0de9266af49aab24256c289d39e86649d978d5a4c9d0ff2041a22140b88ea688

Analysis

max time kernel
2s
platform
debian-9_armhf
resource
debian9-armhf-20240611-en
resource tags

arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
08-11-2024 11:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

.systemd/ntpdate
Size

4KB
MD5

e1e04a6303387665ef0db838157d63d6
SHA1

ebb08e424ce4251827c0ddea5ac91f971a1a8f73
SHA256

af0b766bcffc9bf2e2a1a6059515d0bc58e60d4de3fe19598de7411fb619b65d
SHA512

f2eea4ac06e9cb750e36a35a10e22cdd60403982f9d1597cd96002972b7fe3228c8ae3caf5f7cc028221a36d81615be4369a9f34fa4c81ae84dd1dd0f5cf4f76
SSDEEP

48:QuH1wKQWqaT2WHKBNCNN12WHNS4g2WHEoeXa5J2WH95J2WHT:1V4WH+C4WHNRWHEoeRWHsWHT

Score

7^/10

defense_evasion discovery execution persistence privilege_escalatio

Malware Config

Signatures

File and Directory Permissions Modification 1 TTPs 4 IoCs
Adversaries may modify file or directory permissions to evade defenses.
defense_evasion

Linux and Mac File and Directory Permissions Modification
T1222.002

Processes:

chmodchmodchmodchmod

pid process

682 chmod
692 chmod
700 chmod
711 chmod
Attempts to change immutable files 9 IoCs
Modifies inode attributes on the filesystem to allow changing of immutable files.

Processes:

chattrchattrchattrchattrchattrchattrchattrchattrchattr

pid process

693 chattr
695 chattr
683 chattr
684 chattr
701 chattr
703 chattr
713 chattr
677 chattr
687 chattr

pid	process
682	chmod
692	chmod
700	chmod
711	chmod

pid	process
693	chattr
695	chattr
683	chattr
684	chattr
701	chattr
703	chattr
713	chattr
677	chattr
687	chattr

Creates/modifies Cron job 1 TTPs 5 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

execution persistence privilege_escalatio

Cron

T1053.003

Processes:

tee

description	ioc	process
File opened for modification	/etc/cron.d/ntpdate	tee
File opened for modification	/etc/cron.daily/ntpdate	tee
File opened for modification	/etc/cron.hourly/ntpdate	tee
File opened for modification	/etc/cron.monthly/ntpdate	tee
File opened for modification	/etc/cron.weekly/ntpdate	tee

Modifies init.d 2 TTPs 1 IoCs
Adds/modifies system service, likely for persistence.
persistence

Boot or Logon Autostart Execution
T1547

RC Scripts
T1037.004

Processes:

tee

description ioc process

File opened for modification /etc/init.d/ntpdate tee
Writes file to system bin folder 2 IoCs

Processes:

teetee

description ioc process

File opened for modification /sbin/entpdate tee
File opened for modification /sbin/lntpdate tee

description	ioc	process
File opened for modification	/etc/init.d/ntpdate	tee

description	ioc	process
File opened for modification	/sbin/entpdate	tee
File opened for modification	/sbin/lntpdate	tee

Reads runtime system information 5 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

mkdircpcpcpcp

description	ioc	process
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp

Writes file to tmp directory 1 IoCs
Malware often drops required files in the /tmp directory.

Processes:

ntpdate

description ioc process

File opened for modification /tmp/.systemd/systemd.dir ntpdate

description	ioc	process
File opened for modification	/tmp/.systemd/systemd.dir	ntpdate

/tmp/.systemd/ntpdate
/tmp/.systemd/ntpdate
1⤵
- Writes file to tmp directory
PID:668
- /bin/uname
  uname -m
  2⤵
  PID:669
- /bin/cat
  cat systemd.dir
  2⤵
  PID:673
- /bin/mkdir
  mkdir -p /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly
  2⤵
  - Reads runtime system information
  PID:676
- /usr/bin/chattr
  chattr -i -a "/etc/cron.*/ntpdate" /sbin/bcrond
  2⤵
  - Attempts to change immutable files
  PID:677
- /bin/rm
  rm -rf /sbin/bcrond
  2⤵
  PID:678
- /bin/cp
  cp -f -r -- /tmp/.systemd/.armv7l /sbin/bcrond
  2⤵
  - Reads runtime system information
  PID:679
- /usr/bin/tee
  tee -a /etc/cron.d/ntpdate /etc/cron.daily/ntpdate /etc/cron.hourly/ntpdate /etc/cron.monthly/ntpdate /etc/cron.weekly/ntpdate
  2⤵
  - Creates/modifies Cron job
  PID:681
- /bin/chmod
  chmod +x /etc/cron.daily/ntpdate /etc/cron.d/ntpdate /etc/cron.hourly/ntpdate /etc/cron.monthly/ntpdate /etc/cron.weekly/ntpdate /sbin/bcrond
  2⤵
  - File and Directory Permissions Modification
  PID:682
- /usr/bin/chattr
  chattr +i +a /etc/cron.daily/ntpdate /etc/cron.d/ntpdate /etc/cron.hourly/ntpdate /etc/cron.monthly/ntpdate /etc/cron.weekly/ntpdate /sbin/bcrond
  2⤵
  - Attempts to change immutable files
  PID:683
- /usr/bin/chattr
  chattr -a -i /sbin/bsysd
  2⤵
  - Attempts to change immutable files
  PID:684
- /bin/rm
  rm -rf /sbin/bsysd
  2⤵
  PID:685
- /usr/bin/which
  which systemctl
  2⤵
  PID:686
- /usr/bin/chattr
  chattr -i -a /sbin/entpdate /sbin/bsysde
  2⤵
  - Attempts to change immutable files
  PID:687
- /bin/rm
  rm -rf /sbin/bsysde
  2⤵
  PID:688
- /bin/cp
  cp -f -r -- /tmp/.systemd/.armv7l /sbin/bsysde
  2⤵
  - Reads runtime system information
  PID:689
- /usr/bin/tee
  tee -a /sbin/entpdate
  2⤵
  - Writes file to system bin folder
  PID:691
- /bin/chmod
  chmod +x /sbin/entpdate
  2⤵
  - File and Directory Permissions Modification
  PID:692
- /usr/bin/chattr
  chattr +i +a /sbin/entpdate /sbin/bsysde
  2⤵
  - Attempts to change immutable files
  PID:693
- /usr/bin/which
  which systemctl
  2⤵
  PID:694
- /usr/bin/chattr
  chattr -i -a /sbin/lntpdate /sbin/bsysdl
  2⤵
  - Attempts to change immutable files
  PID:695
- /bin/rm
  rm -rf /sbin/bsysdl
  2⤵
  PID:696
- /bin/cp
  cp -f -r -- /tmp/.systemd/.armv7l /sbin/bsysdl
  2⤵
  - Reads runtime system information
  PID:697
- /usr/bin/tee
  tee -a /sbin/lntpdate
  2⤵
  - Writes file to system bin folder
  PID:699
- /bin/chmod
  chmod +x /sbin/lntpdate
  2⤵
  - File and Directory Permissions Modification
  PID:700
- /usr/bin/chattr
  chattr +i +a /sbin/lntpdate /sbin/bsysdl
  2⤵
  - Attempts to change immutable files
  PID:701
- /usr/bin/which
  which update-rc.d
  2⤵
  PID:702
- /usr/bin/chattr
  chattr -i -a /etc/init.d/ntpdate /sbin/binitd
  2⤵
  - Attempts to change immutable files
  PID:703
- /bin/rm
  rm -rf /sbin/binitd
  2⤵
  PID:706
- /bin/cp
  cp -f -r -- /tmp/.systemd/.armv7l /sbin/binitd
  2⤵
  - Reads runtime system information
  PID:707
- /usr/bin/tee
  tee -a /etc/init.d/ntpdate
  2⤵
  - Modifies init.d
  PID:709
- /bin/chmod
  chmod +x /etc/init.d/ntpdate /sbin/binitd
  2⤵
  - File and Directory Permissions Modification
  PID:711
- /usr/bin/chattr
  chattr +i +a /etc/init.d/ntpdate /sbin/binitd
  2⤵
  - Attempts to change immutable files
  PID:713
- /usr/bin/which
  which chkconfig
  2⤵
  PID:714

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Cron

T1053.003

Persistence

Boot or Logon Autostart Execution

T1547

Boot or Logon Initialization Scripts

T1037

RC Scripts

T1037.004

Scheduled Task/Job

T1053

Cron

T1053.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Boot or Logon Initialization Scripts

T1037

RC Scripts

T1037.004

Scheduled Task/Job

T1053

Cron

T1053.003

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/cron.d/ntpdate

Filesize
365B

MD5
755700d11d59e0daeb4f6452aee1ad5d

SHA1
6b1194921376bef9c7559629712772a11e78eaa4

SHA256
1b311adac81faa8f9bf687306192ff84c2ee12a9337dd1051c55004ce39a2b00

SHA512
446f3d05218fa12190dadd2f405345b9a5581221064314e8bce54b155c08ad9bdba17d15f6959e5eb987baaffa309cfb19bf92a1a944d580f66419060a44b2b7

Download Submit
/etc/init.d/ntpdate

Filesize
365B

MD5
bd99a962d94b5b4c32f8b7c8ca1f9ea9

SHA1
af33dc04d1f16e5ccceb2c0569b26e45bb65b32b

SHA256
64e489965b3914b15f92dadd851560e95287a40923b6cc93849e0758cdbf8b28

SHA512
fc2f81575bab833e76f070a45c3b9a1a32bb3c19084166c0beed3d03694d38295f6761af1599169f84a2c6f4b8c8bd8e1d8230796191de84dda52edd6899cdfa

Download Submit
/sbin/entpdate

Filesize
365B

MD5
4aeb6335d69473274691f59dc2096cfe

SHA1
440755e42aa67c6ab3e636aeb1e8ec9463cd7ffc

SHA256
87095fcf498e832162baa13ecd28367155d8a1b5d02aee9ec1b60e149a871785

SHA512
23b0ef7f02e090cae5b7c20f8b06f4c450e6e8ddc49f3df9c49d223aa2df36339bb92df56e4609240d5e2066ee328db0abebd38de4b3eef304e83e72f4f1886c

Download Submit
/sbin/lntpdate

Filesize
365B

MD5
3748e897538baafbc7b260b4d2fbc98f

SHA1
41d179e3cfc4c1820ea2c0fed0d50009564db79b

SHA256
ebcbd097cd86e990591360d56f077f37de35fd6f4ce222c6d286f2f7e1024cc7

SHA512
23519c47db8c96ed72be6833778013df9199bb6d243e989fca2a75dd55d2a5aca37228fc19b0e2537cb5e10a27d69815edc5b640c8e878d7e767559904eaccea

Download Submit
/tmp/.systemd/systemd.dir

Filesize
14B

MD5
1f3a48ead214b69a4e5bbcc12a732ddb

SHA1
3391a93f27a805c58de438e5a50267af13b619ab

SHA256
8ebe6ec5aee16e2d6ea3fe45a22e72ad8f936a83a7fc9e82591885bcb45e322c

SHA512
386b19da83f4b8416d17960a3c0832b38521a3396dbf99501dcf03811e17d1696b18db4131f66375889afc2c44d791dd62239a86d3ba0fa614b8547480a7381d

Download Submit