General
Target: install_cloud.sh
Size: 9KB
Sample: 250328-pr2s7axpv6
MD5: 54a6dc25ac6a1e71d8b2168db0d3e27f
SHA1: 97a9146fc9349f365beae6aea4bf7258d63e2f93
SHA256: 2ae7255eedd7f4d39a999f57209497235d632e543356e34f634ce90522d2b2b2
SHA512: d9ad9672052076d2cbc43ec6f08e0d9fe759f4efbf66d8fdd32fed21c3861225b40c3a3aa87a4ddc5388198cb0dc7fc85fd686f19bce14a25e4070ebf53c4c1c
SSDEEP: 192:FvSgVoI18Byt8rHmUiBTYGv/n4C5B4Ps136Dx9/3Gc8Y6DRAml1906Y:FKgWe8Byt8XGv/n4C5B4PsV6DvCVAqS

Static task
static1

Behavioral task
behavioral1
Sample: install_cloud.sh
Resource: ubuntu1804-amd64-20240611-en

Behavioral task
behavioral2
Sample: install_cloud.sh
Resource: debian9-armhf-20240418-en

Behavioral task
behavioral3
Sample: install_cloud.sh
Resource: debian9-mipsbe-20240611-en

Behavioral task
behavioral4
Sample: install_cloud.sh
Resource: debian9-mipsel-20240729-en
Malware Config

Targets
Target: install_cloud.sh
- Modifies password files for system users/groups
  Modifies files storing password hashes of existing users/groups, likely to grant additional privileges.
- File and Directory Permissions Modification
  Adversaries may modify file or directory permissions to evade defenses.
- Executes dropped EXE
- Modifies sudoers policy
  Adds/modifies rule files for sudoers policy, likely to grant additional privileges.
- OS Credential Dumping
  Adversaries may attempt to dump credentials to use them in password cracking.
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
  Abuses sudo or cached sudo credentials to execute code.
- Adds a user to the system
- Creates/modifies environment variables
  Creating/modifying environment variables is a common persistence mechanism.
- Enumerates running processes
  Discovers information about currently running processes on the system.
- Writes file to user bin folder
- Writes file to system bin folder
- Modifies Bash startup script
MITRE ATT&CK Enterprise v15

Execution
Command and Scripting Interpreter [2]
  Python [1]
  Unix Shell [1]
Software Deployment Tools [1]
User Execution [2]
  Malicious File [1]

Persistence
Boot or Logon Autostart Execution [2]
Boot or Logon Initialization Scripts [1]
  RC Scripts [1]
Event Triggered Execution [1]
  Unix Shell Configuration Modification [1]
Hijack Execution Flow [1]
  Path Interception by PATH Environment Variable [1]
Modify Authentication Process [1]
  Pluggable Authentication Modules [1]

Privilege Escalation
Abuse Elevation Control Mechanism [1]
  Sudo and Sudo Caching [1]
Boot or Logon Autostart Execution [2]
Boot or Logon Initialization Scripts [1]
  RC Scripts [1]
Event Triggered Execution [1]
  Unix Shell Configuration Modification [1]
Hijack Execution Flow [1]
  Path Interception by PATH Environment Variable [1]

Defense Evasion
Abuse Elevation Control Mechanism [1]
  Sudo and Sudo Caching [1]
File and Directory Permissions Modification [1]
  Linux and Mac File and Directory Permissions Modification [1]
Hijack Execution Flow [1]
  Path Interception by PATH Environment Variable [1]
Indicator Removal [1]
  Clear Linux or Mac System Logs [1]
Modify Authentication Process [1]
  Pluggable Authentication Modules [1]
Virtualization/Sandbox Evasion [1]
  System Checks [1]

Credential Access
Modify Authentication Process [1]
  Pluggable Authentication Modules [1]
OS Credential Dumping [1]
  /etc/passwd and /etc/shadow [1]