24b5cdfc8de10c99929b230f0dcbf7fcefe9de448eeb6c75675cfe6c44633073

Resubmissions

12/03/2025, 02:34

250312-c2nm4atrw3 10

12/03/2025, 02:33

250312-c2afgavzgv 10

17/06/2022, 07:14

220617-h2mnpaddf2 10

Analysis

max time kernel
16467s
max time network
156s
platform
linux_armhf
resource
debian9-armhf-en-20211208
submitted
17/06/2022, 07:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

24b5cdfc8de10c99929b230f0dcbf7fcefe9de448eeb6c75675cfe6c44633073
Size

4.6MB
MD5

6ffabd3e67705be52bff0d21ce13caf0
SHA1

a484ed721ff2b6bf651c8d057408e6af7a85d709
SHA256

24b5cdfc8de10c99929b230f0dcbf7fcefe9de448eeb6c75675cfe6c44633073
SHA512

d18ce8518e43e79a8b8809cbf842e7f7658fe3e83a15e8e3bb4dc2eec892b0cdff8b83bd7ce82eae8619e9e075d076283d0d6f3e5e69e270e43bd09856011dbe

Score

10^/10

persistence suricata

Malware Config

Signatures

suricata: ET MALWARE ZHtrap CnC Checkin
suricata: ET MALWARE ZHtrap CnC Checkin
suricata
suricata: ET MALWARE ZHtrap CnC Response - Connection Successfully Established
suricata: ET MALWARE ZHtrap CnC Response - Connection Successfully Established
suricata

Writes file to system bin folder 1 TTPs 2 IoCs

Hijack Execution Flow

T1574

description	ioc	Process
/bin/README_FOR_DECRYPT.txtt	/bin/README_FOR_DECRYPT.txtt	24b5cdfc8de10c99929b230f0dcbf7fcefe9de448eeb6c75675cfe6c44633073
/sbin/README_FOR_DECRYPT.txtt	/sbin/README_FOR_DECRYPT.txtt	Process not Found

Modifies init.d 1 TTPs 1 IoCs

Adds/modifies system service, likely for persistence.

persistence

Boot or Logon Autostart Execution

T1547

description	ioc	Process
/etc/init.d/System.sh	/etc/init.d/System.sh	24b5cdfc8de10c99929b230f0dcbf7fcefe9de448eeb6c75675cfe6c44633073

Write file to user bin folder 1 TTPs 5 IoCs

Hijack Execution Flow

T1574

description	ioc	Process
/usr/local/sbin/README_FOR_DECRYPT.txtt	/usr/local/sbin/README_FOR_DECRYPT.txtt	Process not Found
/usr/sbin/README_FOR_DECRYPT.txtt	/usr/sbin/README_FOR_DECRYPT.txtt	Process not Found
/usr/local/sbin/7z	/usr/local/sbin/7z	24b5cdfc8de10c99929b230f0dcbf7fcefe9de448eeb6c75675cfe6c44633073
/usr/bin/README_FOR_DECRYPT.txtt	/usr/bin/README_FOR_DECRYPT.txtt	Process not Found
/usr/local/bin/README_FOR_DECRYPT.txtt	/usr/local/bin/README_FOR_DECRYPT.txtt	Process not Found

Reads CPU attributes 1 TTPs 7 IoCs

System Information Discovery

T1082

description	ioc
/sys/devices/system/cpu/cpu0	/sys/devices/system/cpu/cpu0
/sys/devices/system/cpu/cpu0/hotplug	/sys/devices/system/cpu/cpu0/hotplug
/sys/devices/system/cpu/cpu0/power	/sys/devices/system/cpu/cpu0/power
/sys/devices/system/cpu/cpu0/topology	/sys/devices/system/cpu/cpu0/topology
/sys/devices/system/cpu/cpufreq	/sys/devices/system/cpu/cpufreq
/sys/devices/system/cpu/hotplug	/sys/devices/system/cpu/hotplug
/sys/devices/system/cpu/power	/sys/devices/system/cpu/power

Enumerates kernel/hardware configuration 1 TTPs 64 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

T1082

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

description	ioc
/proc/1/attr	/proc/1/attr
/proc/129	/proc/129
/proc/4/fdinfo	/proc/4/fdinfo
/proc/8/map_files	/proc/8/map_files
/proc/sys	/proc/sys
/proc/10/map_files	/proc/10/map_files
/proc/16/ns	/proc/16/ns
/proc/351/task/360/fd	/proc/351/task/360/fd
/proc/353/task/353/fd	/proc/353/task/353/fd
/proc/sys/kernel/random	/proc/sys/kernel/random
/proc/151/map_files	/proc/151/map_files
/proc/151/task/151/net/dev_snmp6	/proc/151/task/151/net/dev_snmp6
/proc/17/net/dev_snmp6	/proc/17/net/dev_snmp6
/proc/231/task/241/net/stat	/proc/231/task/241/net/stat
/proc/272	/proc/272
/proc/347/net	/proc/347/net
/proc/276/net	/proc/276/net
/proc/351/fd	/proc/351/fd
/proc/6/task	/proc/6/task
/proc/8/net/dev_snmp6	/proc/8/net/dev_snmp6
/proc/129/task	/proc/129/task
/proc/231/task/240/attr	/proc/231/task/240/attr
/proc/353/task/354/net/dev_snmp6	/proc/353/task/354/net/dev_snmp6
/proc/10/task	/proc/10/task
/proc/151/task/151/net/netfilter	/proc/151/task/151/net/netfilter
/proc/25/task/25/attr	/proc/25/task/25/attr
/proc/351/task/351/net/dev_snmp6	/proc/351/task/351/net/dev_snmp6
/proc/351/task/352/net/stat	/proc/351/task/352/net/stat
/proc/9/fd	/proc/9/fd
/proc/103/fd	/proc/103/fd
/proc/145	/proc/145
/proc/17/task/17/fdinfo	/proc/17/task/17/fdinfo
/proc/272/attr	/proc/272/attr
/proc/28/task/28	/proc/28/task/28
/proc/218/task/229	/proc/218/task/229
/proc/42/net/netfilter	/proc/42/net/netfilter
/proc/9/task/9/fdinfo	/proc/9/task/9/fdinfo
/proc/103/net/dev_snmp6	/proc/103/net/dev_snmp6
/proc/145/net	/proc/145/net
/proc/29/net	/proc/29/net
/proc/7/task/7/fdinfo	/proc/7/task/7/fdinfo
/proc/9/attr	/proc/9/attr
/proc/351/task/361/net/stat	/proc/351/task/361/net/stat
/proc/18/task/18/net/netfilter	/proc/18/task/18/net/netfilter
/proc/20	/proc/20
/proc/218/task/218/fdinfo	/proc/218/task/218/fdinfo
/proc/218/task/229/net/dev_snmp6	/proc/218/task/229/net/dev_snmp6
/proc/218/task/229/net/netfilter	/proc/218/task/229/net/netfilter
/proc/26/task/26/net	/proc/26/task/26/net
/proc/15/map_files	/proc/15/map_files
/proc/218/task/229/net/stat	/proc/218/task/229/net/stat
/proc/23/task/23/fd	/proc/23/task/23/fd
/proc/6/net/stat	/proc/6/net/stat
/proc/4/net/stat	/proc/4/net/stat
/proc/43/net/netfilter	/proc/43/net/netfilter
/proc/13/task	/proc/13/task
/proc/151/fd	/proc/151/fd
/proc/28/task	/proc/28/task
/proc/351/net/dev_snmp6	/proc/351/net/dev_snmp6
/proc/8/ns	/proc/8/ns
/proc/8/net	/proc/8/net
/proc/105/attr	/proc/105/attr
/proc/13/net/stat	/proc/13/net/stat
/proc/16/net/dev_snmp6	/proc/16/net/dev_snmp6

Writes file to tmp directory 8 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
/tmp/systemd-private-c3233288b684421da5109ee2d9cf168d-systemd-timesyncd.service-Qv0tw4	/tmp/systemd-private-c3233288b684421da5109ee2d9cf168d-systemd-timesyncd.service-Qv0tw4	Process not Found
/tmp/systemd-private-c3233288b684421da5109ee2d9cf168d-systemd-timesyncd.service-Qv0tw4/tmp	/tmp/systemd-private-c3233288b684421da5109ee2d9cf168d-systemd-timesyncd.service-Qv0tw4/tmp	Process not Found
/tmp/24b5cdfc8de10c99929b230f0dcbf7fcefe9de448eeb6c75675cfe6c44633073.pid	/tmp/24b5cdfc8de10c99929b230f0dcbf7fcefe9de448eeb6c75675cfe6c44633073.pid	24b5cdfc8de10c99929b230f0dcbf7fcefe9de448eeb6c75675cfe6c44633073
/tmp/.ICE-unix	/tmp/.ICE-unix	Process not Found
/tmp/.Test-unix	/tmp/.Test-unix	Process not Found
/tmp/.X11-unix	/tmp/.X11-unix	Process not Found
/tmp/.XIM-unix	/tmp/.XIM-unix	Process not Found
/tmp/.font-unix	/tmp/.font-unix	Process not Found

./24b5cdfc8de10c99929b230f0dcbf7fcefe9de448eeb6c75675cfe6c44633073
./24b5cdfc8de10c99929b230f0dcbf7fcefe9de448eeb6c75675cfe6c44633073
1⤵
- Writes file to system bin folder
- Modifies init.d
- Write file to user bin folder
- Enumerates kernel/hardware configuration
- Writes file to tmp directory
PID:351

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Defense Evasion

Hijack Execution Flow

T1574

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...

description	ioc	Process
/sys/fs/cgroup/pids/init.scope	/sys/fs/cgroup/pids/init.scope	24b5cdfc8de10c99929b230f0dcbf7fcefe9de448eeb6c75675cfe6c44633073
/sys/kernel/debug/tracing/events/syscalls/sys_exit_chmod	/sys/kernel/debug/tracing/events/syscalls/sys_exit_chmod	Process not Found
/sys/kernel/debug/tracing/events/vb2/vb2_buf_queue	/sys/kernel/debug/tracing/events/vb2/vb2_buf_queue	Process not Found
/sys/kernel/debug/tracing/events/vmscan/mm_vmscan_memcg_reclaim_end	/sys/kernel/debug/tracing/events/vmscan/mm_vmscan_memcg_reclaim_end	Process not Found
/sys/devices/platform/a003c00.virtio_mmio/virtio0/power	/sys/devices/platform/a003c00.virtio_mmio/virtio0/power	24b5cdfc8de10c99929b230f0dcbf7fcefe9de448eeb6c75675cfe6c44633073
/sys/kernel/debug/tracing/events/i2c/i2c_read	/sys/kernel/debug/tracing/events/i2c/i2c_read	24b5cdfc8de10c99929b230f0dcbf7fcefe9de448eeb6c75675cfe6c44633073
/sys/kernel/debug/tracing/events/syscalls/sys_exit_getuid	/sys/kernel/debug/tracing/events/syscalls/sys_exit_getuid	Process not Found
/sys/devices/platform/a000c00.virtio_mmio/power	/sys/devices/platform/a000c00.virtio_mmio/power	24b5cdfc8de10c99929b230f0dcbf7fcefe9de448eeb6c75675cfe6c44633073
/sys/kernel/irq/0	/sys/kernel/irq/0	Process not Found
/sys/kernel/irq/43	/sys/kernel/irq/43	Process not Found
/sys/kernel/debug/tracing/events/filelock/posix_lock_inode	/sys/kernel/debug/tracing/events/filelock/posix_lock_inode	24b5cdfc8de10c99929b230f0dcbf7fcefe9de448eeb6c75675cfe6c44633073
/sys/devices/system/clockevents/broadcast	/sys/devices/system/clockevents/broadcast	Process not Found
/sys/fs/cgroup/pids/user.slice/user-0.slice/session-1.scope	/sys/fs/cgroup/pids/user.slice/user-0.slice/session-1.scope	24b5cdfc8de10c99929b230f0dcbf7fcefe9de448eeb6c75675cfe6c44633073
/sys/kernel/debug/tracing/events/fib/fib_table_lookup_nh	/sys/kernel/debug/tracing/events/fib/fib_table_lookup_nh	24b5cdfc8de10c99929b230f0dcbf7fcefe9de448eeb6c75675cfe6c44633073
/sys/kernel/irq/9	/sys/kernel/irq/9	Process not Found
/sys/fs/cgroup/devices/system.slice/systemd-timesyncd.service	/sys/fs/cgroup/devices/system.slice/systemd-timesyncd.service	24b5cdfc8de10c99929b230f0dcbf7fcefe9de448eeb6c75675cfe6c44633073
/sys/kernel/debug/tracing/events/syscalls/sys_enter_write	/sys/kernel/debug/tracing/events/syscalls/sys_enter_write	Process not Found
/sys/kernel/debug/tracing/events/syscalls/sys_exit_dup3	/sys/kernel/debug/tracing/events/syscalls/sys_exit_dup3	Process not Found
/sys/kernel/debug/tracing/events/i2c/i2c_write	/sys/kernel/debug/tracing/events/i2c/i2c_write	24b5cdfc8de10c99929b230f0dcbf7fcefe9de448eeb6c75675cfe6c44633073
/sys/kernel/debug/tracing/events/power/clock_set_rate	/sys/kernel/debug/tracing/events/power/clock_set_rate	24b5cdfc8de10c99929b230f0dcbf7fcefe9de448eeb6c75675cfe6c44633073
/sys/kernel/debug/tracing/events/random/add_device_randomness	/sys/kernel/debug/tracing/events/random/add_device_randomness	24b5cdfc8de10c99929b230f0dcbf7fcefe9de448eeb6c75675cfe6c44633073
/sys/kernel/debug/tracing/events/syscalls/sys_exit_bdflush	/sys/kernel/debug/tracing/events/syscalls/sys_exit_bdflush	Process not Found
/sys/devices/virtual/tty/tty11/power	/sys/devices/virtual/tty/tty11/power	Process not Found
/sys/devices/virtual/tty/tty52/power	/sys/devices/virtual/tty/tty52/power	Process not Found
/sys/fs/cgroup/blkio/user.slice	/sys/fs/cgroup/blkio/user.slice	Process not Found
/sys/kernel/debug/tracing/events/syscalls/sys_exit_fchmodat	/sys/kernel/debug/tracing/events/syscalls/sys_exit_fchmodat	Process not Found
/sys/bus/platform/drivers/tegra124-dfll	/sys/bus/platform/drivers/tegra124-dfll	24b5cdfc8de10c99929b230f0dcbf7fcefe9de448eeb6c75675cfe6c44633073
/sys/kernel/debug/tracing/events/kmem	/sys/kernel/debug/tracing/events/kmem	24b5cdfc8de10c99929b230f0dcbf7fcefe9de448eeb6c75675cfe6c44633073
/sys/kernel/debug/tracing/events/net/netif_rx	/sys/kernel/debug/tracing/events/net/netif_rx	24b5cdfc8de10c99929b230f0dcbf7fcefe9de448eeb6c75675cfe6c44633073
/sys/module/module	/sys/module/module	Process not Found
/sys/fs/cgroup/memory/user.slice/user-0.slice	/sys/fs/cgroup/memory/user.slice/user-0.slice	24b5cdfc8de10c99929b230f0dcbf7fcefe9de448eeb6c75675cfe6c44633073
/sys/kernel/debug/tracing/events/module/module_get	/sys/kernel/debug/tracing/events/module/module_get	24b5cdfc8de10c99929b230f0dcbf7fcefe9de448eeb6c75675cfe6c44633073
/sys/kernel/debug/tracing/events/syscalls/sys_exit_fdatasync	/sys/kernel/debug/tracing/events/syscalls/sys_exit_fdatasync	Process not Found
/sys/kernel/debug/tracing/events/syscalls/sys_exit_lremovexattr	/sys/kernel/debug/tracing/events/syscalls/sys_exit_lremovexattr	Process not Found
/sys/devices/virtual/misc/psaux/power	/sys/devices/virtual/misc/psaux/power	Process not Found
/sys/kernel/debug/tracing/events/kmem/mm_page_alloc	/sys/kernel/debug/tracing/events/kmem/mm_page_alloc	24b5cdfc8de10c99929b230f0dcbf7fcefe9de448eeb6c75675cfe6c44633073
/sys/kernel/debug/tracing/events/regmap/regmap_async_io_complete	/sys/kernel/debug/tracing/events/regmap/regmap_async_io_complete	24b5cdfc8de10c99929b230f0dcbf7fcefe9de448eeb6c75675cfe6c44633073
/sys/devices/virtual/net/lo/statistics	/sys/devices/virtual/net/lo/statistics	Process not Found
/sys/devices/virtual/tty/tty9/power	/sys/devices/virtual/tty/tty9/power	Process not Found
/sys/kernel/debug/tracing/events/fence/fence_wait_start	/sys/kernel/debug/tracing/events/fence/fence_wait_start	24b5cdfc8de10c99929b230f0dcbf7fcefe9de448eeb6c75675cfe6c44633073
/sys/kernel/debug/tracing/events/syscalls/sys_enter_semget	/sys/kernel/debug/tracing/events/syscalls/sys_enter_semget	Process not Found
/sys/bus/amba/devices	/sys/bus/amba/devices	Process not Found
/sys/bus/platform/drivers/efi-framebuffer	/sys/bus/platform/drivers/efi-framebuffer	24b5cdfc8de10c99929b230f0dcbf7fcefe9de448eeb6c75675cfe6c44633073
/sys/devices/platform/a003c00.virtio_mmio/virtio0/block/vda/vda5/trace	/sys/devices/platform/a003c00.virtio_mmio/virtio0/block/vda/vda5/trace	24b5cdfc8de10c99929b230f0dcbf7fcefe9de448eeb6c75675cfe6c44633073
/sys/kernel/debug/tracing/events/compaction/mm_compaction_try_to_compact_pages	/sys/kernel/debug/tracing/events/compaction/mm_compaction_try_to_compact_pages	24b5cdfc8de10c99929b230f0dcbf7fcefe9de448eeb6c75675cfe6c44633073
/sys/kernel/debug/tracing/events/kmem/kmem_cache_alloc_node	/sys/kernel/debug/tracing/events/kmem/kmem_cache_alloc_node	24b5cdfc8de10c99929b230f0dcbf7fcefe9de448eeb6c75675cfe6c44633073
/sys/kernel/debug/tracing/events/syscalls/sys_enter_io_cancel	/sys/kernel/debug/tracing/events/syscalls/sys_enter_io_cancel	Process not Found
/sys/kernel/debug/tracing/events/syscalls/sys_enter_msgctl	/sys/kernel/debug/tracing/events/syscalls/sys_enter_msgctl	Process not Found
/sys/bus/media/devices	/sys/bus/media/devices	Process not Found
/sys/bus/platform/drivers/armada-375-usb-cluster	/sys/bus/platform/drivers/armada-375-usb-cluster	24b5cdfc8de10c99929b230f0dcbf7fcefe9de448eeb6c75675cfe6c44633073
/sys/bus/sdio/devices	/sys/bus/sdio/devices	24b5cdfc8de10c99929b230f0dcbf7fcefe9de448eeb6c75675cfe6c44633073
/sys/kernel/debug/tracing/events/syscalls/sys_enter_msync	/sys/kernel/debug/tracing/events/syscalls/sys_enter_msync	Process not Found
/sys/kernel/debug/tracing/events/writeback/writeback_congestion_wait	/sys/kernel/debug/tracing/events/writeback/writeback_congestion_wait	Process not Found
/sys/kernel/debug/tracing/events/writeback/writeback_start	/sys/kernel/debug/tracing/events/writeback/writeback_start	Process not Found
/sys/bus/platform/drivers/tegra-fuse	/sys/bus/platform/drivers/tegra-fuse	24b5cdfc8de10c99929b230f0dcbf7fcefe9de448eeb6c75675cfe6c44633073
/sys/bus/virtio/devices	/sys/bus/virtio/devices	24b5cdfc8de10c99929b230f0dcbf7fcefe9de448eeb6c75675cfe6c44633073
/sys/kernel/debug/tracing/events/block/block_rq_issue	/sys/kernel/debug/tracing/events/block/block_rq_issue	24b5cdfc8de10c99929b230f0dcbf7fcefe9de448eeb6c75675cfe6c44633073
/sys/kernel/debug/tracing/events/syscalls/sys_enter_chdir	/sys/kernel/debug/tracing/events/syscalls/sys_enter_chdir	24b5cdfc8de10c99929b230f0dcbf7fcefe9de448eeb6c75675cfe6c44633073
/sys/kernel/debug/tracing/events/syscalls/sys_enter_newuname	/sys/kernel/debug/tracing/events/syscalls/sys_enter_newuname	Process not Found
/sys/kernel/debug/tracing/events/syscalls/sys_enter_set_robust_list	/sys/kernel/debug/tracing/events/syscalls/sys_enter_set_robust_list	Process not Found
/sys/kernel/debug/tracing/events/syscalls/sys_enter_socketpair	/sys/kernel/debug/tracing/events/syscalls/sys_enter_socketpair	Process not Found
/sys/devices/virtual/vc/vcsa5/power	/sys/devices/virtual/vc/vcsa5/power	Process not Found
/sys/kernel/debug/tracing/events/ext4/ext4_sync_file_exit	/sys/kernel/debug/tracing/events/ext4/ext4_sync_file_exit	24b5cdfc8de10c99929b230f0dcbf7fcefe9de448eeb6c75675cfe6c44633073
/sys/kernel/debug/tracing/events/random	/sys/kernel/debug/tracing/events/random	24b5cdfc8de10c99929b230f0dcbf7fcefe9de448eeb6c75675cfe6c44633073

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads