faf075c5e7302c3901016a83f8a6d98462b1bdfb08116ae14cfe5f115b716972

Analysis

max time kernel
0s
platform
debian-9_armhf
resource
debian9-armhf-20240611-en
resource tags

arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
22/08/2024, 13:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tester/autorun
Size

317B
MD5

9729c037cb0a32811ba3eb15e3c8a789
SHA1

6e67d4929c0b87dd05afe1b3f5f0aed2852885c4
SHA256

5f03b45dc87f35120fd01f18150d2c3c807c9dc22d9433208d1bd14d5d581260
SHA512

ed9131f48df4f3f6503b38f064ef07c7d9a235280ecf03a0a2852f268b98e42b8b445931536bd4a4a4344fefb8a05594dae094e7e7795c9690ab5ca568b1ff8c

Score

6^/10

persistence

Malware Config

Signatures

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

persistence

Scheduled Task/Job

T1053

description	ioc	Process
File opened for modification	/var/spool/cron/crontabs/tmp.lpxiaj	crontab

Reads runtime system information 2 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/filesystems	crontab
File opened for reading	/proc/filesystems	crontab

Writes file to tmp directory 3 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/tester/mech.dir	autorun
File opened for modification	/tmp/tester/cron.d	autorun
File opened for modification	/tmp/tester/update	autorun

/tmp/tester/autorun
/tmp/tester/autorun
1⤵
- Writes file to tmp directory
PID:657
- /bin/cat
  cat mech.dir
  2⤵
  PID:658
- /usr/bin/crontab
  crontab cron.d
  2⤵
  - Creates/modifies Cron job
  - Reads runtime system information
  PID:660
- /bin/grep
  grep update
  2⤵
  PID:671
- /usr/bin/crontab
  crontab -l
  2⤵
  - Reads runtime system information
  PID:670
- /bin/chmod
  chmod u+x update
  2⤵
  PID:675

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/tester/cron.d

Filesize
45B

MD5
a275da406434473f3e5712053a38d5c2

SHA1
faf622d40fc722349f177f2c8554b3565817570c

SHA256
61733c8b81c0764fab5313dbebe900d5d48099872414e058f5ddb31f6960e47e

SHA512
e7ae5e048544013e3b8b7df8475a147a5dd219a218bb7ba07dc883c0168e9a0e3c9b4572f06f35a31bfebc5b616f85567cf63c0bf98c5ad86c7659de5a88d482

Download Submit
/tmp/tester/mech.dir

Filesize
12B

MD5
40b07cb4d30c0d07400477cc3e92ec27

SHA1
fec1aecbc853d4db1e50fedb97cc1c837fe2092f

SHA256
706ae146173a1b30f3fe83d9622cb6402ed4bd0ab4e87e9739ccedd83537cf17

SHA512
09f46d20da1efc2ef20d201275f5a7911c2c847ba9ef24543800a4e3d59c8ddeeef97e091b3d849d21bfb017e4e275c5aded01862b4e475794630726706b3ff0

Download Submit
/tmp/tester/update

Filesize
163B

MD5
7b30771736c3a8c86b9b965affac602a

SHA1
16c28dacb5c74878f39fc690d1ffc7cebcd30fd7

SHA256
143ac169f184a3373f142bcb0d8f7b5e83d30ef7f02db65c8ad28d4471ad1c51

SHA512
8677da7c71e261e0f4b62c433a8889752a02f3b229ebc98251f2285137318e9eb0840bfd5f282ec33c79ad510d607268d8429ee0687dd0d88fd2808dbe6594c4

Download Submit
/var/spool/cron/crontabs/tmp.lpxiaj

Filesize
225B

MD5
9279861baffcc7b4b34691d23aeef9bc

SHA1
5dcd15b6315f5e4b90429d08120ab5c5c9ec52d2

SHA256
60d07c8558f2285cf25d194b03fac2673ece6655f61803fd7a58e8d096eb27ef

SHA512
6c9556e3822f78b3094c45533406d2e48c0f28555f48a7956d6f30060f802cf0789f89db89f7dfa0ce0f5b9aec928f73438fa650e87f2634e5191fd511d2d915

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads