Analysis

  • max time kernel
    0s
  • max time network
    129s
  • platform
    ubuntu-18.04_amd64
  • resource
    ubuntu1804-amd64-20240508-en
  • resource tags

    arch:amd64
    arch:i386
    image:ubuntu1804-amd64-20240508-en
    kernel:4.15.0-213-generic
    locale:en-us
    os:ubuntu-18.04-amd64
    system
  • submitted
    08-11-2024 11:36

General

  • Target

    .update/auth

  • Size

    2KB

  • MD5

    90ded2b48075101fafbd34a7e4219c44

  • SHA1

    1f58b4b27921c813ffe5b2ef9adb1de4f6976718

  • SHA256

    1ef564b8c8f52d152b7c0f75c1442e9edb5841e93aee31d1da25a452168ef3c3

  • SHA512

    4aa75f3fb670507585f58eb347c1f3911def77e6fc84f23f3f437a71b968b229c516e6b98ee2f90629542b873b486bd2f8915f3db0a8e701ff0c6a311d7ab57b

Malware Config

Signatures

  • Adds new SSH keys 1 TTPs 2 IoCs

    Modifies the Linux special file that holds authorized SSH keys. A threat actor may add new keys to obtain further remote access.

  • Reads runtime system information 3 IoCs

    Reads data from the /proc virtual filesystem.

  • Writes file to tmp directory 1 IoCs

    Malware often drops the files it needs into the /tmp directory.

Processes

  • /tmp/.update/auth
    /tmp/.update/auth
    1⤵
    • Adds new SSH keys
    • Writes file to tmp directory
    PID:1517
    • /bin/uname
      uname -n
      2⤵
      PID:1518
    • /bin/mkdir
      mkdir /root/.ssh
      2⤵
      • Reads runtime system information
      PID:1519
    • /bin/chmod
      chmod 0700 /root/.ssh
      2⤵
      PID:1520
    • /bin/chmod
      chmod 0644 /root/.ssh/authorized_keys
      2⤵
      PID:1521
    • /usr/bin/chattr
      chattr +ai /root/.ssh /root/.ssh/authorized_keys
      2⤵
      PID:1522
    • /bin/rm
      rm -rf authusers
      2⤵
      PID:1523
    • /bin/grep
      grep -e /bin/sh -e /bin/bash
      2⤵
      PID:1525
    • /bin/cat
      cat /etc/passwd
      2⤵
      PID:1524
    • /usr/bin/cut
      cut -d : -f 1
      2⤵
      PID:1529
    • /usr/bin/cut
      cut -d : -f 6
      2⤵
      PID:1532
    • /usr/bin/chattr
      chattr -ai /root/.ssh /root/.ssh/authorized_keys
      2⤵
      PID:1533
    • /bin/sed
      sed -i /r78x7ECphuPrGrR4SDqE1w/d /root/.ssh/authorized_keys
      2⤵
      • Reads runtime system information
      PID:1534
    • /usr/bin/cut
      cut -d : -f 1
      2⤵
      PID:1538
    • /usr/bin/cut
      cut -d : -f 6
      2⤵
      PID:1541
    • /bin/mkdir
      mkdir /home/user/.ssh
      2⤵
      • Reads runtime system information
      PID:1542
    • /bin/chown
      chown -R user /home/user/.ssh
      2⤵
      PID:1543

Network

MITRE ATT&CK Enterprise v15


Downloads

  • /root/.ssh/authorized_keys
    Filesize: 413B
    MD5: 8fe44e7f210016f1a630679fe2379c1b
    SHA1: 2ca1d7e85c3f3f57e93c224df0d6765615969b25
    SHA256: 7e086e2e17f07dcf4f39288e348e14ec7cff52af7aca8b537ed13e2fb3fb4189
    SHA512: 981450e6206dcf76811bec0bc3fa8e87b2fd2ac3234754738a3220d29dc1a61b9e82a00ace865d21c365cc598b9caccf58686deb69be5820a52bcfb9b65eaa9c

  • /tmp/.update/authusers
    Filesize: 5B
    MD5: 9514cd886e4faf1f23baadfd967abcbd
    SHA1: 00894ed21cee494a192e94a782ae265e45d828f1
    SHA256: 6b6a14023ccb73d8e3ae440f372d66866d50ecd2141acc8cd947e29fd088d432
    SHA512: 17fb1a18e12a6c04f960d4c54d00100ebd87c20976bd98bb8d8b242725519ce3968ad9312472dfafc4e67e46a9eddba4a993511ec557035f09d94b7548c50ce6

  • /tmp/.update/authusers
    Filesize: 10B
    MD5: fe065880cc6e0333e8679d0e03ff2369
    SHA1: aaceb9f893c93f47ddccca1e2e502c01ecbc5456
    SHA256: f06caf37e0abb7fe702087801c3ef6507d69560d1992dc4f3a2e788e70a37a77
    SHA512: ccbe5ac641458e053b073b3cc9ebb5be2c086a5ec76ff46f36f8373a64e3964b6a1953a4165a6cd1b0cda52a3aed0f6227d4bec8f0370169bd68ed09e2a02e92