8e27b76b3903312cc5e93f250d7cf90b7b999592d70dcf2922bb450023014006

General

Target

8e27b76b3903312cc5e93f250d7cf90b7b999592d70dcf2922bb450023014006
Size

35KB
MD5

2550990d2d52581b213e7c9305c392d3
SHA1

f7f069915c9b97550dc1fb6cf631f6222416dcf5
SHA256

8e27b76b3903312cc5e93f250d7cf90b7b999592d70dcf2922bb450023014006
SHA512

a30d4a39203e6a98937e8670b7b3caaa63d2141fdf404bb28ca240d95cb7420bdfb8c695db81cc9c799e8818266600c137b8b0df2dfc69d7566bae64eee2ad50
SSDEEP

768:X87XzQ5VFNcDAFLcIwgnoYq0xFB6ytguz:X3VF+D6cIwgos/z

Score

7^/10

defense_evasion discovery evasion privilege_escalation

Malware Config

Signatures

Deletes system logs 1 TTPs 1 IoCs
Deletes log file which contains global system messages. Adversaries may delete system logs to minimize their footprint.
evasion

Clear Linux or Mac System Logs
T1070.002

Processes:

rm

description ioc process

File deleted /var/log/syslog rm
Flushes firewall rules 1 TTPs 1 IoCs
Flushes/ disables firewall rules inside the Linux kernel.
defense_evasion

Disable or Modify System Firewall
T1562.004

Processes:

iptables

pid process

690 iptables
Abuse Elevation Control Mechanism: Sudo and Sudo Caching 1 TTPs 1 IoCs
Abuse sudo or cached sudo credentials to execute code.
privilege_escalation defense_evasion

Sudo and Sudo Caching
T1548.003

Processes:

sudo

pid process

697 sudo
Attempts to change immutable files 6 IoCs
Modifies inode attributes on the filesystem to allow changing of immutable files.

Processes:

chattrchattrchattrchattrchattrchattr

pid process

686 chattr
708 chattr
710 chattr
677 chattr
680 chattr
684 chattr

description	ioc	process
File deleted	/var/log/syslog	rm

pid	process
690	iptables

pid	process
697	sudo

pid	process
686	chattr
708	chattr
710	chattr
677	chattr
680	chattr
684	chattr

Reads runtime system information 30 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

lslslslslslsuserdellslslslssudolslslsuserdel

description	ioc	process
File opened for reading	/proc/filesystems	ls
File opened for reading	/proc/12	ls
File opened for reading	/proc/1	ls
File opened for reading	/proc/filesystems	ls
File opened for reading	/proc/filesystems	ls
File opened for reading	/proc/13	ls
File opened for reading	/proc/filesystems	userdel
File opened for reading	/proc/108	ls
File opened for reading	/proc/filesystems	ls
File opened for reading	/proc/filesystems	ls
File opened for reading	/proc/filesystems	ls
File opened for reading	/proc/145	ls
File opened for reading	/proc/self/stat	sudo
File opened for reading	/proc/filesystems	ls
File opened for reading	/proc/filesystems	ls
File opened for reading	/proc/137	ls
File opened for reading	/proc/filesystems	ls
File opened for reading	/proc/filesystems	ls
File opened for reading	/proc/filesystems	ls
File opened for reading	/proc/10	ls
File opened for reading	/proc/106	ls
File opened for reading	/proc/109	ls
File opened for reading	/proc/filesystems	sudo
File opened for reading	/proc/filesystems	ls
File opened for reading	/proc/14	ls
File opened for reading	/proc/filesystems	ls
File opened for reading	/proc/149	ls
File opened for reading	/proc/sys/kernel/ngroups_max	sudo
File opened for reading	/proc/filesystems	userdel
File opened for reading	/proc/11	ls

Writes file to tmp directory 1 IoCs
Malware often drops required files in the /tmp directory.

Processes:

8e27b76b3903312cc5e93f250d7cf90b7b999592d70dcf2922bb450023014006

description ioc process

File opened for modification /tmp/log_rot 8e27b76b3903312cc5e93f250d7cf90b7b999592d70dcf2922bb450023014006

description	ioc	process
File opened for modification	/tmp/log_rot	8e27b76b3903312cc5e93f250d7cf90b7b999592d70dcf2922bb450023014006

/tmp/8e27b76b3903312cc5e93f250d7cf90b7b999592d70dcf2922bb450023014006
/tmp/8e27b76b3903312cc5e93f250d7cf90b7b999592d70dcf2922bb450023014006
1⤵
- Writes file to tmp directory
PID:674

/bin/rm
rm -rf /var/log/syslog
2⤵
- Deletes system logs
PID:675

/usr/bin/chattr
chattr -iua /tmp/
2⤵
- Attempts to change immutable files
PID:677

/usr/bin/chattr
chattr -iua /var/tmp/
2⤵
- Attempts to change immutable files
PID:680

/usr/bin/chattr
chattr -R -i /var/spool/cron
2⤵
- Attempts to change immutable files
PID:684

/usr/bin/chattr
chattr -i /etc/crontab
2⤵
- Attempts to change immutable files
PID:686

/sbin/iptables
iptables -F
2⤵
- Flushes firewall rules
PID:690

/usr/bin/sudo
sudo sysctl "kernel.nmi_watchdog=0"
2⤵
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
- Reads runtime system information
PID:697

/usr/sbin/userdel
userdel akay
2⤵
- Reads runtime system information
PID:702

/usr/sbin/userdel
userdel vfinder
2⤵
- Reads runtime system information
PID:706

/usr/bin/chattr
chattr -iae /root/.ssh/
2⤵
- Attempts to change immutable files
PID:708

/usr/bin/chattr
chattr -iae /root/.ssh/authorized_keys
2⤵
- Attempts to change immutable files
PID:710

/bin/rm
rm -rf "/tmp/addres*"
2⤵
PID:711

/bin/rm
rm -rf "/tmp/walle*"
2⤵
PID:713

/bin/rm
rm -rf /tmp/keys
2⤵
PID:714

/bin/grep
grep exe
2⤵
PID:717

/bin/ls
ls -latrh /proc/1
2⤵
- Reads runtime system information
PID:716

/bin/grep
grep -q "/var/lib/postgresql/data/pоstgres\\|atlas.x86\\|dotsh\\|/tmp/systemd-private-\\|bin/sysinit\\|.bin/xorg\\|nine.x86\\|data/pg_mem\\|/var/lib/postgresql/data/.*/memory\\|/var/tmp/.bin/systemd\\|balder\\|sys/systemd\\|rtw88_pcied\\|.bin/x\\|httpd_watchdog\\|/var/Sofia\\|3caec218-ce42-42da-8f58-970b22d131e9\\|/tmp/watchdog\\|cpu_hu\\|/tmp/Manager\\|/tmp/manh\\|/tmp/agettyd\\|/var/tmp/java\\|/var/lib/postgresql/data/pоstmaster\\|/memfd\\|/var/lib/postgresql/data/pgdata/pоstmaster\\|/tmp/.metabase/metabasew"
2⤵
PID:720

/bin/grep
grep exe
2⤵
PID:725

/bin/ls
ls -latrh /proc/10
2⤵
- Reads runtime system information
PID:724

/bin/grep
grep -q "/var/lib/postgresql/data/pоstgres\\|atlas.x86\\|dotsh\\|/tmp/systemd-private-\\|bin/sysinit\\|.bin/xorg\\|nine.x86\\|data/pg_mem\\|/var/lib/postgresql/data/.*/memory\\|/var/tmp/.bin/systemd\\|balder\\|sys/systemd\\|rtw88_pcied\\|.bin/x\\|httpd_watchdog\\|/var/Sofia\\|3caec218-ce42-42da-8f58-970b22d131e9\\|/tmp/watchdog\\|cpu_hu\\|/tmp/Manager\\|/tmp/manh\\|/tmp/agettyd\\|/var/tmp/java\\|/var/lib/postgresql/data/pоstmaster\\|/memfd\\|/var/lib/postgresql/data/pgdata/pоstmaster\\|/tmp/.metabase/metabasew"
2⤵
PID:727

/bin/ls
ls -latrh /proc/106
2⤵
- Reads runtime system information
PID:730

/bin/grep
grep exe
2⤵
PID:731

/bin/grep
grep -q "/var/lib/postgresql/data/pоstgres\\|atlas.x86\\|dotsh\\|/tmp/systemd-private-\\|bin/sysinit\\|.bin/xorg\\|nine.x86\\|data/pg_mem\\|/var/lib/postgresql/data/.*/memory\\|/var/tmp/.bin/systemd\\|balder\\|sys/systemd\\|rtw88_pcied\\|.bin/x\\|httpd_watchdog\\|/var/Sofia\\|3caec218-ce42-42da-8f58-970b22d131e9\\|/tmp/watchdog\\|cpu_hu\\|/tmp/Manager\\|/tmp/manh\\|/tmp/agettyd\\|/var/tmp/java\\|/var/lib/postgresql/data/pоstmaster\\|/memfd\\|/var/lib/postgresql/data/pgdata/pоstmaster\\|/tmp/.metabase/metabasew"
2⤵
PID:733

/bin/ls
ls -latrh /proc/108
2⤵
- Reads runtime system information
PID:735

/bin/grep
grep exe
2⤵
PID:736

/bin/grep
grep -q "/var/lib/postgresql/data/pоstgres\\|atlas.x86\\|dotsh\\|/tmp/systemd-private-\\|bin/sysinit\\|.bin/xorg\\|nine.x86\\|data/pg_mem\\|/var/lib/postgresql/data/.*/memory\\|/var/tmp/.bin/systemd\\|balder\\|sys/systemd\\|rtw88_pcied\\|.bin/x\\|httpd_watchdog\\|/var/Sofia\\|3caec218-ce42-42da-8f58-970b22d131e9\\|/tmp/watchdog\\|cpu_hu\\|/tmp/Manager\\|/tmp/manh\\|/tmp/agettyd\\|/var/tmp/java\\|/var/lib/postgresql/data/pоstmaster\\|/memfd\\|/var/lib/postgresql/data/pgdata/pоstmaster\\|/tmp/.metabase/metabasew"
2⤵
PID:739

/bin/grep
grep exe
2⤵
PID:742

/bin/ls
ls -latrh /proc/109
2⤵
- Reads runtime system information
PID:741

/bin/grep
grep -q "/var/lib/postgresql/data/pоstgres\\|atlas.x86\\|dotsh\\|/tmp/systemd-private-\\|bin/sysinit\\|.bin/xorg\\|nine.x86\\|data/pg_mem\\|/var/lib/postgresql/data/.*/memory\\|/var/tmp/.bin/systemd\\|balder\\|sys/systemd\\|rtw88_pcied\\|.bin/x\\|httpd_watchdog\\|/var/Sofia\\|3caec218-ce42-42da-8f58-970b22d131e9\\|/tmp/watchdog\\|cpu_hu\\|/tmp/Manager\\|/tmp/manh\\|/tmp/agettyd\\|/var/tmp/java\\|/var/lib/postgresql/data/pоstmaster\\|/memfd\\|/var/lib/postgresql/data/pgdata/pоstmaster\\|/tmp/.metabase/metabasew"
2⤵
PID:744

/bin/grep
grep exe
2⤵
PID:747

/bin/ls
ls -latrh /proc/11
2⤵
- Reads runtime system information
PID:746

/bin/grep
grep -q "/var/lib/postgresql/data/pоstgres\\|atlas.x86\\|dotsh\\|/tmp/systemd-private-\\|bin/sysinit\\|.bin/xorg\\|nine.x86\\|data/pg_mem\\|/var/lib/postgresql/data/.*/memory\\|/var/tmp/.bin/systemd\\|balder\\|sys/systemd\\|rtw88_pcied\\|.bin/x\\|httpd_watchdog\\|/var/Sofia\\|3caec218-ce42-42da-8f58-970b22d131e9\\|/tmp/watchdog\\|cpu_hu\\|/tmp/Manager\\|/tmp/manh\\|/tmp/agettyd\\|/var/tmp/java\\|/var/lib/postgresql/data/pоstmaster\\|/memfd\\|/var/lib/postgresql/data/pgdata/pоstmaster\\|/tmp/.metabase/metabasew"
2⤵
PID:749

/bin/grep
grep exe
2⤵
PID:752

/bin/ls
ls -latrh /proc/12
2⤵
- Reads runtime system information
PID:751

/bin/grep
grep -q "/var/lib/postgresql/data/pоstgres\\|atlas.x86\\|dotsh\\|/tmp/systemd-private-\\|bin/sysinit\\|.bin/xorg\\|nine.x86\\|data/pg_mem\\|/var/lib/postgresql/data/.*/memory\\|/var/tmp/.bin/systemd\\|balder\\|sys/systemd\\|rtw88_pcied\\|.bin/x\\|httpd_watchdog\\|/var/Sofia\\|3caec218-ce42-42da-8f58-970b22d131e9\\|/tmp/watchdog\\|cpu_hu\\|/tmp/Manager\\|/tmp/manh\\|/tmp/agettyd\\|/var/tmp/java\\|/var/lib/postgresql/data/pоstmaster\\|/memfd\\|/var/lib/postgresql/data/pgdata/pоstmaster\\|/tmp/.metabase/metabasew"
2⤵
PID:754

/bin/grep
grep exe
2⤵
PID:757

/bin/ls
ls -latrh /proc/13
2⤵
- Reads runtime system information
PID:756

/bin/grep
grep -q "/var/lib/postgresql/data/pоstgres\\|atlas.x86\\|dotsh\\|/tmp/systemd-private-\\|bin/sysinit\\|.bin/xorg\\|nine.x86\\|data/pg_mem\\|/var/lib/postgresql/data/.*/memory\\|/var/tmp/.bin/systemd\\|balder\\|sys/systemd\\|rtw88_pcied\\|.bin/x\\|httpd_watchdog\\|/var/Sofia\\|3caec218-ce42-42da-8f58-970b22d131e9\\|/tmp/watchdog\\|cpu_hu\\|/tmp/Manager\\|/tmp/manh\\|/tmp/agettyd\\|/var/tmp/java\\|/var/lib/postgresql/data/pоstmaster\\|/memfd\\|/var/lib/postgresql/data/pgdata/pоstmaster\\|/tmp/.metabase/metabasew"
2⤵
PID:759

/bin/grep
grep exe
2⤵
PID:762

/bin/ls
ls -latrh /proc/137
2⤵
- Reads runtime system information
PID:761

/bin/grep
grep -q "/var/lib/postgresql/data/pоstgres\\|atlas.x86\\|dotsh\\|/tmp/systemd-private-\\|bin/sysinit\\|.bin/xorg\\|nine.x86\\|data/pg_mem\\|/var/lib/postgresql/data/.*/memory\\|/var/tmp/.bin/systemd\\|balder\\|sys/systemd\\|rtw88_pcied\\|.bin/x\\|httpd_watchdog\\|/var/Sofia\\|3caec218-ce42-42da-8f58-970b22d131e9\\|/tmp/watchdog\\|cpu_hu\\|/tmp/Manager\\|/tmp/manh\\|/tmp/agettyd\\|/var/tmp/java\\|/var/lib/postgresql/data/pоstmaster\\|/memfd\\|/var/lib/postgresql/data/pgdata/pоstmaster\\|/tmp/.metabase/metabasew"
2⤵
PID:764

/bin/grep
grep exe
2⤵
PID:767

/bin/ls
ls -latrh /proc/14
2⤵
- Reads runtime system information
PID:766

/bin/grep
grep -q "/var/lib/postgresql/data/pоstgres\\|atlas.x86\\|dotsh\\|/tmp/systemd-private-\\|bin/sysinit\\|.bin/xorg\\|nine.x86\\|data/pg_mem\\|/var/lib/postgresql/data/.*/memory\\|/var/tmp/.bin/systemd\\|balder\\|sys/systemd\\|rtw88_pcied\\|.bin/x\\|httpd_watchdog\\|/var/Sofia\\|3caec218-ce42-42da-8f58-970b22d131e9\\|/tmp/watchdog\\|cpu_hu\\|/tmp/Manager\\|/tmp/manh\\|/tmp/agettyd\\|/var/tmp/java\\|/var/lib/postgresql/data/pоstmaster\\|/memfd\\|/var/lib/postgresql/data/pgdata/pоstmaster\\|/tmp/.metabase/metabasew"
2⤵
PID:769

/bin/grep
grep exe
2⤵
PID:772

/bin/ls
ls -latrh /proc/145
2⤵
- Reads runtime system information
PID:771

/bin/grep
grep -q "/var/lib/postgresql/data/pоstgres\\|atlas.x86\\|dotsh\\|/tmp/systemd-private-\\|bin/sysinit\\|.bin/xorg\\|nine.x86\\|data/pg_mem\\|/var/lib/postgresql/data/.*/memory\\|/var/tmp/.bin/systemd\\|balder\\|sys/systemd\\|rtw88_pcied\\|.bin/x\\|httpd_watchdog\\|/var/Sofia\\|3caec218-ce42-42da-8f58-970b22d131e9\\|/tmp/watchdog\\|cpu_hu\\|/tmp/Manager\\|/tmp/manh\\|/tmp/agettyd\\|/var/tmp/java\\|/var/lib/postgresql/data/pоstmaster\\|/memfd\\|/var/lib/postgresql/data/pgdata/pоstmaster\\|/tmp/.metabase/metabasew"
2⤵
PID:774

/bin/grep
grep exe
2⤵
PID:777

/bin/ls
ls -latrh /proc/149
2⤵
- Reads runtime system information
PID:776

/bin/grep
grep -q "/var/lib/postgresql/data/pоstgres\\|atlas.x86\\|dotsh\\|/tmp/systemd-private-\\|bin/sysinit\\|.bin/xorg\\|nine.x86\\|data/pg_mem\\|/var/lib/postgresql/data/.*/memory\\|/var/tmp/.bin/systemd\\|balder\\|sys/systemd\\|rtw88_pcied\\|.bin/x\\|httpd_watchdog\\|/var/Sofia\\|3caec218-ce42-42da-8f58-970b22d131e9\\|/tmp/watchdog\\|cpu_hu\\|/tmp/Manager\\|/tmp/manh\\|/tmp/agettyd\\|/var/tmp/java\\|/var/lib/postgresql/data/pоstmaster\\|/memfd\\|/var/lib/postgresql/data/pgdata/pоstmaster\\|/tmp/.metabase/metabasew"
2⤵
PID:779

/bin/grep
grep exe
2⤵
PID:783

/bin/ls
ls -latrh /proc/15
2⤵
- Reads runtime system information
PID:782

/bin/grep
grep -q "/var/lib/postgresql/data/pоstgres\\|atlas.x86\\|dotsh\\|/tmp/systemd-private-\\|bin/sysinit\\|.bin/xorg\\|nine.x86\\|data/pg_mem\\|/var/lib/postgresql/data/.*/memory\\|/var/tmp/.bin/systemd\\|balder\\|sys/systemd\\|rtw88_pcied\\|.bin/x\\|httpd_watchdog\\|/var/Sofia\\|3caec218-ce42-42da-8f58-970b22d131e9\\|/tmp/watchdog\\|cpu_hu\\|/tmp/Manager\\|/tmp/manh\\|/tmp/agettyd\\|/var/tmp/java\\|/var/lib/postgresql/data/pоstmaster\\|/memfd\\|/var/lib/postgresql/data/pgdata/pоstmaster\\|/tmp/.metabase/metabasew"
2⤵
PID:786

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Sudo and Sudo Caching

1

T1548.003

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Sudo and Sudo Caching

1

T1548.003

Impair Defenses

1

T1562

Disable or Modify System Firewall

1

T1562.004

Indicator Removal

1

T1070

Clear Linux or Mac System Logs

1

T1070.002

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/log_rot

Filesize
5B

MD5
727479ef7cedf30c03459bec7d87b0f0

SHA1
2082e7f715f058acab2398d25d135cf5f4c0ce41

SHA256
29872037c9573567744ef10ed2de57864ded7554c9fa2ef03fc1244c65794ba6

SHA512
4cb59d37f8481f9bb2745f494baa0910a68aad40ac2903ef1513547e091e1e772a5f9436f789ab91fcafb75b8a28c2112ede89004be41f33c01d936b542ca6ba

Download Submit

Analysis

Sharing