72f61ae2fbc105c21408cbe910da2b939ea98d26cafaf43a9fabe89361db9dec

General

Target

72Fxor.o
Size

525KB
MD5

1a0e8787503fd9777f08c0b2f4bc8a53
SHA1

9881f9d168e6cbba550bd132634c918cee7367c0
SHA256

72f61ae2fbc105c21408cbe910da2b939ea98d26cafaf43a9fabe89361db9dec
SHA512

64e69d34057158b29b6ca1cd53f44990fde65b5011dec7852d9095350564e6fbfe22a5b9c5bb2fc5304b4bf077c2b2644f1dbeae2c78ad08a6411b79425dbc9e

Score

9^/10

persistence

Malware Config

Signatures

Writes file to system bin folder 1 TTPs 4 IoCs

Hijack Execution Flow

T1574

description	ioc
/bin/kuqcferimv	/bin/kuqcferimv
/bin/jwxzpbwkuj	/bin/jwxzpbwkuj
/bin/bkhxuwzuxp	/bin/bkhxuwzuxp
/bin/rnnbgteets	/bin/rnnbgteets

Creates/modifies Cron job 1 TTPs 2 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

persistence

Scheduled Task

T1053

description	ioc	Process
/etc/crontab	/etc/crontab	sed
/etc/crontab	/etc/crontab	sh

Modifies rc script 1 TTPs 12 IoCs

Adding/modifying system rc scripts is a common persistence mechanism.

persistence

Boot or Logon Autostart Execution

T1547

description	ioc	Process
/etc/rc5.d/	/etc/rc5.d/	update-rc.d
/etc/rc4.d/	/etc/rc4.d/	update-rc.d
/etc/rc2.d/	/etc/rc2.d/	update-rc.d
/etc/rc4.d/S9072Fxor.o	/etc/rc4.d/S9072Fxor.o	Process not Found
/etc/rc0.d/	/etc/rc0.d/	update-rc.d
/etc/rc3.d/S9072Fxor.o	/etc/rc3.d/S9072Fxor.o	Process not Found
/etc/rc5.d/S9072Fxor.o	/etc/rc5.d/S9072Fxor.o	Process not Found
/etc/rc3.d/	/etc/rc3.d/	update-rc.d
/etc/rc6.d/	/etc/rc6.d/	update-rc.d
/etc/rc1.d/	/etc/rc1.d/	update-rc.d
/etc/rc1.d/S9072Fxor.o	/etc/rc1.d/S9072Fxor.o	Process not Found
/etc/rc2.d/S9072Fxor.o	/etc/rc2.d/S9072Fxor.o	Process not Found

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228

Write file to user bin folder 1 TTPs 5 IoCs

Hijack Execution Flow

T1574

description	ioc	Process
/usr/sbin/update-rc.d	/usr/sbin/update-rc.d	update-rc.d
/usr/bin/kuqcferimv	/usr/bin/kuqcferimv	Process not Found
/usr/bin/jwxzpbwkuj	/usr/bin/jwxzpbwkuj	Process not Found
/usr/bin/bkhxuwzuxp	/usr/bin/bkhxuwzuxp	Process not Found
/usr/bin/rnnbgteets	/usr/bin/rnnbgteets	Process not Found

Reads runtime system information 7 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
/proc/1/sched	/proc/1/sched	systemctl
/proc/cmdline	/proc/cmdline	systemctl
/proc/filesystems	/proc/filesystems	sed
/proc/filesystems	/proc/filesystems	systemctl
/proc/self/stat	/proc/self/stat	systemctl
/proc/sys/kernel/osrelease	/proc/sys/kernel/osrelease	systemctl
/proc/1/environ	/proc/1/environ	systemctl

Writes file to tmp directory 4 IoCs

Malware often drops required files in the /tmp directory.

description	ioc
/tmp/bkhxuwzuxp	/tmp/bkhxuwzuxp
/tmp/rnnbgteets	/tmp/rnnbgteets
/tmp/kuqcferimv	/tmp/kuqcferimv
/tmp/jwxzpbwkuj	/tmp/jwxzpbwkuj

./72Fxor.o
./72Fxor.o
1⤵
PID:577

/bin/chkconfig
chkconfig --add 72Fxor.o
1⤵
PID:580

/sbin/chkconfig
chkconfig --add 72Fxor.o
1⤵
PID:580

/usr/bin/chkconfig
chkconfig --add 72Fxor.o
1⤵
PID:580

/usr/sbin/chkconfig
chkconfig --add 72Fxor.o
1⤵
PID:580

/usr/local/bin/chkconfig
chkconfig --add 72Fxor.o
1⤵
PID:580

/usr/local/sbin/chkconfig
chkconfig --add 72Fxor.o
1⤵
PID:580

/usr/X11R6/bin/chkconfig
chkconfig --add 72Fxor.o
1⤵
PID:580

/bin/sh
sh -c "sed -i '/\\/etc\\/cron.hourly\\/gcc4.sh/d' /etc/crontab && echo '*/3 * * * * root /etc/cron.hourly/gcc4.sh' >> /etc/crontab"
1⤵
- Creates/modifies Cron job
PID:583
- /bin/sed
  sed -i "/\\/etc\\/cron.hourly\\/gcc4.sh/d" /etc/crontab
  2⤵
  - Creates/modifies Cron job
  - Reads runtime system information
  PID:584

/bin/update-rc.d
update-rc.d 72Fxor.o defaults
1⤵
PID:582

/sbin/update-rc.d
update-rc.d 72Fxor.o defaults
1⤵
PID:582

/usr/bin/update-rc.d
update-rc.d 72Fxor.o defaults
1⤵
PID:582

/usr/sbin/update-rc.d
update-rc.d 72Fxor.o defaults
1⤵
- Modifies rc script
- Write file to user bin folder
PID:582
- /bin/systemctl
  systemctl daemon-reload
  2⤵
  - Reads runtime system information
  PID:588