Overview (overall score: 10)

Task list (sample, platform, score):

Static        -                     10
a46aab76      ubuntu-22.04-amd64    4
chme          ubuntu-22.04-amd64    4
isots         ubuntu-24.04-amd64    6
mctes         ubuntu-18.04-amd64    1
mswc          ubuntu-24.04-amd64    1
netstat.gz    windows7-x64          1
netstat.gz    windows10-2004-x64    1
blue_helper   ubuntu-20.04-amd64    10
kerndiacet    ubuntu-24.04-amd64    10
systemctl     ubuntu-24.04-amd64    3
uptime        ubuntu-22.04-amd64    3
w             ubuntu-22.04-amd64    3
node1         ubuntu-22.04-amd64    1
pasuspende    ubuntu-18.04-amd64    6
pasuspende    debian-9-armhf        6
pasuspende    debian-9-mips         6
pasuspende    debian-9-mipsel       6
systemctl     ubuntu-18.04-amd64    1
uptime        ubuntu-24.04-amd64    3
w             ubuntu-24.04-amd64    3
Analysis

max time kernel: 0s
max time network: 132s
platform: ubuntu-18.04_amd64
resource: ubuntu1804-amd64-20240508-en
resource tags: arch:amd64, arch:i386, image:ubuntu1804-amd64-20240508-en, kernel:4.15.0-213-generic, locale:en-us, os:ubuntu-18.04-amd64, system
submitted: 19/03/2025, 06:15
Behavioral tasks (task, sample, resource):

behavioral1    a46aab76      ubuntu2204-amd64-20250307-en
behavioral2    chme          ubuntu2204-amd64-20250307-en
behavioral3    isots         ubuntu2404-amd64-20250307-en
behavioral4    mctes         ubuntu1804-amd64-20240729-en
behavioral5    mswc          ubuntu2404-amd64-20250307-en
behavioral6    netstat.gz    win7-20240903-en
behavioral7    netstat.gz    win10v2004-20250314-en
behavioral8    blue_helper   ubuntu2004-amd64-20241127-en
behavioral9    kerndiacet    ubuntu2404-amd64-20250307-en
behavioral10   systemctl     ubuntu2404-amd64-20250307-en
behavioral11   uptime        ubuntu2204-amd64-20250307-en
behavioral12   w             ubuntu2204-amd64-20250307-en
behavioral13   node1         ubuntu2204-amd64-20250307-en
behavioral14   pasuspende    ubuntu1804-amd64-20240508-en
behavioral15   pasuspende    debian9-armhf-20240729-en
behavioral16   pasuspende    debian9-mipsbe-20240611-en
behavioral17   pasuspende    debian9-mipsel-20240226-en
behavioral18   systemctl     ubuntu1804-amd64-20240611-en
behavioral19   uptime        ubuntu2404-amd64-20250307-en
behavioral20   w             ubuntu2404-amd64-20250307-en
General

Target: pasuspende
Size: 168B
MD5: 2c2b5f7b2f1aa69edf0a10517d84a7c8
SHA1: 6952156c2a3d7fde285376da514ea36c040c567b
SHA256: 293d484c0785dd3d3ecc3c339a8826267a788632960380ec6b0ddd4dbb914c89
SHA512: 510cf90071b39862c741b05730bdfede694e181197a567cce52724409d9ef8543ce68fb1df8c3d01c6188089276b049ebf4ff64a4cc94ea3695c19183cb27e13
Malware Config
Signatures

Abuse Elevation Control Mechanism: Sudo and Sudo Caching (1 TTPs, 1 IoCs)
  Abuse sudo or cached sudo credentials to execute code.
  pid    process
  1522   sudo

Enumerates running processes
  Discovers information about currently running processes on the system.

Reads CPU attributes (1 TTPs, 3 IoCs)
  description                ioc                              process
  File opened for reading    /sys/devices/system/cpu/online   pkill
  File opened for reading    /sys/devices/system/cpu/online   pgrep
  File opened for reading    /sys/devices/system/cpu/online   pgrep

Reads runtime system information
  description                ioc                   process
  File opened for reading    /proc/1115/cmdline    pgrep
  File opened for reading    /proc/174/status      pkill
  File opened for reading    /proc/25/cmdline      pgrep
  File opened for reading    /proc/81/cmdline      pgrep
  File opened for reading    /proc/17/cmdline      pkill
  File opened for reading    /proc/170/status      pgrep
  File opened for reading    /proc/35/status       pgrep
  File opened for reading    /proc/658/status      pgrep
  File opened for reading    /proc/1128/status     pgrep
  File opened for reading    /proc/182/cmdline     pgrep
  File opened for reading    /proc/1194/status     pgrep
  File opened for reading    /proc/1302/status     pgrep
  File opened for reading    /proc/3/status        pgrep
  File opened for reading    /proc/176/status      pgrep
  File opened for reading    /proc/1081/cmdline    pgrep
  File opened for reading    /proc/1189/cmdline    pgrep
  File opened for reading    /proc/659/cmdline     pgrep
  File opened for reading    /proc/700/cmdline     pkill
  File opened for reading    /proc/1124/status     pkill
  File opened for reading    /proc/1194/cmdline    pkill
  File opened for reading    /proc/25/status       pgrep
  File opened for reading    /proc/187/cmdline     pgrep
  File opened for reading    /proc/1519/cmdline    pgrep
  File opened for reading    /proc/22/cmdline      pkill
  File opened for reading    /proc/30/status       pkill
  File opened for reading    /proc/34/cmdline      pkill
  File opened for reading    /proc/1074/status     pkill
  File opened for reading    /proc/168/cmdline     pgrep
  File opened for reading    /proc/5/status        pkill
  File opened for reading    /proc/28/status       pkill
  File opened for reading    /proc/175/status      pgrep
  File opened for reading    /proc/333/cmdline     pgrep
  File opened for reading    /proc/278/status      pgrep
  File opened for reading    /proc/7/status        pkill
  File opened for reading    /proc/213/status      pkill
  File opened for reading    /proc/973/status      pgrep
  File opened for reading    /proc/1168/cmdline    pgrep
  File opened for reading    /proc/459/status      pkill
  File opened for reading    /proc/1302/cmdline    pkill
  File opened for reading    /proc/11/cmdline      pgrep
  File opened for reading    /proc/14/status       pgrep
  File opened for reading    /proc/562/status      pgrep
  File opened for reading    /proc/1270/status     pgrep
  File opened for reading    /proc/1158/status     pkill
  File opened for reading    /proc/18/cmdline      pgrep
  File opened for reading    /proc/1071/status     pgrep
  File opened for reading    /proc/184/cmdline     pkill
  File opened for reading    /proc/1187/cmdline    pkill
  File opened for reading    /proc/29/status       pgrep
  File opened for reading    /proc/715/cmdline     pgrep
  File opened for reading    /proc/958/cmdline     pkill
  File opened for reading    /proc/1332/cmdline    pkill
  File opened for reading    /proc/693/status      pgrep
  File opened for reading    /proc/969/cmdline     pgrep
  File opened for reading    /proc/1177/cmdline    pgrep
  File opened for reading    /proc/177/status      pkill
  File opened for reading    /proc/1321/status     pkill
  File opened for reading    /proc/36/status       pgrep
  File opened for reading    /proc/89/cmdline      pgrep
  File opened for reading    /proc/563/cmdline     pgrep
  File opened for reading    /proc/22/cmdline      pgrep
  File opened for reading    /proc/85/cmdline      pgrep
  File opened for reading    /proc/1278/cmdline    pkill
  File opened for reading    /proc/1187/cmdline    pgrep
Processes (process tree; indentation shows parent/child depth)

/tmp/pasuspende  (command line: /tmp/pasuspende)  PID: 1521
  /usr/bin/sudo  (command line: sudo pkill -9 watchdog)  PID: 1522
    signatures: Abuse Elevation Control Mechanism: Sudo and Sudo Caching
    /usr/bin/pkill  (command line: pkill -9 watchdog)  PID: 1523
      signatures: Reads CPU attributes; Reads runtime system information
  /bin/watchdog  (command line: /bin/watchdog)  PID: 1524
  /usr/bin/pgrep  (command line: pgrep -x top)  PID: 1525
    signatures: Reads CPU attributes; Reads runtime system information
  /usr/bin/pgrep  (command line: pgrep htop)  PID: 1526
    signatures: Reads CPU attributes; Reads runtime system information