Analysis

  • max time kernel
    149s
  • max time network
    144s
  • platform
    ubuntu-22.04_amd64
  • resource
    ubuntu2204-amd64-20250619-en
  • resource tags

    arch:amd64arch:i386image:ubuntu2204-amd64-20250619-enkernel:5.15.0-105-genericlocale:en-usos:ubuntu-22.04-amd64system
  • submitted
    03/07/2025, 05:28

General

  • Target

    i686.elf

  • Size

    573KB

  • MD5

    490ad35e351803f7d5d8adb8cab6ea1b

  • SHA1

    3967a16181bdf5052fb548890863c0c6b28d2a1c

  • SHA256

    09e563ee72e2242d9f2e67d402ffe5b1f480134dd34fe8fd05930a90c1fc11ab

  • SHA512

    6058dcfb54e0394e79760208f5129c8a99f7fb68a4306092929061308bed3be28ffcedfb0846a1fe4d5df5aa544b6e2455a3fa5c033b1d82b74617edb7bfba23

  • SSDEEP

    12288:5D+Azf/CVCW3ISw+hRNb3W/aTyA9VV/cZWLnR98V+:5D+AznCVNIZ+vNbG/WYWrR98V

Malware Config

Signatures

  • Renames itself 1 IoCs
  • Checks hardware identifiers (DMI) 1 TTPs 2 IoCs

    Checks DMI information which indicate if the system is a virtual machine.

  • Creates/modifies Cron job 1 TTPs 1 IoCs

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

  • Enumerates running processes

    Discovers information about currently running processes on the system

  • Reads MAC address of network interface 2 TTPs 1 IoCs

    Fetches the MAC address of active network interfaces. May be used to detect known values for hypervisors.

  • Reads hardware information 1 TTPs 4 IoCs

    Accesses system info like serial numbers, manufacturer names etc.

  • Checks CPU configuration 1 TTPs 1 IoCs

    Checks CPU information which indicate if the system is a virtual machine.

  • Enumerates kernel/hardware configuration 1 TTPs 1 IoCs

    Reads contents of /sys virtual filesystem to enumerate system information.

  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

  • Writes file to tmp directory 1 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /usr/bin/crontab
    crontab -l
    1⤵
      PID:1565
    • /usr/bin/crontab
      crontab -
      1⤵
      • Creates/modifies Cron job
      PID:1568
    • /usr/bin/crontab
      crontab -l
      1⤵
        PID:1569
      • /root/.sys/configuration
        /tmp/i686.elf
        1⤵
        • Checks hardware identifiers (DMI)
        • Reads MAC address of network interface
        • Reads hardware information
        • Checks CPU configuration
        • Enumerates kernel/hardware configuration
        • Reads runtime system information
        • Writes file to tmp directory
        PID:1563

      Network

            MITRE ATT&CK Enterprise v16

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • /var/spool/cron/crontabs/tmp.sHn8ys

              Filesize

              208B

              MD5

              759a652ed7e7a97a0f00299c595b3d72

              SHA1

              91c3f7e58a12b98f839aad238a68bc23860eac23

              SHA256

              d215568de167b4417ddd3d68c65cc53e4d834afe175e35926b2ca8be376a72da

              SHA512

              af28c7930bfe2f0fb2798b70d9f9b507ca53eafc2f1e58b4ec397915a78158f6f5494a9e90998a1fbd7a5d91c12599b92f2fb49068097fc91d8ce583260090cd