Analysis

  • max time kernel
    0s
  • max time network
    115s
  • platform
    linux_amd64
  • resource
    ubuntu1804-amd64-en-20211208
  • submitted
    14-07-2022 05:39

General

  • Target

    47bf33fd353be8b334f188c839dac4a6a1b71fe220a1c98122628cc5fddabe3d

  • Size

    544KB

  • MD5

    2fd1d1a39b6c6a58fb55967d3c23dfac

  • SHA1

    9aafe38a1eb05565479bf6cf30ea32b4ef51bbeb

  • SHA256

    47bf33fd353be8b334f188c839dac4a6a1b71fe220a1c98122628cc5fddabe3d

  • SHA512

    99063a0f2cbf0473821ee0bc242f6edfc676f4e7b9ea61f7a1a9c84c5df30a6b42afb8a3e8e8e2c8380bfe98b261dc5100710e793a7162ce5eb17fc02770948b

Score
10/10

Malware Config

Signatures

  • suricata: ET MALWARE DDoS.XOR Checkin via HTTP

  • Writes file to system bin folder 1 TTPs 22 IoCs
  • Modifies rc script 1 TTPs 5 IoCs

    Adding/modifying system rc scripts is a common persistence mechanism.

  • Writes file to tmp directory 1 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • ./47bf33fd353be8b334f188c839dac4a6a1b71fe220a1c98122628cc5fddabe3d
    ./47bf33fd353be8b334f188c839dac4a6a1b71fe220a1c98122628cc5fddabe3d
    1⤵
      PID:577
    • /bin/qqzfyjbcspcak
      /bin/qqzfyjbcspcak
      1⤵
        PID:581
      • /bin/jokskpsapph
        /bin/jokskpsapph -d 582
        1⤵
          PID:586
        • /bin/jlgkoznqbtq
          /bin/jlgkoznqbtq -d 582
          1⤵
            PID:589
          • /bin/kjjdlkigwfvjt
            /bin/kjjdlkigwfvjt -d 582
            1⤵
              PID:596
            • /bin/gposnxguj
              /bin/gposnxguj -d 582
              1⤵
                PID:599
              • /bin/vymwrexbnjhzvr
                /bin/vymwrexbnjhzvr -d 582
                1⤵
                  PID:602
                • /bin/ryedrfji
                  /bin/ryedrfji -d 582
                  1⤵
                    PID:605
                  • /bin/dyslsdip
                    /bin/dyslsdip -d 582
                    1⤵
                      PID:608
                    • /bin/sblvqwep
                      /bin/sblvqwep -d 582
                      1⤵
                        PID:611
                      • /bin/yylwcq
                        /bin/yylwcq -d 582
                        1⤵
                          PID:614
                        • /bin/jbyefwwq
                          /bin/jbyefwwq -d 582
                          1⤵
                            PID:617
                          • /bin/bagcxuwahsqeyi
                            /bin/bagcxuwahsqeyi -d 582
                            1⤵
                              PID:620
                            • /bin/jvlanubnzgmxz
                              /bin/jvlanubnzgmxz -d 582
                              1⤵
                                PID:623
                              • /bin/zzkbygyyq
                                /bin/zzkbygyyq -d 582
                                1⤵
                                  PID:626
                                • /bin/ruszsrfbo
                                  /bin/ruszsrfbo -d 582
                                  1⤵
                                    PID:629
                                  • /bin/bbnfoolalmf
                                    /bin/bbnfoolalmf -d 582
                                    1⤵
                                      PID:632
                                    • /bin/orqmaqn
                                      /bin/orqmaqn -d 582
                                      1⤵
                                        PID:635
                                      • /bin/kekcfevkhjfl
                                        /bin/kekcfevkhjfl -d 582
                                        1⤵
                                          PID:638
                                        • /bin/sqbgddtq
                                          /bin/sqbgddtq -d 582
                                          1⤵
                                            PID:641
                                          • /bin/ieeyseohuang
                                            /bin/ieeyseohuang -d 582
                                            1⤵
                                              PID:644
                                            • /bin/yftjkewcu
                                              /bin/yftjkewcu -d 582
                                              1⤵
                                                PID:647
                                              • /bin/kyefqpnwvlozby
                                                /bin/kyefqpnwvlozby -d 582
                                                1⤵
                                                  PID:650
                                                • /bin/blbgengjgpvl
                                                  /bin/blbgengjgpvl -d 582
                                                  1⤵
                                                    PID:653

Network

MITRE ATT&CK Enterprise v6
