Analysis

  • max time kernel
    126s
  • max time network
    37s
  • platform
    ubuntu-18.04_amd64
  • resource
    ubuntu1804-amd64-20221111-en
  • resource tags

    arch:amd64, arch:i386, image:ubuntu1804-amd64-20221111-en, kernel:4.15.0-161-generic, locale:en-us, os:ubuntu-18.04-amd64, system
  • submitted
    13-05-2023 11:02

General

  • Target

    iuwtfnzxxw

  • Size

    611KB

  • MD5

    d6bc45adaed51fe171e6b9f46dbe28e6

  • SHA1

    17ef90985c369629150c79608167ee758180f2df

  • SHA256

    09cdd0b6cb6e82f205f3ad4a6c098b6c5e84667d061026d3011b58c45bff335a

  • SHA512

    fba9e72362fd1b0c799928d8d1eb43d9135eceb9c86f8e9c9632328c944dee5eb57eb1ae2fe6e4a429ab437355be0c0e2977af0652f88649e140b313ec6e5ada

  • SSDEEP

    12288:FBXOvdwV1/n/dQFhWlH/c1dHo4h9L+zNZrrUT6yF8EEP4UlUuTh1AE:FBXmkN/+Fhu/Qo4h9L+zNNUBVEBl/91t

Score
9/10

Malware Config

Signatures

  • Attempts to identify hypervisor via CPU configuration 1 TTPs 1 IoCs

    Checks CPU information for indicators that the system is a virtual machine.

  • Creates/modifies Cron job 1 TTPs 2 IoCs

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

  • Enumerates active TCP sockets 1 TTPs 1 IoCs

    Gets active TCP sockets from /proc virtual filesystem.

  • Executes dropped EXE 26 IoCs
  • Modifies init.d 1 TTPs 1 IoCs

    Adds/modifies system service, likely for persistence.

  • Write file to user bin folder 1 TTPs 6 IoCs
  • Reads system network configuration 1 TTPs 1 IoCs

    Uses contents of /proc filesystem to enumerate network settings.

  • Reads runtime system information 55 IoCs

    Reads data from /proc virtual filesystem.

Processes

  • /tmp/iuwtfnzxxw
    /tmp/iuwtfnzxxw
    1⤵
    PID:592
    • sh
      sh -c "sed -i '/\\/etc\\/cron.hourly\\/gcc.sh/d' /etc/crontab && echo '*/3 * * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab"
      1⤵
      • Creates/modifies Cron job
      PID:598
      • sed
        sed -i "/\\/etc\\/cron.hourly\\/gcc.sh/d" /etc/crontab
        2⤵
        • Reads runtime system information
        PID:599
    • chkconfig
      chkconfig --add iuwtfnzxxw
      1⤵
      PID:595
    • update-rc.d
      update-rc.d iuwtfnzxxw defaults
      1⤵
      • Executes dropped EXE
      PID:597
      • systemctl
        systemctl daemon-reload
        2⤵
        • Reads runtime system information
        PID:603
    • /usr/bin/idrrfcpwyd
      /usr/bin/idrrfcpwyd "route -n" 593
      1⤵
      PID:624
    • /usr/bin/idrrfcpwyd
      /usr/bin/idrrfcpwyd "ifconfig eth0" 593
      1⤵
      • Executes dropped EXE
      PID:627
    • /usr/bin/idrrfcpwyd
      /usr/bin/idrrfcpwyd top 593
      1⤵
      PID:630
    • /usr/bin/idrrfcpwyd
      /usr/bin/idrrfcpwyd bash 593
      1⤵
      PID:633
    • /usr/bin/idrrfcpwyd
      /usr/bin/idrrfcpwyd ls 593
      1⤵
      • Executes dropped EXE
      PID:636
    • /usr/bin/nalmozqcux
      /usr/bin/nalmozqcux "ifconfig eth0" 593
      1⤵
      PID:640
    • /usr/bin/nalmozqcux
      /usr/bin/nalmozqcux whoami 593
      1⤵
      PID:643
    • /usr/bin/nalmozqcux
      /usr/bin/nalmozqcux ifconfig 593
      1⤵
      • Executes dropped EXE
      PID:646
    • /usr/bin/nalmozqcux
      /usr/bin/nalmozqcux "ps -ef" 593
      1⤵
      PID:649
    • /usr/bin/nalmozqcux
      /usr/bin/nalmozqcux ls 593
      1⤵
      PID:652
    • /usr/bin/cqutjdmfgc
      /usr/bin/cqutjdmfgc id 593
      1⤵
      • Executes dropped EXE
      PID:656
    • /usr/bin/cqutjdmfgc
      /usr/bin/cqutjdmfgc "netstat -antop" 593
      1⤵
      PID:659
    • /usr/bin/cqutjdmfgc
      /usr/bin/cqutjdmfgc "route -n" 593
      1⤵
      PID:662
    • /usr/bin/cqutjdmfgc
      /usr/bin/cqutjdmfgc gnome-terminal 593
      1⤵
      • Executes dropped EXE
      PID:665
    • /usr/bin/cqutjdmfgc
      /usr/bin/cqutjdmfgc who 593
      1⤵
      PID:668
    • /usr/bin/korigdrujo
      /usr/bin/korigdrujo bash 593
      1⤵
      PID:671
    • /usr/bin/korigdrujo
      /usr/bin/korigdrujo "echo \"find\"" 593
      1⤵
      • Executes dropped EXE
      PID:674
    • /usr/bin/korigdrujo
      /usr/bin/korigdrujo id 593
      1⤵
      PID:677
    • /usr/bin/korigdrujo
      /usr/bin/korigdrujo uptime 593
      1⤵
      PID:680
    • /usr/bin/korigdrujo
      /usr/bin/korigdrujo "grep \"A\"" 593
      1⤵
      • Executes dropped EXE
      PID:683
    • /usr/bin/omzfvspzjx
      /usr/bin/omzfvspzjx su 593
      1⤵
      PID:688
    • /usr/bin/omzfvspzjx
      /usr/bin/omzfvspzjx "echo \"find\"" 593
      1⤵
      PID:691
    • /usr/bin/omzfvspzjx
      /usr/bin/omzfvspzjx id 593
      1⤵
      • Executes dropped EXE
      PID:693
    • /usr/bin/omzfvspzjx
      /usr/bin/omzfvspzjx "cd /etc" 593
      1⤵
      PID:696
    • /usr/bin/omzfvspzjx
      /usr/bin/omzfvspzjx "ifconfig eth0" 593
      1⤵
      PID:700
    • /usr/bin/grfimuatxe
      /usr/bin/grfimuatxe su 593
      1⤵
      • Executes dropped EXE
      PID:703

Network

MITRE ATT&CK Enterprise v6


Downloads

  • /etc/cron.hourly/gcc.sh

    Filesize
    228B

    MD5
    3bab747cedc5f0ebe86aaa7f982470cd

    SHA1
    3c7d1c6931c2b3dae39d38346b780ea57c8e6142

    SHA256
    74d31cac40d98ee64df2a0c29ceb229d12ac5fa699c2ee512fc69360f0cf68c5

    SHA512
    21e8a6d9ca8531d37def83d8903e5b0fa11ecf33d85d05edab1e0feb4acac65ae2cf5222650fb9f533f459ccc51bb2903276ff6f827b847cc5e6dac7d45a0a42

  • /etc/init.d/iuwtfnzxxw

    Filesize
    315B

    MD5
    56ec90f6f7e9a6677a0d120d434864c4

    SHA1
    ed7dd9c4b58e8d88a97c81c7c6891689d36e67b6

    SHA256
    71408615bd8d2c2071b58a227d95d390880ae3f642ad2fea0bf9e293857f8ff3

    SHA512
    f477968d81e82ac7f8f05554b4b9f3a6b73c780d497f485c425340ea354585333965132f79f4651f98cf17145083d4b52316f97eb9151c08c1dbb8c9c5046843

  • /etc/sedp7RKt3

    Filesize
    722B

    MD5
    8f111d100ea459f68d333d63a8ef2205

    SHA1
    077ca9c46a964de67c0f7765745d5c6f9e2065c3

    SHA256
    0e5c204385b21e15b031c83f37212bf5a4ee77b51762b7b54bd6ad973ebdf354

    SHA512
    d81767b47fb84aaf435f930356ded574ee9825ec710a2e7c26074860d8a385741d65572740137b6f9686c285a32e2951ca933393b266746988f1737aad059adb