71ef590b32ef90a021be7bafd074b7698ffefab7f935e371568bef5eb2543f19

Analysis

max time kernel
0s
max time network
73s
platform
linux_amd64
resource
ubuntu1804-amd64-en-20211208
submitted
17-02-2022 00:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

71ef590b32ef90a021be7bafd074b7698ffefab7f935e371568bef5eb2543f19
Size

549KB
MD5

b4ff3961cefcc5e151e319666bae6f5e
SHA1

e1e985a90a116edea41d99b3e2a85a697f760d48
SHA256

71ef590b32ef90a021be7bafd074b7698ffefab7f935e371568bef5eb2543f19
SHA512

e4a6eed3bbedf52e8b636ddfa34bde662dd9f8b7fd7745dc7689605b966bf24b0ed76bf9e418dab5d32668b9b6ecdc09b0e5da8cd011a274d8186cc169f4d52e

Score

9^/10

persistence

Malware Config

Signatures

Writes file to system bin folder 1 TTPs 17 IoCs

Hijack Execution Flow

T1574

Processes:

description	ioc
/bin/yaoxwvxzm	/bin/yaoxwvxzm
/bin/umawelsvjq	/bin/umawelsvjq
/bin/fotatnpvl	/bin/fotatnpvl
/bin/qcrbhhuicizz	/bin/qcrbhhuicizz
/bin/sfbhxw	/bin/sfbhxw
/bin/vbhvly	/bin/vbhvly
/bin/niyxaar	/bin/niyxaar
/bin/edlmgs	/bin/edlmgs
/bin/qjuowwhvtnsrp	/bin/qjuowwhvtnsrp
/bin/gpzwxksj	/bin/gpzwxksj
/bin/nifhvwjpv	/bin/nifhvwjpv
/bin/fjpzdhjssoghfh	/bin/fjpzdhjssoghfh
/bin/fixipgcju	/bin/fixipgcju
/bin/jawtdg	/bin/jawtdg
/bin/pldmmpzzagj	/bin/pldmmpzzagj
/bin/gdoptq	/bin/gdoptq
/bin/drggbbszf	/bin/drggbbszf

Modifies rc script 1 TTPs 5 IoCs

Adding/modifying system rc scripts is a common persistence mechanism.

persistence

Boot or Logon Autostart Execution

T1547

Processes:

description	ioc
/etc/rc1.d/S90mdqcecwum	/etc/rc1.d/S90mdqcecwum
/etc/rc2.d/S90mdqcecwum	/etc/rc2.d/S90mdqcecwum
/etc/rc3.d/S90mdqcecwum	/etc/rc3.d/S90mdqcecwum
/etc/rc4.d/S90mdqcecwum	/etc/rc4.d/S90mdqcecwum
/etc/rc5.d/S90mdqcecwum	/etc/rc5.d/S90mdqcecwum

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

Processes:

description	ioc
/tmp/71ef590b32ef90a021be7bafd074b7698ffefab7f935e371568bef5eb2543f19	/tmp/71ef590b32ef90a021be7bafd074b7698ffefab7f935e371568bef5eb2543f19

./71ef590b32ef90a021be7bafd074b7698ffefab7f935e371568bef5eb2543f19
./71ef590b32ef90a021be7bafd074b7698ffefab7f935e371568bef5eb2543f19
1⤵
PID:593

/bin/muwcecqdm
/bin/muwcecqdm
1⤵
PID:597

/bin/gpzwxksj
/bin/gpzwxksj -d 598
1⤵
PID:602

/bin/yaoxwvxzm
/bin/yaoxwvxzm -d 598
1⤵
PID:605

/bin/nifhvwjpv
/bin/nifhvwjpv -d 598
1⤵
PID:612

/bin/qjuowwhvtnsrp
/bin/qjuowwhvtnsrp -d 598
1⤵
PID:615

/bin/pldmmpzzagj
/bin/pldmmpzzagj -d 598
1⤵
PID:618

/bin/umawelsvjq
/bin/umawelsvjq -d 598
1⤵
PID:622

/bin/fjpzdhjssoghfh
/bin/fjpzdhjssoghfh -d 598
1⤵
PID:625

/bin/fotatnpvl
/bin/fotatnpvl -d 598
1⤵
PID:628

/bin/gdoptq
/bin/gdoptq -d 598
1⤵
PID:631

/bin/fixipgcju
/bin/fixipgcju -d 598
1⤵
PID:634

/bin/qcrbhhuicizz
/bin/qcrbhhuicizz -d 598
1⤵
PID:637

/bin/sfbhxw
/bin/sfbhxw -d 598
1⤵
PID:640

/bin/vbhvly
/bin/vbhvly -d 598
1⤵
PID:643

/bin/niyxaar
/bin/niyxaar -d 598
1⤵
PID:646

/bin/jawtdg
/bin/jawtdg -d 598
1⤵
PID:649

/bin/edlmgs
/bin/edlmgs -d 598
1⤵
PID:652

/bin/drggbbszf
/bin/drggbbszf -d 598
1⤵
PID:655

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Defense Evasion

Hijack Execution Flow

T1574

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads