Analysis
-
max time kernel
0s -
max time network
32s -
platform
linux_amd64 -
resource
ubuntu1804-amd64-en-20211208 -
submitted
08-07-2022 05:39
Static task
static1
Behavioral task
behavioral1
Sample
bf806503ac5be57798f50d5b50901b295fc27b66bb5bfc8da9ee19f4ede394a5
Resource
ubuntu1804-amd64-en-20211208
General
-
Target
bf806503ac5be57798f50d5b50901b295fc27b66bb5bfc8da9ee19f4ede394a5
-
Size
535KB
-
MD5
41765670191769f8f994501277f29de3
-
SHA1
4b8ffeca421ad2bfefcfec7e3a111344fbd3d7f6
-
SHA256
bf806503ac5be57798f50d5b50901b295fc27b66bb5bfc8da9ee19f4ede394a5
-
SHA512
3f07ed855b6b99a0d276dc094ca2101a4e841b54dffbddc2c6f05161e71187f3912a4d1e163d70979ecf1ad73d7fac155aed2c6840a8cc7a353ffaab40a7de10
Malware Config
Signatures
-
suricata: ET MALWARE DDoS.XOR Checkin
suricata: ET MALWARE DDoS.XOR Checkin
-
suricata: ET MALWARE Likely Linux/Xorddos.F DDoS Attack Participation (aa.hostasa.org)
suricata: ET MALWARE Likely Linux/Xorddos.F DDoS Attack Participation (aa.hostasa.org)
-
Writes file to system bin folder 1 TTPs 3 IoCs
description ioc /bin/nhsqbfsokw /bin/nhsqbfsokw /bin/vbrcxopyvv /bin/vbrcxopyvv /bin/qjmdwykndz /bin/qjmdwykndz -
Creates/modifies Cron job 1 TTPs 2 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
description ioc Process /etc/crontab /etc/crontab sed /etc/crontab /etc/crontab sh -
Modifies rc script 1 TTPs 12 IoCs
Adding/modifying system rc scripts is a common persistence mechanism.
description ioc Process /etc/rc2.d/ /etc/rc2.d/ update-rc.d /etc/rc6.d/ /etc/rc6.d/ update-rc.d /etc/rc2.d/S90bf806503ac5be57798f50d5b50901b295fc27b66bb5bfc8da9ee19f4ede394a5 /etc/rc2.d/S90bf806503ac5be57798f50d5b50901b295fc27b66bb5bfc8da9ee19f4ede394a5 Process not Found /etc/rc5.d/S90bf806503ac5be57798f50d5b50901b295fc27b66bb5bfc8da9ee19f4ede394a5 /etc/rc5.d/S90bf806503ac5be57798f50d5b50901b295fc27b66bb5bfc8da9ee19f4ede394a5 Process not Found /etc/rc0.d/ /etc/rc0.d/ update-rc.d /etc/rc4.d/ /etc/rc4.d/ update-rc.d /etc/rc3.d/ /etc/rc3.d/ update-rc.d /etc/rc1.d/S90bf806503ac5be57798f50d5b50901b295fc27b66bb5bfc8da9ee19f4ede394a5 /etc/rc1.d/S90bf806503ac5be57798f50d5b50901b295fc27b66bb5bfc8da9ee19f4ede394a5 Process not Found /etc/rc3.d/S90bf806503ac5be57798f50d5b50901b295fc27b66bb5bfc8da9ee19f4ede394a5 /etc/rc3.d/S90bf806503ac5be57798f50d5b50901b295fc27b66bb5bfc8da9ee19f4ede394a5 Process not Found /etc/rc4.d/S90bf806503ac5be57798f50d5b50901b295fc27b66bb5bfc8da9ee19f4ede394a5 /etc/rc4.d/S90bf806503ac5be57798f50d5b50901b295fc27b66bb5bfc8da9ee19f4ede394a5 Process not Found /etc/rc5.d/ /etc/rc5.d/ update-rc.d /etc/rc1.d/ /etc/rc1.d/ update-rc.d -
Write file to user bin folder 1 TTPs 4 IoCs
description ioc Process /usr/sbin/update-rc.d /usr/sbin/update-rc.d update-rc.d /usr/bin/qjmdwykndz /usr/bin/qjmdwykndz Process not Found /usr/bin/nhsqbfsokw /usr/bin/nhsqbfsokw Process not Found /usr/bin/vbrcxopyvv /usr/bin/vbrcxopyvv Process not Found -
Reads runtime system information 7 IoCs
Reads data from /proc virtual filesystem.
description ioc Process /proc/cmdline /proc/cmdline systemctl /proc/filesystems /proc/filesystems sed /proc/filesystems /proc/filesystems systemctl /proc/self/stat /proc/self/stat systemctl /proc/sys/kernel/osrelease /proc/sys/kernel/osrelease systemctl /proc/1/environ /proc/1/environ systemctl /proc/1/sched /proc/1/sched systemctl -
Writes file to tmp directory 3 IoCs
Malware often drops required files in the /tmp directory.
description ioc /tmp/qjmdwykndz /tmp/qjmdwykndz /tmp/nhsqbfsokw /tmp/nhsqbfsokw /tmp/vbrcxopyvv /tmp/vbrcxopyvv
Processes
-
./bf806503ac5be57798f50d5b50901b295fc27b66bb5bfc8da9ee19f4ede394a5./bf806503ac5be57798f50d5b50901b295fc27b66bb5bfc8da9ee19f4ede394a51⤵PID:571
-
/bin/chkconfigchkconfig --add bf806503ac5be57798f50d5b50901b295fc27b66bb5bfc8da9ee19f4ede394a51⤵PID:574
-
/sbin/chkconfigchkconfig --add bf806503ac5be57798f50d5b50901b295fc27b66bb5bfc8da9ee19f4ede394a51⤵PID:574
-
/usr/bin/chkconfigchkconfig --add bf806503ac5be57798f50d5b50901b295fc27b66bb5bfc8da9ee19f4ede394a51⤵PID:574
-
/bin/shsh -c "sed -i '/\\/etc\\/cron.hourly\\/gcc.sh/d' /etc/crontab && echo '*/3 * * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab"1⤵
- Creates/modifies Cron job
PID:577 -
/bin/sedsed -i "/\\/etc\\/cron.hourly\\/gcc.sh/d" /etc/crontab2⤵
- Creates/modifies Cron job
- Reads runtime system information
PID:578
-
-
/usr/sbin/chkconfigchkconfig --add bf806503ac5be57798f50d5b50901b295fc27b66bb5bfc8da9ee19f4ede394a51⤵PID:574
-
/usr/local/bin/chkconfigchkconfig --add bf806503ac5be57798f50d5b50901b295fc27b66bb5bfc8da9ee19f4ede394a51⤵PID:574
-
/usr/local/sbin/chkconfigchkconfig --add bf806503ac5be57798f50d5b50901b295fc27b66bb5bfc8da9ee19f4ede394a51⤵PID:574
-
/usr/X11R6/bin/chkconfigchkconfig --add bf806503ac5be57798f50d5b50901b295fc27b66bb5bfc8da9ee19f4ede394a51⤵PID:574
-
/bin/update-rc.dupdate-rc.d bf806503ac5be57798f50d5b50901b295fc27b66bb5bfc8da9ee19f4ede394a5 defaults1⤵PID:576
-
/sbin/update-rc.dupdate-rc.d bf806503ac5be57798f50d5b50901b295fc27b66bb5bfc8da9ee19f4ede394a5 defaults1⤵PID:576
-
/usr/bin/update-rc.dupdate-rc.d bf806503ac5be57798f50d5b50901b295fc27b66bb5bfc8da9ee19f4ede394a5 defaults1⤵PID:576
-
/usr/sbin/update-rc.dupdate-rc.d bf806503ac5be57798f50d5b50901b295fc27b66bb5bfc8da9ee19f4ede394a5 defaults1⤵
- Modifies rc script
- Write file to user bin folder
PID:576 -
/bin/systemctlsystemctl daemon-reload2⤵
- Reads runtime system information
PID:583
-
-
/usr/bin/qjmdwykndz/usr/bin/qjmdwykndz ifconfig 5721⤵PID:584
-
/usr/bin/qjmdwykndz/usr/bin/qjmdwykndz "cat resolv.conf" 5721⤵PID:601
-
/usr/bin/qjmdwykndz/usr/bin/qjmdwykndz ls 5721⤵PID:605
-
/usr/bin/qjmdwykndz/usr/bin/qjmdwykndz sh 5721⤵PID:608
-
/usr/bin/qjmdwykndz/usr/bin/qjmdwykndz su 5721⤵PID:615
-
/usr/bin/nhsqbfsokw/usr/bin/nhsqbfsokw uptime 5721⤵PID:618
-
/usr/bin/nhsqbfsokw/usr/bin/nhsqbfsokw "netstat -antop" 5721⤵PID:621
-
/usr/bin/nhsqbfsokw/usr/bin/nhsqbfsokw "cd /etc" 5721⤵PID:624
-
/usr/bin/nhsqbfsokw/usr/bin/nhsqbfsokw ifconfig 5721⤵PID:627
-
/usr/bin/nhsqbfsokw/usr/bin/nhsqbfsokw "netstat -antop" 5721⤵PID:630
-
/usr/bin/vbrcxopyvv/usr/bin/vbrcxopyvv "ls -la" 5721⤵PID:633
-
/usr/bin/vbrcxopyvv/usr/bin/vbrcxopyvv "netstat -an" 5721⤵PID:636
-
/usr/bin/vbrcxopyvv/usr/bin/vbrcxopyvv "netstat -an" 5721⤵PID:639
-
/usr/bin/vbrcxopyvv/usr/bin/vbrcxopyvv "netstat -antop" 5721⤵PID:642
-
/usr/bin/vbrcxopyvv/usr/bin/vbrcxopyvv gnome-terminal 5721⤵PID:645
-
/usr/bin/lveprrgpds/usr/bin/lveprrgpds "ps -ef" 5721⤵PID:648