Malware Analysis Report

2024-12-07 13:05

Sample ID 241109-naj2dasmet
Target 10000
SHA256 7f048a07a9c6166054ae0a1fe9af0c38769ff6fc5189ada4e4144c71e5d24994
Tags
defense_evasion discovery persistence rootkit
score
7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
7/10

SHA256

7f048a07a9c6166054ae0a1fe9af0c38769ff6fc5189ada4e4144c71e5d24994

Threat Level: Shows suspicious behavior

The file 10000 scored 7/10 (shows suspicious behavior). All of the flagged activity comes from the amd64 run (behavioral2): the sample copies itself to /usr/bin/bsd-port/knerl and /usr/bin/pythno, installs SysV init scripts (VsystemsshMdt and selinux) for runlevels 1 to 5, overwrites /bin/ps, /bin/lsof, /usr/bin/ps and /usr/bin/lsof with copies of itself after saving the originals to /usr/bin/dpkgd, and calls insmod on /usr/lib/xpacket.ko. The armhf run (behavioral1) exited immediately with 0s of kernel time and no activity, which is what an architecture mismatch looks like; treat that run as inconclusive rather than as evidence the file is clean.

Malicious Activity Summary

defense_evasion discovery persistence rootkit

File and Directory Permissions Modification

Executes dropped EXE

Loads a kernel module

Write file to user bin folder

Writes file to system bin folder

Enumerates kernel/hardware configuration

Reads runtime system information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 11:11

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 11:11

Reported

2024-11-09 11:12

Platform

debian12-armhf-20240221-en

Max time kernel

0s

Command Line

[/tmp/10000]

Signatures

N/A

Processes

/tmp/10000

[/tmp/10000]

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-09 11:11

Reported

2024-11-09 11:12

Platform

ubuntu2404-amd64-20240523-en

Max time kernel

45s

Max time network

44s

Command Line

[/tmp/10000]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Events
N/A N/A /usr/bin/chmod 4

The four events are the chmod 0755 calls on /bin/lsof, /bin/ps, /usr/bin/lsof and /usr/bin/ps listed under Processes, i.e. the sample making its replacement copies of ps and lsof executable.

Executes dropped EXE

Description Indicator Process Target
N/A /usr/bin/bsd-port/knerl /usr/bin/bsd-port/knerl N/A
N/A /usr/bin/pythno /usr/bin/pythno N/A

Loads a kernel module

rootkit
Description Indicator Process Events
N/A N/A /tmp/10000 37
N/A N/A /usr/bin/bsd-port/knerl 26
N/A N/A /usr/bin/pythno 1

All 64 events are attributed to the sample and its two copies; the only module load visible in the command lines is insmod /usr/lib/xpacket.ko, executed twice (see Processes). /usr/lib/xpacket.ko does not appear in the Files section, so whether the insmod calls succeeded, and what the module does, cannot be confirmed from this report alone.

Write file to user bin folder

persistence
Description Indicator Process Target
File opened for modification /usr/bin/bsd-port/knerl /usr/bin/cp N/A
File opened for modification /usr/bin/pythno /usr/bin/cp N/A
File opened for modification /usr/bin/dpkgd/lsof /usr/bin/cp N/A
File opened for modification /usr/bin/dpkgd/ps /usr/bin/cp N/A
File opened for modification /usr/bin/lsof /usr/bin/cp N/A
File opened for modification /usr/bin/ps /usr/bin/cp N/A

Writes file to system bin folder

Description Indicator Process Target
File opened for modification /bin/ps /usr/bin/cp N/A
File opened for modification /bin/lsof /usr/bin/cp N/A

Enumerates kernel/hardware configuration

discovery
Description Indicator Process Target
File opened for reading /sys/module/compression /usr/sbin/insmod N/A
File opened for reading /sys/module/compression /usr/sbin/insmod N/A

Reads runtime system information

discovery
Description Indicator Process Events
File opened for reading /proc/filesystems /usr/bin/mkdir 7
File opened for reading /proc/filesystems /usr/bin/cp 8
File opened for reading /proc/cmdline /usr/sbin/insmod 2

These reads come from the helper utilities the sample invokes rather than from the sample itself (coreutils built with SELinux support consult /proc/filesystems at startup, and insmod reads /proc/cmdline), so they are a weak indicator on their own.

Processes

Execution order as recorded by the sandbox (process, then command line):

/tmp/10000 [/tmp/10000]
/usr/bin/ln [ln -s /etc/init.d/VsystemsshMdt /etc/rc1.d/S97VsystemsshMdt]
/usr/bin/ln [ln -s /etc/init.d/VsystemsshMdt /etc/rc2.d/S97VsystemsshMdt]
/usr/bin/ln [ln -s /etc/init.d/VsystemsshMdt /etc/rc3.d/S97VsystemsshMdt]
/usr/bin/ln [ln -s /etc/init.d/VsystemsshMdt /etc/rc4.d/S97VsystemsshMdt]
/usr/bin/ln [ln -s /etc/init.d/VsystemsshMdt /etc/rc5.d/S97VsystemsshMdt]
/usr/bin/mkdir [mkdir -p /usr/bin/bsd-port]
/usr/bin/cp [cp -f /tmp/10000 /usr/bin/bsd-port/knerl]
/usr/bin/bsd-port/knerl [/usr/bin/bsd-port/knerl]
/usr/bin/mkdir [mkdir -p /usr/bin]
/usr/bin/cp [cp -f /tmp/10000 /usr/bin/pythno]
/usr/bin/pythno [/usr/bin/pythno]
/usr/sbin/insmod [insmod /usr/lib/xpacket.ko]
/usr/bin/ln [ln -s /etc/init.d/selinux /etc/rc1.d/S99selinux]
/usr/bin/ln [ln -s /etc/init.d/selinux /etc/rc2.d/S99selinux]
/usr/bin/ln [ln -s /etc/init.d/selinux /etc/rc3.d/S99selinux]
/usr/bin/ln [ln -s /etc/init.d/selinux /etc/rc4.d/S99selinux]
/usr/bin/ln [ln -s /etc/init.d/selinux /etc/rc5.d/S99selinux]
/usr/bin/mkdir [mkdir -p /usr/bin/dpkgd]
/usr/bin/cp [cp -f /bin/lsof /usr/bin/dpkgd/lsof]
/usr/bin/mkdir [mkdir -p /bin]
/usr/bin/cp [cp -f /usr/bin/bsd-port/knerl /bin/lsof]
/usr/bin/chmod [chmod 0755 /bin/lsof]
/usr/bin/cp [cp -f /bin/ps /usr/bin/dpkgd/ps]
/usr/bin/mkdir [mkdir -p /bin]
/usr/bin/cp [cp -f /usr/bin/bsd-port/knerl /bin/ps]
/usr/bin/chmod [chmod 0755 /bin/ps]
/usr/bin/mkdir [mkdir -p /usr/bin]
/usr/bin/cp [cp -f /usr/bin/bsd-port/knerl /usr/bin/lsof]
/usr/bin/chmod [chmod 0755 /usr/bin/lsof]
/usr/bin/mkdir [mkdir -p /usr/bin]
/usr/bin/cp [cp -f /usr/bin/bsd-port/knerl /usr/bin/ps]
/usr/bin/chmod [chmod 0755 /usr/bin/ps]
/usr/sbin/insmod [insmod /usr/lib/xpacket.ko]

Two points matter for response. First, /usr/bin/dpkgd/ps and /usr/bin/dpkgd/lsof are the original system binaries, while /bin/ps, /bin/lsof, /usr/bin/ps and /usr/bin/lsof are overwritten with copies of the sample, so process and socket listings produced by those tools on an infected host cannot be trusted; read /proc directly or use binaries from a known-good medium. Second, the init scripts are linked into runlevels 1 to 5 with S97 and S99 prefixes, so the sample is restarted late in every multi-user boot.

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 N/A udp
US 8.8.8.8:53 vip-1.0889.org udp
JP 213.139.233.9:10000 vip-1.0889.org tcp

224.0.0.251:5353 is the mDNS multicast address and is routine background traffic on the guest. The sample's outbound indicator is the resolution of vip-1.0889.org through 8.8.8.8 followed by a TCP connection to the resolved address 213.139.233.9 on port 10000; the report records no payload for that connection.

Files

/tmp/vga.conf

MD5 b4baaff0e2f11b5356193849021d641f
SHA1 7e002fb47152f462c2f2f63ba124226f7e2ed4a9
SHA256 a2b00e8a452d83bf2e0963f471cc297bb96d41dbb866037966079dc85484715b
SHA512 0fd1d922493435ec07e3bea32d793da97870c8c107a22eca6409c3d2ec535c5f34d284ac7fcda7e2fb498a8b1d2b52e2ce697ea8c05b78c68f91476e30c8fb10

/etc/init.d/VsystemsshMdt

MD5 58ba0d23b781739fdc46dec9db4a2ca2
SHA1 dc521bcb15fbe169cf570a83937bd8e8b01ec12a
SHA256 cf8655faaf29eb5bdf7a8f0301485326cb5fddf1f9391be4328f0a8826e052d3
SHA512 5b7a5637e7bab9eecd1c1a00106b03bd0ba411f2b38415565b14f1732fa7524af8fbfbe801b09f09720025b58ff6f541898bd34ecafc7793a2969365ed4ca840

/tmp/notify.file

MD5 5d6819f51832e0197265540029e15913
SHA1 5694f3ab239796f8919c64ea2ebb911f20353fe9
SHA256 d675e5cc9b84b8f368641b82518d99085eb12f9ad60e2d11dc0b02bd831a6e6e
SHA512 97a8929b235d4b5cf27fcd5ab7e86a1ac89a7a44fb05be5925e4dd94fa57f05a48d1139bc5105780e0f7f3c5464655ddb9bc8446244a3c39676082ed4cd72afd

/etc/init.d/selinux

MD5 caa27b819c9303446f702929874a00e8
SHA1 d24199c0e376edea3f822b215148cc0dc78364bf
SHA256 da9b535a14c6d9152857e211f14fb8da9056e84ba1b8d4dc27ab79c98264050b
SHA512 dcd9413eb2cb24d77f637edfc00ca0bb42229a1a3b0d84e29eff94a7b91aee6ee8c126c286a4b4103e01834d1c6aec9de09ffab3927e8de8015421005f31446e

/tmp/idus.log

MD5 40c48dab939a482f04dcecde07e27de6
SHA1 44d93dc18fe2522b7ee20bdea39cb980ec2de834
SHA256 0371fc7cdb0ab35c882c492829dda05076e162691e6550e82bdf842471377d64
SHA512 c3ec44b901c723583902643e2d7115ff2d435689b675203c0feef7b9aa6520ba3de523208514dfe8a27476599417874ab520b10cb57def4d23dfd719eaa745f8

/usr/bin/bsd-port/conf.n

MD5 47a18c202c712d0020decc507454ffe3
SHA1 3173b80375569cdd379d7f51be3ebfa6b346d695
SHA256 c2b17c5cf5a0f16a851353ac36b73c2b0a0aee53c6038f15b140d2470ba6a944
SHA512 5b31c3391693da0a7bec0bdfdba9cee5fe4ceeac1b4739aa3440818945ec42520a83d484bd8d4d0b8e316f95079d414ac481d5a7a0f37297b92c6f8ae5b21c1c
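The Processes and Files sections above together give a complete on-disk footprint for the amd64 run: dropped paths, SysV symlink names, the ps/lsof replacement, the module name and file hashes. The following POSIX sh script is an added host-triage example written for this page; it is not part of the sandbox output and not the sample's own code. It assumes the paths, symlink names and SHA256 values exactly as listed in this report, takes a root directory argument so it can be run against a live host, a mounted disk image or a constructed test tree, and relies on sha256sum (or shasum) and readlink being available. The module check reads ROOT/proc/modules, which is only meaningful on a live system.

```shell
#!/bin/sh
# Host triage for the behavioral2 indicators in this report (illustrative,
# not sandbox output). Usage after sourcing or pasting into a shell:
#   scan_host /            # live host, run as root
#   scan_host /mnt/image   # mounted disk image
#   count_hits /           # integer for alerting

# Files the sample creates or copies itself to (Processes and Files sections).
DROPPED_PATHS="/usr/bin/bsd-port/knerl /usr/bin/bsd-port/conf.n /usr/bin/pythno
/usr/bin/dpkgd/ps /usr/bin/dpkgd/lsof /usr/lib/xpacket.ko
/etc/init.d/VsystemsshMdt /etc/init.d/selinux
/tmp/vga.conf /tmp/notify.file /tmp/idus.log"

# SysV init hooks the sample creates with ln -s in /etc/rc1.d ... /etc/rc5.d.
RC_LINKS="S97VsystemsshMdt S99selinux"

# SHA256 of the sample and of the dropped files listed in the Files section.
KNOWN_SHA256="7f048a07a9c6166054ae0a1fe9af0c38769ff6fc5189ada4e4144c71e5d24994
a2b00e8a452d83bf2e0963f471cc297bb96d41dbb866037966079dc85484715b
cf8655faaf29eb5bdf7a8f0301485326cb5fddf1f9391be4328f0a8826e052d3
d675e5cc9b84b8f368641b82518d99085eb12f9ad60e2d11dc0b02bd831a6e6e
da9b535a14c6d9152857e211f14fb8da9056e84ba1b8d4dc27ab79c98264050b
0371fc7cdb0ab35c882c492829dda05076e162691e6550e82bdf842471377d64
c2b17c5cf5a0f16a851353ac36b73c2b0a0aee53c6038f15b140d2470ba6a944"

# Print the hex SHA256 of a file; falls back to shasum where sha256sum is absent.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" 2>/dev/null
    else
        shasum -a 256 "$1" 2>/dev/null
    fi | cut -d' ' -f1
}

# scan_host ROOT: print one "HIT <kind> <detail>" line per indicator found.
scan_host() {
    root=${1:-/}
    root=${root%/}          # "/" becomes "", so "$root$path" stays absolute

    # 1. Dropped files, and whether their content matches a known hash.
    for p in $DROPPED_PATHS; do
        f="$root$p"
        [ -e "$f" ] || continue
        echo "HIT path $p"
        if [ -f "$f" ]; then
            h=$(sha256_of "$f")
            if printf '%s\n' "$KNOWN_SHA256" | grep -qx "$h"; then
                echo "HIT hash $p $h"
            fi
        fi
    done

    # 2. SysV persistence: S97VsystemsshMdt / S99selinux links in rc1.d..rc5.d.
    for n in 1 2 3 4 5; do
        for name in $RC_LINKS; do
            l="$root/etc/rc$n.d/$name"
            if [ -L "$l" ]; then
                echo "HIT rclink /etc/rc$n.d/$name -> $(readlink "$l")"
            fi
        done
    done

    # 3. Trojaned ps/lsof: the sample copies knerl over these four paths,
    #    so a byte-identical hash means the tool is the malware itself.
    knerl="$root/usr/bin/bsd-port/knerl"
    if [ -f "$knerl" ]; then
        kh=$(sha256_of "$knerl")
        for t in /bin/ps /bin/lsof /usr/bin/ps /usr/bin/lsof; do
            if [ -f "$root$t" ] && [ "$(sha256_of "$root$t")" = "$kh" ]; then
                echo "HIT trojaned $t is a copy of /usr/bin/bsd-port/knerl"
            fi
        done
    fi

    # 4. Kernel module: a successful insmod /usr/lib/xpacket.ko shows up as
    #    "xpacket" in /proc/modules on a live system.
    if [ -r "$root/proc/modules" ] && grep -q '^xpacket ' "$root/proc/modules"; then
        echo "HIT module xpacket loaded"
    fi
    return 0
}

# count_hits ROOT: number of HIT lines (0 on a clean tree), for scripting.
count_hits() { scan_host "$1" | grep -c '^HIT ' || true; }
```

Because the host's own ps and lsof may be the sample, do not use them to confirm a hit; read /proc directly or bring tools from a known-good medium. The originals saved in /usr/bin/dpkgd can be restored, but only after their hashes have been checked against the distribution package, since an attacker who can overwrite /bin/ps can also tamper with the backup.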