Analysis

  • max time kernel
    2s
  • platform
    debian-9_mips
  • resource
    debian9-mipsbe-20240611-en
  • resource tags

    arch:mips
    image:debian9-mipsbe-20240611-en
    kernel:4.9.0-13-4kc-malta
    locale:en-us
    os:debian-9-mips
    system
  • submitted
    08-11-2024 11:36

General

  • Target

    .update/auth

  • Size

    2KB

  • MD5

    90ded2b48075101fafbd34a7e4219c44

  • SHA1

    1f58b4b27921c813ffe5b2ef9adb1de4f6976718

  • SHA256

    1ef564b8c8f52d152b7c0f75c1442e9edb5841e93aee31d1da25a452168ef3c3

  • SHA512

    4aa75f3fb670507585f58eb347c1f3911def77e6fc84f23f3f437a71b968b229c516e6b98ee2f90629542b873b486bd2f8915f3db0a8e701ff0c6a311d7ab57b

Malware Config

Signatures

  • Adds new SSH keys (1 TTP, 2 IoCs)

    Writes to the Linux file that holds authorized SSH keys. The threat actor may add new keys for further remote access.

  • Reads runtime system information (3 IoCs)

    Reads data from the /proc virtual filesystem.

  • Writes file to tmp directory (1 IoC)

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/.update/auth
    /tmp/.update/auth
    1⤵
    • Adds new SSH keys
    • Writes file to tmp directory
    PID:725
    • /bin/uname
      uname -n
      2⤵
      PID:727
    • /bin/mkdir
      mkdir /root/.ssh
      2⤵
      • Reads runtime system information
      PID:729
    • /bin/chmod
      chmod 0700 /root/.ssh
      2⤵
      PID:733
    • /bin/chmod
      chmod 0644 /root/.ssh/authorized_keys
      2⤵
      PID:734
    • /usr/bin/chattr
      chattr +ai /root/.ssh /root/.ssh/authorized_keys
      2⤵
      PID:735
    • /bin/rm
      rm -rf authusers
      2⤵
      PID:736
    • /bin/grep
      grep -e /bin/sh -e /bin/bash
      2⤵
      PID:739
    • /bin/cat
      cat /etc/passwd
      2⤵
      PID:738
    • /usr/bin/cut
      cut -d : -f 1
      2⤵
      PID:743
    • /usr/bin/cut
      cut -d : -f 6
      2⤵
      PID:746
    • /usr/bin/chattr
      chattr -ai /root/.ssh /root/.ssh/authorized_keys
      2⤵
      PID:747
    • /bin/sed
      sed -i /r78x7ECphuPrGrR4SDqE1w/d /root/.ssh/authorized_keys
      2⤵
      • Reads runtime system information
      PID:748
    • /usr/bin/cut
      cut -d : -f 1
      2⤵
      PID:752
    • /usr/bin/cut
      cut -d : -f 6
      2⤵
      PID:755
    • /bin/mkdir
      mkdir /home/user/.ssh
      2⤵
      • Reads runtime system information
      PID:756
    • /bin/chown
      chown -R user /home/user/.ssh
      2⤵
      PID:757

Network

MITRE ATT&CK Enterprise v15

Downloads

  • /root/.ssh/authorized_keys

    Filesize

    410B

    MD5

    5841342e6d1bcae6dcfea6cc9326a684

    SHA1

    fea6d85939bb87ee27c30f670087ff0db740751c

    SHA256

    fb7dc97bdf7c5f4a74b2a0aa602a13c06ecadf99aeb1206dc86da38a7a75c6af

    SHA512

    116d63c20881320d0d76ab99300dbcf9146cf890d8b6c6c3769bc62cfbff88aba8d1d6d7ca0e39507a769251335251495e1246487fe8173f454e619535aadb33

  • /tmp/.update/authusers

    Filesize

    5B

    MD5

    9514cd886e4faf1f23baadfd967abcbd

    SHA1

    00894ed21cee494a192e94a782ae265e45d828f1

    SHA256

    6b6a14023ccb73d8e3ae440f372d66866d50ecd2141acc8cd947e29fd088d432

    SHA512

    17fb1a18e12a6c04f960d4c54d00100ebd87c20976bd98bb8d8b242725519ce3968ad9312472dfafc4e67e46a9eddba4a993511ec557035f09d94b7548c50ce6

  • /tmp/.update/authusers

    Filesize

    10B

    MD5

    fe065880cc6e0333e8679d0e03ff2369

    SHA1

    aaceb9f893c93f47ddccca1e2e502c01ecbc5456

    SHA256

    f06caf37e0abb7fe702087801c3ef6507d69560d1992dc4f3a2e788e70a37a77

    SHA512

    ccbe5ac641458e053b073b3cc9ebb5be2c086a5ec76ff46f36f8373a64e3964b6a1953a4165a6cd1b0cda52a3aed0f6227d4bec8f0370169bd68ed09e2a02e92