Analysis

max time kernel:  154s
max time network: 102s
platform:         linux_amd64
resource:         ubuntu1804-amd64-en-20211208
resource tags:    arch:amd64, arch:i386, image:ubuntu1804-amd64-en-20211208, kernel:4.15.0-161-generic, locale:en-us, os:ubuntu-18.04-amd64, system
submitted:        20-04-2023 08:22
Behavioral tasks

task            sample               resource
behavioral1     .sshdd               ubuntu1804-amd64-20221111-en
behavioral2     261664               ubuntu1804-amd64-en-20211208
behavioral3     32                   ubuntu1804-amd64-20221111-en
behavioral4     36000.exe            win7-20230220-en
behavioral5     36000.exe            win10v2004-20230220-en
behavioral6     64                   ubuntu1804-amd64-en-20211208
behavioral7     GetPass.exe          win7-20230220-en
behavioral8     GetPass.exe          win10v2004-20230220-en
behavioral9     NetSyst81.dll        win7-20230220-en
behavioral10    NetSyst81.dll        win10v2004-20230220-en
behavioral11    POP                  ubuntu1804-amd64-20221111-en
behavioral12    SAY123               ubuntu1804-amd64-en-20211208
behavioral13    SAY456               ubuntu1804-amd64-20221111-en
behavioral14    TomDog_Result.html   win7-20230220-en
behavioral15    TomDog_Result.html   win10v2004-20230220-en
behavioral16    a06                  ubuntu1804-amd64-en-20211208
behavioral17    a07                  ubuntu1804-amd64-20221111-en
behavioral18    a08                  ubuntu1804-amd64-20221111-en
behavioral19    a09                  ubuntu1804-amd64-20221111-en
behavioral20    a10                  ubuntu1804-amd64-20221111-en
behavioral21    banner313.pl         ubuntu1804-amd64-20221111-en
behavioral22    banner313.pl         debian9-armhf-20221111-en
behavioral23    banner313.pl         debian9-mipsbe-en-20211208
behavioral24    banner313.pl         debian9-mipsel-en-20211208
behavioral25    f.sh                 ubuntu1804-amd64-20221111-en
behavioral26    f.sh                 debian9-armhf-20221111-en
behavioral27    f.sh                 debian9-mipsbe-en-20211208
behavioral28    f.sh                 debian9-mipsel-20221111-en
behavioral29    g3m.pl               ubuntu1804-amd64-20221111-en
behavioral30    g3m.pl               debian9-armhf-en-20211208
behavioral31    g3m.pl               debian9-mipsbe-20221111-en
behavioral32    g3m.pl               debian9-mipsel-en-20211208
General

Target:  SAY123
Size:    551KB
MD5:     a62bd401421253c27fc38aa8803f1451
SHA1:    955d7153ae275b3b1cbef1f6d9fedf463de06e08
SHA256:  977750a1f015f1ffa51edfeeae498a82e979b1644f70bec9170db96247c6e371
SHA512:  9137448dde857b2f2b74fbd4488c6d00cc275da57d542d88a3b785d97257c232231fa13e792a124fef7cc5fcc36a18f7c82504944f3c3b324d3f3186ac09fe3b
SSDEEP:  12288:/ocX0ds1H10GyzD9GCsQoD5umHxqKhHEwPTXdGFwMI:Qck61eGk9lzotuO1hHEwLHj
Malware Config
Signatures
Reads runtime system information (64 IoCs)
Reads data from the /proc virtual filesystem.
Writes file to tmp directory (6 IoCs)
Malware often drops required files in the /tmp directory.

ioc                  process
/tmp/NetSpeedInfo    Process not Found
/tmp/NetSpeedInfo    rm
/tmp/Meminfo         rm
/tmp/NetSpeedInfo    rm
/tmp/Meminfo         rm
/tmp/Meminfo         Process not Found
Processes

Each entry gives the image path, the command line, and the PID; indentation shows the parent/child relationship, and matched signatures are noted in brackets.

/tmp/SAY123  "/tmp/SAY123"  PID:597
    /bin/sh  sh -c "killall declient"  PID:598
        /usr/bin/killall  killall declient  PID:599  [Reads runtime system information]

/bin/sh  sh -c "cat /proc/meminfo|grep MemTotal>/tmp/Meminfo"  PID:603
    /bin/cat  cat /proc/meminfo  PID:604
    /bin/grep  grep MemTotal  PID:605

/bin/sh  sh -c "ethtool eth2|grep Speed >/tmp/NetSpeedInfo"  PID:606
    /bin/grep  grep Speed  PID:608

/bin/sh  sh -c "rm /tmp/NetSpeedInfo /tmp/Meminfo"  PID:609
    /bin/rm  rm /tmp/NetSpeedInfo /tmp/Meminfo  PID:610  [Writes file to tmp directory]

/bin/sh  sh -c "cat /proc/meminfo|grep MemTotal>/tmp/Meminfo"  PID:618
    /bin/cat  cat /proc/meminfo  PID:619  [Reads runtime system information]
    /bin/grep  grep MemTotal  PID:620

/bin/sh  sh -c "ethtool eth2|grep Speed >/tmp/NetSpeedInfo"  PID:621
    /bin/grep  grep Speed  PID:623

/bin/sh  sh -c "rm /tmp/NetSpeedInfo /tmp/Meminfo"  PID:624
    /bin/rm  rm /tmp/NetSpeedInfo /tmp/Meminfo  PID:625  [Writes file to tmp directory]