efb0ae6de36cfc028e88342348def8694bcbfdf3f06dee47d2ab342678ec33cd

Analysis

max time kernel
143s
max time network
151s
platform
ubuntu-22.04_amd64
resource
ubuntu2204-amd64-20240522.1-en
resource tags

arch:amd64arch:i386image:ubuntu2204-amd64-20240522.1-enkernel:5.15.0-105-genericlocale:en-usos:ubuntu-22.04-amd64system
submitted
25/07/2024, 10:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2cpQFAm7HV04FsKexa9uMBzKlDGABg5fBT
Size

95KB
MD5

ae605aef5a4cf0d975f3ad05dec8aa76
SHA1

365a3b3dc25942cafaffa476b754897d5513b069
SHA256

efb0ae6de36cfc028e88342348def8694bcbfdf3f06dee47d2ab342678ec33cd
SHA512

2eedf1ee3fc8a3d4f485a3d52b2a51ba8a6ed6844637a767b80bff6e011ac348ba90fa16498e1cc95405dd2e269ab9451756b0b018da26c91e0e860f0a8d18fc
SSDEEP

1536:dEG6zPYAm0kh6azhyTC9yfbh1+V+LeDdfCJCW9k358ppk+9WGFFc2mHxZ8XoL5lV:dEJKfzhyTWy11A+LeDdECW65kI2mRZ8i

Score

7^/10

persistence

Malware Config

Signatures

Renames itself 1 IoCs

pid
1559

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

persistence

Scheduled Task/Job

T1053

description	ioc	Process
File opened for modification	/var/spool/cron/crontabs/tmp.bisDCe	crontab

Enumerates running processes
Discovers information about currently running processes on the system

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/1259/cmdline	2cpQFAm7HV04FsKexa9uMBzKlDGABg5fBT
File opened for reading	/proc/1582/cmdline	2cpQFAm7HV04FsKexa9uMBzKlDGABg5fBT
File opened for reading	/proc/5/cmdline	2cpQFAm7HV04FsKexa9uMBzKlDGABg5fBT
File opened for reading	/proc/16/cmdline	2cpQFAm7HV04FsKexa9uMBzKlDGABg5fBT
File opened for reading	/proc/1219/cmdline	2cpQFAm7HV04FsKexa9uMBzKlDGABg5fBT
File opened for reading	/proc/14/cmdline	2cpQFAm7HV04FsKexa9uMBzKlDGABg5fBT
File opened for reading	/proc/19/cmdline	2cpQFAm7HV04FsKexa9uMBzKlDGABg5fBT
File opened for reading	/proc/1108/cmdline	2cpQFAm7HV04FsKexa9uMBzKlDGABg5fBT
File opened for reading	/proc/1584/cmdline	2cpQFAm7HV04FsKexa9uMBzKlDGABg5fBT
File opened for reading	/proc/97/cmdline	2cpQFAm7HV04FsKexa9uMBzKlDGABg5fBT
File opened for reading	/proc/213/cmdline	2cpQFAm7HV04FsKexa9uMBzKlDGABg5fBT
File opened for reading	/proc/1218/cmdline	2cpQFAm7HV04FsKexa9uMBzKlDGABg5fBT
File opened for reading	/proc/524/cmdline	2cpQFAm7HV04FsKexa9uMBzKlDGABg5fBT
File opened for reading	/proc/984/cmdline	2cpQFAm7HV04FsKexa9uMBzKlDGABg5fBT
File opened for reading	/proc/77/cmdline	2cpQFAm7HV04FsKexa9uMBzKlDGABg5fBT
File opened for reading	/proc/78/cmdline	2cpQFAm7HV04FsKexa9uMBzKlDGABg5fBT
File opened for reading	/proc/85/cmdline	2cpQFAm7HV04FsKexa9uMBzKlDGABg5fBT
File opened for reading	/proc/1134/cmdline	2cpQFAm7HV04FsKexa9uMBzKlDGABg5fBT
File opened for reading	/proc/90/cmdline	2cpQFAm7HV04FsKexa9uMBzKlDGABg5fBT
File opened for reading	/proc/594/cmdline	2cpQFAm7HV04FsKexa9uMBzKlDGABg5fBT
File opened for reading	/proc/656/cmdline	2cpQFAm7HV04FsKexa9uMBzKlDGABg5fBT
File opened for reading	/proc/852/cmdline	2cpQFAm7HV04FsKexa9uMBzKlDGABg5fBT
File opened for reading	/proc/1059/cmdline	2cpQFAm7HV04FsKexa9uMBzKlDGABg5fBT
File opened for reading	/proc/98/cmdline	2cpQFAm7HV04FsKexa9uMBzKlDGABg5fBT
File opened for reading	/proc/205/cmdline	2cpQFAm7HV04FsKexa9uMBzKlDGABg5fBT
File opened for reading	/proc/1453/cmdline	2cpQFAm7HV04FsKexa9uMBzKlDGABg5fBT
File opened for reading	/proc/92/cmdline	2cpQFAm7HV04FsKexa9uMBzKlDGABg5fBT
File opened for reading	/proc/768/cmdline	2cpQFAm7HV04FsKexa9uMBzKlDGABg5fBT
File opened for reading	/proc/1165/cmdline	2cpQFAm7HV04FsKexa9uMBzKlDGABg5fBT
File opened for reading	/proc/10/cmdline	2cpQFAm7HV04FsKexa9uMBzKlDGABg5fBT
File opened for reading	/proc/1127/cmdline	2cpQFAm7HV04FsKexa9uMBzKlDGABg5fBT
File opened for reading	/proc/15/cmdline	2cpQFAm7HV04FsKexa9uMBzKlDGABg5fBT
File opened for reading	/proc/20/cmdline	2cpQFAm7HV04FsKexa9uMBzKlDGABg5fBT
File opened for reading	/proc/91/cmdline	2cpQFAm7HV04FsKexa9uMBzKlDGABg5fBT
File opened for reading	/proc/660/cmdline	2cpQFAm7HV04FsKexa9uMBzKlDGABg5fBT
File opened for reading	/proc/79/cmdline	2cpQFAm7HV04FsKexa9uMBzKlDGABg5fBT
File opened for reading	/proc/219/cmdline	2cpQFAm7HV04FsKexa9uMBzKlDGABg5fBT
File opened for reading	/proc/224/cmdline	2cpQFAm7HV04FsKexa9uMBzKlDGABg5fBT
File opened for reading	/proc/1066/cmdline	2cpQFAm7HV04FsKexa9uMBzKlDGABg5fBT
File opened for reading	/proc/1499/cmdline	2cpQFAm7HV04FsKexa9uMBzKlDGABg5fBT
File opened for reading	/proc/1334/cmdline	2cpQFAm7HV04FsKexa9uMBzKlDGABg5fBT
File opened for reading	/proc/1515/cmdline	2cpQFAm7HV04FsKexa9uMBzKlDGABg5fBT
File opened for reading	/proc/314/cmdline	2cpQFAm7HV04FsKexa9uMBzKlDGABg5fBT
File opened for reading	/proc/1262/cmdline	2cpQFAm7HV04FsKexa9uMBzKlDGABg5fBT
File opened for reading	/proc/1307/cmdline	2cpQFAm7HV04FsKexa9uMBzKlDGABg5fBT
File opened for reading	/proc/4/cmdline	2cpQFAm7HV04FsKexa9uMBzKlDGABg5fBT
File opened for reading	/proc/1111/cmdline	2cpQFAm7HV04FsKexa9uMBzKlDGABg5fBT
File opened for reading	/proc/748/cmdline	2cpQFAm7HV04FsKexa9uMBzKlDGABg5fBT
File opened for reading	/proc/830/cmdline	2cpQFAm7HV04FsKexa9uMBzKlDGABg5fBT
File opened for reading	/proc/1063/cmdline	2cpQFAm7HV04FsKexa9uMBzKlDGABg5fBT
File opened for reading	/proc/218/cmdline	2cpQFAm7HV04FsKexa9uMBzKlDGABg5fBT
File opened for reading	/proc/426/cmdline	2cpQFAm7HV04FsKexa9uMBzKlDGABg5fBT
File opened for reading	/proc/610/cmdline	2cpQFAm7HV04FsKexa9uMBzKlDGABg5fBT
File opened for reading	/proc/868/cmdline	2cpQFAm7HV04FsKexa9uMBzKlDGABg5fBT
File opened for reading	/proc/1235/cmdline	2cpQFAm7HV04FsKexa9uMBzKlDGABg5fBT
File opened for reading	/proc/1440/cmdline	2cpQFAm7HV04FsKexa9uMBzKlDGABg5fBT
File opened for reading	/proc/88/cmdline	2cpQFAm7HV04FsKexa9uMBzKlDGABg5fBT
File opened for reading	/proc/498/cmdline	2cpQFAm7HV04FsKexa9uMBzKlDGABg5fBT
File opened for reading	/proc/632/cmdline	2cpQFAm7HV04FsKexa9uMBzKlDGABg5fBT
File opened for reading	/proc/93/cmdline	2cpQFAm7HV04FsKexa9uMBzKlDGABg5fBT
File opened for reading	/proc/313/cmdline	2cpQFAm7HV04FsKexa9uMBzKlDGABg5fBT
File opened for reading	/proc/614/cmdline	2cpQFAm7HV04FsKexa9uMBzKlDGABg5fBT
File opened for reading	/proc/972/cmdline	2cpQFAm7HV04FsKexa9uMBzKlDGABg5fBT
File opened for reading	/proc/1158/cmdline	2cpQFAm7HV04FsKexa9uMBzKlDGABg5fBT

/tmp/2cpQFAm7HV04FsKexa9uMBzKlDGABg5fBT
/tmp/2cpQFAm7HV04FsKexa9uMBzKlDGABg5fBT
1⤵
- Reads runtime system information
PID:1558
- /bin/sh
  sh -c "crontab -l"
  2⤵
  PID:1560
- - /usr/bin/crontab
    crontab -l
    3⤵
    PID:1561
- /bin/sh
  sh -c "crontab -"
  2⤵
  PID:1562
- - /usr/bin/crontab
    crontab -
    3⤵
    - Creates/modifies Cron job
    PID:1563

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/var/spool/cron/crontabs/tmp.bisDCe

Filesize
210B

MD5
30b32aa81073ed90f67311cb7de43981

SHA1
d16ba813dcfd3917dfedd9932c7708f4a4bd757d

SHA256
29ffbe22dcc5c04586a17c196dc4729c304305e59ec356a756ecfcdb6f49fe53

SHA512
ac63a90946bcc65b71dcc6fd26605ea9d78e33f4b71fd06c17bfe0216e4a0791fdba60bea3d3cc289c203b4533c51737eb0101390e636540983522ff7db27112

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads