Analysis

  • max time kernel
    1s
  • platform
    debian-9_armhf
  • resource
    debian9-armhf-20240611-en
  • resource tags

    arch:armhf, image:debian9-armhf-20240611-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
  • submitted
    08-11-2024 11:36

General

  • Target

    .systemd/auto

  • Size

    546B

  • MD5

    e587a0a58aaac49aeb3bf0eff743eab2

  • SHA1

    636b68d9e02328e5d68880e22fdf73f6e0df4a66

  • SHA256

    7c7fef23a91fb19f98f584f545a27f58bdf7eda4f57bd80d173825413ac6662d

  • SHA512

    4168c61744633ded40261c99cb06ddb07fea4bd6fbff6bfacabd1668166a86ba7f344b5d20c2933877860f204373b1560cdf398a25d1770c8b3a0f28146b7da9

Malware Config

Signatures

  • File and Directory Permissions Modification (1 TTP, 1 IoC)

    Adversaries may modify file or directory permissions to evade defenses.

  • Creates/modifies Cron job (1 TTP, 1 IoC)

    Cron allows running tasks on a schedule and is commonly used for malware persistence.

  • Reads runtime system information (3 IoCs)

    Reads data from the /proc virtual filesystem.

  • Writes file to tmp directory (3 IoCs)

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/.systemd/auto
    /tmp/.systemd/auto
    1⤵
    • Writes file to tmp directory
    PID:670
    • /bin/uname
      uname -m
      2⤵
      PID:671
    • /bin/cat
      cat systemd.dir
      2⤵
      PID:672
    • /usr/bin/crontab
      crontab -l
      2⤵
      • Reads runtime system information
      PID:676
    • /bin/grep
      grep .systemd
      2⤵
      PID:679
    • /usr/bin/wc
      wc -l
      2⤵
      PID:680
    • /usr/bin/crontab
      crontab -l
      2⤵
      • Reads runtime system information
      PID:681
    • /usr/bin/crontab
      crontab systemd.d
      2⤵
      • Creates/modifies Cron job
      • Reads runtime system information
      PID:683
    • /bin/rm
      rm -rf systemd.d
      2⤵
      PID:685
    • /bin/chmod
      chmod u+x .systemd
      2⤵
      • File and Directory Permissions Modification
      PID:686
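Reading the tree above as a sequence: `uname -m` checks the architecture, `cat systemd.dir` reads the 14-byte dropped file, the consecutive `crontab -l`, `grep .systemd`, `wc -l` children (PIDs 676, 679, 680) are consistent with a `crontab -l | grep .systemd | wc -l` pipeline that tests whether the entry is already installed, `crontab systemd.d` then replaces the caller's whole crontab with the staged file, `rm -rf systemd.d` deletes that staging file, and `chmod u+x .systemd` makes the dropped script executable. The `/var/spool/cron/crontabs/tmp.RBTJla` entry under Downloads is the temporary file crontab(1) writes before renaming it into place, so it is the installed crontab, not a separate payload. The report gives only hashes for these files, so their contents are not shown here. The following triage helpers are an added example, not part of the sandbox report or the sample; they look for the two traces this sequence leaves behind on a host: a crontab line whose command lives in a hidden directory under a scratch path, and hidden executables under /tmp, /var/tmp or /dev/shm. The SAMPLE_CRONTAB text is constructed for illustration and assumes the entry runs /tmp/.systemd/.systemd, which the report does not confirm.

```shell
#!/bin/sh
# Added triage helpers (example code, not from the report or the sample).
# Checks for (1) crontab entries that execute from a hidden directory under
# a scratch path and (2) hidden files with the owner-execute bit set there,
# i.e. the result of `crontab systemd.d` followed by `chmod u+x .systemd`.
set -u

# Constructed sample crontab text. Assumption: the installed entry runs
# /tmp/.systemd/.systemd; the report only gives hashes for the real crontab.
SAMPLE_CRONTAB='# m h dom mon dow command
*/5 * * * * /tmp/.systemd/.systemd >/dev/null 2>&1
0 3 * * * /usr/bin/apt-get update
@reboot /home/user/backup.sh'

# Read crontab text on stdin and print every non-comment line whose command
# references a hidden path component somewhere under /tmp, /var/tmp or /dev/shm.
# Example: `*/5 * * * * /tmp/.systemd/.systemd` matches; `/tmp/a.out` does not.
suspicious_cron_lines() {
    grep -E -v '^[[:space:]]*(#|$)' \
    | grep -E '(/tmp|/var/tmp|/dev/shm)/([^[:space:]]*/)?\.[^[:space:]/]+'
}

# Number of suspicious lines in the constructed sample (expected: 1).
count_sample_hits() {
    printf '%s\n' "$SAMPLE_CRONTAB" | suspicious_cron_lines | wc -l | tr -d '[:space:]'
}

# List regular files under DIR (default /tmp) that sit in a hidden path
# component and have the owner-execute bit set (-perm -100 is octal u+x).
hidden_executables() {
    find "${1:-/tmp}" -path '*/.*' -type f -perm -100 2>/dev/null
}

# Live use on a host: every per-user crontab, the system crontab and the
# /etc/cron.d drop-ins, then hidden executables in the scratch directories.
scan_live() {
    for f in /var/spool/cron/crontabs/* /var/spool/cron/* /etc/crontab /etc/cron.d/*; do
        [ -f "$f" ] || continue
        suspicious_cron_lines < "$f" | sed "s|^|$f: |"
    done
    for d in /tmp /var/tmp /dev/shm; do
        hidden_executables "$d"
    done
}

# Run the live scan only when invoked as `sh triage.sh --scan`.
if [ "${1:-}" = "--scan" ]; then
    scan_live
fi
```

The path regex deliberately keys on a hidden component rather than on the string `.systemd`, since the directory name is trivially changed between builds; the `-perm -100` test mirrors the `chmod u+x` seen in the tree, so a dropped file that has not yet been made executable will not be listed and should be caught by the crontab check instead.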

Network

MITRE ATT&CK Enterprise v15

Downloads

  • /tmp/.systemd/.systemd

    Filesize

    129B

    MD5

    20abc8e72d4066c0565f7bbfad0fe526

    SHA1

    10cb464b8e9401cb3bfe17e059c957d79f4a93dd

    SHA256

    579de93e6119bdd4eb948bbdc32b0a3340bab93d4d0b5db723dbc5dddf82b09b

    SHA512

    9d849197900f20993624e5b713b24c72ffd269b078a7fc8574211258899bc70ddc85f00259d5f6aa3b032bcc0ec687524f042b6fed5e4fa96781d03a858ac977

  • /tmp/.systemd/systemd.dir

    Filesize

    14B

    MD5

    1f3a48ead214b69a4e5bbcc12a732ddb

    SHA1

    3391a93f27a805c58de438e5a50267af13b619ab

    SHA256

    8ebe6ec5aee16e2d6ea3fe45a22e72ad8f936a83a7fc9e82591885bcb45e322c

    SHA512

    386b19da83f4b8416d17960a3c0832b38521a3396dbf99501dcf03811e17d1696b18db4131f66375889afc2c44d791dd62239a86d3ba0fa614b8547480a7381d

  • /var/spool/cron/crontabs/tmp.RBTJla

    Filesize

    216B

    MD5

    dbb47228523c48edfe60dda1b012f03d

    SHA1

    64adf38fbd662f2cdc856b0a1a1898d60d2e5c14

    SHA256

    0985d86b6a0b52111095135d4a0e5405848d42318445492d6540784bfc61f30e

    SHA512

    a720fc83063c925b735443be41ae8857d342c1a6dd64afe3463b6c9c64c35e4725641d3db5dd5ce7f22fc965e77d5218fb0903c592c51c777992e59b9419a287