Analysis
-
max time kernel
0s -
max time network
29s -
platform
linux_amd64 -
resource
ubuntu1804-amd64-en-20211208 -
submitted
12-07-2022 09:49
Static task
static1
Behavioral task
behavioral1
Sample
4b7b1f678e499bab4d7b16503d15089b81e9358a69439ca06fcacabcd73ed48f
Resource
ubuntu1804-amd64-en-20211208
General
-
Target
4b7b1f678e499bab4d7b16503d15089b81e9358a69439ca06fcacabcd73ed48f
-
Size
535KB
-
MD5
d4e910512ed8d1b88c960ac60320db24
-
SHA1
dfde60603b15b4672e05fbb9002e4ba559c29dd1
-
SHA256
4b7b1f678e499bab4d7b16503d15089b81e9358a69439ca06fcacabcd73ed48f
-
SHA512
0415413ca7e92f7dc51e7c696b4b72fb2a60e757d6112e0b7270ffe4fe1c17ec5d31f722b95d74a85c3cde264c14bdc4d9cd5bcd52b453f59b82afea2aa5f58b
Malware Config
Signatures
-
suricata: ET MALWARE DDoS.XOR Checkin
suricata: ET MALWARE DDoS.XOR Checkin
-
suricata: ET MALWARE Likely Linux/Xorddos.F DDoS Attack Participation (aa.hostasa.org)
suricata: ET MALWARE Likely Linux/Xorddos.F DDoS Attack Participation (aa.hostasa.org)
-
Writes file to system bin folder 1 TTPs 3 IoCs
description ioc /bin/duucgfjgct /bin/duucgfjgct /bin/ujozaagxvz /bin/ujozaagxvz /bin/nctcjpjnar /bin/nctcjpjnar -
Creates/modifies Cron job 1 TTPs 2 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
description ioc Process /etc/crontab /etc/crontab sed /etc/crontab /etc/crontab sh -
Modifies rc script 1 TTPs 12 IoCs
Adding/modifying system rc scripts is a common persistence mechanism.
description ioc Process /etc/rc1.d/S904b7b1f678e499bab4d7b16503d15089b81e9358a69439ca06fcacabcd73ed48f /etc/rc1.d/S904b7b1f678e499bab4d7b16503d15089b81e9358a69439ca06fcacabcd73ed48f Process not Found /etc/rc2.d/S904b7b1f678e499bab4d7b16503d15089b81e9358a69439ca06fcacabcd73ed48f /etc/rc2.d/S904b7b1f678e499bab4d7b16503d15089b81e9358a69439ca06fcacabcd73ed48f Process not Found /etc/rc3.d/S904b7b1f678e499bab4d7b16503d15089b81e9358a69439ca06fcacabcd73ed48f /etc/rc3.d/S904b7b1f678e499bab4d7b16503d15089b81e9358a69439ca06fcacabcd73ed48f Process not Found /etc/rc0.d/ /etc/rc0.d/ update-rc.d /etc/rc1.d/ /etc/rc1.d/ update-rc.d /etc/rc4.d/S904b7b1f678e499bab4d7b16503d15089b81e9358a69439ca06fcacabcd73ed48f /etc/rc4.d/S904b7b1f678e499bab4d7b16503d15089b81e9358a69439ca06fcacabcd73ed48f Process not Found /etc/rc5.d/S904b7b1f678e499bab4d7b16503d15089b81e9358a69439ca06fcacabcd73ed48f /etc/rc5.d/S904b7b1f678e499bab4d7b16503d15089b81e9358a69439ca06fcacabcd73ed48f Process not Found /etc/rc5.d/ /etc/rc5.d/ update-rc.d /etc/rc4.d/ /etc/rc4.d/ update-rc.d /etc/rc3.d/ /etc/rc3.d/ update-rc.d /etc/rc2.d/ /etc/rc2.d/ update-rc.d /etc/rc6.d/ /etc/rc6.d/ update-rc.d -
Write file to user bin folder 1 TTPs 4 IoCs
description ioc Process /usr/bin/ujozaagxvz /usr/bin/ujozaagxvz Process not Found /usr/bin/nctcjpjnar /usr/bin/nctcjpjnar Process not Found /usr/sbin/update-rc.d /usr/sbin/update-rc.d update-rc.d /usr/bin/duucgfjgct /usr/bin/duucgfjgct Process not Found -
Reads runtime system information 7 IoCs
Reads data from /proc virtual filesystem.
description ioc Process /proc/filesystems /proc/filesystems sed /proc/filesystems /proc/filesystems systemctl /proc/self/stat /proc/self/stat systemctl /proc/sys/kernel/osrelease /proc/sys/kernel/osrelease systemctl /proc/1/environ /proc/1/environ systemctl /proc/1/sched /proc/1/sched systemctl /proc/cmdline /proc/cmdline systemctl -
Writes file to tmp directory 3 IoCs
Malware often drops required files in the /tmp directory.
description ioc /tmp/duucgfjgct /tmp/duucgfjgct /tmp/ujozaagxvz /tmp/ujozaagxvz /tmp/nctcjpjnar /tmp/nctcjpjnar
Processes
-
./4b7b1f678e499bab4d7b16503d15089b81e9358a69439ca06fcacabcd73ed48f./4b7b1f678e499bab4d7b16503d15089b81e9358a69439ca06fcacabcd73ed48f1⤵PID:580
-
/bin/chkconfigchkconfig --add 4b7b1f678e499bab4d7b16503d15089b81e9358a69439ca06fcacabcd73ed48f1⤵PID:583
-
/bin/shsh -c "sed -i '/\\/etc\\/cron.hourly\\/gcc.sh/d' /etc/crontab && echo '*/3 * * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab"1⤵
- Creates/modifies Cron job
PID:586 -
/bin/sedsed -i "/\\/etc\\/cron.hourly\\/gcc.sh/d" /etc/crontab2⤵
- Creates/modifies Cron job
- Reads runtime system information
PID:587
-
-
/sbin/chkconfigchkconfig --add 4b7b1f678e499bab4d7b16503d15089b81e9358a69439ca06fcacabcd73ed48f1⤵PID:583
-
/usr/bin/chkconfigchkconfig --add 4b7b1f678e499bab4d7b16503d15089b81e9358a69439ca06fcacabcd73ed48f1⤵PID:583
-
/usr/sbin/chkconfigchkconfig --add 4b7b1f678e499bab4d7b16503d15089b81e9358a69439ca06fcacabcd73ed48f1⤵PID:583
-
/usr/local/bin/chkconfigchkconfig --add 4b7b1f678e499bab4d7b16503d15089b81e9358a69439ca06fcacabcd73ed48f1⤵PID:583
-
/usr/local/sbin/chkconfigchkconfig --add 4b7b1f678e499bab4d7b16503d15089b81e9358a69439ca06fcacabcd73ed48f1⤵PID:583
-
/usr/X11R6/bin/chkconfigchkconfig --add 4b7b1f678e499bab4d7b16503d15089b81e9358a69439ca06fcacabcd73ed48f1⤵PID:583
-
/bin/update-rc.dupdate-rc.d 4b7b1f678e499bab4d7b16503d15089b81e9358a69439ca06fcacabcd73ed48f defaults1⤵PID:585
-
/sbin/update-rc.dupdate-rc.d 4b7b1f678e499bab4d7b16503d15089b81e9358a69439ca06fcacabcd73ed48f defaults1⤵PID:585
-
/usr/bin/update-rc.dupdate-rc.d 4b7b1f678e499bab4d7b16503d15089b81e9358a69439ca06fcacabcd73ed48f defaults1⤵PID:585
-
/usr/sbin/update-rc.dupdate-rc.d 4b7b1f678e499bab4d7b16503d15089b81e9358a69439ca06fcacabcd73ed48f defaults1⤵
- Modifies rc script
- Write file to user bin folder
PID:585 -
/bin/systemctlsystemctl daemon-reload2⤵
- Reads runtime system information
PID:591
-
-
/usr/bin/duucgfjgct/usr/bin/duucgfjgct "ps -ef" 5811⤵PID:593
-
/usr/bin/duucgfjgct/usr/bin/duucgfjgct "ls -la" 5811⤵PID:610
-
/usr/bin/duucgfjgct/usr/bin/duucgfjgct gnome-terminal 5811⤵PID:614
-
/usr/bin/duucgfjgct/usr/bin/duucgfjgct uptime 5811⤵PID:617
-
/usr/bin/duucgfjgct/usr/bin/duucgfjgct "sleep 1" 5811⤵PID:624
-
/usr/bin/ujozaagxvz/usr/bin/ujozaagxvz "echo \"find\"" 5811⤵PID:627
-
/usr/bin/ujozaagxvz/usr/bin/ujozaagxvz uptime 5811⤵PID:630
-
/usr/bin/ujozaagxvz/usr/bin/ujozaagxvz "netstat -antop" 5811⤵PID:633
-
/usr/bin/ujozaagxvz/usr/bin/ujozaagxvz "netstat -an" 5811⤵PID:636
-
/usr/bin/ujozaagxvz/usr/bin/ujozaagxvz bash 5811⤵PID:639
-
/usr/bin/nctcjpjnar/usr/bin/nctcjpjnar id 5811⤵PID:642
-
/usr/bin/nctcjpjnar/usr/bin/nctcjpjnar "echo \"find\"" 5811⤵PID:645
-
/usr/bin/nctcjpjnar/usr/bin/nctcjpjnar pwd 5811⤵PID:648
-
/usr/bin/nctcjpjnar/usr/bin/nctcjpjnar pwd 5811⤵PID:651
-
/usr/bin/nctcjpjnar/usr/bin/nctcjpjnar "cd /etc" 5811⤵PID:654
-
/usr/bin/bozphupvpx/usr/bin/bozphupvpx "ifconfig eth0" 5811⤵PID:657