Analysis
-
max time kernel
149s -
max time network
129s -
platform
ubuntu-22.04_amd64 -
resource
ubuntu2204-amd64-20240522.1-en -
resource tags
arch:amd64, arch:i386, image:ubuntu2204-amd64-20240522.1-en, kernel:5.15.0-105-generic, locale:en-us, os:ubuntu-22.04-amd64, system -
submitted
22/11/2024, 20:01
Static task
static1
Behavioral task
behavioral1
Sample
20e0e61d27762a524f6974fb9f4995062582db351d5576e62a214d6b5e5808e7/20e0e61d27762a524f6974fb9f499506258.elf
Resource
ubuntu2204-amd64-20240522.1-en
General
-
Target
20e0e61d27762a524f6974fb9f4995062582db351d5576e62a214d6b5e5808e7/20e0e61d27762a524f6974fb9f499506258.elf
-
Size
1.7MB
-
MD5
503c35c37d00d04ff2793c2b4bf5038f
-
SHA1
a03a9d06ca8441cb2ec7fe0c49cb56023130d884
-
SHA256
20e0e61d27762a524f6974fb9f4995062582db351d5576e62a214d6b5e5808e7
-
SHA512
c653fd4f8a6724b9a25e24e9a2a0152340be294d4d53d82e5762fd8599b014dabc4be6a2830822d51ce744ef256f1e5fe78b5c016fc24907de7ea964fb5835ee
-
SSDEEP
24576:94GdIhU6rF5IF0pGVZa4B6dmyw5DQ7EQ6LPni2Mt+aa:XShUL7VZ1BYZw5DcRt+a
Malware Config
Extracted
Path: /usr/sbin/RECOVERY INFO.txt
URL: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/C8C93634D8B19BE4FE221FDE41C180431DFB7200F6426B11C5A95B77AF263DB5
Signatures
-
Renames multiple (107) files with added filename extension
Appending a new extension to a large number of files in one run is consistent with ransomware encrypting files on the system.
-
Adds new SSH keys 1 TTPs 2 IoCs
~/.ssh/authorized_keys lists the public keys allowed to log in as that user; writing to it gives the threat actor persistent remote access that survives password changes. The sample touched both the root and the user account.
File opened for modification by 20e0e61d27762a524f6974fb9f499506258.elf:
- /root/.ssh/authorized_keys
- /home/user/.ssh/authorized_keys
-
Creates/modifies environment variables 1 TTPs 4 IoCs
Creating or modifying environment variables is a common persistence mechanism; here it is done through the shell startup files that set them, so it takes effect on every new login shell.
File opened for modification by 20e0e61d27762a524f6974fb9f499506258.elf:
- /root/.profile
- /root/.bashrc
- /home/user/.profile
- /home/user/.bashrc
-
Enumerates running processes
Discovers information about currently running processes on the system
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow 2: api.ipify.org
-
Writes file to system bin folder 64 IoCs
All 64 entries are existing /sbin binaries opened for modification by 20e0e61d27762a524f6974fb9f499506258.elf; several of the same basenames reappear as sbin_* copies under /tmp (see Writes file to tmp directory).
- /sbin/bcache-super-show
- /sbin/lvdisplay
- /sbin/lvcreate
- /sbin/pdata_tools
- /sbin/thin_ls
- /sbin/mkfs.fat
- /sbin/dhclient-script
- /sbin/update-ca-certificates
- /sbin/groupmod
- /sbin/xfs_db
- /sbin/vigr
- /sbin/lvmsar
- /sbin/ip
- /sbin/xfs_info
- /sbin/insmod
- /sbin/getty
- /sbin/vgremove
- /sbin/dosfslabel
- /sbin/modinfo
- /sbin/pvchange
- /sbin/xfs_estimate
- /sbin/xfs_ncheck
- /sbin/dmsetup
- /sbin/fsck.ext4
- /sbin/faillock
- /sbin/cache_repair
- /sbin/swaplabel
- /sbin/dnsmasq
- /sbin/vgimportclone
- /sbin/tarcat
- /sbin/thin_repair
- /sbin/thin_dump
- /sbin/fsck.xfs
- /sbin/e2label
- /sbin/multipathd
- /sbin/vgconvert
- /sbin/readprofile
- /sbin/fsck.fat
- /sbin/mkdosfs
- /sbin/update-passwd
- /sbin/ntfscp
- /sbin/telinit
- /sbin/bridge
- /sbin/xfs_spaceman
- /sbin/getweb
- /sbin/pppstats
- /sbin/cracklib-format
- /sbin/blkzone
- /sbin/e2image
- /sbin/runlevel
- /sbin/e2freefrag
- /sbin/sysctl
- /sbin/update-fonts-dir
- /sbin/update-shells
- /sbin/switch_root
- /sbin/update-gsfontmap
- /sbin/lsmod
- /sbin/cupsctl
- /sbin/pvremove
- /sbin/grub-macbless
- /sbin/aspell-autobuildhash
- /sbin/lvresize
- /sbin/fsck.ext3
- /sbin/killall5
-
Modifies Bash startup script 2 TTPs 4 IoCs
File opened for modification by 20e0e61d27762a524f6974fb9f499506258.elf:
- /root/.profile
- /root/.bashrc
- /home/user/.profile
- /home/user/.bashrc
-
Checks CPU configuration 1 TTPs 1 IoCs
Reads CPU information from /proc/cpuinfo; fields such as the vendor string and the hypervisor flag reveal whether the system is a virtual machine, which makes this a common sandbox check.
File opened for reading by 20e0e61d27762a524f6974fb9f499506258.elf:
- /proc/cpuinfo
-
Reads CPU attributes 1 TTPs 1 IoCs
File opened for reading by 20e0e61d27762a524f6974fb9f499506258.elf:
- /sys/devices/system/cpu/online
-
Reads runtime system information
File opened for reading by 20e0e61d27762a524f6974fb9f499506258.elf: /proc/meminfo and the /proc/<pid>/fd directory of the following PIDs:
1368, 9, 79, 224, 584, 605, 868, 1170, 8, 27, 101, 197, 412, 426, 11, 99, 627, 823, 1113, 1, 23, 86, 588, 1445, 218, 592, 615, 653, 1277, 90, 376, 1168, 1246, 5, 19, 708, 1074, 1172, 1169, 1181, 85, 744, 862, 990, 1011, 1300, 1538, 83, 745, 1141, 1144, 1245, 17, 608, 1092, 1295, 1492, 1558, 989, 1157, 113, 200, 416
-
Writes file to tmp directory 64 IoCs
Malware often drops required files in the /tmp directory. All 64 entries are under /tmp/20e0e61d27762a524f6974fb9f4995062582db351d5576e62a214d6b5e5808e7/ (a directory named after the sample's SHA-256) and were opened for modification by 20e0e61d27762a524f6974fb9f499506258.elf. The file names look like original paths flattened with "_" in place of "/" (sbin_dumpe2fs, run_user_0_gdm_Xauthority):
- sbin_dumpe2fs
- sbin_e2mmpstatus
- sbin_pam_extrausers_update
- sbin_vgimportclone
- sbin_xfs_admin
- sbin_anacron
- sbin_lvresize
- sbin_tarcat
- sbin_mkhomedir_helper
- sbin_apparmor_parser
- sbin_usb_modeswitch_dispatcher
- sbin_update-grub-gfxpayload
- sbin_ntfslabel
- sbin_mkfs.bfs
- sbin_e2image
- sbin_cache_restore
- run_user_0_gdm_Xauthority
- sbin_capsh
- sbin_pdata_tools
- sbin_u-d-c-print-pci-ids
- sbin_iucode-tool
- sbin_reboot
- sbin_lvchange
- sbin_deluser
- sbin_chpasswd
- sbin_era_invalidate
- sbin_remove-default-wordlist
- sbin_dpkg-reconfigure
- sbin_groupmems
- sbin_fatlabel
- sbin_paperconfig
- sbin_groupadd
- sbin_biosdecode
- sbin_lpc
- sbin_kpartx
- sbin_avahi-autoipd
- sbin_ippeveprinter
- sbin_e2scrub_all
- sbin_sulogin
- sbin_xfs_freeze
- sbin_zic
- sbin_addgnupghome
- sbin_upgrade-from-grub-legacy
- sbin_iwpriv
- sbin_switch_root
- sbin_fsck.btrfs
- sbin_cppw
- sbin_cgdisk
- sbin_bcache-super-show
- sbin_NetworkManager
- sbin_add-shell
- sbin_debugfs
- sbin_pppd
- sbin_thin_repair
- sbin_update-inetd
- sbin_xfs_fsr
- sbin_vgmerge
- sbin_ldattach
- sbin_tipc
- sbin_lsmod
- sbin_sfdisk
- sbin_mkfs.vfat
- sbin_vgimport
- sbin_mount.fuse
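A host-side triage sweep for the indicators the signatures above list: the ransom note path from Malware Config, the /tmp/<sha256>/ staging directory, a copy of the sample found by SHA-256, authorized_keys entries outside a known-good baseline, shell startup files that reference /tmp, and a burst of files carrying an extra trailing extension. This is an added example, not code from the sandbox or from the sample. The rename threshold, the benign double-extension allow-list, the known-key baseline and the demo directory tree are assumptions constructed for illustration; the report does not name the real added extension, so the demo uses a placeholder.

```python
#!/usr/bin/env python3
"""Offline sweep of a filesystem root for the indicators in this report.

Added example, not sandbox or sample code. Threshold, allow-list,
KNOWN_KEY and the demo tree are assumptions, not values from the report.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Values copied from the report.
SAMPLE_SHA256 = "20e0e61d27762a524f6974fb9f4995062582db351d5576e62a214d6b5e5808e7"
RANSOM_NOTE = "RECOVERY INFO.txt"
STARTUP_FILES = {".bashrc", ".profile"}

# Assumption: normal second extensions that must not count as "added".
BENIGN_DOUBLE_EXT = {".gz", ".bz2", ".xz", ".zst", ".bak", ".orig", ".old"}

# Constructed placeholder for a key the administrator already knows about.
KNOWN_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKnownKeyMaterial0000000000 admin@host"


def sha256_of(path):
    """Streaming SHA-256 so large files are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root, known_keys=frozenset(), rename_threshold=5):
    """Return sorted (indicator, detail) pairs found under root."""
    root = Path(root)
    findings = set()
    suffix_hits = {}  # extra trailing extension -> files carrying it

    for dirpath, _dirs, files in os.walk(root):
        d = Path(dirpath)
        rel_dir = d.relative_to(root)
        # "Writes file to tmp directory": staging dir named after the sample hash.
        if rel_dir.parts[:2] == ("tmp", SAMPLE_SHA256):
            findings.add(("staging_dir", "tmp/" + SAMPLE_SHA256))
        for name in files:
            p = d / name
            rel = str(rel_dir / name)
            if p.is_symlink() or not p.is_file():
                continue
            # Ransom note path from "Malware Config".
            if name == RANSOM_NOTE:
                findings.add(("ransom_note", rel))
            # "Adds new SSH keys": any key line outside the known-good baseline.
            if name == "authorized_keys" and d.name == ".ssh":
                for line in p.read_text(errors="replace").splitlines():
                    line = line.strip()
                    if line and not line.startswith("#") and line not in known_keys:
                        findings.add(("unknown_ssh_key", rel))
            # "Modifies Bash startup script": startup file that points into /tmp.
            if name in STARTUP_FILES and "/tmp/" in p.read_text(errors="replace"):
                findings.add(("startup_references_tmp", rel))
            # "Renames multiple files with added filename extension": collect suffixes.
            suffixes = Path(name).suffixes
            if len(suffixes) >= 2 and suffixes[-1] not in BENIGN_DOUBLE_EXT:
                suffix_hits.setdefault(suffixes[-1], set()).add(rel)
            # A copy of the sample itself, wherever it landed (skip huge files).
            if p.stat().st_size <= 64 << 20 and sha256_of(p) == SAMPLE_SHA256:
                findings.add(("sample_binary", rel))

    for ext, paths in suffix_hits.items():
        if len(paths) >= rename_threshold:
            findings.add(("renamed_with_extension", f"{ext} x{len(paths)}"))
    return sorted(findings)


def build_demo_root():
    """Constructed tree imitating the report's artefacts; not data from a real host."""
    root = Path(tempfile.mkdtemp(prefix="sweep-demo-"))
    staging = root / "tmp" / SAMPLE_SHA256
    staging.mkdir(parents=True)
    (staging / "sbin_lsmod").write_bytes(b"\x7fELF placeholder")
    (root / "usr" / "sbin").mkdir(parents=True)
    (root / "usr" / "sbin" / RANSOM_NOTE).write_text("constructed note\n")
    ssh = root / "root" / ".ssh"
    ssh.mkdir(parents=True)
    (ssh / "authorized_keys").write_text(
        KNOWN_KEY + "\nssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedAttackerKey000000000 x@y\n")
    home = root / "home" / "user"
    home.mkdir(parents=True)
    (home / ".bashrc").write_text(f"# constructed\n/tmp/{SAMPLE_SHA256}/sbin_lsmod &\n")
    (home / ".profile").write_text("# untouched\n")
    docs = home / "docs"
    docs.mkdir()
    for i in range(6):  # ".xxx" is a placeholder; the report does not name the real extension
        (docs / f"report{i}.pdf.xxx").write_bytes(b"\x00" * 16)
    (docs / "backup.tar.gz").write_bytes(b"\x00")  # benign double extension, not counted
    return root


if __name__ == "__main__":
    for kind, detail in sweep(build_demo_root(), known_keys=frozenset({KNOWN_KEY})):
        print(f"{kind:24s} {detail}")
```

On a suspect host, run it as root against "/" with known_keys built from a trusted baseline of authorized_keys contents; the demo tree only shows the shape of the output. The rename check deliberately counts only files that already had an extension, which is what "added filename extension" in the signature describes, and a threshold of a handful of files keeps a single stray ".orig" copy from triggering it.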
Processes
-
/tmp/20e0e61d27762a524f6974fb9f4995062582db351d5576e62a214d6b5e5808e7/20e0e61d27762a524f6974fb9f499506258.elf (command line and image path)
- Adds new SSH keys
- Creates/modifies environment variables
- Writes file to system bin folder
- Modifies Bash startup script
- Checks CPU configuration
- Reads CPU attributes
- Reads runtime system information
- Writes file to tmp directory
PID: 1551
Network
MITRE ATT&CK Enterprise v15
Persistence
- Account Manipulation (1): SSH Authorized Keys, T1098.004 (1)
- Boot or Logon Autostart Execution, T1547 (1)
- Event Triggered Execution (1): Unix Shell Configuration Modification, T1546.004 (1)
- Hijack Execution Flow (1): Path Interception by PATH Environment Variable, T1574.007 (1)
Privilege Escalation
- Account Manipulation (1): SSH Authorized Keys, T1098.004 (1)
- Boot or Logon Autostart Execution, T1547 (1)
- Event Triggered Execution (1): Unix Shell Configuration Modification, T1546.004 (1)
- Hijack Execution Flow (1): Path Interception by PATH Environment Variable, T1574.007 (1)
Defense Evasion
- Hijack Execution Flow (1): Path Interception by PATH Environment Variable, T1574.007 (1)
- Virtualization/Sandbox Evasion (1): System Checks, T1497.001 (1)
Downloads
-
Filesize
4B
MD5
0afb21a5f243ec6c489ce1033bd2c71d
SHA1
62ea23f71d0d21fb2ef63d9de4b871f5b113d051
SHA256
5e873c29ac18e151673593f7e7e1a5f72e952ea870b1aa3037740d722c963937
SHA512
9c883309aadcdf36be075438dc76bbfb0c2d33bd2466d11a34a6cad0b9eb7542baac6ef46bf9431b9588facbea024928f3fcda2acef098fbf62c26c153f04f1b
-
Filesize
471B
MD5
5c64ba37d0cd7f572795118195091dbf
SHA1
27aabdaf647ff1bdc0f16eedc4b9de7bae0a6e4b
SHA256
789c2df5f265b70e7ae41f3ea3d32ec8c7acf213b0935b61701dd69d6c9e3ace
SHA512
c0bd1abb0df9754a15b30ec1d249a291c973e63b828ec02b92fdfd226729f63790fd27c06b536a55bae37b8db7bcbe6dc21d990762ef3b9647f09c197c285596
-
Filesize
441B
MD5
d9f75854b57665455bed233f93d774c1
SHA1
d7d1c646e7f822be2148650adc20c767d75db930
SHA256
bdd9158f38b73ee522765b036c63ef252d4ba60c059ad00fa728488bb0c8d83e
SHA512
61ccfd1fb7e10b54ed48cd8adaf07597fceebc1a0506a48b6c9fe0c951b3a48d45d739fea9c4fdcd0c5d6e27384faed5d319476b3a4f38a7288e11c5f4946b94