Analysis Overview
SHA256
1204391f97b3ca1145b15689fe2185ac4b7aaee7c7108072f00b2efa42638174
Threat Level: Known bad
The file 3d375d0ead2b63168de86ca2649360d9dcff75b3e0ffa2cf1e50816ec92b3b7d.zip was found to be: Known bad.
Malicious Activity Summary
Sodinokibi family
Sodinokibi/Revil Elf
Reads CPU attributes
Reads runtime system information
Writes file to tmp directory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-05-03 14:49
Signatures
Sodinokibi family
Sodinokibi/Revil Elf
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-05-03 14:49
Reported
2023-05-03 14:49
Platform
ubuntu1804-amd64-20221111-en
Max time kernel
3s
Max time network
4s
Command Line
Signatures
Reads CPU attributes
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for reading | /sys/devices/system/cpu/online | pkill | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for reading | /proc/78/cmdline | pkill | N/A |
| File opened for reading | /proc/4/cmdline | pkill | N/A |
| File opened for reading | /proc/19/cmdline | pkill | N/A |
| File opened for reading | /proc/26/status | pkill | N/A |
| File opened for reading | /proc/34/status | pkill | N/A |
| File opened for reading | /proc/36/cmdline | pkill | N/A |
| File opened for reading | /proc/28/status | pkill | N/A |
| File opened for reading | /proc/407/cmdline | pkill | N/A |
| File opened for reading | /proc/593/status | pkill | N/A |
| File opened for reading | /proc/1/status | pkill | N/A |
| File opened for reading | /proc/21/status | pkill | N/A |
| File opened for reading | /proc/169/status | pkill | N/A |
| File opened for reading | /proc/191/status | pkill | N/A |
| File opened for reading | /proc/362/status | pkill | N/A |
| File opened for reading | /proc/1/cmdline | pkill | N/A |
| File opened for reading | /proc/81/cmdline | pkill | N/A |
| File opened for reading | /proc/82/cmdline | pkill | N/A |
| File opened for reading | /proc/355/status | pkill | N/A |
| File opened for reading | /proc/583/status | pkill | N/A |
| File opened for reading | /proc/8/status | pkill | N/A |
| File opened for reading | /proc/25/cmdline | pkill | N/A |
| File opened for reading | /proc/115/status | pkill | N/A |
| File opened for reading | /proc/166/status | pkill | N/A |
| File opened for reading | /proc/368/cmdline | pkill | N/A |
| File opened for reading | /proc/344/status | pkill | N/A |
| File opened for reading | /proc/424/cmdline | pkill | N/A |
| File opened for reading | /proc/31/cmdline | pkill | N/A |
| File opened for reading | /proc/36/status | pkill | N/A |
| File opened for reading | /proc/80/cmdline | pkill | N/A |
| File opened for reading | /proc/155/cmdline | pkill | N/A |
| File opened for reading | /proc/164/status | pkill | N/A |
| File opened for reading | /proc/19/status | pkill | N/A |
| File opened for reading | /proc/30/cmdline | pkill | N/A |
| File opened for reading | /proc/154/cmdline | pkill | N/A |
| File opened for reading | /proc/344/cmdline | pkill | N/A |
| File opened for reading | /proc/362/cmdline | pkill | N/A |
| File opened for reading | /proc/428/status | pkill | N/A |
| File opened for reading | /proc/563/cmdline | pkill | N/A |
| File opened for reading | /proc/5/status | pkill | N/A |
| File opened for reading | /proc/7/cmdline | pkill | N/A |
| File opened for reading | /proc/79/status | pkill | N/A |
| File opened for reading | /proc/159/cmdline | pkill | N/A |
| File opened for reading | /proc/162/status | pkill | N/A |
| File opened for reading | /proc/16/status | pkill | N/A |
| File opened for reading | /proc/26/cmdline | pkill | N/A |
| File opened for reading | /proc/594/status | pkill | N/A |
| File opened for reading | /proc/2/cmdline | pkill | N/A |
| File opened for reading | /proc/32/cmdline | pkill | N/A |
| File opened for reading | /proc/161/cmdline | pkill | N/A |
| File opened for reading | /proc/167/cmdline | pkill | N/A |
| File opened for reading | /proc/191/cmdline | pkill | N/A |
| File opened for reading | /proc/428/cmdline | pkill | N/A |
| File opened for reading | /proc/582/cmdline | pkill | N/A |
| File opened for reading | /proc/586/cmdline | pkill | N/A |
| File opened for reading | /proc/22/cmdline | pkill | N/A |
| File opened for reading | /proc/24/status | pkill | N/A |
| File opened for reading | /proc/82/status | pkill | N/A |
| File opened for reading | /proc/347/cmdline | pkill | N/A |
| File opened for reading | /proc/427/cmdline | pkill | N/A |
| File opened for reading | /proc/85/cmdline | pkill | N/A |
| File opened for reading | /proc/160/status | pkill | N/A |
| File opened for reading | /proc/220/cmdline | pkill | N/A |
| File opened for reading | /proc/10/status | pkill | N/A |
| File opened for reading | /proc/18/cmdline | pkill | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | /tmp/.Test-unix/qoxaq-readme.txt | /tmp/3d375d0ead2b63168de86ca2649360d9dcff75b3e0ffa2cf1e50816ec92b3b7d.elf | N/A |
| File opened for modification | /tmp/.ICE-unix/qoxaq-readme.txt | /tmp/3d375d0ead2b63168de86ca2649360d9dcff75b3e0ffa2cf1e50816ec92b3b7d.elf | N/A |
| File opened for modification | /tmp/systemd-private-05231fcaaee74d259d555d829d744ad3-systemd-resolved.service-zVdWPp/qoxaq-readme.txt | /tmp/3d375d0ead2b63168de86ca2649360d9dcff75b3e0ffa2cf1e50816ec92b3b7d.elf | N/A |
| File opened for modification | /tmp/systemd-private-05231fcaaee74d259d555d829d744ad3-systemd-timedated.service-IAjiNi/tmp/qoxaq-readme.txt | /tmp/3d375d0ead2b63168de86ca2649360d9dcff75b3e0ffa2cf1e50816ec92b3b7d.elf | N/A |
| File opened for modification | /tmp/3d375d0ead2b63168de86ca2649360d9dcff75b3e0ffa2cf1e50816ec92b3b7d.elf | N/A | N/A |
| File opened for modification | /tmp/systemd-private-05231fcaaee74d259d555d829d744ad3-systemd-timesyncd.service-EVlWiO/tmp/qoxaq-readme.txt | /tmp/3d375d0ead2b63168de86ca2649360d9dcff75b3e0ffa2cf1e50816ec92b3b7d.elf | N/A |
| File opened for modification | /tmp/systemd-private-05231fcaaee74d259d555d829d744ad3-systemd-timesyncd.service-EVlWiO/qoxaq-readme.txt | /tmp/3d375d0ead2b63168de86ca2649360d9dcff75b3e0ffa2cf1e50816ec92b3b7d.elf | N/A |
| File opened for modification | /tmp/netplan_6lzywoh5/qoxaq-readme.txt | /tmp/3d375d0ead2b63168de86ca2649360d9dcff75b3e0ffa2cf1e50816ec92b3b7d.elf | N/A |
| File opened for modification | /tmp/qoxaq-readme.txt | /tmp/3d375d0ead2b63168de86ca2649360d9dcff75b3e0ffa2cf1e50816ec92b3b7d.elf | N/A |
| File opened for modification | /tmp/.XIM-unix/qoxaq-readme.txt | /tmp/3d375d0ead2b63168de86ca2649360d9dcff75b3e0ffa2cf1e50816ec92b3b7d.elf | N/A |
| File opened for modification | /tmp/systemd-private-05231fcaaee74d259d555d829d744ad3-systemd-timedated.service-IAjiNi/qoxaq-readme.txt | /tmp/3d375d0ead2b63168de86ca2649360d9dcff75b3e0ffa2cf1e50816ec92b3b7d.elf | N/A |
| File opened for modification | /tmp/.font-unix/qoxaq-readme.txt | /tmp/3d375d0ead2b63168de86ca2649360d9dcff75b3e0ffa2cf1e50816ec92b3b7d.elf | N/A |
| File opened for modification | /tmp/.X11-unix/qoxaq-readme.txt | /tmp/3d375d0ead2b63168de86ca2649360d9dcff75b3e0ffa2cf1e50816ec92b3b7d.elf | N/A |
| File opened for modification | /tmp/systemd-private-05231fcaaee74d259d555d829d744ad3-systemd-resolved.service-zVdWPp/tmp/qoxaq-readme.txt | /tmp/3d375d0ead2b63168de86ca2649360d9dcff75b3e0ffa2cf1e50816ec92b3b7d.elf | N/A |
Processes
/tmp/3d375d0ead2b63168de86ca2649360d9dcff75b3e0ffa2cf1e50816ec92b3b7d.elf
[/tmp/3d375d0ead2b63168de86ca2649360d9dcff75b3e0ffa2cf1e50816ec92b3b7d.elf]
sh
[sh -c uname -a && echo " | " && hostname]
uname
[uname -a]
hostname
[hostname]
sh
[sh -c uname -a && echo " | " && hostname]
uname
[uname -a]
hostname
[hostname]
sh
[sh -c pkill -9 vmx-*]
pkill
[pkill -9 vmx-*]
sh
[sh -c esxcli --formatter=csv --format-param=fields=="WorldID,DisplayName" vm process list | awk -F "\"*,\"*" '{system("esxcli vm process kill --type=force --world-id=" $1)}']
awk
[awk -F "*,"* {system("esxcli vm process kill --type=force --world-id=" $1)}]
Network
Files
/tmp/.Test-unix/qoxaq-readme.txt
| Hash | Value |
| --- | --- |
| MD5 | fa16f8fe9bfae53621cc729aad65b5dc |
| SHA1 | b12944c1673a9c7592a2420e6ba5f06721e0e380 |
| SHA256 | d71419b19aa480db5785d069335cbdeec49acfba1d18b9bf916f177315c10e97 |
| SHA512 | 7862096e561b352f80d26ce9694bf50a1756106660fda6528f09a343d56f3dc314726254cec7e78de2a62f76c63e57310aa2437615c0593b89e9d1caaa3d8677 |