5b56bb90601a55fb49bea46f524a47570b4a0a9117bd7d545f406a78d2f3f2c5

Resubmissions

22-11-2024 12:09

241122-pbe99azpgw 10

22-11-2024 12:08

241122-pa2rvszpf1 10

Analysis

max time kernel
0s
max time network
129s
platform
ubuntu-24.04_amd64
resource
ubuntu2404-amd64-20240523-en
resource tags

arch:amd64arch:i386image:ubuntu2404-amd64-20240523-enkernel:6.8.0-31-genericlocale:en-usos:ubuntu-24.04-amd64system
submitted
22-11-2024 12:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5b56bb90601a55fb49bea46f524a47570b4a0a9117bd7d545f406a78d2f3f2c5
Size

90KB
MD5

563205e6c072588081ca841fc18d9f71
SHA1

1f7509a4c3456b8d29d504852648efface0e60cf
SHA256

5b56bb90601a55fb49bea46f524a47570b4a0a9117bd7d545f406a78d2f3f2c5
SHA512

e55bbe2f62f898a1ee483fbed038de6d987c1cbac6688b3d12bf0a4f36a3d503abf474df82495d6b3e0c4ce60b01869bc497855879b6012c2cda9afba93b55f8
SSDEEP

1536:0loZZa3wD/CqhX9tLPGcMXNPsVzqbvGxHyAG/jZaZSibj7l3i2XE51SRhtQR/ad:0lEkwD/Cq9XOW+bvGy9csEjh3zUyh2ad

Score

7^/10

defense_evasion discovery persistence rootkit

Malware Config

Signatures

File and Directory Permissions Modification 1 TTPs 2 IoCs
Adversaries may modify file or directory permissions to evade defenses.
defense_evasion

Linux and Mac File and Directory Permissions Modification
T1222.002

Processes:

chmodchmod

pid process

2592 chmod
2584 chmod
Loads a kernel module 1 IoCs
Loads a Linux kernel module, potentially to achieve persistence
rootkit

Processes:

5b56bb90601a55fb49bea46f524a47570b4a0a9117bd7d545f406a78d2f3f2c5

pid process

2441 5b56bb90601a55fb49bea46f524a47570b4a0a9117bd7d545f406a78d2f3f2c5
Modifies init.d 2 TTPs 1 IoCs
Adds/modifies system service, likely for persistence.
persistence

Boot or Logon Autostart Execution
T1547

RC Scripts
T1037.004

Processes:

5b56bb90601a55fb49bea46f524a47570b4a0a9117bd7d545f406a78d2f3f2c5

description ioc process

File opened for modification /etc/init.d/sh 5b56bb90601a55fb49bea46f524a47570b4a0a9117bd7d545f406a78d2f3f2c5
Write file to user bin folder 1 IoCs
persistence

Processes:

5b56bb90601a55fb49bea46f524a47570b4a0a9117bd7d545f406a78d2f3f2c5

description ioc process

File opened for modification /usr/sbin/halt 5b56bb90601a55fb49bea46f524a47570b4a0a9117bd7d545f406a78d2f3f2c5
Reads runtime system information 2 IoCs
Reads data from /proc virtual filesystem.
discovery

Processes:

systemctlmkdir

description ioc process

File opened for reading /proc/filesystems systemctl
File opened for reading /proc/filesystems mkdir

pid	process
2592	chmod
2584	chmod

pid	process
2441	5b56bb90601a55fb49bea46f524a47570b4a0a9117bd7d545f406a78d2f3f2c5

description	ioc	process
File opened for modification	/etc/init.d/sh	5b56bb90601a55fb49bea46f524a47570b4a0a9117bd7d545f406a78d2f3f2c5

description	ioc	process
File opened for modification	/usr/sbin/halt	5b56bb90601a55fb49bea46f524a47570b4a0a9117bd7d545f406a78d2f3f2c5

description	ioc	process
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/filesystems	mkdir

/tmp/5b56bb90601a55fb49bea46f524a47570b4a0a9117bd7d545f406a78d2f3f2c5
/tmp/5b56bb90601a55fb49bea46f524a47570b4a0a9117bd7d545f406a78d2f3f2c5
1⤵
- Loads a kernel module
- Modifies init.d
- Write file to user bin folder
PID:2441
- /usr/bin/systemctl
  systemctl enable custom.service
  2⤵
  - Reads runtime system information
  PID:2445
- /usr/bin/chmod
  chmod +x /etc/init.d/mybinary
  2⤵
  - File and Directory Permissions Modification
  PID:2584
- /usr/bin/ln
  ln -s /etc/init.d/mybinary /etc/rcS.d/S99mybinary
  2⤵
  PID:2588
- /usr/bin/chmod
  chmod +x /etc/init.d/sh
  2⤵
  - File and Directory Permissions Modification
  PID:2592
- /usr/bin/mkdir
  mkdir -p /etc/rc.d
  2⤵
  - Reads runtime system information
  PID:2594
- /usr/bin/ln
  ln -s /etc/init.d/sh /etc/rc.d/S99sh
  2⤵
  PID:2596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Boot or Logon Initialization Scripts

T1037

RC Scripts

T1037.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Boot or Logon Initialization Scripts

T1037

RC Scripts

T1037.004

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/boot/bootcmd

Filesize
110B

MD5
2a3758c7be4b51e45514ca71272a2241

SHA1
16f6c47091d87086ae361ee9653af0bbb3f0afb7

SHA256
05e88586f84b6ddddd894580aa50f2b066be6520174c497e5957860e07f51ea7

SHA512
246177d06d5c8d2444663c4d4828f3be8ca640123b6f0934add6953aa9b54e12e7114912644503fd598aa57dedd5a4392e14e136ce2c628899ed1f607a2b77ee

Download Submit
/etc/init.d/mybinary

Filesize
97B

MD5
0680c195fdd2fca0a0e632cf637d150e

SHA1
7ded21dcbe33cfde13db634f159b7748b28b61c1

SHA256
1d1be04cff45dde0d7a8a6e60e5c6e65312108a926d235892a04b0b2ce6cf38d

SHA512
fad47bb194885f9e6b7875e99f4469807eb1aaac0fa7d04b647420bce466a1eb422320eafa59e180bdbd4c69414f671138fb60bdd87403a414f0624d678e497f

Download Submit
/etc/init.d/sh

Filesize
354B

MD5
064ba5f4b09e62ca552b70a2e94d6393

SHA1
7076e742aa5e9757e555091c4a72206018115518

SHA256
038696b3a44f62a700ee8e6187eef48c8e817068900363d4e527b14899fc22a1

SHA512
5488263037dd93ae9daa23e987a2c4016ad4f241d3d318abfbba4d19bf67fa7e1084bf09f03ab07580df49a3b8ac45767e6cbc03cf7e71afff5adb942ef42eb9

Download Submit
/etc/inittab

Filesize
102B

MD5
e5e2c6d263b0ee1c9c19d46192ad5cdf

SHA1
3197ca0f3394eedd2c4702cb6eaf7a22817d5fef

SHA256
436aed8a5a70ab60873b71384b840ddcb839185208bd3bddb2b6a627e053a548

SHA512
bd5e7113e820c1771eeedac572c16201bcc490b820d5d18323f03dfa7e263e14f1bacbf5923a24daac0db1f9789ace29682307464e098f72820655537b6c2786

Download Submit
/etc/motd

Filesize
53B

MD5
2bd9b4be30579e633fc0191aa93df486

SHA1
7d63a9bd9662e86666b27c1b50db8e7370c624ff

SHA256
64dc39f3004dc93c9fc4f1467b4807f2d8e3eb0bfa96b15c19cd8e7d6fa77a1d

SHA512
ae6dd7b39191354cf43cf65e517460d7d4c61b8f5c08e33e6ca3c451dc7cab4de89f33934c89396b80f1aade0a4e2571bd5ae8b76ef80b737d4588703d2814d5

Download Submit
/etc/systemd/system/custom.service

Filesize
291B

MD5
a31178fddb5564754ff49f0865dd2b20

SHA1
f0b205696a09245229469d0ac1809135be57a837

SHA256
d6f5a8734ff982cb1d46c25cad29fe1d09421ec31d364c507766a41cb775878d

SHA512
7e2e400c9b70d54c7f4c196e8cf7970d4510577ab2777ab7694cb254445a68128256d10750e156681fdab7f35469f0efd9632ddc5432fb078ebf6f57da382a9d

Download Submit