Sec440‐Linux‐Hunt‐Podman - ConnorEast/Tech-Journal GitHub Wiki
~~~
sudo apt install podman
~~~

~~~
unqualified-search-registries = ["docker.io"]
~~~

~~~
sudo apt install python3-pip
pip install podman-compose
sudo apt install git
git clone https://github.com/thedunston/LinuxContainerAnalysis
~~~

~~~
wget https://research.cyfidant.com/thuglyfeLinux.zip
unzip thuglyfeLinux.zip
cd thuglyfeLinux
~~~

~~~
bash linux_malware_analysis_container samples/thuglyfe/thug_simulator
~~~

~~~
ltrace-full samples/thuglyfe/thug_simulator
podman cp d6386143ff06:/tmp/ltrace_analysis/trace_behavior_20251106_162130.txt trace_analysis.txt
~~~
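An added example, not from this journal or the LinuxContainerAnalysis repo: a small Python triage script for a copied-out trace like trace_analysis.txt, summarising which files the sample opened for writing and which commands it executed. It assumes plain `ltrace -f -tt` line format; the embedded trace is constructed for illustration, not the real thug_simulator output.

```python
import re
from collections import Counter

# Constructed sample in ltrace "-f -tt" format (not the real thug_simulator trace).
SAMPLE_TRACE = """\
[pid 4321] 16:21:30.101 fopen("/etc/systemd/system/thuglyfe.service", "w") = 0x5641a0
[pid 4321] 16:21:30.102 fwrite("[Unit]\\nDescription=svc", 1, 22, 0x5641a0) = 22
[pid 4321] 16:21:30.104 system("systemctl enable thuglyfe.service" <unfinished ...>
[pid 4322] 16:21:30.150 execve("/bin/sh", 0x7ffd1234, 0x7ffd5678 <no return ...>
[pid 4321] 16:21:30.201 <... system resumed> ) = 0
[pid 4321] 16:21:30.202 fopen("/etc/passwd", "a") = 0x5641b0
[pid 4321] 16:21:30.203 fopen("/proc/self/status", "r") = 0x5641c0
[pid 4321] 16:21:30.204 +++ exited (status 0) +++
"""

# One library-call line: optional "[pid N]" (-f), optional timestamp (-tt),
# then func(args) followed by "= retval" or an unfinished/no-return marker.
LINE_RE = re.compile(
    r'^(?:\[pid (?P<pid>\d+)\]\s+)?(?:\d{2}:\d{2}:\d{2}(?:\.\d+)?\s+)?'
    r'(?P<func>\w+)\((?P<args>.*?)'
    r'(?:\)\s*=\s*(?P<ret>.+?)|\s*<(?:unfinished|no return) \.\.\.>)\s*$')
STRING_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')   # quoted string arguments
EXEC_FUNCS = {"system", "popen", "execve", "execv", "execl", "execlp", "execvp"}
WATCH = EXEC_FUNCS | {"fork", "setuid", "setgid", "chmod", "chown", "unlink"}

def parse_ltrace(text):
    """Yield (pid, func, quoted-string args) for each call line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:   # "resumed", "exited" and signal lines do not match and are skipped
            yield m.group("pid"), m.group("func"), STRING_RE.findall(m.group("args"))

def summarize(text):
    """Triage view of a trace: call counts, files opened for writing, commands run."""
    calls, files_written, files_read, commands = Counter(), set(), set(), []
    for _pid, func, strings in parse_ltrace(text):
        calls[func] += 1
        if func == "fopen" and len(strings) >= 2:
            target = files_written if strings[1].startswith(("w", "a", "r+")) else files_read
            target.add(strings[0])
        elif func in EXEC_FUNCS and strings:
            commands.append(strings[0])   # first string arg: command line or binary path
    return {"calls": dict(calls), "commands": commands,
            "suspicious": {f: n for f, n in calls.items() if f in WATCH},
            "files_written": sorted(files_written), "files_read": sorted(files_read)}

if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_TRACE), indent=2))
```

Run it against the real file with `summarize(open("trace_analysis.txt").read())`; a unit file written under /etc/systemd/system plus a `systemctl enable` is the persistence pattern the captions below describe.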

This is an executable file, so its contents cannot be viewed normally. Its permissions are visible in the image below.
This is a .service file whose purpose is to execute the malicious SVCHost file on startup. The file thuglyfe.service has "-rwxr-xr-x" permissions.
Lists the file permissions "RW" and the contents of the file. This file shows when the environment was set up, when the SSH brute-force attempt was simulated, and when the malicious binary was deployed.
This document holds the basic system information. It's a generic Ubuntu Linux box created September 29th.
This file would typically hold IP configuration information. Because it was run in a podman instance, there is no networking interface.
This section would typically contain networking information such as local and remote connections and active ports. It is empty because it was run in a podman instance.
This lists all of the current user accounts on the system prior to the implementation of the malicious user account.
This shows the user accounts as well as their respective home directory locations.
When run within the podman instance it shows
When run within the podman instance it shows
When run within the podman instance it shows
Shows all currently installed packages.
When run within the podman instance it shows
When run within the podman instance it shows nothing.