Analysis
- max time kernel: 3s
- max time network: 4s
- platform: ubuntu-18.04_amd64
- resource: ubuntu1804-amd64-20221111-en
- resource tags: arch:amd64, arch:i386, image:ubuntu1804-amd64-20221111-en, kernel:4.15.0-161-generic, locale:en-us, os:ubuntu-18.04-amd64, system
- submitted: 03-05-2023 14:49
Behavioral task: behavioral1
- Sample: 3d375d0ead2b63168de86ca2649360d9dcff75b3e0ffa2cf1e50816ec92b3b7d.elf
- Resource: ubuntu1804-amd64-20221111-en
General
- Target: 3d375d0ead2b63168de86ca2649360d9dcff75b3e0ffa2cf1e50816ec92b3b7d.elf
- Size: 102KB
- MD5: 96a157e4c0bef22e0cea1299f88d4745
- SHA1: 446771415864f4916df33aad1aa7e42fa104adee
- SHA256: 3d375d0ead2b63168de86ca2649360d9dcff75b3e0ffa2cf1e50816ec92b3b7d
- SHA512: 697071bac6f86ea1b0421306dbc87e926973f061b8eff4608f9a98ada622fe2bdcd45a180591792dd14de54a0b87301ae02f0a3a222e93eb412b340ccc990377
- SSDEEP: 3072:Gb+XoBHJ3RYjgggwgggwgggwgggwgggZQuYoL/:GDaoL
Malware Config
Extracted from: /tmp/.Test-unix/qoxaq-readme.txt
- http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/604D4AF1604D4AF1
- http://decoder.re/604D4AF1604D4AF1
Signatures
- Reads CPU attributes (1 TTP, 1 IoC)
  Processes: pkill
  description | ioc | process
  File opened for reading | /sys/devices/system/cpu/online | pkill
- Reads runtime system information (64 IoCs)
  Reads data from /proc virtual filesystem.
  Processes: pkill
  description: File opened for reading; process: pkill; ioc (one per line):
  /proc/78/cmdline
  /proc/4/cmdline
  /proc/19/cmdline
  /proc/26/status
  /proc/34/status
  /proc/36/cmdline
  /proc/28/status
  /proc/407/cmdline
  /proc/593/status
  /proc/1/status
  /proc/21/status
  /proc/169/status
  /proc/191/status
  /proc/362/status
  /proc/1/cmdline
  /proc/81/cmdline
  /proc/82/cmdline
  /proc/355/status
  /proc/583/status
  /proc/8/status
  /proc/25/cmdline
  /proc/115/status
  /proc/166/status
  /proc/368/cmdline
  /proc/344/status
  /proc/424/cmdline
  /proc/31/cmdline
  /proc/36/status
  /proc/80/cmdline
  /proc/155/cmdline
  /proc/164/status
  /proc/19/status
  /proc/30/cmdline
  /proc/154/cmdline
  /proc/344/cmdline
  /proc/362/cmdline
  /proc/428/status
  /proc/563/cmdline
  /proc/5/status
  /proc/7/cmdline
  /proc/79/status
  /proc/159/cmdline
  /proc/162/status
  /proc/16/status
  /proc/26/cmdline
  /proc/594/status
  /proc/2/cmdline
  /proc/32/cmdline
  /proc/161/cmdline
  /proc/167/cmdline
  /proc/191/cmdline
  /proc/428/cmdline
  /proc/582/cmdline
  /proc/586/cmdline
  /proc/22/cmdline
  /proc/24/status
  /proc/82/status
  /proc/347/cmdline
  /proc/427/cmdline
  /proc/85/cmdline
  /proc/160/status
  /proc/220/cmdline
  /proc/10/status
  /proc/18/cmdline
- Writes file to tmp directory (14 IoCs)
  Malware often drops required files in the /tmp directory.
  Processes: 3d375d0ead2b63168de86ca2649360d9dcff75b3e0ffa2cf1e50816ec92b3b7d.elf
  description | ioc | process
  File opened for modification | /tmp/.Test-unix/qoxaq-readme.txt | 3d375d0ead2b63168de86ca2649360d9dcff75b3e0ffa2cf1e50816ec92b3b7d.elf
  File opened for modification | /tmp/.ICE-unix/qoxaq-readme.txt | 3d375d0ead2b63168de86ca2649360d9dcff75b3e0ffa2cf1e50816ec92b3b7d.elf
  File opened for modification | /tmp/systemd-private-05231fcaaee74d259d555d829d744ad3-systemd-resolved.service-zVdWPp/qoxaq-readme.txt | 3d375d0ead2b63168de86ca2649360d9dcff75b3e0ffa2cf1e50816ec92b3b7d.elf
  File opened for modification | /tmp/systemd-private-05231fcaaee74d259d555d829d744ad3-systemd-timedated.service-IAjiNi/tmp/qoxaq-readme.txt | 3d375d0ead2b63168de86ca2649360d9dcff75b3e0ffa2cf1e50816ec92b3b7d.elf
  File opened for modification | /tmp/3d375d0ead2b63168de86ca2649360d9dcff75b3e0ffa2cf1e50816ec92b3b7d.elf |
  File opened for modification | /tmp/systemd-private-05231fcaaee74d259d555d829d744ad3-systemd-timesyncd.service-EVlWiO/tmp/qoxaq-readme.txt | 3d375d0ead2b63168de86ca2649360d9dcff75b3e0ffa2cf1e50816ec92b3b7d.elf
  File opened for modification | /tmp/systemd-private-05231fcaaee74d259d555d829d744ad3-systemd-timesyncd.service-EVlWiO/qoxaq-readme.txt | 3d375d0ead2b63168de86ca2649360d9dcff75b3e0ffa2cf1e50816ec92b3b7d.elf
  File opened for modification | /tmp/netplan_6lzywoh5/qoxaq-readme.txt | 3d375d0ead2b63168de86ca2649360d9dcff75b3e0ffa2cf1e50816ec92b3b7d.elf
  File opened for modification | /tmp/qoxaq-readme.txt | 3d375d0ead2b63168de86ca2649360d9dcff75b3e0ffa2cf1e50816ec92b3b7d.elf
  File opened for modification | /tmp/.XIM-unix/qoxaq-readme.txt | 3d375d0ead2b63168de86ca2649360d9dcff75b3e0ffa2cf1e50816ec92b3b7d.elf
  File opened for modification | /tmp/systemd-private-05231fcaaee74d259d555d829d744ad3-systemd-timedated.service-IAjiNi/qoxaq-readme.txt | 3d375d0ead2b63168de86ca2649360d9dcff75b3e0ffa2cf1e50816ec92b3b7d.elf
  File opened for modification | /tmp/.font-unix/qoxaq-readme.txt | 3d375d0ead2b63168de86ca2649360d9dcff75b3e0ffa2cf1e50816ec92b3b7d.elf
  File opened for modification | /tmp/.X11-unix/qoxaq-readme.txt | 3d375d0ead2b63168de86ca2649360d9dcff75b3e0ffa2cf1e50816ec92b3b7d.elf
  File opened for modification | /tmp/systemd-private-05231fcaaee74d259d555d829d744ad3-systemd-resolved.service-zVdWPp/tmp/qoxaq-readme.txt | 3d375d0ead2b63168de86ca2649360d9dcff75b3e0ffa2cf1e50816ec92b3b7d.elf
Processes
- /tmp/3d375d0ead2b63168de86ca2649360d9dcff75b3e0ffa2cf1e50816ec92b3b7d.elf (PID 586)
  command line: /tmp/3d375d0ead2b63168de86ca2649360d9dcff75b3e0ffa2cf1e50816ec92b3b7d.elf
  signatures: Writes file to tmp directory
  - sh (PID 587)
    command line: sh -c "uname -a && echo \" | \" && hostname"
    - uname (PID 588)
      command line: uname -a
    - hostname (PID 589)
      command line: hostname
  - sh (PID 590)
    command line: sh -c "uname -a && echo \" | \" && hostname"
    - uname (PID 591)
      command line: uname -a
    - hostname (PID 592)
      command line: hostname
  - sh (PID 593)
    command line: sh -c "pkill -9 vmx-*"
    - pkill (PID 594)
      command line: pkill -9 "vmx-*"
      signatures: Reads CPU attributes; Reads runtime system information
  - sh (PID 595)
    command line: sh -c "esxcli --formatter=csv --format-param=fields==\"WorldID,DisplayName\" vm process list | awk -F \"\\\"*,\\\"*\" '{system(\"esxcli vm process kill --type=force --world-id=\" \$1)}'"
    - awk (PID 597)
      command line: awk -F "\"*,\"*" "{system(\"esxcli vm process kill --type=force --world-id=\" \$1)}"
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 2KB
  MD5: fa16f8fe9bfae53621cc729aad65b5dc
  SHA1: b12944c1673a9c7592a2420e6ba5f06721e0e380
  SHA256: d71419b19aa480db5785d069335cbdeec49acfba1d18b9bf916f177315c10e97
  SHA512: 7862096e561b352f80d26ce9694bf50a1756106660fda6528f09a343d56f3dc314726254cec7e78de2a62f76c63e57310aa2437615c0593b89e9d1caaa3d8677