Overview
overview
10Static
static
5.systemd/.i686
ubuntu-22.04-amd64
3.systemd/.run
ubuntu-18.04-amd64
7.systemd/.run
debian-9-armhf
6.systemd/.run
debian-9-mips
6.systemd/.run
debian-9-mipsel
6.systemd/.x86_64
ubuntu-24.04-amd64
10.systemd/auto
ubuntu-18.04-amd64
7.systemd/auto
debian-9-armhf
7.systemd/auto
debian-9-mips
7.systemd/auto
debian-9-mipsel
7.systemd/clean
ubuntu-18.04-amd64
1.systemd/clean
debian-9-armhf
1.systemd/clean
debian-9-mips
1.systemd/clean
debian-9-mipsel
1.systemd/go
ubuntu-18.04-amd64
1.systemd/go
debian-9-armhf
1.systemd/go
debian-9-mips
1.systemd/go
debian-9-mipsel
1.systemd/ntpdate
ubuntu-18.04-amd64
7.systemd/ntpdate
debian-9-armhf
7.systemd/ntpdate
debian-9-mips
7.systemd/ntpdate
debian-9-mipsel
7.update/.i686
ubuntu-20.04-amd64
6.update/.run
ubuntu-18.04-amd64
3.update/.run
debian-9-armhf
3.update/.run
debian-9-mips
3.update/.run
debian-9-mipsel
3.update/.x86_64
ubuntu-22.04-amd64
10.update/auth
ubuntu-18.04-amd64
8.update/auth
debian-9-armhf
8.update/auth
debian-9-mips
8.update/auth
debian-9-mipsel
8Analysis
-
max time kernel
0s -
max time network
129s -
platform
ubuntu-18.04_amd64 -
resource
ubuntu1804-amd64-20240508-en -
resource tags
arch:amd64arch:i386image:ubuntu1804-amd64-20240508-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system -
submitted
08-11-2024 11:36
Behavioral task
behavioral1
Sample
.systemd/.i686
Resource
ubuntu2204-amd64-20240611-en
Behavioral task
behavioral2
Sample
.systemd/.run
Resource
ubuntu1804-amd64-20240508-en
Behavioral task
behavioral3
Sample
.systemd/.run
Resource
debian9-armhf-20240611-en
Behavioral task
behavioral4
Sample
.systemd/.run
Resource
debian9-mipsbe-20240729-en
Behavioral task
behavioral5
Sample
.systemd/.run
Resource
debian9-mipsel-20240611-en
Behavioral task
behavioral6
Sample
.systemd/.x86_64
Resource
ubuntu2404-amd64-20240523-en
Behavioral task
behavioral7
Sample
.systemd/auto
Resource
ubuntu1804-amd64-20240508-en
Behavioral task
behavioral8
Sample
.systemd/auto
Resource
debian9-armhf-20240611-en
Behavioral task
behavioral9
Sample
.systemd/auto
Resource
debian9-mipsbe-20240729-en
Behavioral task
behavioral10
Sample
.systemd/auto
Resource
debian9-mipsel-20240611-en
Behavioral task
behavioral11
Sample
.systemd/clean
Resource
ubuntu1804-amd64-20240611-en
Behavioral task
behavioral12
Sample
.systemd/clean
Resource
debian9-armhf-20240418-en
Behavioral task
behavioral13
Sample
.systemd/clean
Resource
debian9-mipsbe-20240611-en
Behavioral task
behavioral14
Sample
.systemd/clean
Resource
debian9-mipsel-20240611-en
Behavioral task
behavioral15
Sample
.systemd/go
Resource
ubuntu1804-amd64-20240729-en
Behavioral task
behavioral16
Sample
.systemd/go
Resource
debian9-armhf-20240611-en
Behavioral task
behavioral17
Sample
.systemd/go
Resource
debian9-mipsbe-20240729-en
Behavioral task
behavioral18
Sample
.systemd/go
Resource
debian9-mipsel-20240418-en
Behavioral task
behavioral19
Sample
.systemd/ntpdate
Resource
ubuntu1804-amd64-20240611-en
Behavioral task
behavioral20
Sample
.systemd/ntpdate
Resource
debian9-armhf-20240611-en
Behavioral task
behavioral21
Sample
.systemd/ntpdate
Resource
debian9-mipsbe-20240611-en
Behavioral task
behavioral22
Sample
.systemd/ntpdate
Resource
debian9-mipsel-20240418-en
Behavioral task
behavioral23
Sample
.update/.i686
Resource
ubuntu2004-amd64-20240611-en
Behavioral task
behavioral24
Sample
.update/.run
Resource
ubuntu1804-amd64-20240611-en
Behavioral task
behavioral25
Sample
.update/.run
Resource
debian9-armhf-20240729-en
Behavioral task
behavioral26
Sample
.update/.run
Resource
debian9-mipsbe-20240729-en
Behavioral task
behavioral27
Sample
.update/.run
Resource
debian9-mipsel-20240611-en
Behavioral task
behavioral28
Sample
.update/.x86_64
Resource
ubuntu2204-amd64-20240611-en
Behavioral task
behavioral29
Sample
.update/auth
Resource
ubuntu1804-amd64-20240508-en
Behavioral task
behavioral30
Sample
.update/auth
Resource
debian9-armhf-20240611-en
Behavioral task
behavioral31
Sample
.update/auth
Resource
debian9-mipsbe-20240611-en
Behavioral task
behavioral32
Sample
.update/auth
Resource
debian9-mipsel-20240729-en
General
-
Target
.systemd/.run
-
Size
415B
-
MD5
4c7b4fb257df508abb56e1202d63fb9c
-
SHA1
b490c80ca53c03ad04adc3ac024cb58ae2456161
-
SHA256
19cb430a8f94daf1e4ff121e28814cc3f11493d640e555105c604702980b9117
-
SHA512
2f44151a628f8b94911db42a5d9a83d2ae7b828ab45854954c0579be898843016595da5cfdbe0d882853c6626f6519de3dfeb79eed196a6b008ef5e14132651d
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
ioc pid Process /tmp/.systemd/-bash 1537 -bash -
Enumerates running processes
Discovers information about currently running processes on the system
-
resource yara_rule behavioral2/files/fstream-1.dat upx -
Reads CPU attributes 1 TTPs 3 IoCs
description ioc Process File opened for reading /sys/devices/system/cpu/online ps File opened for reading /sys/devices/system/cpu/online ps File opened for reading /sys/devices/system/cpu/online ps -
description ioc Process File opened for reading /proc/648/cmdline ps File opened for reading /proc/679/cmdline ps File opened for reading /proc/476/status ps File opened for reading /proc/1119/stat ps File opened for reading /proc/174/cmdline ps File opened for reading /proc/414/cmdline ps File opened for reading /proc/183/cmdline ps File opened for reading /proc/533/stat ps File opened for reading /proc/1141/stat ps File opened for reading /proc/1091/stat ps File opened for reading /proc/668/cmdline ps File opened for reading /proc/1518/status ps File opened for reading /proc/30/cmdline ps File opened for reading /proc/31/status ps File opened for reading /proc/1336/cmdline ps File opened for reading /proc/1253/cmdline ps File opened for reading /proc/1284/stat ps File opened for reading /proc/18/status ps File opened for reading /proc/964/stat ps File opened for reading /proc/1136/status ps File opened for reading /proc/14/stat ps File opened for reading /proc/681/stat ps File opened for reading /proc/2/cmdline ps File opened for reading /proc/1067/status ps File opened for reading /proc/1064/stat ps File opened for reading /proc/12/stat ps File opened for reading /proc/1237/cmdline ps File opened for reading /proc/182/cmdline ps File opened for reading /proc/964/status ps File opened for reading /proc/29/cmdline ps File opened for reading /proc/1253/status ps File opened for reading /proc/967/status ps File opened for reading /proc/1225/stat ps File opened for reading /proc/1237/cmdline ps File opened for reading /proc/25/stat ps File opened for reading /proc/1485/status ps File opened for reading /proc/35/status ps File opened for reading /proc/170/stat ps File opened for reading /proc/610/status ps File opened for reading /proc/679/status ps File opened for reading /proc/1/cmdline ps File opened for reading /proc/6/status ps File opened for reading /proc/278/status ps File opened for reading /proc/1284/stat ps File opened for reading /proc/1119/cmdline ps File opened for reading /proc/1178/status ps File opened for reading /proc/187/stat ps File opened for reading /proc/559/cmdline ps File opened for reading /proc/15/cmdline ps File opened for reading /proc/187/status ps File opened for reading /proc/1181/status ps File opened for reading /proc/179/cmdline ps File opened for reading /proc/417/status ps File opened for reading /proc/1305/cmdline ps File opened for reading /proc/32/cmdline ps File opened for reading /proc/445/status ps File opened for reading /proc/460/status ps File opened for reading /proc/679/stat ps File opened for reading /proc/1225/status ps File opened for reading /proc/30/stat ps File opened for reading /proc/1078/cmdline ps File opened for reading /proc/1141/cmdline ps File opened for reading /proc/717/cmdline ps File opened for reading /proc/2/stat ps -
Writes file to tmp directory 1 IoCs
Malware often drops required files in the /tmp directory.
description ioc Process File opened for modification /tmp/.systemd/-bash cp
Processes
-
/tmp/.systemd/.run/tmp/.systemd/.run1⤵PID:1516
-
/bin/grepgrep "ssh "2⤵PID:1518
-
-
/bin/grepgrep -v R2⤵PID:1519
-
-
/bin/grepgrep -v grep2⤵PID:1520
-
-
/bin/psps x2⤵
- Reads CPU attributes
- Reads runtime system information
PID:1517
-
-
/usr/bin/awkawk "{print \$1}"2⤵PID:1521
-
-
/usr/bin/awkawk "{print \$1}"2⤵PID:1527
-
-
/bin/grepgrep -v grep2⤵PID:1526
-
-
/bin/grepgrep -v R2⤵PID:1525
-
-
/bin/grepgrep "ssh\$"2⤵PID:1524
-
-
/bin/psps x2⤵
- Reads CPU attributes
- Reads runtime system information
PID:1523
-
-
/usr/bin/awkawk "{print \$1}"2⤵PID:1533
-
-
/bin/grepgrep -v grep2⤵PID:1532
-
-
/bin/grepgrep -v R2⤵PID:1531
-
-
/bin/grepgrep " sh\$"2⤵PID:1530
-
-
/bin/psps x2⤵
- Reads CPU attributes
- Reads runtime system information
PID:1529
-
-
/bin/unameuname -m2⤵PID:1535
-
-
/bin/cpcp -f -- .x86_64 -bash2⤵
- Writes file to tmp directory
PID:1536
-
-
/tmp/.systemd/-bash./-bash2⤵
- Executes dropped EXE
PID:1537
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
184KB
MD592dc30d449f563a5bdbba08d4a9d57fc
SHA1ff609eed2df786396203a8806400566df079cc7f
SHA25686db0330a233efe6e11f944833f9e9b7472d7f34595cf693f001d99df641513b
SHA512573fa375ddcb6a49690f5168d791af2529a89233d3bf0ff50c2b88686c27e4cef59432e0f6ae71745fecfa2657c23248ad33ea50ac8b9f1c96721f38e3325097