mrblack | 0e8b7406cefebfc76b5ca5b48c77e88bbaea2aaef89fbf947f164d017ff15743

Processes:

cpcpa7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60.elfcpreceicpcpcp

description	ioc	process
File opened for modification	/usr/bin/dpkgd/ps	cp
File opened for modification	/usr/bin/lsof	cp
File opened for modification	/usr/bin/bsd-port/udevd.conf	a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60.elf
File opened for modification	/usr/bin/dpkgd/lsof	cp
File opened for modification	/usr/bin/bsd-port/recei.conf	recei
File opened for modification	/usr/bin/oracle	cp
File opened for modification	/usr/bin/ps	cp
File opened for modification	/usr/bin/bsd-port/recei.conf	a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60.elf
File opened for modification	/usr/bin/bsd-port/recei	cp

Writes file to system bin folder 1 TTPs 2 IoCs

Hijack Execution Flow
T1574

Processes:

cpcp

description ioc process

File opened for modification /bin/lsof cp
File opened for modification /bin/ps cp

description	ioc	process
File opened for modification	/bin/lsof	cp
File opened for modification	/bin/ps	cp

Checks CPU configuration 1 TTPs 2 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

Virtualization/Sandbox Evasion

T1497

Processes:

receia7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60.elf

description	ioc	process
File opened for reading	/proc/cpuinfo	recei
File opened for reading	/proc/cpuinfo	a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60.elf

Reads system network configuration 1 TTPs 4 IoCs

Uses contents of /proc filesystem to enumerate network settings.

System Network Configuration Discovery

T1016

Processes:

a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60.elfrecei

description	ioc	process
File opened for reading	/proc/net/dev	a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60.elf
File opened for reading	/proc/net/route	a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60.elf
File opened for reading	/proc/net/arp	a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60.elf
File opened for reading	/proc/net/dev	recei

Reads runtime system information 24 IoCs

Reads data from /proc virtual filesystem.

Processes:

a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60.elfcporaclecpmkdircpreceicpmkdirmkdircpcpmkdircpinsmodmkdirinsmodmkdirmkdircp

description	ioc	process
File opened for reading	/proc/sys/kernel/version	a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60.elf
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/sys/kernel/version	oracle
File opened for reading	/proc/stat	a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60.elf
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/meminfo	recei
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/stat	recei
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/meminfo	a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60.elf
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/cmdline	insmod
File opened for reading	/proc/sys/kernel/version	recei
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/cmdline	insmod
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp

Writes file to tmp directory 8 IoCs

Malware often drops required files in the /tmp directory.

Processes:

oraclea7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60.elf

description	ioc	process
File opened for modification	/tmp/appd.log	oracle
File opened for modification	/tmp/notify.file	oracle
File opened for modification	/tmp/Dest.cfg	oracle
File opened for modification	/tmp/appd.log	a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60.elf
File opened for modification	/tmp/appd.conf	a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60.elf
File opened for modification	/tmp/Dest.cfg	a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60.elf
File opened for modification	/tmp/notify.file	a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60.elf
File opened for modification	/tmp/conf.n	a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60.elf

/tmp/a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60.elf
/tmp/a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60.elf
1⤵
- Modifies init.d
- Reads system routing table
- Write file to user bin folder
- Checks CPU configuration
- Reads system network configuration
- Reads runtime system information
- Writes file to tmp directory
PID:1525

/bin/sh
sh -c "ln -s /etc/init.d/VsystemsshMmt /etc/rc1.d/S97VsystemsshMmt"
2⤵
PID:1915

/usr/bin/ln
ln -s /etc/init.d/VsystemsshMmt /etc/rc1.d/S97VsystemsshMmt
3⤵
PID:1916

/bin/sh
sh -c "ln -s /etc/init.d/VsystemsshMmt /etc/rc2.d/S97VsystemsshMmt"
2⤵
PID:1917

/usr/bin/ln
ln -s /etc/init.d/VsystemsshMmt /etc/rc2.d/S97VsystemsshMmt
3⤵
PID:1918

/bin/sh
sh -c "ln -s /etc/init.d/VsystemsshMmt /etc/rc3.d/S97VsystemsshMmt"
2⤵
PID:1919

/usr/bin/ln
ln -s /etc/init.d/VsystemsshMmt /etc/rc3.d/S97VsystemsshMmt
3⤵
PID:1920

/bin/sh
sh -c "ln -s /etc/init.d/VsystemsshMmt /etc/rc4.d/S97VsystemsshMmt"
2⤵
PID:1921

/usr/bin/ln
ln -s /etc/init.d/VsystemsshMmt /etc/rc4.d/S97VsystemsshMmt
3⤵
PID:1922

/bin/sh
sh -c "ln -s /etc/init.d/VsystemsshMmt /etc/rc5.d/S97VsystemsshMmt"
2⤵
PID:1923

/usr/bin/ln
ln -s /etc/init.d/VsystemsshMmt /etc/rc5.d/S97VsystemsshMmt
3⤵
PID:1924

/bin/sh
sh -c "mkdir -p /usr/bin/bsd-port"
2⤵
PID:1925

/usr/bin/mkdir
mkdir -p /usr/bin/bsd-port
3⤵
- Reads runtime system information
PID:1926

/bin/sh
sh -c "cp -f /tmp/a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60.elf /usr/bin/bsd-port/recei"
2⤵
PID:1927

/usr/bin/cp
cp -f /tmp/a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60.elf /usr/bin/bsd-port/recei
3⤵
- Write file to user bin folder
- Reads runtime system information
PID:1928

/bin/sh
sh -c /usr/bin/bsd-port/recei
2⤵
PID:1930

/usr/bin/bsd-port/recei
/usr/bin/bsd-port/recei
3⤵
- Executes dropped EXE
- Modifies init.d
- Write file to user bin folder
- Checks CPU configuration
- Reads system network configuration
- Reads runtime system information
PID:1931

/bin/sh
sh -c "ln -s /etc/init.d/selinux /etc/rc1.d/S99selinux"
4⤵
PID:1975

/usr/bin/ln
ln -s /etc/init.d/selinux /etc/rc1.d/S99selinux
5⤵
PID:1976

/bin/sh
sh -c "ln -s /etc/init.d/selinux /etc/rc2.d/S99selinux"
4⤵
PID:1977

/usr/bin/ln
ln -s /etc/init.d/selinux /etc/rc2.d/S99selinux
5⤵
PID:1978

/bin/sh
sh -c "ln -s /etc/init.d/selinux /etc/rc3.d/S99selinux"
4⤵
PID:1979

/usr/bin/ln
ln -s /etc/init.d/selinux /etc/rc3.d/S99selinux
5⤵
PID:1980

/bin/sh
sh -c "ln -s /etc/init.d/selinux /etc/rc4.d/S99selinux"
4⤵
PID:1981

/usr/bin/ln
ln -s /etc/init.d/selinux /etc/rc4.d/S99selinux
5⤵
PID:1982

/bin/sh
sh -c "ln -s /etc/init.d/selinux /etc/rc5.d/S99selinux"
4⤵
PID:1983

/usr/bin/ln
ln -s /etc/init.d/selinux /etc/rc5.d/S99selinux
5⤵
PID:1984

/bin/sh
sh -c "mkdir -p /usr/bin/dpkgd"
4⤵
PID:1985

/usr/bin/mkdir
mkdir -p /usr/bin/dpkgd
5⤵
- Reads runtime system information
PID:1986

/bin/sh
sh -c "cp -f /bin/lsof /usr/bin/dpkgd/lsof"
4⤵
PID:1987

/usr/bin/cp
cp -f /bin/lsof /usr/bin/dpkgd/lsof
5⤵
- Write file to user bin folder
- Reads runtime system information
PID:1988

/bin/sh
sh -c "mkdir -p /bin"
4⤵
PID:1989

/usr/bin/mkdir
mkdir -p /bin
5⤵
- Reads runtime system information
PID:1990

/bin/sh
sh -c "cp -f /usr/bin/bsd-port/recei /bin/lsof"
4⤵
PID:1991

/usr/bin/cp
cp -f /usr/bin/bsd-port/recei /bin/lsof
5⤵
- Writes file to system bin folder
- Reads runtime system information
PID:1992

/bin/sh
sh -c "chmod 0755 /bin/lsof"
4⤵
PID:1999

/usr/bin/chmod
chmod 0755 /bin/lsof
5⤵
PID:2000

/bin/sh
sh -c "cp -f /bin/ps /usr/bin/dpkgd/ps"
4⤵
PID:2001

/usr/bin/cp
cp -f /bin/ps /usr/bin/dpkgd/ps
5⤵
- Write file to user bin folder
- Reads runtime system information
PID:2002

/bin/sh
sh -c "mkdir -p /bin"
4⤵
PID:2005

/usr/bin/mkdir
mkdir -p /bin
5⤵
- Reads runtime system information
PID:2006

/bin/sh
sh -c "cp -f /usr/bin/bsd-port/recei /bin/ps"
4⤵
PID:2008

/usr/bin/cp
cp -f /usr/bin/bsd-port/recei /bin/ps
5⤵
- Writes file to system bin folder
- Reads runtime system information
PID:2009

/bin/sh
sh -c "chmod 0755 /bin/ps"
4⤵
PID:2012

/usr/bin/chmod
chmod 0755 /bin/ps
5⤵
PID:2013

/bin/sh
sh -c "mkdir -p /usr/bin"
4⤵
PID:2014

/usr/bin/mkdir
mkdir -p /usr/bin
5⤵
- Reads runtime system information
PID:2015

/bin/sh
sh -c "cp -f /usr/bin/bsd-port/recei /usr/bin/lsof"
4⤵
PID:2016

/usr/bin/cp
cp -f /usr/bin/bsd-port/recei /usr/bin/lsof
5⤵
- Write file to user bin folder
- Reads runtime system information
PID:2017

/bin/sh
sh -c "chmod 0755 /usr/bin/lsof"
4⤵
PID:2019

/usr/bin/chmod
chmod 0755 /usr/bin/lsof
5⤵
PID:2020

/bin/sh
sh -c "mkdir -p /usr/bin"
4⤵
PID:2022

/usr/bin/mkdir
mkdir -p /usr/bin
5⤵
- Reads runtime system information
PID:2023

/bin/sh
sh -c "cp -f /usr/bin/bsd-port/recei /usr/bin/ps"
4⤵
PID:2024

/usr/bin/cp
cp -f /usr/bin/bsd-port/recei /usr/bin/ps
5⤵
- Write file to user bin folder
- Reads runtime system information
PID:2025

/bin/sh
sh -c "chmod 0755 /usr/bin/ps"
4⤵
PID:2026

/usr/bin/chmod
chmod 0755 /usr/bin/ps
5⤵
PID:2027

/bin/sh
sh -c "insmod /usr/lib/xpacket.ko"
4⤵
PID:2028

/usr/sbin/insmod
insmod /usr/lib/xpacket.ko
5⤵
- Reads runtime system information
PID:2029

/bin/sh
sh -c "mkdir -p /usr/bin"
2⤵
PID:1933

/usr/bin/mkdir
mkdir -p /usr/bin
3⤵
- Reads runtime system information
PID:1934

/bin/sh
sh -c "cp -f /tmp/a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60.elf /usr/bin/oracle"
2⤵
PID:1935

/usr/bin/cp
cp -f /tmp/a7d548bcb9a58a58b5dfb9f059b302131fc0107a094f1fbb53c7d525b9327b60.elf /usr/bin/oracle
3⤵
- Write file to user bin folder
- Reads runtime system information
PID:1936

/bin/sh
sh -c /usr/bin/oracle
2⤵
PID:1994

/usr/bin/oracle
/usr/bin/oracle
3⤵
- Executes dropped EXE
- Reads runtime system information
- Writes file to tmp directory
PID:1995

/bin/sh
sh -c "insmod /usr/lib/xpacket.ko"
2⤵
PID:1997

/usr/sbin/insmod
insmod /usr/lib/xpacket.ko
3⤵
- Reads runtime system information
PID:1998

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

Defense Evasion

Hijack Execution Flow

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

System Network Configuration Discovery

T1016

Virtualization/Sandbox Evasion