2154547c69bf8bee7f296bd8ce56ffa4115da65c2308e9fc6d5079b2eb9dec93

Resubmissions

20/04/2023, 08:22

230420-j9nrdsae71 10

15/03/2023, 16:53

230315-vd9vjaec89 10

27/11/2022, 17:44

221127-wbfpcaah7t 10

Analysis

max time kernel
0s
max time network
34s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20221111-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20221111-enkernel:4.15.0-161-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
15/03/2023, 16:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

atrdadsrcc
Size

659KB
MD5

1d79488a09ef56ae2e60e1985b18e7a2
SHA1

0b25e8f36a9738bb4d2dd2cd711f1aa7213db517
SHA256

4aaa0b0d1ccb91b090df97a47b15536157f6f141cdce67867d339d0f01b3981d
SHA512

b77fda07473e8f3e7ff2a1e25bb556164e3fddb40fe791a0b96538dfcc766f96c6e15082dccc77e79fff73f34497d0c43643134a633ff8740bbc4a287ec0c91b
SSDEEP

12288:aBo9ETRNT9Wn1J0OhS18tDm8PCExfLZ9JCCpyvOH36ybCQ7YLVN1/lFkThVArw:aBo9ANo70OE8A8PCExfLZ/CTvQrKLd/Q

Score

7^/10

persistence

Malware Config

Signatures

Modifies rc script 1 TTPs 12 IoCs

Adding/modifying system rc scripts is a common persistence mechanism.

persistence

Boot or Logon Autostart Execution

T1547

description	ioc	Process
/etc/rc3.d/S90ovskycrakk	/etc/rc3.d/S90ovskycrakk	Process not Found
/etc/rc4.d/S90ovskycrakk	/etc/rc4.d/S90ovskycrakk	Process not Found
/etc/rc4.d/	/etc/rc4.d/	update-rc.d
/etc/rc1.d/S90ovskycrakk	/etc/rc1.d/S90ovskycrakk	Process not Found
/etc/rc2.d/S90ovskycrakk	/etc/rc2.d/S90ovskycrakk	Process not Found
/etc/rc5.d/	/etc/rc5.d/	update-rc.d
/etc/rc3.d/	/etc/rc3.d/	update-rc.d
/etc/rc2.d/	/etc/rc2.d/	update-rc.d
/etc/rc6.d/	/etc/rc6.d/	update-rc.d
/etc/rc1.d/	/etc/rc1.d/	update-rc.d
/etc/rc5.d/S90ovskycrakk	/etc/rc5.d/S90ovskycrakk	Process not Found
/etc/rc0.d/	/etc/rc0.d/	update-rc.d

Unexpected DNS network traffic destination 5 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228
Destination IP	103.25.9.228

Write file to user bin folder 1 TTPs 1 IoCs

Hijack Execution Flow

T1574

description	ioc	Process
/usr/sbin/update-rc.d	/usr/sbin/update-rc.d	update-rc.d

Reads runtime system information 6 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
/proc/self/stat	/proc/self/stat	systemctl
/proc/sys/kernel/osrelease	/proc/sys/kernel/osrelease	systemctl
/proc/1/environ	/proc/1/environ	systemctl
/proc/1/sched	/proc/1/sched	systemctl
/proc/cmdline	/proc/cmdline	systemctl
/proc/filesystems	/proc/filesystems	systemctl

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

description	ioc
/tmp/atrdadsrcc	/tmp/atrdadsrcc

/tmp/atrdadsrcc
/tmp/atrdadsrcc
1⤵
PID:603

/boot/ovskycrakk
/boot/ovskycrakk
1⤵
PID:606

/bin/chkconfig
chkconfig --add ovskycrakk
1⤵
PID:609

/sbin/chkconfig
chkconfig --add ovskycrakk
1⤵
PID:609

/usr/bin/chkconfig
chkconfig --add ovskycrakk
1⤵
PID:609

/usr/sbin/chkconfig
chkconfig --add ovskycrakk
1⤵
PID:609

/usr/local/bin/chkconfig
chkconfig --add ovskycrakk
1⤵
PID:609

/usr/local/sbin/chkconfig
chkconfig --add ovskycrakk
1⤵
PID:609

/usr/X11R6/bin/chkconfig
chkconfig --add ovskycrakk
1⤵
PID:609

/bin/update-rc.d
update-rc.d ovskycrakk defaults
1⤵
PID:611

/sbin/update-rc.d
update-rc.d ovskycrakk defaults
1⤵
PID:611

/usr/bin/update-rc.d
update-rc.d ovskycrakk defaults
1⤵
PID:611

/usr/sbin/update-rc.d
update-rc.d ovskycrakk defaults
1⤵
- Modifies rc script
- Write file to user bin folder
PID:611
- /bin/systemctl
  systemctl daemon-reload
  2⤵
  - Reads runtime system information
  PID:614

/boot/glooedfoyb
/boot/glooedfoyb "netstat -antop" 607
1⤵
PID:634

/boot/glooedfoyb
/boot/glooedfoyb whoami 607
1⤵
PID:639

/boot/glooedfoyb
/boot/glooedfoyb uptime 607
1⤵
PID:642

/boot/glooedfoyb
/boot/glooedfoyb "netstat -an" 607
1⤵
PID:645

/boot/glooedfoyb
/boot/glooedfoyb "ifconfig eth0" 607
1⤵
PID:648

/boot/ibazqddbpa
/boot/ibazqddbpa ls 607
1⤵
PID:651

/boot/ibazqddbpa
/boot/ibazqddbpa bash 607
1⤵
PID:654

/boot/ibazqddbpa
/boot/ibazqddbpa "ifconfig eth0" 607
1⤵
PID:657

/boot/ibazqddbpa
/boot/ibazqddbpa "route -n" 607
1⤵
PID:660

/boot/ibazqddbpa
/boot/ibazqddbpa "ps -ef" 607
1⤵
PID:663

/boot/xeqpipqctr
/boot/xeqpipqctr "route -n" 607
1⤵
PID:666

/boot/xeqpipqctr
/boot/xeqpipqctr uptime 607
1⤵
PID:669

/boot/xeqpipqctr
/boot/xeqpipqctr sh 607
1⤵
PID:672

/boot/xeqpipqctr
/boot/xeqpipqctr "cd /etc" 607
1⤵
PID:675

/boot/xeqpipqctr
/boot/xeqpipqctr who 607
1⤵
PID:678

/boot/bjvbexobug
/boot/bjvbexobug ifconfig 607
1⤵
PID:681

/boot/bjvbexobug
/boot/bjvbexobug pwd 607
1⤵
PID:684

/boot/bjvbexobug
/boot/bjvbexobug pwd 607
1⤵
PID:687

/boot/bjvbexobug
/boot/bjvbexobug su 607
1⤵
PID:690

/boot/bjvbexobug
/boot/bjvbexobug "netstat -antop" 607
1⤵
PID:693

/boot/sflradijah
/boot/sflradijah "route -n" 607
1⤵
PID:696

/boot/sflradijah
/boot/sflradijah "route -n" 607
1⤵
PID:699

/boot/sflradijah
/boot/sflradijah "ls -la" 607
1⤵
PID:702

/boot/sflradijah
/boot/sflradijah sh 607
1⤵
PID:705

/boot/sflradijah
/boot/sflradijah uptime 607
1⤵
PID:708

/boot/kgmszwgrdr
/boot/kgmszwgrdr top 607
1⤵
PID:711

/boot/kgmszwgrdr
/boot/kgmszwgrdr whoami 607
1⤵
PID:714

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Defense Evasion

Hijack Execution Flow

T1574

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads