Overview

overview

10

Static

static

10

112

ubuntu-18.04-amd64

9

Analysis

  • max time kernel
    4006s
  • max time network
    110s
  • platform
    ubuntu-18.04_amd64
  • resource
    ubuntu1804-amd64-20221111-en
  • resource tags

    arch:amd64arch:i386image:ubuntu1804-amd64-20221111-enkernel:4.15.0-161-genericlocale:en-usos:ubuntu-18.04-amd64system
  • submitted
    28-12-2022 03:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    112

  • Size

    549KB

  • MD5

    f9191bab1e834d4aef3380700639cee9

  • SHA1

    9c20269df6694260a24ac783de2e30d627a6928a

  • SHA256

    ea40ecec0b30982fbb1662e67f97f0e9d6f43d2d587f2f588525fae683abea73

  • SHA512

    3d2758fe2d06183e627b5cc24919c08c84108f2efd7ab0a162029d55537476410d9535d50f3eb059f7153f7482c134284862eea121201f82838aace4b12283b5

  • SSDEEP

    12288:VeRvuKqiVZ4En5drNK0pPEfJKlHZ8mG97Qxee6yzmx:VIv/qiVNHNDEfJKHZ8mG9QeeO

Score
9/10
persistence

Malware Config

Signatures

  • Writes file to system bin folder 1 TTPs 27 IoCs
  • Modifies rc script 1 TTPs 5 IoCs

    Adding/modifying system rc scripts is a common persistence mechanism.

    persistence
  • Unexpected DNS network traffic destination 1 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Writes file to shm directory 1 IoCs

    Malware can drop malicious files in the shm directory which will run directly from RAM.

  • Writes file to tmp directory 1 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/112
    /tmp/112
    1⤵
      PID:581
    • /bin/wgpsuiblsjbzl
      /bin/wgpsuiblsjbzl
      1⤵
        PID:585
      • /bin/dyzmefavgq
        /bin/dyzmefavgq -d 586
        1⤵
          PID:590
        • /bin/hpkyavypypvhm
          /bin/hpkyavypypvhm -d 586
          1⤵
            PID:597
          • /bin/bzftjezygij
            /bin/bzftjezygij -d 586
            1⤵
              PID:600
            • /bin/bjyiyi
              /bin/bjyiyi -d 586
              1⤵
                PID:603
              • /bin/agjpey
                /bin/agjpey -d 586
                1⤵
                  PID:606
                • /bin/kdulczglffm
                  /bin/kdulczglffm -d 586
                  1⤵
                    PID:725
                  • /bin/ovexwn
                    /bin/ovexwn -d 586
                    1⤵
                      PID:728
                    • /bin/hogpomyetytg
                      /bin/hogpomyetytg -d 586
                      1⤵
                        PID:731
                      • /bin/wbvacboih
                        /bin/wbvacboih -d 586
                        1⤵
                          PID:734
                        • /bin/vxvbwurubfdst
                          /bin/vxvbwurubfdst -d 586
                          1⤵
                            PID:737
                          • /bin/tzkrura
                            /bin/tzkrura -d 586
                            1⤵
                              PID:741
                            • /bin/uxtyzhiiheh
                              /bin/uxtyzhiiheh -d 586
                              1⤵
                                PID:744
                              • /bin/hfayad
                                /bin/hfayad -d 586
                                1⤵
                                  PID:747
                                • /bin/dwburafixyknu
                                  /bin/dwburafixyknu -d 586
                                  1⤵
                                    PID:750
                                  • /bin/gsjpbtwhcdohdp
                                    /bin/gsjpbtwhcdohdp -d 586
                                    1⤵
                                      PID:753
                                    • /bin/humfvjwyqgvo
                                      /bin/humfvjwyqgvo -d 586
                                      1⤵
                                        PID:756
                                      • /bin/ikbrckif
                                        /bin/ikbrckif -d 586
                                        1⤵
                                          PID:759
                                        • /bin/hmhkdqpsaw
                                          /bin/hmhkdqpsaw -d 586
                                          1⤵
                                            PID:762
                                          • /bin/mdixbgnibdb
                                            /bin/mdixbgnibdb -d 586
                                            1⤵
                                              PID:765
                                            • /bin/ncesopxvwm
                                              /bin/ncesopxvwm -d 586
                                              1⤵
                                                PID:768
                                              • /bin/gruvjuux
                                                /bin/gruvjuux -d 586
                                                1⤵
                                                  PID:771
                                                • /bin/zhgbnulq
                                                  /bin/zhgbnulq -d 586
                                                  1⤵
                                                    PID:774
                                                  • /bin/oenskfgzebv
                                                    /bin/oenskfgzebv -d 586
                                                    1⤵
                                                      PID:777
                                                    • /bin/fdhzzs
                                                      /bin/fdhzzs -d 586
                                                      1⤵
                                                        PID:780
                                                      • /bin/vqfuxlxnfkffyl
                                                        /bin/vqfuxlxnfkffyl -d 586
                                                        1⤵
                                                          PID:783
                                                        • /bin/qyzyzd
                                                          /bin/qyzyzd -d 586
                                                          1⤵
                                                            PID:786
                                                          • /bin/xwgafizy
                                                            /bin/xwgafizy -d 586
                                                            1⤵
                                                              PID:789

                                                            Network

                                                            MITRE ATT&CK Enterprise v6

                                                            Replay Monitor

                                                            Loading Replay Monitor...

                                                            Downloads