f48d2e608faeb0747b32205489e8ca88a3b10ecfd3c2cc2ff31fabf11fac03b3

Resubmissions

02-06-2022 16:54

220602-vewz3aghc6 10

05-01-2022 12:00

220105-n6djgaaehl 1

Analysis

max time kernel
0s
max time network
150s
platform
linux_amd64
resource
ubuntu1804-amd64-en-20211208
submitted
02-06-2022 16:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f48d2e608faeb0747b32205489e8ca88a3b10ecfd3c2cc2ff31fabf11fac03b3
Size

546KB
MD5

429164dbad09cd108d22105e628a3daa
SHA1

85cd14daabf7ffa7dfec07fd50e8e82eca9b5855
SHA256

f48d2e608faeb0747b32205489e8ca88a3b10ecfd3c2cc2ff31fabf11fac03b3
SHA512

0bac37f71c3a5062884e65d3c0b4f3466b73cb8611e300662f6ecfb80d44e8a724c845c55746d5341965b2b56c62f366822f86cd4113df80f7fca85e445b5923

Score

10^/10

persistence suricata

Malware Config

Signatures

suricata: ET MALWARE DDoS.XOR Checkin via HTTP
suricata: ET MALWARE DDoS.XOR Checkin via HTTP
suricata

Writes file to system bin folder 1 TTPs 25 IoCs

Hijack Execution Flow

T1574

Processes:

description	ioc
/bin/fgbriop	/bin/fgbriop
/bin/irxcceuntnzvb	/bin/irxcceuntnzvb
/bin/fydyuiuakbi	/bin/fydyuiuakbi
/bin/ztbavgya	/bin/ztbavgya
/bin/dsgovdlckwbjnj	/bin/dsgovdlckwbjnj
/bin/qsmuvnxbeuktu	/bin/qsmuvnxbeuktu
/bin/doashveu	/bin/doashveu
/bin/kwfuairifqjor	/bin/kwfuairifqjor
/bin/bjhbbuiaxhy	/bin/bjhbbuiaxhy
/bin/yhxaiubbhjb	/bin/yhxaiubbhjb
/bin/cmahxcrwcwd	/bin/cmahxcrwcwd
/bin/zypihdln	/bin/zypihdln
/bin/hmjtpxeusmkprx	/bin/hmjtpxeusmkprx
/bin/yhxaiubbhjb.sh	/bin/yhxaiubbhjb.sh
/bin/dxjkdicbxixyy	/bin/dxjkdicbxixyy
/bin/xachyhbzm	/bin/xachyhbzm
/bin/ctsliebb	/bin/ctsliebb
/bin/gpuioamxmxr	/bin/gpuioamxmxr
/bin/vkdvvef	/bin/vkdvvef
/bin/sxdoraxe	/bin/sxdoraxe
/bin/ejgodgqfkms	/bin/ejgodgqfkms
/bin/sximdigek	/bin/sximdigek
/bin/apkkediwf	/bin/apkkediwf
/bin/lqqjymnmzisr	/bin/lqqjymnmzisr
/bin/zbmtnfja	/bin/zbmtnfja

Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
persistence

Scheduled Task
T1053

Processes:

description ioc

/etc/cron.hourly/yhxaiubbhjb.sh /etc/cron.hourly/yhxaiubbhjb.sh
Modifies init.d 1 TTPs 1 IoCs
Adds/modifies system service, likely for persistence.
persistence

Boot or Logon Autostart Execution
T1547

Processes:

description ioc

/etc/init.d/yhxaiubbhjb /etc/init.d/yhxaiubbhjb

description	ioc
/etc/cron.hourly/yhxaiubbhjb.sh	/etc/cron.hourly/yhxaiubbhjb.sh

description	ioc
/etc/init.d/yhxaiubbhjb	/etc/init.d/yhxaiubbhjb

Modifies rc script 1 TTPs 5 IoCs

Adding/modifying system rc scripts is a common persistence mechanism.

persistence

Boot or Logon Autostart Execution

T1547

Processes:

description	ioc
/etc/rc1.d/S90yhxaiubbhjb	/etc/rc1.d/S90yhxaiubbhjb
/etc/rc2.d/S90yhxaiubbhjb	/etc/rc2.d/S90yhxaiubbhjb
/etc/rc3.d/S90yhxaiubbhjb	/etc/rc3.d/S90yhxaiubbhjb
/etc/rc4.d/S90yhxaiubbhjb	/etc/rc4.d/S90yhxaiubbhjb
/etc/rc5.d/S90yhxaiubbhjb	/etc/rc5.d/S90yhxaiubbhjb

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

Processes:

description	ioc
/tmp/f48d2e608faeb0747b32205489e8ca88a3b10ecfd3c2cc2ff31fabf11fac03b3	/tmp/f48d2e608faeb0747b32205489e8ca88a3b10ecfd3c2cc2ff31fabf11fac03b3

./f48d2e608faeb0747b32205489e8ca88a3b10ecfd3c2cc2ff31fabf11fac03b3
./f48d2e608faeb0747b32205489e8ca88a3b10ecfd3c2cc2ff31fabf11fac03b3
1⤵
PID:570

/bin/bjhbbuiaxhy
/bin/bjhbbuiaxhy
1⤵
PID:574

/bin/lqqjymnmzisr
/bin/lqqjymnmzisr -d 575
1⤵
PID:579

/bin/doashveu
/bin/doashveu -d 575
1⤵
PID:582

/bin/dxjkdicbxixyy
/bin/dxjkdicbxixyy -d 575
1⤵
PID:589

/bin/zbmtnfja
/bin/zbmtnfja -d 575
1⤵
PID:592

/bin/xachyhbzm
/bin/xachyhbzm -d 575
1⤵
PID:595

/bin/kwfuairifqjor
/bin/kwfuairifqjor -d 575
1⤵
PID:598

/bin/cmahxcrwcwd
/bin/cmahxcrwcwd -d 575
1⤵
PID:601

/bin/fgbriop
/bin/fgbriop -d 575
1⤵
PID:604

/bin/irxcceuntnzvb
/bin/irxcceuntnzvb -d 575
1⤵
PID:607

/bin/fydyuiuakbi
/bin/fydyuiuakbi -d 575
1⤵
PID:610

/bin/ejgodgqfkms
/bin/ejgodgqfkms -d 575
1⤵
PID:613

/bin/ztbavgya
/bin/ztbavgya -d 575
1⤵
PID:616

/bin/vkdvvef
/bin/vkdvvef -d 575
1⤵
PID:619

/bin/zypihdln
/bin/zypihdln -d 575
1⤵
PID:622

/bin/sximdigek
/bin/sximdigek -d 575
1⤵
PID:625

/bin/dsgovdlckwbjnj
/bin/dsgovdlckwbjnj -d 575
1⤵
PID:628

/bin/sxdoraxe
/bin/sxdoraxe -d 575
1⤵
PID:631

/bin/hmjtpxeusmkprx
/bin/hmjtpxeusmkprx -d 575
1⤵
PID:634

/bin/ctsliebb
/bin/ctsliebb -d 575
1⤵
PID:637

/bin/gpuioamxmxr
/bin/gpuioamxmxr -d 575
1⤵
PID:640

/bin/apkkediwf
/bin/apkkediwf -d 575
1⤵
PID:643

/bin/qsmuvnxbeuktu
/bin/qsmuvnxbeuktu -d 575
1⤵
PID:646

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Hijack Execution Flow

T1574

Scheduled Task

T1053

Boot or Logon Autostart Execution

T1547

Privilege Escalation

Hijack Execution Flow

T1574

Scheduled Task

T1053

Boot or Logon Autostart Execution

T1547

Defense Evasion

Hijack Execution Flow

T1574

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads