664fd170b1d07e372b3daa91aab78a8151d3f0b0361a2b3157b405314dd219a2

Resubmissions

20/04/2023, 08:22

230420-j9jsfaae7s 10

27/03/2023, 09:38

230327-lmbvescg32 10

Analysis

max time kernel
154s
max time network
102s
platform
linux_amd64
resource
ubuntu1804-amd64-en-20211208
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-en-20211208kernel:4.15.0-161-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
20/04/2023, 08:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SAY123
Size

551KB
MD5

a62bd401421253c27fc38aa8803f1451
SHA1

955d7153ae275b3b1cbef1f6d9fedf463de06e08
SHA256

977750a1f015f1ffa51edfeeae498a82e979b1644f70bec9170db96247c6e371
SHA512

9137448dde857b2f2b74fbd4488c6d00cc275da57d542d88a3b785d97257c232231fa13e792a124fef7cc5fcc36a18f7c82504944f3c3b324d3f3186ac09fe3b
SSDEEP

12288:/ocX0ds1H10GyzD9GCsQoD5umHxqKhHEwPTXdGFwMI:Qck61eGk9lzotuO1hHEwLHj

Score

5^/10

Malware Config

Signatures

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
/proc/115/cmdline	/proc/115/cmdline	killall
/proc/163/stat	/proc/163/stat	killall
/proc/176/stat	/proc/176/stat	killall
/proc/262/stat	/proc/262/stat	killall
/proc/593/stat	/proc/593/stat	killall
/proc/1/stat	/proc/1/stat	killall
/proc/9/stat	/proc/9/stat	killall
/proc/10/stat	/proc/10/stat	killall
/proc/331/stat	/proc/331/stat	killall
/proc/3/stat	/proc/3/stat	killall
/proc/115/stat	/proc/115/stat	killall
/proc/177/stat	/proc/177/stat	killall
/proc/598/stat	/proc/598/stat	killall
/proc/19/stat	/proc/19/stat	killall
/proc/23/stat	/proc/23/stat	killall
/proc/250/cmdline	/proc/250/cmdline	killall
/proc/261/stat	/proc/261/stat	killall
/proc/350/stat	/proc/350/stat	killall
/proc/382/stat	/proc/382/stat	killall
/proc/173/stat	/proc/173/stat	killall
/proc/331/cmdline	/proc/331/cmdline	killall
/proc/16/stat	/proc/16/stat	killall
/proc/22/stat	/proc/22/stat	killall
/proc/26/stat	/proc/26/stat	killall
/proc/98/stat	/proc/98/stat	killall
/proc/203/stat	/proc/203/stat	killall
/proc/meminfo	/proc/meminfo	cat
/proc/333/cmdline	/proc/333/cmdline	killall
/proc/358/cmdline	/proc/358/cmdline	killall
/proc/36/cmdline	/proc/36/cmdline	killall
/proc/172/stat	/proc/172/stat	killall
/proc/174/stat	/proc/174/stat	killall
/proc/78/stat	/proc/78/stat	killall
/proc/6/stat	/proc/6/stat	killall
/proc/358/stat	/proc/358/stat	killall
/proc/2/stat	/proc/2/stat	killall
/proc/17/stat	/proc/17/stat	killall
/proc/80/stat	/proc/80/stat	killall
/proc/597/stat	/proc/597/stat	killall
/proc/4/stat	/proc/4/stat	killall
/proc/170/stat	/proc/170/stat	killall
/proc/424/stat	/proc/424/stat	killall
/proc/15/cmdline	/proc/15/cmdline	killall
/proc/79/cmdline	/proc/79/cmdline	killall
/proc/333/stat	/proc/333/stat	killall
/proc/594/stat	/proc/594/stat	killall
/proc/8/stat	/proc/8/stat	killall
/proc/180/stat	/proc/180/stat	killall
/proc/28/stat	/proc/28/stat	killall
/proc/366/stat	/proc/366/stat	killall
/proc/164/stat	/proc/164/stat	killall
/proc/171/stat	/proc/171/stat	killall
/proc/30/stat	/proc/30/stat	killall
/proc/31/stat	/proc/31/stat	killall
/proc/32/stat	/proc/32/stat	killall
/proc/355/stat	/proc/355/stat	killall
/proc/18/stat	/proc/18/stat	killall
/proc/34/stat	/proc/34/stat	killall
/proc/167/stat	/proc/167/stat	killall
/proc/350/cmdline	/proc/350/cmdline	killall
/proc/422/stat	/proc/422/stat	killall
/proc/592/cmdline	/proc/592/cmdline	killall
/proc/12/stat	/proc/12/stat	killall
/proc/15/stat	/proc/15/stat	killall

Writes file to tmp directory 6 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
/tmp/NetSpeedInfo	/tmp/NetSpeedInfo	Process not Found
/tmp/NetSpeedInfo	/tmp/NetSpeedInfo	rm
/tmp/Meminfo	/tmp/Meminfo	rm
/tmp/NetSpeedInfo	/tmp/NetSpeedInfo	rm
/tmp/Meminfo	/tmp/Meminfo	rm
/tmp/Meminfo	/tmp/Meminfo	Process not Found

/tmp/SAY123
/tmp/SAY123
1⤵
PID:597
- /bin/sh
  sh -c "killall declient"
  2⤵
  PID:598
- - /usr/bin/killall
    killall declient
    3⤵
    - Reads runtime system information
    PID:599

/bin/sh
sh -c "cat /proc/meminfo|grep MemTotal>/tmp/Meminfo"
1⤵
PID:603
- /bin/cat
  cat /proc/meminfo
  2⤵
  PID:604
- /bin/grep
  grep MemTotal
  2⤵
  PID:605

/bin/sh
sh -c "ethtool eth2|grep Speed >/tmp/NetSpeedInfo"
1⤵
PID:606
- /bin/grep
  grep Speed
  2⤵
  PID:608

/bin/sh
sh -c "rm /tmp/NetSpeedInfo /tmp/Meminfo"
1⤵
PID:609
- /bin/rm
  rm /tmp/NetSpeedInfo /tmp/Meminfo
  2⤵
  - Writes file to tmp directory
  PID:610

/bin/sh
sh -c "cat /proc/meminfo|grep MemTotal>/tmp/Meminfo"
1⤵
PID:618
- /bin/cat
  cat /proc/meminfo
  2⤵
  - Reads runtime system information
  PID:619
- /bin/grep
  grep MemTotal
  2⤵
  PID:620

/bin/sh
sh -c "ethtool eth2|grep Speed >/tmp/NetSpeedInfo"
1⤵
PID:621
- /bin/grep
  grep Speed
  2⤵
  PID:623

/bin/sh
sh -c "rm /tmp/NetSpeedInfo /tmp/Meminfo"
1⤵
PID:624
- /bin/rm
  rm /tmp/NetSpeedInfo /tmp/Meminfo
  2⤵
  - Writes file to tmp directory
  PID:625

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads