	/tmp/.s/cron.d	autorun

/tmp/.s/autorun
/tmp/.s/autorun
1⤵
- Writes file to tmp directory
PID:1558
- /usr/bin/cat
  cat mech.dir
  2⤵
  PID:1562
- /usr/bin/crontab
  crontab cron.d
  2⤵
  - Creates/modifies Cron job
  PID:1567
- /usr/bin/grep
  grep update
  2⤵
  - Reads runtime system information
  PID:1573
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1572
- /usr/bin/chmod
  chmod u+x update
  2⤵
  PID:1581

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/.s/cron.d

Filesize
41B

MD5
918bb22c9d8f4d6bc48bbde6451067b6

SHA1
54672c3089566f969a99e3fab0f5996d73d0a581

SHA256
3e8a094fbd96df43a789a0bcc8f0b833a8bbc575e25d901dfc6871a7a374aaa8

SHA512
8297d93803154fca7f0f3fde540ba0eadab94d8c2c8a76e00f3820bf86aaaea61de5cbf4705542f08472eb79fff0161f91791ee73c744624a16669ae9b500416

Download Submit
/tmp/.s/mech.dir

Filesize
8B

MD5
0cdf25c6050af6758248cee5159d3502

SHA1
19877818f5c5154938a826f44090dae3df4fcd32

SHA256
fbbf1a760bb420db43d7620fa0183d9f130c96ab699d806e0c4793f9cdf38603

SHA512
7cca255e79513d07a620a09153016f8e51521b7bb7b664a32a9ef1824e8158946263ec422dbdc4fcaa96c0f72c23b42e445e02fa1acbff9797e1b390238910d5

Download Submit
/tmp/.s/update

Filesize
151B

MD5
bd2595e193a1d3d81987a61cd02ae755

SHA1
5d62c0609217b26d970ead328027fa45524450d1

SHA256
247fe2ff6c4c7bd0fb7ce3bbe67c827f225a3764f388b2ef5dc7547afaf4230e

SHA512
7938717b1c06d1caccf61cbb3c1a45ac5ae4f27f0bf2f0b2959658795971b6242ffdc8cd141541ad4efa6ea433a8660f5862dfbf83898e99f3c1f37a95ea32a7

Download Submit
/var/spool/cron/crontabs/tmp.fHdqea

Filesize
221B

MD5
ceb2a5445dffc9e87ef39e9bce2ed324

SHA1
08f4ba10cee8b85217acb1393202cc293a5c209b

SHA256
6f403cd89299973d263ae44f06907d029a951fd6c85fbd47f2b45ac9fa76eb8b

SHA512
6a3fb99f3455a61f5c50b4a42397e1b86e754ffaec1185c4df90114d6c91805927b82c32f5e57c876b99b7d3383531164fced6a8956a922361c8b8ff17655e53

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads