7a7bfa4f84e073d45b33ca6d4e5f263d31aa512d124bc6c682029f2b831c7c08

Analysis

max time kernel
0s
max time network
131s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240508-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240508-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
28-06-2024 12:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

.rsync/a/stop
Size

114B
MD5

b726837db1e4d3a05a4749fdc7a4f9d5
SHA1

793d9bb347cdc6bf99a1a6eeff2a210a6f149734
SHA256

ad46ee339c92694f3d8b072b74eec325e416bbbf305803345d6fc4e787832af6
SHA512

ce24fcc586b0172409352020c07bb49069fa8ffe7e4fb9c3f350c6b2f02c5a997b83dfb6ce6ac35db168434c7f68d0cd95f1ab198d25f2ee6ab9b13067a7ecc4

Score

6^/10

Malware Config

Signatures

Enumerates running processes
Discovers information about currently running processes on the system
Reads CPU attributes 1 TTPs 2 IoCs

System Information Discovery
T1082

Processes:

pkillps

description ioc process

File opened for reading /sys/devices/system/cpu/online pkill
File opened for reading /sys/devices/system/cpu/online ps

description	ioc	process
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

Processes:

pkillpskillall

description	ioc	process
File opened for reading	/proc/1126/status	pkill
File opened for reading	/proc/1130/status	ps
File opened for reading	/proc/89/cmdline	pkill
File opened for reading	/proc/202/status	pkill
File opened for reading	/proc/1193/status	pkill
File opened for reading	/proc/170/stat	ps
File opened for reading	/proc/445/cmdline	ps
File opened for reading	/proc/137/cmdline	pkill
File opened for reading	/proc/1352/status	pkill
File opened for reading	/proc/1262/stat	killall
File opened for reading	/proc/1044/status	ps
File opened for reading	/proc/1372/stat	ps
File opened for reading	/proc/30/cmdline	pkill
File opened for reading	/proc/1114/cmdline	pkill
File opened for reading	/proc/1167/status	ps
File opened for reading	/proc/1223/cmdline	ps
File opened for reading	/proc/203/cmdline	pkill
File opened for reading	/proc/1294/stat	killall
File opened for reading	/proc/1496/stat	killall
File opened for reading	/proc/317/stat	ps
File opened for reading	/proc/953/status	ps
File opened for reading	/proc/26/cmdline	pkill
File opened for reading	/proc/1130/status	pkill
File opened for reading	/proc/1262/status	pkill
File opened for reading	/proc/1122/status	ps
File opened for reading	/proc/1186/stat	ps
File opened for reading	/proc/1494/stat	ps
File opened for reading	/proc/684/status	pkill
File opened for reading	/proc/914/stat	killall
File opened for reading	/proc/1038/stat	killall
File opened for reading	/proc/1085/status	ps
File opened for reading	/proc/1247/stat	ps
File opened for reading	/proc/914/status	ps
File opened for reading	/proc/1147/status	ps
File opened for reading	/proc/30/status	pkill
File opened for reading	/proc/312/cmdline	pkill
File opened for reading	/proc/13/cmdline	ps
File opened for reading	/proc/655/status	ps
File opened for reading	/proc/914/stat	ps
File opened for reading	/proc/1182/stat	killall
File opened for reading	/proc/9/status	ps
File opened for reading	/proc/18/stat	ps
File opened for reading	/proc/1183/stat	ps
File opened for reading	/proc/7/cmdline	ps
File opened for reading	/proc/16/stat	ps
File opened for reading	/proc/1044/cmdline	ps
File opened for reading	/proc/1061/cmdline	ps
File opened for reading	/proc/1143/status	ps
File opened for reading	/proc/1072/stat	ps
File opened for reading	/proc/1126/stat	ps
File opened for reading	/proc/471/status	pkill
File opened for reading	/proc/28/stat	killall
File opened for reading	/proc/26/status	ps
File opened for reading	/proc/171/stat	ps
File opened for reading	/proc/78/cmdline	pkill
File opened for reading	/proc/245/stat	ps
File opened for reading	/proc/708/status	ps
File opened for reading	/proc/13/status	pkill
File opened for reading	/proc/158/status	pkill
File opened for reading	/proc/31/cmdline	ps
File opened for reading	/proc/202/cmdline	ps
File opened for reading	/proc/1505/cmdline	ps
File opened for reading	/proc/19/status	pkill
File opened for reading	/proc/413/stat	killall

Writes file to tmp directory 1 IoCs
Malware often drops required files in the /tmp directory.

Processes:

stop

description ioc process

File opened for modification /tmp/.rsync/a/.proc stop

description	ioc	process
File opened for modification	/tmp/.rsync/a/.proc	stop

/tmp/.rsync/a/stop
/tmp/.rsync/a/stop
1⤵
- Writes file to tmp directory
PID:1498

/usr/bin/pkill
pkill -9 cron
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:1499

/usr/bin/killall
killall -9 cron
2⤵
- Reads runtime system information
PID:1500

/usr/bin/awk
awk "{print \$1}"
2⤵
PID:1505

/bin/grep
grep -v grep
2⤵
PID:1504

/bin/grep
grep cron
2⤵
PID:1503

/bin/ps
ps x
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:1502

/bin/rm
rm -rf .proc
2⤵
PID:1506

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads