Analysis
max time kernel: 146s
max time network: 149s
platform: ubuntu-22.04_amd64
resource: ubuntu2204-amd64-20240611-en
resource tags: arch:amd64, arch:i386, image:ubuntu2204-amd64-20240611-en, kernel:5.15.0-105-generic, locale:en-us, os:ubuntu-22.04-amd64, system
submitted: 24/10/2024, 15:05
Static task: static1
Behavioral task: behavioral1
Sample: node-linux
Resource: ubuntu2204-amd64-20240611-en
General
Target: node-linux
Size: 46.0MB
MD5: 9200b2b85b8c70afe3f61a3827220842
SHA1: 2addf6ef678f9f663b00e13e3bb2fa0a37299dd0
SHA256: 0801b24d2708b3f6195c8156d3661c027d678f5be064906db4fefe74e1a74b17
SHA512: 99ea084abd2798875a4ed7cddc41005b701ce4874e534fa1c9c34f392de8c71bfe376f7bffa28d27ba2b52780c9a73536d54c6b9519452d1b660c97fb7047e99
SSDEEP: 786432:FuyPtsgt1j9ubslD/3+WTjnCD2WllgQdSrY+feI4Q:fGgFubslD/3+WTjnCD2WllgQdEHV1
Malware Config
Signatures
File and Directory Permissions Modification (1 TTP, 4 IoCs)
Adversaries may modify file or directory permissions to evade defenses.
  PID   Process
  1576  sh
  1591  chmod
  1592  sh
  1593  chmod
OS Credential Dumping (1 TTP, 4 IoCs)
Adversaries may attempt to dump credentials to use them in password cracking.
  Description              IoC          Process
  File opened for reading  /etc/shadow  sudo
  File opened for reading  /etc/shadow  sudo
  File opened for reading  /etc/shadow  sudo
  File opened for reading  /etc/shadow  sudo
Abuse Elevation Control Mechanism: Sudo and Sudo Caching (1 TTP, 4 IoCs)
Abuse sudo or cached sudo credentials to execute code.
  PID   Process
  1573  sh
  1574  sudo
  1577  sudo
  1579  sudo
Checks CPU configuration (1 TTP, 1 IoC)
Checks CPU information that indicates whether the system is a virtual machine.
  Description              IoC            Process
  File opened for reading  /proc/cpuinfo  node-linux
Creates .desktop file (2 TTPs, 1 IoC)
Linux desktops like GNOME require .desktop files to register applications. Sometimes abused by malware for persistence.
  Description                   IoC                                               Process
  File opened for modification  /root/.config/autostart/startup-script.desktop  node-linux

Command and Scripting Interpreter: Unix Shell (1 TTP, 1 IoC)
Execute scripts via Unix Shell.
  PID   Process
  1598  sh
Enumerates kernel/hardware configuration (1 TTP, 38 IoCs)
Reads contents of /sys virtual filesystem to enumerate system information.
  Description              IoC                                            Process
  File opened for reading  /sys/bus/pci/devices/0000:00:05.0/config       lspci
  File opened for reading  /sys/bus/pci/devices/0000:00:05.0/vendor       lspci
  File opened for reading  /sys/bus/pci/devices/0000:00:05.0/device       lspci
  File opened for reading  /sys/bus/pci/devices/0000:00:02.0/config       lspci
  File opened for reading  /sys/bus/pci/devices/0000:00:06.0/config       lspci
  File opened for reading  /sys/bus/pci/devices/0000:00:06.0/class        lspci
  File opened for reading  /sys/bus/pci/devices/0000:00:01.3/config       lspci
  File opened for reading  /sys/bus/pci/devices/0000:00:04.0/device       lspci
  File opened for reading  /sys/bus/pci/devices/0000:00:01.0/config       lspci
  File opened for reading  /sys/bus/pci/devices/0000:00:01.0/vendor       lspci
  File opened for reading  /sys/bus/pci/devices/0000:00:05.0/class        lspci
  File opened for reading  /sys/bus/pci/devices/0000:00:01.1/config       lspci
  File opened for reading  /sys/bus/pci/devices/0000:00:04.0/class        lspci
  File opened for reading  /sys/bus/pci/devices/0000:00:01.0/device       lspci
  File opened for reading  /sys/fs/cgroup/memory/memory.limit_in_bytes    node-linux
  File opened for reading  /sys/bus/pci/devices/0000:00:01.1/vendor       lspci
  File opened for reading  /sys/bus/pci/devices/0000:00:02.0/device       lspci
  File opened for reading  /sys/bus/pci/devices/0000:00:06.0/device       lspci
  File opened for reading  /sys/bus/pci/devices/0000:00:01.3/class        lspci
  File opened for reading  /sys/bus/pci/devices/0000:00:04.0/config       lspci
  File opened for reading  /sys/bus/pci/devices/0000:00:01.0/class        lspci
  File opened for reading  /sys/bus/pci/devices/0000:00:01.1/class        lspci
  File opened for reading  /sys/bus/pci/devices/0000:00:03.0/class        lspci
  File opened for reading  /sys/bus/pci/devices/0000:00:00.0/device       lspci
  File opened for reading  /sys/bus/pci/devices/0000:00:01.1/device       lspci
  File opened for reading  /sys/bus/pci/devices/0000:00:03.0/config       lspci
  File opened for reading  /sys/bus/pci/devices/0000:00:04.0/vendor       lspci
  File opened for reading  /sys/bus/pci/devices                           lspci
  File opened for reading  /sys/bus/pci/devices/0000:00:02.0/vendor       lspci
  File opened for reading  /sys/bus/pci/devices/0000:00:02.0/class        lspci
  File opened for reading  /sys/bus/pci/devices/0000:00:06.0/vendor       lspci
  File opened for reading  /sys/bus/pci/devices/0000:00:03.0/device       lspci
  File opened for reading  /sys/bus/pci/devices/0000:00:01.3/vendor       lspci
  File opened for reading  /sys/bus/pci/devices/0000:00:00.0/vendor       lspci
  File opened for reading  /sys/bus/pci/devices/0000:00:00.0/class        lspci
  File opened for reading  /sys/bus/pci/devices/0000:00:03.0/vendor       lspci
  File opened for reading  /sys/bus/pci/devices/0000:00:01.3/device       lspci
  File opened for reading  /sys/bus/pci/devices/0000:00:00.0/config       lspci
Peripheral Device Discovery (1 TTP, 1 IoC)
Adversaries may attempt to discover attached peripheral devices.
  PID   Process
  1599  lspci
Reads runtime system information
  Description              IoC                           Process
  File opened for reading  /proc/sys/kernel/ngroups_max  sudo
  File opened for reading  /proc/self/stat               sudo
  File opened for reading  /proc/sys/kernel/ngroups_max  sudo
  File opened for reading  /proc/self/stat               sudo
  File opened for reading  /proc/sys/kernel/ngroups_max  sudo
  File opened for reading  /proc/filesystems             sudo
  File opened for reading  /proc/1/limits                sudo
  File opened for reading  /proc/filesystems             cp
  File opened for reading  /proc/meminfo                 node-linux
  File opened for reading  /proc/self/maps               node-linux
  File opened for reading  /proc/filesystems             sudo
  File opened for reading  /proc/sys/kernel/ngroups_max  sudo
  File opened for reading  /proc/self/stat               sudo
  File opened for reading  /proc/filesystems             sudo
  File opened for reading  /proc/filesystems             sudo
  File opened for reading  /proc/self/stat               sudo
  File opened for reading  /proc/1/limits                sudo
  File opened for reading  /proc/stat                    node-linux
  File opened for reading  /proc/self/maps               grep
  File opened for reading  /proc/1/limits                sudo
  File opened for reading  /proc/1/limits                sudo
  File opened for reading  /proc/filesystems             mkdir
Processes
/tmp/node-linux  [cmd: /tmp/node-linux]  PID 1567
  - Checks CPU configuration
  - Creates .desktop file
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  /bin/sh  [cmd: /bin/sh -c "sudo -n true"]  PID 1573
    - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
    /usr/bin/sudo  [cmd: sudo -n true]  PID 1574
      - OS Credential Dumping
      - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
      - Reads runtime system information
      /usr/bin/true  [cmd: true]  PID 1575
  /bin/sh  [cmd: /bin/sh -c "sudo mkdir -p \"/opt\" && sudo cp \"/tmp/node-linux\" \"/opt/node-linux\" && sudo chmod +x \"/opt/node-linux\""]  PID 1576
    - File and Directory Permissions Modification
    /usr/bin/sudo  [cmd: sudo mkdir -p /opt]  PID 1577
      - OS Credential Dumping
      - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
      - Reads runtime system information
      /usr/bin/mkdir  [cmd: mkdir -p /opt]  PID 1578
        - Reads runtime system information
    /usr/bin/sudo  [cmd: sudo cp /tmp/node-linux /opt/node-linux]  PID 1579
      - OS Credential Dumping
      - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
      - Reads runtime system information
      /usr/bin/cp  [cmd: cp /tmp/node-linux /opt/node-linux]  PID 1580
        - Reads runtime system information
    /usr/bin/sudo  PID 1590
      - OS Credential Dumping
      - Reads runtime system information
      /usr/bin/chmod  [cmd: chmod +x /opt/node-linux]  PID 1591
        - File and Directory Permissions Modification
  /bin/sh  [cmd: /bin/sh -c "chmod +x /root/.config/autostart/startup-script.desktop"]  PID 1592
    - File and Directory Permissions Modification
    /usr/bin/chmod  [cmd: chmod +x /root/.config/autostart/startup-script.desktop]  PID 1593
      - File and Directory Permissions Modification
  /bin/sh  [cmd: /bin/sh -c "lspci | grep VGA"]  PID 1598
    - Command and Scripting Interpreter: Unix Shell
    /usr/bin/grep  [cmd: grep VGA]  PID 1600
      - Reads runtime system information
    /usr/bin/lspci  [cmd: lspci]  PID 1599
      - Enumerates kernel/hardware configuration
      - Peripheral Device Discovery
Network
MITRE ATT&CK Enterprise v15
Execution
  Command and Scripting Interpreter (1)
    Unix Shell (1)
  User Execution (2)
    Malicious File (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Sudo and Sudo Caching (1)
  File and Directory Permissions Modification (1)
    Linux and Mac File and Directory Permissions Modification (1)
  Virtualization/Sandbox Evasion (1)
    System Checks (1)
Downloads
File 1
  Filesize: 43.9MB
  MD5: 532091f563565f41017aee62ebb321ef
  SHA1: 88971cc3b72775b230a67f51c534059db97c1f2a
  SHA256: 66db1c560a489b5df573009823bc2462e1bd827d2d12c64a372bd9b6bba59c47
  SHA512: 0432ed954f69c0741b29675f9390e3089bae25c22d1bf192cfb01a51575bbbc4b870ec65b11bfa40696e8750a29d943e3811566e46d6a0ed72be3acfdff1da0b
File 2
  Filesize: 254B
  MD5: d5fa1fdabc16eac09c0af61aa8f614d8
  SHA1: df01c4c06f80a6acf53e8806f1a82b32c2094311
  SHA256: 2d33b970ef01e6e893305bcacd823b4c37754ce64a826c65945461a4aec48de1
  SHA512: 0e05b494fb3fcf1cf06394076308577e5c1fea6fb465697af83158c71b1baf6f549d37dc71d6b85a7a09e0838635221689decb8dd237240dfb3269adb83eba0e