72f61ae2fbc105c21408cbe910da2b939ea98d26cafaf43a9fabe89361db9dec | Triage

Resubmissions

02-06-2022 16:54

220602-vesbwacebm 10

09-04-2022 21:38

220409-1g1zpahgfj 9

Analysis

max time kernel
0s
max time network
25s
platform
linux_amd64
resource
ubuntu1804-amd64-en-20211208
submitted
02-06-2022 16:54

Sharing

Report Analysis Logs

General

Target

72Fxor.o
Size

525KB
MD5

1a0e8787503fd9777f08c0b2f4bc8a53
SHA1

9881f9d168e6cbba550bd132634c918cee7367c0
SHA256

72f61ae2fbc105c21408cbe910da2b939ea98d26cafaf43a9fabe89361db9dec
SHA512

64e69d34057158b29b6ca1cd53f44990fde65b5011dec7852d9095350564e6fbfe22a5b9c5bb2fc5304b4bf077c2b2644f1dbeae2c78ad08a6411b79425dbc9e

Score

9^/10

persistence

Malware Config

Signatures

Writes file to system bin folder 1 TTPs 4 IoCs

Hijack Execution Flow
T1574

Processes:

description ioc

/bin/kuqcferimv /bin/kuqcferimv
/bin/jwxzpbwkuj /bin/jwxzpbwkuj
/bin/bkhxuwzuxp /bin/bkhxuwzuxp
/bin/rnnbgteets /bin/rnnbgteets
Creates/modifies Cron job 1 TTPs 2 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
persistence

Scheduled Task
T1053

Processes:

sedsh

description ioc process

/etc/crontab /etc/crontab sed
/etc/crontab /etc/crontab sh

Modifies rc script 1 TTPs 12 IoCs

Adding/modifying system rc scripts is a common persistence mechanism.

Boot or Logon Autostart Execution

Processes:

update-rc.d

description	ioc	process
/etc/rc5.d/	/etc/rc5.d/	update-rc.d
/etc/rc4.d/	/etc/rc4.d/	update-rc.d
/etc/rc2.d/	/etc/rc2.d/	update-rc.d
/etc/rc4.d/S9072Fxor.o	/etc/rc4.d/S9072Fxor.o
/etc/rc0.d/	/etc/rc0.d/	update-rc.d
/etc/rc3.d/S9072Fxor.o	/etc/rc3.d/S9072Fxor.o
/etc/rc5.d/S9072Fxor.o	/etc/rc5.d/S9072Fxor.o
/etc/rc3.d/	/etc/rc3.d/	update-rc.d
/etc/rc6.d/	/etc/rc6.d/	update-rc.d
/etc/rc1.d/	/etc/rc1.d/	update-rc.d
/etc/rc1.d/S9072Fxor.o	/etc/rc1.d/S9072Fxor.o
/etc/rc2.d/S9072Fxor.o	/etc/rc2.d/S9072Fxor.o

Unexpected DNS network traffic destination 4 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 103.25.9.228
Destination IP 103.25.9.228
Destination IP 103.25.9.228
Destination IP 103.25.9.228

Write file to user bin folder 1 TTPs 5 IoCs

Hijack Execution Flow

Processes:

update-rc.d

description	ioc	process
/usr/sbin/update-rc.d	/usr/sbin/update-rc.d	update-rc.d
/usr/bin/kuqcferimv	/usr/bin/kuqcferimv
/usr/bin/jwxzpbwkuj	/usr/bin/jwxzpbwkuj
/usr/bin/bkhxuwzuxp	/usr/bin/bkhxuwzuxp
/usr/bin/rnnbgteets	/usr/bin/rnnbgteets

Reads runtime system information 7 IoCs

Reads data from /proc virtual filesystem.

Processes:

systemctlsed

description	ioc	process
/proc/1/sched	/proc/1/sched	systemctl
/proc/cmdline	/proc/cmdline	systemctl
/proc/filesystems	/proc/filesystems	sed
/proc/filesystems	/proc/filesystems	systemctl
/proc/self/stat	/proc/self/stat	systemctl
/proc/sys/kernel/osrelease	/proc/sys/kernel/osrelease	systemctl
/proc/1/environ	/proc/1/environ	systemctl

Writes file to tmp directory 4 IoCs
Malware often drops required files in the /tmp directory.

Processes:

description ioc

/tmp/bkhxuwzuxp /tmp/bkhxuwzuxp
/tmp/rnnbgteets /tmp/rnnbgteets
/tmp/kuqcferimv /tmp/kuqcferimv
/tmp/jwxzpbwkuj /tmp/jwxzpbwkuj

./72Fxor.o
./72Fxor.o
1⤵
PID:577

/bin/chkconfig
chkconfig --add 72Fxor.o
1⤵
PID:580

/sbin/chkconfig
chkconfig --add 72Fxor.o
1⤵
PID:580

/usr/bin/chkconfig
chkconfig --add 72Fxor.o
1⤵
PID:580

/usr/sbin/chkconfig
chkconfig --add 72Fxor.o
1⤵
PID:580

/usr/local/bin/chkconfig
chkconfig --add 72Fxor.o
1⤵
PID:580

/usr/local/sbin/chkconfig
chkconfig --add 72Fxor.o
1⤵
PID:580

/usr/X11R6/bin/chkconfig
chkconfig --add 72Fxor.o
1⤵
PID:580

/bin/sh
sh -c "sed -i '/\\/etc\\/cron.hourly\\/gcc4.sh/d' /etc/crontab && echo '*/3 * * * * root /etc/cron.hourly/gcc4.sh' >> /etc/crontab"
1⤵
- Creates/modifies Cron job
PID:583

/bin/sed
sed -i "/\\/etc\\/cron.hourly\\/gcc4.sh/d" /etc/crontab
2⤵
- Creates/modifies Cron job
- Reads runtime system information
PID:584

/bin/update-rc.d
update-rc.d 72Fxor.o defaults
1⤵
PID:582

/sbin/update-rc.d
update-rc.d 72Fxor.o defaults
1⤵
PID:582

/usr/bin/update-rc.d
update-rc.d 72Fxor.o defaults
1⤵
PID:582

/usr/sbin/update-rc.d
update-rc.d 72Fxor.o defaults
1⤵
- Modifies rc script
- Write file to user bin folder
PID:582

/bin/systemctl
systemctl daemon-reload
2⤵
- Reads runtime system information
PID:588

/usr/bin/jwxzpbwkuj
/usr/bin/jwxzpbwkuj "sleep 1" 578
1⤵
PID:610

/usr/bin/jwxzpbwkuj
/usr/bin/jwxzpbwkuj "echo \"find\"" 578
1⤵
PID:613

/usr/bin/jwxzpbwkuj
/usr/bin/jwxzpbwkuj "netstat -antop" 578
1⤵
PID:616

/usr/bin/jwxzpbwkuj
/usr/bin/jwxzpbwkuj top 578
1⤵
PID:619

/usr/bin/jwxzpbwkuj
/usr/bin/jwxzpbwkuj "echo \"find\"" 578
1⤵
PID:622

/usr/bin/bkhxuwzuxp
/usr/bin/bkhxuwzuxp "cd /etc" 578
1⤵
PID:625

/usr/bin/bkhxuwzuxp
/usr/bin/bkhxuwzuxp "route -n" 578
1⤵
PID:628

/usr/bin/bkhxuwzuxp
/usr/bin/bkhxuwzuxp "ls -la" 578
1⤵
PID:631

/usr/bin/bkhxuwzuxp
/usr/bin/bkhxuwzuxp ifconfig 578
1⤵
PID:634

/usr/bin/bkhxuwzuxp
/usr/bin/bkhxuwzuxp "echo \"find\"" 578
1⤵
PID:637

/usr/bin/rnnbgteets
/usr/bin/rnnbgteets "sleep 1" 578
1⤵
PID:640

/usr/bin/rnnbgteets
/usr/bin/rnnbgteets who 578
1⤵
PID:643

/usr/bin/rnnbgteets
/usr/bin/rnnbgteets "cd /etc" 578
1⤵
PID:646

/usr/bin/rnnbgteets
/usr/bin/rnnbgteets "echo \"find\"" 578
1⤵
PID:649

/usr/bin/rnnbgteets
/usr/bin/rnnbgteets who 578
1⤵
PID:652

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Hijack Execution Flow

Scheduled Task

Boot or Logon Autostart Execution

Privilege Escalation

Hijack Execution Flow

Scheduled Task

Boot or Logon Autostart Execution

Defense Evasion

Hijack Execution Flow

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...