Analysis
- max time kernel: 0s
- max time network: 25s
- platform: linux_amd64
- resource: ubuntu1804-amd64-en-20211208
- submitted: 02-06-2022 16:54

Static task: static1
Behavioral task: behavioral1
Sample: 72Fxor.o
Resource: ubuntu1804-amd64-en-20211208

General
- Target: 72Fxor.o
- Size: 525KB
- MD5: 1a0e8787503fd9777f08c0b2f4bc8a53
- SHA1: 9881f9d168e6cbba550bd132634c918cee7367c0
- SHA256: 72f61ae2fbc105c21408cbe910da2b939ea98d26cafaf43a9fabe89361db9dec
- SHA512: 64e69d34057158b29b6ca1cd53f44990fde65b5011dec7852d9095350564e6fbfe22a5b9c5bb2fc5304b4bf077c2b2644f1dbeae2c78ad08a6411b79425dbc9e
Malware Config

Signatures
- Writes file to system bin folder (1 TTPs, 4 IoCs)
  Processes:
  description | ioc
  /bin/kuqcferimv | /bin/kuqcferimv
  /bin/jwxzpbwkuj | /bin/jwxzpbwkuj
  /bin/bkhxuwzuxp | /bin/bkhxuwzuxp
  /bin/rnnbgteets | /bin/rnnbgteets
- Creates/modifies Cron job (1 TTPs, 2 IoCs)
  Cron allows running tasks on a schedule, and is commonly used for malware persistence.
  Processes: sed, sh
  description | ioc | process
  /etc/crontab | /etc/crontab | sed
  /etc/crontab | /etc/crontab | sh
- Modifies rc script (1 TTPs, 12 IoCs)
  Adding/modifying system rc scripts is a common persistence mechanism.
  Processes: update-rc.d
  description | ioc | process
  /etc/rc5.d/ | /etc/rc5.d/ | update-rc.d
  /etc/rc4.d/ | /etc/rc4.d/ | update-rc.d
  /etc/rc2.d/ | /etc/rc2.d/ | update-rc.d
  /etc/rc4.d/S9072Fxor.o | /etc/rc4.d/S9072Fxor.o |
  /etc/rc0.d/ | /etc/rc0.d/ | update-rc.d
  /etc/rc3.d/S9072Fxor.o | /etc/rc3.d/S9072Fxor.o |
  /etc/rc5.d/S9072Fxor.o | /etc/rc5.d/S9072Fxor.o |
  /etc/rc3.d/ | /etc/rc3.d/ | update-rc.d
  /etc/rc6.d/ | /etc/rc6.d/ | update-rc.d
  /etc/rc1.d/ | /etc/rc1.d/ | update-rc.d
  /etc/rc1.d/S9072Fxor.o | /etc/rc1.d/S9072Fxor.o |
  /etc/rc2.d/S9072Fxor.o | /etc/rc2.d/S9072Fxor.o |
- Unexpected DNS network traffic destination (4 IoCs)
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
  Processes:
  description | ioc
  Destination IP | 103.25.9.228
  Destination IP | 103.25.9.228
  Destination IP | 103.25.9.228
  Destination IP | 103.25.9.228
- Write file to user bin folder (1 TTPs, 5 IoCs)
  Processes: update-rc.d
  description | ioc | process
  /usr/sbin/update-rc.d | /usr/sbin/update-rc.d | update-rc.d
  /usr/bin/kuqcferimv | /usr/bin/kuqcferimv |
  /usr/bin/jwxzpbwkuj | /usr/bin/jwxzpbwkuj |
  /usr/bin/bkhxuwzuxp | /usr/bin/bkhxuwzuxp |
  /usr/bin/rnnbgteets | /usr/bin/rnnbgteets |
- Reads runtime system information (7 IoCs)
  Reads data from /proc virtual filesystem.
  Processes: systemctl, sed
  description | ioc | process
  /proc/1/sched | /proc/1/sched | systemctl
  /proc/cmdline | /proc/cmdline | systemctl
  /proc/filesystems | /proc/filesystems | sed
  /proc/filesystems | /proc/filesystems | systemctl
  /proc/self/stat | /proc/self/stat | systemctl
  /proc/sys/kernel/osrelease | /proc/sys/kernel/osrelease | systemctl
  /proc/1/environ | /proc/1/environ | systemctl
- Writes file to tmp directory (4 IoCs)
  Malware often drops required files in the /tmp directory.
  Processes:
  description | ioc
  /tmp/bkhxuwzuxp | /tmp/bkhxuwzuxp
  /tmp/rnnbgteets | /tmp/rnnbgteets
  /tmp/kuqcferimv | /tmp/kuqcferimv
  /tmp/jwxzpbwkuj | /tmp/jwxzpbwkuj
Processes (image path: command line; child processes indented under their parent)
- ./72Fxor.o: ./72Fxor.o
- /bin/chkconfig: chkconfig --add 72Fxor.o
- /sbin/chkconfig: chkconfig --add 72Fxor.o
- /usr/bin/chkconfig: chkconfig --add 72Fxor.o
- /usr/sbin/chkconfig: chkconfig --add 72Fxor.o
- /usr/local/bin/chkconfig: chkconfig --add 72Fxor.o
- /usr/local/sbin/chkconfig: chkconfig --add 72Fxor.o
- /usr/X11R6/bin/chkconfig: chkconfig --add 72Fxor.o
- /bin/sh: sh -c "sed -i '/\\/etc\\/cron.hourly\\/gcc4.sh/d' /etc/crontab && echo '*/3 * * * * root /etc/cron.hourly/gcc4.sh' >> /etc/crontab"
  Signatures: Creates/modifies Cron job
  - /bin/sed: sed -i "/\\/etc\\/cron.hourly\\/gcc4.sh/d" /etc/crontab
    Signatures: Creates/modifies Cron job; Reads runtime system information
- /bin/update-rc.d: update-rc.d 72Fxor.o defaults
- /sbin/update-rc.d: update-rc.d 72Fxor.o defaults
- /usr/bin/update-rc.d: update-rc.d 72Fxor.o defaults
- /usr/sbin/update-rc.d: update-rc.d 72Fxor.o defaults
  Signatures: Modifies rc script; Write file to user bin folder
  - /bin/systemctl: systemctl daemon-reload
    Signatures: Reads runtime system information
- /usr/bin/jwxzpbwkuj: /usr/bin/jwxzpbwkuj "sleep 1" 578
- /usr/bin/jwxzpbwkuj: /usr/bin/jwxzpbwkuj "echo \"find\"" 578
- /usr/bin/jwxzpbwkuj: /usr/bin/jwxzpbwkuj "netstat -antop" 578
- /usr/bin/jwxzpbwkuj: /usr/bin/jwxzpbwkuj top 578
- /usr/bin/jwxzpbwkuj: /usr/bin/jwxzpbwkuj "echo \"find\"" 578
- /usr/bin/bkhxuwzuxp: /usr/bin/bkhxuwzuxp "cd /etc" 578
- /usr/bin/bkhxuwzuxp: /usr/bin/bkhxuwzuxp "route -n" 578
- /usr/bin/bkhxuwzuxp: /usr/bin/bkhxuwzuxp "ls -la" 578
- /usr/bin/bkhxuwzuxp: /usr/bin/bkhxuwzuxp ifconfig 578
- /usr/bin/bkhxuwzuxp: /usr/bin/bkhxuwzuxp "echo \"find\"" 578
- /usr/bin/rnnbgteets: /usr/bin/rnnbgteets "sleep 1" 578
- /usr/bin/rnnbgteets: /usr/bin/rnnbgteets who 578
- /usr/bin/rnnbgteets: /usr/bin/rnnbgteets "cd /etc" 578
- /usr/bin/rnnbgteets: /usr/bin/rnnbgteets "echo \"find\"" 578
- /usr/bin/rnnbgteets: /usr/bin/rnnbgteets who 578