Overview

Score  Target               Platform
10     Static               static
10     server.exe           windows7-x64
8      server.exe           windows10-2004-x64
8      server.out           ubuntu-18.04-amd64
7      socks.out            ubuntu-18.04-amd64
7      www/system...ip2.js  windows7-x64
1      www/system...ip2.js  windows10-2004-x64
1      www/system...x.html  windows7-x64
1      www/system...x.html  windows10-2004-x64
1      www/system...ord.js  windows7-x64
1      www/system...ord.js  windows10-2004-x64

Analysis
- max time kernel: 6s
- max time network: 8s
- platform: ubuntu-18.04_amd64
- resource: ubuntu1804-amd64-20221111-en
- resource tags: arch:amd64, arch:i386, image:ubuntu1804-amd64-20221111-en, kernel:4.15.0-161-generic, locale:en-us, os:ubuntu-18.04-amd64, system
- submitted: 09-05-2023 04:53
Behavioral tasks

Task          Sample                          Resource
behavioral1   server.exe                      win7-20230220-en
behavioral2   server.exe                      win10v2004-20230220-en
behavioral3   server.out                      ubuntu1804-amd64-20221125-en
behavioral4   socks.out                       ubuntu1804-amd64-20221111-en
behavioral5   www/systembc/geoip/geoip2.js    win7-20230220-en
behavioral6   www/systembc/geoip/geoip2.js    win10v2004-20230220-en
behavioral7   www/systembc/index.html         win7-20230220-en
behavioral8   www/systembc/index.html         win10v2004-20230220-en
behavioral9   www/systembc/password.js        win7-20230220-en
behavioral10  www/systembc/password.js        win10v2004-20230220-en
General
- Target: socks.out
- Size: 6KB
- MD5: 345b602eef289ed62c556690a99038a2
- SHA1: 7dd9def613ae3aa30f66326cb9ad724431ac69de
- SHA256: 5da486c1d5024f144333032ffbeae9f8e6de951f6633791861055564952ee779
- SHA512: 1066d90edecea83f1773169a0d7d6a0635904ff284c83d0ca9fc04751b967795b2e68ffb636350dc7697e05298ce0e82af0dad23e27a05843af07a094491e0b9
- SSDEEP: 96:GRSSjU6eW+vxLCFCOE7JV4Gix/5UB/bEbZ4hrClAcrOX/YLHZHPst/8+CyA:G/+MMOEgGo/5GE99k
Malware Config
Signatures
- Creates/modifies Cron job (1 TTPs, 1 IoCs)
  Cron allows running tasks on a schedule, and is commonly used for malware persistence.
  Process: crontab
  Description: File opened for modification
  IoC: /var/spool/cron/crontabs/tmp.lgbhNX
- Executes dropped EXE (1 IoCs)
  Process: socks5.sh (PID 600)
- Reads runtime system information (1 IoCs)
  Reads data from the /proc virtual filesystem.
  Process: sed
  Description: File opened for reading
  IoC: /proc/filesystems
- Writes file to tmp directory (1 IoCs)
  Malware often drops required files in the /tmp directory.
  Process: socks.out
  Description: File opened for modification
  IoC: /tmp/socks5.sh
Processes
- /tmp/socks.out [1]
  Command line: /tmp/socks.out
  Signatures: Writes file to tmp directory
- /tmp/socks5.sh [2]
  Command line: /tmp/socks5.sh
  Signatures: Executes dropped EXE
- crontab [3]
  Command line: crontab -
  Signatures: Creates/modifies Cron job
- cat [3]
  Command line: cat /dev/fd/63 /dev/fd/62
- sed [1]
  Command line: sed /socks5_backconnect666/d /dev/fd/62
  Signatures: Reads runtime system information
- crontab [1]
  Command line: crontab -l
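The children of /tmp/socks5.sh in the tree above (crontab -l, sed /socks5_backconnect666/d on a /dev/fd/6x descriptor, cat /dev/fd/63 /dev/fd/62, then crontab -) have the shape of a shell script that rewrites the current user's crontab through process substitution: list the existing crontab, drop any line carrying its own marker, append a fresh entry, and pipe the result back into crontab -. The dropped script's content is not shown in this report, so that reading is an inference from the process tree, not a fact the report states. What a responder wants at this point is a quick way to find such entries on a host. The following is an added example, not part of the report and not code from the sample: a POSIX shell audit that flags crontab lines which execute from world-writable temp directories or carry the socks5_backconnect666 marker seen in the sed argument. The sample crontab text is constructed for the demonstration; the spool directories searched by audit_all_crontabs are the Debian/Ubuntu path used by this report's IoC (/var/spool/cron/crontabs) and the RHEL-style /var/spool/cron.

```shell
#!/bin/sh
# Added example (not from the sandbox report): audit crontab text for
# entries typical of the cron persistence observed in the process tree.

# Constructed sample crontab. This is NOT the content of the dropped
# /var/spool/cron/crontabs/tmp.lgbhNX file, which the report does not show.
SAMPLE_CRONTAB='# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh
@reboot /tmp/socks.out
* * * * * /tmp/socks5.sh >/dev/null 2>&1 # socks5_backconnect666'

# Reads crontab text on stdin and prints the lines that (a) are not
# comments and (b) either run a program from a world-writable temp
# directory or contain the marker string the dropper's sed expression
# deletes before reinstalling its entry.
flag_cron_lines() {
    grep -v '^[[:space:]]*#' \
        | grep -E '(^|[[:space:]])(/tmp|/var/tmp|/dev/shm)/|socks5_backconnect666'
}

# Returns the number of flagged lines in the crontab text given as $1.
count_flagged() {
    printf '%s\n' "$1" | flag_cron_lines | wc -l | tr -d ' '
}

# Live audit of every user's crontab on the host (needs root to read the
# spool). Prints "username: line" for each flagged entry.
audit_all_crontabs() {
    for d in /var/spool/cron/crontabs /var/spool/cron; do
        [ -d "$d" ] || continue
        for f in "$d"/*; do
            [ -f "$f" ] || continue
            flag_cron_lines < "$f" | sed "s|^|$(basename "$f"): |"
        done
    done
}

# Stand-alone run: show the two suspicious lines from the constructed sample.
printf '%s\n' "$SAMPLE_CRONTAB" | flag_cron_lines
```

Running audit_all_crontabs on a live host complements the file hash IoCs below: the dropped crontab is written to a temporary name under the spool (tmp.lgbhNX) and then renamed by crontab itself, so the file a responder finds is named after the user, not the temporary name in the report, and its hash will not match if the script was re-run with a different entry.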
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- /tmp/socks5.sh
  Filesize: 175B
  MD5: c713e566e25fce6da2854e042f47f6e8
  SHA1: 8b90244d2bbd5ad452b47439b9f13ba2c2a8cd7d
  SHA256: 5a1fb39fd13d1af10900fe08459b64dd621d84a4797eb3c8b8949f90b947b9de
  SHA512: 92375b0a8afec222a2959fb3960a6acb733d08bba0a4524559610717627538768eba9ac55c98563033f74e350269c905ca447f58cdec5e33116548af9548b00f
- /var/spool/cron/crontabs/tmp.lgbhNX
  Filesize: 252B
  MD5: 1bff4e80305059644468b6bac3e17f15
  SHA1: b69797c171273625f49dc6bf80cb461a901e3997
  SHA256: a4be96d8853e7e873d38c6e2ac7af59ab4d1af5148e4211cbe0737c310cb81d4
  SHA512: 9b17ee9c177a0abcaf60c7db09b975554e0a8abbbb97e7da66eeb741f71a2a959f5f0da336c7b107a2be2039aefad446bf665599398dd2bbc32561f2174212c4