Overview

Overall score: 10

Task                   Platform             Score
Static                 -                    10
server.exe             windows7-x64         8
server.exe             windows10-2004-x64   8
server.out             ubuntu-18.04-amd64   7
socks32_tor.dll        windows7-x64         8
socks32_tor.dll        windows10-2004-x64   8
socks_tor.exe          windows7-x64         10
socks_tor.exe          windows10-2004-x64   10
www/system...ip2.js    windows7-x64         1
www/system...ip2.js    windows10-2004-x64   1
www/system...x.html    windows7-x64         1
www/system...x.html    windows10-2004-x64   1
www/system...ord.js    windows7-x64         1
www/system...ord.js    windows10-2004-x64   1

Analysis
max time kernel:   154s
max time network:  102s
platform:          linux_amd64
resource:          ubuntu1804-amd64-en-20211208
resource tags:     arch:amd64, arch:i386, image:ubuntu1804-amd64-en-20211208, kernel:4.15.0-161-generic, locale:en-us, os:ubuntu-18.04-amd64, system
submitted:         09-05-2023 04:53
Behavioral tasks

Task           Sample                           Resource
behavioral1    server.exe                       win7-20230220-en
behavioral2    server.exe                       win10v2004-20230220-en
behavioral3    server.out                       ubuntu1804-amd64-en-20211208
behavioral4    socks32_tor.dll                  win7-20230220-en
behavioral5    socks32_tor.dll                  win10v2004-20230220-en
behavioral6    socks_tor.exe                    win7-20230220-en
behavioral7    socks_tor.exe                    win10v2004-20230220-en
behavioral8    www/systembc/geoip/geoip2.js     win7-20230220-en
behavioral9    www/systembc/geoip/geoip2.js     win10v2004-20230221-en
behavioral10   www/systembc/index.html          win7-20230220-en
behavioral11   www/systembc/index.html          win10v2004-20230220-en
behavioral12   www/systembc/password.js         win7-20230220-en
behavioral13   www/systembc/password.js         win10v2004-20230220-en
General

Target:   server.out
Size:     15KB
MD5:      4e0a5548d669fb559fc9557c29d1300d
SHA1:     20c475d06b77ea4078db08814acebc6c9d8a47ca
SHA256:   b69738c655dee0071b1ce37ab5227018ebce01ba5e90d28bd82d63c46e9e63a4
SHA512:   7f128a3110bea36b22a3f784b991f0a4b44f2c01a5df837ac0badb3742f8da742f0bd971fa492829db413c9f69b6dd8c64ec6934b33da4ef11d0025522878dbb
SSDEEP:   192:GflaEbxJEYalA9qF9Aig5B7PNTa8EBiB6hygBCyftVm5cmF4tGEApxn:3UClA9kxg/FTyUM4gBCyftV2342px
Malware Config
Signatures

Creates/modifies Cron job (1 TTPs, 1 IoCs)
  Cron allows running tasks on a schedule, and is commonly used for malware persistence.
  Processes:
    description                     ioc                                    process
    File opened for modification    /var/spool/cron/crontabs/tmp.rPSzjx    crontab

Executes dropped EXE (1 IoCs)
  Dropped executable: socks5.sh
  Processes:
    pid    process
    576    socks5.sh

Reads runtime system information (1 IoCs)
  Reads data from /proc virtual filesystem.
  Processes:
    description                ioc                  process
    File opened for reading    /proc/filesystems    sed

Writes file to tmp directory (1 IoCs)
  Malware often drops required files in the /tmp directory.
  Processes:
    description                     ioc               process
    File opened for modification    /tmp/socks5.sh    server.out
Processes

Depth   Process            Command line                                   PID
1       /tmp/server.out    /tmp/server.out                                575
        - Writes file to tmp directory
2       /tmp/socks5.sh     /tmp/socks5.sh                                 576
        - Executes dropped EXE
3       crontab            crontab -                                      578
        - Creates/modifies Cron job
3       rm                 rm -rf /tmp/socks5.sh                          580
3       cat                cat /dev/fd/63 /dev/fd/62                      577
1       sed                sed /socks5_backconnect777/d /dev/fd/62        583
        - Reads runtime system information
1       crontab            crontab -l                                     584
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize:  200B
MD5:       c7633fc3d5c9fd11a808d417f3c20fe9
SHA1:      a3fca1a5cd8619e1eecc532b42dd5ec3a68ae2f7
SHA256:    6c4668b770274cf679f6a8781c11d9df3b766325ee19b03ba780192e3a313493
SHA512:    369c7be63ac24f3a94516671f1d8d4e61b1f2df4af59eee0c034d069c787d41c7e60321be0f31226a4fc047f606fcf22ce3ae8566b5918d75da36c7e1e1382c7

Filesize:  253B
MD5:       2ccb7c92315681d496385384c7f998c4
SHA1:      5b2baff7c4a9fd8e7ee3857932ded50060e997e3
SHA256:    d36ef9d046aa46e8966784b7cb4ee7cf00778215de50a9830cca8c9375449912
SHA512:    27366cb20280d394a3837bfc54fd2c41f20883cdbb9080599b57283e4efe2210c61116440ff0b9a217adcf8ce8298dd1f47347449c826a8f2dbc483952a400cd