Resubmissions

20-04-2023 08:22

230420-j9jsfaae7s 10

27-03-2023 09:38

230327-lmbvescg32 10

Analysis

  • max time kernel
    155s
  • max time network
    135s
  • platform
    ubuntu-18.04_amd64
  • resource
    ubuntu1804-amd64-20221111-en
  • resource tags

    arch:amd64, arch:i386, image:ubuntu1804-amd64-20221111-en, kernel:4.15.0-161-generic, locale:en-us, os:ubuntu-18.04-amd64, system
  • submitted
    20-04-2023 08:22

General

  • Target

    SAY456

  • Size

    639KB

  • MD5

    467771cc496a8764e143c772d3585072

  • SHA1

    3233613081abf60ebd8bb04a97c9d9eeded025df

  • SHA256

    c453e0d47de8106884381fcc0db2bf7927f714fc480fe31356809fff629c8a33

  • SHA512

    c5cfad7c857a377850398df29190522bac911271bed4b2f6d17f91522173834f17daa38c53bdeb7c82796384aa21ea149abe18639425920003076095d69b7e0f

  • SSDEEP

    12288:8Y62/fARweXwB5QXgn19w1k1a7s+95qXtPMZCLZZgyOQPAe5UyojTucN44XML:VdAywwBMgV1ux9cPM6LZJIu8N44o

Score
8/10

Malware Config

Signatures

  • Writes DNS configuration 1 TTPs 1 IoCs

    Writes data to DNS resolver config file.

  • Reads CPU attributes 1 TTPs 1 IoCs
  • Reads system network configuration 1 TTPs 1 IoCs

    Uses contents of /proc filesystem to enumerate network settings.

  • Reads runtime system information 2 IoCs

    Reads data from /proc virtual filesystem.

  • Writes file to tmp directory 4 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/SAY456
    /tmp/SAY456
    1⤵
      PID:614
    • /bin/sh
      sh -c "./dbuspm-session /tmp/SAY456 RunByP617 &"
      1⤵
        PID:618
      • ./dbuspm-session
        ./dbuspm-session /tmp/SAY456 RunByP617
        2⤵
          PID:619
    • /bin/sh
      sh -c "echo `date` run ./dbuspm-session /tmp/SAY456 RunByP617 & >> /home/baicai/DDosClient-Linux/log"
      1⤵
        PID:620
    • /bin/sh
      sh -c "echo `date` recv 1 619>> /home/baicai/DDosClient-Linux/log"
      1⤵
        PID:621
      • /bin/date
        date
        2⤵
          PID:624
    • /bin/date
      date
      1⤵
        PID:623
    • /bin/sh
      sh -c "cat /proc/meminfo|grep MemTotal>/tmp/Meminfo"
      1⤵
        PID:629
      • /bin/cat
        cat /proc/meminfo
        2⤵
        • Reads runtime system information
        PID:630
      • /bin/grep
        grep MemTotal
        2⤵
          PID:631
    • /bin/sh
      sh -c "ethtool eth2|grep Speed >/tmp/NetSpeedInfo"
      1⤵
        PID:632
      • /bin/grep
        grep Speed
        2⤵
          PID:634
    • /bin/sh
      sh -c "rm /tmp/NetSpeedInfo /tmp/Meminfo"
      1⤵
        PID:635
      • /bin/rm
        rm /tmp/NetSpeedInfo /tmp/Meminfo
        2⤵
        • Writes file to tmp directory
        PID:636

Network

MITRE ATT&CK Enterprise v6