4f02cc4d5426b63e3eca3ada3c9a8a111a952c0e373c5500519ea8eea5ade853

Analysis

max time kernel
0s
max time network
129s
platform
linux_amd64
resource
ubuntu1804-amd64-en-20211208
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-en-20211208kernel:4.15.0-161-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
29-07-2022 12:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

23s
Size

549KB
MD5

63d6cd74a7cd01bf3a3921c36e90237f
SHA1

f697783da228c7787cf1c6a67a10a8c065d6aaa7
SHA256

4f02cc4d5426b63e3eca3ada3c9a8a111a952c0e373c5500519ea8eea5ade853
SHA512

51b1aef53c8277b8700630b144f15c9a41df358a43d71ef0b9352bbdf71c8777774f1ef1e361c8c95930143b54fcde590885242df3da60dce5b1a1d3761e2db3

Score

9^/10

persistence

Malware Config

Signatures

Writes file to system bin folder 1 TTPs 16 IoCs

Hijack Execution Flow

T1574

Processes:

description	ioc
/bin/wqputy	/bin/wqputy
/bin/rjzykbfln	/bin/rjzykbfln
/bin/yxtwdkq	/bin/yxtwdkq
/bin/cuoequr	/bin/cuoequr
/bin/pjwamxwnjnkq	/bin/pjwamxwnjnkq
/bin/ljgxdusycq	/bin/ljgxdusycq
/bin/tgnenkihcijue	/bin/tgnenkihcijue
/bin/jxkuvtxi	/bin/jxkuvtxi
/bin/zubmrwfqfekd	/bin/zubmrwfqfekd
/bin/wyafdauceycm	/bin/wyafdauceycm
/bin/msufhjojxbjfa	/bin/msufhjojxbjfa
/bin/vpbgfpuxl	/bin/vpbgfpuxl
/bin/lhoqwjpklwgb	/bin/lhoqwjpklwgb
/bin/jdesfndbtkncyf	/bin/jdesfndbtkncyf
/bin/uybmtuiexnxe	/bin/uybmtuiexnxe
/bin/agxkvzl	/bin/agxkvzl

Modifies rc script 1 TTPs 5 IoCs

Adding/modifying system rc scripts is a common persistence mechanism.

persistence

Boot or Logon Autostart Execution

T1547

Processes:

description	ioc
/etc/rc2.d/S90svafdsp	/etc/rc2.d/S90svafdsp
/etc/rc3.d/S90svafdsp	/etc/rc3.d/S90svafdsp
/etc/rc4.d/S90svafdsp	/etc/rc4.d/S90svafdsp
/etc/rc5.d/S90svafdsp	/etc/rc5.d/S90svafdsp
/etc/rc1.d/S90svafdsp	/etc/rc1.d/S90svafdsp

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

Processes:

description	ioc
/tmp/23s	/tmp/23s

/tmp/23s
/tmp/23s
1⤵
PID:570

/bin/psdfavs
/bin/psdfavs
1⤵
PID:574

/bin/rjzykbfln
/bin/rjzykbfln -d 575
1⤵
PID:579

/bin/yxtwdkq
/bin/yxtwdkq -d 575
1⤵
PID:586

/bin/msufhjojxbjfa
/bin/msufhjojxbjfa -d 575
1⤵
PID:589

/bin/ljgxdusycq
/bin/ljgxdusycq -d 575
1⤵
PID:592

/bin/vpbgfpuxl
/bin/vpbgfpuxl -d 575
1⤵
PID:595

/bin/wqputy
/bin/wqputy -d 575
1⤵
PID:599

/bin/tgnenkihcijue
/bin/tgnenkihcijue -d 575
1⤵
PID:602

/bin/lhoqwjpklwgb
/bin/lhoqwjpklwgb -d 575
1⤵
PID:605

/bin/cuoequr
/bin/cuoequr -d 575
1⤵
PID:608

/bin/jdesfndbtkncyf
/bin/jdesfndbtkncyf -d 575
1⤵
PID:611

/bin/jxkuvtxi
/bin/jxkuvtxi -d 575
1⤵
PID:614

/bin/uybmtuiexnxe
/bin/uybmtuiexnxe -d 575
1⤵
PID:617

/bin/agxkvzl
/bin/agxkvzl -d 575
1⤵
PID:620

/bin/zubmrwfqfekd
/bin/zubmrwfqfekd -d 575
1⤵
PID:623

/bin/wyafdauceycm
/bin/wyafdauceycm -d 575
1⤵
PID:626

/bin/pjwamxwnjnkq
/bin/pjwamxwnjnkq -d 575
1⤵
PID:629

/bin/rvqwdpxfwa
/bin/rvqwdpxfwa -d 575
1⤵
PID:632

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Defense Evasion

Hijack Execution Flow

T1574

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads