3b15778595cef00d1a51035dd4fd65e6be97e73544cb1899f40aec4aaa0445ae

Analysis

max time kernel
11s
max time network
32s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240611-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240611-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
03-12-2024 08:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3b15778595cef00d1a51035dd4fd65e6be97e73544cb1899f40aec4aaa0445ae
Size

1KB
MD5

51a900215c41691542f83df8cb053ef7
SHA1

efaca58b61cb70b87a075fad593c81beb757ad7e
SHA256

3b15778595cef00d1a51035dd4fd65e6be97e73544cb1899f40aec4aaa0445ae
SHA512

15ff74bcc1f503f31cc8bff6fad446a1f5a7c774b13c623071ceb480bddef28d7a942f1e15b68a98eaa6e481a581c6792b734075011bd96a34fcbf0e256aa5b1

Score

7^/10

defense_evasion discovery

Malware Config

Signatures

File and Directory Permissions Modification 1 TTPs 1 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
1517	chmod

Executes dropped EXE 1 IoCs

ioc	pid	Process
/.redtail	1518	.redtail

Reads AppArmor ptrace settings 1 TTPs 1 IoCs

Discovery of allowed ptrace capabilities by AppArmor.

discovery

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/kernel/security/apparmor/features/ptrace	find

Enumerates running processes
Discovers information about currently running processes on the system

Reads hardware information 1 TTPs 1 IoCs

Accesses system info like serial numbers, manufacturer names etc.

discovery

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/virtual/dmi/id/power	find

Reads network interface configuration 2 TTPs 12 IoCs

Fetches information about one or more active network interfaces.

discovery

System Network Configuration Discovery

T1016

System Network Connections Discovery

T1049

description	ioc	Process
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/statistics	find
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/queues	find
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/queues/tx-0	find
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/queues/tx-0/byte_queue_limits	find
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/queues/rx-0	find
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/power	find
File opened for reading	/sys/devices/virtual/net/lo/statistics	find
File opened for reading	/sys/devices/virtual/net/lo/power	find
File opened for reading	/sys/devices/virtual/net/lo/queues	find
File opened for reading	/sys/devices/virtual/net/lo/queues/tx-0	find
File opened for reading	/sys/devices/virtual/net/lo/queues/tx-0/byte_queue_limits	find
File opened for reading	/sys/devices/virtual/net/lo/queues/rx-0	find

Reads CPU attributes 1 TTPs 22 IoCs

discovery

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/power	find
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index1	find
File opened for reading	/sys/devices/system/cpu/cpuidle	find
File opened for reading	/sys/devices/system/cpu/microcode	find
File opened for reading	/sys/devices/system/cpu/cpu0	find
File opened for reading	/sys/devices/system/cpu/cpu0/hotplug	find
File opened for reading	/sys/devices/system/cpu/cpu0/topology	find
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3	find
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index1/power	find
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/power	find
File opened for reading	/sys/devices/system/cpu/cpu0/cache/power	find
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0	find
File opened for reading	/sys/devices/system/cpu/power	find
File opened for reading	/sys/devices/system/cpu/vulnerabilities	find
File opened for reading	/sys/devices/system/cpu/cpufreq	find
File opened for reading	/sys/devices/system/cpu/cpu0/microcode	find
File opened for reading	/sys/devices/system/cpu/cpu0/cache	find
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2	find
File opened for reading	/sys/devices/system/cpu/hotplug	find
File opened for reading	/sys/devices/system/cpu/smt	find
File opened for reading	/sys/devices/system/cpu/cpu0/power	find
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/power	find

Enumerates kernel/hardware configuration 1 TTPs 64 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

discovery

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/kernel/debug/bdi/7:3	find
File opened for reading	/sys/devices/virtual/drm/ttm/memory_accounting	find
File opened for reading	/sys/module/crct10dif_pclmul/notes	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_enter_mq_notify	find
File opened for reading	/sys/kernel/security/apparmor	find
File opened for reading	/sys/kernel/debug/tracing/events/ext4/ext4_ext_rm_idx	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_enter_setpgid	find
File opened for reading	/sys/devices/pci0000:00/0000:00:04.0/ata4/host3/target3:0:0/3:0:0:0/block/sr0/queue/iosched	find
File opened for reading	/sys/module/parport_pc/notes	find
File opened for reading	/sys/module/usbhid/notes	find
File opened for reading	/sys/kernel/debug/tracing/events/xhci-hcd/xhci_dbc_giveback_request	find
File opened for reading	/sys/kernel/debug/tracing/events/ext4/ext4_es_lookup_extent_exit	find
File opened for reading	/sys/devices/virtual/mem/urandom/power	find
File opened for reading	/sys/bus/platform/drivers/twl4030-audio	find
File opened for reading	/sys/module/drm_kms_helper	find
File opened for reading	/sys/kernel/debug/tracing/events/thermal/thermal_zone_trip	find
File opened for reading	/sys/class/firmware	find
File opened for reading	/sys/devices/LNXSYSTM:00/LNXPWRBN:00/input/input0/event0/power	find
File opened for reading	/sys/firmware/qemu_fw_cfg/by_key/36	find
File opened for reading	/sys/kernel/debug/tracing/events/thermal_power_allocator/thermal_power_allocator_pid	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_exit_utime	find
File opened for reading	/sys/bus/platform	find
File opened for reading	/sys/kernel/slab/bdev_cache/cgroup	find
File opened for reading	/sys/kernel/debug/tracing/events/mmc/mmc_request_start	find
File opened for reading	/sys/kernel/debug/tracing/events/irq_vectors/reschedule_entry	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_enter_epoll_pwait	find
File opened for reading	/sys/devices/platform/serial8250/tty/ttyS13	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_exit_renameat	find
File opened for reading	/sys/devices/virtual/tty/tty48	find
File opened for reading	/sys/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:17	find
File opened for reading	/sys/module/sysrq	find
File opened for reading	/sys/kernel/debug/tracing/events/xhci-hcd/xhci_dbg_quirks	find
File opened for reading	/sys/kernel/debug/tracing/events/power/clock_disable	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_exit_sched_setattr	find
File opened for reading	/sys/bus/platform/drivers/rc5t583-gpio	find
File opened for reading	/sys/bus/platform/drivers/i2c_designware	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_exit_timer_settime	find
File opened for reading	/sys/fs/cgroup/pids/system.slice/kerneloops.service	find
File opened for reading	/sys/kernel/slab/:0000640	find
File opened for reading	/sys/kernel/debug/tracing/events/block/block_rq_complete	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_exit_symlink	find
File opened for reading	/sys/fs/cgroup/systemd/user.slice/user-0.slice/[email protected]/gvfs-mtp-volume-monitor.service	find
File opened for reading	/sys/module/pciehp/parameters	find
File opened for reading	/sys/kernel/debug/tracing/events/bridge/br_fdb_external_learn_add	find
File opened for reading	/sys/kernel/debug/tracing/events/sched/sched_stat_runtime	find
File opened for reading	/sys/kernel/debug/tracing/events/xen/xen_mc_extend_args	find
File opened for reading	/sys/devices/virtual/bdi/7:5	find
File opened for reading	/sys/kernel/debug/tracing/events/ext4/ext4_es_insert_extent	find
File opened for reading	/sys/kernel/debug/tracing/events/page_isolation	find
File opened for reading	/sys/devices/virtual/tty/tty5	find
File opened for reading	/sys/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:0f	find
File opened for reading	/sys/fs/cgroup/pids/system.slice/polkit.service	find
File opened for reading	/sys/bus/serio/devices	find
File opened for reading	/sys/kernel/security/apparmor/features/policy/versions	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_enter_listxattr	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_enter_faccessat	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_enter_process_vm_readv	find
File opened for reading	/sys/kernel/debug/tracing/events/xen/xen_mmu_set_pte_at	find
File opened for reading	/sys/devices/virtual/bdi	find
File opened for reading	/sys/devices/platform/platform-framebuffer.0	find
File opened for reading	/sys/devices/platform/serial8250/tty/ttyS17	find
File opened for reading	/sys/module/tpm_crb	find
File opened for reading	/sys/module/printk/parameters	find
File opened for reading	/sys/kernel/debug/usb/ohci	find

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/438/task/438/attr/smack	find
File opened for reading	/proc/648/task/649	find
File opened for reading	/proc/1255/task/1256	find
File opened for reading	/proc/1284/task/1284/net/netfilter	find
File opened for reading	/proc/162/task/162/fdinfo	find
File opened for reading	/proc/432/task/432	find
File opened for reading	/proc/436/attr/selinux	find
File opened for reading	/proc/535/task/543/fdinfo	find
File opened for reading	/proc/161/map_files	find
File opened for reading	/proc/1165/task/1195	find
File opened for reading	/proc/1241/task/1245/attr/selinux	find
File opened for reading	/proc/1276/task/1276/net/stat	find
File opened for reading	/proc/1322/task	find
File opened for reading	/proc/453/task/513/net	find
File opened for reading	/proc/160/fd	find
File opened for reading	/proc/442/attr/selinux	find
File opened for reading	/proc/471/task/471/attr	find
File opened for reading	/proc/506/net/netfilter	find
File opened for reading	/proc/936/task/936/fdinfo	find
File opened for reading	/proc/1174/attr/selinux	find
File opened for reading	/proc/11/task/11/net/stat	find
File opened for reading	/proc/167/task/167/net	find
File opened for reading	/proc/443/attr/selinux	find
File opened for reading	/proc/704/task/1475/fdinfo	find
File opened for reading	/proc/1159/task/1159	find
File opened for reading	/proc/1367/task/1376/attr/smack	find
File opened for reading	/proc/438/task/438/net/stat	find
File opened for reading	/proc/659/task/659/attr/apparmor	find
File opened for reading	/proc/1054/task/1062/fdinfo	find
File opened for reading	/proc/1150/task/1150/fd	find
File opened for reading	/proc/35/net/dev_snmp6	find
File opened for reading	/proc/1294/task/1323/attr/smack	find
File opened for reading	/proc/35/task/35/fd	find
File opened for reading	/proc/428/task/428/net/netfilter	find
File opened for reading	/proc/451/net/dev_snmp6	find
File opened for reading	/proc/3	find
File opened for reading	/proc/1474/attr/selinux	find
File opened for reading	/proc/1074/task/1089/attr/selinux	find
File opened for reading	/proc/1106/task/1108/attr/smack	find
File opened for reading	/proc/1299/task/1299/fdinfo	find
File opened for reading	/proc/1474/task/1487/net	find
File opened for reading	/proc/453/fd	find
File opened for reading	/proc/436/task/436/attr/apparmor	find
File opened for reading	/proc/1474/task/1492/ns	find
File opened for reading	/proc/31/attr/selinux	find
File opened for reading	/proc/535/task/535/fd	find
File opened for reading	/proc/156/task/156/fd	find
File opened for reading	/proc/510/task/510/fdinfo	find
File opened for reading	/proc/1145/task/1145/attr	find
File opened for reading	/proc/13/attr/smack	find
File opened for reading	/proc/164/net	find
File opened for reading	/proc/85/attr/apparmor	find
File opened for reading	/proc/1500/task	find
File opened for reading	/proc/170/net/netfilter	find
File opened for reading	/proc/267	find
File opened for reading	/proc/1179/task/1219/net/stat	find
File opened for reading	/proc/1322/task/1327/attr/selinux	find
File opened for reading	/proc/1322/task/1329/net/dev_snmp6	find
File opened for reading	/proc/4/attr/smack	find
File opened for reading	/proc/625/net/netfilter	find
File opened for reading	/proc/648/task/652/attr/apparmor	find
File opened for reading	/proc/1050/task/1051/fdinfo	find
File opened for reading	/proc/1056/task/1056/attr/smack	find
File opened for reading	/proc/131/task/131/net/dev_snmp6	find

/tmp/3b15778595cef00d1a51035dd4fd65e6be97e73544cb1899f40aec4aaa0445ae
/tmp/3b15778595cef00d1a51035dd4fd65e6be97e73544cb1899f40aec4aaa0445ae
1⤵
PID:1481
- /bin/uname
  uname -mp
  2⤵
  PID:1482
- /bin/grep
  grep -q x86_64
  2⤵
  PID:1486
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1491
- /bin/grep
  grep noexec
  2⤵
  PID:1490
- /bin/cat
  cat /proc/mounts
  2⤵
  PID:1489
- /usr/bin/whoami
  whoami
  2⤵
  PID:1496
- /usr/bin/find
  find / -type d -user root -perm "-u=rwx" -not -path "/tmp/*" -not -path "/proc/*" -not -path /sys -not -path "/sys/*" -not -path /proc -not -path "/proc/*" -not -path /dev/pts -not -path "/dev/pts/*" -not -path /run -not -path "/run/*" -not -path /sys/kernel/security -not -path "/sys/kernel/security/*" -not -path /run/lock -not -path "/run/lock/*" -not -path /sys/fs/cgroup -not -path "/sys/fs/cgroup/*" -not -path /sys/fs/cgroup/unified -not -path "/sys/fs/cgroup/unified/*" -not -path /sys/fs/cgroup/systemd -not -path "/sys/fs/cgroup/systemd/*" -not -path /sys/fs/pstore -not -path "/sys/fs/pstore/*" -not -path /sys/fs/cgroup/perf_event -not -path "/sys/fs/cgroup/perf_event/*" -not -path /sys/fs/cgroup/freezer -not -path "/sys/fs/cgroup/freezer/*" -not -path /sys/fs/cgroup/cpuset -not -path "/sys/fs/cgroup/cpuset/*" -not -path "/sys/fs/cgroup/cpu,cpuacct" -not -path "/sys/fs/cgroup/cpu,cpuacct/*" -not -path /sys/fs/cgroup/memory -not -path "/sys/fs/cgroup/memory/*" -not -path /sys/fs/cgroup/devices -not -path "/sys/fs/cgroup/devices/*" -not -path /sys/fs/cgroup/hugetlb -not -path "/sys/fs/cgroup/hugetlb/*" -not -path /sys/fs/cgroup/rdma -not -path "/sys/fs/cgroup/rdma/*" -not -path "/sys/fs/cgroup/net_cls,net_prio" -not -path "/sys/fs/cgroup/net_cls,net_prio/*" -not -path /sys/fs/cgroup/blkio -not -path "/sys/fs/cgroup/blkio/*" -not -path /sys/fs/cgroup/pids -not -path "/sys/fs/cgroup/pids/*"
  2⤵
  - Reads AppArmor ptrace settings
  - Reads hardware information
  - Reads network interface configuration
  - Reads CPU attributes
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:1497
- /usr/bin/touch
  touch .testfile
  2⤵
  PID:1510
- /bin/dd
  dd "if=/dev/zero" "of=.testfile2" "bs=2M" "count=1"
  2⤵
  PID:1512
- /bin/rm
  rm -rf .testfile .testfile2
  2⤵
  PID:1513
- /bin/cp
  cp -r "/tmp/redtail.*" /
  2⤵
  PID:1514
- /bin/rm
  rm -rf .redtail
  2⤵
  PID:1515
- /bin/cat
  cat redtail.x86_64
  2⤵
  PID:1516
- /bin/chmod
  chmod +x .redtail
  2⤵
  - File and Directory Permissions Modification
  PID:1517
- /.redtail
  ./.redtail ssh
  2⤵
  - Executes dropped EXE
  PID:1518
- /bin/rm
  rm -rf "redtail.*"
  2⤵
  PID:1520
- /bin/rm
  rm -rf "/tmp/redtail.*"
  2⤵
  PID:1521

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

System Information Discovery

T1082

System Network Configuration Discovery

T1016

System Network Connections Discovery

T1049

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/.testfile2

Filesize
2.0MB

MD5
b2d1236c286a3c0704224fe4105eca49

SHA1
7d76d48d64d7ac5411d714a4bb83f37e3e5b8df6

SHA256
5647f05ec18958947d32874eeb788fa396a05d0bab7c1b71f112ceb7e9b31eee

SHA512
731859029215873fdac1c9f2f8bd25a334abf0f3a9e1b057cf2cacc2826d86b0c26a3fa920a936421401c0471f38857cb53ba905489ea46b185209fdff65b3b6

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads