664fd170b1d07e372b3daa91aab78a8151d3f0b0361a2b3157b405314dd219a2

Resubmissions

20-04-2023 08:22

230420-j9jsfaae7s 10

27-03-2023 09:38

230327-lmbvescg32 10

Analysis

max time kernel
155s
max time network
157s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20221111-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20221111-enkernel:4.15.0-161-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
20-04-2023 08:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

.sshdd
Size

647KB
MD5

33229183c1a701376ef15a0af4f9dc5b
SHA1

b6a981f7d1e3141bc99e448ca5ea88e4f973463c
SHA256

4e6eb417b5598ed171d383e6d6e3f1dc861438a52cfd869bbfaebabb8905f622
SHA512

af69aabf1cb1463cf425d23fdab57d43eca545c86211c4dd7d2a14d27803f461aebebbf2108df8033b16f208e26026f5c3ae3cc578d7d893ba5487e992fbe419
SSDEEP

12288:RBRO1UmJJ0nHgBL9YfJip2qm+x4h1Tonnp6y07l7mtBDvnD/u9hMHDB:RBRpmJ+HyL9AiAqm+x4h1mn6wvnDWXMN

Score

7^/10

persistence

Malware Config

Signatures

Creates/modifies Cron job 1 TTPs 2 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
persistence

Scheduled Task
T1053

Processes:

sedsh

description ioc process

/etc/crontab /etc/crontab sed
/etc/crontab /etc/crontab sh

description	ioc	process
/etc/crontab	/etc/crontab	sed
/etc/crontab	/etc/crontab	sh

Modifies rc script 1 TTPs 12 IoCs

Adding/modifying system rc scripts is a common persistence mechanism.

persistence

Boot or Logon Autostart Execution

T1547

Processes:

update-rc.d

description	ioc	process
/etc/rc4.d/	/etc/rc4.d/	update-rc.d
/etc/rc2.d/	/etc/rc2.d/	update-rc.d
/etc/rc6.d/	/etc/rc6.d/	update-rc.d
/etc/rc1.d/	/etc/rc1.d/	update-rc.d
/etc/rc2.d/S90zjohittxxv	/etc/rc2.d/S90zjohittxxv
/etc/rc5.d/	/etc/rc5.d/	update-rc.d
/etc/rc4.d/S90zjohittxxv	/etc/rc4.d/S90zjohittxxv
/etc/rc5.d/S90zjohittxxv	/etc/rc5.d/S90zjohittxxv
/etc/rc0.d/	/etc/rc0.d/	update-rc.d
/etc/rc3.d/	/etc/rc3.d/	update-rc.d
/etc/rc1.d/S90zjohittxxv	/etc/rc1.d/S90zjohittxxv
/etc/rc3.d/S90zjohittxxv	/etc/rc3.d/S90zjohittxxv

Unexpected DNS network traffic destination 37 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114

Write file to user bin folder 1 TTPs 1 IoCs

Hijack Execution Flow
T1574

Processes:

update-rc.d

description ioc process

/usr/sbin/update-rc.d /usr/sbin/update-rc.d update-rc.d

description	ioc	process
/usr/sbin/update-rc.d	/usr/sbin/update-rc.d	update-rc.d

Reads runtime system information 7 IoCs

Reads data from /proc virtual filesystem.

Processes:

systemctlsed

description	ioc	process
/proc/1/environ	/proc/1/environ	systemctl
/proc/1/sched	/proc/1/sched	systemctl
/proc/cmdline	/proc/cmdline	systemctl
/proc/filesystems	/proc/filesystems	sed
/proc/filesystems	/proc/filesystems	systemctl
/proc/self/stat	/proc/self/stat	systemctl
/proc/sys/kernel/osrelease	/proc/sys/kernel/osrelease	systemctl

Writes file to tmp directory 1 IoCs
Malware often drops required files in the /tmp directory.

Processes:

description ioc

/tmp/.sshdd /tmp/.sshdd

description	ioc
/tmp/.sshdd	/tmp/.sshdd

/tmp/.sshdd
/tmp/.sshdd
1⤵
PID:599

/boot/zjohittxxv
/boot/zjohittxxv
1⤵
PID:602

/bin/sh
sh -c "sed -i '/\\/etc\\/cron.hourly\\/cron.sh/d' /etc/crontab && echo '*/3 * * * * root /etc/cron.hourly/cron.sh' >> /etc/crontab"
1⤵
- Creates/modifies Cron job
PID:608

/bin/sed
sed -i "/\\/etc\\/cron.hourly\\/cron.sh/d" /etc/crontab
2⤵
- Creates/modifies Cron job
- Reads runtime system information
PID:609

/bin/chkconfig
chkconfig --add zjohittxxv
1⤵
PID:605

/sbin/chkconfig
chkconfig --add zjohittxxv
1⤵
PID:605

/usr/bin/chkconfig
chkconfig --add zjohittxxv
1⤵
PID:605

/usr/sbin/chkconfig
chkconfig --add zjohittxxv
1⤵
PID:605

/usr/local/bin/chkconfig
chkconfig --add zjohittxxv
1⤵
PID:605

/usr/local/sbin/chkconfig
chkconfig --add zjohittxxv
1⤵
PID:605

/usr/X11R6/bin/chkconfig
chkconfig --add zjohittxxv
1⤵
PID:605

/bin/update-rc.d
update-rc.d zjohittxxv defaults
1⤵
PID:607

/sbin/update-rc.d
update-rc.d zjohittxxv defaults
1⤵
PID:607

/usr/bin/update-rc.d
update-rc.d zjohittxxv defaults
1⤵
PID:607

/usr/sbin/update-rc.d
update-rc.d zjohittxxv defaults
1⤵
- Modifies rc script
- Write file to user bin folder
PID:607

/bin/systemctl
systemctl daemon-reload
2⤵
- Reads runtime system information
PID:615

/boot/tucfhtvqwt
/boot/tucfhtvqwt gnome-terminal 603
1⤵
PID:626

/boot/svezpahmcq
/boot/svezpahmcq "ifconfig eth0" 603
1⤵
PID:651

/boot/labkmtrozp
/boot/labkmtrozp "echo \"find\"" 603
1⤵
PID:654

/boot/readmfdjud
/boot/readmfdjud whoami 603
1⤵
PID:657

/boot/ycbqarpxaq
/boot/ycbqarpxaq "ps -ef" 603
1⤵
PID:660

/boot/ukddkrdohn
/boot/ukddkrdohn "netstat -an" 603
1⤵
PID:665

/boot/eadonxumqw
/boot/eadonxumqw "cd /etc" 603
1⤵
PID:668

/boot/akunmpmtya
/boot/akunmpmtya pwd 603
1⤵
PID:671

/boot/gibsvulbxf
/boot/gibsvulbxf ifconfig 603
1⤵
PID:674

/boot/svvnwseveg
/boot/svvnwseveg gnome-terminal 603
1⤵
PID:677

/boot/gwkvzxalne
/boot/gwkvzxalne "echo \"find\"" 603
1⤵
PID:680

/boot/mwersinkjz
/boot/mwersinkjz ls 603
1⤵
PID:683

/boot/rauostaels
/boot/rauostaels "ls -la" 603
1⤵
PID:686

/boot/wljosuhgwa
/boot/wljosuhgwa "cd /etc" 603
1⤵
PID:689

/boot/ijynxualur
/boot/ijynxualur "netstat -an" 603
1⤵
PID:692

/boot/reasemoxfd
/boot/reasemoxfd id 603
1⤵
PID:695

/boot/frdgqvhndj
/boot/frdgqvhndj "netstat -antop" 603
1⤵
PID:698

/boot/uzpsvmvqxh
/boot/uzpsvmvqxh "ls -la" 603
1⤵
PID:701

/boot/twhdfprjcs
/boot/twhdfprjcs top 603
1⤵
PID:704

/boot/tkwmsjcjgi
/boot/tkwmsjcjgi id 603
1⤵
PID:707

/boot/gtsejatfuf
/boot/gtsejatfuf "grep \"A\"" 603
1⤵
PID:710

/boot/pqjhwfwdks
/boot/pqjhwfwdks ifconfig 603
1⤵
PID:713

/boot/kbyokonpiv
/boot/kbyokonpiv pwd 603
1⤵
PID:716

/boot/exblzrotun
/boot/exblzrotun pwd 603
1⤵
PID:719

/boot/uxpkxbbbgx
/boot/uxpkxbbbgx "cat resolv.conf" 603
1⤵
PID:725

/boot/ukoqwtbdii
/boot/ukoqwtbdii gnome-terminal 603
1⤵
PID:728

/boot/ftdncfvech
/boot/ftdncfvech "sleep 1" 603
1⤵
PID:731

/boot/fgyxsvfvrl
/boot/fgyxsvfvrl uptime 603
1⤵
PID:734

/boot/rimhqhixux
/boot/rimhqhixux whoami 603
1⤵
PID:737

/boot/gsorgdvdhc
/boot/gsorgdvdhc id 603
1⤵
PID:740

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Scheduled Task

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Scheduled Task

T1053

Defense Evasion

Hijack Execution Flow

T1574

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads