71ef590b32ef90a021be7bafd074b7698ffefab7f935e371568bef5eb2543f19

Analysis

max time kernel
0s
max time network
104s
platform
linux_amd64
resource
ubuntu1804-amd64-en-20211208
submitted
05-04-2022 12:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

23sgqdsvuhq
Size

549KB
MD5

b4ff3961cefcc5e151e319666bae6f5e
SHA1

e1e985a90a116edea41d99b3e2a85a697f760d48
SHA256

71ef590b32ef90a021be7bafd074b7698ffefab7f935e371568bef5eb2543f19
SHA512

e4a6eed3bbedf52e8b636ddfa34bde662dd9f8b7fd7745dc7689605b966bf24b0ed76bf9e418dab5d32668b9b6ecdc09b0e5da8cd011a274d8186cc169f4d52e

Score

10^/10

persistence suricata

Malware Config

Signatures

suricata: ET MALWARE DDoS.XOR Checkin via HTTP
suricata: ET MALWARE DDoS.XOR Checkin via HTTP
suricata

Writes file to system bin folder 1 TTPs 16 IoCs

Hijack Execution Flow

T1574

Processes:

description	ioc
/bin/ccrmab	/bin/ccrmab
/bin/jkebetcpxtarn	/bin/jkebetcpxtarn
/bin/ulfvywqh	/bin/ulfvywqh
/bin/oxasev	/bin/oxasev
/bin/ufqkminrob	/bin/ufqkminrob
/bin/mbdeknfixl	/bin/mbdeknfixl
/bin/psrvfs	/bin/psrvfs
/bin/qsiwnvlidd	/bin/qsiwnvlidd
/bin/dcdlhjtnud	/bin/dcdlhjtnud
/bin/ddtnzh	/bin/ddtnzh
/bin/ypddnh	/bin/ypddnh
/bin/glhkruaehvlxhq	/bin/glhkruaehvlxhq
/bin/zwovzp	/bin/zwovzp
/bin/nvhsxbgzeg	/bin/nvhsxbgzeg
/bin/mnvfpkeikvyb	/bin/mnvfpkeikvyb
/bin/scvrlo	/bin/scvrlo

Modifies rc script 1 TTPs 5 IoCs

Adding/modifying system rc scripts is a common persistence mechanism.

persistence

Boot or Logon Autostart Execution

T1547

Processes:

description	ioc
/etc/rc3.d/S90jkouaackjy	/etc/rc3.d/S90jkouaackjy
/etc/rc4.d/S90jkouaackjy	/etc/rc4.d/S90jkouaackjy
/etc/rc5.d/S90jkouaackjy	/etc/rc5.d/S90jkouaackjy
/etc/rc1.d/S90jkouaackjy	/etc/rc1.d/S90jkouaackjy
/etc/rc2.d/S90jkouaackjy	/etc/rc2.d/S90jkouaackjy

Writes file to tmp directory 1 IoCs
Malware often drops required files in the /tmp directory.

Processes:

description ioc

/tmp/23sgqdsvuhq /tmp/23sgqdsvuhq

description	ioc
/tmp/23sgqdsvuhq	/tmp/23sgqdsvuhq

./23sgqdsvuhq
./23sgqdsvuhq
1⤵
PID:592

/bin/yjkcaauokj
/bin/yjkcaauokj
1⤵
PID:596

/bin/mbdeknfixl
/bin/mbdeknfixl -d 597
1⤵
PID:601

/bin/ccrmab
/bin/ccrmab -d 597
1⤵
PID:604

/bin/jkebetcpxtarn
/bin/jkebetcpxtarn -d 597
1⤵
PID:611

/bin/psrvfs
/bin/psrvfs -d 597
1⤵
PID:614

/bin/nvhsxbgzeg
/bin/nvhsxbgzeg -d 597
1⤵
PID:617

/bin/mnvfpkeikvyb
/bin/mnvfpkeikvyb -d 597
1⤵
PID:621

/bin/qsiwnvlidd
/bin/qsiwnvlidd -d 597
1⤵
PID:624

/bin/glhkruaehvlxhq
/bin/glhkruaehvlxhq -d 597
1⤵
PID:627

/bin/ulfvywqh
/bin/ulfvywqh -d 597
1⤵
PID:630

/bin/dcdlhjtnud
/bin/dcdlhjtnud -d 597
1⤵
PID:633

/bin/oxasev
/bin/oxasev -d 597
1⤵
PID:636

/bin/ddtnzh
/bin/ddtnzh -d 597
1⤵
PID:639

/bin/ufqkminrob
/bin/ufqkminrob -d 597
1⤵
PID:642

/bin/zwovzp
/bin/zwovzp -d 597
1⤵
PID:645

/bin/ypddnh
/bin/ypddnh -d 597
1⤵
PID:648

/bin/scvrlo
/bin/scvrlo -d 597
1⤵
PID:651

/bin/rgwfrlyhmzg
/bin/rgwfrlyhmzg -d 597
1⤵
PID:654

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Defense Evasion

Hijack Execution Flow

T1574

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads