General
Target: ss
Size: 403B
Sample: 241027-l8xn1svkaw
MD5: 89f95ab872178a2c1e14126848498548
SHA1: ea84533d5b4096482a6525f3c776108688349236
SHA256: 19fa932e33bf68543553f439308e7827e45d99aee85ed91016d4a368c802d019
SHA512: 6a21cb868aaa4c3733ab1872f4b993991f5ea8f7667e7d4013a429a14cc793ba33c6051c22e4415839232c77c084e9e3f577d0b5374c8aa6fa5c551407d78283
Static task: static1
Behavioral task: behavioral1
Sample: ss
Resource: ubuntu2404-amd64-20240523-en
Malware Config
Targets
File and Directory Permissions Modification: Adversaries may modify file or directory permissions to evade defenses.
Executes dropped EXE
OS Credential Dumping: Adversaries may attempt to dump credentials to use them in password cracking.
Abuse Elevation Control Mechanism: Sudo and Sudo Caching: Abuse sudo or cached sudo credentials to execute code.
Checks hardware identifiers (DMI): Checks DMI information that indicates whether the system is a virtual machine.
Checks mountinfo of local process: Checks the mountinfo of running processes, which indicates whether it is running in a chroot jail.
Enumerates running processes: Discovers information about currently running processes on the system.
Write file to user bin folder
Reads process memory: Reads the memory of a process through the /proc virtual filesystem. This can be used to steal credentials.
MITRE ATT&CK Enterprise v15 (count of matched signatures in parentheses)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Sudo and Sudo Caching (1)
  File and Directory Permissions Modification (1)
    Linux and Mac File and Directory Permissions Modification (1)
  Indicator Removal (1)
    Clear Linux or Mac System Logs (1)
  Virtualization/Sandbox Evasion (3)
    System Checks (3)
Credential Access
  OS Credential Dumping (2)
    /etc/passwd and /etc/shadow (1)
    Proc Filesystem (1)