Resubmissions

15-03-2024 16:07

240315-tkykeacf7z 1

25-02-2024 14:29

240225-rtjrhaee9z 10

General

  • Target

    script_malware.zip

  • Size

    4.4MB

  • Sample

    240225-rtjrhaee9z

  • MD5

    cabc07f288cc71b7447d6098ce3bb245

  • SHA1

    2ff090c33470e3c8c2c10888ba0de5539c5126d1

  • SHA256

    78276bd481a04c29109fbbd8313701e5b814165fa4b48515ec4489ccfda93107

  • SHA512

    7aef8936dd1f734d20a9ab251ab46c22bcaa4c2a012387b7e9fce48e9d870926981c22cf3fac87c2b3bd0ae6f6efe084aaefd15fe229cd1bf085a55e0322dd80

  • SSDEEP

    98304:OUCcwlITgiAybrbTWITgJbyvVqUCcwlITgiAybrbTWITgJbyvVvM:pCcCEgiAsTHsyPCcCEgiAsTHsyhM

Malware Config

Extracted

Family

xorddos

C2

www.imagetw0.com:889

www.myserv012.com:889

http://qq.com/lib.asp

http://aa.hostasa.org/config.rar

www.enoan2107.com:443

www.gzcfr5axf6.com:443

Attributes

  • crc_polynomial

    CDB88320

xor.plain
xor.plain

Targets

    • Target

      script_malware/063ccf736c2c19ca5db70b8d8a7cf00377899c16023c63fee836bdefadd336c1.sh

    • Size

      11KB

    • MD5

      07b7746b922cf7d7fa821123a226ed36

    • SHA1

      bf2df8f2813ef4e2cf61ea193e091b808aa854c7

    • SHA256

      063ccf736c2c19ca5db70b8d8a7cf00377899c16023c63fee836bdefadd336c1

    • SHA512

      ad29993a88c996f96fdc5c01fda89400b1e27228c58445d181dc6af974a171ee36e014d90aa8e09de6d83e4bfd12d167eb361bd52b6d194af6f249a6812019cb

    • SSDEEP

      192:Xws08k5tkd5DFPSV3n7/e867jNKvSbRXA8kWmk4lkCIkvUgoaES8DSWOlA+1esP:XQwL4/e867USbRXA8kWT4yCtvUgDjdWi

    • Modifies the dynamic linker configuration file

      Malware can modify the configuration file of the dynamic linker to preload malicious libraries with every executed process.

    • Flushes firewall rules

      Flushes/disables firewall rules inside the Linux kernel.

    • Loads a kernel module

      Loads a Linux kernel module, potentially to achieve persistence.

    • Reads EFI boot settings

      Reads EFI boot settings from the efivars filesystem, which may contain security secrets or sensitive data.

    • Attempts to change immutable files

      Modifies inode attributes on the filesystem to allow changing of immutable files.

    • Creates/modifies Cron job

      Cron allows running tasks on a schedule, and is commonly used for malware persistence.

    • Enumerates running processes

      Discovers information about currently running processes on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Modifies systemd

      Adds/modifies systemd service files, likely to achieve persistence.

    • Reads CPU attributes

    • Target

      script_malware/1.sh

    • Size

      35KB

    • MD5

      2550990d2d52581b213e7c9305c392d3

    • SHA1

      f7f069915c9b97550dc1fb6cf631f6222416dcf5

    • SHA256

      8e27b76b3903312cc5e93f250d7cf90b7b999592d70dcf2922bb450023014006

    • SHA512

      a30d4a39203e6a98937e8670b7b3caaa63d2141fdf404bb28ca240d95cb7420bdfb8c695db81cc9c799e8818266600c137b8b0df2dfc69d7566bae64eee2ad50

    • SSDEEP

      768:X87XzQ5VFNcDAFLcIwgnoYq0xFB6ytguz:X3VF+D6cIwgos/z

    • xmrig

      XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

    • XMRig Miner payload

    • Deletes system logs

      Deletes log file which contains global system messages. Adversaries may delete system logs to minimize their footprint.

    • Executes dropped EXE

    • Flushes firewall rules

      Flushes/disables firewall rules inside the Linux kernel.

    • Loads a kernel module

      Loads a Linux kernel module, potentially to achieve persistence.

    • Reads EFI boot settings

      Reads EFI boot settings from the efivars filesystem, which may contain security secrets or sensitive data.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Attempts to change immutable files

      Modifies inode attributes on the filesystem to allow changing of immutable files.

    • Checks CPU configuration

      Checks CPU information which indicates if the system is a virtual machine.

    • Checks hardware identifiers (DMI)

      Checks DMI information which indicates if the system is a virtual machine.

    • Creates/modifies Cron job

      Cron allows running tasks on a schedule, and is commonly used for malware persistence.

    • Enumerates running processes

      Discovers information about currently running processes on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Reads CPU attributes

    • Reads hardware information

      Accesses system info such as serial numbers, manufacturer names, etc.

    • Reads list of loaded kernel modules

      Reads the list of currently loaded kernel modules, possibly to detect virtual environments.

    • Target

      script_malware/10c3b6b03a9bf105d264a8e7f30dcab0a6c59a414529b0af0a6bd9f1d2984459.sh

    • Size

      3KB

    • MD5

      d0d36f169f1458806053aae482af5010

    • SHA1

      e603944aceb5c0885a8627de12f36b159bbf2f05

    • SHA256

      10c3b6b03a9bf105d264a8e7f30dcab0a6c59a414529b0af0a6bd9f1d2984459

    • SHA512

      982abe39731d8cc852c25650740ff73975c10d19027eccf610401260e2f508334f1de656f8dd332fa698dccc9f7d3bda610c8b9e84d276036a6e9408d826229a

    • Score

      7/10

    • Deletes Audit logs

      Deletes logs related to the Linux Audit framework.

    • Deletes log files

      Deletes log files on the system.

    • Enumerates running processes

      Discovers information about currently running processes on the system.

    • Reads CPU attributes

    • Reads hardware information

      Accesses system info such as serial numbers, manufacturer names, etc.

    • Reads network interface configuration

      Fetches information about one or more active network interfaces.

    • Target

      script_malware/164f8295_linux.elf

    • Size

      5.1MB

    • MD5

      c850f6816459e3364b2a54239642101b

    • SHA1

      30c60f18279ed5fd36e3ac2d3ba5ddbdc5d1f624

    • SHA256

      21162bbd796ad2bf9954265276bfebea8741596e8fe9d86070245d9b5f9db6da

    • SHA512

      be7eaec0e4847a422ab7b52af7f0493e2390973077500f4faab38cb0dafd9d651346aee13bb9e5a4fb936e3cc3f83c7db598121df37be9ff6cda2dadf59ccb2f

    • SSDEEP

      98304:nxygRxtJ8tcZe32l/+jMSXYTU4BcoPfa8/X:Stc0kbSXWJ

    • Score

      1/10

    • Target

      script_malware/21162bbd796ad2bf9954265276bfebea8741596e8fe9d86070245d9b5f9db6da.elf

    • Size

      5.1MB

    • MD5

      c850f6816459e3364b2a54239642101b

    • SHA1

      30c60f18279ed5fd36e3ac2d3ba5ddbdc5d1f624

    • SHA256

      21162bbd796ad2bf9954265276bfebea8741596e8fe9d86070245d9b5f9db6da

    • SHA512

      be7eaec0e4847a422ab7b52af7f0493e2390973077500f4faab38cb0dafd9d651346aee13bb9e5a4fb936e3cc3f83c7db598121df37be9ff6cda2dadf59ccb2f

    • SSDEEP

      98304:nxygRxtJ8tcZe32l/+jMSXYTU4BcoPfa8/X:Stc0kbSXWJ

    • Score

      1/10

    • Target

      script_malware/23.sh

    • Size

      287B

    • MD5

      aa0772cff70daa00d44a201b28ef6b08

    • SHA1

      d129e51acd50ed4ff87672dca4975ed313ae9ad9

    • SHA256

      a55e9eb1cb4dc2cb8d1a697d329b3a76e18b949308e16ef50aafca1e08123939

    • SHA512

      9d2654a7c7634909117d65b0d60bee51e2b9f2de320c2dfc7a30b36f182e2a44b21be91c3dd73fabd4d0cbff7fbc6c18a712cfd41fdcf51cf06ef4a39fe846b1

    • XorDDoS

      Botnet and downloader malware targeting Linux-based operating systems and IoT devices.

    • XorDDoS payload

    • Deletes itself

    • Executes dropped EXE

    • Reads EFI boot settings

      Reads EFI boot settings from the efivars filesystem, which may contain security secrets or sensitive data.

    • Checks CPU configuration

      Checks CPU information which indicates if the system is a virtual machine.

    • Creates/modifies Cron job

      Cron allows running tasks on a schedule, and is commonly used for malware persistence.

    • Modifies init.d

      Adds/modifies system service, likely for persistence.

    • Write file to user bin folder

    • Target

      script_malware/404

    • Size

      26KB

    • MD5

      e53cf00cf16d5e645103a266959ce5b7

    • SHA1

      d145edc39d2b5ab2392a989734ef28af77f74f7e

    • SHA256

      0fb9eb96a08f9ad3400f89749d32f3e44362346ec7fca9bd5e9ba85022e5ebc1

    • SHA512

      30b31e6b89f8f1eb92de62a2ba90ab299e060e11a91ef069927f045506dc73d0a276adf3966b4525164488bc8779b4a1a48f005513d9ba9f92916d04ec26f50a

    • SSDEEP

      192:phe97oGORlRQ4CR1ydi5DAomxCdsjnbP19+9Uc3gHNgWW1kSNPWW0wnENfICSo4M:iWBLZCRwdkzzsjT1TtE1dIfICSoTx9k2

    • Score

      1/10

    • Target

      script_malware/864d7bcd96f8cf35b9e372b6508bc6ef1a704eaaa03c34bd79577b057aebec5b.py

    • Size

      38KB

    • MD5

      02e98c71545c8345d28920fbc4f99c28

    • SHA1

      a09e2b273c4cb323d4ea424ae456d9dbc9fc43f0

    • SHA256

      864d7bcd96f8cf35b9e372b6508bc6ef1a704eaaa03c34bd79577b057aebec5b

    • SHA512

      62ca71f1028be36e9afa5d26c8f11471d6679658b8b3db7b2db696f093a2a9d5e616a7b3c336a18c143c5c73908259eb4ca2f4af66d3ee56a5dc4ee358d2f530

    • SSDEEP

      768:Jkcso0KfNBqjxvcG4DRINIUBqKENI1gJkOpvUBL6GYJ5jHQES8Z80foQy2aCrhX:ueNB40xbUBqKEix2vLzwES8Z80foQ9X

    • Score

      1/10

    • Target

      script_malware/8e27b76b3903312cc5e93f250d7cf90b7b999592d70dcf2922bb450023014006.sh

    • Size

      35KB

    • MD5

      2550990d2d52581b213e7c9305c392d3

    • SHA1

      f7f069915c9b97550dc1fb6cf631f6222416dcf5

    • SHA256

      8e27b76b3903312cc5e93f250d7cf90b7b999592d70dcf2922bb450023014006

    • SHA512

      a30d4a39203e6a98937e8670b7b3caaa63d2141fdf404bb28ca240d95cb7420bdfb8c695db81cc9c799e8818266600c137b8b0df2dfc69d7566bae64eee2ad50

    • SSDEEP

      768:X87XzQ5VFNcDAFLcIwgnoYq0xFB6ytguz:X3VF+D6cIwgos/z

    • Kinsing

      Kinsing is a loader written in Golang.

    • Kinsing payload

    • xmrig

      XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

    • XMRig Miner payload

    • Changes its process name

    • Deletes system logs

      Deletes log file which contains global system messages. Adversaries may delete system logs to minimize their footprint.

    • Executes dropped EXE

    • Flushes firewall rules

      Flushes/disables firewall rules inside the Linux kernel.

    • Loads a kernel module

      Loads a Linux kernel module, potentially to achieve persistence.

    • Reads EFI boot settings

      Reads EFI boot settings from the efivars filesystem, which may contain security secrets or sensitive data.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Attempts to change immutable files

      Modifies inode attributes on the filesystem to allow changing of immutable files.

    • Checks CPU configuration

      Checks CPU information which indicates if the system is a virtual machine.

    • Checks hardware identifiers (DMI)

      Checks DMI information which indicates if the system is a virtual machine.

    • Creates/modifies Cron job

      Cron allows running tasks on a schedule, and is commonly used for malware persistence.

    • Disables AppArmor

      Disables AppArmor security module.

    • Disables SELinux

      Disables SELinux security module.

    • Enumerates running processes

      Discovers information about currently running processes on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Reads CPU attributes

    • Reads hardware information

      Accesses system info such as serial numbers, manufacturer names, etc.

    • Reads list of loaded kernel modules

      Reads the list of currently loaded kernel modules, possibly to detect virtual environments.

    • Target

      script_malware/SnOoPy.sh

    • Size

      2KB

    • MD5

      f0664749e65d26335de79a90c7074d00

    • SHA1

      0deb03914ba232314b5214803dd97b94c1c9d9e5

    • SHA256

      57ad07730428c1412ba43f4470c2074f4f0ef4e6eb5fcd24c9e19e49028e455a

    • SHA512

      b605e84c23dad423a5e585c49957b0ade5f8764681f010fc1d192c81f677e4a849872db8afedd262e740f648aca18649a89420a54a02f1f1bd594c2125c2b6ff

    • Score

      1/10

    • Target

      script_malware/a423a2a11c1904e42dc8630064e252ac4568220417a9ae072a557131e9386617.sh

    • Size

      677B

    • MD5

      0d60923ea49eff0f3624cd2fa2eb4b47

    • SHA1

      96c5fb1d27bc80c19e3d5804fa32ec4879280f4d

    • SHA256

      a423a2a11c1904e42dc8630064e252ac4568220417a9ae072a557131e9386617

    • SHA512

      3426d42801fedec6c2a2da166098079006fc2b527d9c93c053aa29d635231e246203039de27d7cb7cd0450518ecb40ab9c6b6506295cd096075fab9021055eb3

    • Score

      1/10

    • Target

      script_malware/a58fa03638110727f4a4a227f6ec2c0dceaeb39ccee89d12a4d727bb50d29dc0.sh

    • Size

      11KB

    • MD5

      22a189e0266e0ad722b7e58923eafab5

    • SHA1

      04d01163b1a8ce62aabbc8636aeeb201a3ff28cc

    • SHA256

      a58fa03638110727f4a4a227f6ec2c0dceaeb39ccee89d12a4d727bb50d29dc0

    • SHA512

      12c98beec2d8d7449b79bd42c61f8a8c1c2bffb786ba0c0badeca69df46b10b535491ea6d9f938d7f47476a79a9021d0852ffefd31fcbfa8346e3c794ff55518

    • SSDEEP

      192:Xws08k5tkQPSV3n7/e867jNKvSbRXA8kWmk4lkCIkvUgoaES8DSWOlA+1esH:XQl4/e867USbRXA8kWT4yCtvUgDjdWO7

    • Modifies the dynamic linker configuration file

      Malware can modify the configuration file of the dynamic linker to preload malicious libraries with every executed process.

    • Executes dropped EXE

    • Flushes firewall rules

      Flushes/disables firewall rules inside the Linux kernel.

    • Loads a kernel module

      Loads a Linux kernel module, potentially to achieve persistence.

    • Reads EFI boot settings

      Reads EFI boot settings from the efivars filesystem, which may contain security secrets or sensitive data.

    • Attempts to change immutable files

      Modifies inode attributes on the filesystem to allow changing of immutable files.

    • Creates/modifies Cron job

      Cron allows running tasks on a schedule, and is commonly used for malware persistence.

    • Enumerates running processes

      Discovers information about currently running processes on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Modifies systemd

      Adds/modifies systemd service files, likely to achieve persistence.

    • Reads CPU attributes

    • Target

      script_malware/aa5a487db37ce176e17c7abbb2b1d460ba926344e46737f2f64b65bf5a4a3e58.sh

    • Size

      4KB

    • MD5

      34de9725e232ba82275bb0dcf9282e16

    • SHA1

      b17403e7dcb992ba8d2b56dd843406264d3910e5

    • SHA256

      aa5a487db37ce176e17c7abbb2b1d460ba926344e46737f2f64b65bf5a4a3e58

    • SHA512

      1e63fe08153e6b3c1b3593fcc070d297a1d0e67ffc3b7f3fc58b71b4b39487f1fe738b863ea5e23c21159b248bc2149a69009ee5372ff17d386effc4f2111fd7

    • Score

      7/10

    • Deletes Audit logs

      Deletes logs related to the Linux Audit framework.

    • Deletes log files

      Deletes log files on the system.

    • Enumerates running processes

      Discovers information about currently running processes on the system.

    • Reads CPU attributes

    • Reads hardware information

      Accesses system info such as serial numbers, manufacturer names, etc.

    • Reads network interface configuration

      Fetches information about one or more active network interfaces.

    • Target

      script_malware/ae4b7284a9538c66432f02097c3de14e2253d16b6602c4694753468bc14d7d28.sh

    • Size

      3KB

    • MD5

      cf5762eea336cf74a0323d715f72b8b9

    • SHA1

      b40e39adadc5ae4d98fd3900837414797562b1bc

    • SHA256

      ae4b7284a9538c66432f02097c3de14e2253d16b6602c4694753468bc14d7d28

    • SHA512

      35822aafe30d8a14a1ac48d25f6a5eff90c55e18c44df6432bcec962370b6ff1fe06559510090691abb5e4b50594b7067b48f3e582944b07af1c3669fe739c77

    • Score

      7/10

    • Deletes Audit logs

      Deletes logs related to the Linux Audit framework.

    • Deletes log files

      Deletes log files on the system.

    • Enumerates running processes

      Discovers information about currently running processes on the system.

    • Reads CPU attributes

    • Reads hardware information

      Accesses system info such as serial numbers, manufacturer names, etc.

    • Reads network interface configuration

      Fetches information about one or more active network interfaces.

    • Target

      script_malware/redtail.sh

    • Size

      551B

    • MD5

      9ec39c70dc24d8b1052ea5bf288cbb08

    • SHA1

      4ba674f003cb45986a88df222db6ad42e5102313

    • SHA256

      ef0195a0befc456ced03bdba95223c27dd106fcc2c5bc5617c31512f4b65eaff

    • SHA512

      b736e7740b3e3b533c97c275b47c1022efd1a281ee17ece61e515b2d3a4ed13ab3480e4378484b0abbbb2aa542d99436ea25aef6f2917af185e7989b9f7ff93b

    • Score

      N/A

    • Target

      script_malware/rs.sh

    • Size

      4KB

    • MD5

      1b3a715d9ee7524d75010c628255b7e5

    • SHA1

      e8fcd0dda56bf98f345974089a96f6391964a972

    • SHA256

      edc64c943e577f7a80cd893d045d0b8984ebd3ef5df59d6ef4c497adb877fa9b

    • SHA512

      351213285db6d1d0f12bd82755f521bc57882b69e1af81baa51dc366c94aaac3a180c2a230d582e052a53560f82e0ea0489efb1fd8bbb8476312fa418a425e1c

    • SSDEEP

      96:mhiSGbe3mp35gBzIX0bd0NNFGcrcBc3gjXuc2k:mhiSmeWpJgi0bONNFGzJus

    • Score

      6/10

    • Disables SELinux

      Disables SELinux security module.

    • Enumerates running processes

      Discovers information about currently running processes on the system.

    • Reads CPU attributes

    • Target

      script_malware/setup.sh

    • Size

      1KB

    • MD5

      37d7c910159cf1d62dbcf5b7bff399ea

    • SHA1

      90a783bc89f7fbfb52da193849d5d849b9a3a1e6

    • SHA256

      29acfdc8b457d7b56d5eb443fe6d22f8169db3786605e37be0bdac9bfb1503fb

    • SHA512

      dc78fbcfd58d8383842de7eb18b3f9f72b7255db8f670e93230916e98b8f6dbf77f8ba28cd93f9d3f740243adec500e9f245e4ebbb440aa882eff7907e9fe0c0

    • Score

      7/10

    • Executes dropped EXE

    • Target

      script_malware/shell.elf

    • Size

      207B

    • MD5

      8427bcae96bac624c94ebf3e2f605984

    • SHA1

      45ac1af64f2118702f92b27cb62a2ada4277a16e

    • SHA256

      8841199eadcc4529587ddce865c3ee84de7495ed59b90ec64acfdbb4568562b9

    • SHA512

      6fddb09394661f542eab2566aedabdcf1432d414303fef7af24799f47a6bca8b6a930fa68a4c2d374483f083ab351c484581df66f91a187c34b01951a065307a

    • Score

      1/10

    • Target

      script_malware/ta.sh

    • Size

      9KB

    • MD5

      83821e27601305f76432759042d2c2a2

    • SHA1

      ad255cce6b52d77b8791d2539667ebcefb5113d1

    • SHA256

      03f1490eb936b54330934b4e677a12b11c3acf2b0e4ca97c6c21ee3dc5a381fb

    • SHA512

      0570993f37ce4a0405f837e7e732f428e783e732c97a8c565bc73475542375bc30c6e2b7791d77566de104b426994571c5e1ae9818655e656aa4ebc62cc61864

    • SSDEEP

      192:R9FFa1GIJz8c104etI1Dd7mf85tunuFc8kIvTKxP4CUqQv2a44rKmmcDK9K7omhA:RjEAem4TNruwrCUqQua44rnm+2v47vGT

    • xmrig

      XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

    • Executes dropped EXE

    • Reads EFI boot settings

      Reads EFI boot settings from the efivars filesystem, which may contain security secrets or sensitive data.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks CPU configuration

      Checks CPU information which indicates if the system is a virtual machine.

    • Checks hardware identifiers (DMI)

      Checks DMI information which indicates if the system is a virtual machine.

    • Enumerates running processes

      Discovers information about currently running processes on the system.

    • Reads CPU attributes

    • Reads hardware information

      Accesses system info such as serial numbers, manufacturer names, etc.

MITRE ATT&CK Matrix ATT&CK v13

  Tactic                  Technique                                Count  ID
  Execution               Scheduled Task/Job                       5      T1053
  Persistence             Hijack Execution Flow                    3      T1574
  Persistence             Scheduled Task/Job                       5      T1053
  Persistence             Boot or Logon Autostart Execution        3      T1547
  Privilege Escalation    Hijack Execution Flow                    3      T1574
  Privilege Escalation    Scheduled Task/Job                       5      T1053
  Privilege Escalation    Boot or Logon Autostart Execution        3      T1547
  Defense Evasion         Hijack Execution Flow                    3      T1574
  Defense Evasion         Indicator Removal                        8      T1070
  Defense Evasion         Virtualization/Sandbox Evasion           9      T1497
  Discovery               System Information Discovery             25     T1082
  Discovery               Virtualization/Sandbox Evasion           9      T1497
  Discovery               System Network Configuration Discovery   3      T1016
  Discovery               System Network Connections Discovery     3      T1049
  Command and Control     Web Service                              1      T1102
