c858e10e29b769ca86445ba1bebdf708e88245da4e96c4afc967818e8293e099

Resubmissions

02-01-2025 21:33

250102-1ejbvswpcv 10

08-12-2024 01:12

241208-bkq68azkep 10

Analysis

max time kernel
149s
max time network
153s
platform
ubuntu-22.04_amd64
resource
ubuntu2204-amd64-20240611-en
resource tags

arch:amd64arch:i386image:ubuntu2204-amd64-20240611-enkernel:5.15.0-105-genericlocale:en-usos:ubuntu-22.04-amd64system
submitted
08-12-2024 01:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

06432
Size

384KB
MD5

9a51d462452001e1f04dd68cf4336c54
SHA1

594d570708fa03d0ab37a0306b38c134be90becc
SHA256

7b06be1d204ee0b5ebc0d4cb287133b796bb28b18414ce3b1e8d31691db8b172
SHA512

e89c9abca2fce011ecade9763fdf738af4b642d5bad22af9a78b25e6a229409b1cb823e446569f7d647ccdd88f6d55094bcf7f4c591951d01f72b7b6d8e4deb6
SSDEEP

6144:AH0cwGaZNuEtdb3usKYgoJ4o+dp5ky7aIq1/axpR9yMl0gXQYjTwk73o:AHZwBTdbFKVy+dp5kZIlL08QgwGo

Score

7^/10

antivm defense_evasion discovery persistence upx

Malware Config

Signatures

File and Directory Permissions Modification 1 TTPs 8 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
1675	sh
1676	chmod
1683	sh
1684	chmod
1689	sh
1690	chmod
1695	sh
1696	chmod

Executes dropped EXE 2 IoCs

ioc	pid	Process
/usr/bin/bsd-port/getty	1638	getty
/etc/ssh/bashpa	1646	bashpa

Modifies init.d 2 TTPs 2 IoCs

Adds/modifies system service, likely for persistence.

persistence

Boot or Logon Autostart Execution

T1547

RC Scripts

T1037.004

description	ioc	Process
File opened for modification	/etc/init.d/DbSecuritySpt	06432
File opened for modification	/etc/init.d/selinux	getty

Reads system routing table 1 TTPs 1 IoCs

Gets active network interfaces from /proc virtual filesystem.

discovery

Internet Connection Discovery

T1016.001

description	ioc	Process
File opened for reading	/proc/net/route	06432

Write file to user bin folder 8 IoCs

persistence

description	ioc	Process
File opened for modification	/usr/bin/bsd-port/udevd.lock	06432
File opened for modification	/usr/bin/bsd-port/getty	cp
File opened for modification	/usr/bin/bsd-port/getty.lock	getty
File opened for modification	/usr/bin/dpkgd/lsof	cp
File opened for modification	/usr/bin/dpkgd/ps	cp
File opened for modification	/usr/bin/lsof	cp
File opened for modification	/usr/bin/ps	cp
File opened for modification	/usr/bin/bsd-port/getty.lock	06432

Writes file to system bin folder 2 IoCs

description	ioc	Process
File opened for modification	/bin/lsof	cp
File opened for modification	/bin/ps	cp

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral3/files/fstream-4.dat	upx

Checks CPU configuration 1 TTPs 2 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

description	ioc	Process
File opened for reading	/proc/cpuinfo	06432
File opened for reading	/proc/cpuinfo	getty

Reads system network configuration 1 TTPs 4 IoCs

Uses contents of /proc filesystem to enumerate network settings.

discovery

Internet Connection Discovery

T1016.001

description	ioc	Process
File opened for reading	/proc/net/dev	06432
File opened for reading	/proc/net/route	06432
File opened for reading	/proc/net/arp	06432
File opened for reading	/proc/net/dev	getty

Reads runtime system information 24 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/sys/kernel/version	06432
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/sys/kernel/version	bashpa
File opened for reading	/proc/stat	06432
File opened for reading	/proc/meminfo	06432
File opened for reading	/proc/cmdline	insmod
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/cmdline	insmod
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/sys/kernel/version	getty
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/stat	getty
File opened for reading	/proc/meminfo	getty

Writes file to tmp directory 8 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/gates.lock	bashpa
File opened for modification	/tmp/moni.lock	06432
File opened for modification	/tmp/bill.lock	06432
File opened for modification	/tmp/gates.lock	06432
File opened for modification	/tmp/notify.file	06432
File opened for modification	/tmp/conf.n	06432
File opened for modification	/tmp/moni.lock	bashpa
File opened for modification	/tmp/notify.file	bashpa

/tmp/06432
/tmp/06432
1⤵
- Modifies init.d
- Reads system routing table
- Write file to user bin folder
- Checks CPU configuration
- Reads system network configuration
- Reads runtime system information
- Writes file to tmp directory
PID:1596
- /bin/sh
  sh -c "ln -s /etc/init.d/DbSecuritySpt /etc/rc1.d/S97DbSecuritySpt"
  2⤵
  PID:1616
- - /usr/bin/ln
    ln -s /etc/init.d/DbSecuritySpt /etc/rc1.d/S97DbSecuritySpt
    3⤵
    PID:1617
- /bin/sh
  sh -c "ln -s /etc/init.d/DbSecuritySpt /etc/rc2.d/S97DbSecuritySpt"
  2⤵
  PID:1618
- - /usr/bin/ln
    ln -s /etc/init.d/DbSecuritySpt /etc/rc2.d/S97DbSecuritySpt
    3⤵
    PID:1619
- /bin/sh
  sh -c "ln -s /etc/init.d/DbSecuritySpt /etc/rc3.d/S97DbSecuritySpt"
  2⤵
  PID:1620
- - /usr/bin/ln
    ln -s /etc/init.d/DbSecuritySpt /etc/rc3.d/S97DbSecuritySpt
    3⤵
    PID:1621
- /bin/sh
  sh -c "ln -s /etc/init.d/DbSecuritySpt /etc/rc4.d/S97DbSecuritySpt"
  2⤵
  PID:1622
- - /usr/bin/ln
    ln -s /etc/init.d/DbSecuritySpt /etc/rc4.d/S97DbSecuritySpt
    3⤵
    PID:1623
- /bin/sh
  sh -c "ln -s /etc/init.d/DbSecuritySpt /etc/rc5.d/S97DbSecuritySpt"
  2⤵
  PID:1624
- - /usr/bin/ln
    ln -s /etc/init.d/DbSecuritySpt /etc/rc5.d/S97DbSecuritySpt
    3⤵
    PID:1625
- /bin/sh
  sh -c "mkdir -p /usr/bin/bsd-port"
  2⤵
  PID:1632
- - /usr/bin/mkdir
    mkdir -p /usr/bin/bsd-port
    3⤵
    - Reads runtime system information
    PID:1633
- /bin/sh
  sh -c "cp -f /tmp/06432 /usr/bin/bsd-port/getty"
  2⤵
  PID:1634
- - /usr/bin/cp
    cp -f /tmp/06432 /usr/bin/bsd-port/getty
    3⤵
    - Write file to user bin folder
    - Reads runtime system information
    PID:1635
- /bin/sh
  sh -c /usr/bin/bsd-port/getty
  2⤵
  PID:1637
- - /usr/bin/bsd-port/getty
    /usr/bin/bsd-port/getty
    3⤵
    - Executes dropped EXE
    - Modifies init.d
    - Write file to user bin folder
    - Checks CPU configuration
    - Reads system network configuration
    - Reads runtime system information
    PID:1638
  - - /bin/sh
      sh -c "ln -s /etc/init.d/selinux /etc/rc1.d/S99selinux"
      4⤵
      PID:1656
    - - /usr/bin/ln
        
        ln -s /etc/init.d/selinux /etc/rc1.d/S99selinux
        5⤵
        
        PID:1657
  - - /bin/sh
      sh -c "ln -s /etc/init.d/selinux /etc/rc2.d/S99selinux"
      4⤵
      PID:1659
    - - /usr/bin/ln
        
        ln -s /etc/init.d/selinux /etc/rc2.d/S99selinux
        5⤵
        
        PID:1660
  - - /bin/sh
      sh -c "ln -s /etc/init.d/selinux /etc/rc3.d/S99selinux"
      4⤵
      PID:1661
    - - /usr/bin/ln
        
        ln -s /etc/init.d/selinux /etc/rc3.d/S99selinux
        5⤵
        
        PID:1662
  - - /bin/sh
      sh -c "ln -s /etc/init.d/selinux /etc/rc4.d/S99selinux"
      4⤵
      PID:1663
    - - /usr/bin/ln
        
        ln -s /etc/init.d/selinux /etc/rc4.d/S99selinux
        5⤵
        
        PID:1664
  - - /bin/sh
      sh -c "ln -s /etc/init.d/selinux /etc/rc5.d/S99selinux"
      4⤵
      PID:1665
    - - /usr/bin/ln
        
        ln -s /etc/init.d/selinux /etc/rc5.d/S99selinux
        5⤵
        
        PID:1666
  - - /bin/sh
      sh -c "mkdir -p /usr/bin/dpkgd"
      4⤵
      PID:1667
    - - /usr/bin/mkdir
        
        mkdir -p /usr/bin/dpkgd
        5⤵
        Reads runtime system information
        
        PID:1668
  - - /bin/sh
      sh -c "cp -f /bin/lsof /usr/bin/dpkgd/lsof"
      4⤵
      PID:1669
    - - /usr/bin/cp
        
        cp -f /bin/lsof /usr/bin/dpkgd/lsof
        5⤵
        Write file to user bin folder
        Reads runtime system information
        
        PID:1670
  - - /bin/sh
      sh -c "mkdir -p /bin"
      4⤵
      PID:1671
    - - /usr/bin/mkdir
        
        mkdir -p /bin
        5⤵
        Reads runtime system information
        
        PID:1672
  - - /bin/sh
      sh -c "cp -f /usr/bin/bsd-port/getty /bin/lsof"
      4⤵
      PID:1673
    - - /usr/bin/cp
        
        cp -f /usr/bin/bsd-port/getty /bin/lsof
        5⤵
        Writes file to system bin folder
        Reads runtime system information
        
        PID:1674
  - - /bin/sh
      sh -c "chmod 0755 /bin/lsof"
      4⤵
      File and Directory Permissions Modification
      PID:1675
    - - /usr/bin/chmod
        
        chmod 0755 /bin/lsof
        5⤵
        File and Directory Permissions Modification
        
        PID:1676
  - - /bin/sh
      sh -c "cp -f /bin/ps /usr/bin/dpkgd/ps"
      4⤵
      PID:1677
    - - /usr/bin/cp
        
        cp -f /bin/ps /usr/bin/dpkgd/ps
        5⤵
        Write file to user bin folder
        Reads runtime system information
        
        PID:1678
  - - /bin/sh
      sh -c "mkdir -p /bin"
      4⤵
      PID:1679
    - - /usr/bin/mkdir
        
        mkdir -p /bin
        5⤵
        Reads runtime system information
        
        PID:1680
  - - /bin/sh
      sh -c "cp -f /usr/bin/bsd-port/getty /bin/ps"
      4⤵
      PID:1681
    - - /usr/bin/cp
        
        cp -f /usr/bin/bsd-port/getty /bin/ps
        5⤵
        Writes file to system bin folder
        Reads runtime system information
        
        PID:1682
  - - /bin/sh
      sh -c "chmod 0755 /bin/ps"
      4⤵
      File and Directory Permissions Modification
      PID:1683
    - - /usr/bin/chmod
        
        chmod 0755 /bin/ps
        5⤵
        File and Directory Permissions Modification
        
        PID:1684
  - - /bin/sh
      sh -c "mkdir -p /usr/bin"
      4⤵
      PID:1685
    - - /usr/bin/mkdir
        
        mkdir -p /usr/bin
        5⤵
        Reads runtime system information
        
        PID:1686
  - - /bin/sh
      sh -c "cp -f /usr/bin/bsd-port/getty /usr/bin/lsof"
      4⤵
      PID:1687
    - - /usr/bin/cp
        
        cp -f /usr/bin/bsd-port/getty /usr/bin/lsof
        5⤵
        Write file to user bin folder
        Reads runtime system information
        
        PID:1688
  - - /bin/sh
      sh -c "chmod 0755 /usr/bin/lsof"
      4⤵
      File and Directory Permissions Modification
      PID:1689
    - - /usr/bin/chmod
        
        chmod 0755 /usr/bin/lsof
        5⤵
        File and Directory Permissions Modification
        
        PID:1690
  - - /bin/sh
      sh -c "mkdir -p /usr/bin"
      4⤵
      PID:1691
    - - /usr/bin/mkdir
        
        mkdir -p /usr/bin
        5⤵
        Reads runtime system information
        
        PID:1692
  - - /bin/sh
      sh -c "cp -f /usr/bin/bsd-port/getty /usr/bin/ps"
      4⤵
      PID:1693
    - - /usr/bin/cp
        
        cp -f /usr/bin/bsd-port/getty /usr/bin/ps
        5⤵
        Write file to user bin folder
        Reads runtime system information
        
        PID:1694
  - - /bin/sh
      sh -c "chmod 0755 /usr/bin/ps"
      4⤵
      File and Directory Permissions Modification
      PID:1695
    - - /usr/bin/chmod
        
        chmod 0755 /usr/bin/ps
        5⤵
        File and Directory Permissions Modification
        
        PID:1696
  - - /bin/sh
      sh -c "insmod /usr/lib/xpacket.ko"
      4⤵
      PID:1697
    - - /usr/sbin/insmod
        
        insmod /usr/lib/xpacket.ko
        5⤵
        Reads runtime system information
        
        PID:1698
- /bin/sh
  sh -c "mkdir -p /etc/ssh"
  2⤵
  PID:1640
- - /usr/bin/mkdir
    mkdir -p /etc/ssh
    3⤵
    - Reads runtime system information
    PID:1641
- /bin/sh
  sh -c "cp -f /tmp/06432 /etc/ssh/bashpa"
  2⤵
  PID:1642
- - /usr/bin/cp
    cp -f /tmp/06432 /etc/ssh/bashpa
    3⤵
    - Reads runtime system information
    PID:1643
- /bin/sh
  sh -c /etc/ssh/bashpa
  2⤵
  PID:1645
- - /etc/ssh/bashpa
    /etc/ssh/bashpa
    3⤵
    - Executes dropped EXE
    - Reads runtime system information
    - Writes file to tmp directory
    PID:1646
- /bin/sh
  sh -c "insmod /usr/lib/xpacket.ko"
  2⤵
  PID:1648
- - /usr/sbin/insmod
    insmod /usr/lib/xpacket.ko
    3⤵
    - Reads runtime system information
    PID:1649

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Boot or Logon Initialization Scripts

T1037

RC Scripts

T1037.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Boot or Logon Initialization Scripts

T1037

RC Scripts

T1037.004

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/init.d/DbSecuritySpt

Filesize
23B

MD5
48dab32d26db5bf4a05140b06c745ab9

SHA1
a4f0d81fbbbbee256b4337e5775865680c0d63a6

SHA256
7b0c9ce02a8992a99c6b7d60607a112205483c024474942d7cad1741400310ce

SHA512
d624971593d8f117666cbc378b612c34b007b8c2390f7cd256b35cbbcfe1c7a3ac6115c167e394fc4bccfae57579ffae0a8a83cae894f737c15b77735f6e30af

Download Submit
/etc/init.d/selinux

Filesize
36B

MD5
993cc15058142d96c3daf7852c3d5ee8

SHA1
0950b8b391b04dd3895ea33cd3141543ebd2525d

SHA256
8171d077918611803d93088409f220c66fae1c670b297e1aa5d8cbd548ce9208

SHA512
0c4256c00a3710f97e92581b552682b36b62afc35fe72622c491323c618c19ea62611ac04ccafc3dfcde2254a2ebbd93b69b66795b16e36332293bed83adb928

Download Submit
/tmp/conf.n

Filesize
69B

MD5
5d3d128f1b932142cdc67365e42a6fd5

SHA1
95a1566f0df9cc0857b389ab0285a778f0fb0e55

SHA256
344444f85c309bc9fd45233857e0bbb62dc549b49abf4cfc3af8d62a1ea1e222

SHA512
4f7485ce2ef5fca45c7d1b6a9301f2b0a43b2a125f39c0f9c303cba4f3532cff3eef8ba241870c0744898db07e40dae9dd81538082a1258a5493e6bd6e836206

Download Submit
/tmp/gates.lock

Filesize
4B

MD5
87ec2f451208df97228105657edb717f

SHA1
3738f2650c3885bee794953d56a1e91a5516f93f

SHA256
eb57f949956cc9f3c32eb7f249bbe56a74c253015af4dddb0c98cde49157cbd0

SHA512
ed0b97c0e93e6fea48a3038fe6a19f5083f8e81575d5e27472e7f40d9cca795ef6ab7440acedb4a7837623e9ef21f635f782067d411ee428e7690d3ffe6644ea

Download Submit
/tmp/moni.lock

Filesize
4B

MD5
8d420fa35754d1f1c19969c88780314d

SHA1
b1d2f044e12dcb7cdd594a29701421711464cede

SHA256
920232613e4a67a07d6c99b7974dbcd6765ee171da73e4961e1499a05a1f471b

SHA512
4ae489c0b5faa148721d69e59718436a3766f0479833decd3c946247fa8c319ed9bd98823bbda7f916b9f1460412cd964c9e75868a83105d0ffb5b4cd55f0f79

Download Submit
/tmp/notify.file

Filesize
10B

MD5
14a74da1c3ed51e7744747af12724a92

SHA1
d66cbc587968d8cad15c34e09782bcffe283deae

SHA256
fd71ae4560d140229377c2e4f2eccfc759a4c3eb8c6dd81e5697e33b6ecfb896

SHA512
2a484a97808d68ee644e4162773c8540602aefce1764a449ff987ca89de77da4d166601d5893c8342969974dff3e4913d479a2b98f66acd38a75fbb719311119

Download Submit
/usr/bin/bsd-port/getty

Filesize
384KB

MD5
9a51d462452001e1f04dd68cf4336c54

SHA1
594d570708fa03d0ab37a0306b38c134be90becc

SHA256
7b06be1d204ee0b5ebc0d4cb287133b796bb28b18414ce3b1e8d31691db8b172

SHA512
e89c9abca2fce011ecade9763fdf738af4b642d5bad22af9a78b25e6a229409b1cb823e446569f7d647ccdd88f6d55094bcf7f4c591951d01f72b7b6d8e4deb6

Download Submit
/usr/bin/dpkgd/lsof

Filesize
163KB

MD5
ab57b66cc531ae0f996963223e632b60

SHA1
bf7e5becd33f21c2539f5a75ffa0ab61c49c8795

SHA256
2484863a7bfda7f97b90bfd5dfceed4ec9f27dd51f9c5158c8daabbf4309b1df

SHA512
908acef13f3c1d80b7169ec3b16bb67006013453348fff75550bc3c6c2137e798b21d7990edbd5be63d756d9c41b06160aebf38aa80547e4bafa3a62596057f6

Download Submit
/usr/bin/dpkgd/ps

Filesize
138KB

MD5
8146139c2ad7e550b1d1f49480997446

SHA1
074db8890c3227bd8a588417f5b9bde637bcf3af

SHA256
207df9d438f75185ab3af2ab1173d104831a6631c28ef40d38b2ab43de27b40f

SHA512
b6d71d537f593b9af833e6f798e412e95fc486a313414ed8cca9639f61be7ac9dca700e9f861c0d07c7f65b3783127a67f829f422472cad8938ba01d397ab9de

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads