Analysis

  • max time kernel
    0s
  • max time network
    29s
  • platform
    linux_amd64
  • resource
    ubuntu1804-amd64-en-20211208
  • submitted
    12-07-2022 09:49

General

  • Target

    4b7b1f678e499bab4d7b16503d15089b81e9358a69439ca06fcacabcd73ed48f

  • Size

    535KB

  • MD5

    d4e910512ed8d1b88c960ac60320db24

  • SHA1

    dfde60603b15b4672e05fbb9002e4ba559c29dd1

  • SHA256

    4b7b1f678e499bab4d7b16503d15089b81e9358a69439ca06fcacabcd73ed48f

  • SHA512

    0415413ca7e92f7dc51e7c696b4b72fb2a60e757d6112e0b7270ffe4fe1c17ec5d31f722b95d74a85c3cde264c14bdc4d9cd5bcd52b453f59b82afea2aa5f58b

Score
10/10

Malware Config

Signatures

  • suricata: ET MALWARE DDoS.XOR Checkin

    suricata: ET MALWARE DDoS.XOR Checkin

  • suricata: ET MALWARE Likely Linux/Xorddos.F DDoS Attack Participation (aa.hostasa.org)

    suricata: ET MALWARE Likely Linux/Xorddos.F DDoS Attack Participation (aa.hostasa.org)

  • Writes file to system bin folder 1 TTPs 3 IoCs
  • Creates/modifies Cron job 1 TTPs 2 IoCs

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

  • Modifies rc script 1 TTPs 12 IoCs

    Adding/modifying system rc scripts is a common persistence mechanism.

  • Write file to user bin folder 1 TTPs 4 IoCs
  • Reads runtime system information 7 IoCs

    Reads data from /proc virtual filesystem.

  • Writes file to tmp directory 3 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • ./4b7b1f678e499bab4d7b16503d15089b81e9358a69439ca06fcacabcd73ed48f
    ./4b7b1f678e499bab4d7b16503d15089b81e9358a69439ca06fcacabcd73ed48f
    1⤵
      PID:580
    • /bin/chkconfig
      chkconfig --add 4b7b1f678e499bab4d7b16503d15089b81e9358a69439ca06fcacabcd73ed48f
      1⤵
        PID:583
      • /bin/sh
        sh -c "sed -i '/\\/etc\\/cron.hourly\\/gcc.sh/d' /etc/crontab && echo '*/3 * * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab"
        1⤵
        • Creates/modifies Cron job
        PID:586
        • /bin/sed
          sed -i "/\\/etc\\/cron.hourly\\/gcc.sh/d" /etc/crontab
          2⤵
          • Creates/modifies Cron job
          • Reads runtime system information
          PID:587
      • /sbin/chkconfig
        chkconfig --add 4b7b1f678e499bab4d7b16503d15089b81e9358a69439ca06fcacabcd73ed48f
        1⤵
          PID:583
        • /usr/bin/chkconfig
          chkconfig --add 4b7b1f678e499bab4d7b16503d15089b81e9358a69439ca06fcacabcd73ed48f
          1⤵
            PID:583
          • /usr/sbin/chkconfig
            chkconfig --add 4b7b1f678e499bab4d7b16503d15089b81e9358a69439ca06fcacabcd73ed48f
            1⤵
              PID:583
            • /usr/local/bin/chkconfig
              chkconfig --add 4b7b1f678e499bab4d7b16503d15089b81e9358a69439ca06fcacabcd73ed48f
              1⤵
                PID:583
              • /usr/local/sbin/chkconfig
                chkconfig --add 4b7b1f678e499bab4d7b16503d15089b81e9358a69439ca06fcacabcd73ed48f
                1⤵
                  PID:583
                • /usr/X11R6/bin/chkconfig
                  chkconfig --add 4b7b1f678e499bab4d7b16503d15089b81e9358a69439ca06fcacabcd73ed48f
                  1⤵
                    PID:583
                  • /bin/update-rc.d
                    update-rc.d 4b7b1f678e499bab4d7b16503d15089b81e9358a69439ca06fcacabcd73ed48f defaults
                    1⤵
                      PID:585
                    • /sbin/update-rc.d
                      update-rc.d 4b7b1f678e499bab4d7b16503d15089b81e9358a69439ca06fcacabcd73ed48f defaults
                      1⤵
                        PID:585
                      • /usr/bin/update-rc.d
                        update-rc.d 4b7b1f678e499bab4d7b16503d15089b81e9358a69439ca06fcacabcd73ed48f defaults
                        1⤵
                          PID:585
                        • /usr/sbin/update-rc.d
                          update-rc.d 4b7b1f678e499bab4d7b16503d15089b81e9358a69439ca06fcacabcd73ed48f defaults
                          1⤵
                          • Modifies rc script
                          • Write file to user bin folder
                          PID:585
                          • /bin/systemctl
                            systemctl daemon-reload
                            2⤵
                            • Reads runtime system information
                            PID:591
                        • /usr/bin/duucgfjgct
                          /usr/bin/duucgfjgct "ps -ef" 581
                          1⤵
                            PID:593
                          • /usr/bin/duucgfjgct
                            /usr/bin/duucgfjgct "ls -la" 581
                            1⤵
                              PID:610
                            • /usr/bin/duucgfjgct
                              /usr/bin/duucgfjgct gnome-terminal 581
                              1⤵
                                PID:614
                              • /usr/bin/duucgfjgct
                                /usr/bin/duucgfjgct uptime 581
                                1⤵
                                  PID:617
                                • /usr/bin/duucgfjgct
                                  /usr/bin/duucgfjgct "sleep 1" 581
                                  1⤵
                                    PID:624
                                  • /usr/bin/ujozaagxvz
                                    /usr/bin/ujozaagxvz "echo \"find\"" 581
                                    1⤵
                                      PID:627
                                    • /usr/bin/ujozaagxvz
                                      /usr/bin/ujozaagxvz uptime 581
                                      1⤵
                                        PID:630
                                      • /usr/bin/ujozaagxvz
                                        /usr/bin/ujozaagxvz "netstat -antop" 581
                                        1⤵
                                          PID:633
                                        • /usr/bin/ujozaagxvz
                                          /usr/bin/ujozaagxvz "netstat -an" 581
                                          1⤵
                                            PID:636
                                          • /usr/bin/ujozaagxvz
                                            /usr/bin/ujozaagxvz bash 581
                                            1⤵
                                              PID:639
                                            • /usr/bin/nctcjpjnar
                                              /usr/bin/nctcjpjnar id 581
                                              1⤵
                                                PID:642
                                              • /usr/bin/nctcjpjnar
                                                /usr/bin/nctcjpjnar "echo \"find\"" 581
                                                1⤵
                                                  PID:645
                                                • /usr/bin/nctcjpjnar
                                                  /usr/bin/nctcjpjnar pwd 581
                                                  1⤵
                                                    PID:648
                                                  • /usr/bin/nctcjpjnar
                                                    /usr/bin/nctcjpjnar pwd 581
                                                    1⤵
                                                      PID:651
                                                    • /usr/bin/nctcjpjnar
                                                      /usr/bin/nctcjpjnar "cd /etc" 581
                                                      1⤵
                                                        PID:654
                                                      • /usr/bin/bozphupvpx
                                                        /usr/bin/bozphupvpx "ifconfig eth0" 581
                                                        1⤵
                                                          PID:657

                                                        Network

                                                        MITRE ATT&CK Enterprise v6

                                                        Replay Monitor

                                                        Loading Replay Monitor...

                                                        Downloads