Analysis Overview
SHA256
0801b24d2708b3f6195c8156d3661c027d678f5be064906db4fefe74e1a74b17
Threat Level: Suspicious (shows suspicious behavior)
The file node-linux was found to show suspicious behavior.
Malicious Activity Summary
File and Directory Permissions Modification
OS Credential Dumping
Abuse Elevation Control Mechanism: Sudo and Sudo Caching
Checks CPU configuration
Creates .desktop file
Reads runtime system information
Command and Scripting Interpreter: Unix Shell
Enumerates kernel/hardware configuration
Peripheral Device Discovery
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-24 15:06
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-24 15:05
Reported
2024-10-24 15:08
Platform
ubuntu2204-amd64-20240611-en
Max time kernel
146s
Max time network
149s
Command Line
Signatures
File and Directory Permissions Modification
| Description | Indicator | Process | Target |
| N/A | N/A | /bin/sh | N/A |
| N/A | N/A | /usr/bin/chmod | N/A |
| N/A | N/A | /bin/sh | N/A |
| N/A | N/A | /usr/bin/chmod | N/A |
OS Credential Dumping
| Description | Indicator | Process | Target |
| File opened for reading | /etc/shadow | /usr/bin/sudo | N/A |
| File opened for reading | /etc/shadow | /usr/bin/sudo | N/A |
| File opened for reading | /etc/shadow | /usr/bin/sudo | N/A |
| File opened for reading | /etc/shadow | /usr/bin/sudo | N/A |
Every /etc/shadow read in this signature is made by /usr/bin/sudo, not by /tmp/node-linux. sudo runs setuid-root and looks up the shadow entry for the invoking and target users as part of its normal password handling, so these four hits line up with the four sudo invocations in the process tree and are not on their own evidence that the sample dumped credentials.
Abuse Elevation Control Mechanism: Sudo and Sudo Caching
| Description | Indicator | Process | Target |
| N/A | N/A | /bin/sh | N/A |
| N/A | N/A | /usr/bin/sudo | N/A |
| N/A | N/A | /usr/bin/sudo | N/A |
| N/A | N/A | /usr/bin/sudo | N/A |
The first sudo call, sudo -n true (see Processes), is a non-interactive probe: with -n sudo never prompts and fails if a password would be required, so a zero exit tells the sample it can run the following sudo mkdir/cp/chmod chain silently (the invoking user is root, has a NOPASSWD rule, or holds a still-valid sudo timestamp). In this detonation the sample ran as root, as the /root/.config path below shows.
Checks CPU configuration
| Description | Indicator | Process | Target |
| File opened for reading | /proc/cpuinfo | /tmp/node-linux | N/A |
Creates .desktop file
| Description | Indicator | Process | Target |
| File opened for modification | /root/.config/autostart/startup-script.desktop | /tmp/node-linux | N/A |
~/.config/autostart is the XDG autostart directory: the desktop session launches every .desktop entry there at login, so this file is the sample's persistence mechanism for root's graphical sessions. The report lists only the file's hashes (under Files), not its contents.
Command and Scripting Interpreter: Unix Shell
| Description | Indicator | Process | Target |
| N/A | N/A | /bin/sh | N/A |
Enumerates kernel/hardware configuration
| Description | Indicator | Process | Target |
| File opened for reading | /sys/bus/pci/devices/0000:00:05.0/config | /usr/bin/lspci | N/A |
| File opened for reading | /sys/bus/pci/devices/0000:00:05.0/vendor | /usr/bin/lspci | N/A |
| File opened for reading | /sys/bus/pci/devices/0000:00:05.0/device | /usr/bin/lspci | N/A |
| File opened for reading | /sys/bus/pci/devices/0000:00:02.0/config | /usr/bin/lspci | N/A |
| File opened for reading | /sys/bus/pci/devices/0000:00:06.0/config | /usr/bin/lspci | N/A |
| File opened for reading | /sys/bus/pci/devices/0000:00:06.0/class | /usr/bin/lspci | N/A |
| File opened for reading | /sys/bus/pci/devices/0000:00:01.3/config | /usr/bin/lspci | N/A |
| File opened for reading | /sys/bus/pci/devices/0000:00:04.0/device | /usr/bin/lspci | N/A |
| File opened for reading | /sys/bus/pci/devices/0000:00:01.0/config | /usr/bin/lspci | N/A |
| File opened for reading | /sys/bus/pci/devices/0000:00:01.0/vendor | /usr/bin/lspci | N/A |
| File opened for reading | /sys/bus/pci/devices/0000:00:05.0/class | /usr/bin/lspci | N/A |
| File opened for reading | /sys/bus/pci/devices/0000:00:01.1/config | /usr/bin/lspci | N/A |
| File opened for reading | /sys/bus/pci/devices/0000:00:04.0/class | /usr/bin/lspci | N/A |
| File opened for reading | /sys/bus/pci/devices/0000:00:01.0/device | /usr/bin/lspci | N/A |
| File opened for reading | /sys/fs/cgroup/memory/memory.limit_in_bytes | /tmp/node-linux | N/A |
| File opened for reading | /sys/bus/pci/devices/0000:00:01.1/vendor | /usr/bin/lspci | N/A |
| File opened for reading | /sys/bus/pci/devices/0000:00:02.0/device | /usr/bin/lspci | N/A |
| File opened for reading | /sys/bus/pci/devices/0000:00:06.0/device | /usr/bin/lspci | N/A |
| File opened for reading | /sys/bus/pci/devices/0000:00:01.3/class | /usr/bin/lspci | N/A |
| File opened for reading | /sys/bus/pci/devices/0000:00:04.0/config | /usr/bin/lspci | N/A |
| File opened for reading | /sys/bus/pci/devices/0000:00:01.0/class | /usr/bin/lspci | N/A |
| File opened for reading | /sys/bus/pci/devices/0000:00:01.1/class | /usr/bin/lspci | N/A |
| File opened for reading | /sys/bus/pci/devices/0000:00:03.0/class | /usr/bin/lspci | N/A |
| File opened for reading | /sys/bus/pci/devices/0000:00:00.0/device | /usr/bin/lspci | N/A |
| File opened for reading | /sys/bus/pci/devices/0000:00:01.1/device | /usr/bin/lspci | N/A |
| File opened for reading | /sys/bus/pci/devices/0000:00:03.0/config | /usr/bin/lspci | N/A |
| File opened for reading | /sys/bus/pci/devices/0000:00:04.0/vendor | /usr/bin/lspci | N/A |
| File opened for reading | /sys/bus/pci/devices | /usr/bin/lspci | N/A |
| File opened for reading | /sys/bus/pci/devices/0000:00:02.0/vendor | /usr/bin/lspci | N/A |
| File opened for reading | /sys/bus/pci/devices/0000:00:02.0/class | /usr/bin/lspci | N/A |
| File opened for reading | /sys/bus/pci/devices/0000:00:06.0/vendor | /usr/bin/lspci | N/A |
| File opened for reading | /sys/bus/pci/devices/0000:00:03.0/device | /usr/bin/lspci | N/A |
| File opened for reading | /sys/bus/pci/devices/0000:00:01.3/vendor | /usr/bin/lspci | N/A |
| File opened for reading | /sys/bus/pci/devices/0000:00:00.0/vendor | /usr/bin/lspci | N/A |
| File opened for reading | /sys/bus/pci/devices/0000:00:00.0/class | /usr/bin/lspci | N/A |
| File opened for reading | /sys/bus/pci/devices/0000:00:03.0/vendor | /usr/bin/lspci | N/A |
| File opened for reading | /sys/bus/pci/devices/0000:00:01.3/device | /usr/bin/lspci | N/A |
| File opened for reading | /sys/bus/pci/devices/0000:00:00.0/config | /usr/bin/lspci | N/A |
Peripheral Device Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | /usr/bin/lspci | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/sys/kernel/ngroups_max | /usr/bin/sudo | N/A |
| File opened for reading | /proc/self/stat | /usr/bin/sudo | N/A |
| File opened for reading | /proc/sys/kernel/ngroups_max | /usr/bin/sudo | N/A |
| File opened for reading | /proc/self/stat | /usr/bin/sudo | N/A |
| File opened for reading | /proc/sys/kernel/ngroups_max | /usr/bin/sudo | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/sudo | N/A |
| File opened for reading | /proc/1/limits | /usr/bin/sudo | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/cp | N/A |
| File opened for reading | /proc/meminfo | /tmp/node-linux | N/A |
| File opened for reading | /proc/self/maps | /tmp/node-linux | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/sudo | N/A |
| File opened for reading | /proc/sys/kernel/ngroups_max | /usr/bin/sudo | N/A |
| File opened for reading | /proc/self/stat | /usr/bin/sudo | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/sudo | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/sudo | N/A |
| File opened for reading | /proc/self/stat | /usr/bin/sudo | N/A |
| File opened for reading | /proc/1/limits | /usr/bin/sudo | N/A |
| File opened for reading | /proc/stat | /tmp/node-linux | N/A |
| File opened for reading | /proc/self/maps | /usr/bin/grep | N/A |
| File opened for reading | /proc/1/limits | /usr/bin/sudo | N/A |
| File opened for reading | /proc/1/limits | /usr/bin/sudo | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/mkdir | N/A |
Processes
/tmp/node-linux
[/tmp/node-linux]
/bin/sh
[/bin/sh -c sudo -n true]
/usr/bin/sudo
[sudo -n true]
/usr/bin/true
[true]
/bin/sh
[/bin/sh -c sudo mkdir -p "/opt" && sudo cp "/tmp/node-linux" "/opt/node-linux" && sudo chmod +x "/opt/node-linux"]
/usr/bin/sudo
[sudo mkdir -p /opt]
/usr/bin/mkdir
[mkdir -p /opt]
/usr/bin/sudo
[sudo cp /tmp/node-linux /opt/node-linux]
/usr/bin/cp
[cp /tmp/node-linux /opt/node-linux]
/usr/bin/sudo
/usr/bin/chmod
[chmod +x /opt/node-linux]
/bin/sh
[/bin/sh -c chmod +x /root/.config/autostart/startup-script.desktop]
/usr/bin/chmod
[chmod +x /root/.config/autostart/startup-script.desktop]
/bin/sh
[/bin/sh -c lspci | grep VGA]
/usr/bin/grep
[grep VGA]
/usr/bin/lspci
[lspci]
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 8.8.8.8:53 | api.etherscan.io | udp |
| US | 8.8.8.8:53 | api.etherscan.io | udp |
| US | 8.8.8.8:53 | eth-mainnet.alchemyapi.io | udp |
| US | 8.8.8.8:53 | eth-mainnet.alchemyapi.io | udp |
| US | 217.79.240.58:443 | api.etherscan.io | tcp |
| US | 8.8.8.8:53 | ethereum-mainnet.core.chainstack.com | udp |
| US | 8.8.8.8:53 | ethereum-mainnet.core.chainstack.com | udp |
| US | 8.8.8.8:53 | cloudflare-eth.com | udp |
| US | 8.8.8.8:53 | cloudflare-eth.com | udp |
| US | 104.16.33.243:443 | eth-mainnet.alchemyapi.io | tcp |
| US | 8.8.8.8:53 | mainnet.infura.io | udp |
| US | 8.8.8.8:53 | mainnet.infura.io | udp |
| US | 104.18.4.35:443 | ethereum-mainnet.core.chainstack.com | tcp |
| US | 8.8.8.8:53 | ethers.quiknode.pro | udp |
| US | 8.8.8.8:53 | ethers.quiknode.pro | udp |
| US | 104.18.11.112:443 | cloudflare-eth.com | tcp |
| US | 8.8.8.8:53 | monorepo-production-edge-alb-985829473.us-east-1.elb.amazonaws.com | udp |
| GB | 141.147.104.155:443 | ethers.quiknode.pro | tcp |
| US | 18.214.115.73:443 | mainnet.infura.io | tcp |
| US | 8.8.8.8:53 | monorepo-production-edge-alb-985829473.us-east-1.elb.amazonaws.com | udp |
| US | 104.18.11.112:443 | cloudflare-eth.com | tcp |
| US | 67.202.55.58:443 | mainnet.infura.io | tcp |
| US | 8.8.8.8:53 | ethers.quiknode.pro | udp |
| US | 104.18.4.35:443 | ethereum-mainnet.core.chainstack.com | tcp |
| GB | 141.147.104.155:443 | ethers.quiknode.pro | tcp |
| EE | 193.233.201.21:3001 | 193.233.201.21 | tcp |
(this connection to 193.233.201.21:3001 was recorded 30 times during the 149 s network window; no domain was resolved for it, unlike the Ethereum RPC endpoints above)
Files
/opt/node-linux
| MD5 | 532091f563565f41017aee62ebb321ef |
| SHA1 | 88971cc3b72775b230a67f51c534059db97c1f2a |
| SHA256 | 66db1c560a489b5df573009823bc2462e1bd827d2d12c64a372bd9b6bba59c47 |
| SHA512 | 0432ed954f69c0741b29675f9390e3089bae25c22d1bf192cfb01a51575bbbc4b870ec65b11bfa40696e8750a29d943e3811566e46d6a0ed72be3acfdff1da0b |
/root/.config/autostart/startup-script.desktop
| MD5 | d5fa1fdabc16eac09c0af61aa8f614d8 |
| SHA1 | df01c4c06f80a6acf53e8806f1a82b32c2094311 |
| SHA256 | 2d33b970ef01e6e893305bcacd823b4c37754ce64a826c65945461a4aec48de1 |
| SHA512 | 0e05b494fb3fcf1cf06394076308577e5c1fea6fb465697af83158c71b1baf6f549d37dc71d6b85a7a09e0838635221689decb8dd237240dfb3269adb83eba0e |
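A host sweep for the indicators the report records, as an added example that is not part of the report or of the sample: it checks for the dropped copy at /opt/node-linux (comparing its SHA-256 with the value under Files), for autostart .desktop entries that launch node-linux, and for sockets to 193.233.201.21:3001 in a /proc/net/tcp-style table. It assumes a Linux host, root privileges (or a mounted image passed as the ROOT argument), and sha256sum or shasum on PATH; the helper names (sweep, hash_matches, proc_net_addr, c2_connections) are this example's own.

```shell
#!/bin/sh
# Sweep a host for the indicators in the node-linux sandbox report.
# Added example, not part of the report. Assumes Linux, root (or a mounted
# image as ROOT) and sha256sum/shasum on PATH. Usage: sh sweep.sh [ROOT] [TCP_TABLE]
set -u

# Indicators copied from the report's Files and Network sections.
SAMPLE_SHA256=66db1c560a489b5df573009823bc2462e1bd827d2d12c64a372bd9b6bba59c47
C2_IP=193.233.201.21
C2_PORT=3001

# SHA-256 hex digest of a file, with whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi \
        | cut -d' ' -f1
}

# Exit 0 if FILE exists and its SHA-256 equals EXPECTED, 1 otherwise.
hash_matches() {
    [ -f "$1" ] || return 1
    [ "$(sha256_of "$1")" = "$2" ]
}

# Encode IP PORT the way /proc/net/tcp prints rem_address: the IPv4 address as
# little-endian hex, the port as big-endian hex. 193.233.201.21 3001 -> 15C9E9C1:0BB9
# (IPv6 and v4-mapped sockets live in /proc/net/tcp6 and are not covered here.)
proc_net_addr() {
    port=$2
    set -- $(printf '%s' "$1" | tr '.' ' ')
    printf '%02X%02X%02X%02X:%04X' "$4" "$3" "$2" "$1" "$port"
}

# Count rows of a /proc/net/tcp-style TABLE whose rem_address (field 3) is IP:PORT.
# Any socket state counts: a SYN_SENT to the C2 is as interesting as ESTABLISHED.
c2_connections() {
    [ -r "$1" ] || { echo 0; return 0; }
    want=$(proc_net_addr "$2" "$3")
    awk -v want="$want" 'NR > 1 && $3 == want { n++ } END { print n + 0 }' "$1"
}

# Sweep ROOT ("" for the live host) using socket table TABLE. Prints one "HIT" line
# per finding and a final "findings: N" line.
sweep() {
    root=${1:-}
    table=${2:-/proc/net/tcp}
    n=0

    # 1. The dropped copy. Presence alone is a hit; a hash match confirms this exact build.
    if [ -f "$root/opt/node-linux" ]; then
        n=$((n + 1))
        if hash_matches "$root/opt/node-linux" "$SAMPLE_SHA256"; then
            echo "HIT $root/opt/node-linux matches the dropped sample SHA-256"
        else
            echo "HIT $root/opt/node-linux present but SHA-256 differs (different build?)"
        fi
    fi

    # 2. XDG autostart persistence: every .desktop entry in ~/.config/autostart is
    #    launched at desktop login. Flag entries whose Exec= line runs node-linux.
    for d in "$root/root/.config/autostart" "$root"/home/*/.config/autostart; do
        [ -d "$d" ] || continue
        for f in "$d"/*.desktop; do
            [ -f "$f" ] || continue
            exec_line=$(grep -m1 '^Exec=' "$f" || true)
            case "$exec_line" in
                *node-linux*) n=$((n + 1)); echo "HIT autostart entry $f runs ${exec_line#Exec=}" ;;
            esac
        done
    done

    # 3. Live sockets to the unresolved endpoint the sandbox contacted 30 times.
    c=$(c2_connections "$table" "$C2_IP" "$C2_PORT")
    if [ "$c" -gt 0 ]; then
        n=$((n + 1))
        echo "HIT $c socket(s) to $C2_IP:$C2_PORT in $table"
    fi

    echo "findings: $n"
}

sweep "${1:-}" "${2:-/proc/net/tcp}"
```

The socket check reads the kernel table directly rather than calling ss or netstat so that it also works against a saved copy of /proc/net/tcp from an incident capture; the file hash check is deliberately secondary to the path check, since a rebuilt sample would land at the same path with a different digest.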