ab3c8f59b3b6a17814c71012cfb0cba141fcf1fe7a6fbbeada59023ed5342e67 | Triage

Analysis

max time kernel
0s
max time network
125s
platform
linux_amd64
resource
ubuntu1804-amd64-en-20211208
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-en-20211208kernel:4.15.0-161-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
29/09/2022, 05:27

Sharing

Report Analysis Logs

General

Target

djobgbiuie.virus
Size

647KB
MD5

2b083aaf4c29ab9952be58294a5fea6f
SHA1

742cc974582435a39f871a843a1509ee2326dca4
SHA256

ab3c8f59b3b6a17814c71012cfb0cba141fcf1fe7a6fbbeada59023ed5342e67
SHA512

78942fb4e91e9221e4296db70790cca085e2d63c0a10032595b5c72970d34ff9adefe62e056e97e0c63ecfa9aa9bdf7e669a02d81176b1fd7ff280c6663f0862
SSDEEP

12288:RBRO1UmJJ0nHgBL9YfJip2qm+x4h1Tonbp6y07l7mtBDvnD/u9hMHDB:RBRpmJ+HyL9AiAqm+x4h1mb6wvnDWXMN

Score

7^/10

persistence

Malware Config

Signatures

Creates/modifies Cron job 1 TTPs 2 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

Scheduled Task

description	ioc	Process
/etc/crontab	/etc/crontab	sed
/etc/crontab	/etc/crontab	sh

Modifies rc script 1 TTPs 12 IoCs

Adding/modifying system rc scripts is a common persistence mechanism.

Boot or Logon Autostart Execution

description	ioc	Process
/etc/rc0.d/	/etc/rc0.d/	update-rc.d
/etc/rc3.d/	/etc/rc3.d/	update-rc.d
/etc/rc6.d/	/etc/rc6.d/	update-rc.d
/etc/rc1.d/	/etc/rc1.d/	update-rc.d
/etc/rc2.d/S90okmjfjzjci	/etc/rc2.d/S90okmjfjzjci	Process not Found
/etc/rc3.d/S90okmjfjzjci	/etc/rc3.d/S90okmjfjzjci	Process not Found
/etc/rc4.d/S90okmjfjzjci	/etc/rc4.d/S90okmjfjzjci	Process not Found
/etc/rc4.d/	/etc/rc4.d/	update-rc.d
/etc/rc2.d/	/etc/rc2.d/	update-rc.d
/etc/rc1.d/S90okmjfjzjci	/etc/rc1.d/S90okmjfjzjci	Process not Found
/etc/rc5.d/S90okmjfjzjci	/etc/rc5.d/S90okmjfjzjci	Process not Found
/etc/rc5.d/	/etc/rc5.d/	update-rc.d

Unexpected DNS network traffic destination 38 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114

Write file to user bin folder 1 TTPs 1 IoCs

Hijack Execution Flow

description	ioc	Process
/usr/sbin/update-rc.d	/usr/sbin/update-rc.d	update-rc.d

Reads runtime system information 7 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
/proc/self/stat	/proc/self/stat	systemctl
/proc/sys/kernel/osrelease	/proc/sys/kernel/osrelease	systemctl
/proc/1/environ	/proc/1/environ	systemctl
/proc/1/sched	/proc/1/sched	systemctl
/proc/cmdline	/proc/cmdline	systemctl
/proc/filesystems	/proc/filesystems	sed
/proc/filesystems	/proc/filesystems	systemctl

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

description	ioc
/tmp/djobgbiuie.virus	/tmp/djobgbiuie.virus

/tmp/djobgbiuie.virus
/tmp/djobgbiuie.virus
1⤵
PID:571

/boot/okmjfjzjci
/boot/okmjfjzjci
1⤵
PID:574

/bin/chkconfig
chkconfig --add okmjfjzjci
1⤵
PID:577

/sbin/chkconfig
chkconfig --add okmjfjzjci
1⤵
PID:577

/usr/bin/chkconfig
chkconfig --add okmjfjzjci
1⤵
PID:577

/usr/sbin/chkconfig
chkconfig --add okmjfjzjci
1⤵
PID:577

/usr/local/bin/chkconfig
chkconfig --add okmjfjzjci
1⤵
PID:577

/usr/local/sbin/chkconfig
chkconfig --add okmjfjzjci
1⤵
PID:577

/usr/X11R6/bin/chkconfig
chkconfig --add okmjfjzjci
1⤵
PID:577

/bin/sh
sh -c "sed -i '/\\/etc\\/cron.hourly\\/cron.sh/d' /etc/crontab && echo '*/3 * * * * root /etc/cron.hourly/cron.sh' >> /etc/crontab"
1⤵
- Creates/modifies Cron job
PID:580
- /bin/sed
  sed -i "/\\/etc\\/cron.hourly\\/cron.sh/d" /etc/crontab
  2⤵
  - Creates/modifies Cron job
  - Reads runtime system information
  PID:581

/bin/update-rc.d
update-rc.d okmjfjzjci defaults
1⤵
PID:579

/sbin/update-rc.d
update-rc.d okmjfjzjci defaults
1⤵
PID:579

/usr/bin/update-rc.d
update-rc.d okmjfjzjci defaults
1⤵
PID:579

/usr/sbin/update-rc.d
update-rc.d okmjfjzjci defaults
1⤵
- Modifies rc script
- Write file to user bin folder
PID:579
- /bin/systemctl
  systemctl daemon-reload
  2⤵
  - Reads runtime system information
  PID:584

/boot/hcombbpcrc
/boot/hcombbpcrc "ls -la" 575
1⤵
PID:586

/boot/xfhspuicqd
/boot/xfhspuicqd top 575
1⤵
PID:608

/boot/pdvtarlvjf
/boot/pdvtarlvjf id 575
1⤵
PID:611

/boot/pvodliyyus
/boot/pvodliyyus su 575
1⤵
PID:614

/boot/qavglsixdg
/boot/qavglsixdg "netstat -an" 575
1⤵
PID:617

/boot/fymnbkeknk
/boot/fymnbkeknk "ps -ef" 575
1⤵
PID:620

/boot/cueafdhiyu
/boot/cueafdhiyu su 575
1⤵
PID:623

/boot/sdqygpkjsl
/boot/sdqygpkjsl "netstat -antop" 575
1⤵
PID:626

/boot/awedlqcnvs
/boot/awedlqcnvs whoami 575
1⤵
PID:629

/boot/vgjsrfvoom
/boot/vgjsrfvoom whoami 575
1⤵
PID:632

/boot/zcdxkhmsco
/boot/zcdxkhmsco pwd 575
1⤵
PID:635

/boot/wdfhxggmdl
/boot/wdfhxggmdl ls 575
1⤵
PID:638

/boot/ojqhagdqgg
/boot/ojqhagdqgg "netstat -an" 575
1⤵
PID:641

/boot/bjwvbwcetn
/boot/bjwvbwcetn "echo \"find\"" 575
1⤵
PID:644

/boot/geskklsblh
/boot/geskklsblh "route -n" 575
1⤵
PID:662

/boot/qjiftbkbbr
/boot/qjiftbkbbr "ps -ef" 575
1⤵
PID:665

/boot/dcbfvbwrxi
/boot/dcbfvbwrxi gnome-terminal 575
1⤵
PID:668

/boot/xsaxodykaw
/boot/xsaxodykaw "cd /etc" 575
1⤵
PID:671

/boot/hhtwspxhot
/boot/hhtwspxhot bash 575
1⤵
PID:674

/boot/ybdkuaxpad
/boot/ybdkuaxpad "cd /etc" 575
1⤵
PID:677

/boot/tobvchhphq
/boot/tobvchhphq uptime 575
1⤵
PID:680

/boot/fiahnhaxoz
/boot/fiahnhaxoz "ls -la" 575
1⤵
PID:683

/boot/dgudhazxzi
/boot/dgudhazxzi gnome-terminal 575
1⤵
PID:686

/boot/iekfniqymo
/boot/iekfniqymo top 575
1⤵
PID:689

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Hijack Execution Flow

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Hijack Execution Flow

Scheduled Task

Defense Evasion

Hijack Execution Flow

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads