c9bd6d01eb7258fef88ec5c9276431c1db45f063b316f83943e45b6a40a76783

Resubmissions

20-04-2023 08:22

230420-j9pnpaae8s 10

20-04-2023 08:22

15-03-2023 12:40

15-03-2023 12:39

13-03-2023 14:43

24-08-2021 03:35

Analysis

max time kernel
47s
max time network
137s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20221111-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20221111-enkernel:4.15.0-161-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
20-04-2023 08:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

nyynvefzjerks
Size

546KB
MD5

2a91a3170a5fd4fb3e30f3d63b9120de
SHA1

1a7a226833f43fdaee71cb6f84914f9a1e87de81
SHA256

c9bd6d01eb7258fef88ec5c9276431c1db45f063b316f83943e45b6a40a76783
SHA512

2d396f7fd0e661a2f15a1f0dc51341b89d9b28f6742a4bdfb7fe9115c5c7b44d9b8ac6e1c5e492f5971c2f9595f17c4154d979f7183df23d8f52ab0e24834d3f
SSDEEP

12288:D3P1A0+Kvdnd4Asvhc27/ao+PzENGtkZg0/CedRlZRqR6ysen:Dfm0+KlZsJc27io2zYGtk20/LdF0+8

Score

9^/10

persistence

Malware Config

Signatures

Writes file to system bin folder 1 TTPs 37 IoCs

Hijack Execution Flow

T1574

Processes:

description	ioc
/bin/lpjgcedmq	/bin/lpjgcedmq
/bin/hzlcjgnmnwl	/bin/hzlcjgnmnwl
/bin/vzoveozo	/bin/vzoveozo
/bin/zcakipyylllxp	/bin/zcakipyylllxp
/bin/iqzlndwcusx	/bin/iqzlndwcusx
/bin/skxlnnyfw	/bin/skxlnnyfw
/bin/fzbrcjfnne	/bin/fzbrcjfnne
/bin/olcuekq	/bin/olcuekq
/bin/xxmrrgtfb	/bin/xxmrrgtfb
/bin/qoblyqdsldiij	/bin/qoblyqdsldiij
/bin/yslauxkkvix	/bin/yslauxkkvix
/bin/legfslnau	/bin/legfslnau
/bin/enbatd	/bin/enbatd
/bin/msexubuflrpk	/bin/msexubuflrpk
/bin/tuowmsgtf	/bin/tuowmsgtf
/bin/biimlesvuva	/bin/biimlesvuva
/bin/xkncukndqu	/bin/xkncukndqu
/bin/ydbxcln	/bin/ydbxcln
/bin/owcwvugshwhibe	/bin/owcwvugshwhibe
/bin/kgzfbh	/bin/kgzfbh
/bin/blgtldrhx	/bin/blgtldrhx
/bin/zxfxtp	/bin/zxfxtp
/bin/vddoojhxizzjpk	/bin/vddoojhxizzjpk
/bin/cfjvbujtjb	/bin/cfjvbujtjb
/bin/pbiwddpvkxurcg	/bin/pbiwddpvkxurcg
/bin/hckvtikwqjzvyu	/bin/hckvtikwqjzvyu
/bin/rmxdbcbew	/bin/rmxdbcbew
/bin/edixjiehgyvd	/bin/edixjiehgyvd
/bin/icaeydpiramjxj	/bin/icaeydpiramjxj
/bin/scluoxrxdpjsr	/bin/scluoxrxdpjsr
/bin/txxlpnm	/bin/txxlpnm
/bin/jjqmqf	/bin/jjqmqf
/bin/cujhjuadyc	/bin/cujhjuadyc
/bin/zwgyaftu	/bin/zwgyaftu
/bin/czqixqnskbgn	/bin/czqixqnskbgn
/bin/toezbhzqpq	/bin/toezbhzqpq
/bin/xxywsy	/bin/xxywsy

Modifies rc script 1 TTPs 5 IoCs

Adding/modifying system rc scripts is a common persistence mechanism.

persistence

Boot or Logon Autostart Execution

T1547

Processes:

description	ioc
/etc/rc3.d/S90skrejzfevnyyn	/etc/rc3.d/S90skrejzfevnyyn
/etc/rc4.d/S90skrejzfevnyyn	/etc/rc4.d/S90skrejzfevnyyn
/etc/rc5.d/S90skrejzfevnyyn	/etc/rc5.d/S90skrejzfevnyyn
/etc/rc1.d/S90skrejzfevnyyn	/etc/rc1.d/S90skrejzfevnyyn
/etc/rc2.d/S90skrejzfevnyyn	/etc/rc2.d/S90skrejzfevnyyn

Writes file to shm directory 1 IoCs

Malware can drop malicious files in the shm directory which will run directly from RAM.

Processes:

description	ioc
/dev/shm/sem.qU1uqP	/dev/shm/sem.qU1uqP

/tmp/nyynvefzjerks
/tmp/nyynvefzjerks
1⤵
PID:604

/bin/jjqmqf
/bin/jjqmqf -d 605
1⤵
PID:609

/bin/enbatd
/bin/enbatd -d 605
1⤵
PID:616

/bin/lpjgcedmq
/bin/lpjgcedmq -d 605
1⤵
PID:619

/bin/pbiwddpvkxurcg
/bin/pbiwddpvkxurcg -d 605
1⤵
PID:622

/bin/skxlnnyfw
/bin/skxlnnyfw -d 605
1⤵
PID:625

/bin/hckvtikwqjzvyu
/bin/hckvtikwqjzvyu -d 605
1⤵
PID:628

/bin/owcwvugshwhibe
/bin/owcwvugshwhibe -d 605
1⤵
PID:631

/bin/kgzfbh
/bin/kgzfbh -d 605
1⤵
PID:634

/bin/xxywsy
/bin/xxywsy -d 605
1⤵
PID:637

/bin/zwgyaftu
/bin/zwgyaftu -d 605
1⤵
PID:640

/bin/blgtldrhx
/bin/blgtldrhx -d 605
1⤵
PID:643

/bin/czqixqnskbgn
/bin/czqixqnskbgn -d 605
1⤵
PID:646

/bin/zxfxtp
/bin/zxfxtp -d 605
1⤵
PID:649

/bin/vddoojhxizzjpk
/bin/vddoojhxizzjpk -d 605
1⤵
PID:652

/bin/fzbrcjfnne
/bin/fzbrcjfnne -d 605
1⤵
PID:655

/bin/ydbxcln
/bin/ydbxcln -d 605
1⤵
PID:658

/bin/tuowmsgtf
/bin/tuowmsgtf -d 605
1⤵
PID:661

/bin/toezbhzqpq
/bin/toezbhzqpq -d 605
1⤵
PID:664

/bin/iqzlndwcusx
/bin/iqzlndwcusx -d 605
1⤵
PID:667

/bin/olcuekq
/bin/olcuekq -d 605
1⤵
PID:670

/bin/rmxdbcbew
/bin/rmxdbcbew -d 605
1⤵
PID:673

/bin/biimlesvuva
/bin/biimlesvuva -d 605
1⤵
PID:676

/bin/edixjiehgyvd
/bin/edixjiehgyvd -d 605
1⤵
PID:679

/bin/icaeydpiramjxj
/bin/icaeydpiramjxj -d 605
1⤵
PID:682

/bin/xkncukndqu
/bin/xkncukndqu -d 605
1⤵
PID:685

/bin/scluoxrxdpjsr
/bin/scluoxrxdpjsr -d 605
1⤵
PID:688

/bin/cfjvbujtjb
/bin/cfjvbujtjb -d 605
1⤵
PID:691

/bin/xxmrrgtfb
/bin/xxmrrgtfb -d 605
1⤵
PID:694

/bin/cujhjuadyc
/bin/cujhjuadyc -d 605
1⤵
PID:697

/bin/hzlcjgnmnwl
/bin/hzlcjgnmnwl -d 605
1⤵
PID:700

/bin/vzoveozo
/bin/vzoveozo -d 605
1⤵
PID:705

/bin/zcakipyylllxp
/bin/zcakipyylllxp -d 605
1⤵
PID:708

/bin/qoblyqdsldiij
/bin/qoblyqdsldiij -d 605
1⤵
PID:711

/bin/yslauxkkvix
/bin/yslauxkkvix -d 605
1⤵
PID:714

/bin/txxlpnm
/bin/txxlpnm -d 605
1⤵
PID:717

/bin/legfslnau
/bin/legfslnau -d 605
1⤵
PID:720

/bin/msexubuflrpk
/bin/msexubuflrpk -d 605
1⤵
PID:723

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Defense Evasion

Hijack Execution Flow

T1574

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads