8d154492a6a8953d6983dff03a31536691562a69d9e892e54869bd624e36766f | Triage

Resubmissions

23-03-2023 00:36

230323-aybg9aec9t 9

21-03-2023 12:50

230321-p24erscc9z 9

21-03-2023 11:47

230321-nyb1nscb2v 1

31-01-2023 21:51

230131-1qtlzaaf25 9

Sharing

General

Target

12013662c71da69de977c04cd7021f13a70cf7bed4ca6c82acbc100464d4b0ef
Size

138KB
Sample

230321-p24erscc9z
MD5

269685865f8200b497f27617a4ba0b83
SHA1

d3b95c0abe6800662c9be3b255b6eedd990cf049
SHA256

8d154492a6a8953d6983dff03a31536691562a69d9e892e54869bd624e36766f
SHA512

5400ae939db2c39367a0ce0ea53a05daecadbfdd6909b3113339bd7286a65e95fec1b54291db6b01932ae1ebef6a2d01dcfbe001a909278ab225ee8ddc9f0dff
SSDEEP

3072:8sGHBg7pBcQx4JjCRFh0oF5pOnLECFVDBqVCNC7V92kYV6A7fXfJhVQfah:8xgPcQWpGFh085UL1VDBubM6aPJhVQyh

Score

9^/10

discovery persistence

Malware Config

Targets

- Target
  
  12013662c71da69de977c04cd7021f13a70cf7bed4ca6c82acbc100464d4b0ef
- Size
  
  138KB
- MD5
  
  269685865f8200b497f27617a4ba0b83
- SHA1
  
  d3b95c0abe6800662c9be3b255b6eedd990cf049
- SHA256
  
  8d154492a6a8953d6983dff03a31536691562a69d9e892e54869bd624e36766f
- SHA512
  
  5400ae939db2c39367a0ce0ea53a05daecadbfdd6909b3113339bd7286a65e95fec1b54291db6b01932ae1ebef6a2d01dcfbe001a909278ab225ee8ddc9f0dff
- SSDEEP
  
  3072:8sGHBg7pBcQx4JjCRFh0oF5pOnLECFVDBqVCNC7V92kYV6A7fXfJhVQfah:8xgPcQWpGFh085UL1VDBubM6aPJhVQyh
Score

1^/10
behavioral1 behavioral2
- Target
  
  12013662c71da69de977c04cd7021f13a70cf7bed4ca6c82acbc100464d4b0ef
- Size
  
  300KB
- MD5
  
  eec5c6c219535fba3a0492ea8118b397
- SHA1
  
  292559e94f1c04b7d0c65d4a01bbbc5dc1ff6f21
- SHA256
  
  12013662c71da69de977c04cd7021f13a70cf7bed4ca6c82acbc100464d4b0ef
- SHA512
  
  3482c8324a18302f0f37b6e23ed85f24fff9f50bb568d8fd7461bf57f077a7c592f7a88bb2e1c398699958946d87bb93ab744d13a0003f9b879c15e6471f7400
- SSDEEP
  
  6144:T2s/gAWuboqsJ9xcJxspJBqQgTuaJZRhVabE5wKSDP99zBa77oNsKqqfPqOJ:T2s/bW+UmJqBxAuaPRhVabEDSDP99zBT
Score

9^/10

discovery persistence
- Contacts a large (24594) amount of remote hosts
  This may indicate a network scan to discover remotely running services.
  discovery
- Creates a large amount of network flows
  This may indicate a network scan to discover remotely running services.
  discovery
- Modifies the Watchdog daemon
  Malware like Mirai modify the Watchdog to prevent it restarting an infected system.
- Writes file to system bin folder
- Modifies hosts file
  Adds to hosts file used for mapping hosts to IP addresses.
- Writes DNS configuration
  Writes data to DNS resolver config file.
- Enumerates active TCP sockets
  Gets active TCP sockets from /proc virtual filesystem.
- Modifies init.d
  Adds/modifies system service, likely for persistence.
  persistence
- Reads system routing table
  Gets active network interfaces from /proc virtual filesystem.
- Reads system network configuration
  Uses contents of /proc filesystem to enumerate network settings.
- Reads runtime system information
  Reads data from /proc virtual filesystem.
- Writes file to tmp directory
  Malware often drops required files in the /tmp directory.
behavioral3

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hijack Execution Flow

Boot or Logon Autostart Execution

Privilege Escalation

Hijack Execution Flow

Boot or Logon Autostart Execution

Defense Evasion

Impair Defenses

Hijack Execution Flow

Credential Access

Discovery

Network Service Scanning

System Network Connections Discovery

System Network Configuration Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Dynamic Resolution

Impact

Tasks

static1

behavioral1

behavioral2

behavioral3

discoverypersistence