Analysis

  • max time kernel
    153s
  • platform
    ubuntu-18.04_amd64
  • resource
    ubuntu1804-amd64-20221125-en
  • resource tags

    arch:amd64, arch:i386, image:ubuntu1804-amd64-20221125-en, kernel:4.15.0-161-generic, locale:en-us, os:ubuntu-18.04-amd64, system
  • submitted
    09-05-2023 04:53

General

  • Target

    server.out

  • Size

    15KB

  • MD5

    4e0a5548d669fb559fc9557c29d1300d

  • SHA1

    20c475d06b77ea4078db08814acebc6c9d8a47ca

  • SHA256

    b69738c655dee0071b1ce37ab5227018ebce01ba5e90d28bd82d63c46e9e63a4

  • SHA512

    7f128a3110bea36b22a3f784b991f0a4b44f2c01a5df837ac0badb3742f8da742f0bd971fa492829db413c9f69b6dd8c64ec6934b33da4ef11d0025522878dbb

  • SSDEEP

    192:GflaEbxJEYalA9qF9Aig5B7PNTa8EBiB6hygBCyftVm5cmF4tGEApxn:3UClA9kxg/FTyUM4gBCyftV2342px

Score
7/10

Malware Config

Signatures

  • Creates/modifies Cron job (1 TTPs, 1 IoCs)

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

  • Executes dropped EXE (1 IoCs)
  • Reads runtime system information (1 IoCs)

    Reads data from /proc virtual filesystem.

  • Writes file to tmp directory (1 IoCs)

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/server.out
    /tmp/server.out
    1⤵
    • Writes file to tmp directory
    PID:595
    • /tmp/socks5.sh
      /tmp/socks5.sh
      2⤵
      • Executes dropped EXE
      PID:596
      • crontab
        crontab -
        3⤵
        • Creates/modifies Cron job
        PID:598
      • rm
        rm -rf /tmp/socks5.sh
        3⤵
        PID:600
      • cat
        cat /dev/fd/63 /dev/fd/62
        3⤵
        PID:597
  • sed
    sed /socks5_backconnect777/d /dev/fd/62
    1⤵
    • Reads runtime system information
    PID:603
  • crontab
    crontab -l
    1⤵
    PID:604

Network

MITRE ATT&CK Enterprise v6


Downloads

  • /tmp/socks5.sh

    Filesize

    200B

    MD5

    c7633fc3d5c9fd11a808d417f3c20fe9

    SHA1

    a3fca1a5cd8619e1eecc532b42dd5ec3a68ae2f7

    SHA256

    6c4668b770274cf679f6a8781c11d9df3b766325ee19b03ba780192e3a313493

    SHA512

    369c7be63ac24f3a94516671f1d8d4e61b1f2df4af59eee0c034d069c787d41c7e60321be0f31226a4fc047f606fcf22ce3ae8566b5918d75da36c7e1e1382c7

  • /var/spool/cron/crontabs/tmp.6NMYo8

    Filesize

    253B

    MD5

    18bd7dcd396c365c84d3630d78db6325

    SHA1

    5444cee7cb1b6df34b58a63dddc2a6deee679606

    SHA256

    8ecc1e4f1484d9c58638c54d7ce7f5346f676ee1087998c0a380242f702c4aaf

    SHA512

    bcfc39430e1ee1ef148fe35b26fababdae1aa47e062a6068f79b096eb3ea3d160488b7f48e19d40198c81344932437c017831ccce1a3a4d0c080a9751b6cd1d1