2cb1fa4742268fb0196613aee7a39a08a0707b3ef8853280d5060c44f3650d70

Resubmissions

25/03/2025, 12:33

250325-prj85swths 10

25/03/2025, 12:32

250325-pqvcqazkz3 10

07/02/2025, 09:45

250207-lrhtjaykek 10

Analysis

max time kernel
119s
max time network
69s
platform
ubuntu-22.04_amd64
resource
ubuntu2204-amd64-20250307-en
resource tags

arch:amd64arch:i386image:ubuntu2204-amd64-20250307-enkernel:5.15.0-105-genericlocale:en-usos:ubuntu-22.04-amd64system
submitted
25/03/2025, 12:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

rHGF6UobDrEAw59FT3LPxJNMVzBlj02lX5
Size

112KB
MD5

05d7857dcead18bbd86d2935f591873c
SHA1

34d18f41ef35f93d5364ce3e24d74730a4e91985
SHA256

2cb1fa4742268fb0196613aee7a39a08a0707b3ef8853280d5060c44f3650d70
SHA512

d1793861067758a064ac1d59c80c78f9cb4b64dd680ab4a62dd050156dc0318dde590c7b44c1184c9ee926f73c3fc242662e42645faab6685ecef9d238d2e53e
SSDEEP

3072:o0pHqiUxCoypP1Xyukbt56UFQ71SMSmUHM5RmNtbm9c:REOtiukxc3SmUHM5Rm/bm9c

Score

7^/10

discovery execution persistence privilege_escalation

Malware Config

Signatures

Renames itself 1 IoCs

pid	Process
1557	rHGF6UobDrEAw59FT3LPxJNMVzBlj02lX5

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

execution persistence privilege_escalation

Cron

T1053.003

description	ioc	Process
File opened for modification	/var/spool/cron/crontabs/tmp.jgdgov	crontab

Enumerates running processes
Discovers information about currently running processes on the system

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/23/cmdline	rHGF6UobDrEAw59FT3LPxJNMVzBlj02lX5
File opened for reading	/proc/93/cmdline	rHGF6UobDrEAw59FT3LPxJNMVzBlj02lX5
File opened for reading	/proc/525/cmdline	rHGF6UobDrEAw59FT3LPxJNMVzBlj02lX5
File opened for reading	/proc/645/cmdline	rHGF6UobDrEAw59FT3LPxJNMVzBlj02lX5
File opened for reading	/proc/1478/cmdline	rHGF6UobDrEAw59FT3LPxJNMVzBlj02lX5
File opened for reading	/proc/1545/cmdline	rHGF6UobDrEAw59FT3LPxJNMVzBlj02lX5
File opened for reading	/proc/97/cmdline	rHGF6UobDrEAw59FT3LPxJNMVzBlj02lX5
File opened for reading	/proc/218/cmdline	rHGF6UobDrEAw59FT3LPxJNMVzBlj02lX5
File opened for reading	/proc/259/cmdline	rHGF6UobDrEAw59FT3LPxJNMVzBlj02lX5
File opened for reading	/proc/629/cmdline	rHGF6UobDrEAw59FT3LPxJNMVzBlj02lX5
File opened for reading	/proc/893/cmdline	rHGF6UobDrEAw59FT3LPxJNMVzBlj02lX5
File opened for reading	/proc/1037/cmdline	rHGF6UobDrEAw59FT3LPxJNMVzBlj02lX5
File opened for reading	/proc/1170/cmdline	rHGF6UobDrEAw59FT3LPxJNMVzBlj02lX5
File opened for reading	/proc/760/cmdline	rHGF6UobDrEAw59FT3LPxJNMVzBlj02lX5
File opened for reading	/proc/784/cmdline	rHGF6UobDrEAw59FT3LPxJNMVzBlj02lX5
File opened for reading	/proc/1090/cmdline	rHGF6UobDrEAw59FT3LPxJNMVzBlj02lX5
File opened for reading	/proc/1546/cmdline	rHGF6UobDrEAw59FT3LPxJNMVzBlj02lX5
File opened for reading	/proc/5/cmdline	rHGF6UobDrEAw59FT3LPxJNMVzBlj02lX5
File opened for reading	/proc/98/cmdline	rHGF6UobDrEAw59FT3LPxJNMVzBlj02lX5
File opened for reading	/proc/209/cmdline	rHGF6UobDrEAw59FT3LPxJNMVzBlj02lX5
File opened for reading	/proc/523/cmdline	rHGF6UobDrEAw59FT3LPxJNMVzBlj02lX5
File opened for reading	/proc/677/cmdline	rHGF6UobDrEAw59FT3LPxJNMVzBlj02lX5
File opened for reading	/proc/1155/cmdline	rHGF6UobDrEAw59FT3LPxJNMVzBlj02lX5
File opened for reading	/proc/1162/cmdline	rHGF6UobDrEAw59FT3LPxJNMVzBlj02lX5
File opened for reading	/proc/17/cmdline	rHGF6UobDrEAw59FT3LPxJNMVzBlj02lX5
File opened for reading	/proc/85/cmdline	rHGF6UobDrEAw59FT3LPxJNMVzBlj02lX5
File opened for reading	/proc/88/cmdline	rHGF6UobDrEAw59FT3LPxJNMVzBlj02lX5
File opened for reading	/proc/406/cmdline	rHGF6UobDrEAw59FT3LPxJNMVzBlj02lX5
File opened for reading	/proc/925/cmdline	rHGF6UobDrEAw59FT3LPxJNMVzBlj02lX5
File opened for reading	/proc/927/cmdline	rHGF6UobDrEAw59FT3LPxJNMVzBlj02lX5
File opened for reading	/proc/1067/cmdline	rHGF6UobDrEAw59FT3LPxJNMVzBlj02lX5
File opened for reading	/proc/1152/cmdline	rHGF6UobDrEAw59FT3LPxJNMVzBlj02lX5
File opened for reading	/proc/75/cmdline	rHGF6UobDrEAw59FT3LPxJNMVzBlj02lX5
File opened for reading	/proc/109/cmdline	rHGF6UobDrEAw59FT3LPxJNMVzBlj02lX5
File opened for reading	/proc/211/cmdline	rHGF6UobDrEAw59FT3LPxJNMVzBlj02lX5
File opened for reading	/proc/582/cmdline	rHGF6UobDrEAw59FT3LPxJNMVzBlj02lX5
File opened for reading	/proc/1101/cmdline	rHGF6UobDrEAw59FT3LPxJNMVzBlj02lX5
File opened for reading	/proc/1542/cmdline	rHGF6UobDrEAw59FT3LPxJNMVzBlj02lX5
File opened for reading	/proc/2/cmdline	rHGF6UobDrEAw59FT3LPxJNMVzBlj02lX5
File opened for reading	/proc/4/cmdline	rHGF6UobDrEAw59FT3LPxJNMVzBlj02lX5
File opened for reading	/proc/20/cmdline	rHGF6UobDrEAw59FT3LPxJNMVzBlj02lX5
File opened for reading	/proc/771/cmdline	rHGF6UobDrEAw59FT3LPxJNMVzBlj02lX5
File opened for reading	/proc/1153/cmdline	rHGF6UobDrEAw59FT3LPxJNMVzBlj02lX5
File opened for reading	/proc/214/cmdline	rHGF6UobDrEAw59FT3LPxJNMVzBlj02lX5
File opened for reading	/proc/1086/cmdline	rHGF6UobDrEAw59FT3LPxJNMVzBlj02lX5
File opened for reading	/proc/1163/cmdline	rHGF6UobDrEAw59FT3LPxJNMVzBlj02lX5
File opened for reading	/proc/16/cmdline	rHGF6UobDrEAw59FT3LPxJNMVzBlj02lX5
File opened for reading	/proc/83/cmdline	rHGF6UobDrEAw59FT3LPxJNMVzBlj02lX5
File opened for reading	/proc/446/cmdline	rHGF6UobDrEAw59FT3LPxJNMVzBlj02lX5
File opened for reading	/proc/631/cmdline	rHGF6UobDrEAw59FT3LPxJNMVzBlj02lX5
File opened for reading	/proc/1135/cmdline	rHGF6UobDrEAw59FT3LPxJNMVzBlj02lX5
File opened for reading	/proc/424/cmdline	rHGF6UobDrEAw59FT3LPxJNMVzBlj02lX5
File opened for reading	/proc/1046/cmdline	rHGF6UobDrEAw59FT3LPxJNMVzBlj02lX5
File opened for reading	/proc/1047/cmdline	rHGF6UobDrEAw59FT3LPxJNMVzBlj02lX5
File opened for reading	/proc/1137/cmdline	rHGF6UobDrEAw59FT3LPxJNMVzBlj02lX5
File opened for reading	/proc/1219/cmdline	rHGF6UobDrEAw59FT3LPxJNMVzBlj02lX5
File opened for reading	/proc/1353/cmdline	rHGF6UobDrEAw59FT3LPxJNMVzBlj02lX5
File opened for reading	/proc/7/cmdline	rHGF6UobDrEAw59FT3LPxJNMVzBlj02lX5
File opened for reading	/proc/80/cmdline	rHGF6UobDrEAw59FT3LPxJNMVzBlj02lX5
File opened for reading	/proc/92/cmdline	rHGF6UobDrEAw59FT3LPxJNMVzBlj02lX5
File opened for reading	/proc/633/cmdline	rHGF6UobDrEAw59FT3LPxJNMVzBlj02lX5
File opened for reading	/proc/1277/cmdline	rHGF6UobDrEAw59FT3LPxJNMVzBlj02lX5
File opened for reading	/proc/9/cmdline	rHGF6UobDrEAw59FT3LPxJNMVzBlj02lX5
File opened for reading	/proc/74/cmdline	rHGF6UobDrEAw59FT3LPxJNMVzBlj02lX5

/tmp/rHGF6UobDrEAw59FT3LPxJNMVzBlj02lX5
/tmp/rHGF6UobDrEAw59FT3LPxJNMVzBlj02lX5 bcdedit /set shutdown /r /f /t 2
1⤵
- Renames itself
- Reads runtime system information
PID:1556
- /bin/sh
  sh -c "crontab -l"
  2⤵
  PID:1558
- - /usr/bin/crontab
    crontab -l
    3⤵
    PID:1559
- /bin/sh
  sh -c "crontab -"
  2⤵
  PID:1560
- - /usr/bin/crontab
    crontab -
    3⤵
    - Creates/modifies Cron job
    PID:1561

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Cron

T1053.003

Persistence

Scheduled Task/Job

T1053

Cron

T1053.003

Privilege Escalation

Scheduled Task/Job

T1053

Cron

T1053.003

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/var/spool/cron/crontabs/tmp.jgdgov

Filesize
210B

MD5
456e7180a6467624180adedf6db4b453

SHA1
3c10a0f7a7b1f631291ff2287cae9833532dd143

SHA256
0885bea2b1140de876f2e37d223f308038d28168e828d375e0c4e86124154a01

SHA512
3b33b254431328b7f6679cdd62af9a139ca2d44c8bd34e6724cd9c901b024857f791c214e61a70686b338c3083db97b3e02d148b5055608b2c20def7385178b3

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads