f48d2e608faeb0747b32205489e8ca88a3b10ecfd3c2cc2ff31fabf11fac03b3

Processes:

description	ioc
/bin/fgbriop	/bin/fgbriop
/bin/irxcceuntnzvb	/bin/irxcceuntnzvb
/bin/fydyuiuakbi	/bin/fydyuiuakbi
/bin/ztbavgya	/bin/ztbavgya
/bin/dsgovdlckwbjnj	/bin/dsgovdlckwbjnj
/bin/qsmuvnxbeuktu	/bin/qsmuvnxbeuktu
/bin/doashveu	/bin/doashveu
/bin/kwfuairifqjor	/bin/kwfuairifqjor
/bin/bjhbbuiaxhy	/bin/bjhbbuiaxhy
/bin/yhxaiubbhjb	/bin/yhxaiubbhjb
/bin/cmahxcrwcwd	/bin/cmahxcrwcwd
/bin/zypihdln	/bin/zypihdln
/bin/hmjtpxeusmkprx	/bin/hmjtpxeusmkprx
/bin/yhxaiubbhjb.sh	/bin/yhxaiubbhjb.sh
/bin/dxjkdicbxixyy	/bin/dxjkdicbxixyy
/bin/xachyhbzm	/bin/xachyhbzm
/bin/ctsliebb	/bin/ctsliebb
/bin/gpuioamxmxr	/bin/gpuioamxmxr
/bin/vkdvvef	/bin/vkdvvef
/bin/sxdoraxe	/bin/sxdoraxe
/bin/ejgodgqfkms	/bin/ejgodgqfkms
/bin/sximdigek	/bin/sximdigek
/bin/apkkediwf	/bin/apkkediwf
/bin/lqqjymnmzisr	/bin/lqqjymnmzisr
/bin/zbmtnfja	/bin/zbmtnfja

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

persistence

Scheduled Task

Processes:

description	ioc
/etc/cron.hourly/yhxaiubbhjb.sh	/etc/cron.hourly/yhxaiubbhjb.sh

Modifies init.d 1 TTPs 1 IoCs

Adds/modifies system service, likely for persistence.

persistence

Boot or Logon Autostart Execution

Processes:

description	ioc
/etc/init.d/yhxaiubbhjb	/etc/init.d/yhxaiubbhjb

Modifies rc script 1 TTPs 5 IoCs

Adding/modifying system rc scripts is a common persistence mechanism.

persistence

Boot or Logon Autostart Execution

Processes:

description	ioc
/etc/rc1.d/S90yhxaiubbhjb	/etc/rc1.d/S90yhxaiubbhjb
/etc/rc2.d/S90yhxaiubbhjb	/etc/rc2.d/S90yhxaiubbhjb
/etc/rc3.d/S90yhxaiubbhjb	/etc/rc3.d/S90yhxaiubbhjb
/etc/rc4.d/S90yhxaiubbhjb	/etc/rc4.d/S90yhxaiubbhjb
/etc/rc5.d/S90yhxaiubbhjb	/etc/rc5.d/S90yhxaiubbhjb

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

Processes:

description	ioc
/tmp/f48d2e608faeb0747b32205489e8ca88a3b10ecfd3c2cc2ff31fabf11fac03b3	/tmp/f48d2e608faeb0747b32205489e8ca88a3b10ecfd3c2cc2ff31fabf11fac03b3

./f48d2e608faeb0747b32205489e8ca88a3b10ecfd3c2cc2ff31fabf11fac03b3
./f48d2e608faeb0747b32205489e8ca88a3b10ecfd3c2cc2ff31fabf11fac03b3
1⤵
PID:570

/bin/bjhbbuiaxhy
/bin/bjhbbuiaxhy
1⤵
PID:574

/bin/lqqjymnmzisr
/bin/lqqjymnmzisr -d 575
1⤵
PID:579

/bin/doashveu
/bin/doashveu -d 575
1⤵
PID:582

/bin/dxjkdicbxixyy
/bin/dxjkdicbxixyy -d 575
1⤵
PID:589

/bin/zbmtnfja
/bin/zbmtnfja -d 575
1⤵
PID:592

/bin/xachyhbzm
/bin/xachyhbzm -d 575
1⤵
PID:595

/bin/kwfuairifqjor
/bin/kwfuairifqjor -d 575
1⤵
PID:598

/bin/cmahxcrwcwd
/bin/cmahxcrwcwd -d 575
1⤵
PID:601

/bin/fgbriop
/bin/fgbriop -d 575
1⤵
PID:604

/bin/irxcceuntnzvb
/bin/irxcceuntnzvb -d 575
1⤵
PID:607

/bin/fydyuiuakbi
/bin/fydyuiuakbi -d 575
1⤵
PID:610

/bin/ejgodgqfkms
/bin/ejgodgqfkms -d 575
1⤵
PID:613

/bin/ztbavgya
/bin/ztbavgya -d 575
1⤵
PID:616

/bin/vkdvvef
/bin/vkdvvef -d 575
1⤵
PID:619

/bin/zypihdln
/bin/zypihdln -d 575
1⤵
PID:622

/bin/sximdigek
/bin/sximdigek -d 575
1⤵
PID:625

/bin/dsgovdlckwbjnj
/bin/dsgovdlckwbjnj -d 575
1⤵
PID:628

/bin/sxdoraxe
/bin/sxdoraxe -d 575
1⤵
PID:631

/bin/hmjtpxeusmkprx
/bin/hmjtpxeusmkprx -d 575
1⤵
PID:634

/bin/ctsliebb
/bin/ctsliebb -d 575
1⤵
PID:637

/bin/gpuioamxmxr
/bin/gpuioamxmxr -d 575
1⤵
PID:640

/bin/apkkediwf
/bin/apkkediwf -d 575
1⤵
PID:643

/bin/qsmuvnxbeuktu
/bin/qsmuvnxbeuktu -d 575
1⤵
PID:646

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Hijack Execution Flow

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Hijack Execution Flow

Scheduled Task

Defense Evasion

Hijack Execution Flow