489566ae52ff7d91debde176382bc81523bad6bad4b8d1f814576e932d498907

Analysis

max time kernel
149s
max time network
153s
platform
ubuntu-24.04_amd64
resource
ubuntu2404-amd64-20240523-en
resource tags

arch:amd64arch:i386image:ubuntu2404-amd64-20240523-enkernel:6.8.0-31-genericlocale:en-usos:ubuntu-24.04-amd64system
submitted
25-11-2024 18:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

489566ae52ff7d91debde176382bc81523bad6bad4b8d1f814576e932d498907
Size

1.2MB
MD5

db0533432eb1071c80086e843a2010ec
SHA1

f77840fb1fe66b251b8327544bd52f9dd55b32cc
SHA256

489566ae52ff7d91debde176382bc81523bad6bad4b8d1f814576e932d498907
SHA512

58690d8d6f99f6b30f199b9ec7ce6ee2ec210992fe2b6f159d4c7c45baba772c717d9b771e033b1a65c9ea0a4d66cf10c7d70a783d964fc837d8c556793099e8
SSDEEP

24576:e845rGHu6gVJKG75oFpA0VWeX4F2y1q2rJp0:745vRVJKGtSA0VWeosu9p0

Score

7^/10

defense_evasion discovery persistence rootkit

Malware Config

Signatures

File and Directory Permissions Modification 1 TTPs 6 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
2886	chmod
2896	chmod
2906	chmod
2914	chmod
2922	chmod
2932	chmod

Executes dropped EXE 2 IoCs

ioc	pid	Process
/usr/bin/bsd-port/getty	2854	getty
/usr/bin/.sshd	2870	.sshd

Loads a kernel module 64 IoCs

Loads a Linux kernel module, potentially to achieve persistence

rootkit

pid	Process
2830	489566ae52ff7d91debde176382bc81523bad6bad4b8d1f814576e932d498907
2832	489566ae52ff7d91debde176382bc81523bad6bad4b8d1f814576e932d498907
2836	489566ae52ff7d91debde176382bc81523bad6bad4b8d1f814576e932d498907
2832	489566ae52ff7d91debde176382bc81523bad6bad4b8d1f814576e932d498907
2832	489566ae52ff7d91debde176382bc81523bad6bad4b8d1f814576e932d498907
2838	489566ae52ff7d91debde176382bc81523bad6bad4b8d1f814576e932d498907
2832	489566ae52ff7d91debde176382bc81523bad6bad4b8d1f814576e932d498907
2832	489566ae52ff7d91debde176382bc81523bad6bad4b8d1f814576e932d498907
2840	489566ae52ff7d91debde176382bc81523bad6bad4b8d1f814576e932d498907
2832	489566ae52ff7d91debde176382bc81523bad6bad4b8d1f814576e932d498907
2832	489566ae52ff7d91debde176382bc81523bad6bad4b8d1f814576e932d498907
2842	489566ae52ff7d91debde176382bc81523bad6bad4b8d1f814576e932d498907
2832	489566ae52ff7d91debde176382bc81523bad6bad4b8d1f814576e932d498907
2832	489566ae52ff7d91debde176382bc81523bad6bad4b8d1f814576e932d498907
2844	489566ae52ff7d91debde176382bc81523bad6bad4b8d1f814576e932d498907
2832	489566ae52ff7d91debde176382bc81523bad6bad4b8d1f814576e932d498907
2832	489566ae52ff7d91debde176382bc81523bad6bad4b8d1f814576e932d498907
2846	489566ae52ff7d91debde176382bc81523bad6bad4b8d1f814576e932d498907
2832	489566ae52ff7d91debde176382bc81523bad6bad4b8d1f814576e932d498907
2832	489566ae52ff7d91debde176382bc81523bad6bad4b8d1f814576e932d498907
2848	489566ae52ff7d91debde176382bc81523bad6bad4b8d1f814576e932d498907
2832	489566ae52ff7d91debde176382bc81523bad6bad4b8d1f814576e932d498907
2832	489566ae52ff7d91debde176382bc81523bad6bad4b8d1f814576e932d498907
2850	489566ae52ff7d91debde176382bc81523bad6bad4b8d1f814576e932d498907
2832	489566ae52ff7d91debde176382bc81523bad6bad4b8d1f814576e932d498907
2852	489566ae52ff7d91debde176382bc81523bad6bad4b8d1f814576e932d498907
2853	489566ae52ff7d91debde176382bc81523bad6bad4b8d1f814576e932d498907
2854	getty
2852	489566ae52ff7d91debde176382bc81523bad6bad4b8d1f814576e932d498907
2832	489566ae52ff7d91debde176382bc81523bad6bad4b8d1f814576e932d498907
2856	489566ae52ff7d91debde176382bc81523bad6bad4b8d1f814576e932d498907
2832	489566ae52ff7d91debde176382bc81523bad6bad4b8d1f814576e932d498907
2832	489566ae52ff7d91debde176382bc81523bad6bad4b8d1f814576e932d498907
2858	489566ae52ff7d91debde176382bc81523bad6bad4b8d1f814576e932d498907
2832	489566ae52ff7d91debde176382bc81523bad6bad4b8d1f814576e932d498907
2832	489566ae52ff7d91debde176382bc81523bad6bad4b8d1f814576e932d498907
2860	489566ae52ff7d91debde176382bc81523bad6bad4b8d1f814576e932d498907
2832	489566ae52ff7d91debde176382bc81523bad6bad4b8d1f814576e932d498907
2855	getty
2862	getty
2855	getty
2855	getty
2864	getty
2855	getty
2855	getty
2866	getty
2867	489566ae52ff7d91debde176382bc81523bad6bad4b8d1f814576e932d498907
2869	489566ae52ff7d91debde176382bc81523bad6bad4b8d1f814576e932d498907
2870	.sshd
2855	getty
2855	getty
2871	getty
2855	getty
2855	getty
2873	getty
2855	getty
2855	getty
2875	getty
2855	getty
2855	getty
2877	getty
2855	getty
2855	getty
2879	getty

Write file to user bin folder 8 IoCs

persistence

description	ioc	Process
File opened for modification	/usr/bin/bsd-port/getty	cp
File opened for modification	/usr/bin/.sshd	cp
File opened for modification	/usr/bin/dpkgd/lsof	cp
File opened for modification	/usr/bin/dpkgd/ps	cp
File opened for modification	/usr/bin/dpkgd/ss	cp
File opened for modification	/usr/bin/lsof	cp
File opened for modification	/usr/bin/ps	cp
File opened for modification	/usr/bin/ss	cp

Writes file to system bin folder 3 IoCs

description	ioc	Process
File opened for modification	/bin/lsof	cp
File opened for modification	/bin/ps	cp
File opened for modification	/bin/ss	cp

Enumerates kernel/hardware configuration 1 TTPs 2 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

discovery

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/module/compression	insmod
File opened for reading	/sys/module/compression	insmod

Reads runtime system information 30 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/cmdline	insmod
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/cmdline	insmod
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	mkdir

/tmp/489566ae52ff7d91debde176382bc81523bad6bad4b8d1f814576e932d498907
/tmp/489566ae52ff7d91debde176382bc81523bad6bad4b8d1f814576e932d498907
1⤵
- Loads a kernel module
PID:2830
- /usr/bin/ln
  ln -s /etc/init.d/DbSecuritySpt /etc/rc1.d/S97DbSecuritySpt
  2⤵
  PID:2837
- /usr/bin/ln
  ln -s /etc/init.d/DbSecuritySpt /etc/rc2.d/S97DbSecuritySpt
  2⤵
  PID:2839
- /usr/bin/ln
  ln -s /etc/init.d/DbSecuritySpt /etc/rc3.d/S97DbSecuritySpt
  2⤵
  PID:2841
- /usr/bin/ln
  ln -s /etc/init.d/DbSecuritySpt /etc/rc4.d/S97DbSecuritySpt
  2⤵
  PID:2843
- /usr/bin/ln
  ln -s /etc/init.d/DbSecuritySpt /etc/rc5.d/S97DbSecuritySpt
  2⤵
  PID:2845
- /usr/bin/mkdir
  mkdir -p /usr/bin/bsd-port
  2⤵
  - Reads runtime system information
  PID:2847
- /usr/bin/mkdir
  mkdir -p /usr/bin/bsd-port
  2⤵
  - Reads runtime system information
  PID:2849
- /usr/bin/cp
  cp -f /tmp/489566ae52ff7d91debde176382bc81523bad6bad4b8d1f814576e932d498907 /usr/bin/bsd-port/getty
  2⤵
  - Write file to user bin folder
  - Reads runtime system information
  PID:2851
- /usr/bin/bsd-port/getty
  /usr/bin/bsd-port/getty
  2⤵
  - Executes dropped EXE
  - Loads a kernel module
  PID:2854
- - /usr/bin/ln
    ln -s /etc/init.d/selinux /etc/rc1.d/S99selinux
    3⤵
    PID:2863
- - /usr/bin/ln
    ln -s /etc/init.d/selinux /etc/rc2.d/S99selinux
    3⤵
    PID:2865
- - /usr/bin/ln
    ln -s /etc/init.d/selinux /etc/rc3.d/S99selinux
    3⤵
    PID:2868
- - /usr/bin/ln
    ln -s /etc/init.d/selinux /etc/rc4.d/S99selinux
    3⤵
    PID:2872
- - /usr/bin/ln
    ln -s /etc/init.d/selinux /etc/rc5.d/S99selinux
    3⤵
    PID:2874
- - /usr/bin/mkdir
    mkdir -p /usr/bin/dpkgd
    3⤵
    - Reads runtime system information
    PID:2876
- - /usr/bin/cp
    cp -f /bin/lsof /usr/bin/dpkgd/lsof
    3⤵
    - Write file to user bin folder
    - Reads runtime system information
    PID:2878
- - /usr/bin/mkdir
    mkdir -p /bin
    3⤵
    - Reads runtime system information
    PID:2880
- - /usr/bin/mkdir
    mkdir -p /bin
    3⤵
    - Reads runtime system information
    PID:2882
- - /usr/bin/cp
    cp -f /usr/bin/bsd-port/getty /bin/lsof
    3⤵
    - Writes file to system bin folder
    - Reads runtime system information
    PID:2884
- - /usr/bin/chmod
    chmod 0755 /bin/lsof
    3⤵
    - File and Directory Permissions Modification
    PID:2886
- - /usr/bin/cp
    cp -f /bin/ps /usr/bin/dpkgd/ps
    3⤵
    - Write file to user bin folder
    - Reads runtime system information
    PID:2888
- - /usr/bin/mkdir
    mkdir -p /bin
    3⤵
    - Reads runtime system information
    PID:2890
- - /usr/bin/mkdir
    mkdir -p /bin
    3⤵
    - Reads runtime system information
    PID:2892
- - /usr/bin/cp
    cp -f /usr/bin/bsd-port/getty /bin/ps
    3⤵
    - Writes file to system bin folder
    - Reads runtime system information
    PID:2894
- - /usr/bin/chmod
    chmod 0755 /bin/ps
    3⤵
    - File and Directory Permissions Modification
    PID:2896
- - /usr/bin/cp
    cp -f /bin/ss /usr/bin/dpkgd/ss
    3⤵
    - Write file to user bin folder
    - Reads runtime system information
    PID:2898
- - /usr/bin/mkdir
    mkdir -p /bin
    3⤵
    - Reads runtime system information
    PID:2900
- - /usr/bin/mkdir
    mkdir -p /bin
    3⤵
    - Reads runtime system information
    PID:2902
- - /usr/bin/cp
    cp -f /usr/bin/bsd-port/getty /bin/ss
    3⤵
    - Writes file to system bin folder
    - Reads runtime system information
    PID:2904
- - /usr/bin/chmod
    chmod 0755 /bin/ss
    3⤵
    - File and Directory Permissions Modification
    PID:2906
- - /usr/bin/mkdir
    mkdir -p /usr/bin
    3⤵
    - Reads runtime system information
    PID:2908
- - /usr/bin/mkdir
    mkdir -p /usr/bin
    3⤵
    - Reads runtime system information
    PID:2910
- - /usr/bin/cp
    cp -f /usr/bin/bsd-port/getty /usr/bin/lsof
    3⤵
    - Write file to user bin folder
    - Reads runtime system information
    PID:2912
- - /usr/bin/chmod
    chmod 0755 /usr/bin/lsof
    3⤵
    - File and Directory Permissions Modification
    PID:2914
- - /usr/bin/mkdir
    mkdir -p /usr/bin
    3⤵
    - Reads runtime system information
    PID:2916
- - /usr/bin/mkdir
    mkdir -p /usr/bin
    3⤵
    - Reads runtime system information
    PID:2918
- - /usr/bin/cp
    cp -f /usr/bin/bsd-port/getty /usr/bin/ps
    3⤵
    - Write file to user bin folder
    - Reads runtime system information
    PID:2920
- - /usr/bin/chmod
    chmod 0755 /usr/bin/ps
    3⤵
    - File and Directory Permissions Modification
    PID:2922
- - /usr/bin/mkdir
    mkdir -p /usr/bin
    3⤵
    - Reads runtime system information
    PID:2924
- - /usr/bin/mkdir
    mkdir -p /usr/bin
    3⤵
    - Reads runtime system information
    PID:2927
- - /usr/bin/cp
    cp -f /usr/bin/bsd-port/getty /usr/bin/ss
    3⤵
    - Write file to user bin folder
    - Reads runtime system information
    PID:2930
- - /usr/bin/chmod
    chmod 0755 /usr/bin/ss
    3⤵
    - File and Directory Permissions Modification
    PID:2932
- - /usr/sbin/insmod
    insmod /usr/bin/bsd-port/xpacket.ko
    3⤵
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:2936
- /usr/bin/mkdir
  mkdir -p /usr/bin
  2⤵
  - Reads runtime system information
  PID:2857
- /usr/bin/mkdir
  mkdir -p /usr/bin
  2⤵
  - Reads runtime system information
  PID:2859
- /usr/bin/cp
  cp -f /tmp/489566ae52ff7d91debde176382bc81523bad6bad4b8d1f814576e932d498907 /usr/bin/.sshd
  2⤵
  - Write file to user bin folder
  - Reads runtime system information
  PID:2861
- /usr/bin/.sshd
  /usr/bin/.sshd
  2⤵
  - Executes dropped EXE
  - Loads a kernel module
  PID:2870
- /usr/sbin/insmod
  insmod /tmp/xpacket.ko
  2⤵
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:2934

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/init.d/DbSecuritySpt

Filesize
82B

MD5
80f19074244b4b5ba040d06a14db9e73

SHA1
454d860102a3fc39f2ce6873c5c5bf973ff26d31

SHA256
dc5aaefcce14581e4003fc7ce3f91587606bae413f7cff41dea97240925ab662

SHA512
0c90e5b3cb83bf5042599ad6af79d20dbe67755fc99b8e9566ae0492a9768cc7fe7a208ea5add70687f6dd5750b79d6335fcad499d629cda601aef3434d6d714

Download Submit
/etc/init.d/selinux

Filesize
36B

MD5
993cc15058142d96c3daf7852c3d5ee8

SHA1
0950b8b391b04dd3895ea33cd3141543ebd2525d

SHA256
8171d077918611803d93088409f220c66fae1c670b297e1aa5d8cbd548ce9208

SHA512
0c4256c00a3710f97e92581b552682b36b62afc35fe72622c491323c618c19ea62611ac04ccafc3dfcde2254a2ebbd93b69b66795b16e36332293bed83adb928

Download Submit
/tmp/conf.n

Filesize
73B

MD5
d33373ca2eacfed7da84c8fba4e1b064

SHA1
3267958a8df8d6f1d86598e65e265b88d8012fd6

SHA256
65a4ac424da89b2164423f43cd746647a67d7f7405c7383af5767c0b741a752f

SHA512
7df25c77249fb49bbb6dae443452511c0f91125193749d9de5c1cb0db4efdc377786e56fbd0dddbfd17e6d25b8d305a33dab8b6eab096450d741a9d48a537dbb

Download Submit
/tmp/gates.lod

Filesize
4B

MD5
2bc8ae25856bc2a6a1333d1331a3b7a6

SHA1
91a7bc9deaeeb18d77904dce1ed85ab89013e06f

SHA256
db5989a78dd31d0ccfe36eb3c60d8b98150ddbd8a7ae6edb927eb821c8d81284

SHA512
e35170dffa8b198884bf79cb6fca91ec969c212db69f7df4c9f4b6feffe0f738e0e0919705b1db642f2b4ecf331e031f473ad6b90f94789b7e1067753a198df6

Download Submit
/tmp/moni.lod

Filesize
4B

MD5
ac34ae1fda29b8fe781ac8d6d32a6bc7

SHA1
412085c129e3538bc20644116c05ed7fc4c33aa0

SHA256
f0e3bd92f157f9b73ede82834286e7cea4044134b39d92ac3ee7e56392194241

SHA512
6e7f947af82d2102a2ad2558c37ee09eed53d25055bd5c1f8ab12b1f9c2bd70982fceaf84a8d666ea4175ae50b9d62c196ac24b0c9bfaae41a2c86feb9a45ccb

Download Submit
/tmp/notify.file

Filesize
69B

MD5
946561b52c866aa52a453a1ace7f77e0

SHA1
eb086702608ae8e2c60fd628ac531a50ac699267

SHA256
a106019941d18f19d24ae5cfa839c871c40f1c069bb33330c9369768b4518169

SHA512
8f28fd373c4a08498516b6a77179271ef7fc027280537af8cf36829298fbaefd7d88256102b3b8e5bbd906216be8d6c7bb280a8b1b3fea253a879d6f1fa736ac

Download Submit