2154547c69bf8bee7f296bd8ce56ffa4115da65c2308e9fc6d5079b2eb9dec93

Resubmissions

20/04/2023, 08:22

230420-j9nrdsae71 10

15/03/2023, 16:53

230315-vd9vjaec89 10

27/11/2022, 17:44

221127-wbfpcaah7t 10

Analysis

max time kernel
0s
max time network
71s
platform
linux_amd64
resource
ubuntu1804-amd64-en-20211208
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-en-20211208kernel:4.15.0-161-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
27/11/2022, 17:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

atrdadsrcc
Size

659KB
MD5

1d79488a09ef56ae2e60e1985b18e7a2
SHA1

0b25e8f36a9738bb4d2dd2cd711f1aa7213db517
SHA256

4aaa0b0d1ccb91b090df97a47b15536157f6f141cdce67867d339d0f01b3981d
SHA512

b77fda07473e8f3e7ff2a1e25bb556164e3fddb40fe791a0b96538dfcc766f96c6e15082dccc77e79fff73f34497d0c43643134a633ff8740bbc4a287ec0c91b
SSDEEP

12288:aBo9ETRNT9Wn1J0OhS18tDm8PCExfLZ9JCCpyvOH36ybCQ7YLVN1/lFkThVArw:aBo9ANo70OE8A8PCExfLZ/CTvQrKLd/Q

Score

7^/10

persistence

Malware Config

Signatures

Modifies rc script 1 TTPs 12 IoCs

Adding/modifying system rc scripts is a common persistence mechanism.

persistence

Boot or Logon Autostart Execution

T1547

description	ioc	Process
/etc/rc1.d/S90tlygvafotd	/etc/rc1.d/S90tlygvafotd	Process not Found
/etc/rc4.d/S90tlygvafotd	/etc/rc4.d/S90tlygvafotd	Process not Found
/etc/rc5.d/S90tlygvafotd	/etc/rc5.d/S90tlygvafotd	Process not Found
/etc/rc0.d/	/etc/rc0.d/	update-rc.d
/etc/rc3.d/	/etc/rc3.d/	update-rc.d
/etc/rc1.d/	/etc/rc1.d/	update-rc.d
/etc/rc2.d/S90tlygvafotd	/etc/rc2.d/S90tlygvafotd	Process not Found
/etc/rc3.d/S90tlygvafotd	/etc/rc3.d/S90tlygvafotd	Process not Found
/etc/rc5.d/	/etc/rc5.d/	update-rc.d
/etc/rc4.d/	/etc/rc4.d/	update-rc.d
/etc/rc2.d/	/etc/rc2.d/	update-rc.d
/etc/rc6.d/	/etc/rc6.d/	update-rc.d

Unexpected DNS network traffic destination 5 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228

Write file to user bin folder 1 TTPs 1 IoCs

Hijack Execution Flow

T1574

description	ioc	Process
/usr/sbin/update-rc.d	/usr/sbin/update-rc.d	update-rc.d

Reads runtime system information 6 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
/proc/self/stat	/proc/self/stat	systemctl
/proc/sys/kernel/osrelease	/proc/sys/kernel/osrelease	systemctl
/proc/1/environ	/proc/1/environ	systemctl
/proc/1/sched	/proc/1/sched	systemctl
/proc/cmdline	/proc/cmdline	systemctl
/proc/filesystems	/proc/filesystems	systemctl

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

description	ioc
/tmp/atrdadsrcc	/tmp/atrdadsrcc

/tmp/atrdadsrcc
/tmp/atrdadsrcc
1⤵
PID:581

/boot/tlygvafotd
/boot/tlygvafotd
1⤵
PID:584

/bin/chkconfig
chkconfig --add tlygvafotd
1⤵
PID:587

/sbin/chkconfig
chkconfig --add tlygvafotd
1⤵
PID:587

/usr/bin/chkconfig
chkconfig --add tlygvafotd
1⤵
PID:587

/usr/sbin/chkconfig
chkconfig --add tlygvafotd
1⤵
PID:587

/usr/local/bin/chkconfig
chkconfig --add tlygvafotd
1⤵
PID:587

/usr/local/sbin/chkconfig
chkconfig --add tlygvafotd
1⤵
PID:587

/usr/X11R6/bin/chkconfig
chkconfig --add tlygvafotd
1⤵
PID:587

/bin/update-rc.d
update-rc.d tlygvafotd defaults
1⤵
PID:589

/sbin/update-rc.d
update-rc.d tlygvafotd defaults
1⤵
PID:589

/usr/bin/update-rc.d
update-rc.d tlygvafotd defaults
1⤵
PID:589

/usr/sbin/update-rc.d
update-rc.d tlygvafotd defaults
1⤵
- Modifies rc script
- Write file to user bin folder
PID:589
- /bin/systemctl
  systemctl daemon-reload
  2⤵
  - Reads runtime system information
  PID:595

/boot/ooraldguzz
/boot/ooraldguzz "netstat -an" 585
1⤵
PID:594

/boot/ooraldguzz
/boot/ooraldguzz "echo \"find\"" 585
1⤵
PID:602

/boot/ooraldguzz
/boot/ooraldguzz uptime 585
1⤵
PID:619

/boot/ooraldguzz
/boot/ooraldguzz "ifconfig eth0" 585
1⤵
PID:623

/boot/ooraldguzz
/boot/ooraldguzz who 585
1⤵
PID:626

/boot/bnhkqbhktb
/boot/bnhkqbhktb "route -n" 585
1⤵
PID:629

/boot/bnhkqbhktb
/boot/bnhkqbhktb "echo \"find\"" 585
1⤵
PID:632

/boot/bnhkqbhktb
/boot/bnhkqbhktb sh 585
1⤵
PID:635

/boot/bnhkqbhktb
/boot/bnhkqbhktb bash 585
1⤵
PID:638

/boot/bnhkqbhktb
/boot/bnhkqbhktb "ls -la" 585
1⤵
PID:641

/boot/paloaqonex
/boot/paloaqonex uptime 585
1⤵
PID:644

/boot/paloaqonex
/boot/paloaqonex su 585
1⤵
PID:647

/boot/paloaqonex
/boot/paloaqonex "sleep 1" 585
1⤵
PID:650

/boot/paloaqonex
/boot/paloaqonex "sleep 1" 585
1⤵
PID:653

/boot/paloaqonex
/boot/paloaqonex "ls -la" 585
1⤵
PID:656

/boot/wfzzaljihm
/boot/wfzzaljihm bash 585
1⤵
PID:659

/boot/wfzzaljihm
/boot/wfzzaljihm sh 585
1⤵
PID:662

/boot/wfzzaljihm
/boot/wfzzaljihm bash 585
1⤵
PID:665

/boot/wfzzaljihm
/boot/wfzzaljihm "ps -ef" 585
1⤵
PID:668

/boot/wfzzaljihm
/boot/wfzzaljihm who 585
1⤵
PID:671

/boot/rmrroislxa
/boot/rmrroislxa "route -n" 585
1⤵
PID:674

/boot/rmrroislxa
/boot/rmrroislxa pwd 585
1⤵
PID:677

/boot/rmrroislxa
/boot/rmrroislxa gnome-terminal 585
1⤵
PID:680

/boot/rmrroislxa
/boot/rmrroislxa "netstat -an" 585
1⤵
PID:683

/boot/rmrroislxa
/boot/rmrroislxa sh 585
1⤵
PID:686

/boot/zkbrzcgwdy
/boot/zkbrzcgwdy "cd /etc" 585
1⤵
PID:689

/boot/zkbrzcgwdy
/boot/zkbrzcgwdy "netstat -antop" 585
1⤵
PID:691

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Defense Evasion

Hijack Execution Flow

T1574

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads