Analysis
max time kernel: 0s
max time network: 143s
platform: linux_amd64
resource: ubuntu1804-amd64-en-20211208
submitted: 09-01-2022 01:49

Static task: static1

Behavioral task: behavioral1
Sample: 71ef590b32ef90a021be7bafd074b7698ffefab7f935e371568bef5eb2543f19
Resource: ubuntu1804-amd64-en-20211208
Platform: linux_amd64
0 signatures
0 seconds
General
Target: 71ef590b32ef90a021be7bafd074b7698ffefab7f935e371568bef5eb2543f19
Size: 549KB
MD5: b4ff3961cefcc5e151e319666bae6f5e
SHA1: e1e985a90a116edea41d99b3e2a85a697f760d48
SHA256: 71ef590b32ef90a021be7bafd074b7698ffefab7f935e371568bef5eb2543f19
SHA512: e4a6eed3bbedf52e8b636ddfa34bde662dd9f8b7fd7745dc7689605b966bf24b0ed76bf9e418dab5d32668b9b6ecdc09b0e5da8cd011a274d8186cc169f4d52e
Score: 9/10
Malware Config
Signatures

Writes file to system bin folder (1 TTP, 16 IoCs)
Files written under /bin:
/bin/wfdtjalrxz
/bin/rsekjnitfgor
/bin/wkeupxwolb
/bin/bfxfrgsbbzhp
/bin/rawiiomj
/bin/tygizovnhtyde
/bin/vlhryxrszdswa
/bin/ktwescx
/bin/gpwcedvdibghyi
/bin/lvcncbn
/bin/hjbmoypycxha
/bin/koznjku
/bin/mzhlory
/bin/xvawln
/bin/cezyphmbqbwq
/bin/izuadsql

Modifies rc script (1 TTP, 5 IoCs)
Adding or modifying system rc scripts is a common persistence mechanism.
rc entries written:
/etc/rc2.d/S90onbvyv
/etc/rc3.d/S90onbvyv
/etc/rc4.d/S90onbvyv
/etc/rc5.d/S90onbvyv
/etc/rc1.d/S90onbvyv

Writes file to tmp directory (1 IoC)
Malware often drops required files in the /tmp directory.
File written:
/tmp/71ef590b32ef90a021be7bafd074b7698ffefab7f935e371568bef5eb2543f19
Processes (command line, sandbox PID)
PID 592  ./71ef590b32ef90a021be7bafd074b7698ffefab7f935e371568bef5eb2543f19
PID 596  /bin/vyvbno
PID 601  /bin/wfdtjalrxz -d 597
PID 604  /bin/vlhryxrszdswa -d 597
PID 606  /bin/rsekjnitfgor -d 597
PID 614  /bin/koznjku -d 597
PID 617  /bin/ktwescx -d 597
PID 621  /bin/bfxfrgsbbzhp -d 597
PID 624  /bin/mzhlory -d 597
PID 627  /bin/wkeupxwolb -d 597
PID 630  /bin/rawiiomj -d 597
PID 633  /bin/tygizovnhtyde -d 597
PID 636  /bin/xvawln -d 597
PID 639  /bin/cezyphmbqbwq -d 597
PID 642  /bin/gpwcedvdibghyi -d 597
PID 645  /bin/lvcncbn -d 597
PID 648  /bin/izuadsql -d 597
PID 651  /bin/hjbmoypycxha -d 597
PID 654  /bin/locpbe -d 597
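Two of the behaviours above are easy to turn into host-side checks: the "Modifies rc script" signature (S90onbvyv dropped into rc1.d through rc5.d) and the process tree, where seventeen distinct, randomly named /bin binaries are all started with the identical argument tail `-d 597`. The script below is an added example, not part of the sandbox report or the sample: it rebuilds the report's process tree and rc IoCs as constructed inputs and runs both checks over them offline. The rc entries are assumed here to be regular files (the report lists them as written files but does not say), and the `S01ssh` link and the `INITD_SCRIPTS` set are assumed benign contents added for contrast.

```python
"""Offline triage checks for two behaviours in this report.

Added example, not code from the sandbox or from the sample. Inputs marked
"constructed"/"assumed" are built from the report's IoCs, not taken from a host.
"""
import re
from collections import defaultdict

# Constructed from the report's process tree: command line plus sandbox PID.
PROCESS_TREE = """\
./71ef590b32ef90a021be7bafd074b7698ffefab7f935e371568bef5eb2543f19 PID:592
/bin/vyvbno PID:596
/bin/wfdtjalrxz -d 597 PID:601
/bin/vlhryxrszdswa -d 597 PID:604
/bin/rsekjnitfgor -d 597 PID:606
/bin/koznjku -d 597 PID:614
/bin/ktwescx -d 597 PID:617
/bin/bfxfrgsbbzhp -d 597 PID:621
/bin/mzhlory -d 597 PID:624
/bin/wkeupxwolb -d 597 PID:627
/bin/rawiiomj -d 597 PID:630
/bin/tygizovnhtyde -d 597 PID:633
/bin/xvawln -d 597 PID:636
/bin/cezyphmbqbwq -d 597 PID:639
/bin/gpwcedvdibghyi -d 597 PID:642
/bin/lvcncbn -d 597 PID:645
/bin/izuadsql -d 597 PID:648
/bin/hjbmoypycxha -d 597 PID:651
/bin/locpbe -d 597 PID:654
"""

# Constructed /etc/rc?.d listing: path -> symlink target, or None for a regular
# file. The S90onbvyv entries are the report's IoCs (assumed regular files; the
# report does not say). S01ssh is an assumed benign entry for contrast.
RC_ENTRIES = {
    "/etc/rc1.d/S90onbvyv": None,
    "/etc/rc2.d/S90onbvyv": None,
    "/etc/rc3.d/S90onbvyv": None,
    "/etc/rc4.d/S90onbvyv": None,
    "/etc/rc5.d/S90onbvyv": None,
    "/etc/rc2.d/S01ssh": "../init.d/ssh",
}
# Assumed set of scripts present in /etc/init.d (normally from installed packages).
INITD_SCRIPTS = {"ssh", "cron"}

PROC_RE = re.compile(r"^(?P<cmd>.+?)\s+PID:(?P<pid>\d+)$")
RC_RE = re.compile(r"^/etc/rc([0-6S])\.d/([SK])(\d{2})(.+)$")


def parse_process_tree(text):
    """Parse '<cmd> [args...] PID:<n>' lines into a list of (pid, argv)."""
    procs = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = PROC_RE.match(line)
        if not m:
            raise ValueError(f"unparseable process line: {line!r}")
        procs.append((int(m.group("pid")), m.group("cmd").split()))
    return procs


def find_daemon_fanout(procs, min_children=5):
    """Group /bin executables by their argument tail and flag any tail shared
    by at least min_children distinct binaries. Packaged daemons are not
    started as a dozen random names with one identical argv. Returns {tail: [exes]}."""
    by_tail = defaultdict(set)
    for _pid, argv in procs:
        exe, tail = argv[0], tuple(argv[1:])
        if tail and exe.startswith("/bin/"):
            by_tail[tail].add(exe)
    return {" ".join(t): sorted(e) for t, e in by_tail.items() if len(e) >= min_children}


def audit_rc_entries(entries, initd_scripts):
    """On Ubuntu the rc?.d entries are symlinks into /etc/init.d maintained by
    update-rc.d. Flag a regular file there, or a service name with no init.d
    script. Returns {service: {"levels": [...], "reasons": [...]}}."""
    findings = defaultdict(lambda: {"levels": set(), "reasons": set()})
    for path, target in entries.items():
        m = RC_RE.match(path)
        if not m:
            continue
        level, _kind, _prio, name = m.groups()
        reasons = []
        if target is None:
            reasons.append("regular file instead of symlink into /etc/init.d")
        if name not in initd_scripts:
            reasons.append("no /etc/init.d script of that name")
        if reasons:
            findings[name]["levels"].add(level)
            findings[name]["reasons"].update(reasons)
    return {n: {"levels": sorted(f["levels"]), "reasons": sorted(f["reasons"])}
            for n, f in findings.items()}


def triage():
    """Run both checks over the constructed inputs and return the findings."""
    procs = parse_process_tree(PROCESS_TREE)
    return {
        "fanout": find_daemon_fanout(procs),
        "rc": audit_rc_entries(RC_ENTRIES, INITD_SCRIPTS),
    }


if __name__ == "__main__":
    result = triage()
    for tail, exes in result["fanout"].items():
        print(f"{len(exes)} distinct /bin binaries share the argv tail '{tail}'")
    for name, f in result["rc"].items():
        print(f"rc entry {name!r} at runlevels {','.join(f['levels'])}: "
              f"{'; '.join(f['reasons'])}")
```

On a live host the same two functions can be fed `ps -eo pid,args` output reshaped into the `<cmd> PID:<n>` form and an `os.scandir` walk of /etc/rc?.d (using `os.readlink` for symlinks, `None` otherwise). The fan-out check deliberately keys on the shared argument tail rather than on the random names, since the names change per infection while the launch pattern does not.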