3a79225b5d6e1726e24b18ee35ad2a1b3656de80f4931d9fbd6ec3d7d9c7438d

General

Target

3a79225b5d6e1726e24b18ee35ad2a1b3656de80f4931d9fbd6ec3d7d9c7438d
Size

4.1MB
MD5

bc81eac9992a160197188e614a30883a
SHA1

75855deba701913f65968e10050134b8ff5c8e9a
SHA256

3a79225b5d6e1726e24b18ee35ad2a1b3656de80f4931d9fbd6ec3d7d9c7438d
SHA512

362c6d10e1f54f6a4575cdcab3730cedb8141b321d66523b3959cc7e8b1fe09ac6b156bc0c1924172e36076a5a19c30efd8bff10e8a70421a18808ddeca22790

Score

10^/10

suricata: ET MALWARE ZHtrap CnC Checkin
suricata: ET MALWARE ZHtrap CnC Checkin
suricata
suricata: ET MALWARE ZHtrap CnC Response - Connection Successfully Established
suricata: ET MALWARE ZHtrap CnC Response - Connection Successfully Established
suricata

Writes file to system bin folder 1 TTPs 13 IoCs

Hijack Execution Flow

description	ioc	Process
/sbin/README_FOR_DECRYPT.txtt/arpa	/sbin/README_FOR_DECRYPT.txtt/arpa	find
/sbin/README_FOR_DECRYPT.txtt/protocols	/sbin/README_FOR_DECRYPT.txtt/protocols	find
/sbin/README_FOR_DECRYPT.txtt/rpc	/sbin/README_FOR_DECRYPT.txtt/rpc	find
/sbin/README_FOR_DECRYPT.txtt/xen	/sbin/README_FOR_DECRYPT.txtt/xen	find
/sbin/README_FOR_DECRYPT.txtt/netrose	/sbin/README_FOR_DECRYPT.txtt/netrose	find
/sbin/README_FOR_DECRYPT.txtt	/sbin/README_FOR_DECRYPT.txtt	Process not Found
/sbin/README_FOR_DECRYPT.txtt/video	/sbin/README_FOR_DECRYPT.txtt/video	find
/sbin/README_FOR_DECRYPT.txtt/netpacket	/sbin/README_FOR_DECRYPT.txtt/netpacket	find
/sbin/README_FOR_DECRYPT.txtt/netinet	/sbin/README_FOR_DECRYPT.txtt/netinet	find
/sbin/README_FOR_DECRYPT.txtt/netatalk	/sbin/README_FOR_DECRYPT.txtt/netatalk	find
/sbin/README_FOR_DECRYPT.txtt/linux	/sbin/README_FOR_DECRYPT.txtt/linux	find
/sbin/README_FOR_DECRYPT.txtt/netiucv	/sbin/README_FOR_DECRYPT.txtt/netiucv	find
/sbin/README_FOR_DECRYPT.txtt/scsi	/sbin/README_FOR_DECRYPT.txtt/scsi	find

Modifies init.d 1 TTPs 1 IoCs

Adds/modifies system service, likely for persistence.

Boot or Logon Autostart Execution

description	ioc	Process
/etc/init.d/System.sh	/etc/init.d/System.sh	3a79225b5d6e1726e24b18ee35ad2a1b3656de80f4931d9fbd6ec3d7d9c7438d

Write file to user bin folder 1 TTPs 1 IoCs

Hijack Execution Flow

description	ioc	Process
/usr/local/sbin/7z	/usr/local/sbin/7z	3a79225b5d6e1726e24b18ee35ad2a1b3656de80f4931d9fbd6ec3d7d9c7438d

Enumerates kernel/hardware configuration 1 TTPs 2 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

description	ioc	Process
/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	3a79225b5d6e1726e24b18ee35ad2a1b3656de80f4931d9fbd6ec3d7d9c7438d
/sys/README_FOR_DECRYPT.txtt	/sys/README_FOR_DECRYPT.txtt	Process not Found

Reads runtime system information 1 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
/proc/filesystems	/proc/filesystems	find

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
/tmp/3a79225b5d6e1726e24b18ee35ad2a1b3656de80f4931d9fbd6ec3d7d9c7438d.pid	/tmp/3a79225b5d6e1726e24b18ee35ad2a1b3656de80f4931d9fbd6ec3d7d9c7438d.pid	3a79225b5d6e1726e24b18ee35ad2a1b3656de80f4931d9fbd6ec3d7d9c7438d