d78f3d1582817ea822a0dd9cf750b5cb32510744dc4521cdd0f1aeef1439c9d7

Analysis

max time kernel
0s
max time network
131s
platform
ubuntu-24.04_amd64
resource
ubuntu2404-amd64-20240523-en
resource tags

arch:amd64arch:i386image:ubuntu2404-amd64-20240523-enkernel:6.8.0-31-genericlocale:en-usos:ubuntu-24.04-amd64system
submitted
13/09/2024, 14:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

powder
Size

6.9MB
MD5

f244c34b5e9d9346b9affc5a8a092fb1
SHA1

251482f4c77c00539580dbfe774dcb5d0fa6b9af
SHA256

d78f3d1582817ea822a0dd9cf750b5cb32510744dc4521cdd0f1aeef1439c9d7
SHA512

badb1f0bd2e4c2cc2461803852f7ff50891f0d8c1a1e60d17078acbc3fcb95d3208335533694ed4a6892fbc784b4e9eaf5d3a5d03404bd38f2eec9d27c9f15d8
SSDEEP

98304:ruv009cWzBGt/8Oh4NIdq/FLLfsF2kUxwv/Cai9vsY9HfMD7zLbuaggKf4xP7RzI:QBcWdEnoIn6xX876pgdP7RzNmx

Score

3^/10

discovery

Malware Config

Signatures

Enumerates kernel/hardware configuration 1 TTPs 2 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

discovery

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/module/apparmor/parameters/enabled	dbus-daemon
File opened for reading	/sys/kernel/security/apparmor/features/dbus/mask	dbus-daemon

Reads runtime system information 9 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/filesystems	dbus-daemon
File opened for reading	/proc/self/fd	dbus-daemon
File opened for reading	/proc/mounts	dbus-daemon
File opened for reading	/proc/self/fd	powder
File opened for reading	/proc/self/fd	dbus-launch
File opened for reading	/proc/2873/attr/apparmor/current	dbus-daemon
File opened for reading	/proc/2867/cmdline	dbus-daemon
File opened for reading	/proc/sys/kernel/cap_last_cap	dbus-daemon
File opened for reading	/proc/2873/status	dbus-daemon

cURL User-Agent 1 IoCs

Uses User-Agent string associated with cURL utility.

description	flow	ioc
HTTP User-Agent header	4	curl/8.5.0

/tmp/powder
/tmp/powder
1⤵
- Reads runtime system information
PID:2867
- /usr/bin/dbus-launch
  dbus-launch --autolaunch 36e6eb39a6fa405996e79cad2731865d --binary-syntax --close-stderr
  2⤵
  - Reads runtime system information
  PID:2869
- - /usr/bin/dbus-daemon
    /usr/bin/dbus-daemon --syslog-only --fork --print-pid 5 --print-address 7 --session
    3⤵
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:2871

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads