Analysis

  • max time kernel
    146s
  • max time network
    149s
  • platform
    ubuntu-22.04_amd64
  • resource
    ubuntu2204-amd64-20240611-en
  • resource tags

    arch:amd64, arch:i386, image:ubuntu2204-amd64-20240611-en, kernel:5.15.0-105-generic, locale:en-us, os:ubuntu-22.04-amd64, system
  • submitted
    24/10/2024, 15:05

General

  • Target

    node-linux

  • Size

    46.0MB

  • MD5

    9200b2b85b8c70afe3f61a3827220842

  • SHA1

    2addf6ef678f9f663b00e13e3bb2fa0a37299dd0

  • SHA256

    0801b24d2708b3f6195c8156d3661c027d678f5be064906db4fefe74e1a74b17

  • SHA512

    99ea084abd2798875a4ed7cddc41005b701ce4874e534fa1c9c34f392de8c71bfe376f7bffa28d27ba2b52780c9a73536d54c6b9519452d1b660c97fb7047e99

  • SSDEEP

    786432:FuyPtsgt1j9ubslD/3+WTjnCD2WllgQdSrY+feI4Q:fGgFubslD/3+WTjnCD2WllgQdEHV1

Malware Config

Signatures

  • File and Directory Permissions Modification 1 TTPs 4 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

  • OS Credential Dumping 1 TTPs 4 IoCs

    Adversaries may attempt to dump credentials to use them in password cracking.

  • Abuse Elevation Control Mechanism: Sudo and Sudo Caching 1 TTPs 4 IoCs

    Abuse sudo or cached sudo credentials to execute code.

  • Checks CPU configuration 1 TTPs 1 IoCs

    Checks CPU information that indicates whether the system is a virtual machine.

  • Creates .desktop file 2 TTPs 1 IoCs

    Linux desktops like GNOME require .desktop files to register applications. They are sometimes abused by malware for persistence.

  • Command and Scripting Interpreter: Unix Shell 1 TTPs 1 IoCs

    Execute scripts via Unix Shell.

  • Enumerates kernel/hardware configuration 1 TTPs 38 IoCs

    Reads contents of /sys virtual filesystem to enumerate system information.

  • Peripheral Device Discovery 1 TTPs 1 IoCs

    Adversaries may attempt to discover attached peripheral devices.

  • Reads runtime system information 22 IoCs

    Reads data from /proc virtual filesystem.

Processes

  • /tmp/node-linux
    /tmp/node-linux
    1⤵
    • Checks CPU configuration
    • Creates .desktop file
    • Enumerates kernel/hardware configuration
    • Reads runtime system information
    PID:1567
    • /bin/sh
      /bin/sh -c "sudo -n true"
      2⤵
      • Abuse Elevation Control Mechanism: Sudo and Sudo Caching
      PID:1573
      • /usr/bin/sudo
        sudo -n true
        3⤵
        • OS Credential Dumping
        • Abuse Elevation Control Mechanism: Sudo and Sudo Caching
        • Reads runtime system information
        PID:1574
        • /usr/bin/true
          true
          4⤵
          PID:1575
      • /bin/sh
        /bin/sh -c "sudo mkdir -p \"/opt\" && sudo cp \"/tmp/node-linux\" \"/opt/node-linux\" && sudo chmod +x \"/opt/node-linux\""
        2⤵
        • File and Directory Permissions Modification
        PID:1576
        • /usr/bin/sudo
          sudo mkdir -p /opt
          3⤵
          • OS Credential Dumping
          • Abuse Elevation Control Mechanism: Sudo and Sudo Caching
          • Reads runtime system information
          PID:1577
          • /usr/bin/mkdir
            mkdir -p /opt
            4⤵
            • Reads runtime system information
            PID:1578
        • /usr/bin/sudo
          sudo cp /tmp/node-linux /opt/node-linux
          3⤵
          • OS Credential Dumping
          • Abuse Elevation Control Mechanism: Sudo and Sudo Caching
          • Reads runtime system information
          PID:1579
          • /usr/bin/cp
            cp /tmp/node-linux /opt/node-linux
            4⤵
            • Reads runtime system information
            PID:1580
        • /usr/bin/sudo
          3⤵
          • OS Credential Dumping
          • Reads runtime system information
          PID:1590
          • /usr/bin/chmod
            chmod +x /opt/node-linux
            4⤵
            • File and Directory Permissions Modification
            PID:1591
      • /bin/sh
        /bin/sh -c "chmod +x /root/.config/autostart/startup-script.desktop"
        2⤵
        • File and Directory Permissions Modification
        PID:1592
        • /usr/bin/chmod
          chmod +x /root/.config/autostart/startup-script.desktop
          3⤵
          • File and Directory Permissions Modification
          PID:1593
      • /bin/sh
        /bin/sh -c "lspci | grep VGA"
        2⤵
        • Command and Scripting Interpreter: Unix Shell
        PID:1598
        • /usr/bin/grep
          grep VGA
          3⤵
          • Reads runtime system information
          PID:1600
        • /usr/bin/lspci
          lspci
          3⤵
          • Enumerates kernel/hardware configuration
          • Peripheral Device Discovery
          PID:1599

Network

MITRE ATT&CK Enterprise v15

Downloads

  • /opt/node-linux

    Filesize

    43.9MB

    MD5

    532091f563565f41017aee62ebb321ef

    SHA1

    88971cc3b72775b230a67f51c534059db97c1f2a

    SHA256

    66db1c560a489b5df573009823bc2462e1bd827d2d12c64a372bd9b6bba59c47

    SHA512

    0432ed954f69c0741b29675f9390e3089bae25c22d1bf192cfb01a51575bbbc4b870ec65b11bfa40696e8750a29d943e3811566e46d6a0ed72be3acfdff1da0b

  • /root/.config/autostart/startup-script.desktop

    Filesize

    254B

    MD5

    d5fa1fdabc16eac09c0af61aa8f614d8

    SHA1

    df01c4c06f80a6acf53e8806f1a82b32c2094311

    SHA256

    2d33b970ef01e6e893305bcacd823b4c37754ce64a826c65945461a4aec48de1

    SHA512

    0e05b494fb3fcf1cf06394076308577e5c1fea6fb465697af83158c71b1baf6f549d37dc71d6b85a7a09e0838635221689decb8dd237240dfb3269adb83eba0e