2c573abfa5f989511f669b8ece80aecd4362cba6041841fff2c008dea81e9378

Analysis

max time kernel
1s
max time network
131s
platform
ubuntu-24.04_amd64
resource
ubuntu2404-amd64-20240523-en
resource tags

arch:amd64arch:i386image:ubuntu2404-amd64-20240523-enkernel:6.8.0-31-genericlocale:en-usos:ubuntu-24.04-amd64system
submitted
03/12/2024, 17:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2c573abfa5f989511f669b8ece80aecd4362cba6041841fff2c008dea81e9378
Size

3.7MB
MD5

5584e10914a55fc813492a624ee5e867
SHA1

aeb18912e1e5053449fa5ad286c3df56643f33d0
SHA256

2c573abfa5f989511f669b8ece80aecd4362cba6041841fff2c008dea81e9378
SHA512

bfda5ee5894efc69a0aa3a5d3a96028d11f85bf96d02493800272b09aa7bb4c6ae2a346441bc5cedb3629ca3386bef44cc930070068f3d87d3ac65cf46948925
SSDEEP

98304:4KNuSEXA9WwKSrpyP8UGgGLMrJH84mA92GcNO2tBv7:nEXA9WwKip1me4e9N77

Score

7^/10

defense_evasion discovery persistence privilege_escalation

Malware Config

Signatures

File and Directory Permissions Modification 1 TTPs 2 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
2832	chmod
2834	chmod

Modifies systemd 2 TTPs 1 IoCs

Adds/ modifies systemd service files. Likely to achieve persistence.

persistence privilege_escalation

XDG Autostart Entries

T1547.013

Systemd Service

T1543.002

description	ioc	Process
File opened for modification	/etc/systemd/system/2c573abfa5f989511f669b8ece80aecd4362cba6041841fff2c008dea81e9378.service	2c573abfa5f989511f669b8ece80aecd4362cba6041841fff2c008dea81e9378

Write file to user bin folder 1 IoCs

persistence

description	ioc	Process
File opened for modification	/usr/sbin/2c573abfa5f989511f669b8ece80aecd4362cba6041841fff2c008dea81e9378	2c573abfa5f989511f669b8ece80aecd4362cba6041841fff2c008dea81e9378

Enumerates kernel/hardware configuration 1 TTPs 1 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

discovery

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	2c573abfa5f989511f669b8ece80aecd4362cba6041841fff2c008dea81e9378

Reads runtime system information 5 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/self/exe	2c573abfa5f989511f669b8ece80aecd4362cba6041841fff2c008dea81e9378
File opened for reading	/proc/filesystems	id

/tmp/2c573abfa5f989511f669b8ece80aecd4362cba6041841fff2c008dea81e9378
/tmp/2c573abfa5f989511f669b8ece80aecd4362cba6041841fff2c008dea81e9378
1⤵
- Modifies systemd
- Write file to user bin folder
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:2818
- /bin/sh
  /bin/sh
  2⤵
  PID:2824
- /bin/sh
  /bin/sh
  2⤵
  PID:2827
- /bin/sh
  /bin/sh
  2⤵
  PID:2831
- /bin/sh
  /bin/sh
  2⤵
  PID:2833
- /bin/sh
  /bin/sh
  2⤵
  PID:2835
- /bin/sh
  /bin/sh
  2⤵
  PID:2960

/usr/bin/id
id -u
1⤵
- Reads runtime system information
PID:2825

/usr/bin/systemctl
systemctl disable 2c573abfa5f989511f669b8ece80aecd4362cba6041841fff2c008dea81e9378.service
1⤵
- Reads runtime system information
PID:2830

/usr/bin/chmod
chmod +x /usr/sbin/2c573abfa5f989511f669b8ece80aecd4362cba6041841fff2c008dea81e9378
1⤵
- File and Directory Permissions Modification
PID:2832

/usr/bin/chmod
chmod +x /etc/systemd/system/2c573abfa5f989511f669b8ece80aecd4362cba6041841fff2c008dea81e9378.service
1⤵
- File and Directory Permissions Modification
PID:2834

/usr/bin/systemctl
systemctl enable 2c573abfa5f989511f669b8ece80aecd4362cba6041841fff2c008dea81e9378.service
1⤵
- Reads runtime system information
PID:2836

/usr/bin/systemctl
systemctl start 2c573abfa5f989511f669b8ece80aecd4362cba6041841fff2c008dea81e9378.service
1⤵
- Reads runtime system information
PID:2961

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

XDG Autostart Entries

T1547.013

Create or Modify System Process

T1543

Systemd Service

T1543.002

Privilege Escalation

Boot or Logon Autostart Execution

T1547

XDG Autostart Entries

T1547.013

Create or Modify System Process

T1543

Systemd Service

T1543.002

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/systemd/system/2c573abfa5f989511f669b8ece80aecd4362cba6041841fff2c008dea81e9378.service

Filesize
297B

MD5
7746a50656eadd66a4815923e6fc2ebf

SHA1
0b7c998565a713749f6b73b1bde55072c1dde7fb

SHA256
e59b2ae1eaf406db9b57820292a9ca907aa2ca7e747cd15186c912ecd06064ae

SHA512
a2dbbefb1480d0e6f0a128726a51bfa8f2c5920bae9eb28dc94d8d5dc16b81e397b6720c623dcf408d5a36814cbb985ed086928abe0e5a694331dbd3153b9de0

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads