2baf73eae1c5135acf10290b063d0a65827611ba6874a326883d9be3b238a1b6

Resubmissions

02-06-2022 16:55

220602-ve6t9scebq 10

09-04-2022 21:37

220409-1gfnradag2 9

Analysis

max time kernel
0s
max time network
32s
platform
linux_amd64
resource
ubuntu1804-amd64-en-20211208
submitted
02-06-2022 16:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2BAFxor.o
Size

611KB
MD5

cc3cfcdb09c10250d5b6430a1ffa5340
SHA1

d31cd0f813ac9a6f997d7d5a0cabac6d078907e2
SHA256

2baf73eae1c5135acf10290b063d0a65827611ba6874a326883d9be3b238a1b6
SHA512

a519cd6606a3383dbfb80d0ab96877d416bc089f5076b92b47e31edc3e0ef7b6ed21e38e4577e063a48c97d1842557667bef046a70be87b5d71792ab14a988b5

Score

9^/10

persistence

Malware Config

Signatures

Writes file to system bin folder 1 TTPs 4 IoCs

Hijack Execution Flow
T1574

Processes:

description ioc

/bin/fidfhvpauc /bin/fidfhvpauc
/bin/ydvxgwccxe /bin/ydvxgwccxe
/bin/bbcdjuqsxi /bin/bbcdjuqsxi
/bin/bjttonswai /bin/bjttonswai
Creates/modifies Cron job 1 TTPs 2 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
persistence

Scheduled Task
T1053

Processes:

sedsh

description ioc process

/etc/crontab /etc/crontab sed
/etc/crontab /etc/crontab sh

description	ioc
/bin/fidfhvpauc	/bin/fidfhvpauc
/bin/ydvxgwccxe	/bin/ydvxgwccxe
/bin/bbcdjuqsxi	/bin/bbcdjuqsxi
/bin/bjttonswai	/bin/bjttonswai

description	ioc	process
/etc/crontab	/etc/crontab	sed
/etc/crontab	/etc/crontab	sh

Modifies rc script 1 TTPs 12 IoCs

Adding/modifying system rc scripts is a common persistence mechanism.

persistence

Boot or Logon Autostart Execution

T1547

Processes:

update-rc.d

description	ioc	process
/etc/rc6.d/	/etc/rc6.d/	update-rc.d
/etc/rc1.d/	/etc/rc1.d/	update-rc.d
/etc/rc1.d/S902BAFxor.o	/etc/rc1.d/S902BAFxor.o
/etc/rc2.d/S902BAFxor.o	/etc/rc2.d/S902BAFxor.o
/etc/rc5.d/S902BAFxor.o	/etc/rc5.d/S902BAFxor.o
/etc/rc4.d/	/etc/rc4.d/	update-rc.d
/etc/rc2.d/	/etc/rc2.d/	update-rc.d
/etc/rc3.d/S902BAFxor.o	/etc/rc3.d/S902BAFxor.o
/etc/rc4.d/S902BAFxor.o	/etc/rc4.d/S902BAFxor.o
/etc/rc0.d/	/etc/rc0.d/	update-rc.d
/etc/rc5.d/	/etc/rc5.d/	update-rc.d
/etc/rc3.d/	/etc/rc3.d/	update-rc.d

Write file to user bin folder 1 TTPs 5 IoCs

Hijack Execution Flow

T1574

Processes:

update-rc.d

description	ioc	process
/usr/sbin/update-rc.d	/usr/sbin/update-rc.d	update-rc.d
/usr/bin/fidfhvpauc	/usr/bin/fidfhvpauc
/usr/bin/ydvxgwccxe	/usr/bin/ydvxgwccxe
/usr/bin/bbcdjuqsxi	/usr/bin/bbcdjuqsxi
/usr/bin/bjttonswai	/usr/bin/bjttonswai

Reads runtime system information 7 IoCs

Reads data from /proc virtual filesystem.

Processes:

systemctlsed

description	ioc	process
/proc/filesystems	/proc/filesystems	systemctl
/proc/self/stat	/proc/self/stat	systemctl
/proc/sys/kernel/osrelease	/proc/sys/kernel/osrelease	systemctl
/proc/1/environ	/proc/1/environ	systemctl
/proc/1/sched	/proc/1/sched	systemctl
/proc/cmdline	/proc/cmdline	systemctl
/proc/filesystems	/proc/filesystems	sed

Writes file to tmp directory 4 IoCs
Malware often drops required files in the /tmp directory.

Processes:

description ioc

/tmp/fidfhvpauc /tmp/fidfhvpauc
/tmp/ydvxgwccxe /tmp/ydvxgwccxe
/tmp/bbcdjuqsxi /tmp/bbcdjuqsxi
/tmp/bjttonswai /tmp/bjttonswai

description	ioc
/tmp/fidfhvpauc	/tmp/fidfhvpauc
/tmp/ydvxgwccxe	/tmp/ydvxgwccxe
/tmp/bbcdjuqsxi	/tmp/bbcdjuqsxi
/tmp/bjttonswai	/tmp/bjttonswai

./2BAFxor.o
./2BAFxor.o
1⤵
PID:592

/bin/chkconfig
chkconfig --add 2BAFxor.o
1⤵
PID:595

/sbin/chkconfig
chkconfig --add 2BAFxor.o
1⤵
PID:595

/usr/bin/chkconfig
chkconfig --add 2BAFxor.o
1⤵
PID:595

/usr/sbin/chkconfig
chkconfig --add 2BAFxor.o
1⤵
PID:595

/usr/local/bin/chkconfig
chkconfig --add 2BAFxor.o
1⤵
PID:595

/usr/local/sbin/chkconfig
chkconfig --add 2BAFxor.o
1⤵
PID:595

/usr/X11R6/bin/chkconfig
chkconfig --add 2BAFxor.o
1⤵
PID:595

/bin/sh
sh -c "sed -i '/\\/etc\\/cron.hourly\\/gcc.sh/d' /etc/crontab && echo '*/3 * * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab"
1⤵
- Creates/modifies Cron job
PID:598

/bin/sed
sed -i "/\\/etc\\/cron.hourly\\/gcc.sh/d" /etc/crontab
2⤵
- Creates/modifies Cron job
- Reads runtime system information
PID:599

/bin/update-rc.d
update-rc.d 2BAFxor.o defaults
1⤵
PID:597

/sbin/update-rc.d
update-rc.d 2BAFxor.o defaults
1⤵
PID:597

/usr/bin/update-rc.d
update-rc.d 2BAFxor.o defaults
1⤵
PID:597

/usr/sbin/update-rc.d
update-rc.d 2BAFxor.o defaults
1⤵
- Modifies rc script
- Write file to user bin folder
PID:597

/bin/systemctl
systemctl daemon-reload
2⤵
- Reads runtime system information
PID:603

/usr/bin/ydvxgwccxe
/usr/bin/ydvxgwccxe ifconfig 593
1⤵
PID:624

/usr/bin/ydvxgwccxe
/usr/bin/ydvxgwccxe pwd 593
1⤵
PID:627

/usr/bin/ydvxgwccxe
/usr/bin/ydvxgwccxe id 593
1⤵
PID:630

/usr/bin/ydvxgwccxe
/usr/bin/ydvxgwccxe ls 593
1⤵
PID:633

/usr/bin/ydvxgwccxe
/usr/bin/ydvxgwccxe "cat resolv.conf" 593
1⤵
PID:636

/usr/bin/bbcdjuqsxi
/usr/bin/bbcdjuqsxi ifconfig 593
1⤵
PID:639

/usr/bin/bbcdjuqsxi
/usr/bin/bbcdjuqsxi id 593
1⤵
PID:642

/usr/bin/bbcdjuqsxi
/usr/bin/bbcdjuqsxi bash 593
1⤵
PID:645

/usr/bin/bbcdjuqsxi
/usr/bin/bbcdjuqsxi "sleep 1" 593
1⤵
PID:648

/usr/bin/bbcdjuqsxi
/usr/bin/bbcdjuqsxi "netstat -antop" 593
1⤵
PID:651

/usr/bin/bjttonswai
/usr/bin/bjttonswai pwd 593
1⤵
PID:654

/usr/bin/bjttonswai
/usr/bin/bjttonswai "echo \"find\"" 593
1⤵
PID:657

/usr/bin/bjttonswai
/usr/bin/bjttonswai who 593
1⤵
PID:660

/usr/bin/bjttonswai
/usr/bin/bjttonswai "sleep 1" 593
1⤵
PID:663

/usr/bin/bjttonswai
/usr/bin/bjttonswai "route -n" 593
1⤵
PID:666

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Hijack Execution Flow

T1574

Scheduled Task

T1053

Boot or Logon Autostart Execution

T1547

Privilege Escalation

Hijack Execution Flow

T1574

Scheduled Task

T1053

Boot or Logon Autostart Execution

T1547

Defense Evasion

Hijack Execution Flow

T1574

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads