Analysis
-
max time kernel
0s -
max time network
23s -
platform
linux_amd64 -
resource
ubuntu1804-amd64-en-20211208 -
submitted
01-07-2022 04:53
Static task
static1
Behavioral task
behavioral1
Sample
86a8a2107448d28214e43a86e1367feec9e7f45201a3013c57bc200bf760e1ee
Resource
ubuntu1804-amd64-en-20211208
General
-
Target
86a8a2107448d28214e43a86e1367feec9e7f45201a3013c57bc200bf760e1ee
-
Size
611KB
-
MD5
55a111f4625348cffd6d910e49f5dbdc
-
SHA1
0cb723f7dcf9ae320501ee93dba2363699811576
-
SHA256
86a8a2107448d28214e43a86e1367feec9e7f45201a3013c57bc200bf760e1ee
-
SHA512
c2d30d334e2f30684474c72034ab170bf662aff8130606eb4eee7bc39bfd75f4c5d111957621ae290e821be3cd31d2f517e275dda571299671397248502301d7
Malware Config
Signatures
-
Writes file to system bin folder 1 TTPs 3 IoCs
description ioc /bin/zyicuggrkg /bin/zyicuggrkg /bin/nddhsildsx /bin/nddhsildsx /bin/mabzfgoatz /bin/mabzfgoatz -
Creates/modifies Cron job 1 TTPs 2 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
description ioc Process /etc/crontab /etc/crontab sh /etc/crontab /etc/crontab sed -
Modifies rc script 1 TTPs 12 IoCs
Adding/modifying system rc scripts is a common persistence mechanism.
description ioc Process /etc/rc1.d/S9086a8a2107448d28214e43a86e1367feec9e7f45201a3013c57bc200bf760e1ee /etc/rc1.d/S9086a8a2107448d28214e43a86e1367feec9e7f45201a3013c57bc200bf760e1ee Process not Found /etc/rc4.d/ /etc/rc4.d/ update-rc.d /etc/rc3.d/ /etc/rc3.d/ update-rc.d /etc/rc0.d/ /etc/rc0.d/ update-rc.d /etc/rc5.d/ /etc/rc5.d/ update-rc.d /etc/rc2.d/ /etc/rc2.d/ update-rc.d /etc/rc6.d/ /etc/rc6.d/ update-rc.d /etc/rc2.d/S9086a8a2107448d28214e43a86e1367feec9e7f45201a3013c57bc200bf760e1ee /etc/rc2.d/S9086a8a2107448d28214e43a86e1367feec9e7f45201a3013c57bc200bf760e1ee Process not Found /etc/rc3.d/S9086a8a2107448d28214e43a86e1367feec9e7f45201a3013c57bc200bf760e1ee /etc/rc3.d/S9086a8a2107448d28214e43a86e1367feec9e7f45201a3013c57bc200bf760e1ee Process not Found /etc/rc4.d/S9086a8a2107448d28214e43a86e1367feec9e7f45201a3013c57bc200bf760e1ee /etc/rc4.d/S9086a8a2107448d28214e43a86e1367feec9e7f45201a3013c57bc200bf760e1ee Process not Found /etc/rc5.d/S9086a8a2107448d28214e43a86e1367feec9e7f45201a3013c57bc200bf760e1ee /etc/rc5.d/S9086a8a2107448d28214e43a86e1367feec9e7f45201a3013c57bc200bf760e1ee Process not Found /etc/rc1.d/ /etc/rc1.d/ update-rc.d -
Write file to user bin folder 1 TTPs 4 IoCs
description ioc Process /usr/bin/mabzfgoatz /usr/bin/mabzfgoatz Process not Found /usr/sbin/update-rc.d /usr/sbin/update-rc.d update-rc.d /usr/bin/zyicuggrkg /usr/bin/zyicuggrkg Process not Found /usr/bin/nddhsildsx /usr/bin/nddhsildsx Process not Found -
Reads runtime system information 7 IoCs
Reads data from /proc virtual filesystem.
description ioc Process /proc/filesystems /proc/filesystems systemctl /proc/self/stat /proc/self/stat systemctl /proc/sys/kernel/osrelease /proc/sys/kernel/osrelease systemctl /proc/1/environ /proc/1/environ systemctl /proc/1/sched /proc/1/sched systemctl /proc/cmdline /proc/cmdline systemctl /proc/filesystems /proc/filesystems sed -
Writes file to tmp directory 3 IoCs
Malware often drops required files in the /tmp directory.
description ioc /tmp/zyicuggrkg /tmp/zyicuggrkg /tmp/nddhsildsx /tmp/nddhsildsx /tmp/mabzfgoatz /tmp/mabzfgoatz
Processes
-
./86a8a2107448d28214e43a86e1367feec9e7f45201a3013c57bc200bf760e1ee./86a8a2107448d28214e43a86e1367feec9e7f45201a3013c57bc200bf760e1ee1⤵PID:577
-
/bin/chkconfigchkconfig --add 86a8a2107448d28214e43a86e1367feec9e7f45201a3013c57bc200bf760e1ee1⤵PID:580
-
/bin/shsh -c "sed -i '/\\/etc\\/cron.hourly\\/gcc.sh/d' /etc/crontab && echo '*/3 * * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab"1⤵
- Creates/modifies Cron job
PID:583 -
/bin/sedsed -i "/\\/etc\\/cron.hourly\\/gcc.sh/d" /etc/crontab2⤵
- Creates/modifies Cron job
- Reads runtime system information
PID:584
-
-
/sbin/chkconfigchkconfig --add 86a8a2107448d28214e43a86e1367feec9e7f45201a3013c57bc200bf760e1ee1⤵PID:580
-
/usr/bin/chkconfigchkconfig --add 86a8a2107448d28214e43a86e1367feec9e7f45201a3013c57bc200bf760e1ee1⤵PID:580
-
/usr/sbin/chkconfigchkconfig --add 86a8a2107448d28214e43a86e1367feec9e7f45201a3013c57bc200bf760e1ee1⤵PID:580
-
/usr/local/bin/chkconfigchkconfig --add 86a8a2107448d28214e43a86e1367feec9e7f45201a3013c57bc200bf760e1ee1⤵PID:580
-
/usr/local/sbin/chkconfigchkconfig --add 86a8a2107448d28214e43a86e1367feec9e7f45201a3013c57bc200bf760e1ee1⤵PID:580
-
/usr/X11R6/bin/chkconfigchkconfig --add 86a8a2107448d28214e43a86e1367feec9e7f45201a3013c57bc200bf760e1ee1⤵PID:580
-
/bin/update-rc.dupdate-rc.d 86a8a2107448d28214e43a86e1367feec9e7f45201a3013c57bc200bf760e1ee defaults1⤵PID:582
-
/sbin/update-rc.dupdate-rc.d 86a8a2107448d28214e43a86e1367feec9e7f45201a3013c57bc200bf760e1ee defaults1⤵PID:582
-
/usr/bin/update-rc.dupdate-rc.d 86a8a2107448d28214e43a86e1367feec9e7f45201a3013c57bc200bf760e1ee defaults1⤵PID:582
-
/usr/sbin/update-rc.dupdate-rc.d 86a8a2107448d28214e43a86e1367feec9e7f45201a3013c57bc200bf760e1ee defaults1⤵
- Modifies rc script
- Write file to user bin folder
PID:582 -
/bin/systemctlsystemctl daemon-reload2⤵
- Reads runtime system information
PID:588
-
-
/usr/bin/zyicuggrkg/usr/bin/zyicuggrkg gnome-terminal 5781⤵PID:591
-
/usr/bin/zyicuggrkg/usr/bin/zyicuggrkg ifconfig 5781⤵PID:612
-
/usr/bin/zyicuggrkg/usr/bin/zyicuggrkg sh 5781⤵PID:615
-
/usr/bin/zyicuggrkg/usr/bin/zyicuggrkg "grep \"A\"" 5781⤵PID:618
-
/usr/bin/zyicuggrkg/usr/bin/zyicuggrkg gnome-terminal 5781⤵PID:621
-
/usr/bin/nddhsildsx/usr/bin/nddhsildsx "sleep 1" 5781⤵PID:624
-
/usr/bin/nddhsildsx/usr/bin/nddhsildsx "route -n" 5781⤵PID:627
-
/usr/bin/nddhsildsx/usr/bin/nddhsildsx "route -n" 5781⤵PID:630
-
/usr/bin/nddhsildsx/usr/bin/nddhsildsx su 5781⤵PID:633
-
/usr/bin/nddhsildsx/usr/bin/nddhsildsx whoami 5781⤵PID:636
-
/usr/bin/mabzfgoatz/usr/bin/mabzfgoatz "netstat -an" 5781⤵PID:639
-
/usr/bin/mabzfgoatz/usr/bin/mabzfgoatz ifconfig 5781⤵PID:642
-
/usr/bin/mabzfgoatz/usr/bin/mabzfgoatz top 5781⤵PID:645
-
/usr/bin/mabzfgoatz/usr/bin/mabzfgoatz "netstat -an" 5781⤵PID:648
-
/usr/bin/mabzfgoatz/usr/bin/mabzfgoatz "cat resolv.conf" 5781⤵PID:651
-
/usr/bin/vczfiruabf/usr/bin/vczfiruabf "route -n" 5781⤵PID:654