This Ubuntu Linux honeypot was put online in Azure in early October to observe what those exploiting CVE-2021-41773 would do.
Initially, a large number of crypto miners hit the system. You will see one cron script meant to remove files named kinsing in /tmp; it was put in place to keep these miners out so that more interesting activity could occur.
There are three files:
– sdb.vhd.gz – VHD of the main drive obtained through an Azure disk snapshot
– ubuntu.20211208.mem.gz – Memory dump acquired with LiME
– uac.tgz – Results of UAC running on the system
Items were obtained in the order above – the drive was snapshotted, memory was grabbed, then UAC was run.
As a SOC analyst, analyze the artifacts and answer the questions.