6674baf9b5ee9baf415ae92ed69b522bf1367cceb60cfd57ae7bc4b8e0677a23

Analysis

max time kernel
149s
max time network
150s
platform
ubuntu-24.04_amd64
resource
ubuntu2404-amd64-20240523-en
resource tags

arch:amd64arch:i386image:ubuntu2404-amd64-20240523-enkernel:6.8.0-31-genericlocale:en-usos:ubuntu-24.04-amd64system
submitted
25-11-2024 18:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6674baf9b5ee9baf415ae92ed69b522bf1367cceb60cfd57ae7bc4b8e0677a23
Size

1.1MB
MD5

7d1343b3ab670b162fb2ce8854f01167
SHA1

de95e608dd0e97d5eca90b6b6d747465980d4857
SHA256

6674baf9b5ee9baf415ae92ed69b522bf1367cceb60cfd57ae7bc4b8e0677a23
SHA512

22ff942fcaabe8a63919a53bf68642dd45943ef3c24e558b18d51ca5c4c0209be653ec268f9d0f64b5634e9dd3e32f7eacdb746fd2263907c0f8f33d89dd91be
SSDEEP

24576:4vRE7caCfKGPqVEDNLFxKsfawI+gIGYuuCol7r:4vREKfPqVE5jKsfawRHGVo7r

Score

7^/10

defense_evasion discovery persistence rootkit

Malware Config

Signatures

File and Directory Permissions Modification 1 TTPs 4 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
2391	chmod
2401	chmod
2407	chmod
2414	chmod

Executes dropped EXE 2 IoCs

ioc	pid	Process
/usr/bin/bsd-port/knerl	2355	knerl
/usr/bin/pythno	2368	pythno

Loads a kernel module 64 IoCs

Loads a Linux kernel module, potentially to achieve persistence

rootkit

pid	Process
2315	6674baf9b5ee9baf415ae92ed69b522bf1367cceb60cfd57ae7bc4b8e0677a23
2316	6674baf9b5ee9baf415ae92ed69b522bf1367cceb60cfd57ae7bc4b8e0677a23
2339	6674baf9b5ee9baf415ae92ed69b522bf1367cceb60cfd57ae7bc4b8e0677a23
2316	6674baf9b5ee9baf415ae92ed69b522bf1367cceb60cfd57ae7bc4b8e0677a23
2316	6674baf9b5ee9baf415ae92ed69b522bf1367cceb60cfd57ae7bc4b8e0677a23
2341	6674baf9b5ee9baf415ae92ed69b522bf1367cceb60cfd57ae7bc4b8e0677a23
2316	6674baf9b5ee9baf415ae92ed69b522bf1367cceb60cfd57ae7bc4b8e0677a23
2316	6674baf9b5ee9baf415ae92ed69b522bf1367cceb60cfd57ae7bc4b8e0677a23
2343	6674baf9b5ee9baf415ae92ed69b522bf1367cceb60cfd57ae7bc4b8e0677a23
2316	6674baf9b5ee9baf415ae92ed69b522bf1367cceb60cfd57ae7bc4b8e0677a23
2316	6674baf9b5ee9baf415ae92ed69b522bf1367cceb60cfd57ae7bc4b8e0677a23
2345	6674baf9b5ee9baf415ae92ed69b522bf1367cceb60cfd57ae7bc4b8e0677a23
2316	6674baf9b5ee9baf415ae92ed69b522bf1367cceb60cfd57ae7bc4b8e0677a23
2316	6674baf9b5ee9baf415ae92ed69b522bf1367cceb60cfd57ae7bc4b8e0677a23
2347	6674baf9b5ee9baf415ae92ed69b522bf1367cceb60cfd57ae7bc4b8e0677a23
2316	6674baf9b5ee9baf415ae92ed69b522bf1367cceb60cfd57ae7bc4b8e0677a23
2316	6674baf9b5ee9baf415ae92ed69b522bf1367cceb60cfd57ae7bc4b8e0677a23
2349	6674baf9b5ee9baf415ae92ed69b522bf1367cceb60cfd57ae7bc4b8e0677a23
2316	6674baf9b5ee9baf415ae92ed69b522bf1367cceb60cfd57ae7bc4b8e0677a23
2316	6674baf9b5ee9baf415ae92ed69b522bf1367cceb60cfd57ae7bc4b8e0677a23
2351	6674baf9b5ee9baf415ae92ed69b522bf1367cceb60cfd57ae7bc4b8e0677a23
2316	6674baf9b5ee9baf415ae92ed69b522bf1367cceb60cfd57ae7bc4b8e0677a23
2353	6674baf9b5ee9baf415ae92ed69b522bf1367cceb60cfd57ae7bc4b8e0677a23
2354	6674baf9b5ee9baf415ae92ed69b522bf1367cceb60cfd57ae7bc4b8e0677a23
2355	knerl
2353	6674baf9b5ee9baf415ae92ed69b522bf1367cceb60cfd57ae7bc4b8e0677a23
2316	6674baf9b5ee9baf415ae92ed69b522bf1367cceb60cfd57ae7bc4b8e0677a23
2357	6674baf9b5ee9baf415ae92ed69b522bf1367cceb60cfd57ae7bc4b8e0677a23
2316	6674baf9b5ee9baf415ae92ed69b522bf1367cceb60cfd57ae7bc4b8e0677a23
2316	6674baf9b5ee9baf415ae92ed69b522bf1367cceb60cfd57ae7bc4b8e0677a23
2359	6674baf9b5ee9baf415ae92ed69b522bf1367cceb60cfd57ae7bc4b8e0677a23
2316	6674baf9b5ee9baf415ae92ed69b522bf1367cceb60cfd57ae7bc4b8e0677a23
2356	knerl
2361	knerl
2356	knerl
2356	knerl
2363	knerl
2365	6674baf9b5ee9baf415ae92ed69b522bf1367cceb60cfd57ae7bc4b8e0677a23
2356	knerl
2366	6674baf9b5ee9baf415ae92ed69b522bf1367cceb60cfd57ae7bc4b8e0677a23
2356	knerl
2367	knerl
2368	pythno
2365	6674baf9b5ee9baf415ae92ed69b522bf1367cceb60cfd57ae7bc4b8e0677a23
2356	knerl
2356	knerl
2371	knerl
2316	6674baf9b5ee9baf415ae92ed69b522bf1367cceb60cfd57ae7bc4b8e0677a23
2372	6674baf9b5ee9baf415ae92ed69b522bf1367cceb60cfd57ae7bc4b8e0677a23
2356	knerl
2356	knerl
2375	knerl
2356	knerl
2356	knerl
2316	6674baf9b5ee9baf415ae92ed69b522bf1367cceb60cfd57ae7bc4b8e0677a23
2377	knerl
2356	knerl
2356	knerl
2380	knerl
2356	knerl
2356	knerl
2384	knerl
2356	knerl
2356	knerl

Write file to user bin folder 6 IoCs

persistence

description	ioc	Process
File opened for modification	/usr/bin/lsof	cp
File opened for modification	/usr/bin/ps	cp
File opened for modification	/usr/bin/bsd-port/knerl	cp
File opened for modification	/usr/bin/pythno	cp
File opened for modification	/usr/bin/dpkgd/lsof	cp
File opened for modification	/usr/bin/dpkgd/ps	cp

Writes file to system bin folder 2 IoCs

description	ioc	Process
File opened for modification	/bin/lsof	cp
File opened for modification	/bin/ps	cp

Enumerates kernel/hardware configuration 1 TTPs 2 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

discovery

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/module/compression	insmod
File opened for reading	/sys/module/compression	insmod

Reads runtime system information 17 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/cmdline	insmod
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/cmdline	insmod
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp

/tmp/6674baf9b5ee9baf415ae92ed69b522bf1367cceb60cfd57ae7bc4b8e0677a23
/tmp/6674baf9b5ee9baf415ae92ed69b522bf1367cceb60cfd57ae7bc4b8e0677a23
1⤵
- Loads a kernel module
PID:2315
- /usr/bin/ln
  ln -s /etc/init.d/VsystemsshMdt /etc/rc1.d/S97VsystemsshMdt
  2⤵
  PID:2340
- /usr/bin/ln
  ln -s /etc/init.d/VsystemsshMdt /etc/rc2.d/S97VsystemsshMdt
  2⤵
  PID:2342
- /usr/bin/ln
  ln -s /etc/init.d/VsystemsshMdt /etc/rc3.d/S97VsystemsshMdt
  2⤵
  PID:2344
- /usr/bin/ln
  ln -s /etc/init.d/VsystemsshMdt /etc/rc4.d/S97VsystemsshMdt
  2⤵
  PID:2346
- /usr/bin/ln
  ln -s /etc/init.d/VsystemsshMdt /etc/rc5.d/S97VsystemsshMdt
  2⤵
  PID:2348
- /usr/bin/mkdir
  mkdir -p /usr/bin/bsd-port
  2⤵
  - Reads runtime system information
  PID:2350
- /usr/bin/cp
  cp -f /tmp/6674baf9b5ee9baf415ae92ed69b522bf1367cceb60cfd57ae7bc4b8e0677a23 /usr/bin/bsd-port/knerl
  2⤵
  - Write file to user bin folder
  - Reads runtime system information
  PID:2352
- /usr/bin/bsd-port/knerl
  /usr/bin/bsd-port/knerl
  2⤵
  - Executes dropped EXE
  - Loads a kernel module
  PID:2355
- - /usr/bin/ln
    ln -s /etc/init.d/selinux /etc/rc1.d/S99selinux
    3⤵
    PID:2362
- - /usr/bin/ln
    ln -s /etc/init.d/selinux /etc/rc2.d/S99selinux
    3⤵
    PID:2364
- - /usr/bin/ln
    ln -s /etc/init.d/selinux /etc/rc3.d/S99selinux
    3⤵
    PID:2369
- - /usr/bin/ln
    ln -s /etc/init.d/selinux /etc/rc4.d/S99selinux
    3⤵
    PID:2373
- - /usr/bin/ln
    ln -s /etc/init.d/selinux /etc/rc5.d/S99selinux
    3⤵
    PID:2376
- - /usr/bin/mkdir
    mkdir -p /usr/bin/dpkgd
    3⤵
    - Reads runtime system information
    PID:2378
- - /usr/bin/cp
    cp -f /bin/lsof /usr/bin/dpkgd/lsof
    3⤵
    - Write file to user bin folder
    - Reads runtime system information
    PID:2381
- - /usr/bin/mkdir
    mkdir -p /bin
    3⤵
    - Reads runtime system information
    PID:2385
- - /usr/bin/cp
    cp -f /usr/bin/bsd-port/knerl /bin/lsof
    3⤵
    - Writes file to system bin folder
    - Reads runtime system information
    PID:2388
- - /usr/bin/chmod
    chmod 0755 /bin/lsof
    3⤵
    - File and Directory Permissions Modification
    PID:2391
- - /usr/bin/cp
    cp -f /bin/ps /usr/bin/dpkgd/ps
    3⤵
    - Write file to user bin folder
    - Reads runtime system information
    PID:2394
- - /usr/bin/mkdir
    mkdir -p /bin
    3⤵
    - Reads runtime system information
    PID:2397
- - /usr/bin/cp
    cp -f /usr/bin/bsd-port/knerl /bin/ps
    3⤵
    - Writes file to system bin folder
    - Reads runtime system information
    PID:2399
- - /usr/bin/chmod
    chmod 0755 /bin/ps
    3⤵
    - File and Directory Permissions Modification
    PID:2401
- - /usr/bin/mkdir
    mkdir -p /usr/bin
    3⤵
    - Reads runtime system information
    PID:2403
- - /usr/bin/cp
    cp -f /usr/bin/bsd-port/knerl /usr/bin/lsof
    3⤵
    - Write file to user bin folder
    - Reads runtime system information
    PID:2405
- - /usr/bin/chmod
    chmod 0755 /usr/bin/lsof
    3⤵
    - File and Directory Permissions Modification
    PID:2407
- - /usr/bin/mkdir
    mkdir -p /usr/bin
    3⤵
    - Reads runtime system information
    PID:2409
- - /usr/bin/cp
    cp -f /usr/bin/bsd-port/knerl /usr/bin/ps
    3⤵
    - Write file to user bin folder
    - Reads runtime system information
    PID:2412
- - /usr/bin/chmod
    chmod 0755 /usr/bin/ps
    3⤵
    - File and Directory Permissions Modification
    PID:2414
- - /usr/sbin/insmod
    insmod /usr/lib/xpacket.ko
    3⤵
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:2416
- /usr/bin/mkdir
  mkdir -p /usr/bin
  2⤵
  - Reads runtime system information
  PID:2358
- /usr/bin/cp
  cp -f /tmp/6674baf9b5ee9baf415ae92ed69b522bf1367cceb60cfd57ae7bc4b8e0677a23 /usr/bin/pythno
  2⤵
  - Write file to user bin folder
  - Reads runtime system information
  PID:2360
- /usr/bin/pythno
  /usr/bin/pythno
  2⤵
  - Executes dropped EXE
  - Loads a kernel module
  PID:2368
- /usr/sbin/insmod
  insmod /usr/lib/xpacket.ko
  2⤵
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:2374

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/init.d/VsystemsshMdt

Filesize
82B

MD5
70e0b9f354c2b27951868de4c7188409

SHA1
69f78de2f008bf099afdee94ee73f079038c2904

SHA256
b084ecd0d6a422f16312528a8f5ab3944777488bfd06cb899895bbeba255aa2a

SHA512
ff69a6d6155e82166066b84bd8dd95227cec662451b51ba6f1db2d3d5aa98ab8fce7e153ae6fd9b1cddb9eaea250dc523ec95da427a5bbba3908dc59f7aeef1b

Download Submit
/etc/init.d/selinux

Filesize
36B

MD5
caa27b819c9303446f702929874a00e8

SHA1
d24199c0e376edea3f822b215148cc0dc78364bf

SHA256
da9b535a14c6d9152857e211f14fb8da9056e84ba1b8d4dc27ab79c98264050b

SHA512
dcd9413eb2cb24d77f637edfc00ca0bb42229a1a3b0d84e29eff94a7b91aee6ee8c126c286a4b4103e01834d1c6aec9de09ffab3927e8de8015421005f31446e

Download Submit
/tmp/conf.n

Filesize
69B

MD5
709576b0953dc08211f82fb5f0a3a097

SHA1
762ffe4640952ddb127c878143bbe1005e11de68

SHA256
c5430b75c6a44e5035cea9ef1f356769829a25a199af51f8f3234b3de03503cc

SHA512
306889217a1463fd45d3e679d8ce95f1a19672266739c0cc5a8051258438bfd7c86b697fe12fd77ac52f0214dd8e27bb9ad15e8bdda1f83c3390213e89295b58

Download Submit
/tmp/idus.log

Filesize
4B

MD5
ca43108ded5aabc7793d3f9b928cdd54

SHA1
53584939a79a641b754999cf0b76ad9123a4ac42

SHA256
d0a8a882c042eea09d56cc66ca6e04d988078f17506c0c5182224613390a1ad0

SHA512
6e0bd080fd5bedba925aff75336e9d624149e65f27d8c514e29c95dd92f688f1ac5f1ea24ae9494cb53b2da2d480d3f029e93f98d5c6c0204ef16df2dbcf7f8b

Download Submit
/tmp/notify.file

Filesize
69B

MD5
9b06d04eed867c3f7d9aaf38dfa5275f

SHA1
49333e3795f27c0b0e0c1937256c8f429f338d1c

SHA256
f868eed1818bc099599d717def5fe952c7d4557a18e5c32dcb473eb54f956391

SHA512
9455120e4ea42128418b9bed50482679e157ef51b1134c7e50b9d088e5f35ccf0af640a0f0ccda57340dd4d0638d5377058aac876f9dd374ef49631898201deb

Download Submit
/tmp/vga.conf

Filesize
4B

MD5
778609db5dc7e1a8315717a9cdd8fd6f

SHA1
a90159cc1a7228e57680670297b8c7b575b9db3f

SHA256
3343427bd8ac1cfc0f8e51fee0f21ad7db5432ac07ac382768f7668bfd1309c9

SHA512
4e1e5a3f6375e541a9b625fc74a7e90f7caf15929088d2d6ba717a69d4e66b028bf9583c3b471d1411fc15f9ee01964e0ac782991716055748115fa44c57bfb2

Download Submit