Analysis Overview
SHA256
7f048a07a9c6166054ae0a1fe9af0c38769ff6fc5189ada4e4144c71e5d24994
Threat Level: Shows suspicious behavior
The file 10000 was found to be: Shows suspicious behavior.
Malicious Activity Summary
File and Directory Permissions Modification
Executes dropped EXE
Loads a kernel module
Write file to user bin folder
Writes file to system bin folder
Enumerates kernel/hardware configuration
Reads runtime system information
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 11:11
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 11:11
Reported
2024-11-09 11:12
Platform
debian12-armhf-20240221-en
Max time kernel
0s
Command Line
Signatures
Processes
/tmp/10000
[/tmp/10000]
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-09 11:11
Reported
2024-11-09 11:12
Platform
ubuntu2404-amd64-20240523-en
Max time kernel
45s
Max time network
44s
Command Line
Signatures
File and Directory Permissions Modification
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | /usr/bin/chmod | N/A |
| N/A | N/A | /usr/bin/chmod | N/A |
| N/A | N/A | /usr/bin/chmod | N/A |
| N/A | N/A | /usr/bin/chmod | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | /usr/bin/bsd-port/knerl | /usr/bin/bsd-port/knerl | N/A |
| N/A | /usr/bin/pythno | /usr/bin/pythno | N/A |
Loads a kernel module
Write file to user bin folder
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | /usr/bin/bsd-port/knerl | /usr/bin/cp | N/A |
| File opened for modification | /usr/bin/pythno | /usr/bin/cp | N/A |
| File opened for modification | /usr/bin/dpkgd/lsof | /usr/bin/cp | N/A |
| File opened for modification | /usr/bin/dpkgd/ps | /usr/bin/cp | N/A |
| File opened for modification | /usr/bin/lsof | /usr/bin/cp | N/A |
| File opened for modification | /usr/bin/ps | /usr/bin/cp | N/A |
Writes file to system bin folder
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | /bin/ps | /usr/bin/cp | N/A |
| File opened for modification | /bin/lsof | /usr/bin/cp | N/A |
Enumerates kernel/hardware configuration
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for reading | /sys/module/compression | /usr/sbin/insmod | N/A |
| File opened for reading | /sys/module/compression | /usr/sbin/insmod | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for reading | /proc/filesystems | /usr/bin/mkdir | N/A |
| File opened for reading | /proc/cmdline | /usr/sbin/insmod | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/cp | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/cp | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/mkdir | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/mkdir | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/cp | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/mkdir | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/mkdir | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/cp | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/mkdir | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/cp | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/mkdir | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/cp | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/cp | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/cp | N/A |
| File opened for reading | /proc/cmdline | /usr/sbin/insmod | N/A |
Processes
/tmp/10000
[/tmp/10000]
/usr/bin/ln
[ln -s /etc/init.d/VsystemsshMdt /etc/rc1.d/S97VsystemsshMdt]
/usr/bin/ln
[ln -s /etc/init.d/VsystemsshMdt /etc/rc2.d/S97VsystemsshMdt]
/usr/bin/ln
[ln -s /etc/init.d/VsystemsshMdt /etc/rc3.d/S97VsystemsshMdt]
/usr/bin/ln
[ln -s /etc/init.d/VsystemsshMdt /etc/rc4.d/S97VsystemsshMdt]
/usr/bin/ln
[ln -s /etc/init.d/VsystemsshMdt /etc/rc5.d/S97VsystemsshMdt]
/usr/bin/mkdir
[mkdir -p /usr/bin/bsd-port]
/usr/bin/cp
[cp -f /tmp/10000 /usr/bin/bsd-port/knerl]
/usr/bin/bsd-port/knerl
[/usr/bin/bsd-port/knerl]
/usr/bin/mkdir
[mkdir -p /usr/bin]
/usr/bin/cp
[cp -f /tmp/10000 /usr/bin/pythno]
/usr/bin/pythno
[/usr/bin/pythno]
/usr/sbin/insmod
[insmod /usr/lib/xpacket.ko]
/usr/bin/ln
[ln -s /etc/init.d/selinux /etc/rc1.d/S99selinux]
/usr/bin/ln
[ln -s /etc/init.d/selinux /etc/rc2.d/S99selinux]
/usr/bin/ln
[ln -s /etc/init.d/selinux /etc/rc3.d/S99selinux]
/usr/bin/ln
[ln -s /etc/init.d/selinux /etc/rc4.d/S99selinux]
/usr/bin/ln
[ln -s /etc/init.d/selinux /etc/rc5.d/S99selinux]
/usr/bin/mkdir
[mkdir -p /usr/bin/dpkgd]
/usr/bin/cp
[cp -f /bin/lsof /usr/bin/dpkgd/lsof]
/usr/bin/mkdir
[mkdir -p /bin]
/usr/bin/cp
[cp -f /usr/bin/bsd-port/knerl /bin/lsof]
/usr/bin/chmod
[chmod 0755 /bin/lsof]
/usr/bin/cp
[cp -f /bin/ps /usr/bin/dpkgd/ps]
/usr/bin/mkdir
[mkdir -p /bin]
/usr/bin/cp
[cp -f /usr/bin/bsd-port/knerl /bin/ps]
/usr/bin/chmod
[chmod 0755 /bin/ps]
/usr/bin/mkdir
[mkdir -p /usr/bin]
/usr/bin/cp
[cp -f /usr/bin/bsd-port/knerl /usr/bin/lsof]
/usr/bin/chmod
[chmod 0755 /usr/bin/lsof]
/usr/bin/mkdir
[mkdir -p /usr/bin]
/usr/bin/cp
[cp -f /usr/bin/bsd-port/knerl /usr/bin/ps]
/usr/bin/chmod
[chmod 0755 /usr/bin/ps]
/usr/sbin/insmod
[insmod /usr/lib/xpacket.ko]
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 8.8.8.8:53 | vip-1.0889.org | udp |
| JP | 213.139.233.9:10000 | vip-1.0889.org | tcp |
Files
/tmp/vga.conf
| MD5 | b4baaff0e2f11b5356193849021d641f |
| SHA1 | 7e002fb47152f462c2f2f63ba124226f7e2ed4a9 |
| SHA256 | a2b00e8a452d83bf2e0963f471cc297bb96d41dbb866037966079dc85484715b |
| SHA512 | 0fd1d922493435ec07e3bea32d793da97870c8c107a22eca6409c3d2ec535c5f34d284ac7fcda7e2fb498a8b1d2b52e2ce697ea8c05b78c68f91476e30c8fb10 |
/etc/init.d/VsystemsshMdt
| MD5 | 58ba0d23b781739fdc46dec9db4a2ca2 |
| SHA1 | dc521bcb15fbe169cf570a83937bd8e8b01ec12a |
| SHA256 | cf8655faaf29eb5bdf7a8f0301485326cb5fddf1f9391be4328f0a8826e052d3 |
| SHA512 | 5b7a5637e7bab9eecd1c1a00106b03bd0ba411f2b38415565b14f1732fa7524af8fbfbe801b09f09720025b58ff6f541898bd34ecafc7793a2969365ed4ca840 |
/tmp/notify.file
| MD5 | 5d6819f51832e0197265540029e15913 |
| SHA1 | 5694f3ab239796f8919c64ea2ebb911f20353fe9 |
| SHA256 | d675e5cc9b84b8f368641b82518d99085eb12f9ad60e2d11dc0b02bd831a6e6e |
| SHA512 | 97a8929b235d4b5cf27fcd5ab7e86a1ac89a7a44fb05be5925e4dd94fa57f05a48d1139bc5105780e0f7f3c5464655ddb9bc8446244a3c39676082ed4cd72afd |
/etc/init.d/selinux
| MD5 | caa27b819c9303446f702929874a00e8 |
| SHA1 | d24199c0e376edea3f822b215148cc0dc78364bf |
| SHA256 | da9b535a14c6d9152857e211f14fb8da9056e84ba1b8d4dc27ab79c98264050b |
| SHA512 | dcd9413eb2cb24d77f637edfc00ca0bb42229a1a3b0d84e29eff94a7b91aee6ee8c126c286a4b4103e01834d1c6aec9de09ffab3927e8de8015421005f31446e |
/tmp/idus.log
| MD5 | 40c48dab939a482f04dcecde07e27de6 |
| SHA1 | 44d93dc18fe2522b7ee20bdea39cb980ec2de834 |
| SHA256 | 0371fc7cdb0ab35c882c492829dda05076e162691e6550e82bdf842471377d64 |
| SHA512 | c3ec44b901c723583902643e2d7115ff2d435689b675203c0feef7b9aa6520ba3de523208514dfe8a27476599417874ab520b10cb57def4d23dfd719eaa745f8 |
/usr/bin/bsd-port/conf.n
| MD5 | 47a18c202c712d0020decc507454ffe3 |
| SHA1 | 3173b80375569cdd379d7f51be3ebfa6b346d695 |
| SHA256 | c2b17c5cf5a0f16a851353ac36b73c2b0a0aee53c6038f15b140d2470ba6a944 |
| SHA512 | 5b31c3391693da0a7bec0bdfdba9cee5fe4ceeac1b4739aa3440818945ec42520a83d484bd8d4d0b8e316f95079d414ac481d5a7a0f37297b92c6f8ae5b21c1c |