3c58f7bc700f17de482a95d965ac76c8efb0f2614ab5f707cd9c4c61bc2acf3c

Analysis

max time kernel
899s
max time network
899s
platform
ubuntu-24.04_amd64
resource
ubuntu2404-amd64-20240523-en
resource tags

arch:amd64arch:i386image:ubuntu2404-amd64-20240523-enkernel:6.8.0-31-genericlocale:en-usos:ubuntu-24.04-amd64system
submitted
26-12-2024 17:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

unpacked
Size

6.3MB
MD5

66cb162d1880fff9f98f9d93f0aeab73
SHA1

99607f0eb75b14a5bf9891fb5104e0a9ea474427
SHA256

3c58f7bc700f17de482a95d965ac76c8efb0f2614ab5f707cd9c4c61bc2acf3c
SHA512

5aff245f001d695e259ff5cdad6a737ac8d7862750c7a1eca98bf07aa15f3e178b3e77e8168ced4326b8e9d08f2576bd7ca3c2fe4e495615c793c7370118ac34
SSDEEP

98304:3l3SXxr6OYgW3wfYug9xCO5uL2SVPWN+XfMJ6aeOIpgKIxt9qus:3l3a6OYnpXSINTetgK7us

Score

7^/10

antivm discovery execution persistence privilege_escalatio rootkit

Malware Config

Signatures

Loads a kernel module 40 IoCs

Loads a Linux kernel module, potentially to achieve persistence

rootkit

pid	Process
4066	unpacked
4068	unpacked
4066	unpacked
4066	unpacked
4066	unpacked
4108	unpacked
4066	unpacked
4066	unpacked
4066	unpacked
4066	unpacked
4120	unpacked
4066	unpacked
4066	unpacked
4066	unpacked
4066	unpacked
4128	unpacked
4066	unpacked
4066	unpacked
4066	unpacked
4066	unpacked
4143	unpacked
4066	unpacked
4066	unpacked
4066	unpacked
4066	unpacked
4066	unpacked
4066	unpacked
4066	unpacked
4066	unpacked
4066	unpacked
4066	unpacked
4066	unpacked
4066	unpacked
4066	unpacked
4066	unpacked
4066	unpacked
4066	unpacked
4066	unpacked
4151	unpacked
4151	unpacked

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

execution persistence privilege_escalatio

Cron

T1053.003

description	ioc	Process
File opened for modification	/var/spool/cron/crontabs/tmp.yYMLdr	crontab

Enumerates running processes
Discovers information about currently running processes on the system

Checks CPU configuration 1 TTPs 4 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

description	ioc	Process
File opened for reading	/proc/cpuinfo	grep
File opened for reading	/proc/cpuinfo	grep
File opened for reading	/proc/cpuinfo	ps
File opened for reading	/proc/cpuinfo	ps

Reads CPU attributes 1 TTPs 4 IoCs

discovery

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/possible	ps
File opened for reading	/sys/devices/system/cpu/possible	ps
File opened for reading	/sys/devices/system/cpu/possible	ps
File opened for reading	/sys/devices/system/cpu/possible	ps

Enumerates kernel/hardware configuration 1 TTPs 4 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

discovery

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/node	ps
File opened for reading	/sys/devices/system/node	ps
File opened for reading	/sys/devices/system/node	ps
File opened for reading	/sys/devices/system/node	ps

Process Discovery 1 TTPs 2 IoCs

Adversaries may try to discover information about running processes.

discovery

Process Discovery

T1057

pid	Process
4122	ps
4146	ps

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/54/environ	ps
File opened for reading	/proc/2/stat	ps
File opened for reading	/proc/3569/stat	ps
File opened for reading	/proc/3485/environ	ps
File opened for reading	/proc/2582/status	ps
File opened for reading	/proc/3560/stat	ps
File opened for reading	/proc/45/cmdline	ps
File opened for reading	/proc/3553/status	ps
File opened for reading	/proc/3919/ctty	ps
File opened for reading	/proc/3/stat	ps
File opened for reading	/proc/3590/cmdline	ps
File opened for reading	/proc/4127/cmdline	ps
File opened for reading	/proc/33/status	ps
File opened for reading	/proc/814/status	ps
File opened for reading	/proc/1074/cmdline	ps
File opened for reading	/proc/3382/ctty	ps
File opened for reading	/proc/190/status	ps
File opened for reading	/proc/31/environ	ps
File opened for reading	/proc/3497/ctty	ps
File opened for reading	/proc/4111/status	ps
File opened for reading	/proc/4065/status	ps
File opened for reading	/proc/3471/stat	ps
File opened for reading	/proc/3560/cmdline	ps
File opened for reading	/proc/187/cmdline	ps
File opened for reading	/proc/3398/stat	ps
File opened for reading	/proc/4/ctty	ps
File opened for reading	/proc/1105/ctty	ps
File opened for reading	/proc/4122/ctty	ps
File opened for reading	/proc/3/status	ps
File opened for reading	/proc/187/stat	ps
File opened for reading	/proc/3549/cmdline	ps
File opened for reading	/proc/1057/cmdline	ps
File opened for reading	/proc/505/stat	ps
File opened for reading	/proc/3743/status	ps
File opened for reading	/proc/23/environ	ps
File opened for reading	/proc/3518/cmdline	ps
File opened for reading	/proc/36/environ	ps
File opened for reading	/proc/3471/cmdline	ps
File opened for reading	/proc/17/status	ps
File opened for reading	/proc/71/stat	ps
File opened for reading	/proc/417/status	ps
File opened for reading	/proc/10/cmdline	ps
File opened for reading	/proc/1405/ctty	ps
File opened for reading	/proc/3559/cmdline	ps
File opened for reading	/proc/25/cmdline	ps
File opened for reading	/proc/41/cmdline	ps
File opened for reading	/proc/3737/stat	ps
File opened for reading	/proc/3749/status	ps
File opened for reading	/proc/146/environ	ps
File opened for reading	/proc/3549/ctty	ps
File opened for reading	/proc/self/maps	awk
File opened for reading	/proc/self/maps	awk
File opened for reading	/proc/3560/environ	ps
File opened for reading	/proc/770/environ	ps
File opened for reading	/proc/3556/ctty	ps
File opened for reading	/proc/189/ctty	ps
File opened for reading	/proc/374/environ	ps
File opened for reading	/proc/54/ctty	ps
File opened for reading	/proc/44/environ	ps
File opened for reading	/proc/2/status	ps
File opened for reading	/proc/717/cmdline	ps
File opened for reading	/proc/273/cmdline	ps
File opened for reading	/proc/57/status	ps
File opened for reading	/proc/2563/stat	ps

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/.cron	unpacked

/tmp/unpacked
/tmp/unpacked
1⤵
- Loads a kernel module
- Writes file to tmp directory
PID:4066
- /usr/bin/hostname
  hostname -I
  2⤵
  PID:4071
- /usr/bin/awk
  awk "{print \$1}"
  2⤵
  PID:4073
- /usr/bin/cat
  cat /etc/ssh/sshd_config
  2⤵
  PID:4075
- /usr/bin/grep
  grep "Port "
  2⤵
  PID:4076
- /usr/bin/head
  head -n 1
  2⤵
  PID:4077
- /usr/bin/awk
  awk "{print \":\"\$2}"
  2⤵
  PID:4078
- /usr/bin/whoami
  whoami
  2⤵
  PID:4079
- /usr/bin/hostname
  hostname
  2⤵
  PID:4080
- /usr/bin/grep
  grep -c "^processor" /proc/cpuinfo
  2⤵
  - Checks CPU configuration
  PID:4081
- /usr/bin/grep
  grep -m 1 "model name" /proc/cpuinfo
  2⤵
  - Checks CPU configuration
  PID:4084
- /usr/bin/cut
  cut -d: -f2
  2⤵
  PID:4085
- /usr/bin/sed
  sed -e "s/^ *//"
  2⤵
  PID:4086
- /usr/bin/sed
  sed -e "s/\$//"
  2⤵
  PID:4087
- /usr/bin/awk
  awk "{print \$1}"
  2⤵
  PID:4090
- /usr/bin/awk
  awk "{print \$4}"
  2⤵
  PID:4093
- /usr/bin/awk
  awk "{print \$4}"
  2⤵
  - Reads runtime system information
  PID:4096
- /usr/bin/awk
  awk "{print \$3}"
  2⤵
  PID:4099
- /usr/bin/awk
  awk "{print \$4}"
  2⤵
  - Reads runtime system information
  PID:4102
- /usr/bin/awk
  awk "{print \$1}"
  2⤵
  PID:4105
- /usr/bin/awk
  awk "{print \$2\" \"\$3\" \"\$4}"
  2⤵
  PID:4107
- /usr/bin/ps
  ps -A "-ostat,ppid"
  2⤵
  - Reads CPU attributes
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:4109
- /usr/bin/awk
  awk "/[zZ]/ && !a[\$2]++ {print \$2}"
  2⤵
  PID:4110
- /usr/bin/id
  id -u
  2⤵
  PID:4112
- /usr/bin/ps
  ps x
  2⤵
  - Reads CPU attributes
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:4113
- /usr/bin/grep
  grep /etc/cron
  2⤵
  PID:4114
- /usr/bin/grep
  grep -v grep
  2⤵
  PID:4115
- /usr/bin/id
  id -u
  2⤵
  PID:4121
- /usr/bin/ps
  ps aux
  2⤵
  - Checks CPU configuration
  - Reads CPU attributes
  - Enumerates kernel/hardware configuration
  - Process Discovery
  - Reads runtime system information
  PID:4122
- /usr/bin/grep
  grep -v grep
  2⤵
  PID:4123
- /usr/bin/grep
  grep -v -- "-bash[[:space:]]*\$"
  2⤵
  PID:4124
- /usr/bin/grep
  grep -v /usr/sbin/httpd
  2⤵
  PID:4125
- /usr/bin/awk
  awk "{if(\$3>30.0) print \$2}"
  2⤵
  PID:4126
- /usr/bin/rm
  rm -rf /tmp/.cron
  2⤵
  PID:4130
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:4131
- /usr/bin/grep
  grep -v grep
  2⤵
  PID:4132
- /usr/bin/grep
  grep -v /tmp/unpacked
  2⤵
  PID:4133
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:4135
- /usr/bin/grep
  grep -v grep
  2⤵
  PID:4136
- /usr/bin/grep
  grep "/tmp/unpacked\$"
  2⤵
  PID:4137
- /usr/bin/sort
  sort
  2⤵
  PID:4138
- /usr/bin/uniq
  uniq
  2⤵
  PID:4139
- /usr/bin/wc
  wc -l
  2⤵
  PID:4140
- /usr/bin/crontab
  crontab /tmp/.cron
  2⤵
  - Creates/modifies Cron job
  PID:4141
- /usr/bin/rm
  rm -rf /tmp/.cron
  2⤵
  PID:4142
- /usr/bin/id
  id -u
  2⤵
  PID:4144
- /usr/bin/ps
  ps aux
  2⤵
  - Checks CPU configuration
  - Reads CPU attributes
  - Enumerates kernel/hardware configuration
  - Process Discovery
  - Reads runtime system information
  PID:4146
- /usr/bin/grep
  grep -v grep
  2⤵
  PID:4147
- /usr/bin/grep
  grep -- "-bash[[:space:]]*\$"
  2⤵
  PID:4148
- /usr/bin/awk
  awk "{if(\$3>30.0) print \$2}"
  2⤵
  PID:4149
- /usr/bin/wc
  wc -l
  2⤵
  PID:4150

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Cron

T1053.003

Persistence

Scheduled Task/Job

T1053

Cron

T1053.003

Privilege Escalation

Scheduled Task/Job

T1053

Cron

T1053.003

Defense Evasion

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/.cron

Filesize
29B

MD5
7a5b5de82a9f106db54bb9870efe364e

SHA1
e08e128126b6fd8002cd6684ff77a69a9a270bde

SHA256
c7bdab00ca2e83d98793965c13391d91b624c2e5fa354c887bcba7011a20ceb8

SHA512
975711ff2842bf38970cb0f9d7b4d087603af8121f8357131cc5d9ce6112d39b638aa6fcdb7dd89662d75b3619729503d1745da2ef029433f967791766ec7b49

Download Submit
/var/spool/cron/crontabs/tmp.yYMLdr

Filesize
213B

MD5
e4a77d24702293b5cfd4a2eec0e82379

SHA1
15765e60b028c7447ebe6c104c9733a2a2f39ffc

SHA256
f6cc71f19fa00b939af5cfabd3fc9a048f02b16794e128aa1cb7968c3f97df80

SHA512
39314a1a7316127fa7657d26c20985f9bd4e3a62af20c22d6d6f634d0a734676494ac00492296b6eeccba0d59ad4e75ee297832706faec4526674b18d0cec719

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads