3b15778595cef00d1a51035dd4fd65e6be97e73544cb1899f40aec4aaa0445ae

Analysis

max time kernel
50s
platform
debian-9_armhf
resource
debian9-armhf-20240611-en
resource tags

arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
03/12/2024, 08:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3b15778595cef00d1a51035dd4fd65e6be97e73544cb1899f40aec4aaa0445ae
Size

1KB
MD5

51a900215c41691542f83df8cb053ef7
SHA1

efaca58b61cb70b87a075fad593c81beb757ad7e
SHA256

3b15778595cef00d1a51035dd4fd65e6be97e73544cb1899f40aec4aaa0445ae
SHA512

15ff74bcc1f503f31cc8bff6fad446a1f5a7c774b13c623071ceb480bddef28d7a942f1e15b68a98eaa6e481a581c6792b734075011bd96a34fcbf0e256aa5b1

Score

7^/10

defense_evasion discovery

Malware Config

Signatures

File and Directory Permissions Modification 1 TTPs 1 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
795	chmod

Executes dropped EXE 1 IoCs

ioc	pid	Process
/.redtail	796	.redtail

Enumerates running processes
Discovers information about currently running processes on the system

Reads network interface configuration 2 TTPs 6 IoCs

Fetches information about one or more active network interfaces.

discovery

System Network Configuration Discovery

T1016

System Network Connections Discovery

T1049

description	ioc	Process
File opened for reading	/sys/devices/virtual/net/lo/power	find
File opened for reading	/sys/devices/virtual/net/lo/queues	find
File opened for reading	/sys/devices/virtual/net/lo/queues/tx-0	find
File opened for reading	/sys/devices/virtual/net/lo/queues/tx-0/byte_queue_limits	find
File opened for reading	/sys/devices/virtual/net/lo/queues/rx-0	find
File opened for reading	/sys/devices/virtual/net/lo/statistics	find

Reads CPU attributes 1 TTPs 7 IoCs

discovery

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/cpu0/power	find
File opened for reading	/sys/devices/system/cpu/cpu0/hotplug	find
File opened for reading	/sys/devices/system/cpu/cpu0/topology	find
File opened for reading	/sys/devices/system/cpu/power	find
File opened for reading	/sys/devices/system/cpu/hotplug	find
File opened for reading	/sys/devices/system/cpu/cpufreq	find
File opened for reading	/sys/devices/system/cpu/cpu0	find

Enumerates kernel/hardware configuration 1 TTPs 64 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

discovery

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/kernel/debug/tracing/events/ftrace/hwlat	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_exit_fallocate	find
File opened for reading	/sys/module/tda18271	find
File opened for reading	/sys/fs/cgroup/devices/system.slice/system-serial\x2dgetty.slice	find
File opened for reading	/sys/bus/platform/drivers/vexpress-syscfg	find
File opened for reading	/sys/module/crc16/notes	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_enter_fdatasync	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_enter_sethostname	find
File opened for reading	/sys/devices/virtual/mem/zero	find
File opened for reading	/sys/bus/clockevents	find
File opened for reading	/sys/kernel/debug/clk/clk24mhz	find
File opened for reading	/sys/kernel/debug/tracing/events/ext4/ext4_journal_start	find
File opened for reading	/sys/class/bsg	find
File opened for reading	/sys/fs/cgroup/devices/user.slice/user-0.slice	find
File opened for reading	/sys/fs/ext4/features	find
File opened for reading	/sys/module/autofs4/sections	find
File opened for reading	/sys/kernel/debug/tracing/events/jbd2/jbd2_handle_extend	find
File opened for reading	/sys/kernel/debug/tracing/events/compaction/mm_compaction_defer_reset	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_enter_getuid16	find
File opened for reading	/sys/devices/platform/a002000.virtio_mmio/power	find
File opened for reading	/sys/bus/platform/drivers/bcm2835-clk	find
File opened for reading	/sys/bus/pci/devices	find
File opened for reading	/sys/module/pcie_aspm/parameters	find
File opened for reading	/sys/kernel/debug/tracing/events/jbd2/jbd2_commit_flushing	find
File opened for reading	/sys/kernel/debug/tracing/events/cma/cma_alloc	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_enter_epoll_create	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_exit_getrlimit	find
File opened for reading	/sys/devices/platform/9000000.pl011/tty/ttyAMA0	find
File opened for reading	/sys/firmware/devicetree/base/virtio_mmio@a001800	find
File opened for reading	/sys/fs/cgroup/cpu,cpuacct/system.slice	find
File opened for reading	/sys/module/kvm_arm/parameters	find
File opened for reading	/sys/kernel/debug/tracing/events/ext4/ext4_mb_new_inode_pa	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_exit_sched_getscheduler	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_enter_getppid	find
File opened for reading	/sys/bus/platform/devices	find
File opened for reading	/sys/bus/platform/drivers/sun4i-pinctrl	find
File opened for reading	/sys/kernel/debug/tracing/events/udp	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_enter_lseek	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_enter_fallocate	find
File opened for reading	/sys/class/bdi	find
File opened for reading	/sys/bus/platform/drivers/arm-smmu	find
File opened for reading	/sys/kernel/debug/tracing/events/ext4/ext4_remove_blocks	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_exit_mq_notify	find
File opened for reading	/sys/bus/platform/drivers/snvs_rtc	find
File opened for reading	/sys/module/omap_mailbox/parameters	find
File opened for reading	/sys/kernel/debug/tracing/events/block/block_unplug	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_enter_ioprio_set	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_exit_mq_timedsend	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_enter_io_setup	find
File opened for reading	/sys/devices/platform/a003800.virtio_mmio	find
File opened for reading	/sys/module/sysrq	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_exit_faccessat	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_exit_access	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_exit_capget	find
File opened for reading	/sys/dev/block	find
File opened for reading	/sys/kernel/irq/24	find
File opened for reading	/sys/module/tea5761	find
File opened for reading	/sys/kernel/debug/tracing/events/mmc	find
File opened for reading	/sys/kernel/debug/tracing/events/migrate	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_exit_fadvise64_64	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_exit_membarrier	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_enter_clock_nanosleep	find
File opened for reading	/sys/devices/virtual/misc/apm_bios	find
File opened for reading	/sys/bus/platform/drivers/gpio-keys	find

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/137/task/137/ns	find
File opened for reading	/proc/139/ns	find
File opened for reading	/proc/8/task/8/fd	find
File opened for reading	/proc/9/net/dev_snmp6	find
File opened for reading	/proc/10/fd	find
File opened for reading	/proc/13/attr	find
File opened for reading	/proc/21/attr	find
File opened for reading	/proc/105/ns	find
File opened for reading	/proc/214/ns	find
File opened for reading	/proc/642/task/642/attr	find
File opened for reading	/proc/642/net/dev_snmp6	find
File opened for reading	/proc/7/task/7/ns	find
File opened for reading	/proc/137/net/stat	find
File opened for reading	/proc/148/task/148/ns	find
File opened for reading	/proc/269/task/269/net/netfilter	find
File opened for reading	/proc/389/task	find
File opened for reading	/proc/691/task/691/attr	find
File opened for reading	/proc/108/task/108/ns	find
File opened for reading	/proc/297/net/stat	find
File opened for reading	/proc/7/task/7	find
File opened for reading	/proc/11/ns	find
File opened for reading	/proc/19/task/19/fdinfo	find
File opened for reading	/proc/26/net/stat	find
File opened for reading	/proc/105/net/stat	find
File opened for reading	/proc/107/task/107/ns	find
File opened for reading	/proc/316/task/316/net/netfilter	find
File opened for reading	/proc/641	find
File opened for reading	/proc/691/task/691/fd	find
File opened for reading	/proc/25/ns	find
File opened for reading	/proc/214/task/223/fdinfo	find
File opened for reading	/proc/439/task/439/net/netfilter	find
File opened for reading	/proc/646/task	find
File opened for reading	/proc/14/task/14/ns	find
File opened for reading	/proc/97/task/97	find
File opened for reading	/proc/139/task/139/attr	find
File opened for reading	/proc/650/task/650/ns	find
File opened for reading	/proc/13/ns	find
File opened for reading	/proc/23/map_files	find
File opened for reading	/proc/75/task/75/ns	find
File opened for reading	/proc/214/fd	find
File opened for reading	/proc/267/task/274/net/dev_snmp6	find
File opened for reading	/proc/604/ns	find
File opened for reading	/proc/27/task/27/net/stat	find
File opened for reading	/proc/646/net/stat	find
File opened for reading	/proc/105/net/dev_snmp6	find
File opened for reading	/proc/299/task/299/attr	find
File opened for reading	/proc/1/task/1/net/netfilter	find
File opened for reading	/proc/1/net/netfilter	find
File opened for reading	/proc/7/task/7/fd	find
File opened for reading	/proc/17/task/17/net/netfilter	find
File opened for reading	/proc/28	find
File opened for reading	/proc/105/task/105/net/stat	find
File opened for reading	/proc/646/attr	find
File opened for reading	/proc/658/task/658	find
File opened for reading	/proc/108/fd	find
File opened for reading	/proc/267/task/267/ns	find
File opened for reading	/proc/283/task/283	find
File opened for reading	/proc/311/net/netfilter	find
File opened for reading	/proc/403/net/dev_snmp6	find
File opened for reading	/proc/17/net/netfilter	find
File opened for reading	/proc/214/task/214/net/netfilter	find
File opened for reading	/proc/687/net/stat	find
File opened for reading	/proc/3/task/3/attr	find
File opened for reading	/proc/137/task/137/fdinfo	find

/tmp/3b15778595cef00d1a51035dd4fd65e6be97e73544cb1899f40aec4aaa0445ae
/tmp/3b15778595cef00d1a51035dd4fd65e6be97e73544cb1899f40aec4aaa0445ae
1⤵
PID:649
- /bin/uname
  uname -mp
  2⤵
  PID:654
- /bin/grep
  grep -q x86_64
  2⤵
  PID:657
- /bin/grep
  grep -q amd64
  2⤵
  PID:660
- /bin/grep
  grep -q "i[3456]86"
  2⤵
  PID:666
- /bin/grep
  grep -q armv8
  2⤵
  PID:670
- /bin/grep
  grep -q aarch64
  2⤵
  PID:674
- /bin/grep
  grep -q armv7
  2⤵
  PID:677
- /bin/cat
  cat /proc/mounts
  2⤵
  PID:682
- /bin/grep
  grep noexec
  2⤵
  PID:683
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:684
- /usr/bin/whoami
  whoami
  2⤵
  PID:690
- /usr/bin/find
  find / -type d -user root -perm "-u=rwx" -not -path "/tmp/*" -not -path "/proc/*" -not -path /sys -not -path "/sys/*" -not -path /proc -not -path "/proc/*" -not -path /dev/pts -not -path "/dev/pts/*" -not -path /run -not -path "/run/*" -not -path /sys/kernel/security -not -path "/sys/kernel/security/*" -not -path /run/lock -not -path "/run/lock/*" -not -path /sys/fs/cgroup -not -path "/sys/fs/cgroup/*" -not -path /sys/fs/cgroup/systemd -not -path "/sys/fs/cgroup/systemd/*" -not -path /sys/fs/cgroup/freezer -not -path "/sys/fs/cgroup/freezer/*" -not -path "/sys/fs/cgroup/cpu,cpuacct" -not -path "/sys/fs/cgroup/cpu,cpuacct/*" -not -path /sys/fs/cgroup/devices -not -path "/sys/fs/cgroup/devices/*" -not -path /sys/fs/cgroup/blkio -not -path "/sys/fs/cgroup/blkio/*" -not -path "/sys/fs/cgroup/net_cls,net_prio" -not -path "/sys/fs/cgroup/net_cls,net_prio/*" -not -path /sys/fs/cgroup/cpuset -not -path "/sys/fs/cgroup/cpuset/*" -not -path /sys/fs/cgroup/perf_event -not -path "/sys/fs/cgroup/perf_event/*" -not -path /sys/fs/cgroup/pids -not -path "/sys/fs/cgroup/pids/*" -not -path /sys/fs/cgroup/memory -not -path "/sys/fs/cgroup/memory/*"
  2⤵
  - Reads network interface configuration
  - Reads CPU attributes
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:691
- /usr/bin/touch
  touch .testfile
  2⤵
  PID:788
- /bin/dd
  dd "if=/dev/zero" "of=.testfile2" "bs=2M" "count=1"
  2⤵
  PID:790
- /bin/rm
  rm -rf .testfile .testfile2
  2⤵
  PID:791
- /bin/cp
  cp -r "/tmp/redtail.*" /
  2⤵
  PID:792
- /bin/rm
  rm -rf .redtail
  2⤵
  PID:793
- /bin/cat
  cat redtail.arm7
  2⤵
  PID:794
- /bin/chmod
  chmod +x .redtail
  2⤵
  - File and Directory Permissions Modification
  PID:795
- /.redtail
  ./.redtail ssh
  2⤵
  - Executes dropped EXE
  PID:796
- /bin/rm
  rm -rf "redtail.*"
  2⤵
  PID:798
- /bin/rm
  rm -rf "/tmp/redtail.*"
  2⤵
  PID:799

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

System Information Discovery

T1082

System Network Configuration Discovery

T1016

System Network Connections Discovery

T1049

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/.testfile2

Filesize
2.0MB

MD5
b2d1236c286a3c0704224fe4105eca49

SHA1
7d76d48d64d7ac5411d714a4bb83f37e3e5b8df6

SHA256
5647f05ec18958947d32874eeb788fa396a05d0bab7c1b71f112ceb7e9b31eee

SHA512
731859029215873fdac1c9f2f8bd25a334abf0f3a9e1b057cf2cacc2826d86b0c26a3fa920a936421401c0471f38857cb53ba905489ea46b185209fdff65b3b6

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads