Analysis
- max time kernel: 0s
- max time network: 104s
- platform: linux_amd64
- resource: ubuntu1804-amd64-en-20211208
- submitted: 05-04-2022 12:19
Static task: static1
Behavioral task: behavioral1
- Sample: 23sgqdsvuhq
- Resource: ubuntu1804-amd64-en-20211208
- Platform: linux_amd64
- 0 signatures
- 0 seconds
General
- Target: 23sgqdsvuhq
- Size: 549KB
- MD5: b4ff3961cefcc5e151e319666bae6f5e
- SHA1: e1e985a90a116edea41d99b3e2a85a697f760d48
- SHA256: 71ef590b32ef90a021be7bafd074b7698ffefab7f935e371568bef5eb2543f19
- SHA512: e4a6eed3bbedf52e8b636ddfa34bde662dd9f8b7fd7745dc7689605b966bf24b0ed76bf9e418dab5d32668b9b6ecdc09b0e5da8cd011a274d8186cc169f4d52e
- Score: 10/10
Malware Config
Signatures
-
suricata: ET MALWARE DDoS.XOR Checkin via HTTP
-
Writes file to system bin folder (1 TTPs, 16 IoCs)
Processes (description / ioc; both columns hold the written path):
- /bin/ccrmab
- /bin/jkebetcpxtarn
- /bin/ulfvywqh
- /bin/oxasev
- /bin/ufqkminrob
- /bin/mbdeknfixl
- /bin/psrvfs
- /bin/qsiwnvlidd
- /bin/dcdlhjtnud
- /bin/ddtnzh
- /bin/ypddnh
- /bin/glhkruaehvlxhq
- /bin/zwovzp
- /bin/nvhsxbgzeg
- /bin/mnvfpkeikvyb
- /bin/scvrlo
-
Modifies rc script (1 TTPs, 5 IoCs)
Adding/modifying system rc scripts is a common persistence mechanism.
Processes (description / ioc; both columns hold the written path):
- /etc/rc3.d/S90jkouaackjy
- /etc/rc4.d/S90jkouaackjy
- /etc/rc5.d/S90jkouaackjy
- /etc/rc1.d/S90jkouaackjy
- /etc/rc2.d/S90jkouaackjy
-
Writes file to tmp directory (1 IoCs)
Malware often drops required files in the /tmp directory.
Processes (description / ioc; both columns hold the written path):
- /tmp/23sgqdsvuhq
Processes (path, command line, PID; all at depth 1)
- ./23sgqdsvuhq | ./23sgqdsvuhq | PID 592
- /bin/yjkcaauokj | /bin/yjkcaauokj | PID 596
- /bin/mbdeknfixl | /bin/mbdeknfixl -d 597 | PID 601
- /bin/ccrmab | /bin/ccrmab -d 597 | PID 604
- /bin/jkebetcpxtarn | /bin/jkebetcpxtarn -d 597 | PID 611
- /bin/psrvfs | /bin/psrvfs -d 597 | PID 614
- /bin/nvhsxbgzeg | /bin/nvhsxbgzeg -d 597 | PID 617
- /bin/mnvfpkeikvyb | /bin/mnvfpkeikvyb -d 597 | PID 621
- /bin/qsiwnvlidd | /bin/qsiwnvlidd -d 597 | PID 624
- /bin/glhkruaehvlxhq | /bin/glhkruaehvlxhq -d 597 | PID 627
- /bin/ulfvywqh | /bin/ulfvywqh -d 597 | PID 630
- /bin/dcdlhjtnud | /bin/dcdlhjtnud -d 597 | PID 633
- /bin/oxasev | /bin/oxasev -d 597 | PID 636
- /bin/ddtnzh | /bin/ddtnzh -d 597 | PID 639
- /bin/ufqkminrob | /bin/ufqkminrob -d 597 | PID 642
- /bin/zwovzp | /bin/zwovzp -d 597 | PID 645
- /bin/ypddnh | /bin/ypddnh -d 597 | PID 648
- /bin/scvrlo | /bin/scvrlo -d 597 | PID 651
- /bin/rgwfrlyhmzg | /bin/rgwfrlyhmzg -d 597 | PID 654