507ec5c385c79678e40503214c8e917c9ab419fcda0f86b2aa1ff4fdadb0f7e6

General

Target

1518d9364ae6362a9dc3e7cc7d103e515ea7b1c0aaca74f80062ba9f7436450e
Size

100KB
MD5

d0ceffd3b00587a2c593806f9b849cef
SHA1

c31438ddf15aa1ef49d540cd4faa6e78b874b313
SHA256

1518d9364ae6362a9dc3e7cc7d103e515ea7b1c0aaca74f80062ba9f7436450e
SHA512

ccb83ebbe4d7dd58cb8a0ca5f2b8ff698c2190f3dca75c01c7b1134dfe043844c88908c6ee82024751c6ca2ed3a35b89d5237bcec12275135b8f9644d26baffa
SSDEEP

1536:QUx8tzU06/iuN/G13HAswGz/gxi2pm5GA1KXUjmM1j6l3h+AWwh0f:Qc8tzUS4/N/wg82pm91KXUjhj6pIAQf

Score

9^/10

antivm defense_evasion discovery persistence privilege_escalation

Malware Config

Signatures

Contacts a large (27175) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
File and Directory Permissions Modification 1 TTPs 4 IoCs
Adversaries may modify file or directory permissions to evade defenses.
defense_evasion

Linux and Mac File and Directory Permissions Modification
T1222.002

Processes:

shchmodshchmod

pid process

1666 sh
1667 chmod
1672 sh
1673 chmod

pid	process
1666	sh
1667	chmod
1672	sh
1673	chmod

Modifies Watchdog functionality 1 TTPs 2 IoCs

Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

defense_evasion

Impair Defenses

T1562

Processes:

1518d9364ae6362a9dc3e7cc7d103e515ea7b1c0aaca74f80062ba9f7436450e

description	ioc	process
File opened for modification	/dev/watchdog	1518d9364ae6362a9dc3e7cc7d103e515ea7b1c0aaca74f80062ba9f7436450e
File opened for modification	/dev/misc/watchdog	1518d9364ae6362a9dc3e7cc7d103e515ea7b1c0aaca74f80062ba9f7436450e

Checks mountinfo of local process 1 TTPs 1 IoCs
Checks mountinfo of running processes which indicate if it is running in chroot jail.
antivm

System Checks
T1497.001

Processes:

1518d9364ae6362a9dc3e7cc7d103e515ea7b1c0aaca74f80062ba9f7436450e

description ioc process

File opened for reading /proc/1670/mountinfo 1518d9364ae6362a9dc3e7cc7d103e515ea7b1c0aaca74f80062ba9f7436450e
Creates/modifies environment variables 1 TTPs 1 IoCs
Creating/modifying environment variables is a common persistence mechanism.
persistence privilege_escalation defense_evasion

Path Interception by PATH Environment Variable
T1574.007

Processes:

1518d9364ae6362a9dc3e7cc7d103e515ea7b1c0aaca74f80062ba9f7436450e

description ioc process

File opened for modification /etc/profile 1518d9364ae6362a9dc3e7cc7d103e515ea7b1c0aaca74f80062ba9f7436450e
Modifies init.d 2 TTPs 1 IoCs
Adds/modifies system service, likely for persistence.
persistence

Boot or Logon Autostart Execution
T1547

RC Scripts
T1037.004

Processes:

1518d9364ae6362a9dc3e7cc7d103e515ea7b1c0aaca74f80062ba9f7436450e

description ioc process

File opened for modification /etc/init.d/system 1518d9364ae6362a9dc3e7cc7d103e515ea7b1c0aaca74f80062ba9f7436450e
Modifies rc script 2 TTPs 1 IoCs
Adding/modifying system rc scripts is a common persistence mechanism.
persistence

Boot or Logon Autostart Execution
T1547

RC Scripts
T1037.004

Processes:

1518d9364ae6362a9dc3e7cc7d103e515ea7b1c0aaca74f80062ba9f7436450e

description ioc process

File opened for modification /etc/rc.local 1518d9364ae6362a9dc3e7cc7d103e515ea7b1c0aaca74f80062ba9f7436450e
Modifies systemd 2 TTPs 1 IoCs
Adds/ modifies systemd service files. Likely to achieve persistence.
persistence privilege_escalation

XDG Autostart Entries
T1547.013

Systemd Service
T1543.002

Processes:

1518d9364ae6362a9dc3e7cc7d103e515ea7b1c0aaca74f80062ba9f7436450e

description ioc process

File opened for modification /etc/systemd/system/custom.service 1518d9364ae6362a9dc3e7cc7d103e515ea7b1c0aaca74f80062ba9f7436450e
Modifies Bash startup script 2 TTPs 1 IoCs
persistence

Boot or Logon Autostart Execution
T1547

Unix Shell Configuration Modification
T1546.004

Processes:

1518d9364ae6362a9dc3e7cc7d103e515ea7b1c0aaca74f80062ba9f7436450e

description ioc process

File opened for modification /etc/profile 1518d9364ae6362a9dc3e7cc7d103e515ea7b1c0aaca74f80062ba9f7436450e

description	ioc	process
File opened for reading	/proc/1670/mountinfo	1518d9364ae6362a9dc3e7cc7d103e515ea7b1c0aaca74f80062ba9f7436450e

description	ioc	process
File opened for modification	/etc/profile	1518d9364ae6362a9dc3e7cc7d103e515ea7b1c0aaca74f80062ba9f7436450e

description	ioc	process
File opened for modification	/etc/init.d/system	1518d9364ae6362a9dc3e7cc7d103e515ea7b1c0aaca74f80062ba9f7436450e

description	ioc	process
File opened for modification	/etc/rc.local	1518d9364ae6362a9dc3e7cc7d103e515ea7b1c0aaca74f80062ba9f7436450e

description	ioc	process
File opened for modification	/etc/systemd/system/custom.service	1518d9364ae6362a9dc3e7cc7d103e515ea7b1c0aaca74f80062ba9f7436450e

description	ioc	process
File opened for modification	/etc/profile	1518d9364ae6362a9dc3e7cc7d103e515ea7b1c0aaca74f80062ba9f7436450e

Reads runtime system information 26 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

1518d9364ae6362a9dc3e7cc7d103e515ea7b1c0aaca74f80062ba9f7436450emkdirsystemctl

description	ioc	process
File opened for reading	/proc/737/cmdline	1518d9364ae6362a9dc3e7cc7d103e515ea7b1c0aaca74f80062ba9f7436450e
File opened for reading	/proc/1727/status	1518d9364ae6362a9dc3e7cc7d103e515ea7b1c0aaca74f80062ba9f7436450e
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/1701/status	1518d9364ae6362a9dc3e7cc7d103e515ea7b1c0aaca74f80062ba9f7436450e
File opened for reading	/proc/1708/status	1518d9364ae6362a9dc3e7cc7d103e515ea7b1c0aaca74f80062ba9f7436450e
File opened for reading	/proc/1713/status	1518d9364ae6362a9dc3e7cc7d103e515ea7b1c0aaca74f80062ba9f7436450e
File opened for reading	/proc/1712/status	1518d9364ae6362a9dc3e7cc7d103e515ea7b1c0aaca74f80062ba9f7436450e
File opened for reading	/proc/1714/status	1518d9364ae6362a9dc3e7cc7d103e515ea7b1c0aaca74f80062ba9f7436450e
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/1699/status	1518d9364ae6362a9dc3e7cc7d103e515ea7b1c0aaca74f80062ba9f7436450e
File opened for reading	/proc/1702/status	1518d9364ae6362a9dc3e7cc7d103e515ea7b1c0aaca74f80062ba9f7436450e
File opened for reading	/proc/1706/status	1518d9364ae6362a9dc3e7cc7d103e515ea7b1c0aaca74f80062ba9f7436450e
File opened for reading	/proc/1705/status	1518d9364ae6362a9dc3e7cc7d103e515ea7b1c0aaca74f80062ba9f7436450e
File opened for reading	/proc/1707/status	1518d9364ae6362a9dc3e7cc7d103e515ea7b1c0aaca74f80062ba9f7436450e
File opened for reading	/proc/1711/status	1518d9364ae6362a9dc3e7cc7d103e515ea7b1c0aaca74f80062ba9f7436450e
File opened for reading	/proc/1715/status	1518d9364ae6362a9dc3e7cc7d103e515ea7b1c0aaca74f80062ba9f7436450e
File opened for reading	/proc/self/status	1518d9364ae6362a9dc3e7cc7d103e515ea7b1c0aaca74f80062ba9f7436450e
File opened for reading	/proc/1/cgroup	1518d9364ae6362a9dc3e7cc7d103e515ea7b1c0aaca74f80062ba9f7436450e
File opened for reading	/proc/633/cmdline	1518d9364ae6362a9dc3e7cc7d103e515ea7b1c0aaca74f80062ba9f7436450e
File opened for reading	/proc/1700/status	1518d9364ae6362a9dc3e7cc7d103e515ea7b1c0aaca74f80062ba9f7436450e
File opened for reading	/proc/1719/status	1518d9364ae6362a9dc3e7cc7d103e515ea7b1c0aaca74f80062ba9f7436450e
File opened for reading	/proc/1725/status	1518d9364ae6362a9dc3e7cc7d103e515ea7b1c0aaca74f80062ba9f7436450e
File opened for reading	/proc/1690/status	1518d9364ae6362a9dc3e7cc7d103e515ea7b1c0aaca74f80062ba9f7436450e
File opened for reading	/proc/1705/cmdline	1518d9364ae6362a9dc3e7cc7d103e515ea7b1c0aaca74f80062ba9f7436450e
File opened for reading	/proc/1709/status	1518d9364ae6362a9dc3e7cc7d103e515ea7b1c0aaca74f80062ba9f7436450e
File opened for reading	/proc/1716/status	1518d9364ae6362a9dc3e7cc7d103e515ea7b1c0aaca74f80062ba9f7436450e

/tmp/1518d9364ae6362a9dc3e7cc7d103e515ea7b1c0aaca74f80062ba9f7436450e
/tmp/1518d9364ae6362a9dc3e7cc7d103e515ea7b1c0aaca74f80062ba9f7436450e
1⤵
- Modifies Watchdog functionality
- Checks mountinfo of local process
- Creates/modifies environment variables
- Modifies init.d
- Modifies rc script
- Modifies systemd
- Modifies Bash startup script
- Reads runtime system information
PID:1590
- /bin/sh
  sh -c "systemctl enable custom.service >/dev/null 2>&1"
  2⤵
  PID:1597
- - /usr/bin/systemctl
    systemctl enable custom.service
    3⤵
    - Reads runtime system information
    PID:1598
- /bin/sh
  sh -c "chmod +x /etc/init.d/system >/dev/null 2>&1"
  2⤵
  - File and Directory Permissions Modification
  PID:1666
- - /usr/bin/chmod
    chmod +x /etc/init.d/system
    3⤵
    - File and Directory Permissions Modification
    PID:1667
- /bin/sh
  sh -c "ln -s /etc/init.d/system /etc/rcS.d/S99system >/dev/null 2>&1"
  2⤵
  PID:1668
- - /usr/bin/ln
    ln -s /etc/init.d/system /etc/rcS.d/S99system
    3⤵
    PID:1669
- /bin/sh
  sh -c "chmod +x /etc/init.d/sh >/dev/null 2>&1"
  2⤵
  - File and Directory Permissions Modification
  PID:1672
- - /usr/bin/chmod
    chmod +x /etc/init.d/sh
    3⤵
    - File and Directory Permissions Modification
    PID:1673
- /bin/sh
  sh -c "mkdir -p /etc/rc.d >/dev/null 2>&1"
  2⤵
  PID:1674
- - /usr/bin/mkdir
    mkdir -p /etc/rc.d
    3⤵
    - Reads runtime system information
    PID:1675
- /bin/sh
  sh -c "ln -s /etc/init.d/sh /etc/rc.d/S99sh >/dev/null 2>&1"
  2⤵
  PID:1676
- - /usr/bin/ln
    ln -s /etc/init.d/sh /etc/rc.d/S99sh
    3⤵
    PID:1677

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

4

T1547

XDG Autostart Entries

1

T1547.013

Boot or Logon Initialization Scripts

2

T1037

RC Scripts

2

T1037.004

Create or Modify System Process

1

T1543

Systemd Service

1

T1543.002

Event Triggered Execution

1

T1546

Unix Shell Configuration Modification

1

T1546.004

Hijack Execution Flow

1

T1574

Path Interception by PATH Environment Variable

1

T1574.007

Privilege Escalation

Boot or Logon Autostart Execution

4

T1547

XDG Autostart Entries

1

T1547.013

Boot or Logon Initialization Scripts

2

T1037

RC Scripts

2

T1037.004

Create or Modify System Process

1

T1543

Systemd Service

1

T1543.002

Event Triggered Execution

1

T1546

Unix Shell Configuration Modification

1

T1546.004

Hijack Execution Flow

1

T1574

Path Interception by PATH Environment Variable

1

T1574.007

Defense Evasion

File and Directory Permissions Modification

1

T1222

Linux and Mac File and Directory Permissions Modification

1

T1222.002

Hijack Execution Flow

1

T1574

Path Interception by PATH Environment Variable

Impair Defenses

Virtualization/Sandbox Evasion

1

T1497

System Checks

1

T1497.001

Credential Access

Discovery

Network Service Discovery

2

T1046

Virtualization/Sandbox Evasion

1

T1497

System Checks

1

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/boot/bootcmd

Filesize
109B

MD5
735cae7d3cbab0f59d95f84790282103

SHA1
1cb77931b3097f18988016c9ceba3280a5ccb2ae

SHA256
dfdd4cf729384e4ed52516ab72bd86be286c80f53d4f5b764fd2dd2a2b2c983b

SHA512
998daa467c4ee63dd41515897728de70cbb9c579ca8b16c26d8e6db5edad53c6dbd6343fb10eda3dbc29b0cb1fa72a9b2653250e9027e6ee02d17726e958bbfe

Download Submit
/etc/init.d/system

Filesize
96B

MD5
f000251d92c773cc3ee1ca22cf5f0788

SHA1
e2386fe6a5f29b1e9e5ad5b38928c024f97105e6

SHA256
31a77745dd3724a0691a9255738b9c87516868932e3eb992e2afafcd0574a985

SHA512
0dad5adaa7742dd208596fefad53ab21c39fbf2cbe5c9958b92170d555d316f0a0b02ec5236311b869aa18e90592e81439a3a229bf1307b5daf87d87c5f493c2

Download Submit
/etc/inittab

Filesize
101B

MD5
3d6b6e1b05ad5d0538ccd8804bcd279b

SHA1
0fc061b51c225d5bea072c939de05e8a856558bc

SHA256
cab2df9c1c498df29445837610f14ae08d4af98d3acac69b0581c01fe594e3c5

SHA512
1957857cffbc0d526eb04e40db166d661b9dc59fc31fb5551f31cd58d270f839ffa2098e81c8555b12e9dbd55ba17df662b14c6441a6389eb9a76082fa401c98

Download Submit
/etc/motd

Filesize
53B

MD5
2bd9b4be30579e633fc0191aa93df486

SHA1
7d63a9bd9662e86666b27c1b50db8e7370c624ff

SHA256
64dc39f3004dc93c9fc4f1467b4807f2d8e3eb0bfa96b15c19cd8e7d6fa77a1d

SHA512
ae6dd7b39191354cf43cf65e517460d7d4c61b8f5c08e33e6ca3c451dc7cab4de89f33934c89396b80f1aade0a4e2571bd5ae8b76ef80b737d4588703d2814d5

Download Submit
/etc/systemd/system/custom.service

Filesize
290B

MD5
19a440fdac7f578f2fb33719698a082c

SHA1
ebadce21c65d05ad62a324deb39c57aecd3edf2c

SHA256
b176d41b748466f8ba35246c78a1c940f65403b363c086ccd5b5de577a87cf69

SHA512
8bdfac90e7235fc35eeec141a1e2145ed4ea5a250b71bdf0cf0e5e5aa59ab6dc004dc08561bd5547c4a4a106138c98950dc2098c905ce785b9b2c0657684d7bb

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads