Overview

overview

10

Static

static

10

a9f55f5a8b...5890e8

ubuntu-18.04-amd64

9

Analysis

  • max time kernel
    0s
  • max time network
    103s
  • platform
    linux_amd64
  • resource
    ubuntu1804-amd64-en-20211208
  • resource tags

    arch:amd64arch:i386image:ubuntu1804-amd64-en-20211208kernel:4.15.0-161-genericlocale:en-usos:ubuntu-18.04-amd64system
  • submitted
    08-11-2022 07:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a9f55f5a8b912b37eb511967d4d919d21469b17fc0e10abb42884a8e705890e8

  • Size

    549KB

  • MD5

    edd7e70f803541a0d29595065d25cac9

  • SHA1

    44d43ff65bbbcec481fde7dffc838e6c6b33b846

  • SHA256

    a9f55f5a8b912b37eb511967d4d919d21469b17fc0e10abb42884a8e705890e8

  • SHA512

    170ef329299d7201850fe845392914245ac679315119f8c5454cb17edc5c0b8af026951e4f6470c7fdaf8333ec1fa68c778d4e2f03e6aed00b48c546868d2405

  • SSDEEP

    12288:VeRvuKqiVZ4En5drNK0pPEfJKlHZ8mG97Qxee6yzmx:VIv/qiVNHNDEfJKHZ8mG9QeeO

Score
9/10
persistence

Malware Config

Signatures

  • Writes file to system bin folder 1 TTPs 22 IoCs
  • Modifies rc script 1 TTPs 5 IoCs

    Adding/modifying system rc scripts is a common persistence mechanism.

    persistence
  • Unexpected DNS network traffic destination 8 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Writes file to shm directory 1 IoCs

    Malware can drop malicious files in the shm directory which will run directly from RAM.

  • Writes file to tmp directory 1 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/a9f55f5a8b912b37eb511967d4d919d21469b17fc0e10abb42884a8e705890e8
    /tmp/a9f55f5a8b912b37eb511967d4d919d21469b17fc0e10abb42884a8e705890e8
    1⤵
      PID:571
    • /bin/gnycdhqrwzm
      /bin/gnycdhqrwzm
      1⤵
        PID:575
      • /bin/qbveivsbihbl
        /bin/qbveivsbihbl -d 576
        1⤵
          PID:580
        • /bin/wtoyreinrscto
          /bin/wtoyreinrscto -d 576
          1⤵
            PID:587
          • /bin/jcoswuyi
            /bin/jcoswuyi -d 576
            1⤵
              PID:590
            • /bin/bipadfyaaoyus
              /bin/bipadfyaaoyus -d 576
              1⤵
                PID:593
              • /bin/lblfreo
                /bin/lblfreo -d 576
                1⤵
                  PID:596
                • /bin/irrgzru
                  /bin/irrgzru -d 576
                  1⤵
                    PID:599
                  • /bin/zlffqdfqtfklo
                    /bin/zlffqdfqtfklo -d 576
                    1⤵
                      PID:602
                    • /bin/wsedjltfidy
                      /bin/wsedjltfidy -d 576
                      1⤵
                        PID:605
                      • /bin/laufewqjbiog
                        /bin/laufewqjbiog -d 576
                        1⤵
                          PID:608
                        • /bin/hnluchtwnyf
                          /bin/hnluchtwnyf -d 576
                          1⤵
                            PID:611
                          • /bin/uyevgh
                            /bin/uyevgh -d 576
                            1⤵
                              PID:614
                            • /bin/urojfzwnssrdxw
                              /bin/urojfzwnssrdxw -d 576
                              1⤵
                                PID:617
                              • /bin/shrxhbzmstmw
                                /bin/shrxhbzmstmw -d 576
                                1⤵
                                  PID:620
                                • /bin/sdfpxuycvxrnpi
                                  /bin/sdfpxuycvxrnpi -d 576
                                  1⤵
                                    PID:623
                                  • /bin/ogninggwhh
                                    /bin/ogninggwhh -d 576
                                    1⤵
                                      PID:626
                                    • /bin/dvfwllj
                                      /bin/dvfwllj -d 576
                                      1⤵
                                        PID:629
                                      • /bin/arbyyihzl
                                        /bin/arbyyihzl -d 576
                                        1⤵
                                          PID:632
                                        • /bin/wevzcc
                                          /bin/wevzcc -d 576
                                          1⤵
                                            PID:635
                                          • /bin/xjfnpcskjovwz
                                            /bin/xjfnpcskjovwz -d 576
                                            1⤵
                                              PID:638
                                            • /bin/wssxqae
                                              /bin/wssxqae -d 576
                                              1⤵
                                                PID:641
                                              • /bin/rfpujrrsygh
                                                /bin/rfpujrrsygh -d 576
                                                1⤵
                                                  PID:644
                                                • /bin/atmpqlqhjjz
                                                  /bin/atmpqlqhjjz -d 576
                                                  1⤵
                                                    PID:647

                                                  Network

                                                  MITRE ATT&CK Enterprise v6

                                                  Replay Monitor

                                                  Loading Replay Monitor...

                                                  Downloads