{
	"id": "44bcdaca-9591-49a0-93e8-6062f708fa22",
	"created_at": "2026-04-06T00:19:17.270732Z",
	"updated_at": "2026-04-10T13:12:31.739618Z",
	"deleted_at": null,
	"sha1_hash": "243c3c5089789e3b641c19f5ff997c631beacc9f",
	"title": "Sysrv Infection (Linux Edition)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1371444,
	"plain_text": "Sysrv Infection (Linux Edition)\r\nPublished: 2024-04-14 · Archived: 2026-04-05 19:44:23 UTC\r\nIntroduction\r\nOn a recent incident response case, a customer contacted us regarding their EDR detecting a crypto miner on a\r\nLinux endpoint. The identified malicious file, named 41hs1z, is accessible on VirusTotal. The folders and paths\r\nassociated with each execution of the crypto miner may differ; however, here are some paths we encountered:\r\n/backup/files/excel/41hs1z\r\n/backup/files/xml/dotnet115/BeID/41hs1z\r\n/backup/files/xml/dotnet115/layouts/defaults/41hs1z\r\nUpon analysis, we discovered that the malware is a component of the Sysrv botnet. In this short blog post, we will\r\nexamine the ELF binary to uncover its capabilities and identify IOCs associated with the sample.\r\nFor further insights into Sysrv, we recommend referring to the following three informative blog posts:\r\nCrypto miner attack – Sysrv-Hello Botnet targeting WordPress pods (sysdig.com)\r\nNot Another Coin Miner (ultimacybr.co.uk)\r\nThe Sysrv Botnet and How It Evolved (cujo.com)\r\nLoader\r\nAt the time of writing this blog post, the loader script remains available online at http://194.38.23.2/ldr[.]sh\r\n(VirusTotal). This shell script was executed on the target host, presumably after exploiting a vulnerability in the\r\ninternet-facing web application. While the server was no longer accessible for a thorough investigation, we\r\ndiscovered traces of the script’s execution.\r\nFigure 1: Part of the ldr.sh file\r\nhttps://dfir.ch/posts/sysrv/\r\nPage 1 of 9\n\nMany other blogs, including UltimaCybr’s, have thoroughly examined the loader script (which is why we won’t\r\nduplicate the analysis here). 
One notable difference in our case is that the loader does not possess the capabilities\r\nto gather and use SSH keys for subsequent propagation, as highlighted in a report by TheDFIRReport.\r\nA recovered version of this script shows that it uses a clever technique for self-propagation on Linux. In addition\r\nto disabling UFW and killing several running services, the script then turns to enumerating all the private keys\r\nstored on the hosts, parsing all the hosts in the known_hosts files, as well as usernames associated with any keys\r\nfound.\r\nGO-Binary Reversing\r\nUpon opening the binary with Ghidra, we are presented with… not much information. The functions pane appears\r\nlargely empty.\r\nFigure 2: Functions within Ghidra\r\nAdditionally, the included strings from the binary do not make much sense.\r\nFigure 3: Defined strings within Ghidra\r\nDorka Palotay wrote an excellent article titled Reverse Engineering Go Binaries with Ghidra, shedding light on\r\nwhy extracting strings from our GO binary poses challenges. After reading about the problems in the blog of\r\nDorka, I stumbled upon the GhidraScripts maintained by Max Kersten. After loading the scripts into the Script\r\nManager from Ghidra and running them (the GhidraScripts GitHub repository contains a README that will\r\nguide you through every step), the magic behind those scripts found more function names and readable strings (Figure 4).\r\nFigure 4: Script Manager within Ghidra\r\nReturning to the functions pane, we now have function names that are more or less meaningful:\r\nFigure 5: More functions within Ghidra\r\nPerforming the same search for “cron,” as previously demonstrated (refer to Figure 3), yields more meaningful\r\nresults:\r\nFigure 6: Readable strings within Ghidra\r\nstrace\r\nWe utilize strace for the dynamic analysis of the malware. 
See my post [s|l]trace - Linux Malware Analysis as a\r\nstrace primer. Upon executing the binary in a controlled environment (with strace and logging activated), the\r\nbinary operates under the name kthreaddk, a frequently observed identifier for this strain of malware, as\r\nnumerous Google search results indicate infections attributed to Sysrv.\r\n2530 execve(\"./9d9150e2def883bdaa588b47cf5300934ef952bea3acd5ad0e86e1deaa7d89c5\", [\"./9d9150e2def883bdaa588b47\r\n2537 execve(\"kthreaddk\", [\"kthreaddk\"], 0xc420138090 /* 17 vars */ \u003cunfinished ...\u003e\r\nPersistence\r\nOne of the initial steps following execution involves establishing persistence through a cronjob, utilizing\r\nrandomized paths, as we will explore subsequently. Take note of the string “/usr/bin/crontab -,” which matches the\r\nstring we uncovered within Ghidra after utilizing the Ghidra Scripts to extract readable strings from the binary\r\n(refer to Figure 6).\r\n2550 execve(\"/bin/sh\", [\"/bin/sh\", \"-c\", \"echo '* * * * * /dev/disk/by-partuuid/3hxr47' | /usr/bin/crontab -\"]\r\nMutex\r\nAt intervals of one minute, the sample establishes a connection to localhost through a predetermined port (in our\r\ninstance, 51933). The malware refrains from re-infecting the system if the port is open.\r\nsrc_port = 44388\r\ndst_ip = 0.0.0.0\r\ndst_port = 51933\r\nprotocol = TCP\r\nProcess listing\r\nThe binary is copied around to different paths. Here’s an example of running ps on the infected machine, revealing\r\nthe malicious binary executed under the following path: /etc/apparmor.d/abstractions/ubuntu-browsers.d/3hxr47.\r\n# ps aux\r\nroot 3711 0.0 0.0 2616 496 ? Ss 15:12 0:00 /bin/sh -c /etc/apparmor.d/abstractions/ubuntu-browsers.d/3hxr4\r\nroot 3712 2.4 2.8 115804 100868 ? 
Sl 15:12 1:06 /etc/apparmor.d/abstractions/ubuntu-browsers.d/3hxr47\r\nCron Jobs\r\nThe various and changing paths of the malware are recorded within the cron log files, as illustrated in the\r\nfollowing excerpt:\r\nFeb 18 15:11:01 miner cron[752]: (root) RELOAD (crontabs/root)\r\nFeb 18 15:11:01 miner CRON[3692]: (root) CMD (/etc/apparmor.d/abstractions/ubuntu-browsers.d/3hxr47)\r\nFeb 18 15:12:01 miner CRON[3711]: (root) CMD (/etc/apparmor.d/abstractions/ubuntu-browsers.d/3hxr47)\r\nFeb 18 15:12:03 miner crontab[3725]: (root) REPLACE (root)\r\nFeb 18 15:13:01 miner CRON[3819]: (root) CMD (/dev/block/mujqjo)\r\nFeb 18 15:13:04 miner crontab[3830]: (root) REPLACE (root)\r\nFeb 18 15:14:01 miner cron[752]: (root) RELOAD (crontabs/root)\r\nconfig.json\r\nSteven Folek (@Pir00t) used the watch command in his blog post (see the link in the introduction section) to fetch\r\na copy of the config.json file. We can employ strace once more to observe the contents of the JSON file as it’s\r\nbeing written to disk. However, we need to augment the maximum string length to capture using the parameter -s\r\nwhen initiating strace. Otherwise, strace only captures the initial 32 characters of the content.\r\nWhile running the strace command on the DVOCmd command, the string size is by default 32 characters. You will see\r\n“…” after 32 characters, preventing you from getting useful information. To get the maximum length of a string to\r\ndisplay, you need to use the -s strsize option in the strace command. 
By default, the limit is to display 32 characters\r\nonly.\r\n2532 openat(AT_FDCWD, \"/etc/byobu/3hxr47/config.json\", O_WRONLY|O_CREAT|O_TRUNC|O_CLOEXEC, 0777) = 7\r\n2532 write(7, \"{\\n \\\"api\\\": {\\n [..]]{ \\\"url\\\": \\\"194.38.23.2:8080\\\" } ],\\n \\\"retries\\\": 5,\\n\r\n\\\"retry-pause\\\": 5,\\n \\\"syslog\\\": false,\\n \\\"user-agent\\\": null,\\n \\\"verbose\\\": 0,\\n\r\n \\\"watch\\\": false,\\n \\\"pause-on-battery\\\": false\\n}\", 1047) = 1047\r\n2532 close(7)\r\nWithin the configuration file, we encounter the same IP address from which the loader script was retrieved\r\n(194.38.23[.]2), albeit with a different port (8080).\r\nExploits\r\nAs observed by other researchers, the Sysrv malware family integrates several exploits. These exploits are\r\nemployed against random targets across the internet, aiming to exploit vulnerable systems and propagate to further\r\nhosts. Presented below is a sample exploit aimed at a WordPress site within our analyzed sample.\r\nFigure 7: Built-In WordPress exploit\r\nWe identify the identical URL (highlighted in green in Figure 7) within publicly available exploit code on Exploit-DB, aligning the exploit code found on Exploit-DB with the exploit code contained within the malware sample.\r\nFigure 8: Same URL as in the Built-In exploit above\r\nIn addition to numerous other exploits not discussed in this blog post, we also uncover a list of hardcoded\r\nusername/password combinations utilized for brute-forcing login pages.\r\nFigure 9: List of username/password combinations\r\nAnd the moral of the story is …\r\nPatch Management: It is crucial to promptly patch your externally facing applications and devices to\r\nmitigate potential security vulnerabilities. 
Regularly updating software and firmware helps safeguard\r\nagainst emerging threats and enhances overall system security.\r\nDNS Logging (Crypto Mining): Whenever I analyze a crypto miner infection, I must think about\r\nFlorian’s tweet.\r\nEDR all assets: Whenever possible, deploy an Endpoint Detection and Response (EDR) agent or leverage\r\nagentless solutions to continuously monitor your devices and hosts for signs of compromise.\r\nOutlook\r\nIn an upcoming blog post, we will explore the intersection of system monitoring and security in Linux\r\nenvironments, focusing on the tools Sysmon for Linux and Kunai. Sysmon for Linux, an adaptation of Microsoft’s\r\nrenowned Sysinternals tool, brings powerful system monitoring capabilities to Linux systems. Meanwhile, Kunai\r\noffers a comprehensive solution for analyzing, correlating, and responding to security events in real time. By\r\ncombining the capabilities of Sysmon for Linux and Kunai, we can proactively identify suspicious activities.\r\nSource: https://dfir.ch/posts/sysrv/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://dfir.ch/posts/sysrv/"
	],
	"report_names": [
		"sysrv"
	],
	"threat_actors": [
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434757,
	"ts_updated_at": 1775826751,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/243c3c5089789e3b641c19f5ff997c631beacc9f.pdf",
		"text": "https://archive.orkl.eu/243c3c5089789e3b641c19f5ff997c631beacc9f.txt",
		"img": "https://archive.orkl.eu/243c3c5089789e3b641c19f5ff997c631beacc9f.jpg"
	}
}