49290f83b42d99c5314f8bf07479509cc69fbf20586c1e5826fc739e6ad0889a

Analysis

max time kernel
3s
max time network
6s
platform
debian-9_armhf
resource
debian9-armhf-20240729-en
resource tags

arch:armhfimage:debian9-armhf-20240729-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
19/03/2025, 06:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

pasuspende
Size

168B
MD5

2c2b5f7b2f1aa69edf0a10517d84a7c8
SHA1

6952156c2a3d7fde285376da514ea36c040c567b
SHA256

293d484c0785dd3d3ecc3c339a8826267a788632960380ec6b0ddd4dbb914c89
SHA512

510cf90071b39862c741b05730bdfede694e181197a567cce52724409d9ef8543ce68fb1df8c3d01c6188089276b049ebf4ff64a4cc94ea3695c19183cb27e13

Score

6^/10

defense_evasion discovery privilege_escalation

Malware Config

Signatures

Abuse Elevation Control Mechanism: Sudo and Sudo Caching 1 TTPs 1 IoCs

Abuse sudo or cached sudo credentials to execute code.

privilege_escalation defense_evasion

Sudo and Sudo Caching

T1548.003

pid	Process
676	sudo

Enumerates running processes
Discovers information about currently running processes on the system

Reads CPU attributes 1 TTPs 5 IoCs

discovery

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	exim4
File opened for reading	/sys/devices/system/cpu/online	exim4

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/filesystems	pkill
File opened for reading	/proc/7/cmdline	pkill
File opened for reading	/proc/287/status	pkill
File opened for reading	/proc/24/cmdline	pgrep
File opened for reading	/proc/42/cmdline	pgrep
File opened for reading	/proc/614/cmdline	pgrep
File opened for reading	/proc/6/cmdline	pgrep
File opened for reading	/proc/22/status	pgrep
File opened for reading	/proc/14/status	pgrep
File opened for reading	/proc/15/cmdline	pgrep
File opened for reading	/proc/18/cmdline	pgrep
File opened for reading	/proc/7/cmdline	pgrep
File opened for reading	/proc/13/cmdline	pgrep
File opened for reading	/proc/28/status	pgrep
File opened for reading	/proc/80/status	pgrep
File opened for reading	/proc/150/status	pgrep
File opened for reading	/proc/25/cmdline	pkill
File opened for reading	/proc/self/stat	sudo
File opened for reading	/proc/10/cmdline	pkill
File opened for reading	/proc/16/status	pgrep
File opened for reading	/proc/275/cmdline	pgrep
File opened for reading	/proc/679/cmdline	pgrep
File opened for reading	/proc/12/cmdline	pgrep
File opened for reading	/proc/697/cmdline	pgrep
File opened for reading	/proc/sys/kernel/ngroups_max	sudo
File opened for reading	/proc/29/status	pkill
File opened for reading	/proc/669/status	pkill
File opened for reading	/proc/688/status	pkill
File opened for reading	/proc/2/cmdline	pgrep
File opened for reading	/proc/11/cmdline	pgrep
File opened for reading	/proc/316/status	pgrep
File opened for reading	/proc/612/cmdline	pgrep
File opened for reading	/proc/18/status	pkill
File opened for reading	/proc/28/status	pkill
File opened for reading	/proc/173/status	pkill
File opened for reading	/proc/sys/kernel/ngroups_max	sendmail
File opened for reading	/proc/12/cmdline	pgrep
File opened for reading	/proc/113/cmdline	pgrep
File opened for reading	/proc/141/cmdline	pgrep
File opened for reading	/proc/652/status	pgrep
File opened for reading	/proc/5/status	pkill
File opened for reading	/proc/15/status	pkill
File opened for reading	/proc/612/cmdline	pkill
File opened for reading	/proc/685/cmdline	pkill
File opened for reading	/proc/691/cmdline	pkill
File opened for reading	/proc/22/cmdline	pgrep
File opened for reading	/proc/41/status	pgrep
File opened for reading	/proc/653/cmdline	pgrep
File opened for reading	/proc/23/cmdline	pkill
File opened for reading	/proc/18/status	pgrep
File opened for reading	/proc/672/cmdline	pgrep
File opened for reading	/proc/689/status	pgrep
File opened for reading	/proc/110/status	pgrep
File opened for reading	/proc/670/cmdline	pgrep
File opened for reading	/proc/679/status	pgrep
File opened for reading	/proc/696/cmdline	pgrep
File opened for reading	/proc/18/cmdline	pkill
File opened for reading	/proc/110/cmdline	pkill
File opened for reading	/proc/25/status	pgrep
File opened for reading	/proc/27/cmdline	pgrep
File opened for reading	/proc/25/cmdline	pgrep
File opened for reading	/proc/26/status	pgrep
File opened for reading	/proc/611/status	pgrep
File opened for reading	/proc/8/cmdline	pkill

/tmp/pasuspende
/tmp/pasuspende
1⤵
PID:672
- /usr/bin/sudo
  sudo pkill -9 watchdog
  2⤵
  - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
  - Reads runtime system information
  PID:676
- - /usr/sbin/sendmail
    sendmail -t
    3⤵
    - Reads runtime system information
    PID:686
- - /usr/sbin/sendmail
    sendmail -t
    3⤵
    PID:689
  - - /usr/sbin/exim4
      /usr/sbin/exim4 -Mc 1tulnE-0000B7-RV
      4⤵
      Reads CPU attributes
      PID:699
- - /usr/bin/pkill
    pkill -9 watchdog
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:691
- /bin/watchdog
  /bin/watchdog
  2⤵
  PID:693
- /usr/bin/pgrep
  pgrep -x top
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:694
- /usr/bin/pgrep
  pgrep htop
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:697

/usr/sbin/exim4
/usr/sbin/exim4 -Mc 1tulnF-0000B4-9W
1⤵
- Reads CPU attributes
PID:701

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Sudo and Sudo Caching

T1548.003

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Sudo and Sudo Caching

T1548.003

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/var/mail/user

Filesize
839B

MD5
87509b3941d29b8f7f31eb3311579f4d

SHA1
7bd80be319f5b98ee285eb6324e1e26e12ed0a8e

SHA256
dcfc6e3b39f587c346131a0b8076dec9ffb8a6e41029415d5f6fe4b514e49689

SHA512
31a92a27ec833bb496d8f1b786aa55fce666155f712901ef60ff0332d35fc1b3da144d8d66ad9134b59d844f0f173c026f6d318489a9b4efe18d4d3ad6b5ddea

Download Submit
/var/mail/user

Filesize
1KB

MD5
49357b168e33a048538900205697c40a

SHA1
c2d7d46a696e25e2b06cced13732bfb8ab154266

SHA256
4f98be5f8cb662ebb703c78b764856d66bb59227d3ee2d0d2e4ab1813dffb8a4

SHA512
62af3935e738624ce79792abfda7c1c34c32935eb411f6a601101033c2fa579b9bc56385dcc56ded3f28d0133871393baebf18ac6e59ad547f3445a89d6797f6

Download Submit
/var/spool/exim4/input/1tulnE-0000B7-RV-D

Filesize
145B

MD5
d8f25d89f5690c76cd07666c1120633c

SHA1
23c290d530227512d23eeb89b07bdeec8194c9fb

SHA256
51bdd99982f93ef2fdc4d1ee9900e466b31cda3e8f399d82a7e7959e491597b6

SHA512
058548491922d8b955eef10c6e72e05d3cfa39f72a57f3d5115f0fc495b298e774e893228158849f270b685dc2d02c90c1026c5543edf9868d944b03061196e1

Download Submit
/var/spool/exim4/input/1tulnE-0000B7-RV-J

Filesize
34B

MD5
d7d96d63d643a4ce3e408eba7dfcedc5

SHA1
c53607f95c5c57beafc1d8266646797a035f76ea

SHA256
21db3a59b2d0ce18fb250b787d6e2c85d12919f5fdf1448c8f48207c4083b159

SHA512
703a03e54776a6ad9b8adc6c475bbc91c06502618fa3b6f495b1a01a4f6f7aa6fb65dc6ba6885ddc6af961627062f1ce1e1d66688288cbd3bef7754d249fa9b3

Download Submit
/var/spool/exim4/input/1tulnF-0000B4-9W-D

Filesize
126B

MD5
95031c51e9e34926b373e959e46b28e8

SHA1
b3f6d1621b357722a3d7c1f8e68f2de1cb06bbf5

SHA256
b385b281be8deac264c9392058cbd5dab02fb68c465787986e93d9366ee85990

SHA512
0205b1fc0c6408d4675028ec3d1a05bd46c62bec09576fe11e7c405a5c26d6d00265a711b544b9ee14f32fe1ab2a88dfe179e4dea7d84a7f100949299c63785f

Download Submit
/var/spool/exim4/input/hdr.686

Filesize
912B

MD5
dba52f03f182b8f1e0debb4da382f786

SHA1
1be64e6ec8e64e977a979b0a00e55df6ef7cdbf6

SHA256
03fd5ffa328700daa5fc9fec2dff335551ee24a1f8d91eac4e0c55a64384f9aa

SHA512
37b1cf1c272968e71592b89d625500f61d7e8d86684acd6b4fcffc51b59def611065b072258d8d53f516912b764d98be29b404b7ca83ae45a97de90e90365c3f

Download Submit
/var/spool/exim4/input/hdr.689

Filesize
912B

MD5
a84f78c8c5518d78213b682701c20663

SHA1
f4d369c13448eedaebcff58ff9ae02164239bbbd

SHA256
bb1797c2e9b4950dfbc0278aa44a357c401885e8cd33e42de81f3bd215f6a19f

SHA512
387cfa38928102564f66ba09ae93a02a6d1389c36f5832e0963fd1942e6ece2e59ed98029e7e6d80f5605b2cacf68e5254bc1cf7078e4e3396eb57726fc71c8e

Download Submit
/var/spool/exim4/msglog/1tulnE-0000B7-RV

Filesize
288B

MD5
7623bf9f5487f6760e2e6bd2bd8bae1c

SHA1
710e1f3670bf2b974fba17a77f5e7e7aa019a5b3

SHA256
d1d6c1a40fcf9858418c6f892b8690e15cc92b1d6335ea5f86894ba834ae6ed3

SHA512
d1adc26a4b627ee4040eb0db621f3b48a5131886499872f534af669a24120f1e9a8464a47714772f83939b608877213af84f388a13adb0b4d3fbc161ca4a6f3f

Download Submit
/var/spool/exim4/msglog/1tulnE-0000B7-RV

Filesize
89B

MD5
d23c1c97114316a1195808176c1756ab

SHA1
04d1143067c78e419ce5bf346d16d23782f6b15e

SHA256
abe84fc0ea23c485370cfd29c3bd1f39dd1a05a81ede4a598d1ef961322e922e

SHA512
3eb5262d54439c3ccf136a4c5fb89784c95e4d6381899379e45167104c6b02fa8fafa5e9318ad06bb16fbdb2c12c7fc9ea9a0eb57f1bd6dcfb4060cfea1b6cdf

Download Submit
/var/spool/exim4/msglog/1tulnF-0000B4-9W

Filesize
288B

MD5
4a3b90b6de633ff462b4defe2929ff28

SHA1
e51081907f5d147637547582add81a59433ce2bc

SHA256
63fdd8be3310f3e5f3a362725650fe8e4101be7a2df69564d102365a81a4b3a1

SHA512
e518e5683c6642d972f25bee6dc4286bf3ba12a9c2b73532e784cff7fa955167ec0f417ce2f38658ef30ec8de4941896d44fe6b3ffd1cff4ae4d182634dea1e5

Download Submit
/var/spool/exim4/msglog/1tulnF-0000B4-9W

Filesize
89B

MD5
efa245245d55a744d39991231b3e84d4

SHA1
a8c096b240fcdf292b85d4d6dc0514f3dda28606

SHA256
dc60f0b4fe26eb1f29a9b09ee44927db54f3e790556a69d19903dbc9663aa3ed

SHA512
1bcfb255c8eae4b683449e804be811e8570071f728daf628c75693ba723f0726dfca2d64d5733adafa260b07e8cf3b03254276e6c2aec31cde3f88a41a220fd7

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads