General

  • Target

    5cdb2e2e81d7673d70304a8136c89f51f6be80d9286245ea425fd2526670f560

  • Size

    9.0MB

  • Sample

    221126-hcxscshe93

  • MD5

    a541b61cdee344be36e7f4a64ce3c2b3

  • SHA1

    7e6c1c8c4c00ef09f2f65bd96cf2902f3c6303f8

  • SHA256

    5cdb2e2e81d7673d70304a8136c89f51f6be80d9286245ea425fd2526670f560

  • SHA512

    0a5c1478bcb251ac4635b5fe1b0243c71c93fd9a523f13e6142d4dfefd50067ea7f528859e077d1527941cd80145093eea6107ae32ffda60c407e161263fb627

  • SSDEEP

    196608:Fw0MeZQ34Ov2xALSYuRufhwUDlHbwbCGEocc4t:FxcvkRREhDblGELn

Score: 9/10

Targets

    • Target

      net110_prober_v2.0.0.56_build011000_20140828/MakeRzxSev.sh

    • Size

      1KB

    • MD5

      6acfc27bf16bf39d7cd6618fc2b57137

    • SHA1

      3a3759c509e8ca578c504f162d2e1ee336193f3c

    • SHA256

      6637f76dce8486449059e817169f96e81992bd88ef686e094154036754d9556e

    • SHA512

      4d4ce060047d41364fd0a7a4c6e615af6657c46347abafe6e93bf8363dfa2648185c229699525397938c77ca4b802893cbffe39b572f534ddb5f7b9402f34bda

    Score: 7/10

    • Modifies rc script

      Adding/modifying system rc scripts is a common persistence mechanism.

    • Reads CPU attributes

    • Reads runtime system information

      Reads data from /proc virtual filesystem.

    • Writes file to tmp directory

      Malware often drops required files in the /tmp directory.

    • Target

      net110_prober_v2.0.0.56_build011000_20140828/adwater.exe

    • Size

      5.5MB

    • MD5

      8e0b88f85d2bada6ac75c19a50c1982b

    • SHA1

      067da10b22fed830134e7eca058eb472b2bdfda7

    • SHA256

      6f6cda0e966bc74a3aa73cf799ef4c244c87b90adfebe7adb642bb349f5abf3c

    • SHA512

      992b48d435667e02124495838733bd9a4888f2b93b5a6dd107fbd184266455612c9ffba0aff3522492beeb7ea075f233bba5e4888470d78842606631cfd7f779

    • SSDEEP

      98304:Qzjwk9MdsL86/n1Yv0a4/2vLixXexcgesSYunR/qVzVdZfqQHbO:uw0MeZQ34Ov2xALSYuRufhK

    Score: 8/10

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Drops file in System32 directory

    • Target

      net110_prober_v2.0.0.56_build011000_20140828/combineBMP

    • Size

      41KB

    • MD5

      a5395d640fa66fc3fac628ef00271238

    • SHA1

      fac76f1057bce5612330f0d9a84fa08265c8a929

    • SHA256

      db42bbbc28754bad82605b5df763164ca284216b87163a81f5e5c3d94afd3a39

    • SHA512

      eafa020126a3f7ab1962fb89c0ffcf2b151d8700bafbc5dc692df08afc9da4052b62d0e3ea2dafb8a846d73a6864bb192b76a80a7c74bd5503348f62f8af32e9

    • SSDEEP

      768:22tYOPOggKcVTlWSuBQoNm5fLejehmRwb5ZWwWZE1LBYF3csjhoc1SX:20YOP6XCFM56jehmRwb5bW21GF1oXX

    Score: 1/10

    • Target

      net110_prober_v2.0.0.56_build011000_20140828/combinebmp.sh

    • Size

      9KB

    • MD5

      999b33afef6bc13debd642ef0c88dbfb

    • SHA1

      36fab9dea5a1c79847d99fe6a5a7b6dbed79112c

    • SHA256

      726696bc07c0daaf45cc5550fa0f1b9416fe7167c9a00791e4d74f0d4d10f63b

    • SHA512

      f855e35d9d3495a7c8dbf8bc34482c4867364f09893d2c96338e4179a61a0ae1995228e7ec9cf13115cb3c9da1ef5713fc39cf403e539fdfe0e6d6f2b57d4b2a

    • SSDEEP

      192:VRYnS0eRYDIgPRSOhLDnGBZMTCRsfJzvU9Y3STFLnOeW+:A11u0+6ZY3x

    Score: 5/10

    • Writes file to tmp directory

      Malware often drops required files in the /tmp directory.

    • Target

      net110_prober_v2.0.0.56_build011000_20140828/md5sum

    • Size

      28KB

    • MD5

      df8511cdfa66f5c96fcceacdde1220db

    • SHA1

      fb7a28feee1257bfad70e1de9ad694f3d16ca884

    • SHA256

      4590b5ed08df0d1d1e5cf1684839497734a3d1fdbad244fd25b1e5ce30722d87

    • SHA512

      e9f7dd7dc86a86546f97856a910835a83515b30d0332566d68f6e33a6f4d5309070994f5adc3573064ecba7d3fa07f94ec25c03decc43751c4a95fade244f0c2

    • SSDEEP

      384:fAdCbVJ24lPBzsqPYk5+qb8srg6mRbeTt03hK2s8nx0tznr8uzfGFlZl5vqaSVyj:0h49BzsgYI+avFMy0ZhoLQlJbNlPqx0

    Score: 1/10

    • Target

      net110_prober_v2.0.0.56_build011000_20140828/patch.sh

    • Size

      11KB

    • MD5

      1051641879724c3d7a90f2c2b1d9e27a

    • SHA1

      0d6162a33ed174a787be911e244d7f820f73813b

    • SHA256

      88c7d21be11fb4f17854646a020bd54da08f9f27940d7c393f1b8471053497b8

    • SHA512

      9bbff7d1c87c05e96b59b7f555ebc2ffcbafba03df6687d18f639470644eeae4ab23345493a2d77f7cc3d124a0dc6c0d0a7ef66a9d97e0e6909fd01187648126

    • SSDEEP

      192:KVRYnS0eRYDIgPRCOcLBehBYZM3Ce2pVLuz81CqrXFLnOpGPui:D1ciNyl1DVUix

    Score: 5/10

    • Writes file to tmp directory

      Malware often drops required files in the /tmp directory.

    • Target

      net110_prober_v2.0.0.56_build011000_20140828/setup.sh

    • Size

      11KB

    • MD5

      ece71d3ea17f81f4abab93f0da2f8940

    • SHA1

      4eb5340ea777f74147cd155eb9ef55256729f012

    • SHA256

      f2fffc93c2223d2aeddc26533085489ac9428c611ccfd376bc25f2d2ed7077c8

    • SHA512

      2485d90545a5067b3381fef41dd540372166d7e764ec926f2e7ed46e66e5840a669fc97e2afd0557717425faaa7cb12b722f4a5ba471e5ba362a684c4ef9367b

    • SSDEEP

      192:wVxYnC+ISPRCOmtQr4T8TYf43NSpd9YHU9pITCqnzGx87:bQM1StGCooE

    Score: 5/10

    • Writes file to tmp directory

      Malware often drops required files in the /tmp directory.

    • Target

      net110_prober_v2.0.0.56_build011000_20140828/update.sh

    • Size

      12KB

    • MD5

      e4b9f042966fd379fdf21fc9d19a1f7d

    • SHA1

      01854777b0fad562f4bda7e718ffef94eb89c4ba

    • SHA256

      e7b2cbb2655015c820788ab7d9c33981baebb7fe485449d00a0c1c2b4275f076

    • SHA512

      915e72aaa7a21d0860e8238de54dc8845df6a625d7f8eee5f12b597b78862ee21fe12049926f92368c96d44eec7a0f704045534e0f26a241c2ec980c933075ec

    • SSDEEP

      192:KYRYnS0eRYDIgPRCOcLBW8JhBYZM3Ce2pVLuz81CqrXFLnOFGxAJzV:E1cNNyl1DVaoY

    Score: 5/10

    • Writes file to tmp directory

      Malware often drops required files in the /tmp directory.

    • Target

      net110_prober_v2.0.0.56_build011000_20140828/update.sh.bak

    • Size

      12KB

    • MD5

      69e780f7523ab1590f00d6bac5b90262

    • SHA1

      25658e5ce356bd173c7ebdf1eeebdd8ca8f18dd9

    • SHA256

      4ef39ab076e4036e387218721f3510ee85d1f58fa96e9a2f33cd9754039142f5

    • SHA512

      84ae3d56aa5992f57821f6348e0308f7edb3bee78aaf16a52f0dde6b96e27527ed3eb9ece65d8a9709be1a6b54ea1e305217f434a1246d67bbb744efe4f44931

    • SSDEEP

      192:KVRYnS0eRYDIgPRCOcLBW8JhBYZM3Ce2pVLuz81CqrXFLnOFGxAJzV:D1cNNyl1DVaoY

    Score: 5/10

    • Writes file to tmp directory

      Malware often drops required files in the /tmp directory.

    • Target

      net110_prober_v2.0.0.56_build011000_20140828/waterwall.exe

    • Size

      3.4MB

    • MD5

      165b8525383e78f8305c0af30a11143c

    • SHA1

      4af49033d7997be45ef1ac9519bb28ed8d37affc

    • SHA256

      1403df6b61415d3023e111c3985d7175ec25806c46eb148381b27205d98650dc

    • SHA512

      5837cb3b15cdabb83f88979fbe30acf3fd11b335eb90476836f66e50e73f91bc6399b885c578ee63024c5a0ee70dd196cc91c6c00d6b30be7b0d38e577aa015b

    • SSDEEP

      98304:QbUDli9gt7fwLHPL+32QSpBSvoG50NA9tWDR:mUDlHbwbCGEocc4tI

    Score: 9/10

    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Drops file in System32 directory

    • Target

      net110_prober_v2.0.0.56_build011000_20140828/xDown.sh

    • Size

      10KB

    • MD5

      0fd588e45c0af687ef4e99d5c918da66

    • SHA1

      a56acbe1b0fd9b2e56c858bb27996fe6d6cfee46

    • SHA256

      52d2e0f7f08c6afb8a2a707571a0263a67c9b7bf93735cb7809149d3b79f7d82

    • SHA512

      b84d40a1f710c7585453d0c3b4b23c90405078ee77101142d73e5546689a0f015482e9fb6c86c34d96cd9f4383b125136cf2fccd00af64f6d6378cd9e12232e3

    • SSDEEP

      192:/dUa0GKrCB8pHRYDIgtV1MXy5td+6eWWp19qQytWatSu3n:ZOp0tVXSEmakOn

    Score: 5/10

    • Reads runtime system information

      Reads data from /proc virtual filesystem.

    • Writes file to tmp directory

      Malware often drops required files in the /tmp directory.

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence: Boot or Logon Autostart Execution, T1547 (1)

  • Privilege Escalation: Boot or Logon Autostart Execution, T1547 (1)

  • Discovery: System Information Discovery, T1082 (5)

  • Discovery: Query Registry, T1012 (2)

Tasks

  • static1: Score N/A

  • behavioral1 (persistence): Score 7/10

  • behavioral2 (persistence): Score 7/10

  • behavioral3 (persistence): Score 7/10

  • behavioral4 (persistence): Score 7/10

  • behavioral5: Score 8/10

  • behavioral6: Score 8/10

  • behavioral7: Score 1/10

  • behavioral8: Score 5/10

  • behavioral9: Score 5/10

  • behavioral10: Score 5/10

  • behavioral11: Score 5/10

  • behavioral12: Score 1/10

  • behavioral13: Score 5/10

  • behavioral14: Score 5/10

  • behavioral15: Score 5/10

  • behavioral16: Score 5/10

  • behavioral17: Score 5/10

  • behavioral18: Score 5/10

  • behavioral19: Score 5/10

  • behavioral20: Score 5/10

  • behavioral21: Score 5/10

  • behavioral22: Score 5/10

  • behavioral23: Score 5/10

  • behavioral24: Score 5/10

  • behavioral25: Score 5/10

  • behavioral26: Score 5/10

  • behavioral27: Score 5/10

  • behavioral28: Score 5/10

  • behavioral29 (upx): Score 9/10

  • behavioral30 (upx): Score 9/10

  • behavioral31: Score 5/10

  • behavioral32: Score 5/10