09cdd0b6cb6e82f205f3ad4a6c098b6c5e84667d061026d3011b58c45bff335a

Analysis

max time kernel
126s
max time network
37s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20221111-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20221111-enkernel:4.15.0-161-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
13/05/2023, 11:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

iuwtfnzxxw
Size

611KB
MD5

d6bc45adaed51fe171e6b9f46dbe28e6
SHA1

17ef90985c369629150c79608167ee758180f2df
SHA256

09cdd0b6cb6e82f205f3ad4a6c098b6c5e84667d061026d3011b58c45bff335a
SHA512

fba9e72362fd1b0c799928d8d1eb43d9135eceb9c86f8e9c9632328c944dee5eb57eb1ae2fe6e4a429ab437355be0c0e2977af0652f88649e140b313ec6e5ada
SSDEEP

12288:FBXOvdwV1/n/dQFhWlH/c1dHo4h9L+zNZrrUT6yF8EEP4UlUuTh1AE:FBXmkN/+Fhu/Qo4h9L+zNNUBVEBl/91t

Score

9^/10

antivm persistence

Malware Config

Signatures

Attempts to identify hypervisor via CPU configuration 1 TTPs 1 IoCs

Checks CPU information for indicators that the system is a virtual machine.

antivm

Virtualization/Sandbox Evasion

T1497

description	ioc
File opened for reading	/proc/cpuinfo

Creates/modifies Cron job 1 TTPs 2 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

persistence

Scheduled Task

T1053

description	ioc	Process
File opened for modification	/etc/cron.hourly/gcc.sh	Process not Found
File opened for modification	/etc/crontab	sh

Enumerates active TCP sockets 1 TTPs 1 IoCs

Gets active TCP sockets from /proc virtual filesystem.

System Network Connections Discovery

T1049

description	ioc
File opened for reading	/proc/net/tcp

Executes dropped EXE 26 IoCs

pid	Process
624	update-rc.d
627	idrrfcpwyd
630	idrrfcpwyd
633	nalmozqcux
636	cqutjdmfgc
640	cqutjdmfgc
643	korigdrujo
646	korigdrujo
649	omzfvspzjx
652	grfimuatxe
656	Process not Found
659	Process not Found
662	Process not Found
665	Process not Found
668	Process not Found
671	Process not Found
674	Process not Found
677	Process not Found
680	Process not Found
683	Process not Found
688	Process not Found
691	Process not Found
693	Process not Found
696	Process not Found
700	Process not Found
703	Process not Found

Modifies init.d 1 TTPs 1 IoCs

Adds/modifies system service, likely for persistence.

persistence

Boot or Logon Autostart Execution

T1547

description	ioc
File opened for modification	/etc/init.d/iuwtfnzxxw

Write file to user bin folder 1 TTPs 6 IoCs

Hijack Execution Flow

T1574

description	ioc
File opened for modification	/usr/bin/omzfvspzjx
File opened for modification	/usr/bin/grfimuatxe
File opened for modification	/usr/bin/idrrfcpwyd
File opened for modification	/usr/bin/nalmozqcux
File opened for modification	/usr/bin/cqutjdmfgc
File opened for modification	/usr/bin/korigdrujo

Reads system network configuration 1 TTPs 1 IoCs

Uses contents of /proc filesystem to enumerate network settings.

System Network Configuration Discovery

T1016

description	ioc
File opened for reading	/proc/net/tcp

Reads runtime system information 55 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/meminfo	Process not Found
File opened for reading	/proc/626/fd	Process not Found
File opened for reading	/proc/679/fd	Process not Found
File opened for reading	/proc/294/fd	Process not Found
File opened for reading	/proc/295/fd	Process not Found
File opened for reading	/proc/335/fd	Process not Found
File opened for reading	/proc/667/fd	Process not Found
File opened for reading	/proc/697/fd	Process not Found
File opened for reading	/proc/333/fd	Process not Found
File opened for reading	/proc/658/fd	Process not Found
File opened for reading	/proc/rs_dev	Process not Found
File opened for reading	/proc/1/sched	systemctl
File opened for reading	/proc/587/fd	Process not Found
File opened for reading	/proc/684/fd	Process not Found
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/635/fd	Process not Found
File opened for reading	/proc/673/fd	Process not Found
File opened for reading	/proc/664/fd	Process not Found
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/364/fd	Process not Found
File opened for reading	/proc/427/fd	Process not Found
File opened for reading	/proc/454/fd	Process not Found
File opened for reading	/proc/661/fd	Process not Found
File opened for reading	/proc/340/fd	Process not Found
File opened for reading	/proc/694/fd	Process not Found
File opened for reading	/proc/stat	Process not Found
File opened for reading	/proc/233/fd	Process not Found
File opened for reading	/proc/253/fd	Process not Found
File opened for reading	/proc/357/fd	Process not Found
File opened for reading	/proc/699/fd	Process not Found
File opened for reading	/proc/690/fd	Process not Found
File opened for reading	/proc/648/fd	Process not Found
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/sys/kernel/osrelease	systemctl
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/348/fd	Process not Found
File opened for reading	/proc/629/fd	Process not Found
File opened for reading	/proc/604/fd	Process not Found
File opened for reading	/proc/682/fd	Process not Found
File opened for reading	/proc/642/fd	Process not Found
File opened for reading	/proc/701/fd	Process not Found
File opened for reading	/proc/341/fd	Process not Found
File opened for reading	/proc/669/fd	Process not Found
File opened for reading	/proc/653/fd	Process not Found
File opened for reading	/proc/676/fd	Process not Found
File opened for reading	/proc/1/fd	Process not Found
File opened for reading	/proc/371/fd	Process not Found
File opened for reading	/proc/428/fd	Process not Found
File opened for reading	/proc/632/fd	Process not Found
File opened for reading	/proc/651/fd	Process not Found
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/349/fd	Process not Found
File opened for reading	/proc/453/fd	Process not Found
File opened for reading	/proc/566/fd	Process not Found
File opened for reading	/proc/637/fd	Process not Found

/tmp/iuwtfnzxxw
/tmp/iuwtfnzxxw
1⤵
PID:592

sh
sh -c "sed -i '/\\/etc\\/cron.hourly\\/gcc.sh/d' /etc/crontab && echo '*/3 * * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab"
1⤵
- Creates/modifies Cron job
PID:598
- sed
  sed -i "/\\/etc\\/cron.hourly\\/gcc.sh/d" /etc/crontab
  2⤵
  - Reads runtime system information
  PID:599

chkconfig
chkconfig --add iuwtfnzxxw
1⤵
PID:595

chkconfig
chkconfig --add iuwtfnzxxw
1⤵
PID:595

chkconfig
chkconfig --add iuwtfnzxxw
1⤵
PID:595

chkconfig
chkconfig --add iuwtfnzxxw
1⤵
PID:595

chkconfig
chkconfig --add iuwtfnzxxw
1⤵
PID:595

chkconfig
chkconfig --add iuwtfnzxxw
1⤵
PID:595

chkconfig
chkconfig --add iuwtfnzxxw
1⤵
PID:595

update-rc.d
update-rc.d iuwtfnzxxw defaults
1⤵
PID:597

update-rc.d
update-rc.d iuwtfnzxxw defaults
1⤵
PID:597

update-rc.d
update-rc.d iuwtfnzxxw defaults
1⤵
PID:597

update-rc.d
update-rc.d iuwtfnzxxw defaults
1⤵
- Executes dropped EXE
PID:597
- systemctl
  systemctl daemon-reload
  2⤵
  - Reads runtime system information
  PID:603

/usr/bin/idrrfcpwyd
/usr/bin/idrrfcpwyd "route -n" 593
1⤵
PID:624

/usr/bin/idrrfcpwyd
/usr/bin/idrrfcpwyd "ifconfig eth0" 593
1⤵
- Executes dropped EXE
PID:627

/usr/bin/idrrfcpwyd
/usr/bin/idrrfcpwyd top 593
1⤵
PID:630

/usr/bin/idrrfcpwyd
/usr/bin/idrrfcpwyd bash 593
1⤵
PID:633

/usr/bin/idrrfcpwyd
/usr/bin/idrrfcpwyd ls 593
1⤵
- Executes dropped EXE
PID:636

/usr/bin/nalmozqcux
/usr/bin/nalmozqcux "ifconfig eth0" 593
1⤵
PID:640

/usr/bin/nalmozqcux
/usr/bin/nalmozqcux whoami 593
1⤵
PID:643

/usr/bin/nalmozqcux
/usr/bin/nalmozqcux ifconfig 593
1⤵
- Executes dropped EXE
PID:646

/usr/bin/nalmozqcux
/usr/bin/nalmozqcux "ps -ef" 593
1⤵
PID:649

/usr/bin/nalmozqcux
/usr/bin/nalmozqcux ls 593
1⤵
PID:652

/usr/bin/cqutjdmfgc
/usr/bin/cqutjdmfgc id 593
1⤵
- Executes dropped EXE
PID:656

/usr/bin/cqutjdmfgc
/usr/bin/cqutjdmfgc "netstat -antop" 593
1⤵
PID:659

/usr/bin/cqutjdmfgc
/usr/bin/cqutjdmfgc "route -n" 593
1⤵
PID:662

/usr/bin/cqutjdmfgc
/usr/bin/cqutjdmfgc gnome-terminal 593
1⤵
- Executes dropped EXE
PID:665

/usr/bin/cqutjdmfgc
/usr/bin/cqutjdmfgc who 593
1⤵
PID:668

/usr/bin/korigdrujo
/usr/bin/korigdrujo bash 593
1⤵
PID:671

/usr/bin/korigdrujo
/usr/bin/korigdrujo "echo \"find\"" 593
1⤵
- Executes dropped EXE
PID:674

/usr/bin/korigdrujo
/usr/bin/korigdrujo id 593
1⤵
PID:677

/usr/bin/korigdrujo
/usr/bin/korigdrujo uptime 593
1⤵
PID:680

/usr/bin/korigdrujo
/usr/bin/korigdrujo "grep \"A\"" 593
1⤵
- Executes dropped EXE
PID:683

/usr/bin/omzfvspzjx
/usr/bin/omzfvspzjx su 593
1⤵
PID:688

/usr/bin/omzfvspzjx
/usr/bin/omzfvspzjx "echo \"find\"" 593
1⤵
PID:691

/usr/bin/omzfvspzjx
/usr/bin/omzfvspzjx id 593
1⤵
- Executes dropped EXE
PID:693

/usr/bin/omzfvspzjx
/usr/bin/omzfvspzjx "cd /etc" 593
1⤵
PID:696

/usr/bin/omzfvspzjx
/usr/bin/omzfvspzjx "ifconfig eth0" 593
1⤵
PID:700

/usr/bin/grfimuatxe
/usr/bin/grfimuatxe su 593
1⤵
- Executes dropped EXE
PID:703

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Scheduled Task

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Scheduled Task

T1053

Defense Evasion

Hijack Execution Flow

T1574

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

System Network Configuration Discovery

T1016

System Network Connections Discovery

T1049

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/cron.hourly/gcc.sh

Filesize
228B

MD5
3bab747cedc5f0ebe86aaa7f982470cd

SHA1
3c7d1c6931c2b3dae39d38346b780ea57c8e6142

SHA256
74d31cac40d98ee64df2a0c29ceb229d12ac5fa699c2ee512fc69360f0cf68c5

SHA512
21e8a6d9ca8531d37def83d8903e5b0fa11ecf33d85d05edab1e0feb4acac65ae2cf5222650fb9f533f459ccc51bb2903276ff6f827b847cc5e6dac7d45a0a42

Download Submit
/etc/init.d/iuwtfnzxxw

Filesize
315B

MD5
56ec90f6f7e9a6677a0d120d434864c4

SHA1
ed7dd9c4b58e8d88a97c81c7c6891689d36e67b6

SHA256
71408615bd8d2c2071b58a227d95d390880ae3f642ad2fea0bf9e293857f8ff3

SHA512
f477968d81e82ac7f8f05554b4b9f3a6b73c780d497f485c425340ea354585333965132f79f4651f98cf17145083d4b52316f97eb9151c08c1dbb8c9c5046843

Download Submit
/etc/sedp7RKt3

Filesize
722B

MD5
8f111d100ea459f68d333d63a8ef2205

SHA1
077ca9c46a964de67c0f7765745d5c6f9e2065c3

SHA256
0e5c204385b21e15b031c83f37212bf5a4ee77b51762b7b54bd6ad973ebdf354

SHA512
d81767b47fb84aaf435f930356ded574ee9825ec710a2e7c26074860d8a385741d65572740137b6f9686c285a32e2951ca933393b266746988f1737aad059adb

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads