Overview

overview

10

Static

static

10

55845e687d...e56567

ubuntu-18.04-amd64

9

Sharing

Copy URL
Twitter E-mail

General

  • Target

    16201498086.zip

  • Size

    2.0MB

  • Sample

    240325-qdebeagf98

  • MD5

    d3c2a035b041881a26d237c4b20868e0

  • SHA1

    53227eb9d885d2a7362710c9b6570fa3522dbc4a

  • SHA256

    a7c9f67a881aabc9f37b62bb44887abb5f1b27bb9345005de606885ef38b5a12

  • SHA512

    6a65c9e766476825d1f4f72f126e27d960d663f6c3ee283bd7f93a3e507805ba16df9a0657a725bbe52cd35e26c008b883847ffd7ceb4f12eb86f0f55a14f2da

  • SSDEEP

    49152:zwbcp0bIDHxLk5uu6VseK1KWB2u/UU3iAxI+ePrfjalEJ:8A0IDHC5zMseGxUU3p0reCJ

Score
10/10
ech0raixevasionlinuxpersistenceransomware

Malware Config

Targets

    • Target

      55845e687ddcd2c133d6e30802be2dcc54f27fb8abb894229f76b0767ce56567

    • Size

      4.7MB

    • MD5

      c20200ae3c8acb3aa23a9097b6099739

    • SHA1

      df920c349a310f6a1532ed05f524f400e85603b3

    • SHA256

      55845e687ddcd2c133d6e30802be2dcc54f27fb8abb894229f76b0767ce56567

    • SHA512

      340e157afe4f7b0800009bb220be56dcaffb0b41409935a4730fcfe6f4775960b1aaa0d804d0a0fbcfb47d451cf8c1b2c17cc2211c88046bc38295721c0c5b16

    • SSDEEP

      49152:MRos/AVhzmQymwq+6r0BCU0hVba2j2O7LIyaXn6k6VjfbtvDGG0U:LIuGq+6r0BL0TM37

    Score
    9/10
    evasionpersistenceransomware

    • Renames multiple (43000) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Deletes journal logs

      Deletes systemd journal logs. Likely to evade detection.

      evasion

    • Modifies Polkit authorization policy

      Modifies rule/ action files in Polkit, possibly to grant additional privileges.

    • Creates/modifies Cron job

      Cron allows running tasks on a schedule, and is commonly used for malware persistence.

      persistence

    • Deletes log files

      Deletes log files on the system.

    • Enumerates running processes

      Discovers information about currently running processes on the system

    • Reads CPU attributes

    • Reads hardware information

      Accesses system info like serial numbers, manufacturer names etc.

    • Reads network interface configuration

      Fetches information about one or more active network interfaces.

    • Write file to user bin folder

    • Writes file to system bin folder

    behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1
T1053

Persistence

Scheduled Task/Job

1
T1053

Hijack Execution Flow

2
T1574

Privilege Escalation

Scheduled Task/Job

1
T1053

Hijack Execution Flow

2
T1574

Defense Evasion

Indicator Removal

2
T1070

Hijack Execution Flow

2
T1574

Credential Access

Discovery

System Information Discovery

3
T1082

System Network Configuration Discovery

1
T1016

System Network Connections Discovery

1
T1049

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks