Analysis

  • max time kernel
    0s
  • max time network
    129s
  • platform
    ubuntu-18.04_amd64
  • resource
    ubuntu1804-amd64-20240508-en
  • resource tags
    arch:amd64, arch:i386, image:ubuntu1804-amd64-20240508-en, kernel:4.15.0-213-generic, locale:en-us, os:ubuntu-18.04-amd64, system
  • submitted
    08-11-2024 11:36

General

  • Target

    .systemd/.run

  • Size

    415B

  • MD5

    4c7b4fb257df508abb56e1202d63fb9c

  • SHA1

    b490c80ca53c03ad04adc3ac024cb58ae2456161

  • SHA256

    19cb430a8f94daf1e4ff121e28814cc3f11493d640e555105c604702980b9117

  • SHA512

    2f44151a628f8b94911db42a5d9a83d2ae7b828ab45854954c0579be898843016595da5cfdbe0d882853c6626f6519de3dfeb79eed196a6b008ef5e14132651d

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Enumerates running processes

    Discovers information about currently running processes on the system

  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Reads CPU attributes 1 TTPs 3 IoCs
  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

  • Writes file to tmp directory 1 IoCs

    Malware often drops required files in the /tmp directory.
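Two of the findings above, the UPX-packed dropped file and the hashes listed for it, can be re-checked on a host without the sandbox. The Python below is an added example and not part of this report or the sandbox's own signature logic: it parses the ELF header, looks for the `UPX!` marker where the UPX loader's `l_info` block normally puts it (just past the program header table) and falls back to a plain byte search for modified packers, then matches the SHA256 against the hashes printed on this page. The ELF bytes it builds are constructed for the demo; on a real host you would read `/tmp/.systemd/-bash` instead.

```python
import hashlib
import struct

# SHA256 values copied from this report: the 415-byte .run script and the dropped -bash ELF.
KNOWN_SHA256 = {
    "19cb430a8f94daf1e4ff121e28814cc3f11493d640e555105c604702980b9117": ".systemd/.run",
    "86db0330a233efe6e11f944833f9e9b7472d7f34595cf693f001d99df641513b": ".systemd/-bash",
}

ELF_MAGIC = b"\x7fELF"
UPX_MAGIC = b"UPX!"


def parse_elf_header(data: bytes):
    """Return (is_64bit, little_endian, e_phoff, e_phentsize, e_phnum), or None if not ELF."""
    if len(data) < 52 or data[:4] != ELF_MAGIC:
        return None
    is_64 = data[4] == 2          # EI_CLASS: 1 = ELF32, 2 = ELF64
    little = data[5] == 1         # EI_DATA: 1 = little-endian
    endian = "<" if little else ">"
    if is_64:
        e_phoff = struct.unpack_from(endian + "Q", data, 0x20)[0]
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 0x36)
    else:
        e_phoff = struct.unpack_from(endian + "I", data, 0x1C)[0]
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 0x2A)
    return is_64, little, e_phoff, e_phentsize, e_phnum


def upx_magic_offset(data: bytes) -> int:
    """Offset of the 'UPX!' marker, or -1 if the file does not look UPX-packed.

    UPX's Linux stubs place an l_info block (4-byte checksum, then the magic)
    directly after the program header table; a modified packer may move it,
    so a whole-file search is used as a fallback."""
    hdr = parse_elf_header(data)
    if hdr is None:
        return -1
    _, _, e_phoff, e_phentsize, e_phnum = hdr
    phdr_end = e_phoff + e_phentsize * e_phnum
    if data[phdr_end + 4:phdr_end + 8] == UPX_MAGIC:
        return phdr_end + 4
    return data.find(UPX_MAGIC)


def triage(data: bytes, name: str = "<sample>") -> dict:
    """Hash the bytes, match against the report's IOCs and check for UPX."""
    digest = hashlib.sha256(data).hexdigest()
    return {
        "name": name,
        "sha256": digest,
        "known_as": KNOWN_SHA256.get(digest),   # None when the hash is not on this page
        "is_elf": data[:4] == ELF_MAGIC,
        "upx_offset": upx_magic_offset(data),
    }


def build_sample_elf64() -> bytes:
    """Constructed stand-in for a UPX-packed x86-64 ELF (not the real -bash file):
    a minimal ELF64 header, one 56-byte program header, then an l_info block."""
    e_ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\x00" * 8
    ehdr = e_ident + struct.pack(
        "<HHIQQQIHHHHHH",
        2, 62, 1, 0x400000,   # e_type=EXEC, e_machine=x86-64, e_version, e_entry
        64, 0, 0,             # e_phoff, e_shoff, e_flags
        64, 56, 1,            # e_ehsize, e_phentsize, e_phnum
        64, 0, 0,             # e_shentsize, e_shnum, e_shstrndx
    )
    phdr = b"\x00" * 56
    l_info = struct.pack("<I", 0) + UPX_MAGIC + struct.pack("<HBB", 0, 13, 14)
    return ehdr + phdr + l_info + b"\x00" * 32


if __name__ == "__main__":
    print(triage(build_sample_elf64(), "constructed-elf64"))
```

On a live host, feed `open("/tmp/.systemd/-bash", "rb").read()` to `triage()`; a non-`None` `known_as` is a direct hash match with this report, and a non-negative `upx_offset` on a file named after a shell is worth a closer look even when the hash differs.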

Processes

  • /tmp/.systemd/.run
    /tmp/.systemd/.run
    1⤵
    PID:1516
    • /bin/grep
      grep "ssh "
      2⤵
      PID:1518
    • /bin/grep
      grep -v R
      2⤵
      PID:1519
    • /bin/grep
      grep -v grep
      2⤵
      PID:1520
    • /bin/ps
      ps x
      2⤵
      • Reads CPU attributes
      • Reads runtime system information
      PID:1517
    • /usr/bin/awk
      awk "{print \$1}"
      2⤵
      PID:1521
    • /usr/bin/awk
      awk "{print \$1}"
      2⤵
      PID:1527
    • /bin/grep
      grep -v grep
      2⤵
      PID:1526
    • /bin/grep
      grep -v R
      2⤵
      PID:1525
    • /bin/grep
      grep "ssh\$"
      2⤵
      PID:1524
    • /bin/ps
      ps x
      2⤵
      • Reads CPU attributes
      • Reads runtime system information
      PID:1523
    • /usr/bin/awk
      awk "{print \$1}"
      2⤵
      PID:1533
    • /bin/grep
      grep -v grep
      2⤵
      PID:1532
    • /bin/grep
      grep -v R
      2⤵
      PID:1531
    • /bin/grep
      grep " sh\$"
      2⤵
      PID:1530
    • /bin/ps
      ps x
      2⤵
      • Reads CPU attributes
      • Reads runtime system information
      PID:1529
    • /bin/uname
      uname -m
      2⤵
      PID:1535
    • /bin/cp
      cp -f -- .x86_64 -bash
      2⤵
      • Writes file to tmp directory
      PID:1536
    • /tmp/.systemd/-bash
      ./-bash
      2⤵
      • Executes dropped EXE
      PID:1537
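The tree reads as a short shell script: three `ps x | grep ... | grep -v R | grep -v grep | awk '{print $1}'` pipelines matching `"ssh "`, `"ssh$"` and `" sh$"` (consistent with collecting PIDs of ssh/sh processes that are not in the running state, though the report shows only the commands, not what is done with the PIDs), an architecture probe with `uname -m`, a copy of the bundled `.x86_64` binary to a file named `-bash` (the argv[0] a login shell shows in `ps`), and execution of that copy from the hidden directory. The Python below is an added example and not the sandbox's detection logic: it rebuilds parent/child relations from process-creation events, flags each piece of the chain, and only calls it a dropper chain when the hidden-tmp parent, the architecture probe, the masquerading copy and the execution of the copy all appear under one parent. The event tuples are constructed from the PIDs and command lines in this tree plus a benign control shell (PID 2001) that runs the same `ps | grep`; the event format itself is invented for the demo, not a real log schema.

```python
import os
import re
import shlex
from collections import defaultdict

# Constructed process-creation events (pid, ppid, exe, cmdline), modelled on the
# tree above. PID 2001 and its children are a constructed benign control.
EVENTS = [
    (1516, 1, "/tmp/.systemd/.run", "/tmp/.systemd/.run"),
    (1517, 1516, "/bin/ps", "ps x"),
    (1518, 1516, "/bin/grep", 'grep "ssh "'),
    (1519, 1516, "/bin/grep", "grep -v R"),
    (1520, 1516, "/bin/grep", "grep -v grep"),
    (1521, 1516, "/usr/bin/awk", 'awk "{print \\$1}"'),
    (1535, 1516, "/bin/uname", "uname -m"),
    (1536, 1516, "/bin/cp", "cp -f -- .x86_64 -bash"),
    (1537, 1516, "/tmp/.systemd/-bash", "./-bash"),
    (2001, 1, "/bin/bash", "bash"),
    (2002, 2001, "/bin/ps", "ps x"),
    (2003, 2001, "/bin/grep", 'grep "ssh "'),
]

# Executables living in a dot-directory directly under a world-writable tmp location.
HIDDEN_IN_TMP = re.compile(r"^/(tmp|var/tmp|dev/shm)/\.[^/]+/")


def is_hidden_tmp_path(path: str) -> bool:
    return bool(HIDDEN_IN_TMP.match(path))


def masquerade_target(cmdline: str):
    """Return the destination of a cp/mv whose target name starts with '-', else None.

    A leading '-' needs the '--' end-of-options marker (as in the tree above);
    the resulting '-bash' blends into ps output next to real login shells."""
    try:
        parts = shlex.split(cmdline)
    except ValueError:
        return None
    if not parts or os.path.basename(parts[0]) not in ("cp", "mv"):
        return None
    if "--" in parts:
        operands = parts[parts.index("--") + 1:]
    else:
        operands = [p for p in parts[1:] if not p.startswith("-")]
    if len(operands) < 2:
        return None
    dest = operands[-1]
    return dest if os.path.basename(dest).startswith("-") else None


def analyze(events):
    """Map each parent PID to the list of suspicious behaviours seen among its children."""
    by_pid = {}
    children = defaultdict(list)
    for pid, ppid, exe, cmd in events:
        by_pid[pid] = (exe, cmd)
        children[ppid].append((pid, exe, cmd))

    findings = {}
    for ppid, kids in children.items():
        if ppid not in by_pid:      # parent not in the event window (e.g. init)
            continue
        pexe, _ = by_pid[ppid]
        reasons = []
        if is_hidden_tmp_path(pexe):
            reasons.append("parent runs from hidden dir under tmp: " + pexe)
        cmds = [c for _, _, c in kids]
        if any(c.startswith("uname -m") for c in cmds):
            reasons.append("architecture probe (uname -m)")
        for _, _, c in kids:
            dest = masquerade_target(c)
            if dest:
                reasons.append("copies payload to shell-like name %r" % dest)
        for _, exe, _ in kids:
            if os.path.basename(exe).startswith("-") and is_hidden_tmp_path(exe):
                reasons.append("executes dropped file " + exe)
        if any(c.startswith("ps ") for c in cmds) and any(
            c.startswith("grep") and "ssh" in c for c in cmds
        ):
            reasons.append("enumerates ssh/sh processes via ps|grep")
        if reasons:
            findings[ppid] = reasons
    return findings


def is_dropper_chain(reasons) -> bool:
    """True only when every stage of the chain in this report is present."""
    needed = ("hidden dir", "architecture probe", "shell-like name", "executes dropped")
    return all(any(k in r for r in reasons) for k in needed)


if __name__ == "__main__":
    for ppid, reasons in analyze(EVENTS).items():
        print(ppid, "DROPPER CHAIN" if is_dropper_chain(reasons) else "partial", reasons)
```

The control shell (PID 2001) still produces a finding for the `ps | grep ssh` enumeration, which on its own is common admin behaviour; requiring the full chain before alerting is what keeps the rule from paging on every interactive session that greps the process list.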

Network

MITRE ATT&CK Enterprise v15

Downloads

  • /tmp/.systemd/-bash

    Filesize

    184KB

    MD5

    92dc30d449f563a5bdbba08d4a9d57fc

    SHA1

    ff609eed2df786396203a8806400566df079cc7f

    SHA256

    86db0330a233efe6e11f944833f9e9b7472d7f34595cf693f001d99df641513b

    SHA512

    573fa375ddcb6a49690f5168d791af2529a89233d3bf0ff50c2b88686c27e4cef59432e0f6ae71745fecfa2657c23248ad33ea50ac8b9f1c96721f38e3325097