Overview (score 10)
Static (score 5)

Behavioral tasks (sample, platform, score):
  .systemd/.i686     ubuntu-22.04-amd64   3
  .systemd/.run      ubuntu-18.04-amd64   7
  .systemd/.run      debian-9-armhf       6
  .systemd/.run      debian-9-mips        6
  .systemd/.run      debian-9-mipsel      6
  .systemd/.x86_64   ubuntu-24.04-amd64   10
  .systemd/auto      ubuntu-18.04-amd64   7
  .systemd/auto      debian-9-armhf       7
  .systemd/auto      debian-9-mips        7
  .systemd/auto      debian-9-mipsel      7
  .systemd/clean     ubuntu-18.04-amd64   1
  .systemd/clean     debian-9-armhf       1
  .systemd/clean     debian-9-mips        1
  .systemd/clean     debian-9-mipsel      1
  .systemd/go        ubuntu-18.04-amd64   1
  .systemd/go        debian-9-armhf       1
  .systemd/go        debian-9-mips        1
  .systemd/go        debian-9-mipsel      1
  .systemd/ntpdate   ubuntu-18.04-amd64   7
  .systemd/ntpdate   debian-9-armhf       7
  .systemd/ntpdate   debian-9-mips        7
  .systemd/ntpdate   debian-9-mipsel      7
  .update/.i686      ubuntu-20.04-amd64   6
  .update/.run       ubuntu-18.04-amd64   3
  .update/.run       debian-9-armhf       3
  .update/.run       debian-9-mips        3
  .update/.run       debian-9-mipsel      3
  .update/.x86_64    ubuntu-22.04-amd64   10
  .update/auth       ubuntu-18.04-amd64   8
  .update/auth       debian-9-armhf       8
  .update/auth       debian-9-mips        8
  .update/auth       debian-9-mipsel      8

Analysis
  Max time kernel: 3s
  Platform: debian-9_mipsel
  Resource: debian9-mipsel-20240418-en
  Resource tags: arch:mipsel, image:debian9-mipsel-20240418-en, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mipsel, system
  Submitted: 08-11-2024 11:36
Behavioral tasks (task, sample, resource):
  behavioral1    .systemd/.i686     ubuntu2204-amd64-20240611-en
  behavioral2    .systemd/.run      ubuntu1804-amd64-20240508-en
  behavioral3    .systemd/.run      debian9-armhf-20240611-en
  behavioral4    .systemd/.run      debian9-mipsbe-20240729-en
  behavioral5    .systemd/.run      debian9-mipsel-20240611-en
  behavioral6    .systemd/.x86_64   ubuntu2404-amd64-20240523-en
  behavioral7    .systemd/auto      ubuntu1804-amd64-20240508-en
  behavioral8    .systemd/auto      debian9-armhf-20240611-en
  behavioral9    .systemd/auto      debian9-mipsbe-20240729-en
  behavioral10   .systemd/auto      debian9-mipsel-20240611-en
  behavioral11   .systemd/clean     ubuntu1804-amd64-20240611-en
  behavioral12   .systemd/clean     debian9-armhf-20240418-en
  behavioral13   .systemd/clean     debian9-mipsbe-20240611-en
  behavioral14   .systemd/clean     debian9-mipsel-20240611-en
  behavioral15   .systemd/go        ubuntu1804-amd64-20240729-en
  behavioral16   .systemd/go        debian9-armhf-20240611-en
  behavioral17   .systemd/go        debian9-mipsbe-20240729-en
  behavioral18   .systemd/go        debian9-mipsel-20240418-en
  behavioral19   .systemd/ntpdate   ubuntu1804-amd64-20240611-en
  behavioral20   .systemd/ntpdate   debian9-armhf-20240611-en
  behavioral21   .systemd/ntpdate   debian9-mipsbe-20240611-en
  behavioral22   .systemd/ntpdate   debian9-mipsel-20240418-en
  behavioral23   .update/.i686      ubuntu2004-amd64-20240611-en
  behavioral24   .update/.run       ubuntu1804-amd64-20240611-en
  behavioral25   .update/.run       debian9-armhf-20240729-en
  behavioral26   .update/.run       debian9-mipsbe-20240729-en
  behavioral27   .update/.run       debian9-mipsel-20240611-en
  behavioral28   .update/.x86_64    ubuntu2204-amd64-20240611-en
  behavioral29   .update/auth       ubuntu1804-amd64-20240508-en
  behavioral30   .update/auth       debian9-armhf-20240611-en
  behavioral31   .update/auth       debian9-mipsbe-20240611-en
  behavioral32   .update/auth       debian9-mipsel-20240729-en
General
  Target: .systemd/ntpdate
  Size: 4KB
  MD5: e1e04a6303387665ef0db838157d63d6
  SHA1: ebb08e424ce4251827c0ddea5ac91f971a1a8f73
  SHA256: af0b766bcffc9bf2e2a1a6059515d0bc58e60d4de3fe19598de7411fb619b65d
  SHA512: f2eea4ac06e9cb750e36a35a10e22cdd60403982f9d1597cd96002972b7fe3228c8ae3caf5f7cc028221a36d81615be4369a9f34fa4c81ae84dd1dd0f5cf4f76
  SSDEEP: 48:QuH1wKQWqaT2WHKBNCNN12WHNS4g2WHEoeXa5J2WH95J2WHT:1V4WH+C4WHNRWHEoeRWHsWHT
Malware Config
Signatures

File and Directory Permissions Modification (1 TTPs, 4 IoCs)
Adversaries may modify file or directory permissions to evade defenses.
  PID   Process
  762   chmod
  773   chmod
  781   chmod
  789   chmod

Attempts to change immutable files (9 IoCs)
Modifies inode attributes on the filesystem to allow changing of immutable files.
  PID   Process
  756   chattr
  763   chattr
  768   chattr
  790   chattr
  764   chattr
  774   chattr
  776   chattr
  782   chattr
  784   chattr

Creates/modifies Cron job (1 TTPs, 5 IoCs)
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
  Description                     IoC                         Process
  File opened for modification    /etc/cron.hourly/ntpdate    tee
  File opened for modification    /etc/cron.monthly/ntpdate   tee
  File opened for modification    /etc/cron.weekly/ntpdate    tee
  File opened for modification    /etc/cron.d/ntpdate         tee
  File opened for modification    /etc/cron.daily/ntpdate     tee

Modifies init.d
  Description                     IoC                         Process
  File opened for modification    /etc/init.d/ntpdate         tee

Writes file to system bin folder (2 IoCs)
  Description                     IoC                         Process
  File opened for modification    /sbin/lntpdate              tee
  File opened for modification    /sbin/entpdate              tee

Reads runtime system information
  Description                     IoC                         Process
  File opened for reading         /proc/filesystems           cp
  File opened for reading         /proc/filesystems           cp
  File opened for reading         /proc/filesystems           cp
  File opened for reading         /proc/filesystems           mkdir
  File opened for reading         /proc/filesystems           cp

System Network Configuration Discovery (1 TTPs, 4 IoCs)
Adversaries may gather information about the network configuration of a system.
  PID   Process
  759   cp
  770   cp
  778   cp
  786   cp

Writes file to tmp directory (1 IoCs)
Malware often drops required files in the /tmp directory.
  Description                     IoC                         Process
  File opened for modification    /tmp/.systemd/systemd.dir   ntpdate
Processes (process path (PID): command line, with matched signatures listed beneath each)

/tmp/.systemd/ntpdate (PID 745): /tmp/.systemd/ntpdate
  - Writes file to tmp directory
  /bin/uname (PID 748): uname -m
  /bin/cat (PID 751): cat systemd.dir
  /bin/mkdir (PID 752): mkdir -p /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly
    - Reads runtime system information
  /usr/bin/chattr (PID 756): chattr -i -a "/etc/cron.*/ntpdate" /sbin/bcrond
    - Attempts to change immutable files
  /bin/rm (PID 758): rm -rf /sbin/bcrond
  /bin/cp (PID 759): cp -f -r -- /tmp/.systemd/.mips /sbin/bcrond
    - Reads runtime system information
    - System Network Configuration Discovery
  /usr/bin/tee (PID 761): tee -a /etc/cron.d/ntpdate /etc/cron.daily/ntpdate /etc/cron.hourly/ntpdate /etc/cron.monthly/ntpdate /etc/cron.weekly/ntpdate
    - Creates/modifies Cron job
  /bin/chmod (PID 762): chmod +x /etc/cron.daily/ntpdate /etc/cron.d/ntpdate /etc/cron.hourly/ntpdate /etc/cron.monthly/ntpdate /etc/cron.weekly/ntpdate /sbin/bcrond
    - File and Directory Permissions Modification
  /usr/bin/chattr (PID 763): chattr +i +a /etc/cron.daily/ntpdate /etc/cron.d/ntpdate /etc/cron.hourly/ntpdate /etc/cron.monthly/ntpdate /etc/cron.weekly/ntpdate /sbin/bcrond
    - Attempts to change immutable files
  /usr/bin/chattr (PID 764): chattr -a -i /sbin/bsysd
    - Attempts to change immutable files
  /bin/rm (PID 766): rm -rf /sbin/bsysd
  /usr/bin/which (PID 767): which systemctl
  /usr/bin/chattr (PID 768): chattr -i -a /sbin/entpdate /sbin/bsysde
    - Attempts to change immutable files
  /bin/rm (PID 769): rm -rf /sbin/bsysde
  /bin/cp (PID 770): cp -f -r -- /tmp/.systemd/.mips /sbin/bsysde
    - Reads runtime system information
    - System Network Configuration Discovery
  /usr/bin/tee (PID 772): tee -a /sbin/entpdate
    - Writes file to system bin folder
  /bin/chmod (PID 773): chmod +x /sbin/entpdate
    - File and Directory Permissions Modification
  /usr/bin/chattr (PID 774): chattr +i +a /sbin/entpdate /sbin/bsysde
    - Attempts to change immutable files
  /usr/bin/which (PID 775): which systemctl
  /usr/bin/chattr (PID 776): chattr -i -a /sbin/lntpdate /sbin/bsysdl
    - Attempts to change immutable files
  /bin/rm (PID 777): rm -rf /sbin/bsysdl
  /bin/cp (PID 778): cp -f -r -- /tmp/.systemd/.mips /sbin/bsysdl
    - Reads runtime system information
    - System Network Configuration Discovery
  /usr/bin/tee (PID 780): tee -a /sbin/lntpdate
    - Writes file to system bin folder
  /bin/chmod (PID 781): chmod +x /sbin/lntpdate
    - File and Directory Permissions Modification
  /usr/bin/chattr (PID 782): chattr +i +a /sbin/lntpdate /sbin/bsysdl
    - Attempts to change immutable files
  /usr/bin/which (PID 783): which update-rc.d
  /usr/bin/chattr (PID 784): chattr -i -a /etc/init.d/ntpdate /sbin/binitd
    - Attempts to change immutable files
  /bin/rm (PID 785): rm -rf /sbin/binitd
  /bin/cp (PID 786): cp -f -r -- /tmp/.systemd/.mips /sbin/binitd
    - Reads runtime system information
    - System Network Configuration Discovery
  /usr/bin/tee (PID 788): tee -a /etc/init.d/ntpdate
    - Modifies init.d
  /bin/chmod (PID 789): chmod +x /etc/init.d/ntpdate /sbin/binitd
    - File and Directory Permissions Modification
  /usr/bin/chattr (PID 790): chattr +i +a /etc/init.d/ntpdate /sbin/binitd
    - Attempts to change immutable files
  /usr/bin/which (PID 791): which chkconfig
Network

MITRE ATT&CK Enterprise v15
  Persistence
    Boot or Logon Autostart Execution (1)
    Boot or Logon Initialization Scripts (1)
    RC Scripts (1)
    Scheduled Task/Job (1)
    Cron (1)
  Privilege Escalation
    Boot or Logon Autostart Execution (1)
    Boot or Logon Initialization Scripts (1)
    RC Scripts (1)
    Scheduled Task/Job (1)
    Cron (1)
Downloads

Filesize: 365B
  MD5: 755700d11d59e0daeb4f6452aee1ad5d
  SHA1: 6b1194921376bef9c7559629712772a11e78eaa4
  SHA256: 1b311adac81faa8f9bf687306192ff84c2ee12a9337dd1051c55004ce39a2b00
  SHA512: 446f3d05218fa12190dadd2f405345b9a5581221064314e8bce54b155c08ad9bdba17d15f6959e5eb987baaffa309cfb19bf92a1a944d580f66419060a44b2b7

Filesize: 365B
  MD5: bd99a962d94b5b4c32f8b7c8ca1f9ea9
  SHA1: af33dc04d1f16e5ccceb2c0569b26e45bb65b32b
  SHA256: 64e489965b3914b15f92dadd851560e95287a40923b6cc93849e0758cdbf8b28
  SHA512: fc2f81575bab833e76f070a45c3b9a1a32bb3c19084166c0beed3d03694d38295f6761af1599169f84a2c6f4b8c8bd8e1d8230796191de84dda52edd6899cdfa

Filesize: 365B
  MD5: 4aeb6335d69473274691f59dc2096cfe
  SHA1: 440755e42aa67c6ab3e636aeb1e8ec9463cd7ffc
  SHA256: 87095fcf498e832162baa13ecd28367155d8a1b5d02aee9ec1b60e149a871785
  SHA512: 23b0ef7f02e090cae5b7c20f8b06f4c450e6e8ddc49f3df9c49d223aa2df36339bb92df56e4609240d5e2066ee328db0abebd38de4b3eef304e83e72f4f1886c

Filesize: 365B
  MD5: 3748e897538baafbc7b260b4d2fbc98f
  SHA1: 41d179e3cfc4c1820ea2c0fed0d50009564db79b
  SHA256: ebcbd097cd86e990591360d56f077f37de35fd6f4ce222c6d286f2f7e1024cc7
  SHA512: 23519c47db8c96ed72be6833778013df9199bb6d243e989fca2a75dd55d2a5aca37228fc19b0e2537cb5e10a27d69815edc5b640c8e878d7e767559904eaccea

Filesize: 14B
  MD5: 1f3a48ead214b69a4e5bbcc12a732ddb
  SHA1: 3391a93f27a805c58de438e5a50267af13b619ab
  SHA256: 8ebe6ec5aee16e2d6ea3fe45a22e72ad8f936a83a7fc9e82591885bcb45e322c
  SHA512: 386b19da83f4b8416d17960a3c0832b38521a3396dbf99501dcf03811e17d1696b18db4131f66375889afc2c44d791dd62239a86d3ba0fa614b8547480a7381d