1b02eaa31c6d4993a1083ee69f8fc0c01566a8fdfc8cd67f303a23ca534a4ac5

Analysis

max time kernel
156s
max time network
154s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20231215-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20231215-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
19-12-2023 22:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

157d4eea973b5dc24c15548891c76e78
Size

1.5MB
MD5

157d4eea973b5dc24c15548891c76e78
SHA1

420f0acc0505d392054ec911c2094bb6b9795a99
SHA256

1b02eaa31c6d4993a1083ee69f8fc0c01566a8fdfc8cd67f303a23ca534a4ac5
SHA512

207eacd658ef2cdd4207d74c7d66b9d33d7d68dab93703042e312e6915b87652c6314d61d73e9f04350e004d5edeee84f88b5a7358684572968372779c053aea
SSDEEP

24576:056JIc+TEZhT1gcyq0zQ8uo/Vt774Hph9IVLrRcBKD8snXq:SIVmcyy8uo/Vt7cHpHwG+a

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

ioc	pid	Process
/tmp/dbuspm-session	1600	dbuspm-session

Enumerates running processes
Discovers information about currently running processes on the system

Modifies init.d 1 TTPs 1 IoCs

Adds/modifies system service, likely for persistence.

persistence

Boot or Logon Autostart Execution

T1547

description	ioc	Process
File opened for modification	/etc/init.d/rc.local	sh

Reads system network configuration 1 TTPs 1 IoCs

Uses contents of /proc filesystem to enumerate network settings.

System Network Configuration Discovery

T1016

description	ioc
File opened for reading	/proc/net/dev

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/1346/stat	killall
File opened for reading	/proc/169/stat	killall
File opened for reading	/proc/1197/stat	killall
File opened for reading	/proc/1326/stat	killall
File opened for reading	/proc/1078/stat	killall
File opened for reading	/proc/1162/stat	killall
File opened for reading	/proc/164/stat	killall
File opened for reading	/proc/180/stat	killall
File opened for reading	/proc/1297/cmdline	killall
File opened for reading	/proc/11/stat	killall
File opened for reading	/proc/19/stat	killall
File opened for reading	/proc/1310/stat	killall
File opened for reading	/proc/681/stat	killall
File opened for reading	/proc/957/cmdline	killall
File opened for reading	/proc/1076/stat	killall
File opened for reading	/proc/24/stat	killall
File opened for reading	/proc/35/stat	killall
File opened for reading	/proc/532/stat	killall
File opened for reading	/proc/332/stat	killall
File opened for reading	/proc/332/cmdline	killall
File opened for reading	/proc/174/stat	killall
File opened for reading	/proc/487/stat	killall
File opened for reading	/proc/115/cmdline	killall
File opened for reading	/proc/166/stat	killall
File opened for reading	/proc/447/stat	killall
File opened for reading	/proc/1570/stat	killall
File opened for reading	/proc/177/stat	killall
File opened for reading	/proc/651/cmdline	killall
File opened for reading	/proc/80/stat	killall
File opened for reading	/proc/131/stat	killall
File opened for reading	/proc/1140/stat	killall
File opened for reading	/proc/17/stat	killall
File opened for reading	/proc/79/cmdline	killall
File opened for reading	/proc/548/stat	killall
File opened for reading	/proc/1297/stat	killall
File opened for reading	/proc/1360/cmdline	killall
File opened for reading	/proc/89/stat	killall
File opened for reading	/proc/182/stat	killall
File opened for reading	/proc/1196/cmdline	killall
File opened for reading	/proc/1275/stat	killall
File opened for reading	/proc/1572/stat	killall
File opened for reading	/proc/81/stat	killall
File opened for reading	/proc/1067/cmdline	killall
File opened for reading	/proc/1095/stat	killall
File opened for reading	/proc/1122/stat	killall
File opened for reading	/proc/1136/cmdline	killall
File opened for reading	/proc/85/stat	killall
File opened for reading	/proc/336/stat	killall
File opened for reading	/proc/968/cmdline	killall
File opened for reading	/proc/1594/stat	killall
File opened for reading	/proc/36/cmdline	killall
File opened for reading	/proc/79/stat	killall
File opened for reading	/proc/639/stat	killall
File opened for reading	/proc/1573/stat	killall
File opened for reading	/proc/26/stat	killall
File opened for reading	/proc/30/stat	killall
File opened for reading	/proc/1148/cmdline	killall
File opened for reading	/proc/1304/stat	killall
File opened for reading	/proc/1246/cmdline	killall
File opened for reading	/proc/1363/stat	killall
File opened for reading	/proc/492/stat	killall
File opened for reading	/proc/712/stat	killall
File opened for reading	/proc/18/stat	killall
File opened for reading	/proc/486/stat	killall

Writes file to tmp directory 3 IoCs

Malware often drops required files in the /tmp directory.

description	ioc
File opened for modification	/tmp/dbuspm-session
File opened for modification	/tmp/Meminfo
File opened for modification	/tmp/NetSpeedInfo

/tmp/157d4eea973b5dc24c15548891c76e78
/tmp/157d4eea973b5dc24c15548891c76e78
1⤵
PID:1592

/bin/sh
sh -c "echo 'DDosClient &'>> /etc/init.d/rc.local;echo >> /etc/init.d/rc.local"
1⤵
- Modifies init.d
PID:1596

/bin/sh
sh -c "killall dbuspm-session"
1⤵
PID:1597
- /usr/bin/killall
  killall dbuspm-session
  2⤵
  - Reads runtime system information
  PID:1598

/bin/sh
sh -c "./dbuspm-session /tmp/157d4eea973b5dc24c15548891c76e78 RunByP1594 &"
1⤵
PID:1599

/tmp/dbuspm-session
./dbuspm-session /tmp/157d4eea973b5dc24c15548891c76e78 RunByP1594
1⤵
- Executes dropped EXE
PID:1600

/bin/sh
sh -c "cat /proc/meminfo|grep MemTotal>/tmp/Meminfo"
1⤵
PID:1605
- /bin/cat
  cat /proc/meminfo
  2⤵
  PID:1606
- /bin/grep
  grep MemTotal
  2⤵
  PID:1607

/bin/sh
sh -c "ethtool ens3|grep Speed >/tmp/NetSpeedInfo"
1⤵
PID:1608
- /bin/grep
  grep Speed
  2⤵
  PID:1610

/bin/sh
sh -c "rm /tmp/NetSpeedInfo /tmp/Meminfo"
1⤵
PID:1611
- /bin/rm
  rm /tmp/NetSpeedInfo /tmp/Meminfo
  2⤵
  PID:1612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Defense Evasion

Credential Access

Discovery

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/init.d/rc.local

Filesize
13B

MD5
6cce3b5b65c13566a616e48cac7e00a5

SHA1
1478d44a4a810ff844d53ec6bee2f56f28bd0b43

SHA256
19631ba62bf0299b5c2c5f45e4e57943a218f16b11ecfc6b19e88a9a0fde6ffe

SHA512
455a14fc759058ec3f8f57ea0b8c0065019e60d08f51c040cd37225de5852e9b8887e36db0a5151b9d60780edadf24deffeebe2623dc4f35cc118930450c5666

Download Submit
/etc/init.d/rc.local

Filesize
14B

MD5
6d93d6735a71a99f37e596da1e70c600

SHA1
0c70472ba94c95c3d72a061175db04902501174f

SHA256
f6a113354a18334c263fba3fdd91c796de35f7a1eb113a7d074d6c6ac39bf6c9

SHA512
33177b2a701b137d46bd13ae4346722a690c51ef649e8c272cd6252e9c810bbf6cb64b0ca85ab1cc3605f4616491a289ff46943fd2a933d2989c03590d5c048d

Download Submit
/tmp/Meminfo

Filesize
28B

MD5
8c66bf95966b7acc9f94dab790a65b8f

SHA1
0565c13889fee57d8fed112070ea5bb613548216

SHA256
d42f4a22a54fd5487a650dada99ff21155899d0e08b732b4a8e576a91ed233fc

SHA512
81f5e6e01d29e3adfd8efd0a0fc0672234c2de0be8b23325352ebe6916d325c75dded626681f4ab0d1fb2486c009664808d8ea637691f341bf53614269d526d1

Download Submit
/tmp/dbuspm-session

Filesize
6KB

MD5
7cf5d5e8ddf6e6e65169ae2a9edc92f3

SHA1
c92a6c1568d3c89120daf9193fa10d8bc1079ca7

SHA256
2710015c0c0fe485cf1740310e1b3c8eebe92dafc480425eed1cd29ad034fc90

SHA512
305864c460e00b73573313a7020a9cc8079211527f3cd005f06c7d360ca1a16767ed42f6052dfe91a4540cdd78e996c8b6b42e99138656466a9bea80d28fcf63

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads