Analysis Overview
SHA256
1f0323eda8e0ecb09deaaf9200d1c985d431813e19e4d31dd2898d8ad15f8c2d
Threat Level: Shows suspicious behavior
The file vac was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Creates/modifies Cron job
Writes file to system bin folder
Reads runtime system information
Writes file to tmp directory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-05 16:52
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-05 16:52
Reported
2024-09-05 16:55
Platform
ubuntu2404-amd64-20240523-en
Max time kernel
25s
Max time network
132s
Command Line
Signatures
Executes dropped EXE
Creates/modifies Cron job
Writes file to system bin folder
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | /bin/ls | /tmp/vac | N/A |
Reads runtime system information
Writes file to tmp directory
Processes
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | | udp |
Files
/tmp/fileAF7FQ3
| Hash | Value |
|---|---|
| MD5 | 48805d6b82345b2bbb57b35eca8bacf4 |
| SHA1 | 403f8b330080d7ea3e07201710961d1bad872fcd |
| SHA256 | aee1832e7cf60032f2aa3394db506857f2bca4065bf6444eae1426cc6d9c6037 |
| SHA512 | ce361ac513ab1593d18981022d5771e9500b945473b4fa54255cb07650092d7dc679c1b8528a61d8a8b32de61e261e198503f2b8069eb02bab8232d144cffbff |
/etc/cron.hourly/0
| Hash | Value |
|---|---|
| MD5 | 3f006f7f81fc17be7f4a0d3da0fad5de |
| SHA1 | 97a94d3d0654c6551057af3809b52572bd7f9f5d |
| SHA256 | 982f9e0f089b91ba79df723435099df15c72e1201a45010ee60226ab136c93bf |
| SHA512 | 97d2ac0057427b940ada7c0fc805c1966e2535c3c3767ca85fef4a7e0fdc9d4ef9eb133530408b1e439df067881cb317e948ad9bfd487e958a04c97d9db978e0 |
/tmp/fileAF7FQ3
| Hash | Value |
|---|---|
| MD5 | b1d1639bf838956f5a587ff28615de40 |
| SHA1 | a28c606b566f6c71626a71d90d7a0b7cd79a86b4 |
| SHA256 | 1f0323eda8e0ecb09deaaf9200d1c985d431813e19e4d31dd2898d8ad15f8c2d |
| SHA512 | 2d1c2f021a053b2d24974c992bb912c2cc581ab0fdccd81d43b3819610cc88a27beff7e5923e94495a2b0d0ea4c2ff50455f1260d8ca1c73c9594c8b0c9cc4fe |