664fd170b1d07e372b3daa91aab78a8151d3f0b0361a2b3157b405314dd219a2 | Triage

Resubmissions

20-04-2023 08:22

230420-j9jsfaae7s 10

27-03-2023 09:38

230327-lmbvescg32 10

Analysis

max time kernel
80s
max time network
40s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20221111-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20221111-enkernel:4.15.0-161-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
20-04-2023 08:22

Sharing

Report Analysis Logs

General

Target

a09
Size

611KB
MD5

d1b5b4b4b5a118e384c7ff487e14ac3f
SHA1

038b7e9406fe5cb0a0be8f95ac935923c6d83c28
SHA256

0a312a4154dcec2bc6ce1d3b51c037b122ace5848ec99c2b861ab6124addae9b
SHA512

20885f782beeca1712924d6dec7fa474fb2fa7f926d7cbdbdd5f7fa18f6a3ac2bcd5dbd771a80c13c3403cbad05f2cda86ffefdc8170d6cc0f0b4b01a5baec74
SSDEEP

12288:UB1tATMVAqnf+ExxBHYpmA38X8LYkCW6TiLx6yB1/iGK4UlUuTh1AG:UB1BVpmExDYp38X8LYTWhLfNiGQl/91h

Score

9^/10

persistence

Malware Config

Signatures

Writes file to system bin folder 1 TTPs 4 IoCs

Hijack Execution Flow

description	ioc
/bin/qajarxjvzp	/bin/qajarxjvzp
/bin/atduvidcfo	/bin/atduvidcfo
/bin/udywhckwbr	/bin/udywhckwbr
/bin/volvurjkiq	/bin/volvurjkiq

Creates/modifies Cron job 1 TTPs 2 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

Scheduled Task

description	ioc	Process
/etc/crontab	/etc/crontab	sh
/etc/crontab	/etc/crontab	sed

Modifies init.d 1 TTPs 1 IoCs

Adds/modifies system service, likely for persistence.

Boot or Logon Autostart Execution

description	ioc
/etc/init.d/o��(o��o��(o��	/etc/init.d/o��(o��o��(o��

Modifies rc script 1 TTPs 17 IoCs

Adding/modifying system rc scripts is a common persistence mechanism.

Boot or Logon Autostart Execution

description	ioc	Process
/etc/rc2.d/S90o��(o��o��(o��	/etc/rc2.d/S90o��(o��o��(o��	Process not Found
/etc/rc3.d/S90o��(o��o��(o��	/etc/rc3.d/S90o��(o��o��(o��	Process not Found
/etc/rc4.d/S90o��(o��o��(o��	/etc/rc4.d/S90o��(o��o��(o��	Process not Found
/etc/rc4.d/S90a09	/etc/rc4.d/S90a09	Process not Found
/etc/rc5.d/S90a09	/etc/rc5.d/S90a09	Process not Found
/etc/rc4.d/	/etc/rc4.d/	update-rc.d
/etc/rc1.d/S90o��(o��o��(o��	/etc/rc1.d/S90o��(o��o��(o��	Process not Found
/etc/rc6.d/	/etc/rc6.d/	update-rc.d
/etc/rc5.d/S90o��(o��o��(o��	/etc/rc5.d/S90o��(o��o��(o��	Process not Found
/etc/rc1.d/S90a09	/etc/rc1.d/S90a09	Process not Found
/etc/rc3.d/S90a09	/etc/rc3.d/S90a09	Process not Found
/etc/rc5.d/	/etc/rc5.d/	update-rc.d
/etc/rc3.d/	/etc/rc3.d/	update-rc.d
/etc/rc2.d/	/etc/rc2.d/	update-rc.d
/etc/rc2.d/S90a09	/etc/rc2.d/S90a09	Process not Found
/etc/rc0.d/	/etc/rc0.d/	update-rc.d
/etc/rc1.d/	/etc/rc1.d/	update-rc.d

Write file to user bin folder 1 TTPs 6 IoCs

Hijack Execution Flow

description	ioc	Process
/usr/bin/atduvidcfo	/usr/bin/atduvidcfo	Process not Found
/usr/sbin/update-rc.d	/usr/sbin/update-rc.d	update-rc.d
/usr/bin/udywhckwbr	/usr/bin/udywhckwbr	Process not Found
/usr/bin/ocoeofccaq	/usr/bin/ocoeofccaq	Process not Found
/usr/bin/volvurjkiq	/usr/bin/volvurjkiq	Process not Found
/usr/bin/qajarxjvzp	/usr/bin/qajarxjvzp	Process not Found

Reads runtime system information 7 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
/proc/filesystems	/proc/filesystems	sed
/proc/filesystems	/proc/filesystems	systemctl
/proc/self/stat	/proc/self/stat	systemctl
/proc/sys/kernel/osrelease	/proc/sys/kernel/osrelease	systemctl
/proc/1/environ	/proc/1/environ	systemctl
/proc/1/sched	/proc/1/sched	systemctl
/proc/cmdline	/proc/cmdline	systemctl

Writes file to tmp directory 4 IoCs

Malware often drops required files in the /tmp directory.

description	ioc
/tmp/udywhckwbr	/tmp/udywhckwbr
/tmp/volvurjkiq	/tmp/volvurjkiq
/tmp/qajarxjvzp	/tmp/qajarxjvzp
/tmp/atduvidcfo	/tmp/atduvidcfo

/tmp/a09
/tmp/a09
1⤵
PID:601

/bin/chkconfig
chkconfig --add a09
1⤵
PID:604

/sbin/chkconfig
chkconfig --add a09
1⤵
PID:604

/usr/bin/chkconfig
chkconfig --add a09
1⤵
PID:604

/usr/sbin/chkconfig
chkconfig --add a09
1⤵
PID:604

/usr/local/bin/chkconfig
chkconfig --add a09
1⤵
PID:604

/usr/local/sbin/chkconfig
chkconfig --add a09
1⤵
PID:604

/usr/X11R6/bin/chkconfig
chkconfig --add a09
1⤵
PID:604

/bin/sh
sh -c "sed -i '/\\/etc\\/cron.hourly\\/gcc.sh/d' /etc/crontab && echo '*/3 * * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab"
1⤵
- Creates/modifies Cron job
PID:607
- /bin/sed
  sed -i "/\\/etc\\/cron.hourly\\/gcc.sh/d" /etc/crontab
  2⤵
  - Creates/modifies Cron job
  - Reads runtime system information
  PID:608

/bin/update-rc.d
update-rc.d a09 defaults
1⤵
PID:606

/sbin/update-rc.d
update-rc.d a09 defaults
1⤵
PID:606

/usr/bin/update-rc.d
update-rc.d a09 defaults
1⤵
PID:606

/usr/sbin/update-rc.d
update-rc.d a09 defaults
1⤵
- Modifies rc script
- Write file to user bin folder
PID:606
- /bin/systemctl
  systemctl daemon-reload
  2⤵
  - Reads runtime system information
  PID:610

/usr/bin/udywhckwbr
/usr/bin/udywhckwbr sh 602
1⤵
PID:633

/usr/bin/udywhckwbr
/usr/bin/udywhckwbr uptime 602
1⤵
PID:636

/usr/bin/udywhckwbr
/usr/bin/udywhckwbr "netstat -an" 602
1⤵
PID:639

/usr/bin/udywhckwbr
/usr/bin/udywhckwbr whoami 602
1⤵
PID:642

/usr/bin/udywhckwbr
/usr/bin/udywhckwbr su 602
1⤵
PID:645

/usr/bin/ocoeofccaq
/usr/bin/ocoeofccaq bash 602
1⤵
PID:648

/usr/bin/ocoeofccaq
/usr/bin/ocoeofccaq su 602
1⤵
PID:651

/usr/bin/ocoeofccaq
/usr/bin/ocoeofccaq whoami 602
1⤵
PID:654

/usr/bin/ocoeofccaq
/usr/bin/ocoeofccaq who 602
1⤵
PID:657

/usr/bin/ocoeofccaq
/usr/bin/ocoeofccaq ls 602
1⤵
PID:660

/usr/bin/volvurjkiq
/usr/bin/volvurjkiq "grep \"A\"" 602
1⤵
PID:663

/usr/bin/volvurjkiq
/usr/bin/volvurjkiq uptime 602
1⤵
PID:666

/usr/bin/volvurjkiq
/usr/bin/volvurjkiq uptime 602
1⤵
PID:669

/usr/bin/volvurjkiq
/usr/bin/volvurjkiq "ps -ef" 602
1⤵
PID:672

/usr/bin/qajarxjvzp
/usr/bin/qajarxjvzp uptime 602
1⤵
PID:678

/usr/bin/qajarxjvzp
/usr/bin/qajarxjvzp su 602
1⤵
PID:681

/usr/bin/qajarxjvzp
/usr/bin/qajarxjvzp "ps -ef" 602
1⤵
PID:684

/usr/bin/qajarxjvzp
/usr/bin/qajarxjvzp sh 602
1⤵
PID:687

/usr/bin/qajarxjvzp
/usr/bin/qajarxjvzp gnome-terminal 602
1⤵
PID:690

/usr/bin/atduvidcfo
/usr/bin/atduvidcfo ls 602
1⤵
PID:693

/usr/bin/atduvidcfo
/usr/bin/atduvidcfo id 602
1⤵
PID:696

/usr/bin/atduvidcfo
/usr/bin/atduvidcfo pwd 602
1⤵
PID:699

/usr/bin/atduvidcfo
/usr/bin/atduvidcfo id 602
1⤵
PID:702

/usr/bin/atduvidcfo
/usr/bin/atduvidcfo "netstat -an" 602
1⤵
PID:705

/usr/bin/ommvmlljsd
/usr/bin/ommvmlljsd "ls -la" 602
1⤵
PID:710

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Hijack Execution Flow

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Hijack Execution Flow

Scheduled Task

Defense Evasion

Hijack Execution Flow

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads