Analysis

  • max time kernel
    2s
  • platform
    debian-9_mipsel
  • resource
    debian9-mipsel-20240729-en
  • resource tags

    arch:mipsel
    image:debian9-mipsel-20240729-en
    kernel:4.9.0-13-4kc-malta
    locale:en-us
    os:debian-9-mipsel
    system
  • submitted
    08-11-2024 11:36

General

  • Target

    .update/auth

  • Size

    2KB

  • MD5

    90ded2b48075101fafbd34a7e4219c44

  • SHA1

    1f58b4b27921c813ffe5b2ef9adb1de4f6976718

  • SHA256

    1ef564b8c8f52d152b7c0f75c1442e9edb5841e93aee31d1da25a452168ef3c3

  • SHA512

    4aa75f3fb670507585f58eb347c1f3911def77e6fc84f23f3f437a71b968b229c516e6b98ee2f90629542b873b486bd2f8915f3db0a8e701ff0c6a311d7ab57b

Malware Config

Signatures

  • Adds new SSH keys 1 TTPs 2 IoCs

    Linux special file to hold SSH keys. The threat actor may add new keys for further remote access.

  • Reads runtime system information 3 IoCs

    Reads data from /proc virtual filesystem.

  • Writes file to tmp directory 1 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/.update/auth
    /tmp/.update/auth
    1⤵
    • Adds new SSH keys
    • Writes file to tmp directory
    PID:729
    • /bin/uname
      uname -n
      2⤵
      PID:731
    • /bin/mkdir
      mkdir /root/.ssh
      2⤵
      • Reads runtime system information
      PID:733
    • /bin/chmod
      chmod 0700 /root/.ssh
      2⤵
      PID:734
    • /bin/chmod
      chmod 0644 /root/.ssh/authorized_keys
      2⤵
      PID:738
    • /usr/bin/chattr
      chattr +ai /root/.ssh /root/.ssh/authorized_keys
      2⤵
      PID:739
    • /bin/rm
      rm -rf authusers
      2⤵
      PID:741
    • /bin/grep
      grep -e /bin/sh -e /bin/bash
      2⤵
      PID:743
    • /bin/cat
      cat /etc/passwd
      2⤵
      PID:742
    • /usr/bin/cut
      cut -d : -f 1
      2⤵
      PID:747
    • /usr/bin/cut
      cut -d : -f 6
      2⤵
      PID:750
    • /usr/bin/chattr
      chattr -ai /root/.ssh /root/.ssh/authorized_keys
      2⤵
      PID:751
    • /bin/sed
      sed -i /r78x7ECphuPrGrR4SDqE1w/d /root/.ssh/authorized_keys
      2⤵
      • Reads runtime system information
      PID:752
    • /usr/bin/cut
      cut -d : -f 1
      2⤵
      PID:757
    • /usr/bin/cut
      cut -d : -f 6
      2⤵
      PID:760
    • /bin/mkdir
      mkdir /home/user/.ssh
      2⤵
      • Reads runtime system information
      PID:761
    • /bin/chown
      chown -R user /home/user/.ssh
      2⤵
      PID:762

Network

MITRE ATT&CK Enterprise v15

Downloads

  • /root/.ssh/authorized_keys

    Filesize

    410B

    MD5

    5c32d0c2275c7ce0965aafd240461f13

    SHA1

    17eb3e899cf234ee1a8ddc07e8979d72a0d92a0c

    SHA256

    d7517566205c297d1efd7a9e81a57fc53f39e6ce2e42f0044933238d37da36ce

    SHA512

    3c0aa1096dd8f538616a43b1a32b8b97322608d53ed35f7dea500f799a29b3eccaeecfe0b1358cf118ad3c0f1d74f23ca7650ad8174a5cad1751e1667bd6d13c

  • /tmp/.update/authusers

    Filesize

    5B

    MD5

    9514cd886e4faf1f23baadfd967abcbd

    SHA1

    00894ed21cee494a192e94a782ae265e45d828f1

    SHA256

    6b6a14023ccb73d8e3ae440f372d66866d50ecd2141acc8cd947e29fd088d432

    SHA512

    17fb1a18e12a6c04f960d4c54d00100ebd87c20976bd98bb8d8b242725519ce3968ad9312472dfafc4e67e46a9eddba4a993511ec557035f09d94b7548c50ce6

  • /tmp/.update/authusers

    Filesize

    10B

    MD5

    fe065880cc6e0333e8679d0e03ff2369

    SHA1

    aaceb9f893c93f47ddccca1e2e502c01ecbc5456

    SHA256

    f06caf37e0abb7fe702087801c3ef6507d69560d1992dc4f3a2e788e70a37a77

    SHA512

    ccbe5ac641458e053b073b3cc9ebb5be2c086a5ec76ff46f36f8373a64e3964b6a1953a4165a6cd1b0cda52a3aed0f6227d4bec8f0370169bd68ed09e2a02e92