ec1213394717932b0062136ce96d42092e9120da1e32cce7ff355de67c7b6988

Analysis

max time kernel
12s
max time network
16s
platform
debian-9_armhf
resource
debian9-armhf-20240611-en
resource tags

arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
24/02/2025, 03:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ec1213394717932b0062136ce96d42092e9120da1e32cce7ff355de67c7b6988.sh
Size

27KB
MD5

e1753baa1b118dc24f6dc0ba82fdafc0
SHA1

3906dedc8d5623bf5ab739ee156a881d011630b2
SHA256

ec1213394717932b0062136ce96d42092e9120da1e32cce7ff355de67c7b6988
SHA512

cd8208faf30c801fb4b41114d566eeba58629dd5658d0e82883b875fa4bd24a00ec813fd2e05c39afa158cd0bfae40e17bbfc810e649fbf873037badde8d25ce
SSDEEP

384:p7pQBDf6jlpTWg3vMGQiKMvU/4Qdre21jT58vKpG2Y0orcfKLUv0KZnNEVdeUoJ5:p7wVFNcDAFLcIwgnoYq0xFB/aps

Score

7^/10

defense_evasion discovery privilege_escalation

Malware Config

Signatures

Deletes system logs 1 TTPs 1 IoCs

Deletes log file which contains global system messages. Adversaries may delete system logs to minimize their footprint.

defense_evasion

Clear Linux or Mac System Logs

T1070.002

description	ioc	Process
File deleted	/var/log/syslog	rm

Flushes firewall rules 1 TTPs 1 IoCs

Flushes/ disables firewall rules inside the Linux kernel.

defense_evasion

Disable or Modify System Firewall

T1562.004

pid	Process
660	iptables

Abuse Elevation Control Mechanism: Sudo and Sudo Caching 1 TTPs 1 IoCs

Abuse sudo or cached sudo credentials to execute code.

privilege_escalation defense_evasion

Sudo and Sudo Caching

T1548.003

pid	Process
666	sudo

Attempts to change immutable files 24 IoCs

Modifies inode attributes on the filesystem to allow changing of immutable files.

pid	Process
740	xargs
758	xargs
782	xargs
791	xargs
649	chattr
658	chattr
692	chattr
708	xargs
713	xargs
719	xargs
728	xargs
746	xargs
652	chattr
656	chattr
700	grep
752	xargs
764	xargs
770	xargs
776	xargs
688	chattr
798	xargs
805	xargs
697	grep
734	xargs

Enumerates running processes
Discovers information about currently running processes on the system

Reads CPU attributes 1 TTPs 5 IoCs

discovery

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	exim4
File opened for reading	/sys/devices/system/cpu/online	sysctl
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	exim4

Process Discovery 1 TTPs 2 IoCs

Adversaries may try to discover information about running processes.

discovery

Process Discovery

T1057

pid	Process
699	ps
696	ps

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/4/stat	ps
File opened for reading	/proc/18/cmdline	ps
File opened for reading	/proc/9/status	ps
File opened for reading	/proc/self/fd	sudo
File opened for reading	/proc/stat	ps
File opened for reading	/proc/145/status	ps
File opened for reading	/proc/326/stat	ps
File opened for reading	/proc/599/status	ps
File opened for reading	/proc/645/status	ps
File opened for reading	/proc/self/maps	awk
File opened for reading	/proc/676/status	ps
File opened for reading	/proc/meminfo	ps
File opened for reading	/proc/2/cmdline	ps
File opened for reading	/proc/9/cmdline	ps
File opened for reading	/proc/26/cmdline	ps
File opened for reading	/proc/300/stat	ps
File opened for reading	/proc/699/status	ps
File opened for reading	/proc/12/stat	ps
File opened for reading	/proc/166/stat	ps
File opened for reading	/proc/self/fd	xargs
File opened for reading	/proc/639/stat	ps
File opened for reading	/proc/23/status	ps
File opened for reading	/proc/5/status	ps
File opened for reading	/proc/42/stat	ps
File opened for reading	/proc/655/cmdline	ps
File opened for reading	/proc/42/stat	ps
File opened for reading	/proc/24/cmdline	ps
File opened for reading	/proc/703/stat	ps
File opened for reading	/proc/107/cmdline	ps
File opened for reading	/proc/691/stat	ps
File opened for reading	/proc/149/cmdline	ps
File opened for reading	/proc/108/stat	ps
File opened for reading	/proc/166/cmdline	ps
File opened for reading	/proc/655/cmdline	ps
File opened for reading	/proc/self/maps	awk
File opened for reading	/proc/5/stat	ps
File opened for reading	/proc/7/stat	ps
File opened for reading	/proc/8/status	ps
File opened for reading	/proc/1/cmdline	ps
File opened for reading	/proc/24/stat	ps
File opened for reading	/proc/639/status	ps
File opened for reading	/proc/646/stat	ps
File opened for reading	/proc/27/stat	ps
File opened for reading	/proc/107/status	ps
File opened for reading	/proc/20/status	ps
File opened for reading	/proc/699/cmdline	ps
File opened for reading	/proc/self/maps	awk
File opened for reading	/proc/self/fd	xargs
File opened for reading	/proc/697/cmdline	ps
File opened for reading	/proc/self/maps	awk
File opened for reading	/proc/12/cmdline	ps
File opened for reading	/proc/15/stat	ps
File opened for reading	/proc/4/status	ps
File opened for reading	/proc/147/cmdline	ps
File opened for reading	/proc/593/cmdline	ps
File opened for reading	/proc/self/fd	xargs
File opened for reading	/proc/145/cmdline	ps
File opened for reading	/proc/639/cmdline	ps
File opened for reading	/proc/19/stat	ps
File opened for reading	/proc/43/status	ps
File opened for reading	/proc/598/stat	ps
File opened for reading	/proc/676/cmdline	ps
File opened for reading	/proc/3/status	ps
File opened for reading	/proc/11/cmdline	ps

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/log_rot	ec1213394717932b0062136ce96d42092e9120da1e32cce7ff355de67c7b6988.sh

/tmp/ec1213394717932b0062136ce96d42092e9120da1e32cce7ff355de67c7b6988.sh
/tmp/ec1213394717932b0062136ce96d42092e9120da1e32cce7ff355de67c7b6988.sh
1⤵
- Writes file to tmp directory
PID:646
- /bin/rm
  rm -rf /var/log/syslog
  2⤵
  - Deletes system logs
  PID:647
- /usr/bin/chattr
  chattr -iua /tmp/
  2⤵
  - Attempts to change immutable files
  PID:649
- /usr/bin/chattr
  chattr -iua /var/tmp/
  2⤵
  - Attempts to change immutable files
  PID:652
- /usr/bin/chattr
  chattr -R -i /var/spool/cron
  2⤵
  - Attempts to change immutable files
  PID:656
- /usr/bin/chattr
  chattr -i /etc/crontab
  2⤵
  - Attempts to change immutable files
  PID:658
- /sbin/iptables
  iptables -F
  2⤵
  - Flushes firewall rules
  PID:660
- /usr/bin/sudo
  sudo sysctl "kernel.nmi_watchdog=0"
  2⤵
  - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
  - Reads runtime system information
  PID:666
- - /usr/sbin/sendmail
    sendmail -t
    3⤵
    PID:677
  - - /usr/sbin/exim4
      /usr/sbin/exim4 -Mc 1tmOYd-0000Av-J5
      4⤵
      Reads CPU attributes
      PID:703
- - /usr/sbin/sendmail
    sendmail -t
    3⤵
    PID:680
  - - /usr/sbin/exim4
      /usr/sbin/exim4 -Mc 1tmOYd-0000Ay-JF
      4⤵
      Reads CPU attributes
      PID:702
- - /sbin/sysctl
    sysctl "kernel.nmi_watchdog=0"
    3⤵
    - Reads CPU attributes
    PID:682
- /usr/sbin/userdel
  userdel akay
  2⤵
  PID:684
- /usr/sbin/userdel
  userdel vfinder
  2⤵
  PID:686
- /usr/bin/chattr
  chattr -iae /root/.ssh/
  2⤵
  - Attempts to change immutable files
  PID:688
- /usr/bin/chattr
  chattr -iae /root/.ssh/authorized_keys
  2⤵
  - Attempts to change immutable files
  PID:692
- /bin/rm
  rm -rf "/tmp/addres*"
  2⤵
  PID:693
- /bin/rm
  rm -rf "/tmp/walle*"
  2⤵
  PID:694
- /bin/rm
  rm -rf /tmp/keys
  2⤵
  PID:695
- /bin/grep
  grep -i "[a]liyun"
  2⤵
  - Attempts to change immutable files
  PID:697
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:696
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:699
- /bin/grep
  grep -i "[y]unjing"
  2⤵
  - Attempts to change immutable files
  PID:700
- /bin/grep
  grep 185.71.65.238
  2⤵
  PID:705
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:707
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:706
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:708
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:711
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:713
- /bin/grep
  grep 140.82.52.87
  2⤵
  PID:710
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:712
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:717
- /bin/grep
  grep :143
  2⤵
  PID:715
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:716
- /bin/grep
  grep -v -
  2⤵
  PID:718
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:719
- /bin/grep
  grep -v -
  2⤵
  PID:727
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:725
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:728
- /bin/grep
  grep :2222
  2⤵
  PID:724
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:726
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:731
- /bin/grep
  grep -v -
  2⤵
  PID:733
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:734
- /bin/grep
  grep :3333
  2⤵
  PID:730
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:732
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:738
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:740
- /bin/grep
  grep -v -
  2⤵
  PID:739
- /bin/grep
  grep :3389
  2⤵
  PID:736
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:737
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:743
- /bin/grep
  grep :4444
  2⤵
  PID:742
- /bin/grep
  grep -v -
  2⤵
  PID:745
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:744
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:746
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:749
- /bin/grep
  grep :5555
  2⤵
  PID:748
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:752
- /bin/grep
  grep -v -
  2⤵
  PID:751
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:750
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:755
- /bin/grep
  grep :6666
  2⤵
  PID:754
- /bin/grep
  grep -v -
  2⤵
  PID:757
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  - Reads runtime system information
  PID:758
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  - Reads runtime system information
  PID:756
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:761
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  - Reads runtime system information
  PID:764
- /bin/grep
  grep -v -
  2⤵
  PID:763
- /bin/grep
  grep :6665
  2⤵
  PID:760
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  - Reads runtime system information
  PID:762
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  - Reads runtime system information
  PID:767
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:768
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:770
- /bin/grep
  grep :6667
  2⤵
  PID:766
- /bin/grep
  grep -v -
  2⤵
  PID:769
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:774
- /bin/grep
  grep :7777
  2⤵
  PID:772
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:773
- /bin/grep
  grep -v -
  2⤵
  PID:775
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:776
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:779
- /bin/grep
  grep :8444
  2⤵
  PID:778
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:782
- /bin/grep
  grep -v -
  2⤵
  PID:781
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:780
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:788
- /bin/grep
  grep :3347
  2⤵
  PID:787
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  - Reads runtime system information
  PID:791
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:789
- /bin/grep
  grep -v -
  2⤵
  PID:790
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:795
- /bin/grep
  grep -v -
  2⤵
  PID:797
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  - Reads runtime system information
  PID:796
- /bin/grep
  grep :14444
  2⤵
  PID:794
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:798
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:802
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:805
- /bin/grep
  grep -v -
  2⤵
  PID:804
- /bin/grep
  grep :14433
  2⤵
  PID:801
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:803

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Sudo and Sudo Caching

T1548.003

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Sudo and Sudo Caching

T1548.003

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Indicator Removal

T1070

Clear Linux or Mac System Logs

T1070.002

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/log_rot

Filesize
5B

MD5
727479ef7cedf30c03459bec7d87b0f0

SHA1
2082e7f715f058acab2398d25d135cf5f4c0ce41

SHA256
29872037c9573567744ef10ed2de57864ded7554c9fa2ef03fc1244c65794ba6

SHA512
4cb59d37f8481f9bb2745f494baa0910a68aad40ac2903ef1513547e091e1e772a5f9436f789ab91fcafb75b8a28c2112ede89004be41f33c01d936b542ca6ba

Download Submit
/var/mail/user

Filesize
839B

MD5
4c1dd1f52747628272415f5960d604da

SHA1
335ff03c578f75f495389cdf76b9cb9ac2f39353

SHA256
dfa35afb631e7937f20640f4a645b1a73e57af96930f969f1140b8d0011da5df

SHA512
d9380674b8f93706fc6e7fc0fa1f9df53ce1f091267f0462c4fe47926ccc643d4a167bba4663add4e84c0e91c7ce47c61482feda5ec3b1384f04243cf0322dc6

Download Submit
/var/mail/user

Filesize
1KB

MD5
6aaad5487de93e80b4a4b3bb4e5cbec1

SHA1
93e353d073a2b93108d21135b9557a2140653060

SHA256
2c956b5a3dc67eba89d21ed90e25acc51e086203a5c81506123080bb8ef38c2e

SHA512
ced37174f72627672381602d9739393b8f28612a0b7d73ed89f432ce5b8e79c2b70cc5b24302a36cdf49da9939e28e270a2f36dcc71b8e38a6dfe64b9fe1d26d

Download Submit
/var/spool/exim4/input/1tmOYd-0000Av-J5-D

Filesize
126B

MD5
70da170787cd07ba467638f230f2b018

SHA1
2360c8d6ff3e1c1f5867e0e6ee09b93ef33977a6

SHA256
c6c978b3c2ec71e79d891f9047906f03a25528f50007f25473d0c33bf069c841

SHA512
70e1fd35f104d277292c7d115d13a894a828e527e9bd1d52b1012907499dbb428caa615fc1e544d39d338f9f67df2531c1188d71048d709981a4276934deacfb

Download Submit
/var/spool/exim4/input/1tmOYd-0000Ay-JF-D

Filesize
145B

MD5
274c51fdf5721a0ea63f9b2508bec032

SHA1
3794689efb3db00929f5ab604798620610e5eea8

SHA256
9bd0be66a13accf2c3d3c36c38a59f5c107060dc1527ef5e97c1e336149b2d16

SHA512
c69518327ed9c97385d6a03192cff0261f63824f9f98e48ed9acac7d1af3f5b5a5758cd90df5adcb1412bc7a3112923b972e6cc3293b9270ccdcc9f5a7b5ceb1

Download Submit
/var/spool/exim4/input/1tmOYd-0000Ay-JF-J

Filesize
34B

MD5
d7d96d63d643a4ce3e408eba7dfcedc5

SHA1
c53607f95c5c57beafc1d8266646797a035f76ea

SHA256
21db3a59b2d0ce18fb250b787d6e2c85d12919f5fdf1448c8f48207c4083b159

SHA512
703a03e54776a6ad9b8adc6c475bbc91c06502618fa3b6f495b1a01a4f6f7aa6fb65dc6ba6885ddc6af961627062f1ce1e1d66688288cbd3bef7754d249fa9b3

Download Submit
/var/spool/exim4/input/hdr.677

Filesize
912B

MD5
70ecdeef52de11732e5cf6a86a277c15

SHA1
800344d90e9e593c7bb28661e75a694f5a266108

SHA256
7ce4f572d4b881a67d71e4a92f78dba415b6732c52aa92cb90a5db280bd91b7e

SHA512
e67d4676ce951245f73017961f8f35bbb357bfbbb7c928d351de5a1b3337dc4e5de2c106a602ab7370791e9abc960b841c5192332403c7748a4d913517969ddf

Download Submit
/var/spool/exim4/msglog/1tmOYd-0000Av-J5

Filesize
288B

MD5
8a8d28170f5e784f31fcc8273b5ab123

SHA1
686a0de4e08c30240db90570d38f84b0982aa7e2

SHA256
46dbc5a44b674e036b5f4bb30d68ea2ce4cc3c1cd6a1f88111817cafd7d38f01

SHA512
20b9c09427ae51158bdc5298b40264b32fed897308d2ad6ff9916aa6b1cbaccbe091686c7ceb3e917908196054e84c0c8862c0805550461ae899d86d9c13ec34

Download Submit
/var/spool/exim4/msglog/1tmOYd-0000Av-J5

Filesize
89B

MD5
13b9d8e11029a1e0afc510fc0811da74

SHA1
6ebbe269651487f30e462c0fd8e33e740422f092

SHA256
822501d9d0ac9fda393cb1308b20fe17a7751f94bdf3fba45286ed9ee0a09487

SHA512
972f20d93cfcfb2d129ee97748379bef3fbc67fa067ffb9082c26ae930c29aa67e9d44c187fe4c4b08512e175a534261e445b8a7540fcb44e507fe88e0618753

Download Submit
/var/spool/exim4/msglog/1tmOYd-0000Ay-JF

Filesize
288B

MD5
ab21ffd24e0488fd47a7245de8291fec

SHA1
7dfa005534162e0a4cec4cb24c6da41400323b6d

SHA256
9ea5f8b59090fc424e2154b1a00dcd8757596122bcbda37d5bfd961ec594a54f

SHA512
2555e84790d7d209ad6c7abaed8f06a39e1523392b9197449c5e00812ca19f4a76a7642ba4117f672e93085abfbcc6ee0c21dfed1f48ab334664caa52c276def

Download Submit
/var/spool/exim4/msglog/1tmOYd-0000Ay-JF

Filesize
89B

MD5
dcb0ab40c4e86402023033bbe0d5ab51

SHA1
bbd1a920b99a1ed1db9c50131973482066205670

SHA256
b56d4b73d17de00826bc40b0cc925a45e3d6cd4f79e7390f3ca75c040f2d0a2c

SHA512
f58e3816d3def1134a98c99239ac23a8b38935258e011067ca331acc000b8857cec79527446fc2238be93ab66ba9337b3e314a998854e02b34d87d7791f4c57b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads