Triage | Malware sandboxing report by Hatching Triage

Sharing

General

Target

Mozi.mxhdsgyia
Size

132KB
Sample

220425-3mkk1adcgj
MD5

59ce0baba11893f90527fc951ac69912
SHA1

5857a7dd621c4c3ebb0b5a3bec915d409f70d39f
SHA256

4293c1d8574dc87c58360d6bac3daa182f64f7785c9d41da5e0741d2b1817fc7
SHA512

c5b12797b477e5e5964a78766bb40b1c0d9fdfb8eef1f9aee3df451e3441a40c61d325bf400ba51048811b68e1c70a95f15e4166b7a65a4eca0c624864328647

Score

10^/10

discovery linux persistence suricata

Malware Config

Targets

- Target
  
  Mozi.mxhdsgyia
- Size
  
  132KB
- MD5
  
  59ce0baba11893f90527fc951ac69912
- SHA1
  
  5857a7dd621c4c3ebb0b5a3bec915d409f70d39f
- SHA256
  
  4293c1d8574dc87c58360d6bac3daa182f64f7785c9d41da5e0741d2b1817fc7
- SHA512
  
  c5b12797b477e5e5964a78766bb40b1c0d9fdfb8eef1f9aee3df451e3441a40c61d325bf400ba51048811b68e1c70a95f15e4166b7a65a4eca0c624864328647
Score

10^/10

discovery persistence suricata
- suricata: ET MALWARE JAWS Webserver Unauthenticated Shell Command Execution
  suricata: ET MALWARE JAWS Webserver Unauthenticated Shell Command Execution
  suricata
- suricata: ET MALWARE Mirai Variant User-Agent (Outbound)
  suricata: ET MALWARE Mirai Variant User-Agent (Outbound)
  suricata
- Contacts a large (19835) amount of remote hosts
  This may indicate a network scan to discover remotely running services.
  discovery
- Creates a large amount of network flows
  This may indicate a network scan to discover remotely running services.
  discovery
- Modifies the Watchdog daemon
  Malware like Mirai modify the Watchdog to prevent it restarting an infected system.
- Writes file to system bin folder
- Modifies hosts file
  Adds to hosts file used for mapping hosts to IP addresses.
- Writes DNS configuration
  Writes data to DNS resolver config file.
- Enumerates active TCP sockets
  Gets active TCP sockets from /proc virtual filesystem.
- Modifies init.d
  Adds/modifies system service, likely for persistence.
  persistence
- Reads system routing table
  Gets active network interfaces from /proc virtual filesystem.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Reads system network configuration
  Uses contents of /proc filesystem to enumerate network settings.
- Reads runtime system information
  Reads data from /proc virtual filesystem.
- Writes file to tmp directory
  Malware often drops required files in the /tmp directory.
behavioral1

MITRE ATT&CK Matrix

Collection

Command and Control

Credential Access

Defense Evasion

Discovery

System Network Configuration Discovery

T1016

Network Service Scanning

T1046

System Network Connections Discovery

T1049

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

Tasks

static1

behavioral1

discoverypersistencesuricata