29f2a7e4500ae2f34dd7b62d6616e2de3ca89d5c87b1e76184f2e4ab52e002f5

Analysis

max time kernel
149s
max time network
150s
platform
ubuntu-24.04_amd64
resource
ubuntu2404-amd64-20240523-en
resource tags

arch:amd64arch:i386image:ubuntu2404-amd64-20240523-enkernel:6.8.0-31-genericlocale:en-usos:ubuntu-24.04-amd64system
submitted
18-10-2024 07:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

490eb7a7e1e1ed361801e18128206ab9
Size

1.2MB
MD5

490eb7a7e1e1ed361801e18128206ab9
SHA1

ed40d1d0313b032b5cf12ed43fbf01e3d4a83bbe
SHA256

29f2a7e4500ae2f34dd7b62d6616e2de3ca89d5c87b1e76184f2e4ab52e002f5
SHA512

605fc001e7cc8cfe1346e9e0cd2ad544b0834d49b3023d4ab58bf574d53cc52ce5d0e853a8e4acadffd948bed1f7ec936cf919a714a2fa91e163d546325d8fd8
SSDEEP

24576:e845rGHu6gVJKG75oFpA0VWeX462y1q2rJp0:745vRVJKGtSA0VWeo5u9p0

Score

7^/10

defense_evasion discovery persistence rootkit

Malware Config

Signatures

File and Directory Permissions Modification 1 TTPs 6 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

Processes:

chmodchmodchmodchmodchmodchmod

pid	Process
2560	chmod
2570	chmod
2580	chmod
2590	chmod
2598	chmod
2606	chmod

Executes dropped EXE 2 IoCs

Processes:

getty.sshd

ioc	pid	Process
/usr/bin/bsd-port/getty	2528	getty
/usr/bin/.sshd	2547	.sshd

Loads a kernel module 64 IoCs

Loads a Linux kernel module, potentially to achieve persistence

rootkit

Processes:

490eb7a7e1e1ed361801e18128206ab9getty.sshd

pid	Process
2486	490eb7a7e1e1ed361801e18128206ab9
2489	490eb7a7e1e1ed361801e18128206ab9
2504	490eb7a7e1e1ed361801e18128206ab9
2489	490eb7a7e1e1ed361801e18128206ab9
2489	490eb7a7e1e1ed361801e18128206ab9
2506	490eb7a7e1e1ed361801e18128206ab9
2489	490eb7a7e1e1ed361801e18128206ab9
2489	490eb7a7e1e1ed361801e18128206ab9
2508	490eb7a7e1e1ed361801e18128206ab9
2489	490eb7a7e1e1ed361801e18128206ab9
2489	490eb7a7e1e1ed361801e18128206ab9
2510	490eb7a7e1e1ed361801e18128206ab9
2489	490eb7a7e1e1ed361801e18128206ab9
2489	490eb7a7e1e1ed361801e18128206ab9
2512	490eb7a7e1e1ed361801e18128206ab9
2489	490eb7a7e1e1ed361801e18128206ab9
2489	490eb7a7e1e1ed361801e18128206ab9
2520	490eb7a7e1e1ed361801e18128206ab9
2489	490eb7a7e1e1ed361801e18128206ab9
2489	490eb7a7e1e1ed361801e18128206ab9
2522	490eb7a7e1e1ed361801e18128206ab9
2489	490eb7a7e1e1ed361801e18128206ab9
2489	490eb7a7e1e1ed361801e18128206ab9
2524	490eb7a7e1e1ed361801e18128206ab9
2489	490eb7a7e1e1ed361801e18128206ab9
2526	490eb7a7e1e1ed361801e18128206ab9
2527	490eb7a7e1e1ed361801e18128206ab9
2528	getty
2526	490eb7a7e1e1ed361801e18128206ab9
2489	490eb7a7e1e1ed361801e18128206ab9
2530	490eb7a7e1e1ed361801e18128206ab9
2489	490eb7a7e1e1ed361801e18128206ab9
2489	490eb7a7e1e1ed361801e18128206ab9
2532	490eb7a7e1e1ed361801e18128206ab9
2489	490eb7a7e1e1ed361801e18128206ab9
2489	490eb7a7e1e1ed361801e18128206ab9
2534	490eb7a7e1e1ed361801e18128206ab9
2489	490eb7a7e1e1ed361801e18128206ab9
2529	getty
2536	getty
2529	getty
2529	getty
2538	getty
2529	getty
2529	getty
2540	getty
2529	getty
2529	getty
2542	getty
2544	490eb7a7e1e1ed361801e18128206ab9
2545	490eb7a7e1e1ed361801e18128206ab9
2529	getty
2529	getty
2546	getty
2547	.sshd
2529	getty
2529	getty
2549	getty
2529	getty
2529	getty
2551	getty
2529	getty
2529	getty
2553	getty

Write file to user bin folder 8 IoCs

persistence

Processes:

cpcpcpcpcpcpcpcp

description	ioc	Process
File opened for modification	/usr/bin/dpkgd/ss	cp
File opened for modification	/usr/bin/lsof	cp
File opened for modification	/usr/bin/ps	cp
File opened for modification	/usr/bin/ss	cp
File opened for modification	/usr/bin/bsd-port/getty	cp
File opened for modification	/usr/bin/.sshd	cp
File opened for modification	/usr/bin/dpkgd/lsof	cp
File opened for modification	/usr/bin/dpkgd/ps	cp

Writes file to system bin folder 3 IoCs

Processes:

cpcpcp

description	ioc	Process
File opened for modification	/bin/lsof	cp
File opened for modification	/bin/ps	cp
File opened for modification	/bin/ss	cp

Enumerates kernel/hardware configuration 1 TTPs 2 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

discovery

System Information Discovery

T1082

Processes:

insmodinsmod

description	ioc	Process
File opened for reading	/sys/module/compression	insmod
File opened for reading	/sys/module/compression	insmod

Reads runtime system information 30 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

mkdircpcpcpmkdirmkdirmkdirmkdirmkdirmkdircpcpmkdircpcpmkdirmkdirmkdirmkdirmkdirinsmodmkdircpmkdircpcpmkdircpmkdirinsmod

description	ioc	Process
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/cmdline	insmod
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/cmdline	insmod

/tmp/490eb7a7e1e1ed361801e18128206ab9
/tmp/490eb7a7e1e1ed361801e18128206ab9
1⤵
- Loads a kernel module
PID:2486
- /usr/bin/ln
  ln -s /etc/init.d/DbSecuritySpt /etc/rc1.d/S97DbSecuritySpt
  2⤵
  PID:2505
- /usr/bin/ln
  ln -s /etc/init.d/DbSecuritySpt /etc/rc2.d/S97DbSecuritySpt
  2⤵
  PID:2507
- /usr/bin/ln
  ln -s /etc/init.d/DbSecuritySpt /etc/rc3.d/S97DbSecuritySpt
  2⤵
  PID:2509
- /usr/bin/ln
  ln -s /etc/init.d/DbSecuritySpt /etc/rc4.d/S97DbSecuritySpt
  2⤵
  PID:2511
- /usr/bin/ln
  ln -s /etc/init.d/DbSecuritySpt /etc/rc5.d/S97DbSecuritySpt
  2⤵
  PID:2513
- /usr/bin/mkdir
  mkdir -p /usr/bin/bsd-port
  2⤵
  - Reads runtime system information
  PID:2521
- /usr/bin/mkdir
  mkdir -p /usr/bin/bsd-port
  2⤵
  - Reads runtime system information
  PID:2523
- /usr/bin/cp
  cp -f /tmp/490eb7a7e1e1ed361801e18128206ab9 /usr/bin/bsd-port/getty
  2⤵
  - Write file to user bin folder
  - Reads runtime system information
  PID:2525
- /usr/bin/bsd-port/getty
  /usr/bin/bsd-port/getty
  2⤵
  - Executes dropped EXE
  - Loads a kernel module
  PID:2528
- - /usr/bin/ln
    ln -s /etc/init.d/selinux /etc/rc1.d/S99selinux
    3⤵
    PID:2537
- - /usr/bin/ln
    ln -s /etc/init.d/selinux /etc/rc2.d/S99selinux
    3⤵
    PID:2539
- - /usr/bin/ln
    ln -s /etc/init.d/selinux /etc/rc3.d/S99selinux
    3⤵
    PID:2541
- - /usr/bin/ln
    ln -s /etc/init.d/selinux /etc/rc4.d/S99selinux
    3⤵
    PID:2543
- - /usr/bin/ln
    ln -s /etc/init.d/selinux /etc/rc5.d/S99selinux
    3⤵
    PID:2548
- - /usr/bin/mkdir
    mkdir -p /usr/bin/dpkgd
    3⤵
    - Reads runtime system information
    PID:2550
- - /usr/bin/cp
    cp -f /bin/lsof /usr/bin/dpkgd/lsof
    3⤵
    - Write file to user bin folder
    - Reads runtime system information
    PID:2552
- - /usr/bin/mkdir
    mkdir -p /bin
    3⤵
    - Reads runtime system information
    PID:2554
- - /usr/bin/mkdir
    mkdir -p /bin
    3⤵
    - Reads runtime system information
    PID:2556
- - /usr/bin/cp
    cp -f /usr/bin/bsd-port/getty /bin/lsof
    3⤵
    - Writes file to system bin folder
    - Reads runtime system information
    PID:2558
- - /usr/bin/chmod
    chmod 0755 /bin/lsof
    3⤵
    - File and Directory Permissions Modification
    PID:2560
- - /usr/bin/cp
    cp -f /bin/ps /usr/bin/dpkgd/ps
    3⤵
    - Write file to user bin folder
    - Reads runtime system information
    PID:2562
- - /usr/bin/mkdir
    mkdir -p /bin
    3⤵
    - Reads runtime system information
    PID:2564
- - /usr/bin/mkdir
    mkdir -p /bin
    3⤵
    - Reads runtime system information
    PID:2566
- - /usr/bin/cp
    cp -f /usr/bin/bsd-port/getty /bin/ps
    3⤵
    - Writes file to system bin folder
    - Reads runtime system information
    PID:2568
- - /usr/bin/chmod
    chmod 0755 /bin/ps
    3⤵
    - File and Directory Permissions Modification
    PID:2570
- - /usr/bin/cp
    cp -f /bin/ss /usr/bin/dpkgd/ss
    3⤵
    - Write file to user bin folder
    - Reads runtime system information
    PID:2572
- - /usr/bin/mkdir
    mkdir -p /bin
    3⤵
    - Reads runtime system information
    PID:2574
- - /usr/bin/mkdir
    mkdir -p /bin
    3⤵
    - Reads runtime system information
    PID:2576
- - /usr/bin/cp
    cp -f /usr/bin/bsd-port/getty /bin/ss
    3⤵
    - Writes file to system bin folder
    - Reads runtime system information
    PID:2578
- - /usr/bin/chmod
    chmod 0755 /bin/ss
    3⤵
    - File and Directory Permissions Modification
    PID:2580
- - /usr/bin/mkdir
    mkdir -p /usr/bin
    3⤵
    - Reads runtime system information
    PID:2582
- - /usr/bin/mkdir
    mkdir -p /usr/bin
    3⤵
    - Reads runtime system information
    PID:2584
- - /usr/bin/cp
    cp -f /usr/bin/bsd-port/getty /usr/bin/lsof
    3⤵
    - Write file to user bin folder
    - Reads runtime system information
    PID:2587
- - /usr/bin/chmod
    chmod 0755 /usr/bin/lsof
    3⤵
    - File and Directory Permissions Modification
    PID:2590
- - /usr/bin/mkdir
    mkdir -p /usr/bin
    3⤵
    - Reads runtime system information
    PID:2592
- - /usr/bin/mkdir
    mkdir -p /usr/bin
    3⤵
    - Reads runtime system information
    PID:2594
- - /usr/bin/cp
    cp -f /usr/bin/bsd-port/getty /usr/bin/ps
    3⤵
    - Write file to user bin folder
    - Reads runtime system information
    PID:2596
- - /usr/bin/chmod
    chmod 0755 /usr/bin/ps
    3⤵
    - File and Directory Permissions Modification
    PID:2598
- - /usr/bin/mkdir
    mkdir -p /usr/bin
    3⤵
    - Reads runtime system information
    PID:2600
- - /usr/bin/mkdir
    mkdir -p /usr/bin
    3⤵
    - Reads runtime system information
    PID:2602
- - /usr/bin/cp
    cp -f /usr/bin/bsd-port/getty /usr/bin/ss
    3⤵
    - Write file to user bin folder
    - Reads runtime system information
    PID:2604
- - /usr/bin/chmod
    chmod 0755 /usr/bin/ss
    3⤵
    - File and Directory Permissions Modification
    PID:2606
- - /usr/sbin/insmod
    insmod /usr/bin/bsd-port/xpacket.ko
    3⤵
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:2618
- /usr/bin/mkdir
  mkdir -p /usr/bin
  2⤵
  - Reads runtime system information
  PID:2531
- /usr/bin/mkdir
  mkdir -p /usr/bin
  2⤵
  - Reads runtime system information
  PID:2533
- /usr/bin/cp
  cp -f /tmp/490eb7a7e1e1ed361801e18128206ab9 /usr/bin/.sshd
  2⤵
  - Write file to user bin folder
  - Reads runtime system information
  PID:2535
- /usr/bin/.sshd
  /usr/bin/.sshd
  2⤵
  - Executes dropped EXE
  - Loads a kernel module
  PID:2547
- /usr/sbin/insmod
  insmod /tmp/xpacket.ko
  2⤵
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/init.d/DbSecuritySpt

Filesize
50B

MD5
96329015732cac37c9654718bc42a394

SHA1
fa254af7cb1937fa3df97e936c310d2fd51c4c5d

SHA256
a07abcf19047e7a8be54826c6137c46644f6962bef0a47200c5a0a70bfc31baa

SHA512
c769d8b91245a5c1f83eacfe9e4aea5d13ed06f4c06a6430af55194180130dd9f4b5f38741815a0dc641d74a35fac83c7346e3019cdc45a2c670fd8f134c0b15

Download Submit
/etc/init.d/selinux

Filesize
36B

MD5
993cc15058142d96c3daf7852c3d5ee8

SHA1
0950b8b391b04dd3895ea33cd3141543ebd2525d

SHA256
8171d077918611803d93088409f220c66fae1c670b297e1aa5d8cbd548ce9208

SHA512
0c4256c00a3710f97e92581b552682b36b62afc35fe72622c491323c618c19ea62611ac04ccafc3dfcde2254a2ebbd93b69b66795b16e36332293bed83adb928

Download Submit
/tmp/conf.n

Filesize
73B

MD5
74efbb3606608a8d5dbc8c9dd7267b8c

SHA1
0559beb1c25400b33187bce43a529be55a77d981

SHA256
9deed24cd195b934e0162766aa19c11e8ebb8ebe6d73af6f2fdcd23e80ce1a68

SHA512
95eb0d723142c128acd7c2a8291fb35d136254abc5f8a18c4ed0aa7e684aee4897f4f3343084c67e21283658b0a8d7cf983ac5c54dcc464f326b4f3f710d6810

Download Submit
/tmp/gates.lod

Filesize
4B

MD5
3430095c577593aad3c39c701712bcfe

SHA1
d892229a4b224bd077941152ae8f73836f5066fc

SHA256
9a1cfcffdce419d6f29a75e409e7777545f08520c667e460803db230c2ab3830

SHA512
7f852af98268c140ca25db521608ab5e64500e7adeb460362fc312c4fb553492cb90e041d0399357585e91dc7ae30e7907221fc5ef09cb52f56a02d91580da69

Download Submit
/tmp/moni.lod

Filesize
4B

MD5
36e729ec173b94133d8fa552e4029f8b

SHA1
e6549306ad041a692cb3143eb8ef7d59092d3479

SHA256
385ad5955fc20f7fd6544898222a92a22c0142d87f737e5ca06b4e837a037d7f

SHA512
c8bbfc4783979befaeb35ef63094276abc055fe1481eafbb5f8eb83cf832d326263b3821aec171261b38f27f6cf3c621e51cb5b2f74bf439713c2116a027f0aa

Download Submit
/tmp/notify.file

Filesize
37B

MD5
208b0b2deb0d2ba289a442701d88da0c

SHA1
bd3378fd142502c318e8e14f4a5f1bd3ca5c76d3

SHA256
2547c737e04449b7a4bfecd92cb3e6b36f726be476e70da9242555641cfa70bb

SHA512
72d96fbecd9f948ad38e669448a726a8055ade88b64c8628260d182e8173e8a807994caf0f6dd045d913fe33415a828ade5d4c12b233696110625813c06d88f7

Download Submit