88e6f06aff59e4d7d860d32d781e1c182531acf0c89a2afe4cd6a420055a2bd1

Analysis

max time kernel
149s
max time network
131s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240508-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240508-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
21/05/2024, 06:05

Target

bin/xCloudClient
Size

3.8MB
MD5

d777ee74a30bd904d88e81d9c0dd0de2
SHA1

bb85b0279ac70965f1368c5fa4c5851f114f8a48
SHA256

df905c53c705bcc1515eca4e1feff4655a0ce9df893b0722ac4c6fad68cf6f7b
SHA512

026326f399d9ef7c8b6e0fd34f17fcb4d001c1a11f534679c7f8c3c1b1c7854daccb49c944f06521c0a364d624fce377bd4ff34cbd0d9b000c4768dd85238905
SSDEEP

49152:bZ07A73j4VABBSa4N0pl3AAFBAUZLYJMZGaXYQKuH5AVECI2222zzpLJnwkX5CZV:bZ0mJBE+jBAUZL/9LZ9c1UI

Score

6^/10

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	icanhazip.com
5	icanhazip.com

Writes file to tmp directory 5 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/bin/.version	xCloudClient
File opened for modification	/tmp/etc/xCloud.db-journal	xCloudClient
File opened for modification	/tmp/bin/.xCloudClientRunOne.pid	xCloudClient
File opened for modification	/tmp/etc/xCloud.db	xCloudClient
File opened for modification	/tmp/log/Log.txt	xCloudClient

/tmp/bin/xCloudClient
/tmp/bin/xCloudClient
1⤵
- Writes file to tmp directory
PID:1478
- /bin/sh
  sh -c "uname -a"
  2⤵
  PID:1480
- - /bin/uname
    uname -a
    3⤵
    PID:1481
- /bin/sh
  sh -c "route | grep default | grep -v grep"
  2⤵
  PID:1482
- - /bin/grep
    grep -v grep
    3⤵
    PID:1485
- - /bin/grep
    grep default
    3⤵
    PID:1484
- /bin/sh
  sh -c "curl icanhazip.com"
  2⤵
  PID:1500
- - /usr/bin/curl
    curl icanhazip.com
    3⤵
    PID:1504

/tmp/bin/.version

Filesize
3B

MD5
1068c6e4c8051cfd4e9ea8072e3189e2

SHA1
329dc1daf9fb9d5e75d687dd9e0740e1c72796c3

SHA256
612111a352a571cbed3927ec6f74948849bcc9fe8489bf4f0d6235afdc0a4ad7

SHA512
aeddf5ddab07c52b83aad7d5cbc980a0cec3e7235456b5d0537170fd397aaffd873c167d41d2e6af30cdd251032468a5d2b62752335b00dcc1c33b7d5cebb73d

Download Submit
/tmp/bin/.xCloudClientRunOne.pid

Filesize
5B

MD5
cf045724c6a0576ec11993807423cf2f

SHA1
581bffe71bd1489fd7479a5ca0c764b0bd8db1d6

SHA256
2f4113b3557b879fad4b645f6db6b9ed0934b5a7d72bc89c70d7b874db81ce75

SHA512
2a07f833a4c6fecf3c05a877d0170aa0f88c9be42ba9581e6e0e60e567f08cd747e575bb8e738ca8708d1fde9c1c7892df6c529a54692ab591a1c7d5b934dfc6

Download Submit