2baf73eae1c5135acf10290b063d0a65827611ba6874a326883d9be3b238a1b6 | Triage

Resubmissions

02-06-2022 16:55

220602-ve6t9scebq 10

09-04-2022 21:37

220409-1gfnradag2 9

Analysis

max time kernel
0s
max time network
32s
platform
linux_amd64
resource
ubuntu1804-amd64-en-20211208
submitted
02-06-2022 16:55

Sharing

Report Analysis Logs

General

Target

2BAFxor.o
Size

611KB
MD5

cc3cfcdb09c10250d5b6430a1ffa5340
SHA1

d31cd0f813ac9a6f997d7d5a0cabac6d078907e2
SHA256

2baf73eae1c5135acf10290b063d0a65827611ba6874a326883d9be3b238a1b6
SHA512

a519cd6606a3383dbfb80d0ab96877d416bc089f5076b92b47e31edc3e0ef7b6ed21e38e4577e063a48c97d1842557667bef046a70be87b5d71792ab14a988b5

Score

9^/10

persistence

Malware Config

Signatures

Writes file to system bin folder 1 TTPs 4 IoCs

Hijack Execution Flow

description	ioc
/bin/fidfhvpauc	/bin/fidfhvpauc
/bin/ydvxgwccxe	/bin/ydvxgwccxe
/bin/bbcdjuqsxi	/bin/bbcdjuqsxi
/bin/bjttonswai	/bin/bjttonswai

Creates/modifies Cron job 1 TTPs 2 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

Scheduled Task

description	ioc	Process
/etc/crontab	/etc/crontab	sed
/etc/crontab	/etc/crontab	sh

Modifies rc script 1 TTPs 12 IoCs

Adding/modifying system rc scripts is a common persistence mechanism.

Boot or Logon Autostart Execution

description	ioc	Process
/etc/rc6.d/	/etc/rc6.d/	update-rc.d
/etc/rc1.d/	/etc/rc1.d/	update-rc.d
/etc/rc1.d/S902BAFxor.o	/etc/rc1.d/S902BAFxor.o	Process not Found
/etc/rc2.d/S902BAFxor.o	/etc/rc2.d/S902BAFxor.o	Process not Found
/etc/rc5.d/S902BAFxor.o	/etc/rc5.d/S902BAFxor.o	Process not Found
/etc/rc4.d/	/etc/rc4.d/	update-rc.d
/etc/rc2.d/	/etc/rc2.d/	update-rc.d
/etc/rc3.d/S902BAFxor.o	/etc/rc3.d/S902BAFxor.o	Process not Found
/etc/rc4.d/S902BAFxor.o	/etc/rc4.d/S902BAFxor.o	Process not Found
/etc/rc0.d/	/etc/rc0.d/	update-rc.d
/etc/rc5.d/	/etc/rc5.d/	update-rc.d
/etc/rc3.d/	/etc/rc3.d/	update-rc.d

Write file to user bin folder 1 TTPs 5 IoCs

Hijack Execution Flow

description	ioc	Process
/usr/sbin/update-rc.d	/usr/sbin/update-rc.d	update-rc.d
/usr/bin/fidfhvpauc	/usr/bin/fidfhvpauc	Process not Found
/usr/bin/ydvxgwccxe	/usr/bin/ydvxgwccxe	Process not Found
/usr/bin/bbcdjuqsxi	/usr/bin/bbcdjuqsxi	Process not Found
/usr/bin/bjttonswai	/usr/bin/bjttonswai	Process not Found

Reads runtime system information 7 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
/proc/filesystems	/proc/filesystems	systemctl
/proc/self/stat	/proc/self/stat	systemctl
/proc/sys/kernel/osrelease	/proc/sys/kernel/osrelease	systemctl
/proc/1/environ	/proc/1/environ	systemctl
/proc/1/sched	/proc/1/sched	systemctl
/proc/cmdline	/proc/cmdline	systemctl
/proc/filesystems	/proc/filesystems	sed

Writes file to tmp directory 4 IoCs

Malware often drops required files in the /tmp directory.

description	ioc
/tmp/fidfhvpauc	/tmp/fidfhvpauc
/tmp/ydvxgwccxe	/tmp/ydvxgwccxe
/tmp/bbcdjuqsxi	/tmp/bbcdjuqsxi
/tmp/bjttonswai	/tmp/bjttonswai

./2BAFxor.o
./2BAFxor.o
1⤵
PID:592

/bin/chkconfig
chkconfig --add 2BAFxor.o
1⤵
PID:595

/sbin/chkconfig
chkconfig --add 2BAFxor.o
1⤵
PID:595

/usr/bin/chkconfig
chkconfig --add 2BAFxor.o
1⤵
PID:595

/usr/sbin/chkconfig
chkconfig --add 2BAFxor.o
1⤵
PID:595

/usr/local/bin/chkconfig
chkconfig --add 2BAFxor.o
1⤵
PID:595

/usr/local/sbin/chkconfig
chkconfig --add 2BAFxor.o
1⤵
PID:595

/usr/X11R6/bin/chkconfig
chkconfig --add 2BAFxor.o
1⤵
PID:595

/bin/sh
sh -c "sed -i '/\\/etc\\/cron.hourly\\/gcc.sh/d' /etc/crontab && echo '*/3 * * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab"
1⤵
- Creates/modifies Cron job
PID:598
- /bin/sed
  sed -i "/\\/etc\\/cron.hourly\\/gcc.sh/d" /etc/crontab
  2⤵
  - Creates/modifies Cron job
  - Reads runtime system information
  PID:599

/bin/update-rc.d
update-rc.d 2BAFxor.o defaults
1⤵
PID:597

/sbin/update-rc.d
update-rc.d 2BAFxor.o defaults
1⤵
PID:597

/usr/bin/update-rc.d
update-rc.d 2BAFxor.o defaults
1⤵
PID:597

/usr/sbin/update-rc.d
update-rc.d 2BAFxor.o defaults
1⤵
- Modifies rc script
- Write file to user bin folder
PID:597
- /bin/systemctl
  systemctl daemon-reload
  2⤵
  - Reads runtime system information
  PID:603

/usr/bin/ydvxgwccxe
/usr/bin/ydvxgwccxe ifconfig 593
1⤵
PID:624

/usr/bin/ydvxgwccxe
/usr/bin/ydvxgwccxe pwd 593
1⤵
PID:627

/usr/bin/ydvxgwccxe
/usr/bin/ydvxgwccxe id 593
1⤵
PID:630

/usr/bin/ydvxgwccxe
/usr/bin/ydvxgwccxe ls 593
1⤵
PID:633

/usr/bin/ydvxgwccxe
/usr/bin/ydvxgwccxe "cat resolv.conf" 593
1⤵
PID:636

/usr/bin/bbcdjuqsxi
/usr/bin/bbcdjuqsxi ifconfig 593
1⤵
PID:639

/usr/bin/bbcdjuqsxi
/usr/bin/bbcdjuqsxi id 593
1⤵
PID:642

/usr/bin/bbcdjuqsxi
/usr/bin/bbcdjuqsxi bash 593
1⤵
PID:645

/usr/bin/bbcdjuqsxi
/usr/bin/bbcdjuqsxi "sleep 1" 593
1⤵
PID:648

/usr/bin/bbcdjuqsxi
/usr/bin/bbcdjuqsxi "netstat -antop" 593
1⤵
PID:651

/usr/bin/bjttonswai
/usr/bin/bjttonswai pwd 593
1⤵
PID:654

/usr/bin/bjttonswai
/usr/bin/bjttonswai "echo \"find\"" 593
1⤵
PID:657

/usr/bin/bjttonswai
/usr/bin/bjttonswai who 593
1⤵
PID:660

/usr/bin/bjttonswai
/usr/bin/bjttonswai "sleep 1" 593
1⤵
PID:663

/usr/bin/bjttonswai
/usr/bin/bjttonswai "route -n" 593
1⤵
PID:666

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Hijack Execution Flow

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Hijack Execution Flow

Scheduled Task

Defense Evasion

Hijack Execution Flow

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads