49290f83b42d99c5314f8bf07479509cc69fbf20586c1e5826fc739e6ad0889a

Analysis

max time kernel
14s
max time network
19s
platform
debian-9_mips
resource
debian9-mipsbe-20240611-en
resource tags

arch:mipsimage:debian9-mipsbe-20240611-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem
submitted
19/03/2025, 06:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

pasuspende
Size

168B
MD5

2c2b5f7b2f1aa69edf0a10517d84a7c8
SHA1

6952156c2a3d7fde285376da514ea36c040c567b
SHA256

293d484c0785dd3d3ecc3c339a8826267a788632960380ec6b0ddd4dbb914c89
SHA512

510cf90071b39862c741b05730bdfede694e181197a567cce52724409d9ef8543ce68fb1df8c3d01c6188089276b049ebf4ff64a4cc94ea3695c19183cb27e13

Score

6^/10

defense_evasion discovery privilege_escalation

Malware Config

Signatures

Abuse Elevation Control Mechanism: Sudo and Sudo Caching 1 TTPs 1 IoCs

Abuse sudo or cached sudo credentials to execute code.

privilege_escalation defense_evasion

Sudo and Sudo Caching

T1548.003

pid	Process
709	sudo

Enumerates running processes
Discovers information about currently running processes on the system

Reads CPU attributes 1 TTPs 5 IoCs

discovery

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	exim4
File opened for reading	/sys/devices/system/cpu/online	exim4

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/656/cmdline	pkill
File opened for reading	/proc/36/cmdline	pgrep
File opened for reading	/proc/81/cmdline	pgrep
File opened for reading	/proc/340/status	pgrep
File opened for reading	/proc/714/cmdline	pgrep
File opened for reading	/proc/15/status	pgrep
File opened for reading	/proc/712/cmdline	pkill
File opened for reading	/proc/12/cmdline	pgrep
File opened for reading	/proc/83/status	pgrep
File opened for reading	/proc/116/cmdline	pgrep
File opened for reading	/proc/72/status	pgrep
File opened for reading	/proc/115/cmdline	pkill
File opened for reading	/proc/21/status	pgrep
File opened for reading	/proc/37/status	pkill
File opened for reading	/proc/116/cmdline	pkill
File opened for reading	/proc/150/cmdline	pkill
File opened for reading	/proc/717/cmdline	pgrep
File opened for reading	/proc/22/status	pgrep
File opened for reading	/proc/12/cmdline	pkill
File opened for reading	/proc/663/status	pgrep
File opened for reading	/proc/5/cmdline	pkill
File opened for reading	/proc/20/cmdline	pkill
File opened for reading	/proc/679/cmdline	pkill
File opened for reading	/proc/2/status	pgrep
File opened for reading	/proc/10/status	pgrep
File opened for reading	/proc/5/status	pgrep
File opened for reading	/proc/7/cmdline	pgrep
File opened for reading	/proc/76/status	pgrep
File opened for reading	/proc/331/status	pkill
File opened for reading	/proc/115/status	pgrep
File opened for reading	/proc/330/cmdline	pgrep
File opened for reading	/proc/2/cmdline	pgrep
File opened for reading	/proc/697/status	pgrep
File opened for reading	/proc/2/status	pkill
File opened for reading	/proc/9/cmdline	pkill
File opened for reading	/proc/14/cmdline	pkill
File opened for reading	/proc/697/cmdline	pkill
File opened for reading	/proc/12/cmdline	pgrep
File opened for reading	/proc/13/status	pgrep
File opened for reading	/proc/filesystems	sudo
File opened for reading	/proc/69/status	pgrep
File opened for reading	/proc/331/status	pgrep
File opened for reading	/proc/334/status	pkill
File opened for reading	/proc/filesystems	pgrep
File opened for reading	/proc/12/status	pgrep
File opened for reading	/proc/20/status	pgrep
File opened for reading	/proc/24/status	pkill
File opened for reading	/proc/24/cmdline	pgrep
File opened for reading	/proc/75/status	pgrep
File opened for reading	/proc/334/status	pgrep
File opened for reading	/proc/380/cmdline	pgrep
File opened for reading	/proc/703/cmdline	pgrep
File opened for reading	/proc/81/status	pkill
File opened for reading	/proc/328/status	pgrep
File opened for reading	/proc/72/status	pkill
File opened for reading	/proc/74/cmdline	pkill
File opened for reading	/proc/13/cmdline	pgrep
File opened for reading	/proc/76/cmdline	pgrep
File opened for reading	/proc/340/cmdline	pgrep
File opened for reading	/proc/71/cmdline	pgrep
File opened for reading	/proc/79/cmdline	pkill
File opened for reading	/proc/701/status	pkill
File opened for reading	/proc/73/status	pgrep
File opened for reading	/proc/663/status	pkill

/tmp/pasuspende
/tmp/pasuspende
1⤵
PID:703
- /usr/bin/sudo
  sudo pkill -9 watchdog
  2⤵
  - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
  - Reads runtime system information
  PID:709
- - /usr/sbin/sendmail
    sendmail -t
    3⤵
    PID:715
  - - /usr/sbin/exim4
      /usr/sbin/exim4 -Mc 1tulnN-0000BX-EQ
      4⤵
      Reads CPU attributes
      PID:772
- - /usr/sbin/sendmail
    sendmail -t
    3⤵
    PID:718
  - - /usr/sbin/exim4
      /usr/sbin/exim4 -Mc 1tulnI-0000Ba-Be
      4⤵
      Reads CPU attributes
      PID:737
- - /usr/bin/pkill
    pkill -9 watchdog
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:720
- /bin/watchdog
  /bin/watchdog
  2⤵
  PID:721
- /usr/bin/pgrep
  pgrep -x top
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:722
- /usr/bin/pgrep
  pgrep htop
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:723

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Sudo and Sudo Caching

T1548.003

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Sudo and Sudo Caching

T1548.003

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/var/mail/user

Filesize
1KB

MD5
a273a326bd32986d062ac0bf95c6de77

SHA1
e60527a76c3127931d258bc078991e33339a3790

SHA256
5d3ad725c309daa9cfa75bd85099f0e3aa35dff3fba56300d74619b707238e95

SHA512
8299741e5d5f98901ac86c5e233707fbb3131b7fe275af3c86483eac25eedc732d596858a67ff5ff080910028ec274bf6062225939de70d2c4322ca683f880bd

Download Submit
/var/mail/user

Filesize
843B

MD5
754d3c76da39091c7350c9dc7c7004a9

SHA1
a0cf8e5ca4386924fefa2498b7eeac728644a60c

SHA256
f820585ac18b77c442a18f301951de6025624b5691f04e8405cc0292e54545cb

SHA512
f90a558a059394d065aef659ee00778a4b9b2810193eda54bcb0852f3244127ab826045eea1d72e961004a5c82c94b3f4176292c73abb6dc75ca6c6cab32802b

Download Submit
/var/spool/exim4/input/1tulnI-0000Ba-Be-D

Filesize
146B

MD5
4ba4b12ecb40b4735d8f0b182a5adee7

SHA1
5fc9b5aca68229cb929f0d911589ccea0b2878e3

SHA256
4a22b0e3f9d2392816e6e4d7f1c429617ab0c06146b791855850c07ce17e0ad3

SHA512
e4b8bdd38ffa30223fb1e7842beca78ff259b30c668219f8db57f506bca6342414fe194140506f85f05fa4ae99449092b0b7ee67711577bc8ee1e234694458b2

Download Submit
/var/spool/exim4/input/1tulnI-0000Ba-Be-J

Filesize
34B

MD5
d7d96d63d643a4ce3e408eba7dfcedc5

SHA1
c53607f95c5c57beafc1d8266646797a035f76ea

SHA256
21db3a59b2d0ce18fb250b787d6e2c85d12919f5fdf1448c8f48207c4083b159

SHA512
703a03e54776a6ad9b8adc6c475bbc91c06502618fa3b6f495b1a01a4f6f7aa6fb65dc6ba6885ddc6af961627062f1ce1e1d66688288cbd3bef7754d249fa9b3

Download Submit
/var/spool/exim4/input/1tulnN-0000BX-EQ-D

Filesize
128B

MD5
abea5c7c37ad43bab4a7881144a343d6

SHA1
db11b5c0800fd61d530c098728cd1aab88e972b9

SHA256
9e922d23a538c7b31ed66cc121d04c824d70e875c9aa6522557193c18ef8bd0e

SHA512
b2af46601781854be8eac221d69d77b854779d10f25cbb8e10612d9d736c71af7dfc3cc6fb8a530a552a19a50387e4721c904ae3db5d5c1cccda1c3603478948

Download Submit
/var/spool/exim4/input/hdr.715

Filesize
915B

MD5
ee228eed658b9232530809481f257c30

SHA1
96c5f067f36bad207069ffc7b9ac054ea177775c

SHA256
329e95a39791c4f20cd97779138d1ef6413616533c6a11c26e379a1eab8aaca2

SHA512
706df611907a38c76ba2f574ca87cb69eb5fc054549dd02599df7c3ac07decf928b095fa124eead90a36502dff762a9d3139da38fd8811d5e22de39892972c30

Download Submit
/var/spool/exim4/input/hdr.718

Filesize
915B

MD5
08d43c2341710e5ad642c95d7804e122

SHA1
c1f4f470ee3bcee7ec692c07f9f9e28d72d960b7

SHA256
81d3cf9fbd1292086fc273f0a1cb9ed2be4eb6f5530a2086b3c0ca32490a49b3

SHA512
9ac9dfd3328de21a1c4b2ae22a0cb81d549c307bd4c460bcb48b3b63d6b008adb6825ced8cc23e5face371062e01959ba900b4ddb6d0eee3bfdf889f52534caf

Download Submit
/var/spool/exim4/msglog/1tulnI-0000Ba-Be

Filesize
89B

MD5
a16dab8725b420602b6f1bdc7ee7b78f

SHA1
46523d07be5ddb51c117cf964109a2484696eb18

SHA256
a9e42e69cc126e4da65972a4da0e9035243c18b5281a33e7bce023029a031123

SHA512
660e55d367cdf946582c72893438468442714d7cef341354aaaf1f39d00a7bc1395c50fbeb46cf74dab9b85a240b27c7ff4f609a551212c9aae2020b9a2a0faa

Download Submit
/var/spool/exim4/msglog/1tulnI-0000Ba-Be

Filesize
288B

MD5
47b5c3591db21b0ce542a44165303f46

SHA1
4705f1af344a91c6b8f1b7ddc13041979a7f5de3

SHA256
7a1d40885660f9a634f462216de550f82a6ffdbf476cf4a6ac18efa2de854a31

SHA512
935f516807bd52327bd3ef1e52de5121a56d0ce28c38bc436f8153df354d14f46728df2f85330ff51c8ceebd1ca0e8c723ce29310134da3e08c65764c95547cc

Download Submit
/var/spool/exim4/msglog/1tulnN-0000BX-EQ

Filesize
89B

MD5
af5ad11e63143ae3b4f7fc1f1424099c

SHA1
754c520deaa7cabe7b64118197d1dab0cb37c3a7

SHA256
3322414696dd9e345ca2ffa4f4605064f9d9b3a2b21e63edf01d7c8ee39bc227

SHA512
ef6107c8222e9ffcbdb66b0d10ecdaccd1569795614080dc5d93a3390b2c4b323d95b5327a146f4bbb422b8ad29a947481ca2b36571ea138af88110f4139485e

Download Submit
/var/spool/exim4/msglog/1tulnN-0000BX-EQ

Filesize
288B

MD5
35f61da06dc7ae3d2c57ae26d810e625

SHA1
d3ecca7c414eeea3d9352dbf75339c341124de96

SHA256
2c956ddce5d3ecd7c17540f91bd4beb7329b13b9d803d418e95374bd84772dd0

SHA512
e9ba925ef5009e552ae3a3f0826f3fa7d0bb35e7b7703ff191cc90780c635a66c54bd0add3e32e913961d6055adee223df13f2fe73f6e6d3e8fadeab04d072e8

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads