Analysis

  • max time kernel
    0s
  • max time network
    32s
  • platform
    linux_amd64
  • resource
    ubuntu1804-amd64-en-20211208
  • submitted
    08-07-2022 05:39

General

  • Target

    bf806503ac5be57798f50d5b50901b295fc27b66bb5bfc8da9ee19f4ede394a5

  • Size

    535KB

  • MD5

    41765670191769f8f994501277f29de3

  • SHA1

    4b8ffeca421ad2bfefcfec7e3a111344fbd3d7f6

  • SHA256

    bf806503ac5be57798f50d5b50901b295fc27b66bb5bfc8da9ee19f4ede394a5

  • SHA512

    3f07ed855b6b99a0d276dc094ca2101a4e841b54dffbddc2c6f05161e71187f3912a4d1e163d70979ecf1ad73d7fac155aed2c6840a8cc7a353ffaab40a7de10

Score
10/10

Malware Config

Signatures

  • suricata: ET MALWARE DDoS.XOR Checkin

    suricata: ET MALWARE DDoS.XOR Checkin

  • suricata: ET MALWARE Likely Linux/Xorddos.F DDoS Attack Participation (aa.hostasa.org)

    suricata: ET MALWARE Likely Linux/Xorddos.F DDoS Attack Participation (aa.hostasa.org)

  • Writes file to system bin folder 1 TTPs 3 IoCs
  • Creates/modifies Cron job 1 TTPs 2 IoCs

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

  • Modifies rc script 1 TTPs 12 IoCs

    Adding/modifying system rc scripts is a common persistence mechanism.

  • Write file to user bin folder 1 TTPs 4 IoCs
  • Reads runtime system information 7 IoCs

    Reads data from /proc virtual filesystem.

  • Writes file to tmp directory 3 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • ./bf806503ac5be57798f50d5b50901b295fc27b66bb5bfc8da9ee19f4ede394a5
    ./bf806503ac5be57798f50d5b50901b295fc27b66bb5bfc8da9ee19f4ede394a5
    1⤵
      PID:571
    • /bin/chkconfig
      chkconfig --add bf806503ac5be57798f50d5b50901b295fc27b66bb5bfc8da9ee19f4ede394a5
      1⤵
        PID:574
      • /sbin/chkconfig
        chkconfig --add bf806503ac5be57798f50d5b50901b295fc27b66bb5bfc8da9ee19f4ede394a5
        1⤵
          PID:574
        • /usr/bin/chkconfig
          chkconfig --add bf806503ac5be57798f50d5b50901b295fc27b66bb5bfc8da9ee19f4ede394a5
          1⤵
            PID:574
          • /bin/sh
            sh -c "sed -i '/\\/etc\\/cron.hourly\\/gcc.sh/d' /etc/crontab && echo '*/3 * * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab"
            1⤵
            • Creates/modifies Cron job
            PID:577
            • /bin/sed
              sed -i "/\\/etc\\/cron.hourly\\/gcc.sh/d" /etc/crontab
              2⤵
              • Creates/modifies Cron job
              • Reads runtime system information
              PID:578
          • /usr/sbin/chkconfig
            chkconfig --add bf806503ac5be57798f50d5b50901b295fc27b66bb5bfc8da9ee19f4ede394a5
            1⤵
              PID:574
            • /usr/local/bin/chkconfig
              chkconfig --add bf806503ac5be57798f50d5b50901b295fc27b66bb5bfc8da9ee19f4ede394a5
              1⤵
                PID:574
              • /usr/local/sbin/chkconfig
                chkconfig --add bf806503ac5be57798f50d5b50901b295fc27b66bb5bfc8da9ee19f4ede394a5
                1⤵
                  PID:574
                • /usr/X11R6/bin/chkconfig
                  chkconfig --add bf806503ac5be57798f50d5b50901b295fc27b66bb5bfc8da9ee19f4ede394a5
                  1⤵
                    PID:574
                  • /bin/update-rc.d
                    update-rc.d bf806503ac5be57798f50d5b50901b295fc27b66bb5bfc8da9ee19f4ede394a5 defaults
                    1⤵
                      PID:576
                    • /sbin/update-rc.d
                      update-rc.d bf806503ac5be57798f50d5b50901b295fc27b66bb5bfc8da9ee19f4ede394a5 defaults
                      1⤵
                        PID:576
                      • /usr/bin/update-rc.d
                        update-rc.d bf806503ac5be57798f50d5b50901b295fc27b66bb5bfc8da9ee19f4ede394a5 defaults
                        1⤵
                          PID:576
                        • /usr/sbin/update-rc.d
                          update-rc.d bf806503ac5be57798f50d5b50901b295fc27b66bb5bfc8da9ee19f4ede394a5 defaults
                          1⤵
                          • Modifies rc script
                          • Write file to user bin folder
                          PID:576
                          • /bin/systemctl
                            systemctl daemon-reload
                            2⤵
                            • Reads runtime system information
                            PID:583
                        • /usr/bin/qjmdwykndz
                          /usr/bin/qjmdwykndz ifconfig 572
                          1⤵
                            PID:584
                          • /usr/bin/qjmdwykndz
                            /usr/bin/qjmdwykndz "cat resolv.conf" 572
                            1⤵
                              PID:601
                            • /usr/bin/qjmdwykndz
                              /usr/bin/qjmdwykndz ls 572
                              1⤵
                                PID:605
                              • /usr/bin/qjmdwykndz
                                /usr/bin/qjmdwykndz sh 572
                                1⤵
                                  PID:608
                                • /usr/bin/qjmdwykndz
                                  /usr/bin/qjmdwykndz su 572
                                  1⤵
                                    PID:615
                                  • /usr/bin/nhsqbfsokw
                                    /usr/bin/nhsqbfsokw uptime 572
                                    1⤵
                                      PID:618
                                    • /usr/bin/nhsqbfsokw
                                      /usr/bin/nhsqbfsokw "netstat -antop" 572
                                      1⤵
                                        PID:621
                                      • /usr/bin/nhsqbfsokw
                                        /usr/bin/nhsqbfsokw "cd /etc" 572
                                        1⤵
                                          PID:624
                                        • /usr/bin/nhsqbfsokw
                                          /usr/bin/nhsqbfsokw ifconfig 572
                                          1⤵
                                            PID:627
                                          • /usr/bin/nhsqbfsokw
                                            /usr/bin/nhsqbfsokw "netstat -antop" 572
                                            1⤵
                                              PID:630
                                            • /usr/bin/vbrcxopyvv
                                              /usr/bin/vbrcxopyvv "ls -la" 572
                                              1⤵
                                                PID:633
                                              • /usr/bin/vbrcxopyvv
                                                /usr/bin/vbrcxopyvv "netstat -an" 572
                                                1⤵
                                                  PID:636
                                                • /usr/bin/vbrcxopyvv
                                                  /usr/bin/vbrcxopyvv "netstat -an" 572
                                                  1⤵
                                                    PID:639
                                                  • /usr/bin/vbrcxopyvv
                                                    /usr/bin/vbrcxopyvv "netstat -antop" 572
                                                    1⤵
                                                      PID:642
                                                    • /usr/bin/vbrcxopyvv
                                                      /usr/bin/vbrcxopyvv gnome-terminal 572
                                                      1⤵
                                                        PID:645
                                                      • /usr/bin/lveprrgpds
                                                        /usr/bin/lveprrgpds "ps -ef" 572
                                                        1⤵
                                                          PID:648

                                                        Network

                                                        MITRE ATT&CK Enterprise v6

                                                        Replay Monitor

                                                        Loading Replay Monitor...

                                                        Downloads