3d8d25e2204f25260c42a29ad2f6c5c21f18f90ce80cb338bc678e242fba68cd

Analysis

max time kernel
0s
max time network
102s
platform
linux_amd64
resource
ubuntu1804-amd64-en-20211208
submitted
17-06-2022 07:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3d8d25e2204f25260c42a29ad2f6c5c21f18f90ce80cb338bc678e242fba68cd
Size

4.5MB
MD5

cc92abe1b08778b79d0369caf016c97e
SHA1

fe47cccdfc35063c6e54786ea704cad5addce866
SHA256

3d8d25e2204f25260c42a29ad2f6c5c21f18f90ce80cb338bc678e242fba68cd
SHA512

9e2477d18fc560978a422a50b32b71707def72a7d2470b75b6672fc2ba8584ecf5fe618108748b002312ae6d072f255f0981a26ee6ea788d4acdd5f6f7e32ede

Score

10^/10

persistence suricata

Malware Config

Signatures

suricata: ET MALWARE ZHtrap CnC Checkin
suricata: ET MALWARE ZHtrap CnC Checkin
suricata
suricata: ET MALWARE ZHtrap CnC Response - Connection Successfully Established
suricata: ET MALWARE ZHtrap CnC Response - Connection Successfully Established
suricata

Deletes system logs 1 TTPs 3 IoCs

Indicator Removal on Host

T1070

Processes:

3d8d25e2204f25260c42a29ad2f6c5c21f18f90ce80cb338bc678e242fba68cd

description	ioc	process
/var/log/installer/cdebconf/questions.dat	/var/log/installer/cdebconf/questions.dat	3d8d25e2204f25260c42a29ad2f6c5c21f18f90ce80cb338bc678e242fba68cd
/var/log/installer/cdebconf/templates.dat	/var/log/installer/cdebconf/templates.dat	3d8d25e2204f25260c42a29ad2f6c5c21f18f90ce80cb338bc678e242fba68cd
/var/log/installer/initial-status.gz	/var/log/installer/initial-status.gz	3d8d25e2204f25260c42a29ad2f6c5c21f18f90ce80cb338bc678e242fba68cd

Modifies init.d 1 TTPs 1 IoCs
Adds/modifies system service, likely for persistence.
persistence

Boot or Logon Autostart Execution
T1547

Processes:

3d8d25e2204f25260c42a29ad2f6c5c21f18f90ce80cb338bc678e242fba68cd

description ioc process

/etc/init.d/System.sh /etc/init.d/System.sh 3d8d25e2204f25260c42a29ad2f6c5c21f18f90ce80cb338bc678e242fba68cd

description	ioc	process
/etc/init.d/System.sh	/etc/init.d/System.sh	3d8d25e2204f25260c42a29ad2f6c5c21f18f90ce80cb338bc678e242fba68cd

Write file to user bin folder 1 TTPs 2 IoCs

Hijack Execution Flow

T1574

Processes:

3d8d25e2204f25260c42a29ad2f6c5c21f18f90ce80cb338bc678e242fba68cd

description	ioc	process
/usr/local/sbin/7z	/usr/local/sbin/7z	3d8d25e2204f25260c42a29ad2f6c5c21f18f90ce80cb338bc678e242fba68cd
/usr/bin/gettext.sh	/usr/bin/gettext.sh

./3d8d25e2204f25260c42a29ad2f6c5c21f18f90ce80cb338bc678e242fba68cd
./3d8d25e2204f25260c42a29ad2f6c5c21f18f90ce80cb338bc678e242fba68cd
1⤵
- Deletes system logs
- Modifies init.d
- Write file to user bin folder
PID:571

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Defense Evasion

Hijack Execution Flow

T1574

Indicator Removal on Host

T1070

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads