Analysis
-
max time kernel
43s -
platform
debian-9_mipsel -
resource
debian9-mipsel-20240226-en -
resource tags
-
submitted
03-12-2024 08:34
General
-
Target
3b15778595cef00d1a51035dd4fd65e6be97e73544cb1899f40aec4aaa0445ae
-
Size
1KB
-
MD5
51a900215c41691542f83df8cb053ef7
-
SHA1
efaca58b61cb70b87a075fad593c81beb757ad7e
-
SHA256
3b15778595cef00d1a51035dd4fd65e6be97e73544cb1899f40aec4aaa0445ae
-
SHA512
15ff74bcc1f503f31cc8bff6fad446a1f5a7c774b13c623071ceb480bddef28d7a942f1e15b68a98eaa6e481a581c6792b734075011bd96a34fcbf0e256aa5b1
Score
7/10
Malware Config
Signatures
-
File and Directory Permissions Modification 1 TTPs 4 IoCs
Adversaries may modify file or directory permissions to evade defenses.
-
Executes dropped EXE 4 IoCs
-
Reads runtime system information 4 IoCs
Reads data from /proc virtual filesystem.
Processes
-
/tmp/3b15778595cef00d1a51035dd4fd65e6be97e73544cb1899f40aec4aaa0445ae/tmp/3b15778595cef00d1a51035dd4fd65e6be97e73544cb1899f40aec4aaa0445ae1⤵
-
/bin/unameuname -mp2⤵
-
-
/bin/grepgrep -q x86_642⤵
-
-
/bin/grepgrep -q amd642⤵
-
-
/bin/grepgrep -q "i[3456]86"2⤵
-
-
/bin/grepgrep -q armv82⤵
-
-
/bin/grepgrep -q aarch642⤵
-
-
/bin/grepgrep -q armv72⤵
-
-
/bin/catcat /proc/mounts2⤵
- Reads runtime system information
-
-
/bin/grepgrep noexec2⤵
-
-
/usr/bin/awkawk "{print \$2}"2⤵
- Reads runtime system information
-
-
/usr/bin/whoamiwhoami2⤵
-
-
/usr/bin/findfind / -type d -user root -perm "-u=rwx" -not -path "/tmp/*" -not -path "/proc/*" -not -path /sys -not -path "/sys/*" -not -path /proc -not -path "/proc/*" -not -path /dev/pts -not -path "/dev/pts/*" -not -path /run -not -path "/run/*" -not -path /sys/kernel/security -not -path "/sys/kernel/security/*" -not -path /run/lock -not -path "/run/lock/*" -not -path /sys/fs/cgroup -not -path "/sys/fs/cgroup/*" -not -path /sys/fs/cgroup/systemd -not -path "/sys/fs/cgroup/systemd/*" -not -path /sys/fs/cgroup/freezer -not -path "/sys/fs/cgroup/freezer/*" -not -path /sys/fs/cgroup/devices -not -path "/sys/fs/cgroup/devices/*" -not -path /sys/fs/cgroup/blkio -not -path "/sys/fs/cgroup/blkio/*" -not -path "/sys/fs/cgroup/cpu,cpuacct" -not -path "/sys/fs/cgroup/cpu,cpuacct/*" -not -path /sys/fs/cgroup/pids -not -path "/sys/fs/cgroup/pids/*" -not -path /sys/fs/cgroup/perf_event -not -path "/sys/fs/cgroup/perf_event/*" -not -path "/sys/fs/cgroup/net_cls,net_prio" -not -path "/sys/fs/cgroup/net_cls,net_prio/*" -not -path /sys/fs/cgroup/cpuset -not -path "/sys/fs/cgroup/cpuset/*" -not -path /sys/fs/cgroup/memory -not -path "/sys/fs/cgroup/memory/*"2⤵
- Reads runtime system information
-
-
/usr/bin/touchtouch .testfile2⤵
-
-
/bin/dddd "if=/dev/zero" "of=.testfile2" "bs=2M" "count=1"2⤵
-
-
/bin/rmrm -rf .testfile .testfile22⤵
-
-
/bin/cpcp -r "/tmp/redtail.*" /2⤵
- Reads runtime system information
-
-
/bin/rmrm -rf .redtail2⤵
-
-
/bin/catcat redtail.x86_642⤵
-
-
/bin/chmodchmod +x .redtail2⤵
- File and Directory Permissions Modification
-
-
/.redtail./.redtail ssh2⤵
- Executes dropped EXE
-
-
/bin/catcat redtail.i6862⤵
-
-
/bin/chmodchmod +x .redtail2⤵
- File and Directory Permissions Modification
-
-
/.redtail./.redtail ssh2⤵
- Executes dropped EXE
-
-
/bin/catcat redtail.arm82⤵
-
-
/bin/chmodchmod +x .redtail2⤵
- File and Directory Permissions Modification
-
-
/.redtail./.redtail ssh2⤵
- Executes dropped EXE
-
-
/bin/catcat redtail.arm72⤵
-
-
/bin/chmodchmod +x .redtail2⤵
- File and Directory Permissions Modification
-
-
/.redtail./.redtail ssh2⤵
- Executes dropped EXE
-
-
/bin/rmrm -rf "redtail.*"2⤵
-
-
/bin/rmrm -rf "/tmp/redtail.*"2⤵
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.0MB
MD5b2d1236c286a3c0704224fe4105eca49
SHA17d76d48d64d7ac5411d714a4bb83f37e3e5b8df6
SHA2565647f05ec18958947d32874eeb788fa396a05d0bab7c1b71f112ceb7e9b31eee
SHA512731859029215873fdac1c9f2f8bd25a334abf0f3a9e1b057cf2cacc2826d86b0c26a3fa920a936421401c0471f38857cb53ba905489ea46b185209fdff65b3b6