Analysis

  • max time kernel
    4s
  • platform
    debian-9_armhf
  • resource
    debian9-armhf-20240611-en
  • resource tags

    arch:armhf
    image:debian9-armhf-20240611-en
    kernel:4.9.0-13-armmp-lpae
    locale:en-us
    os:debian-9-armhf
    system
  • submitted
    08-11-2024 11:36

General

  • Target

    .update/auth

  • Size

    2KB

  • MD5

    90ded2b48075101fafbd34a7e4219c44

  • SHA1

    1f58b4b27921c813ffe5b2ef9adb1de4f6976718

  • SHA256

    1ef564b8c8f52d152b7c0f75c1442e9edb5841e93aee31d1da25a452168ef3c3

  • SHA512

    4aa75f3fb670507585f58eb347c1f3911def77e6fc84f23f3f437a71b968b229c516e6b98ee2f90629542b873b486bd2f8915f3db0a8e701ff0c6a311d7ab57b

Malware Config

Signatures

  • Adds new SSH keys (1 TTP, 2 IoCs)

    Writes to the Linux file that holds authorized SSH keys. The threat actor may add new keys to keep remote access.

  • Reads runtime system information (3 IoCs)

    Reads data from the /proc virtual filesystem.

  • Writes file to tmp directory (1 IoC)

    Malware often drops the files it needs in the /tmp directory.

Processes

  • /tmp/.update/auth
    /tmp/.update/auth
    1⤵
    • Adds new SSH keys
    • Writes file to tmp directory
    PID:681
    • /bin/uname
      uname -n
      2⤵
      PID:687
    • /bin/mkdir
      mkdir /root/.ssh
      2⤵
      • Reads runtime system information
      PID:689
    • /bin/chmod
      chmod 0700 /root/.ssh
      2⤵
      PID:690
    • /bin/chmod
      chmod 0644 /root/.ssh/authorized_keys
      2⤵
      PID:691
    • /usr/bin/chattr
      chattr +ai /root/.ssh /root/.ssh/authorized_keys
      2⤵
      PID:692
    • /bin/rm
      rm -rf authusers
      2⤵
      PID:693
    • /bin/cat
      cat /etc/passwd
      2⤵
      PID:694
    • /bin/grep
      grep -e /bin/sh -e /bin/bash
      2⤵
      PID:695
    • /usr/bin/cut
      cut -d : -f 1
      2⤵
      PID:699
    • /usr/bin/cut
      cut -d : -f 6
      2⤵
      PID:702
    • /usr/bin/chattr
      chattr -ai /root/.ssh /root/.ssh/authorized_keys
      2⤵
      PID:703
    • /bin/sed
      sed -i /r78x7ECphuPrGrR4SDqE1w/d /root/.ssh/authorized_keys
      2⤵
      • Reads runtime system information
      PID:704
    • /usr/bin/cut
      cut -d : -f 1
      2⤵
      PID:708
    • /usr/bin/cut
      cut -d : -f 6
      2⤵
      PID:711
    • /bin/mkdir
      mkdir /home/user/.ssh
      2⤵
      • Reads runtime system information
      PID:712
    • /bin/chown
      chown -R user /home/user/.ssh
      2⤵
      PID:713

Network

MITRE ATT&CK Enterprise v15


Downloads

  • /root/.ssh/authorized_keys

    Filesize

    409B

    MD5

    3fdca3b51b9c7ea16d39ffe168fdb5f9

    SHA1

    129679920ccdd3b0f43bb743c475d0e6bfa65488

    SHA256

    c11d21fa2f98c2c0a1c311042d0d3302f289b47320fdaaaff371b100c2e97b22

    SHA512

    eee67cda123034a81886571e6aa1dcd7d5eb7eb74af6ed71e336b6cb4fbe151ccc7efdcdbecc50b17dcfd00ef319edc119648fbbfd3643c98afa80c88d425f94

  • /tmp/.update/authusers

    Filesize

    5B

    MD5

    9514cd886e4faf1f23baadfd967abcbd

    SHA1

    00894ed21cee494a192e94a782ae265e45d828f1

    SHA256

    6b6a14023ccb73d8e3ae440f372d66866d50ecd2141acc8cd947e29fd088d432

    SHA512

    17fb1a18e12a6c04f960d4c54d00100ebd87c20976bd98bb8d8b242725519ce3968ad9312472dfafc4e67e46a9eddba4a993511ec557035f09d94b7548c50ce6

  • /tmp/.update/authusers

    Filesize

    10B

    MD5

    fe065880cc6e0333e8679d0e03ff2369

    SHA1

    aaceb9f893c93f47ddccca1e2e502c01ecbc5456

    SHA256

    f06caf37e0abb7fe702087801c3ef6507d69560d1992dc4f3a2e788e70a37a77

    SHA512

    ccbe5ac641458e053b073b3cc9ebb5be2c086a5ec76ff46f36f8373a64e3964b6a1953a4165a6cd1b0cda52a3aed0f6227d4bec8f0370169bd68ed09e2a02e92