ec42e1562fab95d0fbc86b3980cc392e368b50a4a150a2258d4293e4de1bc730

Analysis

max time kernel
33s
max time network
139s
platform
ubuntu-20.04_amd64
resource
ubuntu2004-amd64-20240221-en
resource tags

arch:amd64arch:i386image:ubuntu2004-amd64-20240221-enkernel:5.4.0-169-genericlocale:en-usos:ubuntu-20.04-amd64system
submitted
10/04/2024, 14:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ec42e1562fab95d0fbc86b3980cc392e368b50a4a150a2258d4293e4de1bc730
Size

829KB
MD5

c3eb3cfd10be2d0351ab73466c10e956
SHA1

cd587f71d861f501f5bca39aa17a0069b2488d1e
SHA256

ec42e1562fab95d0fbc86b3980cc392e368b50a4a150a2258d4293e4de1bc730
SHA512

0503ab3bb164d2df30552f327ac13d4a99a3cb3e818c2fbd3e776e4c6db60dea44ae2a27a045e0638fa003b01ce0e0a59bf9e345f12d25f32f4c09af337f5c9f
SSDEEP

12288:+dn9cS78n8E8vNLDoOe+haIpI9hzGiMTt2CJt/siQ529loXi3ZVNp1vH/MNSMGj:+dx8uNLsbyax9hzvCbsiQUyX4THr

Score

7^/10

persistence upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1478	ec42e1562fab95d0fbc86b3980cc392e368b50a4a150a2258d4293e4de1bc730

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/fstream-3.dat	upx

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.114.114

Modifies init.d 1 TTPs 21 IoCs

Adds/modifies system service, likely for persistence.

persistence

Boot or Logon Autostart Execution

T1547

description	ioc	Process
File opened for modification	/etc/init.d/udev	ec42e1562fab95d0fbc86b3980cc392e368b50a4a150a2258d4293e4de1bc730
File opened for modification	/etc/init.d/plymouth	ec42e1562fab95d0fbc86b3980cc392e368b50a4a150a2258d4293e4de1bc730
File opened for modification	/etc/init.d/hwclock.sh	ec42e1562fab95d0fbc86b3980cc392e368b50a4a150a2258d4293e4de1bc730
File opened for modification	/etc/init.d/cron	ec42e1562fab95d0fbc86b3980cc392e368b50a4a150a2258d4293e4de1bc730
File opened for modification	/etc/init.d/pulseaudio-enable-autospawn	ec42e1562fab95d0fbc86b3980cc392e368b50a4a150a2258d4293e4de1bc730
File opened for modification	/etc/init.d/keyboard-setup.sh	ec42e1562fab95d0fbc86b3980cc392e368b50a4a150a2258d4293e4de1bc730
File opened for modification	/etc/init.d/console-setup.sh	ec42e1562fab95d0fbc86b3980cc392e368b50a4a150a2258d4293e4de1bc730
File opened for modification	/etc/init.d/dbus	ec42e1562fab95d0fbc86b3980cc392e368b50a4a150a2258d4293e4de1bc730
File opened for modification	/etc/init.d/ufw	ec42e1562fab95d0fbc86b3980cc392e368b50a4a150a2258d4293e4de1bc730
File opened for modification	/etc/init.d/x11-common	ec42e1562fab95d0fbc86b3980cc392e368b50a4a150a2258d4293e4de1bc730
File opened for modification	/etc/init.d/spice-vdagent	ec42e1562fab95d0fbc86b3980cc392e368b50a4a150a2258d4293e4de1bc730
File opened for modification	/etc/init.d/alsa-utils	ec42e1562fab95d0fbc86b3980cc392e368b50a4a150a2258d4293e4de1bc730
File opened for modification	/etc/init.d/avahi-daemon	ec42e1562fab95d0fbc86b3980cc392e368b50a4a150a2258d4293e4de1bc730
File opened for modification	/etc/init.d/apparmor	ec42e1562fab95d0fbc86b3980cc392e368b50a4a150a2258d4293e4de1bc730
File opened for modification	/etc/init.d/pppd-dns	ec42e1562fab95d0fbc86b3980cc392e368b50a4a150a2258d4293e4de1bc730
File opened for modification	/etc/init.d/plymouth-log	ec42e1562fab95d0fbc86b3980cc392e368b50a4a150a2258d4293e4de1bc730
File opened for modification	/etc/init.d/openvpn	ec42e1562fab95d0fbc86b3980cc392e368b50a4a150a2258d4293e4de1bc730
File opened for modification	/etc/init.d/kmod	ec42e1562fab95d0fbc86b3980cc392e368b50a4a150a2258d4293e4de1bc730
File opened for modification	/etc/init.d/irqbalance	ec42e1562fab95d0fbc86b3980cc392e368b50a4a150a2258d4293e4de1bc730
File opened for modification	/etc/init.d/acpid	ec42e1562fab95d0fbc86b3980cc392e368b50a4a150a2258d4293e4de1bc730
File opened for modification	/etc/init.d/selinux-autorelabel	ec42e1562fab95d0fbc86b3980cc392e368b50a4a150a2258d4293e4de1bc730

Writes file to system bin folder 1 TTPs 1 IoCs

Hijack Execution Flow

T1574

description	ioc	Process
File opened for modification	/bin/iptable6	ec42e1562fab95d0fbc86b3980cc392e368b50a4a150a2258d4293e4de1bc730

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/.wq4sMLArXw	ec42e1562fab95d0fbc86b3980cc392e368b50a4a150a2258d4293e4de1bc730

/tmp/ec42e1562fab95d0fbc86b3980cc392e368b50a4a150a2258d4293e4de1bc730
/tmp/ec42e1562fab95d0fbc86b3980cc392e368b50a4a150a2258d4293e4de1bc730
1⤵
- Deletes itself
- Modifies init.d
- Writes file to system bin folder
- Writes file to tmp directory
PID:1478

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Defense Evasion

Hijack Execution Flow

T1574

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/usr/bin/iptable6

Filesize
829KB

MD5
c3eb3cfd10be2d0351ab73466c10e956

SHA1
cd587f71d861f501f5bca39aa17a0069b2488d1e

SHA256
ec42e1562fab95d0fbc86b3980cc392e368b50a4a150a2258d4293e4de1bc730

SHA512
0503ab3bb164d2df30552f327ac13d4a99a3cb3e818c2fbd3e776e4c6db60dea44ae2a27a045e0638fa003b01ce0e0a59bf9e345f12d25f32f4c09af337f5c9f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads