ea40ecec0b30982fbb1662e67f97f0e9d6f43d2d587f2f588525fae683abea73

Resubmissions

20-04-2023 08:22

230420-j9z5esae8v 10

15-03-2023 12:26

15-03-2023 08:33

14-03-2023 11:18

26-12-2022 18:04

Analysis

max time kernel
0s
max time network
81s
platform
linux_amd64
resource
ubuntu1804-amd64-en-20211208
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-en-20211208kernel:4.15.0-161-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
15-03-2023 12:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ea40ecec0b30982fbb1662e67f97f0e9d6f43d2d587f2f588525fae683abea73.elf
Size

549KB
MD5

f9191bab1e834d4aef3380700639cee9
SHA1

9c20269df6694260a24ac783de2e30d627a6928a
SHA256

ea40ecec0b30982fbb1662e67f97f0e9d6f43d2d587f2f588525fae683abea73
SHA512

3d2758fe2d06183e627b5cc24919c08c84108f2efd7ab0a162029d55537476410d9535d50f3eb059f7153f7482c134284862eea121201f82838aace4b12283b5
SSDEEP

12288:VeRvuKqiVZ4En5drNK0pPEfJKlHZ8mG97Qxee6yzmx:VIv/qiVNHNDEfJKHZ8mG9QeeO

Score

9^/10

persistence

Malware Config

Signatures

Writes file to system bin folder 1 TTPs 23 IoCs

Hijack Execution Flow

T1574

Processes:

description	ioc
/bin/hfqxdd	/bin/hfqxdd
/bin/cplgyf	/bin/cplgyf
/bin/nfifbc	/bin/nfifbc
/bin/cornlihmmt	/bin/cornlihmmt
/bin/zfavcdhoxybvbo	/bin/zfavcdhoxybvbo
/bin/xrfxnhauxavaxy	/bin/xrfxnhauxavaxy
/bin/ylxykochsiadve	/bin/ylxykochsiadve
/bin/dzhlezkkehmt	/bin/dzhlezkkehmt
/bin/gbbzsqe	/bin/gbbzsqe
/bin/zckegi	/bin/zckegi
/bin/ewkxugjlfk	/bin/ewkxugjlfk
/bin/udlbdakdwhf	/bin/udlbdakdwhf
/bin/yjleei	/bin/yjleei
/bin/tehbescjhv	/bin/tehbescjhv
/bin/dmpdewumlcod	/bin/dmpdewumlcod
/bin/tcpnysyx	/bin/tcpnysyx
/bin/rjmrus	/bin/rjmrus
/bin/mhyzqexcdrlneq	/bin/mhyzqexcdrlneq
/bin/awlcmd	/bin/awlcmd
/bin/rgyuplqv	/bin/rgyuplqv
/bin/zmtkvq	/bin/zmtkvq
/bin/uubkzhwqq	/bin/uubkzhwqq
/bin/ybnbjrxk	/bin/ybnbjrxk

Modifies rc script 1 TTPs 5 IoCs

Adding/modifying system rc scripts is a common persistence mechanism.

persistence

Boot or Logon Autostart Execution

T1547

Processes:

description	ioc
/etc/rc1.d/S90xikpalazgaia	/etc/rc1.d/S90xikpalazgaia
/etc/rc2.d/S90xikpalazgaia	/etc/rc2.d/S90xikpalazgaia
/etc/rc3.d/S90xikpalazgaia	/etc/rc3.d/S90xikpalazgaia
/etc/rc4.d/S90xikpalazgaia	/etc/rc4.d/S90xikpalazgaia
/etc/rc5.d/S90xikpalazgaia	/etc/rc5.d/S90xikpalazgaia

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	114.114.114.114

Writes file to shm directory 1 IoCs

Malware can drop malicious files in the shm directory which will run directly from RAM.

Processes:

description	ioc
/dev/shm/sem.7cmjSa	/dev/shm/sem.7cmjSa

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

Processes:

description	ioc
/tmp/ea40ecec0b30982fbb1662e67f97f0e9d6f43d2d587f2f588525fae683abea73.elf	/tmp/ea40ecec0b30982fbb1662e67f97f0e9d6f43d2d587f2f588525fae683abea73.elf

/tmp/ea40ecec0b30982fbb1662e67f97f0e9d6f43d2d587f2f588525fae683abea73.elf
/tmp/ea40ecec0b30982fbb1662e67f97f0e9d6f43d2d587f2f588525fae683abea73.elf
1⤵
PID:594

/bin/aiagzalapkix
/bin/aiagzalapkix
1⤵
PID:598

/bin/gbbzsqe
/bin/gbbzsqe -d 599
1⤵
PID:603

/bin/awlcmd
/bin/awlcmd -d 599
1⤵
PID:610

/bin/tehbescjhv
/bin/tehbescjhv -d 599
1⤵
PID:613

/bin/dmpdewumlcod
/bin/dmpdewumlcod -d 599
1⤵
PID:616

/bin/rgyuplqv
/bin/rgyuplqv -d 599
1⤵
PID:619

/bin/zmtkvq
/bin/zmtkvq -d 599
1⤵
PID:623

/bin/zckegi
/bin/zckegi -d 599
1⤵
PID:626

/bin/uubkzhwqq
/bin/uubkzhwqq -d 599
1⤵
PID:629

/bin/nfifbc
/bin/nfifbc -d 599
1⤵
PID:632

/bin/cornlihmmt
/bin/cornlihmmt -d 599
1⤵
PID:635

/bin/tcpnysyx
/bin/tcpnysyx -d 599
1⤵
PID:638

/bin/ylxykochsiadve
/bin/ylxykochsiadve -d 599
1⤵
PID:668

/bin/udlbdakdwhf
/bin/udlbdakdwhf -d 599
1⤵
PID:671

/bin/hfqxdd
/bin/hfqxdd -d 599
1⤵
PID:674

/bin/cplgyf
/bin/cplgyf -d 599
1⤵
PID:677

/bin/yjleei
/bin/yjleei -d 599
1⤵
PID:680

/bin/rjmrus
/bin/rjmrus -d 599
1⤵
PID:683

/bin/dzhlezkkehmt
/bin/dzhlezkkehmt -d 599
1⤵
PID:686

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Defense Evasion

Hijack Execution Flow

T1574

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads