Malware Analysis Report

2024-10-16 05:25

Sample ID 240904-yrzs9svglp
Target The-MALWARE-Repo-master.zip
SHA256 b7dd3bce3ebfbc2d5e3a9f00d47f27cb6a5895c4618c878e314e573a7c216df1
Tags
antivm defense_evasion discovery persistence privilege_escalation danabot banker botnet trojan dridex macro upx aspackv2 macro_on_action geforce host stealer guest mydoom darkcomet njrat modiloader remcos revengerat wipelock
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1 (Detonation Overview, Signatures)

Analysis: behavioral28, behavioral1, behavioral4, behavioral8, behavioral10, behavioral19, behavioral20, behavioral21, behavioral12, behavioral13, behavioral16, behavioral5, behavioral9, behavioral15, behavioral18, behavioral14, behavioral26, behavioral29, behavioral31, behavioral7, behavioral24, behavioral32, behavioral2, behavioral6, behavioral17, behavioral22, behavioral3, behavioral30, behavioral11, behavioral23, behavioral25, behavioral27 (each with Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
10/10

SHA256

b7dd3bce3ebfbc2d5e3a9f00d47f27cb6a5895c4618c878e314e573a7c216df1

Threat Level: Known bad

The file The-MALWARE-Repo-master.zip was found to be: Known bad.

Malicious Activity Summary

Darkcomet family

ModiLoader First Stage

Revengerat family

Wipelock Android payload

Modiloader family

Dridex

Detects MyDoom family

Wipelock family

Njrat family

Remcos family

Process spawned unexpected child process

RevengeRat Executable

Danabot

Danabot x86 payload

Mydoom family

Adds new SSH keys

Office macro that triggers on suspicious action

Blocklisted process makes network request

Suspicious Office macro

ASPack v2.12-2.42

Deletes itself

Loads dropped DLL

UPX packed file

Declares broadcast receivers with permission to handle system events

Enumerates connected drives

Requests dangerous framework permissions

Abuse Elevation Control Mechanism: Sudo and Sudo Caching

Deletes log files

Enumerates running processes

Adds Run key to start application

Network Share Discovery

Declares services with permission to bind to the system

AutoIT Executable

Drops file in System32 directory

Checks CPU configuration

Reads CPU attributes

Reads runtime system information

System Location Discovery: System Language Discovery

Enumerates kernel/hardware configuration

Event Triggered Execution: Accessibility Features

Program crash

Unsigned PE

Writes file to tmp directory

NSIS installer

Checks processor information in registry

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: AddClipboardFormatListener

Suspicious use of WriteProcessMemory

Modifies registry class

Discovers systems in the same network

Enumerates system info in registry

Uses Task Scheduler COM API

Scheduled Task/Job: Scheduled Task

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-04 20:03

Signatures

Darkcomet family

darkcomet

Detects MyDoom family

Description Indicator Process Target
N/A N/A N/A N/A

ModiLoader First Stage

Description Indicator Process Target
N/A N/A N/A N/A

Modiloader family

modiloader

Mydoom family

mydoom

Njrat family

njrat

Remcos family

remcos

RevengeRat Executable

stealer
Description Indicator Process Target
N/A N/A N/A N/A

Revengerat family

revengerat

Wipelock Android payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Wipelock family

wipelock

Office macro that triggers on suspicious action

macro macro_on_action
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious Office macro

macro
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
(5 matches; no indicator details reported)

UPX packed file

upx
Description Indicator Process Target
(14 matches; no indicator details reported)

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by wallpaper services to bind with the system. Allows apps to provide live wallpapers. android.permission.BIND_WALLPAPER N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
(171 matches; no indicator details reported)

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-09-04 20:01

Reported

2024-09-04 20:10

Platform

ubuntu2204-amd64-20240611-en

Max time kernel

149s

Max time network

142s

Command Line

[/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/453468b86856665f2cc0e0e71668c0b6aac8b14326c623995ba5963f22257619]

Signatures

Adds new SSH keys

persistence privilege_escalation
Description Indicator Process Target
File opened for modification /root/.ssh/authorized_keys /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/453468b86856665f2cc0e0e71668c0b6aac8b14326c623995ba5963f22257619 N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Deletes log files

defense_evasion
Description Indicator Process Target
File deleted /var/log/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/453468b86856665f2cc0e0e71668c0b6aac8b14326c623995ba5963f22257619 /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/453468b86856665f2cc0e0e71668c0b6aac8b14326c623995ba5963f22257619 N/A

Enumerates running processes

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /usr/bin/cat N/A

Reads CPU attributes

discovery
Description Indicator Process Target
File opened for reading /sys/devices/system/cpu/online /usr/bin/free N/A (15 identical rows)
File opened for reading /sys/devices/system/cpu/online /usr/bin/uptime N/A (15 identical rows)

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/<pid>/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/453468b86856665f2cc0e0e71668c0b6aac8b14326c623995ba5963f22257619 N/A (23 rows, one per enumerated PID; <pid> stands for the PID in each row)
File opened for reading /proc/<pid>/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/453468b86856665f2cc0e0e71668c0b6aac8b14326c623995ba5963f22257619 N/A (24 rows, one per enumerated PID; <pid> stands for the PID in each row)
File opened for reading /proc/loadavg /usr/bin/uptime N/A (3 identical rows)
File opened for reading /proc/sys/kernel/osrelease /usr/bin/uptime N/A (2 identical rows)
File opened for reading /proc/self/auxv /usr/bin/uptime N/A (3 identical rows)
File opened for reading /proc/uptime /usr/bin/uptime N/A (2 identical rows)
File opened for reading /proc/meminfo /usr/bin/free N/A (3 identical rows)
File opened for reading /proc/sys/kernel/osrelease /usr/bin/free N/A (2 identical rows)
File opened for reading /proc/self/auxv /usr/bin/free N/A (2 identical rows)

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/nc /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/453468b86856665f2cc0e0e71668c0b6aac8b14326c623995ba5963f22257619 N/A

Processes

/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/453468b86856665f2cc0e0e71668c0b6aac8b14326c623995ba5963f22257619

[/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/453468b86856665f2cc0e0e71668c0b6aac8b14326c623995ba5963f22257619]

/usr/bin/uname

[uname -a]

/usr/bin/cat

[cat /proc/cpuinfo]

/usr/bin/cat

[cat /etc/issue]

/usr/bin/free

[free -m]

/usr/bin/uptime

[uptime]

/usr/bin/journalctl

[journalctl -S @0 -u sshd]

/usr/bin/cat

[cat /var/log/auth*]

/usr/bin/zcat

[zcat /var/log/auth*]

/usr/local/sbin/gzip

[gzip -cd /var/log/auth*]

/usr/local/bin/gzip

[gzip -cd /var/log/auth*]

/usr/sbin/gzip

[gzip -cd /var/log/auth*]

/usr/bin/gzip

[gzip -cd /var/log/auth*]

/usr/bin/free

[free -m] (repeated 14 more times, alternating with the uptime invocation below)

/usr/bin/uptime

[uptime] (repeated 14 more times)

Network

Country Destination Domain Proto
(66 connection rows omitted)

Files

/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/nc

MD5 682ac123d740321e6ba04d82e8cc4ed8
SHA1 088a8c8c2b7f9db92ec0ae39e1dc77c8707d3895
SHA256 453468b86856665f2cc0e0e71668c0b6aac8b14326c623995ba5963f22257619
SHA512 26ddc0a1b91337de2314465f82f3a02ec478f32708fa91b7cdf75fc235eda7b3cf7c495616145dc29fc081ac4398cab5aac0d42978ea694fa183518533fcf4ad

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-04 20:01

Reported

2024-09-04 20:10

Platform

win7-20240903-en

Max time kernel

119s

Max time network

125s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master.zip

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master.zip

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-09-04 20:01

Reported

2024-09-04 20:10

Platform

win10v2004-20240802-en

Max time kernel

144s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\DanaBot.exe"

Signatures

Danabot

trojan banker danabot

Danabot x86 payload

botnet
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\DanaBot.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\DanaBot.exe

"C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\DanaBot.exe"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\THE-MA~1\BANKIN~1\DanaBot.dll f1 C:\Users\Admin\AppData\Local\Temp\THE-MA~1\BANKIN~1\DanaBot.exe@4272

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4272 -ip 4272

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4272 -s 460

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\THE-MA~1\BANKIN~1\DanaBot.dll,f0

Network

Country Destination Domain Proto
(18 connection rows omitted)

Files

memory/4272-1-0x00000000027E0000-0x0000000002A65000-memory.dmp

memory/4272-2-0x0000000002A70000-0x0000000002CFD000-memory.dmp

memory/4272-3-0x0000000000400000-0x000000000069A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\THE-MA~1\BANKIN~1\DanaBot.dll

MD5 7e76f7a5c55a5bc5f5e2d7a9e886782b
SHA1 fc500153dba682e53776bef53123086f00c0e041
SHA256 abd75572f897cdda88cec22922d15b509ee8c840fa5894b0aecbef6de23908a3
SHA512 0318e0040f4dbf954f27fb10a69bce2248e785a31d855615a1eaf303a772ad51d47906a113605d7bfd3c2b2265bf83c61538f78b071f85ee3c4948f5cde3fb24

memory/5072-8-0x0000000002450000-0x00000000026BB000-memory.dmp

memory/5072-9-0x0000000000A90000-0x0000000000A91000-memory.dmp

memory/4272-11-0x0000000000400000-0x0000000000AAD000-memory.dmp

memory/4272-13-0x0000000000400000-0x000000000069A000-memory.dmp

memory/4272-12-0x0000000002A70000-0x0000000002CFD000-memory.dmp

memory/4864-14-0x0000000000400000-0x000000000066B000-memory.dmp

memory/4864-16-0x0000000000400000-0x000000000066B000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-09-04 20:01

Reported

2024-09-04 20:10

Platform

win10v2004-20240802-en

Max time kernel

145s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\DridexDroppedVBS.exe"

Signatures

Dridex

botnet dridex

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Network Share Discovery

discovery

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\DridexDroppedVBS.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\whoami.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A

Discovers systems in the same network

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\net.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\DridexDroppedVBS.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\DridexDroppedVBS.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\DridexDroppedVBS.exe

"C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\DridexDroppedVBS.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe "C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\DridexDroppedVBS.exe"

C:\Windows\SysWOW64\whoami.exe

C:\Windows\system32\whoami.exe /all

C:\Windows\SysWOW64\net.exe

C:\Windows\system32\net.exe view

Network

Country Destination Domain Proto

Files

Analysis: behavioral10

Detonation Overview

Submitted

2024-09-04 20:01

Reported

2024-09-04 20:10

Platform

win10v2004-20240802-en

Max time kernel

146s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\DridexLoader.bin.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Network Share Discovery

discovery

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\DridexLoader.bin.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\whoami.exe N/A

Discovers systems in the same network

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\net.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\DridexLoader.bin.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\DridexLoader.bin.exe

"C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\DridexLoader.bin.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe "C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\DridexLoader.bin.exe"

C:\Windows\SysWOW64\whoami.exe

C:\Windows\system32\whoami.exe /all

C:\Windows\SysWOW64\net.exe

C:\Windows\system32\net.exe view

Network

Country Destination Domain Proto

Files

Analysis: behavioral19

Detonation Overview

Submitted

2024-09-04 20:01

Reported

2024-09-04 20:10

Platform

win7-20240708-en

Max time kernel

118s

Max time network

126s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Zloader.xlsm

Signatures

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process N/A C:\Windows\SysWOW64\rundll32.exe C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\U: C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
File opened (read-only) \??\V: C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
File opened (read-only) \??\W: C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
File opened (read-only) \??\B: C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
File opened (read-only) \??\G: C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
File opened (read-only) \??\M: C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
File opened (read-only) \??\O: C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
File opened (read-only) \??\T: C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
File opened (read-only) \??\A: C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
File opened (read-only) \??\E: C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
File opened (read-only) \??\N: C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
File opened (read-only) \??\Y: C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
File opened (read-only) \??\Z: C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
File opened (read-only) \??\J: C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
File opened (read-only) \??\K: C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
File opened (read-only) \??\L: C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
File opened (read-only) \??\P: C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
File opened (read-only) \??\R: C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
File opened (read-only) \??\H: C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
File opened (read-only) \??\I: C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
File opened (read-only) \??\Q: C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
File opened (read-only) \??\S: C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
File opened (read-only) \??\X: C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Zloader.xlsm

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\nxTgTGh\ECeMdPT\EnVYsVZ.dll,DllRegisterServer

Network

Country Destination Domain Proto
US 8.8.8.8:53 erpoweredent.at udp

Files

Analysis: behavioral20

Detonation Overview

Submitted

2024-09-04 20:01

Reported

2024-09-04 20:10

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Zloader.xlsm"

Signatures

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process N/A C:\Windows\System32\rundll32.exe C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\X: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
File opened (read-only) \??\B: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
File opened (read-only) \??\H: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
File opened (read-only) \??\N: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
File opened (read-only) \??\Q: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
File opened (read-only) \??\U: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
File opened (read-only) \??\V: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
File opened (read-only) \??\W: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
File opened (read-only) \??\Z: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
File opened (read-only) \??\E: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
File opened (read-only) \??\L: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
File opened (read-only) \??\O: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
File opened (read-only) \??\A: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
File opened (read-only) \??\J: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
File opened (read-only) \??\T: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
File opened (read-only) \??\M: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
File opened (read-only) \??\P: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
File opened (read-only) \??\R: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
File opened (read-only) \??\S: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
File opened (read-only) \??\Y: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
File opened (read-only) \??\G: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
File opened (read-only) \??\I: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
File opened (read-only) \??\K: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1820 wrote to memory of 1704 N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE C:\Windows\System32\rundll32.exe

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Zloader.xlsm"

C:\Windows\System32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\nxTgTGh\ECeMdPT\EnVYsVZ.dll,DllRegisterServer

Network

Country Destination Domain Proto

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

MD5 06af2cee6bd761b25777e228372add1b
SHA1 8c4684d5d3f532b8aa1dc077d82edb13319ad78f
SHA256 aab41c2f639a632dcc5534407d2300b756ea588dcbb6c7bed1738488e359c5c4
SHA512 2d90db706dbb4ec9b355b9ce99121e3cb8cca833a919e6f75e0c6cdb3d6f1fd1886a52ebeddfd6ff961181b12cdb38e1bd684edc90effb8f1f256d5d996426d9

Analysis: behavioral21

Detonation Overview

Submitted

2024-09-04 20:01

Reported

2024-09-04 20:10

Platform

ubuntu2404-amd64-20240729-en

Max time kernel

149s

Max time network

152s

Command Line

[/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/001eb377f0452060012124cb214f658754c7488ccb82e23ec56b2f45a636c859]

Signatures

Adds new SSH keys

persistence privilege_escalation
Description Indicator Process Target
File opened for modification /root/.ssh/authorized_keys /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/001eb377f0452060012124cb214f658754c7488ccb82e23ec56b2f45a636c859 N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Deletes log files

defense_evasion
Description Indicator Process Target
File deleted /var/log/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/001eb377f0452060012124cb214f658754c7488ccb82e23ec56b2f45a636c859 /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/001eb377f0452060012124cb214f658754c7488ccb82e23ec56b2f45a636c859 N/A

Enumerates running processes

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /usr/bin/cat N/A

Enumerates kernel/hardware configuration

discovery
Description Indicator Process Target
File opened for reading /sys/kernel/mm/transparent_hugepage/hpage_pmd_size /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/001eb377f0452060012124cb214f658754c7488ccb82e23ec56b2f45a636c859 N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/510/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/001eb377f0452060012124cb214f658754c7488ccb82e23ec56b2f45a636c859 N/A
File opened for reading /proc/loadavg /usr/bin/uptime N/A
File opened for reading /proc/1947/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/001eb377f0452060012124cb214f658754c7488ccb82e23ec56b2f45a636c859 N/A
File opened for reading /proc/194/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/001eb377f0452060012124cb214f658754c7488ccb82e23ec56b2f45a636c859 N/A
File opened for reading /proc/50/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/001eb377f0452060012124cb214f658754c7488ccb82e23ec56b2f45a636c859 N/A
File opened for reading /proc/2/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/001eb377f0452060012124cb214f658754c7488ccb82e23ec56b2f45a636c859 N/A
File opened for reading /proc/38/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/001eb377f0452060012124cb214f658754c7488ccb82e23ec56b2f45a636c859 N/A
File opened for reading /proc/13/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/001eb377f0452060012124cb214f658754c7488ccb82e23ec56b2f45a636c859 N/A
File opened for reading /proc/1865/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/001eb377f0452060012124cb214f658754c7488ccb82e23ec56b2f45a636c859 N/A
File opened for reading /proc/2189/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/001eb377f0452060012124cb214f658754c7488ccb82e23ec56b2f45a636c859 N/A
File opened for reading /proc/274/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/001eb377f0452060012124cb214f658754c7488ccb82e23ec56b2f45a636c859 N/A
File opened for reading /proc/867/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/001eb377f0452060012124cb214f658754c7488ccb82e23ec56b2f45a636c859 N/A
File opened for reading /proc/1941/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/001eb377f0452060012124cb214f658754c7488ccb82e23ec56b2f45a636c859 N/A
File opened for reading /proc/797/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/001eb377f0452060012124cb214f658754c7488ccb82e23ec56b2f45a636c859 N/A
File opened for reading /proc/13/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/001eb377f0452060012124cb214f658754c7488ccb82e23ec56b2f45a636c859 N/A
File opened for reading /proc/432/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/001eb377f0452060012124cb214f658754c7488ccb82e23ec56b2f45a636c859 N/A
File opened for reading /proc/meminfo /usr/bin/free N/A
File opened for reading /proc/48/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/001eb377f0452060012124cb214f658754c7488ccb82e23ec56b2f45a636c859 N/A
File opened for reading /proc/1691/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/001eb377f0452060012124cb214f658754c7488ccb82e23ec56b2f45a636c859 N/A
File opened for reading /proc/55/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/001eb377f0452060012124cb214f658754c7488ccb82e23ec56b2f45a636c859 N/A
File opened for reading /proc/8/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/001eb377f0452060012124cb214f658754c7488ccb82e23ec56b2f45a636c859 N/A
File opened for reading /proc/1095/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/001eb377f0452060012124cb214f658754c7488ccb82e23ec56b2f45a636c859 N/A
File opened for reading /proc/1886/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/001eb377f0452060012124cb214f658754c7488ccb82e23ec56b2f45a636c859 N/A
File opened for reading /proc/2039/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/001eb377f0452060012124cb214f658754c7488ccb82e23ec56b2f45a636c859 N/A
File opened for reading /proc/36/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/001eb377f0452060012124cb214f658754c7488ccb82e23ec56b2f45a636c859 N/A
File opened for reading /proc/457/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/001eb377f0452060012124cb214f658754c7488ccb82e23ec56b2f45a636c859 N/A
File opened for reading /proc/1862/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/001eb377f0452060012124cb214f658754c7488ccb82e23ec56b2f45a636c859 N/A
File opened for reading /proc/2495/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/001eb377f0452060012124cb214f658754c7488ccb82e23ec56b2f45a636c859 N/A
File opened for reading /proc/1886/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/001eb377f0452060012124cb214f658754c7488ccb82e23ec56b2f45a636c859 N/A
File opened for reading /proc/48/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/001eb377f0452060012124cb214f658754c7488ccb82e23ec56b2f45a636c859 N/A
File opened for reading /proc/63/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/001eb377f0452060012124cb214f658754c7488ccb82e23ec56b2f45a636c859 N/A
File opened for reading /proc/69/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/001eb377f0452060012124cb214f658754c7488ccb82e23ec56b2f45a636c859 N/A
File opened for reading /proc/2480/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/001eb377f0452060012124cb214f658754c7488ccb82e23ec56b2f45a636c859 N/A
File opened for reading /proc/50/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/001eb377f0452060012124cb214f658754c7488ccb82e23ec56b2f45a636c859 N/A
File opened for reading /proc/uptime /usr/bin/uptime N/A
File opened for reading /proc/1914/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/001eb377f0452060012124cb214f658754c7488ccb82e23ec56b2f45a636c859 N/A
File opened for reading /proc/37/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/001eb377f0452060012124cb214f658754c7488ccb82e23ec56b2f45a636c859 N/A
File opened for reading /proc/1416/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/001eb377f0452060012124cb214f658754c7488ccb82e23ec56b2f45a636c859 N/A
File opened for reading /proc/1704/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/001eb377f0452060012124cb214f658754c7488ccb82e23ec56b2f45a636c859 N/A
File opened for reading /proc/15/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/001eb377f0452060012124cb214f658754c7488ccb82e23ec56b2f45a636c859 N/A
File opened for reading /proc/511/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/001eb377f0452060012124cb214f658754c7488ccb82e23ec56b2f45a636c859 N/A
File opened for reading /proc/1887/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/001eb377f0452060012124cb214f658754c7488ccb82e23ec56b2f45a636c859 N/A
File opened for reading /proc/587/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/001eb377f0452060012124cb214f658754c7488ccb82e23ec56b2f45a636c859 N/A
File opened for reading /proc/56/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/001eb377f0452060012124cb214f658754c7488ccb82e23ec56b2f45a636c859 N/A
File opened for reading /proc/275/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/001eb377f0452060012124cb214f658754c7488ccb82e23ec56b2f45a636c859 N/A
File opened for reading /proc/30/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/001eb377f0452060012124cb214f658754c7488ccb82e23ec56b2f45a636c859 N/A
File opened for reading /proc/1050/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/001eb377f0452060012124cb214f658754c7488ccb82e23ec56b2f45a636c859 N/A
File opened for reading /proc/192/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/001eb377f0452060012124cb214f658754c7488ccb82e23ec56b2f45a636c859 N/A
File opened for reading /proc/53/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/001eb377f0452060012124cb214f658754c7488ccb82e23ec56b2f45a636c859 N/A
File opened for reading /proc/2202/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/001eb377f0452060012124cb214f658754c7488ccb82e23ec56b2f45a636c859 N/A
File opened for reading /proc/390/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/001eb377f0452060012124cb214f658754c7488ccb82e23ec56b2f45a636c859 N/A
File opened for reading /proc/1060/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/001eb377f0452060012124cb214f658754c7488ccb82e23ec56b2f45a636c859 N/A
File opened for reading /proc/1/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/001eb377f0452060012124cb214f658754c7488ccb82e23ec56b2f45a636c859 N/A
File opened for reading /proc/2121/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/001eb377f0452060012124cb214f658754c7488ccb82e23ec56b2f45a636c859 N/A
File opened for reading /proc/30/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/001eb377f0452060012124cb214f658754c7488ccb82e23ec56b2f45a636c859 N/A
File opened for reading /proc/12/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/001eb377f0452060012124cb214f658754c7488ccb82e23ec56b2f45a636c859 N/A
File opened for reading /proc/1778/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/001eb377f0452060012124cb214f658754c7488ccb82e23ec56b2f45a636c859 N/A
File opened for reading /proc/200/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/001eb377f0452060012124cb214f658754c7488ccb82e23ec56b2f45a636c859 N/A
File opened for reading /proc/26/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/001eb377f0452060012124cb214f658754c7488ccb82e23ec56b2f45a636c859 N/A
File opened for reading /proc/1268/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/001eb377f0452060012124cb214f658754c7488ccb82e23ec56b2f45a636c859 N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/nc /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/001eb377f0452060012124cb214f658754c7488ccb82e23ec56b2f45a636c859 N/A

Processes

/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/001eb377f0452060012124cb214f658754c7488ccb82e23ec56b2f45a636c859

[/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/001eb377f0452060012124cb214f658754c7488ccb82e23ec56b2f45a636c859]

/usr/bin/uname

[uname -a]

/usr/bin/cat

[cat /proc/cpuinfo]

/usr/bin/cat

[cat /etc/issue]

/usr/bin/free

[free -m]

/usr/bin/uptime

[uptime]

/usr/bin/journalctl

[journalctl -S @0 -u sshd]

/usr/bin/cat

[cat /var/log/auth*]

/usr/bin/zcat

[zcat /var/log/auth*]

/usr/local/sbin/gzip

[gzip -cd /var/log/auth*]

/usr/local/bin/gzip

[gzip -cd /var/log/auth*]

/usr/sbin/gzip

[gzip -cd /var/log/auth*]

/usr/bin/gzip

[gzip -cd /var/log/auth*]

/usr/bin/free

[free -m]

/usr/bin/uptime

[uptime]

/usr/bin/free

[free -m]

/usr/bin/uptime

[uptime]

/usr/bin/free

[free -m]

/usr/bin/uptime

[uptime]

/usr/bin/free

[free -m]

/usr/bin/uptime

[uptime]

/usr/bin/free

[free -m]

/usr/bin/uptime

[uptime]

/usr/bin/free

[free -m]

/usr/bin/uptime

[uptime]

/usr/bin/free

[free -m]

/usr/bin/uptime

[uptime]

/usr/bin/free

[free -m]

/usr/bin/uptime

[uptime]

/usr/bin/free

[free -m]

/usr/bin/uptime

[uptime]

/usr/bin/free

[free -m]

/usr/bin/uptime

[uptime]

/usr/bin/free

[free -m]

/usr/bin/uptime

[uptime]

/usr/bin/free

[free -m]

/usr/bin/uptime

[uptime]

/usr/bin/free

[free -m]

/usr/bin/uptime

[uptime]

/usr/bin/free

[free -m]

/usr/bin/uptime

[uptime]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
RU 94.180.26.200:22 tcp
US 3.141.92.202:2222 tcp
US 167.89.181.31:22 tcp
US 68.188.220.208:2222 tcp
GB 93.177.74.172:2222 tcp
US 96.72.248.64:2222 tcp
CA 70.83.141.238:2222 tcp
US 73.30.103.77:22 tcp
US 72.197.89.217:2222 tcp
US 28.229.236.149:2222 tcp
IN 103.60.177.93:2222 tcp
US 29.118.66.109:22 tcp
JP 160.240.226.218:2222 tcp
US 21.90.146.204:2222 tcp
TR 178.244.82.63:22 tcp
US 68.188.220.208:22 tcp
IN 103.60.177.93:22 tcp
KR 223.50.55.34:22 tcp
JP 54.240.188.22:2222 tcp
NL 145.186.39.35:22 tcp
IE 20.223.63.3:22 tcp
CA 142.238.202.103:2222 tcp
US 22.96.142.202:2222 tcp
FR 82.234.165.150:22 tcp
MX 187.204.198.112:2222 tcp
US 22.96.142.202:22 tcp
FR 82.234.165.150:2222 tcp
JP 219.103.63.119:22 tcp
ID 39.242.73.136:2222 tcp
DE 52.29.158.120:2222 tcp
DE 84.190.50.223:2222 tcp
NL 145.186.39.35:2222 tcp
KR 218.50.99.233:2222 tcp
ID 39.242.73.136:22 tcp
US 73.251.246.223:22 tcp
DE 129.70.48.162:22 tcp
DE 53.122.36.223:2222 tcp
DE 53.82.23.113:2222 tcp
DE 37.138.162.78:22 tcp
FR 92.204.227.14:22 tcp
GR 2.85.161.131:2222 tcp
US 136.120.47.143:22 tcp
IR 2.144.125.232:2222 tcp
US 136.120.47.143:2222 tcp
IN 115.96.130.130:22 tcp
BR 177.39.140.144:2222 tcp
US 29.118.66.109:2222 tcp
JP 153.212.182.186:22 tcp
US 22.217.186.31:22 tcp
GR 150.140.43.129:2222 tcp
DE 52.29.158.120:22 tcp
US 96.72.248.64:22 tcp
US 73.251.246.223:2222 tcp
GB 25.66.4.68:22 tcp
US 207.222.246.174:2222 tcp
US 174.234.205.100:2222 tcp
BR 177.39.140.144:22 tcp
UZ 82.215.89.207:2222 tcp
TR 178.244.82.63:2222 tcp
DE 37.138.162.78:2222 tcp
CN 112.131.136.161:2222 tcp
US 9.170.111.138:22 tcp
GB 93.177.74.172:22 tcp
TH 171.102.23.241:2222 tcp
AE 5.31.218.224:22 tcp
US 167.89.181.31:2222 tcp
N/A 242.64.39.174:22 tcp
CA 142.238.202.103:22 tcp
N/A 246.253.59.47:22 tcp
KE 105.54.230.6:22 tcp
GR 150.140.43.129:22 tcp
JP 54.240.188.22:22 tcp
US 54.191.52.121:2222 tcp
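
The process list and network table above together describe an SSH worm: the sample copies itself to `nc`, mines the host's own SSH history (`journalctl -u sshd`, `cat`/`zcat`/`gzip -cd` over `/var/log/auth*`) for reachable peers, then fans out to dozens of hosts on 22 and 2222. The checks below are an added example, not part of the sandbox report: the input rows are a hand-built subset of this detonation's tables plus a few constructed benign rows (the mDNS, TEST-NET HTTPS and cron entries), and the fan-out threshold is an assumed value, not a tuned one.

```python
"""Hunting checks for SSH-worm behaviour of the kind recorded in the
FritzFrog detonation: outbound SSH fan-out, harvesting of sshd login
history by a binary running from /tmp, and a dropped file that is a copy
of the running sample. Added example; thresholds are assumptions."""
import re
from collections import defaultdict

SSH_PORTS = {22, 2222}
# Command lines the sample used to read prior SSH logins for new targets.
AUTH_LOG_PATTERNS = [
    re.compile(r"^journalctl\b.*-u\s+sshd"),
    re.compile(r"^(cat|zcat|gzip\s+-cd)\s+/var/log/auth"),
]
UNTRUSTED_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")


def ssh_fanout(conns, threshold=10):
    """Summarise outbound SSH scanning.

    conns: iterable of (dst_ip, dst_port, proto). Returns the number of
    distinct hosts contacted on an SSH port, how many were probed on both
    22 and 2222 (the worm tries both), and a flag once the host count
    reaches `threshold` (assumed; a host rarely opens SSH to that many
    peers in one detonation window).
    """
    ports_by_host = defaultdict(set)
    for ip, port, proto in conns:
        if proto == "tcp" and port in SSH_PORTS:
            ports_by_host[ip].add(port)
    both = sum(1 for ports in ports_by_host.values() if ports == SSH_PORTS)
    return {
        "distinct_hosts": len(ports_by_host),
        "both_ports": both,
        "flag": len(ports_by_host) >= threshold,
    }


def auth_log_harvesting(procs):
    """Return command lines that read sshd history and whose parent
    executes from an untrusted directory. procs: (parent_exe, cmdline)."""
    hits = []
    for parent, cmd in procs:
        if parent.startswith(UNTRUSTED_DIRS) and any(
            p.search(cmd) for p in AUTH_LOG_PATTERNS
        ):
            hits.append(cmd)
    return hits


def self_copies(dropped, sample_sha256):
    """Dropped files whose SHA-256 equals the running sample, i.e. the worm
    staging a copy of itself under another name ('nc' in the report).
    dropped: (path, sha256)."""
    return [path for path, sha in dropped if sha.lower() == sample_sha256.lower()]


# --- constructed sample data: subset of the report plus benign rows ---
SAMPLE = "001eb377f0452060012124cb214f658754c7488ccb82e23ec56b2f45a636c859"
CONNS = [
    ("224.0.0.251", 5353, "udp"),                                     # mDNS, benign
    ("94.180.26.200", 22, "tcp"), ("3.141.92.202", 2222, "tcp"),
    ("167.89.181.31", 22, "tcp"), ("167.89.181.31", 2222, "tcp"),
    ("68.188.220.208", 2222, "tcp"), ("68.188.220.208", 22, "tcp"),
    ("93.177.74.172", 2222, "tcp"), ("93.177.74.172", 22, "tcp"),
    ("96.72.248.64", 2222, "tcp"), ("96.72.248.64", 22, "tcp"),
    ("70.83.141.238", 2222, "tcp"), ("73.30.103.77", 22, "tcp"),
    ("103.60.177.93", 2222, "tcp"), ("103.60.177.93", 22, "tcp"),
    ("178.244.82.63", 22, "tcp"), ("178.244.82.63", 2222, "tcp"),
    ("192.0.2.10", 443, "tcp"),                                       # constructed HTTPS row, not SSH
]
PARENT = "/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/" + SAMPLE
PROCS = [
    (PARENT, "uname -a"),
    (PARENT, "cat /proc/cpuinfo"),
    (PARENT, "journalctl -S @0 -u sshd"),
    (PARENT, "cat /var/log/auth*"),
    (PARENT, "zcat /var/log/auth*"),
    (PARENT, "gzip -cd /var/log/auth*"),
    ("/usr/sbin/cron", "journalctl -u sshd --since yesterday"),       # constructed benign admin job
]
DROPPED = [
    ("/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/nc", SAMPLE),
    ("/tmp/build.log", "0" * 64),                                     # constructed benign file
]

if __name__ == "__main__":
    print(ssh_fanout(CONNS))
    print(auth_log_harvesting(PROCS))
    print(self_copies(DROPPED, SAMPLE))
```

The self-copy check matters because the `nc` entry in the Files section carries the same SHA-256 as the executing binary, so a hash-based block on the sample also catches the staged copy.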

Files

/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/nc

MD5 799c965e0a5a132ec2263d5fea0b0e1c
SHA1 a15c5a706122fabdef1989c893c72c6530fedcb4
SHA256 001eb377f0452060012124cb214f658754c7488ccb82e23ec56b2f45a636c859
SHA512 6c481a855ee6f81dd388c8a4623e519bfbb9f496dada93672360f0a7476fb2b32fd261324156fd4729cef3cbe13f0a8b5862fe47b6db1860d0d67a77283b5ad8

Analysis: behavioral12

Detonation Overview

Submitted

2024-09-04 20:01

Reported

2024-09-04 20:10

Platform

win10v2004-20240802-en

Max time kernel

145s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\Trojan.Dridex.A.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Network Share Discovery

discovery

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\Trojan.Dridex.A.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\whoami.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A

Discovers systems in the same network

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\net.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\Trojan.Dridex.A.exe

"C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\Trojan.Dridex.A.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe "C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\Trojan.Dridex.A.exe"

C:\Windows\SysWOW64\whoami.exe

C:\Windows\system32\whoami.exe /all

C:\Windows\SysWOW64\net.exe

C:\Windows\system32\net.exe view

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
BG 91.92.136.107:443 tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 71.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
NL 52.111.243.31:443 tcp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

memory/4912-0-0x00000000007F0000-0x00000000007F6000-memory.dmp

memory/4912-1-0x0000000000760000-0x0000000000782000-memory.dmp

memory/2672-2-0x0000000002B80000-0x0000000002B81000-memory.dmp

memory/2672-4-0x0000000075912000-0x0000000075913000-memory.dmp

memory/4912-5-0x0000000000760000-0x0000000000782000-memory.dmp

memory/2672-12-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2672-8-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2672-7-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2672-6-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2672-18-0x00000000758C0000-0x00000000759B0000-memory.dmp

memory/2672-13-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2672-11-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2672-10-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2672-9-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2672-26-0x00000000758C0000-0x00000000759B0000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted

2024-09-04 20:01

Reported

2024-09-04 20:10

Platform

win7-20240708-en

Max time kernel

120s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\Trojan.Dridex.A.exe"

Signatures

Dridex

botnet dridex

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Network Share Discovery

discovery

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\whoami.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\Trojan.Dridex.A.exe N/A

Discovers systems in the same network

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\net.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\Trojan.Dridex.A.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2860 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\Trojan.Dridex.A.exe C:\Windows\SysWOW64\svchost.exe
PID 2860 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\Trojan.Dridex.A.exe C:\Windows\SysWOW64\svchost.exe
PID 2860 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\Trojan.Dridex.A.exe C:\Windows\SysWOW64\svchost.exe
PID 2860 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\Trojan.Dridex.A.exe C:\Windows\SysWOW64\svchost.exe
PID 2860 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\Trojan.Dridex.A.exe C:\Windows\SysWOW64\svchost.exe
PID 1744 wrote to memory of 2848 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\whoami.exe
PID 1744 wrote to memory of 2848 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\whoami.exe
PID 1744 wrote to memory of 2848 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\whoami.exe
PID 1744 wrote to memory of 2848 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\whoami.exe
PID 1744 wrote to memory of 2864 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\net.exe
PID 1744 wrote to memory of 2864 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\net.exe
PID 1744 wrote to memory of 2864 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\net.exe
PID 1744 wrote to memory of 2864 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\net.exe

Processes

C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\Trojan.Dridex.A.exe

"C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\Trojan.Dridex.A.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe "C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\Trojan.Dridex.A.exe"

C:\Windows\SysWOW64\whoami.exe

C:\Windows\system32\whoami.exe /all

C:\Windows\SysWOW64\net.exe

C:\Windows\system32\net.exe view

Network

Country Destination Domain Proto
FR 37.187.54.76:443 tcp
FR 37.187.54.76:443 tcp

Files

memory/2860-0-0x0000000002560000-0x000000000258F000-memory.dmp

memory/2860-1-0x0000000000140000-0x0000000000146000-memory.dmp

memory/1744-2-0x00000000000C0000-0x00000000000C1000-memory.dmp

memory/1744-3-0x0000000075899000-0x000000007589A000-memory.dmp

memory/2860-5-0x0000000002560000-0x000000000258F000-memory.dmp

memory/1744-6-0x0000000003000000-0x000000000302F000-memory.dmp

memory/1744-12-0x0000000003000000-0x000000000302F000-memory.dmp

memory/1744-11-0x0000000003000000-0x000000000302F000-memory.dmp

memory/1744-10-0x0000000003000000-0x000000000302F000-memory.dmp

memory/1744-9-0x0000000003000000-0x000000000302F000-memory.dmp

memory/1744-8-0x0000000003000000-0x000000000302F000-memory.dmp

memory/1744-7-0x0000000003000000-0x000000000302F000-memory.dmp

memory/1744-17-0x0000000075810000-0x0000000075920000-memory.dmp

memory/1744-26-0x0000000075810000-0x0000000075920000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted

2024-09-04 20:01

Reported

2024-09-04 20:10

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

160s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\Trojan.Dridex.A.dll,#1

Signatures

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vfaxdafbicozcso = "\"C:\\Users\\Admin\\AppData\\Roaming\\3TtfmAT\\RecoveryDrive.exe\"" N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\Iyx1\wbengine.exe C:\Windows\System32\cmd.exe N/A
File created C:\Windows\system32\Iyx1\wbengine.exe C:\Windows\System32\cmd.exe N/A

Modifies registry class

Description Indicator Process Target
Key deleted \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\ms-settings N/A N/A
Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\ms-settings\shell\open N/A N/A
Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\ms-settings N/A N/A
Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\ms-settings\shell N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\cmd.exe /c C:\\Users\\Admin\\AppData\\Local\\Temp\\OrMao4j.cmd" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\ms-settings\shell\open\command\DelegateExecute N/A N/A
Key deleted \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\ms-settings\shell\open\command N/A N/A
Key deleted \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\ms-settings\shell\open N/A N/A
Key deleted \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\ms-settings\shell N/A N/A
Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\ms-settings\shell\open\command N/A N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3436 wrote to memory of 4764 N/A N/A C:\Windows\system32\RecoveryDrive.exe
PID 3436 wrote to memory of 4764 N/A N/A C:\Windows\system32\RecoveryDrive.exe
PID 3436 wrote to memory of 1112 N/A N/A C:\Windows\System32\cmd.exe
PID 3436 wrote to memory of 1112 N/A N/A C:\Windows\System32\cmd.exe
PID 3436 wrote to memory of 3408 N/A N/A C:\Windows\system32\wbengine.exe
PID 3436 wrote to memory of 3408 N/A N/A C:\Windows\system32\wbengine.exe
PID 3436 wrote to memory of 4700 N/A N/A C:\Windows\System32\cmd.exe
PID 3436 wrote to memory of 4700 N/A N/A C:\Windows\System32\cmd.exe
PID 3436 wrote to memory of 2296 N/A N/A C:\Windows\System32\fodhelper.exe
PID 3436 wrote to memory of 2296 N/A N/A C:\Windows\System32\fodhelper.exe
PID 2296 wrote to memory of 4920 N/A C:\Windows\System32\fodhelper.exe C:\Windows\system32\cmd.exe
PID 2296 wrote to memory of 4920 N/A C:\Windows\System32\fodhelper.exe C:\Windows\system32\cmd.exe
PID 4920 wrote to memory of 4964 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 4920 wrote to memory of 4964 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 3436 wrote to memory of 656 N/A N/A C:\Windows\System32\cmd.exe
PID 3436 wrote to memory of 656 N/A N/A C:\Windows\System32\cmd.exe
PID 656 wrote to memory of 1476 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 656 wrote to memory of 1476 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 3436 wrote to memory of 4692 N/A N/A C:\Windows\System32\cmd.exe
PID 3436 wrote to memory of 4692 N/A N/A C:\Windows\System32\cmd.exe
PID 4692 wrote to memory of 4132 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 4692 wrote to memory of 4132 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 3436 wrote to memory of 2728 N/A N/A C:\Windows\System32\cmd.exe
PID 3436 wrote to memory of 2728 N/A N/A C:\Windows\System32\cmd.exe
PID 2728 wrote to memory of 540 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2728 wrote to memory of 540 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 3436 wrote to memory of 740 N/A N/A C:\Windows\System32\cmd.exe
PID 3436 wrote to memory of 740 N/A N/A C:\Windows\System32\cmd.exe
PID 740 wrote to memory of 2736 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 740 wrote to memory of 2736 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 3436 wrote to memory of 4628 N/A N/A C:\Windows\System32\cmd.exe
PID 3436 wrote to memory of 4628 N/A N/A C:\Windows\System32\cmd.exe
PID 4628 wrote to memory of 4836 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 4628 wrote to memory of 4836 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 3436 wrote to memory of 4964 N/A N/A C:\Windows\System32\cmd.exe
PID 3436 wrote to memory of 4964 N/A N/A C:\Windows\System32\cmd.exe
PID 4964 wrote to memory of 1968 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 4964 wrote to memory of 1968 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\Trojan.Dridex.A.dll,#1

C:\Windows\system32\RecoveryDrive.exe

C:\Windows\system32\RecoveryDrive.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\Mczz4p.cmd

C:\Windows\system32\wbengine.exe

C:\Windows\system32\wbengine.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\h7uFo2.cmd

C:\Windows\System32\fodhelper.exe

"C:\Windows\System32\fodhelper.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\OrMao4j.cmd

C:\Windows\system32\schtasks.exe

schtasks.exe /Create /F /TN "Qdvojli" /TR C:\Windows\system32\Iyx1\wbengine.exe /SC minute /MO 60 /RL highest

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Qdvojli"

C:\Windows\system32\schtasks.exe

schtasks.exe /Query /TN "Qdvojli"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Qdvojli"

C:\Windows\system32\schtasks.exe

schtasks.exe /Query /TN "Qdvojli"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Qdvojli"

C:\Windows\system32\schtasks.exe

schtasks.exe /Query /TN "Qdvojli"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Qdvojli"

C:\Windows\system32\schtasks.exe

schtasks.exe /Query /TN "Qdvojli"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Qdvojli"

C:\Windows\system32\schtasks.exe

schtasks.exe /Query /TN "Qdvojli"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Qdvojli"

C:\Windows\system32\schtasks.exe

schtasks.exe /Query /TN "Qdvojli"

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp

Files

memory/4184-0-0x00007FFE66420000-0x00007FFE664BD000-memory.dmp

memory/4184-2-0x00000210E82F0000-0x00000210E82F7000-memory.dmp

memory/3436-3-0x00007FFE7399A000-0x00007FFE7399B000-memory.dmp

memory/3436-4-0x0000000002C00000-0x0000000002C01000-memory.dmp

memory/4184-6-0x00007FFE66420000-0x00007FFE664BD000-memory.dmp

memory/3436-12-0x0000000140000000-0x000000014009D000-memory.dmp

memory/3436-20-0x0000000140000000-0x000000014009D000-memory.dmp

memory/3436-22-0x00007FFE75000000-0x00007FFE75010000-memory.dmp

memory/3436-21-0x0000000001240000-0x0000000001247000-memory.dmp

memory/3436-14-0x0000000140000000-0x000000014009D000-memory.dmp

memory/3436-13-0x0000000140000000-0x000000014009D000-memory.dmp

memory/3436-11-0x0000000140000000-0x000000014009D000-memory.dmp

memory/3436-10-0x0000000140000000-0x000000014009D000-memory.dmp

memory/3436-33-0x0000000140000000-0x000000014009D000-memory.dmp

memory/3436-31-0x0000000140000000-0x000000014009D000-memory.dmp

memory/3436-9-0x0000000140000000-0x000000014009D000-memory.dmp

memory/3436-8-0x0000000140000000-0x000000014009D000-memory.dmp

memory/3436-7-0x0000000140000000-0x000000014009D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Mczz4p.cmd

MD5 a27a2a0effc1711a81c28371d74fa60b
SHA1 ab074ec19eac2c5a0b44df05ea92dd003c621155
SHA256 8be40d27ff168c9a0cd6927285139262e713778568e7e341c1a7556819d2bb89
SHA512 4d04bb6428f0b0e1614b96af2123a77ea1748f89cf388f18b2fe957539a1ef27c5c163b6706c868706bd4573fe8a2817a8ac93bf936bbf6357950aa0798f2825

C:\Users\Admin\AppData\Local\Temp\j952.tmp

MD5 639a8a082e6284fbc68dfdc77ea44427
SHA1 98aee8f25c24c16639dab573d9d3411e579c257e
SHA256 9c6bd4fd6cb4fb3958fd55434ad6fc93f16220fa934a424b8d4646bcb3ed72e0
SHA512 603a3ce9386d0e2d64c7b62bce6a980d21898ec915543f9444b69bcaf3ee1fc95b1fb24817dab99a3c5db916493dc06781e7f48ef1a2ccad080c473087c27178

C:\Users\Admin\AppData\Roaming\3TtfmAT\RecoveryDrive.exe

MD5 b9b3dc6f2eb89e41ff27400952602c74
SHA1 24ae07e0db3ace0809d08bbd039db3a9d533e81b
SHA256 630518cb2e4636f889d12c98fb2e6be4e579c5eeb86f88695d3f7fff3f5515c4
SHA512 7906954b881f1051a0c7f098e096bc28eddcc48643b8bf3134dd57b8c18d8beba4f9a0ac5d348de2f9b8ea607c3e9cb0e61d91e4f3ba1fefb02839f928e3e3fe

C:\Users\Admin\AppData\Local\Temp\h7uFo2.cmd

MD5 054700d42bbf1d1442986c38395e647e
SHA1 ad21a5350b20e54bf45971ed3f8db7c65859cbf6
SHA256 b0fc161ff520232624b2b6200302edf179ba6fdf1c21a25aa8da594b91c5ad15
SHA512 7183c226784fdcd74034b33d9139a644fcd079f6bbfda10aa21a1a691b5d9c01110da64f297665b4f44b62dd43c4b6a0b5d8200bc4eff3f29373ff3304dbb0f9

C:\Users\Admin\AppData\Local\Temp\E31CA.tmp

MD5 45c99a94f559f9e4a93b6096043890bb
SHA1 f3e02bebfb0cdf6aac2a6782acce6931b4c6287c
SHA256 3efce7e77209052b0159588f3e94b41fd34d9199fceff08a0c88dc2d3e2e17e9
SHA512 94fad758b4ea970ba1e8b54e2d0748832009d0d9cff20516883a37e90927787f64b4970c4997a3266e9a820479bc004f19c0d6b696a706791f5ef371a02425e9

C:\Users\Admin\AppData\Local\Temp\OrMao4j.cmd

MD5 6b80f661b41e8d91f465957eda7c0531
SHA1 9656d53bbb9ba2cadf3b573ef0b2e19e7a4a3230
SHA256 0a19c109cab4c5739512a668b7c613ec0d0ab8c40326653bbdec33dbc9bdb612
SHA512 90b8a22f33a22b26350399bf2f8e39eb1586ed857cc4632afbbeb33c0ccb0d19d575697b4359701096bc1228aef45d5c261fdb863a78213b9012ee7b2be35ab3

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Vfaxdafbicozcso.lnk

MD5 64f66e448f32bd08d6b7a307d13fcfea
SHA1 f532d318d4685258843f1cb303d54ab77d508821
SHA256 19829b251eb4d007f60442a1e40a4ec53425476eee35ebfaea814445fa643a8d
SHA512 c575d459759fa95cbcf5b0a9eed7bb0f65a6bab12910c24867f40d6371f1733330bd253112c9dd6aeab2da57e21d343fa4d41985fca3148fad6009260f1eb978

Analysis: behavioral5

Detonation Overview

Submitted

2024-09-04 20:01

Reported

2024-09-04 20:10

Platform

win7-20240903-en

Max time kernel

119s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\Dridex.JhiSharp.dll.exe"

Signatures

Dridex

botnet dridex

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Network Share Discovery

discovery

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\whoami.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\Dridex.JhiSharp.dll.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A

Discovers systems in the same network

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\net.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\Dridex.JhiSharp.dll.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2900 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\Dridex.JhiSharp.dll.exe C:\Windows\SysWOW64\svchost.exe
PID 2900 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\Dridex.JhiSharp.dll.exe C:\Windows\SysWOW64\svchost.exe
PID 2900 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\Dridex.JhiSharp.dll.exe C:\Windows\SysWOW64\svchost.exe
PID 2900 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\Dridex.JhiSharp.dll.exe C:\Windows\SysWOW64\svchost.exe
PID 2900 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\Dridex.JhiSharp.dll.exe C:\Windows\SysWOW64\svchost.exe
PID 2836 wrote to memory of 2084 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\whoami.exe
PID 2836 wrote to memory of 2084 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\whoami.exe
PID 2836 wrote to memory of 2084 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\whoami.exe
PID 2836 wrote to memory of 2084 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\whoami.exe
PID 2836 wrote to memory of 2232 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\net.exe
PID 2836 wrote to memory of 2232 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\net.exe
PID 2836 wrote to memory of 2232 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\net.exe
PID 2836 wrote to memory of 2232 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\net.exe

Processes

C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\Dridex.JhiSharp.dll.exe

"C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\Dridex.JhiSharp.dll.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe "C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\Dridex.JhiSharp.dll.exe"

C:\Windows\SysWOW64\whoami.exe

C:\Windows\system32\whoami.exe /all

C:\Windows\SysWOW64\net.exe

C:\Windows\system32\net.exe view

Network

Country Destination Domain Proto
FR 46.105.131.88:443 tcp
FR 46.105.131.88:443 tcp

Files

memory/2900-0-0x0000000000B20000-0x0000000000B46000-memory.dmp

memory/2900-1-0x0000000000130000-0x0000000000136000-memory.dmp

memory/2836-2-0x0000000000170000-0x0000000000171000-memory.dmp

memory/2836-4-0x0000000076CE9000-0x0000000076CEA000-memory.dmp

memory/2900-5-0x0000000000B20000-0x0000000000B46000-memory.dmp

memory/2836-6-0x00000000001C0000-0x00000000001E6000-memory.dmp

memory/2836-13-0x00000000001C0000-0x00000000001E6000-memory.dmp

memory/2836-12-0x00000000001C0000-0x00000000001E6000-memory.dmp

memory/2836-11-0x00000000001C0000-0x00000000001E6000-memory.dmp

memory/2836-10-0x00000000001C0000-0x00000000001E6000-memory.dmp

memory/2836-9-0x00000000001C0000-0x00000000001E6000-memory.dmp

memory/2836-8-0x00000000001C0000-0x00000000001E6000-memory.dmp

memory/2836-7-0x00000000001C0000-0x00000000001E6000-memory.dmp

memory/2836-18-0x0000000076C60000-0x0000000076D70000-memory.dmp

memory/2836-27-0x0000000076C60000-0x0000000076D70000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-09-04 20:01

Reported

2024-09-04 20:10

Platform

win7-20240903-en

Max time kernel

122s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\DridexLoader.bin.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Network Share Discovery

discovery

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\whoami.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\DridexLoader.bin.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A

Discovers systems in the same network

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\net.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\DridexLoader.bin.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2692 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\DridexLoader.bin.exe C:\Windows\SysWOW64\svchost.exe
PID 2692 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\DridexLoader.bin.exe C:\Windows\SysWOW64\svchost.exe
PID 2692 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\DridexLoader.bin.exe C:\Windows\SysWOW64\svchost.exe
PID 2692 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\DridexLoader.bin.exe C:\Windows\SysWOW64\svchost.exe
PID 2692 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\DridexLoader.bin.exe C:\Windows\SysWOW64\svchost.exe
PID 1272 wrote to memory of 2920 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\whoami.exe
PID 1272 wrote to memory of 2920 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\whoami.exe
PID 1272 wrote to memory of 2920 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\whoami.exe
PID 1272 wrote to memory of 2920 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\whoami.exe
PID 1272 wrote to memory of 2824 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\net.exe
PID 1272 wrote to memory of 2824 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\net.exe
PID 1272 wrote to memory of 2824 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\net.exe
PID 1272 wrote to memory of 2824 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\net.exe

Processes

C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\DridexLoader.bin.exe

"C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\DridexLoader.bin.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe "C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\DridexLoader.bin.exe"

C:\Windows\SysWOW64\whoami.exe

C:\Windows\system32\whoami.exe /all

C:\Windows\SysWOW64\net.exe

C:\Windows\system32\net.exe view

Network

Country Destination Domain Proto
US 192.48.88.22:443 tcp
US 192.48.88.22:443 tcp

Files

memory/2692-1-0x0000000000070000-0x0000000000076000-memory.dmp

memory/2692-0-0x0000000000FD0000-0x0000000001006000-memory.dmp

memory/1272-2-0x0000000000180000-0x0000000000181000-memory.dmp

memory/1272-4-0x00000000752A9000-0x00000000752AA000-memory.dmp

memory/2692-5-0x0000000000FD0000-0x0000000001006000-memory.dmp

memory/1272-6-0x0000000000190000-0x00000000001C6000-memory.dmp

memory/1272-9-0x0000000000190000-0x00000000001C6000-memory.dmp

memory/1272-8-0x0000000000190000-0x00000000001C6000-memory.dmp

memory/1272-7-0x0000000000190000-0x00000000001C6000-memory.dmp

memory/1272-11-0x0000000000190000-0x00000000001C6000-memory.dmp

memory/1272-10-0x0000000000190000-0x00000000001C6000-memory.dmp

memory/1272-16-0x0000000075220000-0x0000000075330000-memory.dmp

memory/1272-25-0x0000000075220000-0x0000000075330000-memory.dmp

Analysis: behavioral15

Detonation Overview

Submitted

2024-09-04 20:01

Reported

2024-09-04 20:10

Platform

win7-20240903-en

Max time kernel

150s

Max time network

128s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\Trojan.Dridex.A.dll,#1

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zoekctxdbskyzr = "\"C:\\Users\\Admin\\AppData\\Roaming\\qAf0yl\\perfmon.exe\"" N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\4QmF\Magnify.exe C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\system32\4QmF\Magnify.exe C:\Windows\System32\cmd.exe N/A

Event Triggered Execution: Accessibility Features

persistence privilege_escalation

Modifies registry class

Description Indicator Process Target
Key deleted \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\MSCFile\shell\open N/A N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\MSCFile\shell\open N/A N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\MSCFile N/A N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\MSCFile\shell N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\MSCFile\shell\open\command\ = "C:\\Windows\\system32\\cmd.exe /c C:\\Users\\Admin\\AppData\\Local\\Temp\\4QFxKr.cmd" N/A N/A
Key deleted \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\MSCFile\shell\open\command N/A N/A
Key deleted \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\MSCFile\shell N/A N/A
Key deleted \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\MSCFile N/A N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\MSCFile\shell\open\command N/A N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1244 wrote to memory of 1976 N/A N/A C:\Windows\system32\perfmon.exe
PID 1244 wrote to memory of 1976 N/A N/A C:\Windows\system32\perfmon.exe
PID 1244 wrote to memory of 1976 N/A N/A C:\Windows\system32\perfmon.exe
PID 1244 wrote to memory of 3024 N/A N/A C:\Windows\System32\cmd.exe
PID 1244 wrote to memory of 3024 N/A N/A C:\Windows\System32\cmd.exe
PID 1244 wrote to memory of 3024 N/A N/A C:\Windows\System32\cmd.exe
PID 1244 wrote to memory of 2276 N/A N/A C:\Windows\system32\Magnify.exe
PID 1244 wrote to memory of 2276 N/A N/A C:\Windows\system32\Magnify.exe
PID 1244 wrote to memory of 2276 N/A N/A C:\Windows\system32\Magnify.exe
PID 1244 wrote to memory of 2252 N/A N/A C:\Windows\System32\cmd.exe
PID 1244 wrote to memory of 2252 N/A N/A C:\Windows\System32\cmd.exe
PID 1244 wrote to memory of 2252 N/A N/A C:\Windows\System32\cmd.exe
PID 1244 wrote to memory of 2260 N/A N/A C:\Windows\System32\eventvwr.exe
PID 1244 wrote to memory of 2260 N/A N/A C:\Windows\System32\eventvwr.exe
PID 1244 wrote to memory of 2260 N/A N/A C:\Windows\System32\eventvwr.exe
PID 2260 wrote to memory of 2184 N/A C:\Windows\System32\eventvwr.exe C:\Windows\system32\cmd.exe
PID 2260 wrote to memory of 2184 N/A C:\Windows\System32\eventvwr.exe C:\Windows\system32\cmd.exe
PID 2260 wrote to memory of 2184 N/A C:\Windows\System32\eventvwr.exe C:\Windows\system32\cmd.exe
PID 2184 wrote to memory of 1732 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2184 wrote to memory of 1732 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2184 wrote to memory of 1732 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1244 wrote to memory of 2532 N/A N/A C:\Windows\System32\cmd.exe
PID 1244 wrote to memory of 2532 N/A N/A C:\Windows\System32\cmd.exe
PID 1244 wrote to memory of 2532 N/A N/A C:\Windows\System32\cmd.exe
PID 2532 wrote to memory of 1972 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2532 wrote to memory of 1972 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2532 wrote to memory of 1972 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1244 wrote to memory of 580 N/A N/A C:\Windows\System32\cmd.exe
PID 1244 wrote to memory of 580 N/A N/A C:\Windows\System32\cmd.exe
PID 1244 wrote to memory of 580 N/A N/A C:\Windows\System32\cmd.exe
PID 580 wrote to memory of 2288 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 580 wrote to memory of 2288 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 580 wrote to memory of 2288 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1244 wrote to memory of 2352 N/A N/A C:\Windows\System32\cmd.exe
PID 1244 wrote to memory of 2352 N/A N/A C:\Windows\System32\cmd.exe
PID 1244 wrote to memory of 2352 N/A N/A C:\Windows\System32\cmd.exe
PID 2352 wrote to memory of 1984 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2352 wrote to memory of 1984 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2352 wrote to memory of 1984 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1244 wrote to memory of 944 N/A N/A C:\Windows\System32\cmd.exe
PID 1244 wrote to memory of 944 N/A N/A C:\Windows\System32\cmd.exe
PID 1244 wrote to memory of 944 N/A N/A C:\Windows\System32\cmd.exe
PID 944 wrote to memory of 1800 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 944 wrote to memory of 1800 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 944 wrote to memory of 1800 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1244 wrote to memory of 2536 N/A N/A C:\Windows\System32\cmd.exe
PID 1244 wrote to memory of 2536 N/A N/A C:\Windows\System32\cmd.exe
PID 1244 wrote to memory of 2536 N/A N/A C:\Windows\System32\cmd.exe
PID 2536 wrote to memory of 1108 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2536 wrote to memory of 1108 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2536 wrote to memory of 1108 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1244 wrote to memory of 328 N/A N/A C:\Windows\System32\cmd.exe
PID 1244 wrote to memory of 328 N/A N/A C:\Windows\System32\cmd.exe
PID 1244 wrote to memory of 328 N/A N/A C:\Windows\System32\cmd.exe
PID 328 wrote to memory of 1056 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 328 wrote to memory of 1056 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 328 wrote to memory of 1056 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\Trojan.Dridex.A.dll,#1

C:\Windows\system32\perfmon.exe

C:\Windows\system32\perfmon.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\l5hL.cmd

C:\Windows\system32\Magnify.exe

C:\Windows\system32\Magnify.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\1ab5MJK.cmd

C:\Windows\System32\eventvwr.exe

"C:\Windows\System32\eventvwr.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\4QFxKr.cmd

C:\Windows\system32\schtasks.exe

schtasks.exe /Create /F /TN "Gugio" /TR C:\Windows\system32\4QmF\Magnify.exe /SC minute /MO 60 /RL highest

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Gugio"

C:\Windows\system32\schtasks.exe

schtasks.exe /Query /TN "Gugio"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Gugio"

C:\Windows\system32\schtasks.exe

schtasks.exe /Query /TN "Gugio"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Gugio"

C:\Windows\system32\schtasks.exe

schtasks.exe /Query /TN "Gugio"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Gugio"

C:\Windows\system32\schtasks.exe

schtasks.exe /Query /TN "Gugio"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Gugio"

C:\Windows\system32\schtasks.exe

schtasks.exe /Query /TN "Gugio"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Gugio"

C:\Windows\system32\schtasks.exe

schtasks.exe /Query /TN "Gugio"

Network

N/A

Files

memory/2712-0-0x000007FEF7E80000-0x000007FEF7F1D000-memory.dmp

memory/2712-2-0x0000000000180000-0x0000000000187000-memory.dmp

memory/1244-3-0x0000000077996000-0x0000000077997000-memory.dmp

memory/1244-4-0x00000000029B0000-0x00000000029B1000-memory.dmp

memory/2712-6-0x000007FEF7E80000-0x000007FEF7F1D000-memory.dmp

memory/1244-10-0x0000000140000000-0x000000014009D000-memory.dmp

memory/1244-9-0x0000000140000000-0x000000014009D000-memory.dmp

memory/1244-8-0x0000000140000000-0x000000014009D000-memory.dmp

memory/1244-7-0x0000000140000000-0x000000014009D000-memory.dmp

memory/1244-20-0x0000000140000000-0x000000014009D000-memory.dmp

memory/1244-21-0x00000000025C0000-0x00000000025C7000-memory.dmp

memory/1244-14-0x0000000140000000-0x000000014009D000-memory.dmp

memory/1244-13-0x0000000140000000-0x000000014009D000-memory.dmp

memory/1244-12-0x0000000140000000-0x000000014009D000-memory.dmp

memory/1244-11-0x0000000140000000-0x000000014009D000-memory.dmp

memory/1244-23-0x0000000077C00000-0x0000000077C02000-memory.dmp

memory/1244-22-0x0000000077AA1000-0x0000000077AA2000-memory.dmp

memory/1244-32-0x0000000140000000-0x000000014009D000-memory.dmp

memory/1244-37-0x0000000140000000-0x000000014009D000-memory.dmp

memory/1244-33-0x0000000140000000-0x000000014009D000-memory.dmp

memory/1244-43-0x0000000077996000-0x0000000077997000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\l5hL.cmd

MD5 346eaac10f27ee818583dab257c085f0
SHA1 2170d98a0c11859288af7ab61c93ef9e88996160
SHA256 2100d0a70eefe559dc0e1ae7a1b0b86ffa32ffbade1054c8c9d1bf5bd8ed197e
SHA512 b53839d68f8a6d02cb9ffccef84cf10482795d30790f9b01d9f0b1106592484d4259c29a29f1b7537d39c7e7a17b0c8d2609c54b8062bd0e36bb77df3069f308

C:\Users\Admin\AppData\Local\Temp\m48047.tmp

MD5 87301407b8c71c9c44acb0440fbffad5
SHA1 d8c52cadd229765f4c86e06185c813c34bbfcf8d
SHA256 4cad76f0400499a3c4d0d7ecdb6e3006e33501f490059751b46ca6e06383e685
SHA512 e5b83565267fa32081f2de632d68c9a1baab6af82107bded737d6e7bdd7e245a645e7e83a5e419afd80d8041bffc2b1f2222c0fcd43e757707e4df274279d51d

\Users\Admin\AppData\Roaming\qAf0yl\perfmon.exe

MD5 3eb98cff1c242167df5fdbc6441ce3c5
SHA1 730b27a1c92e8df1e60db5a6fc69ea1b24f68a69
SHA256 6d8d5a244bb5a23c95653853fec3d04d2bdd2df5cff8cffb9848bddeb6adb081
SHA512 f42be2a52d97fd1db2ed5a1a1a81a186a0aab41204980a103df33a4190632ba03f3cbb88fcea8da7ed9a5e15f60732d49a924b025fe6d3e623195ec1d37dfb35

C:\Users\Admin\AppData\Local\Temp\1ab5MJK.cmd

MD5 9818458013aa957cfae58ec744e8fb5a
SHA1 d68981dc9b8ffb7acd27e40214057bbd95000d53
SHA256 cb6ef21e54cde404e4d88f1f36262e133fae6da2d0eb8c0d515edd53c5c6603b
SHA512 b0a4215d76cb93a7d3ea5b2a58ff8cc7772eb791ee3d391bc282eb352a270bc57b40f735f85835341d3d60ec5e36c41c455ed214483b9273b04aaaf88f70598a

C:\Users\Admin\AppData\Local\Temp\lvA7E4.tmp

MD5 e5a83a5c4fd6b3742cb1bdd4504e115d
SHA1 d538fddf3227eb990bb713ea251661d6c9b75938
SHA256 b90abdce3910b2be736a67db788444b0131e6116e8894258b52d0102cac65b18
SHA512 e24ab7578dd045451ff68400405e6361d28fb1a12175bd0c3afe2ffb3520559be3879cbafb955ed6916939b6023aed167d75a775567cfa152d2d64563543515a

C:\Users\Admin\AppData\Local\Temp\4QFxKr.cmd

MD5 819e3a2901d6e1c85bd5dad94758ce17
SHA1 31a02a71fcd19400b0c75bc04d4dcebf3a9148ec
SHA256 40bdf3586e0b23cf8654ffff3f74f6c4be324ea90d594a8a4768c30c09098cdf
SHA512 d310ec18878c1c6f4260cb107b0832c95ccf237e4c87f5858a80cb48a2e570032b62dd6443ab777ff034e2a5a2fece8259f24448605c2a27765871409f14d85c

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Zoekctxdbskyzr.lnk

MD5 686acba2c190cd0f636b355d21bf2745
SHA1 7a49dfe621466ec1dba5f023da8d7be2448581de
SHA256 d6bdeab505a66b9c5b11ceffab89a986287979571effd59846734a475358a8d4
SHA512 41e01b7cffa9c089d90df9b6e86b45f25925736f694ca39064830595eeca030b9010c1b429dbc8cf4062b73d6cf3bd182a1dc1e115928e2958005279c5b62bea

Analysis: behavioral18

Detonation Overview

Submitted

2024-09-04 20:01

Reported

2024-09-04 20:10

Platform

win10v2004-20240802-en

Max time kernel

144s

Max time network

156s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Emotet.zip

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Emotet.zip

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.56.20.217.in-addr.arpa udp
NL 52.111.243.31:443 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 18.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-09-04 20:01

Reported

2024-09-04 20:10

Platform

win10v2004-20240802-en

Max time kernel

115s

Max time network

160s

Command Line

"C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\Trojan.Dridex.A.exe"

Signatures

Dridex

botnet dridex

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Network Share Discovery

discovery

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\whoami.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\Trojan.Dridex.A.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A

Discovers systems in the same network

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\net.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\Trojan.Dridex.A.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\Trojan.Dridex.A.exe

"C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\Trojan.Dridex.A.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe "C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\Trojan.Dridex.A.exe"

C:\Windows\SysWOW64\whoami.exe

C:\Windows\system32\whoami.exe /all

C:\Windows\SysWOW64\net.exe

C:\Windows\system32\net.exe view

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
FR 37.187.54.76:443 tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 71.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp

Files

memory/4520-0-0x0000000002630000-0x000000000265F000-memory.dmp

memory/4520-1-0x0000000000960000-0x0000000000966000-memory.dmp

memory/4956-2-0x0000000077AB2000-0x0000000077AB3000-memory.dmp

memory/4956-3-0x0000000002F00000-0x0000000002F01000-memory.dmp

memory/4520-5-0x0000000002630000-0x000000000265F000-memory.dmp

memory/4956-10-0x0000000003050000-0x000000000307F000-memory.dmp

memory/4956-12-0x0000000003050000-0x000000000307F000-memory.dmp

memory/4956-17-0x0000000077A60000-0x0000000077B50000-memory.dmp

memory/4956-11-0x0000000003050000-0x000000000307F000-memory.dmp

memory/4956-9-0x0000000003050000-0x000000000307F000-memory.dmp

memory/4956-8-0x0000000003050000-0x000000000307F000-memory.dmp

memory/4956-7-0x0000000003050000-0x000000000307F000-memory.dmp

memory/4956-6-0x0000000003050000-0x000000000307F000-memory.dmp

memory/4956-25-0x0000000077A60000-0x0000000077B50000-memory.dmp

Analysis: behavioral26

Detonation Overview

Submitted

2024-09-04 20:01

Reported

2024-09-04 20:10

Platform

ubuntu2404-amd64-20240523-en

Max time kernel

149s

Max time network

146s

Command Line

[/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/30c150419000d27dafcd5d00702411b2b23b0f5d7e4d0cc729a7d63b2e460a01]

Signatures

Adds new SSH keys

persistence privilege_escalation
Description Indicator Process Target
File opened for modification /root/.ssh/authorized_keys /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/30c150419000d27dafcd5d00702411b2b23b0f5d7e4d0cc729a7d63b2e460a01 N/A

Deletes log files

defense_evasion
Description Indicator Process Target
File deleted /var/log/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/30c150419000d27dafcd5d00702411b2b23b0f5d7e4d0cc729a7d63b2e460a01 /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/30c150419000d27dafcd5d00702411b2b23b0f5d7e4d0cc729a7d63b2e460a01 N/A

Enumerates running processes

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /usr/bin/cat N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/275/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/30c150419000d27dafcd5d00702411b2b23b0f5d7e4d0cc729a7d63b2e460a01 N/A
File opened for reading /proc/46/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/30c150419000d27dafcd5d00702411b2b23b0f5d7e4d0cc729a7d63b2e460a01 N/A
File opened for reading /proc/588/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/30c150419000d27dafcd5d00702411b2b23b0f5d7e4d0cc729a7d63b2e460a01 N/A
File opened for reading /proc/1756/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/30c150419000d27dafcd5d00702411b2b23b0f5d7e4d0cc729a7d63b2e460a01 N/A
File opened for reading /proc/9/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/30c150419000d27dafcd5d00702411b2b23b0f5d7e4d0cc729a7d63b2e460a01 N/A
File opened for reading /proc/1821/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/30c150419000d27dafcd5d00702411b2b23b0f5d7e4d0cc729a7d63b2e460a01 N/A
File opened for reading /proc/11/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/30c150419000d27dafcd5d00702411b2b23b0f5d7e4d0cc729a7d63b2e460a01 N/A
File opened for reading /proc/10/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/30c150419000d27dafcd5d00702411b2b23b0f5d7e4d0cc729a7d63b2e460a01 N/A
File opened for reading /proc/1123/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/30c150419000d27dafcd5d00702411b2b23b0f5d7e4d0cc729a7d63b2e460a01 N/A
File opened for reading /proc/26/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/30c150419000d27dafcd5d00702411b2b23b0f5d7e4d0cc729a7d63b2e460a01 N/A
File opened for reading /proc/18/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/30c150419000d27dafcd5d00702411b2b23b0f5d7e4d0cc729a7d63b2e460a01 N/A
File opened for reading /proc/65/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/30c150419000d27dafcd5d00702411b2b23b0f5d7e4d0cc729a7d63b2e460a01 N/A
File opened for reading /proc/80/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/30c150419000d27dafcd5d00702411b2b23b0f5d7e4d0cc729a7d63b2e460a01 N/A
File opened for reading /proc/7/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/30c150419000d27dafcd5d00702411b2b23b0f5d7e4d0cc729a7d63b2e460a01 N/A
File opened for reading /proc/14/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/30c150419000d27dafcd5d00702411b2b23b0f5d7e4d0cc729a7d63b2e460a01 N/A
File opened for reading /proc/1899/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/30c150419000d27dafcd5d00702411b2b23b0f5d7e4d0cc729a7d63b2e460a01 N/A
File opened for reading /proc/46/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/30c150419000d27dafcd5d00702411b2b23b0f5d7e4d0cc729a7d63b2e460a01 N/A
File opened for reading /proc/1764/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/30c150419000d27dafcd5d00702411b2b23b0f5d7e4d0cc729a7d63b2e460a01 N/A
File opened for reading /proc/54/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/30c150419000d27dafcd5d00702411b2b23b0f5d7e4d0cc729a7d63b2e460a01 N/A
File opened for reading /proc/loadavg /usr/bin/uptime N/A
File opened for reading /proc/442/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/30c150419000d27dafcd5d00702411b2b23b0f5d7e4d0cc729a7d63b2e460a01 N/A
File opened for reading /proc/2459/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/30c150419000d27dafcd5d00702411b2b23b0f5d7e4d0cc729a7d63b2e460a01 N/A
File opened for reading /proc/meminfo /usr/bin/free N/A
File opened for reading /proc/20/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/30c150419000d27dafcd5d00702411b2b23b0f5d7e4d0cc729a7d63b2e460a01 N/A
File opened for reading /proc/2456/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/30c150419000d27dafcd5d00702411b2b23b0f5d7e4d0cc729a7d63b2e460a01 N/A
File opened for reading /proc/2090/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/30c150419000d27dafcd5d00702411b2b23b0f5d7e4d0cc729a7d63b2e460a01 N/A
File opened for reading /proc/196/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/30c150419000d27dafcd5d00702411b2b23b0f5d7e4d0cc729a7d63b2e460a01 N/A
File opened for reading /proc/2170/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/30c150419000d27dafcd5d00702411b2b23b0f5d7e4d0cc729a7d63b2e460a01 N/A
File opened for reading /proc/34/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/30c150419000d27dafcd5d00702411b2b23b0f5d7e4d0cc729a7d63b2e460a01 N/A
File opened for reading /proc/1957/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/30c150419000d27dafcd5d00702411b2b23b0f5d7e4d0cc729a7d63b2e460a01 N/A
File opened for reading /proc/1843/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/30c150419000d27dafcd5d00702411b2b23b0f5d7e4d0cc729a7d63b2e460a01 N/A
File opened for reading /proc/193/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/30c150419000d27dafcd5d00702411b2b23b0f5d7e4d0cc729a7d63b2e460a01 N/A
File opened for reading /proc/35/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/30c150419000d27dafcd5d00702411b2b23b0f5d7e4d0cc729a7d63b2e460a01 N/A
File opened for reading /proc/47/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/30c150419000d27dafcd5d00702411b2b23b0f5d7e4d0cc729a7d63b2e460a01 N/A
File opened for reading /proc/meminfo /usr/bin/free N/A
File opened for reading /proc/1930/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/30c150419000d27dafcd5d00702411b2b23b0f5d7e4d0cc729a7d63b2e460a01 N/A
File opened for reading /proc/1046/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/30c150419000d27dafcd5d00702411b2b23b0f5d7e4d0cc729a7d63b2e460a01 N/A
File opened for reading /proc/1888/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/30c150419000d27dafcd5d00702411b2b23b0f5d7e4d0cc729a7d63b2e460a01 N/A
File opened for reading /proc/40/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/30c150419000d27dafcd5d00702411b2b23b0f5d7e4d0cc729a7d63b2e460a01 N/A
File opened for reading /proc/1644/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/30c150419000d27dafcd5d00702411b2b23b0f5d7e4d0cc729a7d63b2e460a01 N/A
File opened for reading /proc/21/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/30c150419000d27dafcd5d00702411b2b23b0f5d7e4d0cc729a7d63b2e460a01 N/A
File opened for reading /proc/meminfo /usr/bin/free N/A
File opened for reading /proc/22/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/30c150419000d27dafcd5d00702411b2b23b0f5d7e4d0cc729a7d63b2e460a01 N/A
File opened for reading /proc/2456/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/30c150419000d27dafcd5d00702411b2b23b0f5d7e4d0cc729a7d63b2e460a01 N/A
File opened for reading /proc/1900/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/30c150419000d27dafcd5d00702411b2b23b0f5d7e4d0cc729a7d63b2e460a01 N/A
File opened for reading /proc/2048/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/30c150419000d27dafcd5d00702411b2b23b0f5d7e4d0cc729a7d63b2e460a01 N/A
File opened for reading /proc/27/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/30c150419000d27dafcd5d00702411b2b23b0f5d7e4d0cc729a7d63b2e460a01 N/A
File opened for reading /proc/51/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/30c150419000d27dafcd5d00702411b2b23b0f5d7e4d0cc729a7d63b2e460a01 N/A
File opened for reading /proc/193/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/30c150419000d27dafcd5d00702411b2b23b0f5d7e4d0cc729a7d63b2e460a01 N/A
File opened for reading /proc/1915/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/30c150419000d27dafcd5d00702411b2b23b0f5d7e4d0cc729a7d63b2e460a01 N/A
File opened for reading /proc/1954/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/30c150419000d27dafcd5d00702411b2b23b0f5d7e4d0cc729a7d63b2e460a01 N/A
File opened for reading /proc/sys/kernel/cap_last_cap /usr/bin/journalctl N/A
File opened for reading /proc/1092/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/30c150419000d27dafcd5d00702411b2b23b0f5d7e4d0cc729a7d63b2e460a01 N/A
File opened for reading /proc/2154/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/30c150419000d27dafcd5d00702411b2b23b0f5d7e4d0cc729a7d63b2e460a01 N/A
File opened for reading /proc/1397/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/30c150419000d27dafcd5d00702411b2b23b0f5d7e4d0cc729a7d63b2e460a01 N/A
File opened for reading /proc/29/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/30c150419000d27dafcd5d00702411b2b23b0f5d7e4d0cc729a7d63b2e460a01 N/A
File opened for reading /proc/uptime /usr/bin/uptime N/A
File opened for reading /proc/4/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/30c150419000d27dafcd5d00702411b2b23b0f5d7e4d0cc729a7d63b2e460a01 N/A
File opened for reading /proc/191/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/30c150419000d27dafcd5d00702411b2b23b0f5d7e4d0cc729a7d63b2e460a01 N/A
File opened for reading /proc/2079/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/30c150419000d27dafcd5d00702411b2b23b0f5d7e4d0cc729a7d63b2e460a01 N/A
File opened for reading /proc/2177/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/30c150419000d27dafcd5d00702411b2b23b0f5d7e4d0cc729a7d63b2e460a01 N/A
File opened for reading /proc/35/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/30c150419000d27dafcd5d00702411b2b23b0f5d7e4d0cc729a7d63b2e460a01 N/A
File opened for reading /proc/386/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/30c150419000d27dafcd5d00702411b2b23b0f5d7e4d0cc729a7d63b2e460a01 N/A
File opened for reading /proc/1744/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/30c150419000d27dafcd5d00702411b2b23b0f5d7e4d0cc729a7d63b2e460a01 N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/nc /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/30c150419000d27dafcd5d00702411b2b23b0f5d7e4d0cc729a7d63b2e460a01 N/A

Processes

/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/30c150419000d27dafcd5d00702411b2b23b0f5d7e4d0cc729a7d63b2e460a01

[/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/30c150419000d27dafcd5d00702411b2b23b0f5d7e4d0cc729a7d63b2e460a01]

/usr/bin/uname

[uname -a]

/usr/bin/cat

[cat /proc/cpuinfo]

/usr/bin/cat

[cat /etc/issue]

/usr/bin/free

[free -m]

/usr/bin/uptime

[uptime]

/usr/bin/journalctl

[journalctl -S @0 -u sshd]

/usr/bin/cat

[cat /var/log/auth*]

/usr/bin/zcat

[zcat /var/log/auth*]

/usr/local/sbin/gzip

[gzip -cd /var/log/auth*]

/usr/local/bin/gzip

[gzip -cd /var/log/auth*]

/usr/sbin/gzip

[gzip -cd /var/log/auth*]

/usr/bin/gzip

[gzip -cd /var/log/auth*]


Network

Country Destination Domain Proto

Files

/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/nc

MD5 819b0fdb2b9c8a440b734a7b72522f12
SHA1 f3aff7e1c44d21508eb60797211570c84a53597a
SHA256 30c150419000d27dafcd5d00702411b2b23b0f5d7e4d0cc729a7d63b2e460a01
SHA512 fee2c0dbbc91e2486e409e8b6a877c6ec500e6c7c0491d4c44d37006c30de79b95dd4640c7c8c8efcc920abccbdb659a590fde1e2526126279b7486778d08b5a

Analysis: behavioral29

Detonation Overview

Submitted

2024-09-04 20:01

Reported

2024-09-04 20:10

Platform

ubuntu2204-amd64-20240611-en

Max time kernel

150s

Max time network

148s

Command Line

[/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59]

Signatures

Adds new SSH keys

persistence privilege_escalation
Description Indicator Process Target
File opened for modification /root/.ssh/authorized_keys /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59 N/A

Deletes log files

defense_evasion
Description Indicator Process Target
File deleted /var/log/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59 /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59 N/A

Enumerates running processes

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /usr/bin/cat N/A

Reads CPU attributes

discovery
Description Indicator Process Target
File opened for reading /sys/devices/system/cpu/online /usr/bin/uptime N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/free N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/991/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59 N/A
File opened for reading /proc/591/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59 N/A
File opened for reading /proc/112/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59 N/A
File opened for reading /proc/1075/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59 N/A
File opened for reading /proc/sys/kernel/osrelease /usr/bin/uptime N/A
File opened for reading /proc/1177/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59 N/A
File opened for reading /proc/1469/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59 N/A
File opened for reading /proc/1197/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59 N/A
File opened for reading /proc/781/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59 N/A
File opened for reading /proc/loadavg /usr/bin/uptime N/A
File opened for reading /proc/1286/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59 N/A
File opened for reading /proc/737/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59 N/A
File opened for reading /proc/1254/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59 N/A
File opened for reading /proc/97/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59 N/A
File opened for reading /proc/373/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59 N/A
File opened for reading /proc/9/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59 N/A
File opened for reading /proc/80/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59 N/A
File opened for reading /proc/424/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59 N/A
File opened for reading /proc/self/auxv /usr/bin/uptime N/A
File opened for reading /proc/22/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59 N/A
File opened for reading /proc/748/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59 N/A
File opened for reading /proc/118/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59 N/A
File opened for reading /proc/94/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59 N/A
File opened for reading /proc/95/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59 N/A
File opened for reading /proc/1431/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59 N/A
File opened for reading /proc/775/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59 N/A
File opened for reading /proc/self/auxv /usr/bin/free N/A
File opened for reading /proc/412/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59 N/A
File opened for reading /proc/1185/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59 N/A
File opened for reading /proc/96/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59 N/A
File opened for reading /proc/1/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59 N/A
File opened for reading /proc/585/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59 N/A
File opened for reading /proc/1098/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59 N/A
File opened for reading /proc/748/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59 N/A
File opened for reading /proc/25/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59 N/A
File opened for reading /proc/sys/kernel/osrelease /usr/bin/free N/A
File opened for reading /proc/757/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59 N/A
File opened for reading /proc/775/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59 N/A
File opened for reading /proc/112/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59 N/A
File opened for reading /proc/1158/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59 N/A
File opened for reading /proc/583/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59 N/A
File opened for reading /proc/meminfo /usr/bin/free N/A
File opened for reading /proc/1085/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59 N/A
File opened for reading /proc/1192/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59 N/A
File opened for reading /proc/self/auxv /usr/bin/uptime N/A
File opened for reading /proc/27/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59 N/A
File opened for reading /proc/607/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59 N/A
File opened for reading /proc/76/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59 N/A
File opened for reading /proc/self/auxv /usr/bin/free N/A
File opened for reading /proc/sys/kernel/osrelease /usr/bin/uptime N/A
File opened for reading /proc/1254/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59 N/A
File opened for reading /proc/1621/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59 N/A
File opened for reading /proc/1158/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59 N/A
File opened for reading /proc/self/auxv /usr/bin/uptime N/A
File opened for reading /proc/632/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59 N/A
File opened for reading /proc/meminfo /usr/bin/free N/A
File opened for reading /proc/79/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59 N/A
File opened for reading /proc/sys/kernel/osrelease /usr/bin/free N/A
File opened for reading /proc/1162/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59 N/A
File opened for reading /proc/1294/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59 N/A
File opened for reading /proc/1317/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59 N/A
File opened for reading /proc/1040/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59 N/A
File opened for reading /proc/118/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59 N/A
File opened for reading /proc/1409/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59 N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/nc /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59 N/A

Processes

/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59

[/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59]

/usr/bin/uname

[uname -a]

/usr/bin/cat

[cat /proc/cpuinfo]

/usr/bin/cat

[cat /etc/issue]

/usr/bin/free

[free -m]

/usr/bin/uptime

[uptime]

/usr/bin/journalctl

[journalctl -S @0 -u sshd]

/usr/bin/cat

[cat /var/log/auth*]

/usr/bin/zcat

[zcat /var/log/auth*]

/usr/local/sbin/gzip

[gzip -cd /var/log/auth*]

/usr/local/bin/gzip

[gzip -cd /var/log/auth*]

/usr/sbin/gzip

[gzip -cd /var/log/auth*]

/usr/bin/gzip

[gzip -cd /var/log/auth*]


Network

Country Destination Domain Proto

Files

/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/nc

MD5 97cfb3c26a12e13792f7d1741309d767
SHA1 a010f85cdda9f83cbc738eb1b41cd621f3d6018e
SHA256 5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59
SHA512 162028b9e93bb4718427304a96767880da7094c99ae6145e61a562f09dae0ce6726b2dfac95782990f50fa9bfc9f82b1aacb9e7b12442094137872fa8a3f3379

Analysis: behavioral31

Detonation Overview

Submitted

2024-09-04 20:01

Reported

2024-09-04 20:10

Platform

ubuntu2204-amd64-20240522.1-en

Max time kernel

149s

Max time network

141s

Command Line

[/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7745b070943e910e8807e3521ac7b7a01401d131bf6c18a63433f8177ed539a6]

Signatures

Adds new SSH keys

persistence privilege_escalation
Description Indicator Process Target
File opened for modification /root/.ssh/authorized_keys /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7745b070943e910e8807e3521ac7b7a01401d131bf6c18a63433f8177ed539a6 N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Deletes log files

defense_evasion
Description Indicator Process Target
File deleted /var/log/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7745b070943e910e8807e3521ac7b7a01401d131bf6c18a63433f8177ed539a6 /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7745b070943e910e8807e3521ac7b7a01401d131bf6c18a63433f8177ed539a6 N/A

Enumerates running processes

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /usr/bin/cat N/A

Reads CPU attributes

discovery
Description Indicator Process Target
File opened for reading /sys/devices/system/cpu/online /usr/bin/free N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/uptime N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/1184/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7745b070943e910e8807e3521ac7b7a01401d131bf6c18a63433f8177ed539a6 N/A
File opened for reading /proc/414/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7745b070943e910e8807e3521ac7b7a01401d131bf6c18a63433f8177ed539a6 N/A
File opened for reading /proc/733/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7745b070943e910e8807e3521ac7b7a01401d131bf6c18a63433f8177ed539a6 N/A
File opened for reading /proc/self/auxv /usr/bin/uptime N/A
File opened for reading /proc/sys/kernel/osrelease /usr/bin/free N/A
File opened for reading /proc/1169/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7745b070943e910e8807e3521ac7b7a01401d131bf6c18a63433f8177ed539a6 N/A
File opened for reading /proc/1203/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7745b070943e910e8807e3521ac7b7a01401d131bf6c18a63433f8177ed539a6 N/A
File opened for reading /proc/427/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7745b070943e910e8807e3521ac7b7a01401d131bf6c18a63433f8177ed539a6 N/A
File opened for reading /proc/452/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7745b070943e910e8807e3521ac7b7a01401d131bf6c18a63433f8177ed539a6 N/A
File opened for reading /proc/90/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7745b070943e910e8807e3521ac7b7a01401d131bf6c18a63433f8177ed539a6 N/A
File opened for reading /proc/592/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7745b070943e910e8807e3521ac7b7a01401d131bf6c18a63433f8177ed539a6 N/A
File opened for reading /proc/1204/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7745b070943e910e8807e3521ac7b7a01401d131bf6c18a63433f8177ed539a6 N/A
File opened for reading /proc/17/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7745b070943e910e8807e3521ac7b7a01401d131bf6c18a63433f8177ed539a6 N/A
File opened for reading /proc/3/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7745b070943e910e8807e3521ac7b7a01401d131bf6c18a63433f8177ed539a6 N/A
File opened for reading /proc/1343/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7745b070943e910e8807e3521ac7b7a01401d131bf6c18a63433f8177ed539a6 N/A
File opened for reading /proc/94/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7745b070943e910e8807e3521ac7b7a01401d131bf6c18a63433f8177ed539a6 N/A
File opened for reading /proc/983/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7745b070943e910e8807e3521ac7b7a01401d131bf6c18a63433f8177ed539a6 N/A
File opened for reading /proc/loadavg /usr/bin/uptime N/A
File opened for reading /proc/222/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7745b070943e910e8807e3521ac7b7a01401d131bf6c18a63433f8177ed539a6 N/A
File opened for reading /proc/24/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7745b070943e910e8807e3521ac7b7a01401d131bf6c18a63433f8177ed539a6 N/A
File opened for reading /proc/1163/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7745b070943e910e8807e3521ac7b7a01401d131bf6c18a63433f8177ed539a6 N/A
File opened for reading /proc/sys/kernel/osrelease /usr/bin/free N/A
File opened for reading /proc/1271/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7745b070943e910e8807e3521ac7b7a01401d131bf6c18a63433f8177ed539a6 N/A
File opened for reading /proc/74/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7745b070943e910e8807e3521ac7b7a01401d131bf6c18a63433f8177ed539a6 N/A
File opened for reading /proc/840/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7745b070943e910e8807e3521ac7b7a01401d131bf6c18a63433f8177ed539a6 N/A
File opened for reading /proc/1058/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7745b070943e910e8807e3521ac7b7a01401d131bf6c18a63433f8177ed539a6 N/A
File opened for reading /proc/1565/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7745b070943e910e8807e3521ac7b7a01401d131bf6c18a63433f8177ed539a6 N/A
File opened for reading /proc/sys/kernel/osrelease /usr/bin/free N/A
File opened for reading /proc/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7745b070943e910e8807e3521ac7b7a01401d131bf6c18a63433f8177ed539a6 N/A
File opened for reading /proc/616/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7745b070943e910e8807e3521ac7b7a01401d131bf6c18a63433f8177ed539a6 N/A
File opened for reading /proc/sys/kernel/osrelease /usr/bin/free N/A
File opened for reading /proc/loadavg /usr/bin/uptime N/A
File opened for reading /proc/1588/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7745b070943e910e8807e3521ac7b7a01401d131bf6c18a63433f8177ed539a6 N/A
File opened for reading /proc/608/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7745b070943e910e8807e3521ac7b7a01401d131bf6c18a63433f8177ed539a6 N/A
File opened for reading /proc/self/auxv /usr/bin/free N/A
File opened for reading /proc/514/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7745b070943e910e8807e3521ac7b7a01401d131bf6c18a63433f8177ed539a6 N/A
File opened for reading /proc/587/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7745b070943e910e8807e3521ac7b7a01401d131bf6c18a63433f8177ed539a6 N/A
File opened for reading /proc/sys/kernel/osrelease /usr/bin/uptime N/A
File opened for reading /proc/meminfo /usr/bin/free N/A
File opened for reading /proc/1148/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7745b070943e910e8807e3521ac7b7a01401d131bf6c18a63433f8177ed539a6 N/A
File opened for reading /proc/1371/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7745b070943e910e8807e3521ac7b7a01401d131bf6c18a63433f8177ed539a6 N/A
File opened for reading /proc/1565/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7745b070943e910e8807e3521ac7b7a01401d131bf6c18a63433f8177ed539a6 N/A
File opened for reading /proc/956/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7745b070943e910e8807e3521ac7b7a01401d131bf6c18a63433f8177ed539a6 N/A
File opened for reading /proc/1200/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7745b070943e910e8807e3521ac7b7a01401d131bf6c18a63433f8177ed539a6 N/A
File opened for reading /proc/558/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7745b070943e910e8807e3521ac7b7a01401d131bf6c18a63433f8177ed539a6 N/A
File opened for reading /proc/92/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7745b070943e910e8807e3521ac7b7a01401d131bf6c18a63433f8177ed539a6 N/A
File opened for reading /proc/159/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7745b070943e910e8807e3521ac7b7a01401d131bf6c18a63433f8177ed539a6 N/A
File opened for reading /proc/223/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7745b070943e910e8807e3521ac7b7a01401d131bf6c18a63433f8177ed539a6 N/A
File opened for reading /proc/filesystems /usr/bin/journalctl N/A
File opened for reading /proc/uptime /usr/bin/uptime N/A
File opened for reading /proc/200/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7745b070943e910e8807e3521ac7b7a01401d131bf6c18a63433f8177ed539a6 N/A
File opened for reading /proc/uptime /usr/bin/uptime N/A
File opened for reading /proc/1/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7745b070943e910e8807e3521ac7b7a01401d131bf6c18a63433f8177ed539a6 N/A
File opened for reading /proc/220/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7745b070943e910e8807e3521ac7b7a01401d131bf6c18a63433f8177ed539a6 N/A
File opened for reading /proc/226/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7745b070943e910e8807e3521ac7b7a01401d131bf6c18a63433f8177ed539a6 N/A
File opened for reading /proc/1166/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7745b070943e910e8807e3521ac7b7a01401d131bf6c18a63433f8177ed539a6 N/A
File opened for reading /proc/1374/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7745b070943e910e8807e3521ac7b7a01401d131bf6c18a63433f8177ed539a6 N/A
File opened for reading /proc/92/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7745b070943e910e8807e3521ac7b7a01401d131bf6c18a63433f8177ed539a6 N/A
File opened for reading /proc/99/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7745b070943e910e8807e3521ac7b7a01401d131bf6c18a63433f8177ed539a6 N/A
File opened for reading /proc/uptime /usr/bin/uptime N/A
File opened for reading /proc/sys/kernel/osrelease /usr/bin/free N/A
File opened for reading /proc/1566/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7745b070943e910e8807e3521ac7b7a01401d131bf6c18a63433f8177ed539a6 N/A
File opened for reading /proc/1074/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7745b070943e910e8807e3521ac7b7a01401d131bf6c18a63433f8177ed539a6 N/A
File opened for reading /proc/11/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7745b070943e910e8807e3521ac7b7a01401d131bf6c18a63433f8177ed539a6 N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/nc /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7745b070943e910e8807e3521ac7b7a01401d131bf6c18a63433f8177ed539a6 N/A

Processes

/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7745b070943e910e8807e3521ac7b7a01401d131bf6c18a63433f8177ed539a6

[/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7745b070943e910e8807e3521ac7b7a01401d131bf6c18a63433f8177ed539a6]

/usr/bin/uname

[uname -a]

/usr/bin/cat

[cat /proc/cpuinfo]

/usr/bin/cat

[cat /etc/issue]

/usr/bin/free

[free -m]

/usr/bin/uptime

[uptime]

/usr/bin/journalctl

[journalctl -S @0 -u sshd]

/usr/bin/cat

[cat /var/log/auth*]

/usr/bin/zcat

[zcat /var/log/auth*]

/usr/local/sbin/gzip

[gzip -cd /var/log/auth*]

/usr/local/bin/gzip

[gzip -cd /var/log/auth*]

/usr/sbin/gzip

[gzip -cd /var/log/auth*]

/usr/bin/gzip

[gzip -cd /var/log/auth*]

/usr/bin/free

[free -m]

/usr/bin/uptime

[uptime]

/usr/bin/free

[free -m]

/usr/bin/uptime

[uptime]

/usr/bin/free

[free -m]

/usr/bin/uptime

[uptime]

/usr/bin/free

[free -m]

/usr/bin/uptime

[uptime]

/usr/bin/free

[free -m]

/usr/bin/uptime

[uptime]

/usr/bin/free

[free -m]

/usr/bin/uptime

[uptime]

/usr/bin/free

[free -m]

/usr/bin/uptime

[uptime]

/usr/bin/free

[free -m]

/usr/bin/uptime

[uptime]

/usr/bin/free

[free -m]

/usr/bin/uptime

[uptime]

/usr/bin/free

[free -m]

/usr/bin/uptime

[uptime]

/usr/bin/free

[free -m]

/usr/bin/uptime

[uptime]

/usr/bin/free

[free -m]

/usr/bin/uptime

[uptime]

/usr/bin/free

[free -m]

/usr/bin/uptime

[uptime]

/usr/bin/free

[free -m]

/usr/bin/uptime

[uptime]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
NL 145.116.187.108:2222 tcp
N/A 247.172.71.158:22 tcp
CN 123.158.74.165:22 tcp
N/A 240.87.205.218:22 tcp
CN 47.98.23.248:2222 tcp
PK 203.223.169.52:2222 tcp
US 130.76.145.5:2222 tcp
US 63.94.52.250:2222 tcp
US 158.246.65.214:2222 tcp
US 16.20.127.240:22 tcp
BR 201.86.81.193:2222 tcp
BG 93.123.49.231:2222 tcp
US 174.22.32.82:2222 tcp
IN 123.238.201.139:22 tcp
IR 5.202.180.8:2222 tcp
US 216.178.191.241:2222 tcp
MX 200.92.243.240:22 tcp
MX 200.92.243.240:2222 tcp
CN 211.158.14.212:2222 tcp
PH 180.193.18.153:22 tcp
MA 105.128.63.18:2222 tcp
CO 181.131.83.10:2222 tcp
JP 106.190.155.208:2222 tcp
JP 106.190.155.208:22 tcp
TR 78.185.155.44:2222 tcp
N/A 250.194.145.234:2222 tcp
N/A 241.76.90.139:2222 tcp
CZ 77.48.243.190:2222 tcp
MA 105.66.166.100:22 tcp
NL 84.241.206.33:22 tcp
US 206.94.46.207:22 tcp
NL 84.241.206.33:2222 tcp
CO 181.131.83.10:22 tcp
CN 123.158.74.165:2222 tcp
SG 20.24.139.110:2222 tcp
US 69.18.168.126:22 tcp
N/A 247.172.71.158:2222 tcp
PK 203.223.169.52:22 tcp
US 157.187.170.44:2222 tcp
US 63.94.52.250:22 tcp
TR 86.108.248.58:22 tcp
TR 86.108.248.58:2222 tcp
BR 201.86.81.193:22 tcp
US 157.202.178.101:22 tcp
US 68.62.115.69:2222 tcp
US 143.43.252.119:2222 tcp
IN 103.143.168.228:22 tcp
US 16.20.127.240:2222 tcp
BG 93.123.49.231:22 tcp
PH 180.193.18.153:2222 tcp
CA 135.19.108.71:2222 tcp
N/A 250.194.145.234:22 tcp
IN 103.143.168.228:2222 tcp
CA 142.201.15.198:22 tcp
IN 123.238.201.139:2222 tcp
US 11.251.69.51:2222 tcp
VN 42.115.64.130:22 tcp
N/A 249.194.28.83:2222 tcp
US 15.26.144.139:2222 tcp
US 164.119.220.127:2222 tcp
IR 5.202.180.8:22 tcp
US 130.76.145.5:22 tcp
US 165.104.116.109:2222 tcp
US 157.202.178.101:2222 tcp

Files

/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/nc

MD5 d4e533f9c11b5cc9e755d94c1315553a
SHA1 9e15020cd2688b537bae18e5f291ee8cbe9a85e7
SHA256 7745b070943e910e8807e3521ac7b7a01401d131bf6c18a63433f8177ed539a6
SHA512 149226355b2e5c3fac403289b5e66bd4164a7aee76d8dc8f1d698c509db7a081bad9d4172cc950bb0e6e6909e0073d551dcde82cbeaaf61a9c1b02c9ba48fb38

Analysis: behavioral7

Detonation Overview

Submitted

2024-09-04 20:01

Reported

2024-09-04 20:10

Platform

win7-20240903-en

Max time kernel

121s

Max time network

129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\DridexDroppedVBS.exe"

Signatures

Dridex

botnet dridex

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Network Share Discovery

discovery

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\DridexDroppedVBS.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\whoami.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A

Discovers systems in the same network

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\net.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\DridexDroppedVBS.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2344 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\DridexDroppedVBS.exe C:\Windows\SysWOW64\svchost.exe
PID 2344 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\DridexDroppedVBS.exe C:\Windows\SysWOW64\svchost.exe
PID 2344 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\DridexDroppedVBS.exe C:\Windows\SysWOW64\svchost.exe
PID 2344 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\DridexDroppedVBS.exe C:\Windows\SysWOW64\svchost.exe
PID 2344 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\DridexDroppedVBS.exe C:\Windows\SysWOW64\svchost.exe
PID 1908 wrote to memory of 2892 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\whoami.exe
PID 1908 wrote to memory of 2892 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\whoami.exe
PID 1908 wrote to memory of 2892 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\whoami.exe
PID 1908 wrote to memory of 2892 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\whoami.exe
PID 1908 wrote to memory of 2776 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\net.exe
PID 1908 wrote to memory of 2776 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\net.exe
PID 1908 wrote to memory of 2776 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\net.exe
PID 1908 wrote to memory of 2776 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\net.exe

Processes

C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\DridexDroppedVBS.exe

"C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\DridexDroppedVBS.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe "C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\DridexDroppedVBS.exe"

C:\Windows\SysWOW64\whoami.exe

C:\Windows\system32\whoami.exe /all

C:\Windows\SysWOW64\net.exe

C:\Windows\system32\net.exe view

Network

Country Destination Domain Proto
JP 60.124.4.241:443 tcp
JP 60.124.4.241:443 tcp

Files

memory/2344-1-0x00000000000A0000-0x00000000000A6000-memory.dmp

memory/2344-0-0x0000000000850000-0x0000000000874000-memory.dmp

memory/1908-2-0x0000000000170000-0x0000000000171000-memory.dmp

memory/1908-3-0x00000000765D9000-0x00000000765DA000-memory.dmp

memory/2344-5-0x0000000000850000-0x0000000000874000-memory.dmp

memory/1908-7-0x0000000000180000-0x00000000001A4000-memory.dmp

memory/1908-11-0x0000000000180000-0x00000000001A4000-memory.dmp

memory/1908-10-0x0000000000180000-0x00000000001A4000-memory.dmp

memory/1908-9-0x0000000000180000-0x00000000001A4000-memory.dmp

memory/1908-8-0x0000000000180000-0x00000000001A4000-memory.dmp

memory/1908-6-0x0000000000180000-0x00000000001A4000-memory.dmp

memory/1908-16-0x0000000076550000-0x0000000076660000-memory.dmp

Analysis: behavioral24

Detonation Overview

Submitted

2024-09-04 20:01

Reported

2024-09-04 20:10

Platform

ubuntu2404-amd64-20240523-en

Max time kernel

149s

Max time network

161s

Command Line

[/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/103b8404dc64c9a44511675981a09fd01395ee837452d114f1350c295357c046]

Signatures

Adds new SSH keys

persistence privilege_escalation
Description Indicator Process Target
File opened for modification /root/.ssh/authorized_keys /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/103b8404dc64c9a44511675981a09fd01395ee837452d114f1350c295357c046 N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Abuse Elevation Control Mechanism: Sudo and Sudo Caching

privilege_escalation defense_evasion
Description Indicator Process Target
N/A N/A /usr/bin/sudo N/A
N/A N/A /usr/bin/sudo N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A /usr/bin/sudo N/A
N/A N/A /usr/bin/sudo N/A
N/A N/A /usr/bin/sudo N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A /usr/bin/sudo N/A
N/A N/A /usr/bin/sudo N/A
N/A N/A N/A N/A
N/A N/A /usr/bin/sudo N/A
N/A N/A /usr/bin/sudo N/A
N/A N/A /usr/bin/sudo N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A /usr/bin/sudo N/A
N/A N/A /usr/bin/sudo N/A
N/A N/A /usr/bin/sudo N/A
N/A N/A /usr/bin/sudo N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A /usr/bin/sudo N/A
N/A N/A /usr/bin/sudo N/A
N/A N/A N/A N/A
N/A N/A /usr/bin/sudo N/A
N/A N/A /usr/bin/sudo N/A
N/A N/A /usr/bin/sudo N/A
N/A N/A /usr/bin/sudo N/A
N/A N/A /usr/bin/sudo N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A /usr/bin/sudo N/A
N/A N/A /usr/bin/sudo N/A
N/A N/A /usr/bin/sudo N/A
N/A N/A /usr/bin/sudo N/A
N/A N/A /usr/bin/sudo N/A
N/A N/A /usr/bin/sudo N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A /usr/bin/sudo N/A
N/A N/A /usr/bin/sudo N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A /usr/bin/sudo N/A
N/A N/A /usr/bin/sudo N/A
N/A N/A /usr/bin/sudo N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A /usr/bin/which N/A

Deletes log files

defense_evasion
Description Indicator Process Target
File deleted /var/log/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/103b8404dc64c9a44511675981a09fd01395ee837452d114f1350c295357c046 /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/103b8404dc64c9a44511675981a09fd01395ee837452d114f1350c295357c046 N/A

Enumerates running processes

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /usr/bin/ps N/A
File opened for reading /proc/cpuinfo /usr/bin/ps N/A
File opened for reading /proc/cpuinfo /usr/bin/ps N/A
File opened for reading /proc/cpuinfo N/A N/A
File opened for reading /proc/cpuinfo N/A N/A
File opened for reading /proc/cpuinfo /usr/bin/ps N/A
File opened for reading /proc/cpuinfo /usr/bin/ps N/A
File opened for reading /proc/cpuinfo N/A N/A
File opened for reading /proc/cpuinfo N/A N/A
File opened for reading /proc/cpuinfo /usr/bin/ps N/A
File opened for reading /proc/cpuinfo N/A N/A
File opened for reading /proc/cpuinfo N/A N/A
File opened for reading /proc/cpuinfo /usr/bin/ps N/A
File opened for reading /proc/cpuinfo /usr/bin/ps N/A
File opened for reading /proc/cpuinfo N/A N/A
File opened for reading /proc/cpuinfo N/A N/A
File opened for reading /proc/cpuinfo N/A N/A
File opened for reading /proc/cpuinfo N/A N/A
File opened for reading /proc/cpuinfo N/A N/A
File opened for reading /proc/cpuinfo N/A N/A
File opened for reading /proc/cpuinfo /usr/bin/ps N/A
File opened for reading /proc/cpuinfo /usr/bin/ps N/A
File opened for reading /proc/cpuinfo /usr/bin/ps N/A
File opened for reading /proc/cpuinfo /usr/bin/ps N/A
File opened for reading /proc/cpuinfo N/A N/A
File opened for reading /proc/cpuinfo /usr/bin/ps N/A
File opened for reading /proc/cpuinfo /usr/bin/ps N/A
File opened for reading /proc/cpuinfo N/A N/A
File opened for reading /proc/cpuinfo /usr/bin/ps N/A
File opened for reading /proc/cpuinfo /usr/bin/ps N/A
File opened for reading /proc/cpuinfo /usr/bin/ps N/A
File opened for reading /proc/cpuinfo N/A N/A
File opened for reading /proc/cpuinfo /usr/bin/ps N/A
File opened for reading /proc/cpuinfo N/A N/A
File opened for reading /proc/cpuinfo N/A N/A
File opened for reading /proc/cpuinfo N/A N/A
File opened for reading /proc/cpuinfo /usr/bin/ps N/A
File opened for reading /proc/cpuinfo /usr/bin/ps N/A
File opened for reading /proc/cpuinfo /usr/bin/ps N/A
File opened for reading /proc/cpuinfo /usr/bin/ps N/A
File opened for reading /proc/cpuinfo /usr/bin/ps N/A
File opened for reading /proc/cpuinfo /usr/bin/ps N/A
File opened for reading /proc/cpuinfo N/A N/A
File opened for reading /proc/cpuinfo N/A N/A
File opened for reading /proc/cpuinfo N/A N/A
File opened for reading /proc/cpuinfo N/A N/A
File opened for reading /proc/cpuinfo /usr/bin/ps N/A
File opened for reading /proc/cpuinfo N/A N/A
File opened for reading /proc/cpuinfo N/A N/A
File opened for reading /proc/cpuinfo N/A N/A
File opened for reading /proc/cpuinfo N/A N/A
File opened for reading /proc/cpuinfo N/A N/A
File opened for reading /proc/cpuinfo /usr/bin/ps N/A
File opened for reading /proc/cpuinfo /usr/bin/ps N/A
File opened for reading /proc/cpuinfo /usr/bin/ps N/A
File opened for reading /proc/cpuinfo /usr/bin/ps N/A
File opened for reading /proc/cpuinfo /usr/bin/ps N/A
File opened for reading /proc/cpuinfo /usr/bin/ps N/A
File opened for reading /proc/cpuinfo /usr/bin/ps N/A
File opened for reading /proc/cpuinfo /usr/bin/ps N/A
File opened for reading /proc/cpuinfo N/A N/A
File opened for reading /proc/cpuinfo /usr/bin/ps N/A
File opened for reading /proc/cpuinfo N/A N/A
File opened for reading /proc/cpuinfo N/A N/A

Reads CPU attributes

discovery
Description Indicator Process Target
File opened for reading /sys/devices/system/cpu/possible N/A N/A
File opened for reading /sys/devices/system/cpu/possible /usr/bin/ps N/A
File opened for reading /sys/devices/system/cpu/possible /usr/bin/ps N/A
File opened for reading /sys/devices/system/cpu/possible /usr/bin/ps N/A
File opened for reading /sys/devices/system/cpu/possible N/A N/A
File opened for reading /sys/devices/system/cpu/possible N/A N/A
File opened for reading /sys/devices/system/cpu/possible /usr/bin/ps N/A
File opened for reading /sys/devices/system/cpu/possible /usr/bin/ps N/A
File opened for reading /sys/devices/system/cpu/possible N/A N/A
File opened for reading /sys/devices/system/cpu/possible N/A N/A
File opened for reading /sys/devices/system/cpu/possible /usr/bin/ps N/A
File opened for reading /sys/devices/system/cpu/possible N/A N/A
File opened for reading /sys/devices/system/cpu/possible N/A N/A
File opened for reading /sys/devices/system/cpu/possible N/A N/A
File opened for reading /sys/devices/system/cpu/possible N/A N/A
File opened for reading /sys/devices/system/cpu/possible /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/possible /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/possible /usr/bin/ps N/A
File opened for reading /sys/devices/system/cpu/possible N/A N/A
File opened for reading /sys/devices/system/cpu/possible N/A N/A
File opened for reading /sys/devices/system/cpu/possible /usr/bin/ps N/A
File opened for reading /sys/devices/system/cpu/possible N/A N/A
File opened for reading /sys/devices/system/cpu/possible /usr/bin/ps N/A
File opened for reading /sys/devices/system/cpu/possible /usr/bin/ps N/A
File opened for reading /sys/devices/system/cpu/possible N/A N/A
File opened for reading /sys/devices/system/cpu/possible N/A N/A
File opened for reading /sys/devices/system/cpu/possible N/A N/A
File opened for reading /sys/devices/system/cpu/possible /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/possible /usr/bin/ps N/A
File opened for reading /sys/devices/system/cpu/possible N/A N/A
File opened for reading /sys/devices/system/cpu/possible /usr/bin/ps N/A
File opened for reading /sys/devices/system/cpu/possible /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/possible N/A N/A
File opened for reading /sys/devices/system/cpu/possible N/A N/A
File opened for reading /sys/devices/system/cpu/possible N/A N/A
File opened for reading /sys/devices/system/cpu/possible /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/possible /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/possible /usr/bin/ps N/A
File opened for reading /sys/devices/system/cpu/possible N/A N/A
File opened for reading /sys/devices/system/cpu/possible N/A N/A
File opened for reading /sys/devices/system/cpu/possible /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/possible /usr/bin/ps N/A
File opened for reading /sys/devices/system/cpu/possible N/A N/A
File opened for reading /sys/devices/system/cpu/possible /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/possible N/A N/A
File opened for reading /sys/devices/system/cpu/possible /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/possible /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/possible /usr/bin/ps N/A
File opened for reading /sys/devices/system/cpu/possible N/A N/A
File opened for reading /sys/devices/system/cpu/possible N/A N/A
File opened for reading /sys/devices/system/cpu/possible /usr/bin/ps N/A
File opened for reading /sys/devices/system/cpu/possible N/A N/A
File opened for reading /sys/devices/system/cpu/possible N/A N/A
File opened for reading /sys/devices/system/cpu/possible N/A N/A
File opened for reading /sys/devices/system/cpu/possible /usr/bin/ps N/A
File opened for reading /sys/devices/system/cpu/possible N/A N/A
File opened for reading /sys/devices/system/cpu/possible /usr/bin/ps N/A
File opened for reading /sys/devices/system/cpu/possible N/A N/A
File opened for reading /sys/devices/system/cpu/possible N/A N/A
File opened for reading /sys/devices/system/cpu/possible /usr/bin/pkill N/A
File opened for reading /sys/devices/system/cpu/possible N/A N/A
File opened for reading /sys/devices/system/cpu/possible N/A N/A
File opened for reading /sys/devices/system/cpu/possible N/A N/A
File opened for reading /sys/devices/system/cpu/possible N/A N/A

Enumerates kernel/hardware configuration

discovery
Description Indicator Process Target
File opened for reading /sys/devices/system/node /usr/bin/pkill N/A
File opened for reading /sys/devices/system/node N/A N/A
File opened for reading /sys/devices/system/node N/A N/A
File opened for reading /sys/devices/system/node N/A N/A
File opened for reading /sys/devices/system/node N/A N/A
File opened for reading /sys/devices/system/node /usr/bin/ps N/A
File opened for reading /sys/devices/system/node /usr/bin/pkill N/A
File opened for reading /sys/devices/system/node /usr/bin/ps N/A
File opened for reading /sys/devices/system/node /usr/bin/ps N/A
File opened for reading /sys/devices/system/node N/A N/A
File opened for reading /sys/devices/system/node N/A N/A
File opened for reading /sys/devices/system/node /usr/bin/ps N/A
File opened for reading /sys/devices/system/node /usr/bin/pkill N/A
File opened for reading /sys/devices/system/node /usr/bin/ps N/A
File opened for reading /sys/devices/system/node /usr/bin/pkill N/A
File opened for reading /sys/devices/system/node N/A N/A
File opened for reading /sys/devices/system/node N/A N/A
File opened for reading /sys/devices/system/node /usr/bin/pkill N/A
File opened for reading /sys/devices/system/node /usr/bin/pkill N/A
File opened for reading /sys/devices/system/node /usr/bin/ps N/A
File opened for reading /sys/devices/system/node /usr/bin/ps N/A
File opened for reading /sys/devices/system/node N/A N/A
File opened for reading /sys/devices/system/node N/A N/A
File opened for reading /sys/devices/system/node N/A N/A
File opened for reading /sys/devices/system/node N/A N/A
File opened for reading /sys/devices/system/node /usr/bin/ps N/A
File opened for reading /sys/devices/system/node N/A N/A
File opened for reading /sys/devices/system/node N/A N/A
File opened for reading /sys/devices/system/node N/A N/A
File opened for reading /sys/devices/system/node N/A N/A
File opened for reading /sys/devices/system/node N/A N/A
File opened for reading /sys/devices/system/node /usr/bin/ps N/A
File opened for reading /sys/devices/system/node /usr/bin/pkill N/A
File opened for reading /sys/devices/system/node /usr/bin/ps N/A
File opened for reading /sys/devices/system/node /usr/bin/pkill N/A
File opened for reading /sys/devices/system/node /usr/bin/pkill N/A
File opened for reading /sys/devices/system/node /usr/bin/pkill N/A
File opened for reading /sys/devices/system/node /usr/bin/ps N/A
File opened for reading /sys/devices/system/node N/A N/A
File opened for reading /sys/devices/system/node N/A N/A
File opened for reading /sys/devices/system/node N/A N/A
File opened for reading /sys/devices/system/node N/A N/A
File opened for reading /sys/devices/system/node /usr/bin/pkill N/A
File opened for reading /sys/devices/system/node /usr/bin/ps N/A
File opened for reading /sys/devices/system/node /usr/bin/pkill N/A
File opened for reading /sys/devices/system/node /usr/bin/pkill N/A
File opened for reading /sys/devices/system/node /usr/bin/ps N/A
File opened for reading /sys/devices/system/node N/A N/A
File opened for reading /sys/devices/system/node /usr/bin/ps N/A
File opened for reading /sys/devices/system/node N/A N/A
File opened for reading /sys/devices/system/node N/A N/A
File opened for reading /sys/devices/system/node N/A N/A
File opened for reading /sys/devices/system/node /usr/bin/pkill N/A
File opened for reading /sys/devices/system/node /usr/bin/ps N/A
File opened for reading /sys/devices/system/node /usr/bin/ps N/A
File opened for reading /sys/devices/system/node N/A N/A
File opened for reading /sys/devices/system/node N/A N/A
File opened for reading /sys/devices/system/node N/A N/A
File opened for reading /sys/devices/system/node N/A N/A
File opened for reading /sys/devices/system/node N/A N/A
File opened for reading /sys/devices/system/node /usr/bin/ps N/A
File opened for reading /sys/devices/system/node N/A N/A
File opened for reading /sys/devices/system/node N/A N/A
File opened for reading /sys/devices/system/node N/A N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/2370/cgroup N/A N/A
File opened for reading /proc/63/cgroup N/A N/A
File opened for reading /proc/2300/cmdline N/A N/A
File opened for reading /proc/2367/cmdline /usr/bin/pkill N/A
File opened for reading /proc/37/stat /usr/bin/killall N/A
File opened for reading /proc/2529/stat /usr/bin/pkill N/A
File opened for reading /proc/2867/ctty N/A N/A
File opened for reading /proc/2878/status N/A N/A
File opened for reading /proc/2346/status N/A N/A
File opened for reading /proc/12/stat N/A N/A
File opened for reading /proc/7/status /usr/bin/pkill N/A
File opened for reading /proc/2628 /usr/bin/killall N/A
File opened for reading /proc/2284/cmdline /usr/bin/ps N/A
File opened for reading /proc/sys/kernel/seccomp/actions_avail /usr/bin/sudo N/A
File opened for reading /proc/2877/cmdline /usr/bin/ps N/A
File opened for reading /proc/728/cgroup N/A N/A
File opened for reading /proc/2368/environ N/A N/A
File opened for reading /proc/194/stat /usr/bin/pidof N/A
File opened for reading /proc/2189/environ /usr/bin/ps N/A
File opened for reading /proc/24/cmdline /usr/bin/pkill N/A
File opened for reading /proc/56/stat N/A N/A
File opened for reading /proc/2300/status /usr/bin/ps N/A
File opened for reading /proc/731/stat N/A N/A
File opened for reading /proc/2651/ctty N/A N/A
File opened for reading /proc/2074 /usr/bin/killall N/A
File opened for reading /proc/56/cmdline N/A N/A
File opened for reading /proc/13/stat N/A N/A
File opened for reading /proc/1112/ctty /usr/bin/ps N/A
File opened for reading /proc/2189 /usr/bin/killall N/A
File opened for reading /proc/1400/cmdline /usr/bin/pkill N/A
File opened for reading /proc/31/environ /usr/bin/ps N/A
File opened for reading /proc/52/ctty /usr/bin/pkill N/A
File opened for reading /proc/1067/cgroup N/A N/A
File opened for reading /proc/25/cmdline N/A N/A
File opened for reading /proc/2191/status N/A N/A
File opened for reading /proc/2 /usr/bin/killall N/A
File opened for reading /proc/33/environ /usr/bin/ps N/A
File opened for reading /proc/3545 /usr/bin/killall N/A
File opened for reading /proc/2345/cmdline N/A N/A
File opened for reading /proc/2300/cgroup N/A N/A
File opened for reading /proc/2523 /usr/bin/killall N/A
File opened for reading /proc/1085/stat /usr/bin/pkill N/A
File opened for reading /proc/2621/environ /usr/bin/ps N/A
File opened for reading /proc/2867/cgroup N/A N/A
File opened for reading /proc/2352/status /usr/bin/ps N/A
File opened for reading /proc/199/status /usr/bin/pkill N/A
File opened for reading /proc/357/ctty N/A N/A
File opened for reading /proc/2300/stat N/A N/A
File opened for reading /proc/8 N/A N/A
File opened for reading /proc/51 N/A N/A
File opened for reading /proc/2610/cmdline N/A N/A
File opened for reading /proc/21/ctty /usr/bin/pkill N/A
File opened for reading /proc/2639/cmdline /usr/bin/pkill N/A
File opened for reading /proc/457/stat N/A N/A
File opened for reading /proc/2539/cmdline /usr/bin/ps N/A
File opened for reading /proc/49/status N/A N/A
File opened for reading /proc/2870/cmdline /usr/bin/ps N/A
File opened for reading /proc/2161/cmdline /usr/bin/pkill N/A
File opened for reading /proc/2682/stat /usr/bin/ps N/A
File opened for reading /proc/2370/stat /usr/bin/ps N/A
File opened for reading /proc/2807/ctty N/A N/A
File opened for reading /proc/2373/environ N/A N/A
File opened for reading /proc/2468 N/A N/A
File opened for reading /proc/793/environ N/A N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/nc /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/103b8404dc64c9a44511675981a09fd01395ee837452d114f1350c295357c046 N/A
File opened for modification /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/.local_2149 /usr/bin/touch N/A
File opened for modification /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/.local_20765 N/A N/A
File opened for modification /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/.local_10129 /usr/bin/touch N/A
File opened for modification /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/.local_19923 /usr/bin/touch N/A
File opened for modification /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/.local_29275 N/A N/A
File opened for modification /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/.local_21234 N/A N/A
File opened for modification /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/.local_28289 /usr/bin/touch N/A
File opened for modification /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/.local_4503 /usr/bin/touch N/A
File opened for modification /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/.local_24732 /usr/bin/touch N/A
File opened for modification /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/.local_20634 N/A N/A
File opened for modification /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/.local_30673 N/A N/A
File opened for modification /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/.local_9137 N/A N/A
File opened for modification /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/.local_9481 N/A N/A
File opened for modification /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/.local_15039 /usr/bin/touch N/A
File opened for modification /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/.local_9750 /usr/bin/touch N/A
File opened for modification /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/.local_7509 /usr/bin/touch N/A
File opened for modification /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/.local_31374 N/A N/A
File opened for modification /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/.local_20654 /usr/bin/touch N/A
File opened for modification /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/.local_24420 /usr/bin/touch N/A
File opened for modification /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/.local_22887 N/A N/A
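The process list below records one recognisable sequence, repeated once per .local_N file: the sample tests whether it holds root by creating a file through sudo -S touch, inspecting its owner with ls -l piped into grep -c root, and removing it through sudo rm again; it reads sshd and auth logs; it filters ps output for miner keywords (xmr, cryptonight, stratum); it kills competitor processes by name, including names in brackets that mimic how ps displays kernel threads; and it wipes dot-directories under /tmp and /var/tmp. The detector that follows is an added example, not part of the sandbox output, that turns that sequence into a rule over process-creation events. The event list is constructed from the command lines in this report; the stage names, hit threshold and verdict labels are assumptions for illustration, not sandbox signatures.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of process-creation events (image, command line), copied
# from the command lines this report records for the sample. A real deployment
# would feed auditd EXECVE records or EDR process telemetry instead.
SAMPLE_EVENTS = [
    ("/usr/bin/uname", "uname -a"),
    ("/usr/bin/cat", "cat /proc/cpuinfo"),
    ("/usr/bin/journalctl", "journalctl -S @0 -u sshd"),
    ("/usr/bin/cat", "cat /var/log/auth*"),
    ("/usr/bin/zcat", "zcat /var/log/auth*"),
    ("/usr/bin/which", "which sudo"),
    ("/usr/bin/sudo", "sudo -S touch .local_20654"),
    ("/usr/bin/ls", "ls -l .local_20654"),
    ("/usr/bin/grep", "grep -c root"),
    ("/usr/bin/sudo", "sudo rm .local_20654"),
    ("/usr/bin/sudo", "sudo ps auxff"),
    ("/usr/bin/grep", "grep ./crond -t=all"),
    ("/usr/bin/grep", "grep -v grep"),
    ("/usr/bin/sudo", "sudo killall -9 bssh"),
    ("/usr/bin/sudo", "sudo rm -rf /tmp/.an"),
    ("/usr/bin/sudo", "sudo pkill daemon.mips.mod"),
    ("/usr/bin/rm", "rm -rf /var/tmp/. *"),
    ("/usr/bin/grep", "grep xmr"),
    ("/usr/bin/grep", "grep cryptonight"),
    ("/usr/bin/grep", "grep stratum"),
    ("/usr/bin/sudo", "sudo killall -9 [ntpd]"),
    ("/usr/bin/sudo", "sudo rm -rf /tmp/.xm*"),
    ("/usr/bin/pidof", "pidof libexec"),
]

# Keywords the sample greps for in ps output (assumed list, taken from the report).
MINER_KEYWORDS = {"xmr", "cryptonight", "stratum", "xm64"}

# Stages of the privilege probe: create a file through sudo, inspect its owner,
# delete it through sudo again. All three on the same file name is the signal.
ROOT_TOUCH = re.compile(r"^sudo -S touch (\S+)$")
ROOT_LS = re.compile(r"^ls -l (\S+)$")
ROOT_RM = re.compile(r"^sudo rm (\S+)$")
KILL = re.compile(r"^(?:sudo )?(?:killall(?: -9)?|pkill) (\S+)$")
GREP = re.compile(r"^grep (\S+)$")
HIDDEN_TMP = re.compile(r"^(?:sudo )?rm -rf (/(?:var/)?tmp/\.\S*)")
SSH_LOG = re.compile(r"^(?:journalctl .*-u sshd|(?:cat|zcat|gzip -cd) /var/log/auth\*)$")


@dataclass
class Findings:
    root_probes: list = field(default_factory=list)       # files used to test for root
    ssh_log_reads: list = field(default_factory=list)     # sshd / auth log access
    miner_greps: list = field(default_factory=list)       # ps output filtered for miner keywords
    competitor_kills: list = field(default_factory=list)  # process names killed by name
    hidden_tmp_wipes: list = field(default_factory=list)  # dot-directories removed from tmp

    def hit_count(self) -> int:
        return sum(bool(v) for v in vars(self).values())

    def verdict(self) -> str:
        # The root probe plus killing named competitors is the core of the pattern;
        # two further behaviours on top is the (assumed) threshold to call it.
        if self.root_probes and self.competitor_kills and self.hit_count() >= 4:
            return "fritzfrog-like"
        return "suspicious" if self.hit_count() >= 2 else "benign"


def analyze(events) -> Findings:
    f = Findings()
    stages = {}  # probe file name -> set of stages observed for that file
    for _image, cmd in events:
        if m := ROOT_TOUCH.match(cmd):
            stages.setdefault(m.group(1), set()).add("touch")
        elif m := ROOT_LS.match(cmd):
            stages.setdefault(m.group(1), set()).add("ls")
        elif m := HIDDEN_TMP.match(cmd):
            f.hidden_tmp_wipes.append(m.group(1))
        elif m := ROOT_RM.match(cmd):
            stages.setdefault(m.group(1), set()).add("rm")
        elif m := KILL.match(cmd):
            f.competitor_kills.append(m.group(1))
        elif (m := GREP.match(cmd)) and m.group(1).lower() in MINER_KEYWORDS:
            f.miner_greps.append(m.group(1))
        elif SSH_LOG.match(cmd):
            f.ssh_log_reads.append(cmd)
    # Only a file that went through touch, ls and rm counts as a root probe;
    # a lone "ls -l something" is ordinary administration.
    f.root_probes = [name for name, seen in stages.items() if {"touch", "ls", "rm"} <= seen]
    return f


if __name__ == "__main__":
    result = analyze(SAMPLE_EVENTS)
    print(result.verdict(), result)
```

The individual commands are all ordinary administration; the detection value lies in correlating them, which is why the probe is only scored once the same file name has been touched via sudo, listed and removed, and why the verdict needs the kill stage plus at least two other behaviours rather than any single match.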

Processes

/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/103b8404dc64c9a44511675981a09fd01395ee837452d114f1350c295357c046

[/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/103b8404dc64c9a44511675981a09fd01395ee837452d114f1350c295357c046]

/usr/bin/uname

[uname -a]

/usr/bin/cat

[cat /proc/cpuinfo]

/usr/bin/cat

[cat /etc/issue]

/usr/bin/free

[free -m]

/usr/bin/uptime

[uptime]

/usr/bin/journalctl

[journalctl -S @0 -u sshd]

/usr/bin/cat

[cat /var/log/auth*]

/usr/bin/zcat

[zcat /var/log/auth*]

/usr/local/sbin/gzip

[gzip -cd /var/log/auth*]

/usr/local/bin/gzip

[gzip -cd /var/log/auth*]

/usr/sbin/gzip

[gzip -cd /var/log/auth*]

/usr/bin/gzip

[gzip -cd /var/log/auth*]

/bin/bash

[/bin/bash -]

/usr/bin/which

[which sudo]

/usr/bin/wc

[wc -l]

/usr/bin/sudo

[sudo -S touch .local_20654]

/usr/bin/touch

[touch .local_20654]

/usr/bin/grep

[grep -c root]

/usr/bin/ls

[ls -l .local_20654]

/usr/bin/sudo

[sudo rm .local_20654]

/usr/bin/rm

[rm .local_20654]

/usr/bin/sudo

[sudo ps auxff]

/usr/bin/grep

[grep ./crond -t=all]

/usr/bin/grep

[grep -v grep]

/usr/bin/awk

[awk { print $2 }]

/usr/bin/ps

[ps auxff]

/usr/bin/sudo

[sudo killall -9 bssh]

/usr/bin/killall

[killall -9 bssh]

/usr/bin/sudo

[sudo rm -rf /tmp/.an]

/usr/bin/rm

[rm -rf /tmp/.an]

/usr/bin/sudo

[sudo killall -9 xm64]

/usr/bin/killall

[killall -9 xm64]

/usr/bin/sudo

[sudo killall -9 rpc.idmapd]

/usr/bin/killall

[killall -9 rpc.idmapd]

/usr/bin/sudo

[sudo rm -rf /tmp/.m2]

/usr/bin/rm

[rm -rf /tmp/.m2]

/usr/bin/sudo

[sudo killall -9 xorgg]

/usr/bin/killall

[killall -9 xorgg]

/usr/bin/sudo

[sudo rm -rf /tmp/seconfig]

/usr/bin/rm

[rm -rf /tmp/seconfig]

/usr/bin/sudo

[sudo killall -9 crond64]

/usr/bin/killall

[killall -9 crond64]

/usr/bin/sudo

[sudo killall -9 tsm]

/usr/bin/killall

[killall -9 tsm]

/usr/bin/sudo

[sudo rm -rf /tmp/.ssh]

/usr/bin/rm

[rm -rf /tmp/.ssh]

/usr/bin/sudo

[sudo rm -rf /tmp/.java]

/usr/bin/rm

[rm -rf /tmp/.java]

/usr/bin/sudo

[sudo rm -rf /tmp/.iolanda]

/usr/bin/rm

[rm -rf /tmp/.iolanda]

/usr/bin/sudo

[sudo pkill test.mod]

/usr/bin/pkill

[pkill test.mod]

/usr/bin/sudo

[sudo pkill daemon.i686.mod]

/usr/bin/pkill

[pkill daemon.i686.mod]

/usr/bin/sudo

[sudo pkill daemon.armv4l.mod]

/usr/bin/pkill

[pkill daemon.armv4l.mod]

/usr/bin/sudo

[sudo pkill daemon.mips.mod]

/usr/bin/pkill

[pkill daemon.mips.mod]

/usr/bin/sudo

[sudo pkill daemon.mipsel.mod]

/usr/bin/pkill

[pkill daemon.mipsel.mod]

/usr/bin/sudo

[sudo rm -rf /tmp/.xs]

/usr/bin/rm

[rm -rf /tmp/.xs]

/usr/bin/sudo

[sudo pkill ld-linux-x86-64]

/usr/bin/pkill

[pkill ld-linux-x86-64]

/usr/bin/rm

[rm -rf /var/tmp/. *]

/usr/bin/sudo

[sudo ps auxf]

/usr/bin/grep

[grep xmr]

/usr/bin/grep

[grep -v grep]

/usr/bin/awk

[awk { print $2 }]

/usr/bin/ps

[ps auxf]

/usr/bin/sudo

[sudo ps auxf]

/usr/bin/grep

[grep cryptonight]

/usr/bin/grep

[grep -v grep]

/usr/bin/awk

[awk { print $2 }]

/usr/bin/ps

[ps auxf]

/usr/bin/sudo

[sudo ps auxf]

/usr/bin/grep

[grep stratum]

/usr/bin/grep

[grep -v grep]

/usr/bin/awk

[awk { print $2 }]

/usr/bin/ps

[ps auxf]

/usr/bin/sudo

[sudo ps auxf]

/usr/bin/grep

[grep dbus-daemon--system]

/usr/bin/grep

[grep -v grep]

/usr/bin/awk

[awk { print $2 }]

/usr/bin/ps

[ps auxf]

/usr/bin/sudo

[sudo ps auxf]

/usr/bin/grep

[grep \[\]]

/usr/bin/grep

[grep -v grep]

/usr/bin/awk

[awk { print $2 }]

/usr/bin/ps

[ps auxf]

/usr/bin/sudo

[sudo ps auxf]

/usr/bin/grep

[grep xm64]

/usr/bin/grep

[grep -v grep]

/usr/bin/awk

[awk { print $2 }]

/usr/bin/ps

[ps auxf]

/usr/bin/sudo

[sudo killall -9 [atd]]

/usr/bin/killall

[killall -9 [atd]]

/usr/bin/sudo

[sudo rm -rf /tmp/.jk]

/usr/bin/rm

[rm -rf /tmp/.jk]

/usr/bin/sudo

[sudo killall -9 [ntpd]]

/usr/bin/killall

[killall -9 [ntpd]]

/usr/bin/sudo

[sudo killall -9 [rpciod]]

/usr/bin/killall

[killall -9 [rpciod]]

/usr/bin/sudo

[sudo killall -9 [ext4-dio-unwrit]]

/usr/bin/killall

[killall -9 [ext4-dio-unwrit]]

/usr/bin/sudo

[sudo rm -rf /tmp/.xm*]

/usr/bin/rm

[rm -rf /tmp/.xm*]

/usr/bin/pidof

[pidof libexec]

/usr/bin/free

[free -m]

/usr/bin/uptime

[uptime]

/bin/bash

[/bin/bash -]

/usr/bin/which

[which sudo]

/usr/bin/wc

[wc -l]

/usr/bin/sudo

[sudo -S touch .local_28289]

/usr/bin/touch

[touch .local_28289]

/usr/bin/grep

[grep -c root]

/usr/bin/ls

[ls -l .local_28289]

/usr/bin/sudo

[sudo rm .local_28289]

/usr/bin/rm

[rm .local_28289]

/usr/bin/sudo

[sudo ps auxff]

/usr/bin/grep

[grep ./crond -t=all]

/usr/bin/grep

[grep -v grep]

/usr/bin/awk

[awk { print $2 }]

/usr/bin/ps

[ps auxff]

/usr/bin/sudo

[sudo killall -9 bssh]

/usr/bin/killall

[killall -9 bssh]

/usr/bin/sudo

[sudo rm -rf /tmp/.an]

/usr/bin/rm

[rm -rf /tmp/.an]

/usr/bin/sudo

[sudo killall -9 xm64]

/usr/bin/killall

[killall -9 xm64]

/usr/bin/sudo

[sudo killall -9 rpc.idmapd]

/usr/bin/killall

[killall -9 rpc.idmapd]

/usr/bin/sudo

[sudo rm -rf /tmp/.m2]

/usr/bin/rm

[rm -rf /tmp/.m2]

/usr/bin/sudo

[sudo killall -9 xorgg]

/usr/bin/killall

[killall -9 xorgg]

/usr/bin/sudo

[sudo rm -rf /tmp/seconfig]

/usr/bin/rm

[rm -rf /tmp/seconfig]

/usr/bin/sudo

[sudo killall -9 crond64]

/usr/bin/killall

[killall -9 crond64]

/usr/bin/sudo

[sudo killall -9 tsm]

/usr/bin/killall

[killall -9 tsm]

/usr/bin/sudo

[sudo rm -rf /tmp/.ssh]

/usr/bin/rm

[rm -rf /tmp/.ssh]

/usr/bin/sudo

[sudo rm -rf /tmp/.java]

/usr/bin/rm

[rm -rf /tmp/.java]

/usr/bin/sudo

[sudo rm -rf /tmp/.iolanda]

/usr/bin/rm

[rm -rf /tmp/.iolanda]

/usr/bin/sudo

[sudo pkill test.mod]

/usr/bin/pkill

[pkill test.mod]

/usr/bin/sudo

[sudo pkill daemon.i686.mod]

/usr/bin/pkill

[pkill daemon.i686.mod]

/usr/bin/sudo

[sudo pkill daemon.armv4l.mod]

/usr/bin/pkill

[pkill daemon.armv4l.mod]

/usr/bin/sudo

[sudo pkill daemon.mips.mod]

/usr/bin/pkill

[pkill daemon.mips.mod]

/usr/bin/sudo

[sudo pkill daemon.mipsel.mod]

/usr/bin/pkill

[pkill daemon.mipsel.mod]

/usr/bin/sudo

[sudo rm -rf /tmp/.xs]

/usr/bin/rm

[rm -rf /tmp/.xs]

/usr/bin/sudo

[sudo pkill ld-linux-x86-64]

/usr/bin/pkill

[pkill ld-linux-x86-64]

/usr/bin/rm

[rm -rf /var/tmp/. *]

/usr/bin/sudo

[sudo ps auxf]

/usr/bin/grep

[grep xmr]

/usr/bin/grep

[grep -v grep]

/usr/bin/awk

[awk { print $2 }]

/usr/bin/ps

[ps auxf]

/usr/bin/sudo

[sudo ps auxf]

/usr/bin/grep

[grep cryptonight]

/usr/bin/grep

[grep -v grep]

/usr/bin/awk

[awk { print $2 }]

/usr/bin/ps

[ps auxf]

/usr/bin/sudo

[sudo ps auxf]

/usr/bin/grep

[grep stratum]

/usr/bin/grep

[grep -v grep]

/usr/bin/awk

[awk { print $2 }]

/usr/bin/ps

[ps auxf]

/usr/bin/sudo

[sudo ps auxf]

/usr/bin/grep

[grep dbus-daemon--system]

/usr/bin/grep

[grep -v grep]

/usr/bin/awk

[awk { print $2 }]

/usr/bin/ps

[ps auxf]

/usr/bin/sudo

[sudo ps auxf]

/usr/bin/grep

[grep \[\]]

/usr/bin/grep

[grep -v grep]

/usr/bin/awk

[awk { print $2 }]

/usr/bin/ps

[ps auxf]

/usr/bin/sudo

[sudo ps auxf]

/usr/bin/grep

[grep xm64]

/usr/bin/grep

[grep -v grep]

/usr/bin/awk

[awk { print $2 }]

/usr/bin/ps

[ps auxf]

/usr/bin/sudo

[sudo killall -9 [atd]]

/usr/bin/killall

[killall -9 [atd]]

/usr/bin/sudo

[sudo rm -rf /tmp/.jk]

/usr/bin/rm

[rm -rf /tmp/.jk]

/usr/bin/sudo

[sudo killall -9 [ntpd]]

/usr/bin/killall

[killall -9 [ntpd]]

/usr/bin/sudo

[sudo killall -9 [rpciod]]

/usr/bin/killall

[killall -9 [rpciod]]

/usr/bin/sudo

[sudo killall -9 [ext4-dio-unwrit]]

/usr/bin/killall

[killall -9 [ext4-dio-unwrit]]

/usr/bin/sudo

[sudo rm -rf /tmp/.xm*]

/usr/bin/rm

[rm -rf /tmp/.xm*]

/usr/bin/pidof

[pidof libexec]

/usr/bin/free

[free -m]

/usr/bin/uptime

[uptime]

/bin/bash

[/bin/bash -]

/usr/bin/which

[which sudo]

/usr/bin/wc

[wc -l]

/usr/bin/sudo

[sudo -S touch .local_2149]

/usr/bin/touch

[touch .local_2149]

/usr/bin/ls

[ls -l .local_2149]

/usr/bin/grep

[grep -c root]

/usr/bin/sudo

[sudo rm .local_2149]

/usr/bin/rm

[rm .local_2149]

/usr/bin/sudo

[sudo ps auxff]

/usr/bin/grep

[grep ./crond -t=all]

/usr/bin/grep

[grep -v grep]

/usr/bin/awk

[awk { print $2 }]

/usr/bin/ps

[ps auxff]

/usr/bin/sudo

[sudo killall -9 bssh]

/usr/bin/killall

[killall -9 bssh]

/usr/bin/sudo

[sudo rm -rf /tmp/.an]

/usr/bin/rm

[rm -rf /tmp/.an]

/usr/bin/sudo

[sudo killall -9 xm64]

/usr/bin/killall

[killall -9 xm64]

/usr/bin/sudo

[sudo killall -9 rpc.idmapd]

/usr/bin/killall

[killall -9 rpc.idmapd]

/usr/bin/sudo

[sudo rm -rf /tmp/.m2]

/usr/bin/rm

[rm -rf /tmp/.m2]

/usr/bin/sudo

[sudo killall -9 xorgg]

/usr/bin/killall

[killall -9 xorgg]

/usr/bin/sudo

[sudo rm -rf /tmp/seconfig]

/usr/bin/rm

[rm -rf /tmp/seconfig]

/usr/bin/sudo

[sudo killall -9 crond64]

/usr/bin/killall

[killall -9 crond64]

/usr/bin/sudo

[sudo killall -9 tsm]

/usr/bin/killall

[killall -9 tsm]

/usr/bin/sudo

[sudo rm -rf /tmp/.ssh]

/usr/bin/rm

[rm -rf /tmp/.ssh]

/usr/bin/sudo

[sudo rm -rf /tmp/.java]

/usr/bin/rm

[rm -rf /tmp/.java]

/usr/bin/sudo

[sudo rm -rf /tmp/.iolanda]

/usr/bin/rm

[rm -rf /tmp/.iolanda]

/usr/bin/sudo

[sudo pkill test.mod]

/usr/bin/pkill

[pkill test.mod]

/usr/bin/sudo

[sudo pkill daemon.i686.mod]

/usr/bin/pkill

[pkill daemon.i686.mod]

/usr/bin/sudo

[sudo pkill daemon.armv4l.mod]

/usr/bin/pkill

[pkill daemon.armv4l.mod]

/usr/bin/sudo

[sudo pkill daemon.mips.mod]

/usr/bin/pkill

[pkill daemon.mips.mod]

/usr/bin/sudo

[sudo pkill daemon.mipsel.mod]

/usr/bin/pkill

[pkill daemon.mipsel.mod]

/usr/bin/sudo

[sudo rm -rf /tmp/.xs]

/usr/bin/rm

[rm -rf /tmp/.xs]

/usr/bin/sudo

[sudo pkill ld-linux-x86-64]

/usr/bin/pkill

[pkill ld-linux-x86-64]

/usr/bin/rm

[rm -rf /var/tmp/. *]

/usr/bin/sudo

[sudo ps auxf]

/usr/bin/grep

[grep xmr]

/usr/bin/grep

[grep -v grep]

/usr/bin/awk

[awk { print $2 }]

/usr/bin/ps

[ps auxf]

/usr/bin/sudo

[sudo ps auxf]

/usr/bin/grep

[grep cryptonight]

/usr/bin/grep

[grep -v grep]

/usr/bin/awk

[awk { print $2 }]

/usr/bin/ps

[ps auxf]

/usr/bin/sudo

[sudo ps auxf]

/usr/bin/grep

[grep stratum]

/usr/bin/grep

[grep -v grep]

/usr/bin/awk

[awk { print $2 }]

/usr/bin/ps

[ps auxf]

/usr/bin/sudo

[sudo ps auxf]

/usr/bin/grep

[grep dbus-daemon--system]

/usr/bin/grep

[grep -v grep]

/usr/bin/awk

[awk { print $2 }]

/usr/bin/ps

[ps auxf]

/usr/bin/sudo

[sudo ps auxf]

/usr/bin/grep

[grep -v grep]

/usr/bin/grep

[grep \[\]]

/usr/bin/awk

[awk { print $2 }]

/usr/bin/ps

[ps auxf]

/usr/bin/sudo

[sudo ps auxf]

/usr/bin/grep

[grep xm64]

/usr/bin/grep

[grep -v grep]

/usr/bin/awk

[awk { print $2 }]

/usr/bin/ps

[ps auxf]

/usr/bin/sudo

[sudo killall -9 [atd]]

/usr/bin/killall

[killall -9 [atd]]

/usr/bin/sudo

[sudo rm -rf /tmp/.jk]

/usr/bin/rm

[rm -rf /tmp/.jk]

/usr/bin/sudo

[sudo killall -9 [ntpd]]

/usr/bin/killall

[killall -9 [ntpd]]

/usr/bin/sudo

[sudo killall -9 [rpciod]]

/usr/bin/killall

[killall -9 [rpciod]]

/usr/bin/sudo

[sudo killall -9 [ext4-dio-unwrit]]

/usr/bin/killall

[killall -9 [ext4-dio-unwrit]]

/usr/bin/sudo

[sudo rm -rf /tmp/.xm*]

/usr/bin/rm

[rm -rf /tmp/.xm*]

/usr/bin/pidof

[pidof libexec]

/bin/bash

[/bin/bash -]

/usr/bin/which

[which sudo]

/usr/bin/wc

[wc -l]

/usr/bin/sudo

[sudo -S touch .local_4503]

/usr/bin/touch

[touch .local_4503]

/usr/bin/ls

[ls -l .local_4503]

/usr/bin/grep

[grep -c root]

/usr/bin/sudo

[sudo rm .local_4503]

/usr/bin/rm

[rm .local_4503]

/usr/bin/sudo

[sudo ps auxff]

/usr/bin/grep

[grep ./crond -t=all]

/usr/bin/awk

[awk { print $2 }]

/usr/bin/grep

[grep -v grep]

/usr/bin/ps

[ps auxff]

/usr/bin/sudo

[sudo killall -9 bssh]

/usr/bin/killall

[killall -9 bssh]

/usr/bin/sudo

[sudo rm -rf /tmp/.an]

/usr/bin/rm

[rm -rf /tmp/.an]

/usr/bin/sudo

[sudo killall -9 xm64]

/usr/bin/killall

[killall -9 xm64]

/usr/bin/sudo

[sudo killall -9 rpc.idmapd]

/usr/bin/killall

[killall -9 rpc.idmapd]

/usr/bin/sudo

[sudo rm -rf /tmp/.m2]

/usr/bin/rm

[rm -rf /tmp/.m2]

/usr/bin/sudo

[sudo killall -9 xorgg]

/usr/bin/killall

[killall -9 xorgg]

/usr/bin/sudo

[sudo rm -rf /tmp/seconfig]

/usr/bin/rm

[rm -rf /tmp/seconfig]

/usr/bin/sudo

[sudo killall -9 crond64]

/usr/bin/killall

[killall -9 crond64]

/usr/bin/sudo

[sudo killall -9 tsm]

/usr/bin/killall

[killall -9 tsm]

/usr/bin/sudo

[sudo rm -rf /tmp/.ssh]

/usr/bin/rm

[rm -rf /tmp/.ssh]

/usr/bin/sudo

[sudo rm -rf /tmp/.java]

/usr/bin/rm

[rm -rf /tmp/.java]

/usr/bin/sudo

[sudo rm -rf /tmp/.iolanda]

/usr/bin/rm

[rm -rf /tmp/.iolanda]

/usr/bin/sudo

[sudo pkill test.mod]

/usr/bin/pkill

[pkill test.mod]

/usr/bin/sudo

[sudo pkill daemon.i686.mod]

/usr/bin/pkill

[pkill daemon.i686.mod]

/usr/bin/sudo

[sudo pkill daemon.armv4l.mod]

/usr/bin/pkill

[pkill daemon.armv4l.mod]

/usr/bin/sudo

[sudo pkill daemon.mips.mod]

/usr/bin/pkill

[pkill daemon.mips.mod]

/usr/bin/sudo

[sudo pkill daemon.mipsel.mod]

/usr/bin/pkill

[pkill daemon.mipsel.mod]

/usr/bin/sudo

[sudo rm -rf /tmp/.xs]

/usr/bin/rm

[rm -rf /tmp/.xs]

/usr/bin/sudo

[sudo pkill ld-linux-x86-64]

/usr/bin/pkill

[pkill ld-linux-x86-64]

/usr/bin/rm

[rm -rf /var/tmp/. *]

/usr/bin/sudo

[sudo ps auxf]

/usr/bin/grep

[grep xmr]

/usr/bin/grep

[grep -v grep]

/usr/bin/awk

[awk { print $2 }]

/usr/bin/ps

[ps auxf]

/usr/bin/sudo

[sudo ps auxf]

/usr/bin/grep

[grep cryptonight]

/usr/bin/grep

[grep -v grep]

/usr/bin/awk

[awk { print $2 }]

/usr/bin/ps

[ps auxf]

/usr/bin/sudo

[sudo ps auxf]

/usr/bin/grep

[grep stratum]

/usr/bin/grep

[grep -v grep]

/usr/bin/awk

[awk { print $2 }]

/usr/bin/ps

[ps auxf]

/usr/bin/sudo

[sudo ps auxf]

/usr/bin/grep

[grep dbus-daemon--system]

/usr/bin/grep

[grep -v grep]

/usr/bin/awk

[awk { print $2 }]

/usr/bin/ps

[ps auxf]

/usr/bin/sudo

[sudo ps auxf]

/usr/bin/grep

[grep \[\]]

/usr/bin/grep

[grep -v grep]

/usr/bin/awk

[awk { print $2 }]

/usr/bin/ps

[ps auxf]

/usr/bin/sudo

[sudo ps auxf]

/usr/bin/grep

[grep xm64]

/usr/bin/grep

[grep -v grep]

/usr/bin/awk

[awk { print $2 }]

/usr/bin/ps

[ps auxf]

/usr/bin/sudo

[sudo killall -9 [atd]]

/usr/bin/killall

[killall -9 [atd]]

/usr/bin/sudo

[sudo rm -rf /tmp/.jk]

/usr/bin/rm

[rm -rf /tmp/.jk]

/usr/bin/sudo

[sudo killall -9 [ntpd]]

/usr/bin/killall

[killall -9 [ntpd]]

/usr/bin/sudo

[sudo killall -9 [rpciod]]

/usr/bin/killall

[killall -9 [rpciod]]

/usr/bin/sudo

[sudo killall -9 [ext4-dio-unwrit]]

/usr/bin/killall

[killall -9 [ext4-dio-unwrit]]

/usr/bin/sudo

[sudo rm -rf /tmp/.xm*]

/usr/bin/rm

[rm -rf /tmp/.xm*]

/usr/bin/pidof

[pidof libexec]

/usr/bin/free

[free -m]

/usr/bin/uptime

[uptime]

/bin/bash

[/bin/bash -]

/usr/bin/which

[which sudo]

/usr/bin/wc

[wc -l]

/usr/bin/sudo

[sudo -S touch .local_24732]

/usr/bin/touch

[touch .local_24732]

/usr/bin/ls

[ls -l .local_24732]

/usr/bin/grep

[grep -c root]

/usr/bin/sudo

[sudo rm .local_24732]

/usr/bin/rm

[rm .local_24732]

/usr/bin/sudo

[sudo ps auxff]

/usr/bin/grep

[grep ./crond -t=all]

/usr/bin/grep

[grep -v grep]

/usr/bin/awk

[awk { print $2 }]

/usr/bin/ps

[ps auxff]

/usr/bin/sudo

[sudo killall -9 bssh]

/usr/bin/killall

[killall -9 bssh]

/usr/bin/sudo

[sudo rm -rf /tmp/.an]

/usr/bin/rm

[rm -rf /tmp/.an]

/usr/bin/sudo

[sudo killall -9 xm64]

/usr/bin/killall

[killall -9 xm64]

/usr/bin/sudo

[sudo killall -9 rpc.idmapd]

/usr/bin/killall

[killall -9 rpc.idmapd]

/usr/bin/sudo

[sudo rm -rf /tmp/.m2]

/usr/bin/rm

[rm -rf /tmp/.m2]

/usr/bin/sudo

[sudo killall -9 xorgg]

/usr/bin/killall

[killall -9 xorgg]

/usr/bin/sudo

[sudo rm -rf /tmp/seconfig]

/usr/bin/rm

[rm -rf /tmp/seconfig]

/usr/bin/sudo

[sudo killall -9 crond64]

/usr/bin/killall

[killall -9 crond64]

/usr/bin/sudo

[sudo killall -9 tsm]

/usr/bin/killall

[killall -9 tsm]

/usr/bin/sudo

[sudo rm -rf /tmp/.ssh]

/usr/bin/rm

[rm -rf /tmp/.ssh]

/usr/bin/sudo

[sudo rm -rf /tmp/.java]

/usr/bin/rm

[rm -rf /tmp/.java]

/usr/bin/sudo

[sudo rm -rf /tmp/.iolanda]

/usr/bin/rm

[rm -rf /tmp/.iolanda]

/usr/bin/sudo

[sudo pkill test.mod]

/usr/bin/pkill

[pkill test.mod]

/usr/bin/sudo

[sudo pkill daemon.i686.mod]

/usr/bin/pkill

[pkill daemon.i686.mod]

/usr/bin/sudo

[sudo pkill daemon.armv4l.mod]

/usr/bin/pkill

[pkill daemon.armv4l.mod]

/usr/bin/sudo

[sudo pkill daemon.mips.mod]

/usr/bin/pkill

[pkill daemon.mips.mod]

/usr/bin/sudo

[sudo pkill daemon.mipsel.mod]

/usr/bin/pkill

[pkill daemon.mipsel.mod]

/usr/bin/sudo

[sudo rm -rf /tmp/.xs]

/usr/bin/rm

[rm -rf /tmp/.xs]

/usr/bin/sudo

[sudo pkill ld-linux-x86-64]

/usr/bin/pkill

[pkill ld-linux-x86-64]

/usr/bin/rm

[rm -rf /var/tmp/. *]

/usr/bin/sudo

[sudo ps auxf]

/usr/bin/grep

[grep xmr]

/usr/bin/grep

[grep -v grep]

/usr/bin/awk

[awk { print $2 }]

/usr/bin/ps

[ps auxf]

/usr/bin/sudo

[sudo ps auxf]

/usr/bin/grep

[grep cryptonight]

/usr/bin/grep

[grep -v grep]

/usr/bin/awk

[awk { print $2 }]

/usr/bin/ps

[ps auxf]

/usr/bin/sudo

[sudo ps auxf]

/usr/bin/grep

[grep stratum]

/usr/bin/grep

[grep -v grep]

/usr/bin/awk

[awk { print $2 }]

/usr/bin/ps

[ps auxf]

/usr/bin/sudo

[sudo ps auxf]

/usr/bin/grep

[grep dbus-daemon--system]

/usr/bin/grep

[grep -v grep]

/usr/bin/awk

[awk { print $2 }]

/usr/bin/ps

[ps auxf]

/usr/bin/sudo

[sudo ps auxf]

/usr/bin/grep

[grep \[\]]

/usr/bin/grep

[grep -v grep]

/usr/bin/awk

[awk { print $2 }]

/usr/bin/ps

[ps auxf]

/usr/bin/sudo

[sudo ps auxf]

/usr/bin/grep

[grep xm64]

/usr/bin/grep

[grep -v grep]

/usr/bin/awk

[awk { print $2 }]

/usr/bin/ps

[ps auxf]

/usr/bin/sudo

[sudo killall -9 [atd]]

/usr/bin/killall

[killall -9 [atd]]

/usr/bin/sudo

[sudo rm -rf /tmp/.jk]

/usr/bin/rm

[rm -rf /tmp/.jk]

/usr/bin/sudo

[sudo killall -9 [ntpd]]

/usr/bin/killall

[killall -9 [ntpd]]

/usr/bin/sudo

[sudo killall -9 [rpciod]]

/usr/bin/killall

[killall -9 [rpciod]]

/usr/bin/sudo

[sudo killall -9 [ext4-dio-unwrit]]

/usr/bin/killall

[killall -9 [ext4-dio-unwrit]]

/usr/bin/sudo

[sudo rm -rf /tmp/.xm*]

/usr/bin/rm

[rm -rf /tmp/.xm*]

/usr/bin/pidof

[pidof libexec]

/usr/bin/free

[free -m]

/usr/bin/uptime

[uptime]

/bin/bash

[/bin/bash -]

/usr/bin/which

[which sudo]

/usr/bin/wc

[wc -l]

/usr/bin/sudo

[sudo -S touch .local_15039]

/usr/bin/touch

[touch .local_15039]

/usr/bin/ls

[ls -l .local_15039]

/usr/bin/grep

[grep -c root]

/usr/bin/sudo

[sudo rm .local_15039]

/usr/bin/rm

[rm .local_15039]

/usr/bin/sudo

[sudo ps auxff]

/usr/bin/grep

[grep ./crond -t=all]

/usr/bin/grep

[grep -v grep]

/usr/bin/awk

[awk { print $2 }]

/usr/bin/ps

[ps auxff]

/usr/bin/sudo

[sudo killall -9 bssh]

/usr/bin/killall

[killall -9 bssh]

/usr/bin/sudo

[sudo rm -rf /tmp/.an]

/usr/bin/rm

[rm -rf /tmp/.an]

/usr/bin/sudo

[sudo killall -9 xm64]

/usr/bin/killall

[killall -9 xm64]

/usr/bin/sudo

[sudo killall -9 rpc.idmapd]

/usr/bin/killall

[killall -9 rpc.idmapd]

/usr/bin/sudo

[sudo rm -rf /tmp/.m2]

/usr/bin/rm

[rm -rf /tmp/.m2]

/usr/bin/sudo

[sudo killall -9 xorgg]

/usr/bin/killall

[killall -9 xorgg]

/usr/bin/sudo

[sudo rm -rf /tmp/seconfig]

/usr/bin/rm

[rm -rf /tmp/seconfig]

/usr/bin/sudo

[sudo killall -9 crond64]

/usr/bin/killall

[killall -9 crond64]

/usr/bin/sudo

[sudo killall -9 tsm]

/usr/bin/killall

[killall -9 tsm]

/usr/bin/sudo

[sudo rm -rf /tmp/.ssh]

/usr/bin/rm

[rm -rf /tmp/.ssh]

/usr/bin/sudo

[sudo rm -rf /tmp/.java]

/usr/bin/rm

[rm -rf /tmp/.java]

/usr/bin/sudo

[sudo rm -rf /tmp/.iolanda]

/usr/bin/rm

[rm -rf /tmp/.iolanda]

/usr/bin/sudo

[sudo pkill test.mod]

/usr/bin/pkill

[pkill test.mod]

/usr/bin/sudo

[sudo pkill daemon.i686.mod]

/usr/bin/pkill

[pkill daemon.i686.mod]

/usr/bin/sudo

[sudo pkill daemon.armv4l.mod]

/usr/bin/pkill

[pkill daemon.armv4l.mod]

/usr/bin/sudo

[sudo pkill daemon.mips.mod]

/usr/bin/pkill

[pkill daemon.mips.mod]

/usr/bin/sudo

[sudo pkill daemon.mipsel.mod]

/usr/bin/pkill

[pkill daemon.mipsel.mod]

/usr/bin/sudo

[sudo rm -rf /tmp/.xs]

/usr/bin/rm

[rm -rf /tmp/.xs]

/usr/bin/sudo

[sudo pkill ld-linux-x86-64]

/usr/bin/pkill

[pkill ld-linux-x86-64]

/usr/bin/rm

[rm -rf /var/tmp/. *]

/usr/bin/sudo

[sudo ps auxf]

/usr/bin/grep

[grep xmr]

/usr/bin/grep

[grep -v grep]

/usr/bin/awk

[awk { print $2 }]

/usr/bin/ps

[ps auxf]

/usr/bin/sudo

[sudo ps auxf]

/usr/bin/grep

[grep cryptonight]

/usr/bin/grep

[grep -v grep]

/usr/bin/awk

[awk { print $2 }]

/usr/bin/ps

[ps auxf]

/usr/bin/sudo

[sudo ps auxf]

/usr/bin/grep

[grep stratum]

/usr/bin/grep

[grep -v grep]

/usr/bin/awk

[awk { print $2 }]

/usr/bin/ps

[ps auxf]

/usr/bin/sudo

[sudo ps auxf]

/usr/bin/grep

[grep dbus-daemon--system]

/usr/bin/grep

[grep -v grep]

/usr/bin/awk

[awk { print $2 }]

/usr/bin/ps

[ps auxf]

/usr/bin/sudo

[sudo ps auxf]

/usr/bin/grep

[grep \[\]]

/usr/bin/grep

[grep -v grep]

/usr/bin/awk

[awk { print $2 }]

/usr/bin/ps

[ps auxf]

/usr/bin/sudo

[sudo ps auxf]

/usr/bin/grep

[grep xm64]

/usr/bin/grep

[grep -v grep]

/usr/bin/awk

[awk { print $2 }]

/usr/bin/ps

[ps auxf]

/usr/bin/sudo

[sudo killall -9 [atd]]

/usr/bin/killall

[killall -9 [atd]]

/usr/bin/sudo

[sudo rm -rf /tmp/.jk]

/usr/bin/rm

[rm -rf /tmp/.jk]

/usr/bin/sudo

[sudo killall -9 [ntpd]]

/usr/bin/killall

[killall -9 [ntpd]]

/usr/bin/sudo

[sudo killall -9 [rpciod]]

/usr/bin/killall

[killall -9 [rpciod]]

/usr/bin/sudo

[sudo killall -9 [ext4-dio-unwrit]]

/usr/bin/killall

[killall -9 [ext4-dio-unwrit]]

/usr/bin/sudo

[sudo rm -rf /tmp/.xm*]

/usr/bin/rm

[rm -rf /tmp/.xm*]

/usr/bin/pidof

[pidof libexec]

/bin/bash

[/bin/bash -]

/usr/bin/which

[which sudo]

/usr/bin/wc

[wc -l]

/usr/bin/sudo

[sudo -S touch .local_9750]

/usr/bin/touch

[touch .local_9750]

/usr/bin/ls

[ls -l .local_9750]

/usr/bin/grep

[grep -c root]

/usr/bin/sudo

[sudo rm .local_9750]

/usr/bin/rm

[rm .local_9750]

/usr/bin/sudo

[sudo ps auxff]

/usr/bin/grep

[grep ./crond -t=all]

/usr/bin/grep

[grep -v grep]

/usr/bin/awk

[awk { print $2 }]

/usr/bin/ps

[ps auxff]

/usr/bin/sudo

[sudo killall -9 bssh]

/usr/bin/killall

[killall -9 bssh]

/usr/bin/sudo

[sudo rm -rf /tmp/.an]

/usr/bin/rm

[rm -rf /tmp/.an]

/usr/bin/sudo

[sudo killall -9 xm64]

/usr/bin/killall

[killall -9 xm64]

/usr/bin/sudo

[sudo killall -9 rpc.idmapd]

/usr/bin/killall

[killall -9 rpc.idmapd]

/usr/bin/sudo

[sudo rm -rf /tmp/.m2]

/usr/bin/rm

[rm -rf /tmp/.m2]

/usr/bin/sudo

[sudo killall -9 xorgg]

/usr/bin/killall

[killall -9 xorgg]

/usr/bin/sudo

[sudo rm -rf /tmp/seconfig]

/usr/bin/rm

[rm -rf /tmp/seconfig]

/usr/bin/sudo

[sudo killall -9 crond64]

/usr/bin/killall

[killall -9 crond64]

/usr/bin/sudo

[sudo killall -9 tsm]

/usr/bin/killall

[killall -9 tsm]

/usr/bin/sudo

[sudo rm -rf /tmp/.ssh]

/usr/bin/rm

[rm -rf /tmp/.ssh]

/usr/bin/sudo

[sudo rm -rf /tmp/.java]

/usr/bin/rm

[rm -rf /tmp/.java]

/usr/bin/sudo

[sudo rm -rf /tmp/.iolanda]

/usr/bin/rm

[rm -rf /tmp/.iolanda]

/usr/bin/sudo

[sudo pkill test.mod]

/usr/bin/pkill

[pkill test.mod]

/usr/bin/sudo

[sudo pkill daemon.i686.mod]

/usr/bin/pkill

[pkill daemon.i686.mod]

/usr/bin/sudo

[sudo pkill daemon.armv4l.mod]

/usr/bin/pkill

[pkill daemon.armv4l.mod]

/usr/bin/sudo

[sudo pkill daemon.mips.mod]

/usr/bin/pkill

[pkill daemon.mips.mod]

/usr/bin/sudo

[sudo pkill daemon.mipsel.mod]

/usr/bin/pkill

[pkill daemon.mipsel.mod]

/usr/bin/sudo

[sudo rm -rf /tmp/.xs]

/usr/bin/rm

[rm -rf /tmp/.xs]

/usr/bin/sudo

[sudo pkill ld-linux-x86-64]

/usr/bin/pkill

[pkill ld-linux-x86-64]

/usr/bin/free

[free -m]

/usr/bin/uptime

[uptime]

/usr/bin/rm

[rm -rf /var/tmp/. *]

/usr/bin/sudo

[sudo ps auxf]

/usr/bin/grep

[grep xmr]

/usr/bin/grep

[grep -v grep]

/usr/bin/awk

[awk { print $2 }]

/usr/bin/ps

[ps auxf]

/usr/bin/sudo

[sudo ps auxf]

/usr/bin/grep

[grep cryptonight]

/usr/bin/grep

[grep -v grep]

/usr/bin/awk

[awk { print $2 }]

/usr/bin/ps

[ps auxf]

/usr/bin/sudo

[sudo ps auxf]

/usr/bin/grep

[grep -v grep]

/usr/bin/awk

[awk { print $2 }]

/usr/bin/grep

[grep stratum]

/usr/bin/ps

[ps auxf]

/usr/bin/sudo

[sudo ps auxf]

/usr/bin/grep

[grep dbus-daemon--system]

/usr/bin/grep

[grep -v grep]

/usr/bin/awk

[awk { print $2 }]

/usr/bin/ps

[ps auxf]

/usr/bin/sudo

[sudo ps auxf]

/usr/bin/grep

[grep \[\]]

/usr/bin/grep

[grep -v grep]

/usr/bin/awk

[awk { print $2 }]

/usr/bin/ps

[ps auxf]

/usr/bin/sudo

[sudo ps auxf]

/usr/bin/grep

[grep xm64]

/usr/bin/grep

[grep -v grep]

/usr/bin/awk

[awk { print $2 }]

/usr/bin/ps

[ps auxf]

/usr/bin/sudo

[sudo killall -9 [atd]]

/usr/bin/killall

[killall -9 [atd]]

/usr/bin/sudo

[sudo rm -rf /tmp/.jk]

/usr/bin/rm

[rm -rf /tmp/.jk]

/usr/bin/sudo

[sudo killall -9 [ntpd]]

/usr/bin/killall

[killall -9 [ntpd]]

/usr/bin/sudo

[sudo killall -9 [rpciod]]

/usr/bin/killall

[killall -9 [rpciod]]

/usr/bin/sudo

[sudo killall -9 [ext4-dio-unwrit]]

/usr/bin/killall

[killall -9 [ext4-dio-unwrit]]

/usr/bin/sudo

[sudo rm -rf /tmp/.xm*]

/usr/bin/rm

[rm -rf /tmp/.xm*]

/usr/bin/pidof

[pidof libexec]

/bin/bash

[/bin/bash -]

/usr/bin/wc

[wc -l]

/usr/bin/which

[which sudo]

/usr/bin/sudo

[sudo -S touch .local_7509]

/usr/bin/touch

[touch .local_7509]

/usr/bin/ls

[ls -l .local_7509]

/usr/bin/grep

[grep -c root]

/usr/bin/sudo

[sudo rm .local_7509]

/usr/bin/rm

[rm .local_7509]

/usr/bin/sudo

[sudo ps auxff]

/usr/bin/grep

[grep ./crond -t=all]

/usr/bin/grep

[grep -v grep]

/usr/bin/awk

[awk { print $2 }]

/usr/bin/ps

[ps auxff]

/usr/bin/sudo

[sudo killall -9 bssh]

/usr/bin/killall

[killall -9 bssh]

/usr/bin/sudo

[sudo rm -rf /tmp/.an]

/usr/bin/rm

[rm -rf /tmp/.an]

/usr/bin/sudo

[sudo killall -9 xm64]

/usr/bin/killall

[killall -9 xm64]

/usr/bin/sudo

[sudo killall -9 rpc.idmapd]

/usr/bin/killall

[killall -9 rpc.idmapd]

/usr/bin/sudo

[sudo rm -rf /tmp/.m2]

/usr/bin/rm

[rm -rf /tmp/.m2]

/usr/bin/sudo

[sudo killall -9 xorgg]

/usr/bin/killall

[killall -9 xorgg]

/usr/bin/sudo

[sudo rm -rf /tmp/seconfig]

/usr/bin/rm

[rm -rf /tmp/seconfig]

/usr/bin/sudo

[sudo killall -9 crond64]

/usr/bin/killall

[killall -9 crond64]

/usr/bin/sudo

[sudo killall -9 tsm]

/usr/bin/killall

[killall -9 tsm]

/usr/bin/sudo

[sudo rm -rf /tmp/.ssh]

/usr/bin/rm

[rm -rf /tmp/.ssh]

/usr/bin/sudo

[sudo rm -rf /tmp/.java]

/usr/bin/rm

[rm -rf /tmp/.java]

/usr/bin/sudo

[sudo rm -rf /tmp/.iolanda]

/usr/bin/rm

[rm -rf /tmp/.iolanda]

/usr/bin/sudo

[sudo pkill test.mod]

/usr/bin/pkill

[pkill test.mod]

/usr/bin/sudo

[sudo pkill daemon.i686.mod]

/usr/bin/pkill

[pkill daemon.i686.mod]

/usr/bin/sudo

[sudo pkill daemon.armv4l.mod]

/usr/bin/pkill

[pkill daemon.armv4l.mod]

/usr/bin/sudo

[sudo pkill daemon.mips.mod]

/usr/bin/pkill

[pkill daemon.mips.mod]

/usr/bin/sudo

[sudo pkill daemon.mipsel.mod]

/usr/bin/pkill

[pkill daemon.mipsel.mod]

/usr/bin/sudo

[sudo rm -rf /tmp/.xs]

/usr/bin/rm

[rm -rf /tmp/.xs]

/usr/bin/sudo

[sudo pkill ld-linux-x86-64]

/usr/bin/pkill

[pkill ld-linux-x86-64]

/usr/bin/rm

[rm -rf /var/tmp/. *]

/usr/bin/sudo

[sudo ps auxf]

/usr/bin/grep

[grep xmr]

/usr/bin/grep

[grep -v grep]

/usr/bin/awk

[awk { print $2 }]

/usr/bin/ps

[ps auxf]

/usr/bin/sudo

[sudo ps auxf]

/usr/bin/grep

[grep cryptonight]

/usr/bin/grep

[grep -v grep]

/usr/bin/awk

[awk { print $2 }]

/usr/bin/ps

[ps auxf]

/usr/bin/sudo

[sudo ps auxf]

/usr/bin/grep

[grep stratum]

/usr/bin/grep

[grep -v grep]

/usr/bin/awk

[awk { print $2 }]

/usr/bin/ps

[ps auxf]

/usr/bin/sudo

[sudo ps auxf]

/usr/bin/grep

[grep dbus-daemon--system]

/usr/bin/grep

[grep -v grep]

/usr/bin/awk

[awk { print $2 }]

/usr/bin/ps

[ps auxf]

/usr/bin/sudo

[sudo ps auxf]

/usr/bin/grep

[grep \[\]]

/usr/bin/grep

[grep -v grep]

/usr/bin/awk

[awk { print $2 }]

/usr/bin/ps

[ps auxf]

/usr/bin/sudo

[sudo ps auxf]

/usr/bin/grep

[grep xm64]

/usr/bin/grep

[grep -v grep]

/usr/bin/awk

[awk { print $2 }]

/usr/bin/ps

[ps auxf]

/usr/bin/sudo

[sudo killall -9 [atd]]

/usr/bin/killall

[killall -9 [atd]]

/usr/bin/sudo

[sudo rm -rf /tmp/.jk]

/usr/bin/rm

[rm -rf /tmp/.jk]

/usr/bin/sudo

[sudo killall -9 [ntpd]]

/usr/bin/killall

[killall -9 [ntpd]]

/usr/bin/sudo

[sudo killall -9 [rpciod]]

/usr/bin/killall

[killall -9 [rpciod]]

/usr/bin/sudo

[sudo killall -9 [ext4-dio-unwrit]]

/usr/bin/killall

[killall -9 [ext4-dio-unwrit]]

/usr/bin/sudo

[sudo rm -rf /tmp/.xm*]

/usr/bin/rm

[rm -rf /tmp/.xm*]

/usr/bin/pidof

[pidof libexec]

/usr/bin/free

[free -m]

/usr/bin/uptime

[uptime]

/bin/bash

[/bin/bash -]

/usr/bin/which

[which sudo]

/usr/bin/wc

[wc -l]

/usr/bin/sudo

[sudo -S touch .local_24420]

/usr/bin/touch

[touch .local_24420]

/usr/bin/ls

[ls -l .local_24420]

/usr/bin/grep

[grep -c root]

/usr/bin/sudo

[sudo rm .local_24420]

/usr/bin/rm

[rm .local_24420]

/usr/bin/sudo

[sudo ps auxff]

/usr/bin/grep

[grep ./crond -t=all]

/usr/bin/grep

[grep -v grep]

/usr/bin/awk

[awk { print $2 }]

/usr/bin/ps

[ps auxff]

/usr/bin/sudo

[sudo killall -9 bssh]

/usr/bin/killall

[killall -9 bssh]

/usr/bin/sudo

[sudo rm -rf /tmp/.an]

/usr/bin/rm

[rm -rf /tmp/.an]

/usr/bin/sudo

[sudo killall -9 xm64]

/usr/bin/killall

[killall -9 xm64]

/usr/bin/sudo

[sudo killall -9 rpc.idmapd]

/usr/bin/killall

[killall -9 rpc.idmapd]

/usr/bin/sudo

[sudo rm -rf /tmp/.m2]

/usr/bin/rm

[rm -rf /tmp/.m2]

/usr/bin/sudo

[sudo killall -9 xorgg]

/usr/bin/killall

[killall -9 xorgg]

/usr/bin/sudo

[sudo rm -rf /tmp/seconfig]

/usr/bin/rm

[rm -rf /tmp/seconfig]

/usr/bin/sudo

[sudo killall -9 crond64]

/usr/bin/killall

[killall -9 crond64]

/usr/bin/sudo

[sudo killall -9 tsm]

/usr/bin/killall

[killall -9 tsm]

/usr/bin/sudo

[sudo rm -rf /tmp/.ssh]

/usr/bin/rm

[rm -rf /tmp/.ssh]

/usr/bin/sudo

[sudo rm -rf /tmp/.java]

/usr/bin/rm

[rm -rf /tmp/.java]

/usr/bin/sudo

[sudo rm -rf /tmp/.iolanda]

/usr/bin/rm

[rm -rf /tmp/.iolanda]

/usr/bin/sudo

[sudo pkill test.mod]

/usr/bin/pkill

[pkill test.mod]

/usr/bin/sudo

[sudo pkill daemon.i686.mod]

/usr/bin/pkill

[pkill daemon.i686.mod]

/usr/bin/sudo

[sudo pkill daemon.armv4l.mod]

/usr/bin/pkill

[pkill daemon.armv4l.mod]

/usr/bin/sudo

[sudo pkill daemon.mips.mod]

/usr/bin/pkill

[pkill daemon.mips.mod]

/usr/bin/sudo

[sudo pkill daemon.mipsel.mod]

/usr/bin/pkill

[pkill daemon.mipsel.mod]

/usr/bin/sudo

[sudo rm -rf /tmp/.xs]

/usr/bin/rm

[rm -rf /tmp/.xs]

/usr/bin/sudo

[sudo pkill ld-linux-x86-64]

/usr/bin/pkill

[pkill ld-linux-x86-64]

/usr/bin/rm

[rm -rf /var/tmp/. *]

/usr/bin/sudo

[sudo ps auxf]

/usr/bin/grep

[grep xmr]

/usr/bin/grep

[grep -v grep]

/usr/bin/awk

[awk { print $2 }]

/usr/bin/ps

[ps auxf]

/usr/bin/sudo

[sudo ps auxf]

/usr/bin/grep

[grep cryptonight]

/usr/bin/grep

[grep -v grep]

/usr/bin/awk

[awk { print $2 }]

/usr/bin/ps

[ps auxf]

/usr/bin/sudo

[sudo ps auxf]

/usr/bin/grep

[grep stratum]

/usr/bin/grep

[grep -v grep]

/usr/bin/awk

[awk { print $2 }]

/usr/bin/ps

[ps auxf]

/usr/bin/sudo

[sudo ps auxf]

/usr/bin/grep

[grep dbus-daemon--system]

/usr/bin/grep

[grep -v grep]

/usr/bin/awk

[awk { print $2 }]

/usr/bin/ps

[ps auxf]

/usr/bin/sudo

[sudo ps auxf]

/usr/bin/grep

[grep \[\]]

/usr/bin/grep

[grep -v grep]

/usr/bin/awk

[awk { print $2 }]

/usr/bin/ps

[ps auxf]

/usr/bin/sudo

[sudo ps auxf]

/usr/bin/grep

[grep xm64]

/usr/bin/grep

[grep -v grep]

/usr/bin/awk

[awk { print $2 }]

/usr/bin/ps

[ps auxf]

/usr/bin/sudo

[sudo killall -9 [atd]]

/usr/bin/killall

[killall -9 [atd]]

/usr/bin/sudo

[sudo rm -rf /tmp/.jk]

/usr/bin/rm

[rm -rf /tmp/.jk]

/usr/bin/sudo

[sudo killall -9 [ntpd]]

/usr/bin/killall

[killall -9 [ntpd]]

/usr/bin/sudo

[sudo killall -9 [rpciod]]

/usr/bin/killall

[killall -9 [rpciod]]

/usr/bin/sudo

[sudo killall -9 [ext4-dio-unwrit]]

/usr/bin/killall

[killall -9 [ext4-dio-unwrit]]

/usr/bin/sudo

[sudo rm -rf /tmp/.xm*]

/usr/bin/rm

[rm -rf /tmp/.xm*]

/usr/bin/pidof

[pidof libexec]

/usr/bin/free

[free -m]

/usr/bin/uptime

[uptime]

/bin/bash

[/bin/bash -]

/usr/bin/wc

[wc -l]

/usr/bin/which

[which sudo]

/usr/bin/sudo

[sudo -S touch .local_10129]

/usr/bin/touch

[touch .local_10129]

/usr/bin/ls

[ls -l .local_10129]

/usr/bin/grep

[grep -c root]

/usr/bin/sudo

[sudo rm .local_10129]

/usr/bin/rm

[rm .local_10129]

/usr/bin/sudo

[sudo ps auxff]

/usr/bin/grep

[grep ./crond -t=all]

/usr/bin/grep

[grep -v grep]

/usr/bin/awk

[awk { print $2 }]

/usr/bin/ps

[ps auxff]

/usr/bin/sudo

[sudo killall -9 bssh]

/usr/bin/killall

[killall -9 bssh]

/usr/bin/sudo

[sudo rm -rf /tmp/.an]

/usr/bin/rm

[rm -rf /tmp/.an]

/usr/bin/sudo

[sudo killall -9 xm64]

/usr/bin/killall

[killall -9 xm64]

/usr/bin/sudo

[sudo killall -9 rpc.idmapd]

/usr/bin/killall

[killall -9 rpc.idmapd]

/usr/bin/sudo

[sudo rm -rf /tmp/.m2]

/usr/bin/rm

[rm -rf /tmp/.m2]

/usr/bin/sudo

[sudo killall -9 xorgg]

/usr/bin/killall

[killall -9 xorgg]

/usr/bin/sudo

[sudo rm -rf /tmp/seconfig]

/usr/bin/rm

[rm -rf /tmp/seconfig]

/usr/bin/sudo

[sudo killall -9 crond64]

/usr/bin/killall

[killall -9 crond64]

/usr/bin/sudo

[sudo killall -9 tsm]

/usr/bin/killall

[killall -9 tsm]

/usr/bin/sudo

[sudo rm -rf /tmp/.ssh]

/usr/bin/rm

[rm -rf /tmp/.ssh]

/usr/bin/sudo

[sudo rm -rf /tmp/.java]

/usr/bin/rm

[rm -rf /tmp/.java]

/usr/bin/sudo

[sudo rm -rf /tmp/.iolanda]

/usr/bin/rm

[rm -rf /tmp/.iolanda]

/usr/bin/sudo

[sudo pkill test.mod]

/usr/bin/pkill

[pkill test.mod]

/usr/bin/sudo

[sudo pkill daemon.i686.mod]

/usr/bin/pkill

[pkill daemon.i686.mod]

/usr/bin/sudo

[sudo pkill daemon.armv4l.mod]

/usr/bin/pkill

[pkill daemon.armv4l.mod]

/usr/bin/sudo

[sudo pkill daemon.mips.mod]

/usr/bin/pkill

[pkill daemon.mips.mod]

/usr/bin/sudo

[sudo pkill daemon.mipsel.mod]

/usr/bin/pkill

[pkill daemon.mipsel.mod]

/usr/bin/sudo

[sudo rm -rf /tmp/.xs]

/usr/bin/rm

[rm -rf /tmp/.xs]

/usr/bin/sudo

[sudo pkill ld-linux-x86-64]

/usr/bin/pkill

[pkill ld-linux-x86-64]

/usr/bin/rm

[rm -rf /var/tmp/. *]

/usr/bin/sudo

[sudo ps auxf]

/usr/bin/grep

[grep xmr]

/usr/bin/grep

[grep -v grep]

/usr/bin/awk

[awk { print $2 }]

/usr/bin/ps

[ps auxf]

/usr/bin/sudo

[sudo ps auxf]

/usr/bin/grep

[grep cryptonight]

/usr/bin/grep

[grep -v grep]

/usr/bin/awk

[awk { print $2 }]

/usr/bin/ps

[ps auxf]

/usr/bin/sudo

[sudo ps auxf]

/usr/bin/grep

[grep stratum]

/usr/bin/awk

[awk { print $2 }]

/usr/bin/grep

[grep -v grep]

/usr/bin/ps

[ps auxf]

/usr/bin/sudo

[sudo ps auxf]

/usr/bin/grep

[grep dbus-daemon--system]

/usr/bin/grep

[grep -v grep]

/usr/bin/awk

[awk { print $2 }]

/usr/bin/ps

[ps auxf]

/usr/bin/sudo

[sudo ps auxf]

/usr/bin/grep

[grep \[\]]

/usr/bin/awk

[awk { print $2 }]

/usr/bin/grep

[grep -v grep]

/usr/bin/ps

[ps auxf]

/usr/bin/sudo

[sudo ps auxf]

/usr/bin/grep

[grep xm64]

/usr/bin/grep

[grep -v grep]

/usr/bin/awk

[awk { print $2 }]

/usr/bin/ps

[ps auxf]

/usr/bin/sudo

[sudo killall -9 [atd]]

/usr/bin/killall

[killall -9 [atd]]

/usr/bin/sudo

[sudo rm -rf /tmp/.jk]

/usr/bin/rm

[rm -rf /tmp/.jk]

/usr/bin/sudo

[sudo killall -9 [ntpd]]

/usr/bin/killall

[killall -9 [ntpd]]

/usr/bin/sudo

[sudo killall -9 [rpciod]]

/usr/bin/killall

[killall -9 [rpciod]]

/usr/bin/sudo

[sudo killall -9 [ext4-dio-unwrit]]

/usr/bin/killall

[killall -9 [ext4-dio-unwrit]]

/usr/bin/sudo

[sudo rm -rf /tmp/.xm*]

/usr/bin/rm

[rm -rf /tmp/.xm*]

/usr/bin/pidof

[pidof libexec]

/bin/bash

[/bin/bash -]

/usr/bin/which

[which sudo]

/usr/bin/wc

[wc -l]

/usr/bin/sudo

[sudo -S touch .local_19923]

/usr/bin/touch

[touch .local_19923]

/usr/bin/ls

[ls -l .local_19923]

/usr/bin/grep

[grep -c root]

/usr/bin/sudo

[sudo rm .local_19923]

/usr/bin/rm

[rm .local_19923]

/usr/bin/sudo

[sudo ps auxff]

/usr/bin/grep

[grep ./crond -t=all]

/usr/bin/grep

[grep -v grep]

/usr/bin/awk

[awk { print $2 }]

/usr/bin/ps

[ps auxff]

/usr/bin/sudo

[sudo killall -9 bssh]

/usr/bin/killall

[killall -9 bssh]

/usr/bin/sudo

[sudo rm -rf /tmp/.an]

/usr/bin/rm

[rm -rf /tmp/.an]

/usr/bin/sudo

[sudo killall -9 xm64]

/usr/bin/killall

[killall -9 xm64]

/usr/bin/sudo

[sudo killall -9 rpc.idmapd]

/usr/bin/killall

[killall -9 rpc.idmapd]

/usr/bin/sudo

[sudo rm -rf /tmp/.m2]

/usr/bin/rm

[rm -rf /tmp/.m2]

/usr/bin/sudo

[sudo killall -9 xorgg]

/usr/bin/killall

[killall -9 xorgg]

/usr/bin/sudo

[sudo rm -rf /tmp/seconfig]

/usr/bin/rm

[rm -rf /tmp/seconfig]

/usr/bin/sudo

[sudo killall -9 crond64]

/usr/bin/killall

[killall -9 crond64]

/usr/bin/sudo

[sudo killall -9 tsm]

/usr/bin/killall

[killall -9 tsm]

/usr/bin/sudo

[sudo rm -rf /tmp/.ssh]

/usr/bin/rm

[rm -rf /tmp/.ssh]

/usr/bin/sudo

[sudo rm -rf /tmp/.java]

/usr/bin/rm

[rm -rf /tmp/.java]

/usr/bin/sudo

[sudo rm -rf /tmp/.iolanda]

Network

Files

/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/nc

MD5 ae747bc7fff9bc23f06635ef60ea0e8d
SHA1 64315e834f67905ed4e47f36155362a78ac23462
SHA256 103b8404dc64c9a44511675981a09fd01395ee837452d114f1350c295357c046
SHA512 e24914a58565a43883c27ae4a41061e8edd3d5eef7b86c1c0e9910d9fbe0eef3e78ed49136ac0c9378311e99901b1847bcfd926aa9a3ea44149a7478480f82b2

Analysis: behavioral32

Detonation Overview

Submitted

2024-09-04 20:01

Reported

2024-09-04 20:10

Platform

ubuntu2404-amd64-20240729-en

Max time kernel

149s

Max time network

149s

Command Line

[/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7f18e5b5b7645a80a0d44adf3fecdafcbf937bfe30a4cfb965a1421e034996dd]

Signatures

Adds new SSH keys

persistence privilege_escalation
Description Indicator Process Target
File opened for modification /root/.ssh/authorized_keys /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7f18e5b5b7645a80a0d44adf3fecdafcbf937bfe30a4cfb965a1421e034996dd N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Deletes log files

defense_evasion
Description Indicator Process Target
File deleted /var/log/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7f18e5b5b7645a80a0d44adf3fecdafcbf937bfe30a4cfb965a1421e034996dd /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7f18e5b5b7645a80a0d44adf3fecdafcbf937bfe30a4cfb965a1421e034996dd N/A

Enumerates running processes

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /usr/bin/cat N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/2217/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7f18e5b5b7645a80a0d44adf3fecdafcbf937bfe30a4cfb965a1421e034996dd N/A
File opened for reading /proc/33/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7f18e5b5b7645a80a0d44adf3fecdafcbf937bfe30a4cfb965a1421e034996dd N/A
File opened for reading /proc/386/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7f18e5b5b7645a80a0d44adf3fecdafcbf937bfe30a4cfb965a1421e034996dd N/A
File opened for reading /proc/2015/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7f18e5b5b7645a80a0d44adf3fecdafcbf937bfe30a4cfb965a1421e034996dd N/A
File opened for reading /proc/10/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7f18e5b5b7645a80a0d44adf3fecdafcbf937bfe30a4cfb965a1421e034996dd N/A
File opened for reading /proc/1052/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7f18e5b5b7645a80a0d44adf3fecdafcbf937bfe30a4cfb965a1421e034996dd N/A
File opened for reading /proc/123/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7f18e5b5b7645a80a0d44adf3fecdafcbf937bfe30a4cfb965a1421e034996dd N/A
File opened for reading /proc/meminfo /usr/bin/free N/A
File opened for reading /proc/10/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7f18e5b5b7645a80a0d44adf3fecdafcbf937bfe30a4cfb965a1421e034996dd N/A
File opened for reading /proc/2315/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7f18e5b5b7645a80a0d44adf3fecdafcbf937bfe30a4cfb965a1421e034996dd N/A
File opened for reading /proc/44/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7f18e5b5b7645a80a0d44adf3fecdafcbf937bfe30a4cfb965a1421e034996dd N/A
File opened for reading /proc/69/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7f18e5b5b7645a80a0d44adf3fecdafcbf937bfe30a4cfb965a1421e034996dd N/A
File opened for reading /proc/1946/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7f18e5b5b7645a80a0d44adf3fecdafcbf937bfe30a4cfb965a1421e034996dd N/A
File opened for reading /proc/418/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7f18e5b5b7645a80a0d44adf3fecdafcbf937bfe30a4cfb965a1421e034996dd N/A
File opened for reading /proc/45/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7f18e5b5b7645a80a0d44adf3fecdafcbf937bfe30a4cfb965a1421e034996dd N/A
File opened for reading /proc/2516/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7f18e5b5b7645a80a0d44adf3fecdafcbf937bfe30a4cfb965a1421e034996dd N/A
File opened for reading /proc/194/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7f18e5b5b7645a80a0d44adf3fecdafcbf937bfe30a4cfb965a1421e034996dd N/A
File opened for reading /proc/26/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7f18e5b5b7645a80a0d44adf3fecdafcbf937bfe30a4cfb965a1421e034996dd N/A
File opened for reading /proc/1088/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7f18e5b5b7645a80a0d44adf3fecdafcbf937bfe30a4cfb965a1421e034996dd N/A
File opened for reading /proc/53/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7f18e5b5b7645a80a0d44adf3fecdafcbf937bfe30a4cfb965a1421e034996dd N/A
File opened for reading /proc/2578/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7f18e5b5b7645a80a0d44adf3fecdafcbf937bfe30a4cfb965a1421e034996dd N/A
File opened for reading /proc/loadavg /usr/bin/uptime N/A
File opened for reading /proc/512/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7f18e5b5b7645a80a0d44adf3fecdafcbf937bfe30a4cfb965a1421e034996dd N/A
File opened for reading /proc/1988/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7f18e5b5b7645a80a0d44adf3fecdafcbf937bfe30a4cfb965a1421e034996dd N/A
File opened for reading /proc/2260/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7f18e5b5b7645a80a0d44adf3fecdafcbf937bfe30a4cfb965a1421e034996dd N/A
File opened for reading /proc/1818/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7f18e5b5b7645a80a0d44adf3fecdafcbf937bfe30a4cfb965a1421e034996dd N/A
File opened for reading /proc/2015/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7f18e5b5b7645a80a0d44adf3fecdafcbf937bfe30a4cfb965a1421e034996dd N/A
File opened for reading /proc/432/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7f18e5b5b7645a80a0d44adf3fecdafcbf937bfe30a4cfb965a1421e034996dd N/A
File opened for reading /proc/1048/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7f18e5b5b7645a80a0d44adf3fecdafcbf937bfe30a4cfb965a1421e034996dd N/A
File opened for reading /proc/198/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7f18e5b5b7645a80a0d44adf3fecdafcbf937bfe30a4cfb965a1421e034996dd N/A
File opened for reading /proc/1345/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7f18e5b5b7645a80a0d44adf3fecdafcbf937bfe30a4cfb965a1421e034996dd N/A
File opened for reading /proc/meminfo /usr/bin/free N/A
File opened for reading /proc/385/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7f18e5b5b7645a80a0d44adf3fecdafcbf937bfe30a4cfb965a1421e034996dd N/A
File opened for reading /proc/438/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7f18e5b5b7645a80a0d44adf3fecdafcbf937bfe30a4cfb965a1421e034996dd N/A
File opened for reading /proc/1921/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7f18e5b5b7645a80a0d44adf3fecdafcbf937bfe30a4cfb965a1421e034996dd N/A
File opened for reading /proc/2212/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7f18e5b5b7645a80a0d44adf3fecdafcbf937bfe30a4cfb965a1421e034996dd N/A
File opened for reading /proc/44/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7f18e5b5b7645a80a0d44adf3fecdafcbf937bfe30a4cfb965a1421e034996dd N/A
File opened for reading /proc/2446/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7f18e5b5b7645a80a0d44adf3fecdafcbf937bfe30a4cfb965a1421e034996dd N/A
File opened for reading /proc/40/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7f18e5b5b7645a80a0d44adf3fecdafcbf937bfe30a4cfb965a1421e034996dd N/A
File opened for reading /proc/2/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7f18e5b5b7645a80a0d44adf3fecdafcbf937bfe30a4cfb965a1421e034996dd N/A
File opened for reading /proc/2002/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7f18e5b5b7645a80a0d44adf3fecdafcbf937bfe30a4cfb965a1421e034996dd N/A
File opened for reading /proc/860/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7f18e5b5b7645a80a0d44adf3fecdafcbf937bfe30a4cfb965a1421e034996dd N/A
File opened for reading /proc/2517/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7f18e5b5b7645a80a0d44adf3fecdafcbf937bfe30a4cfb965a1421e034996dd N/A
File opened for reading /proc/2128/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7f18e5b5b7645a80a0d44adf3fecdafcbf937bfe30a4cfb965a1421e034996dd N/A
File opened for reading /proc/23/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7f18e5b5b7645a80a0d44adf3fecdafcbf937bfe30a4cfb965a1421e034996dd N/A
File opened for reading /proc/593/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7f18e5b5b7645a80a0d44adf3fecdafcbf937bfe30a4cfb965a1421e034996dd N/A
File opened for reading /proc/5/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7f18e5b5b7645a80a0d44adf3fecdafcbf937bfe30a4cfb965a1421e034996dd N/A
File opened for reading /proc/2169/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7f18e5b5b7645a80a0d44adf3fecdafcbf937bfe30a4cfb965a1421e034996dd N/A
File opened for reading /proc/13/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7f18e5b5b7645a80a0d44adf3fecdafcbf937bfe30a4cfb965a1421e034996dd N/A
File opened for reading /proc/25/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7f18e5b5b7645a80a0d44adf3fecdafcbf937bfe30a4cfb965a1421e034996dd N/A
File opened for reading /proc/2518/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7f18e5b5b7645a80a0d44adf3fecdafcbf937bfe30a4cfb965a1421e034996dd N/A
File opened for reading /proc/338/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7f18e5b5b7645a80a0d44adf3fecdafcbf937bfe30a4cfb965a1421e034996dd N/A
File opened for reading /proc/1921/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7f18e5b5b7645a80a0d44adf3fecdafcbf937bfe30a4cfb965a1421e034996dd N/A
File opened for reading /proc/25/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7f18e5b5b7645a80a0d44adf3fecdafcbf937bfe30a4cfb965a1421e034996dd N/A
File opened for reading /proc/191/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7f18e5b5b7645a80a0d44adf3fecdafcbf937bfe30a4cfb965a1421e034996dd N/A
File opened for reading /proc/30/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7f18e5b5b7645a80a0d44adf3fecdafcbf937bfe30a4cfb965a1421e034996dd N/A
File opened for reading /proc/1998/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7f18e5b5b7645a80a0d44adf3fecdafcbf937bfe30a4cfb965a1421e034996dd N/A
File opened for reading /proc/1128/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7f18e5b5b7645a80a0d44adf3fecdafcbf937bfe30a4cfb965a1421e034996dd N/A
File opened for reading /proc/1827/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7f18e5b5b7645a80a0d44adf3fecdafcbf937bfe30a4cfb965a1421e034996dd N/A
File opened for reading /proc/2517/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7f18e5b5b7645a80a0d44adf3fecdafcbf937bfe30a4cfb965a1421e034996dd N/A
File opened for reading /proc/54/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7f18e5b5b7645a80a0d44adf3fecdafcbf937bfe30a4cfb965a1421e034996dd N/A
File opened for reading /proc/2315/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7f18e5b5b7645a80a0d44adf3fecdafcbf937bfe30a4cfb965a1421e034996dd N/A
File opened for reading /proc/787/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7f18e5b5b7645a80a0d44adf3fecdafcbf937bfe30a4cfb965a1421e034996dd N/A
File opened for reading /proc/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7f18e5b5b7645a80a0d44adf3fecdafcbf937bfe30a4cfb965a1421e034996dd N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/nc /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7f18e5b5b7645a80a0d44adf3fecdafcbf937bfe30a4cfb965a1421e034996dd N/A

Processes

/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7f18e5b5b7645a80a0d44adf3fecdafcbf937bfe30a4cfb965a1421e034996dd

[/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7f18e5b5b7645a80a0d44adf3fecdafcbf937bfe30a4cfb965a1421e034996dd]

/usr/bin/uname

[uname -a]

/usr/bin/cat

[cat /proc/cpuinfo]

/usr/bin/cat

[cat /etc/issue]

/usr/bin/free

[free -m]

/usr/bin/uptime

[uptime]

/usr/bin/journalctl

[journalctl -S @0 -u sshd]

/usr/bin/cat

[cat /var/log/auth*]

/usr/bin/zcat

[zcat /var/log/auth*]

/usr/local/sbin/gzip

[gzip -cd /var/log/auth*]

/usr/local/bin/gzip

[gzip -cd /var/log/auth*]

/usr/sbin/gzip

[gzip -cd /var/log/auth*]

/usr/bin/gzip

[gzip -cd /var/log/auth*]

/usr/bin/free

[free -m]

/usr/bin/uptime

[uptime]

/usr/bin/free

[free -m]

/usr/bin/uptime

[uptime]

/usr/bin/free

[free -m]

/usr/bin/uptime

[uptime]

/usr/bin/free

[free -m]

/usr/bin/uptime

[uptime]

/usr/bin/free

[free -m]

/usr/bin/uptime

[uptime]

/usr/bin/free

[free -m]

/usr/bin/uptime

[uptime]

/usr/bin/free

[free -m]

/usr/bin/uptime

[uptime]

/usr/bin/free

[free -m]

/usr/bin/uptime

[uptime]

/usr/bin/free

[free -m]

/usr/bin/uptime

[uptime]

/usr/bin/free

[free -m]

/usr/bin/uptime

[uptime]

/usr/bin/free

[free -m]

/usr/bin/uptime

[uptime]

/usr/bin/free

[free -m]

/usr/bin/uptime

[uptime]

/usr/bin/free

[free -m]

/usr/bin/uptime

[uptime]

/usr/bin/free

[free -m]

/usr/bin/uptime

[uptime]

Network

Files

/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/nc

MD5 b2e0eede7b18253dccd0d44ebb5db85a
SHA1 ee5db9590090efd5549e1c17ec1ee956ef1ed3d1
SHA256 7f18e5b5b7645a80a0d44adf3fecdafcbf937bfe30a4cfb965a1421e034996dd
SHA512 5608fe7bde5072de7c98bacfe7beb928e6073be87c0fbccd8075c808d9a7c642abe254f6eb620d627f5324e35821fc9b41a31970264abcc472adfbe2c214a9fe

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-04 20:01

Reported

2024-09-04 20:10

Platform

win10v2004-20240802-en

Max time kernel

91s

Max time network

154s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master.zip

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master.zip

Network

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-09-04 20:01

Reported

2024-09-04 20:10

Platform

win10v2004-20240802-en

Max time kernel

144s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\Dridex.JhiSharp.dll.exe"

Signatures

Dridex

botnet dridex

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Network Share Discovery

discovery

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\whoami.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\Dridex.JhiSharp.dll.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A

Discovers systems in the same network

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\net.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\Dridex.JhiSharp.dll.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\Dridex.JhiSharp.dll.exe

"C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\Dridex.JhiSharp.dll.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe "C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\Dridex.JhiSharp.dll.exe"

C:\Windows\SysWOW64\whoami.exe

C:\Windows\system32\whoami.exe /all

C:\Windows\SysWOW64\net.exe

C:\Windows\system32\net.exe view

Network

Files

Analysis: behavioral17

Detonation Overview

Submitted

2024-09-04 20:01

Reported

2024-09-04 20:11

Platform

win7-20240903-en

Max time kernel

5s

Max time network

24s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Emotet.zip

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Emotet.zip

Network

N/A

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-09-04 20:01

Reported

2024-09-04 20:10

Platform

ubuntu2204-amd64-20240611-en

Max time kernel

149s

Max time network

141s

Command Line

[/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/041bc20ca8ac3161098cbc976e67e3c0f1b672ad36ecbe22fd21cbd53bcaa742]

Signatures

Adds new SSH keys

persistence privilege_escalation
Description Indicator Process Target
File opened for modification /root/.ssh/authorized_keys /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/041bc20ca8ac3161098cbc976e67e3c0f1b672ad36ecbe22fd21cbd53bcaa742 N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Deletes log files

defense_evasion
Description Indicator Process Target
File deleted /var/log/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/041bc20ca8ac3161098cbc976e67e3c0f1b672ad36ecbe22fd21cbd53bcaa742 /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/041bc20ca8ac3161098cbc976e67e3c0f1b672ad36ecbe22fd21cbd53bcaa742 N/A

Enumerates running processes

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /usr/bin/cat N/A

Reads CPU attributes

discovery
Description Indicator Process Target
File opened for reading /sys/devices/system/cpu/online /usr/bin/free N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/uptime N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/uptime N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/uptime N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/uptime N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/free N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/free N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/uptime N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/free N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/uptime N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/uptime N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/free N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/free N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/uptime N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/free N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/free N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/uptime N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/uptime N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/free N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/uptime N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/free N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/uptime N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/free N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/free N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/uptime N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/free N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/uptime N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/free N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/uptime N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/free N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/1162/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/041bc20ca8ac3161098cbc976e67e3c0f1b672ad36ecbe22fd21cbd53bcaa742 N/A
File opened for reading /proc/1197/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/041bc20ca8ac3161098cbc976e67e3c0f1b672ad36ecbe22fd21cbd53bcaa742 N/A
File opened for reading /proc/843/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/041bc20ca8ac3161098cbc976e67e3c0f1b672ad36ecbe22fd21cbd53bcaa742 N/A
File opened for reading /proc/1452/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/041bc20ca8ac3161098cbc976e67e3c0f1b672ad36ecbe22fd21cbd53bcaa742 N/A
File opened for reading /proc/82/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/041bc20ca8ac3161098cbc976e67e3c0f1b672ad36ecbe22fd21cbd53bcaa742 N/A
File opened for reading /proc/1507/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/041bc20ca8ac3161098cbc976e67e3c0f1b672ad36ecbe22fd21cbd53bcaa742 N/A
File opened for reading /proc/81/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/041bc20ca8ac3161098cbc976e67e3c0f1b672ad36ecbe22fd21cbd53bcaa742 N/A
File opened for reading /proc/meminfo /usr/bin/free N/A
File opened for reading /proc/1386/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/041bc20ca8ac3161098cbc976e67e3c0f1b672ad36ecbe22fd21cbd53bcaa742 N/A
File opened for reading /proc/1563/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/041bc20ca8ac3161098cbc976e67e3c0f1b672ad36ecbe22fd21cbd53bcaa742 N/A
File opened for reading /proc/215/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/041bc20ca8ac3161098cbc976e67e3c0f1b672ad36ecbe22fd21cbd53bcaa742 N/A
File opened for reading /proc/776/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/041bc20ca8ac3161098cbc976e67e3c0f1b672ad36ecbe22fd21cbd53bcaa742 N/A
File opened for reading /proc/837/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/041bc20ca8ac3161098cbc976e67e3c0f1b672ad36ecbe22fd21cbd53bcaa742 N/A
File opened for reading /proc/586/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/041bc20ca8ac3161098cbc976e67e3c0f1b672ad36ecbe22fd21cbd53bcaa742 N/A
File opened for reading /proc/88/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/041bc20ca8ac3161098cbc976e67e3c0f1b672ad36ecbe22fd21cbd53bcaa742 N/A
File opened for reading /proc/640/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/041bc20ca8ac3161098cbc976e67e3c0f1b672ad36ecbe22fd21cbd53bcaa742 N/A
File opened for reading /proc/207/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/041bc20ca8ac3161098cbc976e67e3c0f1b672ad36ecbe22fd21cbd53bcaa742 N/A
File opened for reading /proc/uptime /usr/bin/uptime N/A
File opened for reading /proc/114/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/041bc20ca8ac3161098cbc976e67e3c0f1b672ad36ecbe22fd21cbd53bcaa742 N/A
File opened for reading /proc/114/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/041bc20ca8ac3161098cbc976e67e3c0f1b672ad36ecbe22fd21cbd53bcaa742 N/A
File opened for reading /proc/meminfo /usr/bin/free N/A
File opened for reading /proc/uptime /usr/bin/uptime N/A
File opened for reading /proc/1565/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/041bc20ca8ac3161098cbc976e67e3c0f1b672ad36ecbe22fd21cbd53bcaa742 N/A
File opened for reading /proc/1160/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/041bc20ca8ac3161098cbc976e67e3c0f1b672ad36ecbe22fd21cbd53bcaa742 N/A
File opened for reading /proc/3/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/041bc20ca8ac3161098cbc976e67e3c0f1b672ad36ecbe22fd21cbd53bcaa742 N/A
File opened for reading /proc/loadavg /usr/bin/uptime N/A
File opened for reading /proc/756/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/041bc20ca8ac3161098cbc976e67e3c0f1b672ad36ecbe22fd21cbd53bcaa742 N/A
File opened for reading /proc/991/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/041bc20ca8ac3161098cbc976e67e3c0f1b672ad36ecbe22fd21cbd53bcaa742 N/A
File opened for reading /proc/1088/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/041bc20ca8ac3161098cbc976e67e3c0f1b672ad36ecbe22fd21cbd53bcaa742 N/A
File opened for reading /proc/14/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/041bc20ca8ac3161098cbc976e67e3c0f1b672ad36ecbe22fd21cbd53bcaa742 N/A
File opened for reading /proc/213/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/041bc20ca8ac3161098cbc976e67e3c0f1b672ad36ecbe22fd21cbd53bcaa742 N/A
File opened for reading /proc/1261/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/041bc20ca8ac3161098cbc976e67e3c0f1b672ad36ecbe22fd21cbd53bcaa742 N/A
File opened for reading /proc/636/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/041bc20ca8ac3161098cbc976e67e3c0f1b672ad36ecbe22fd21cbd53bcaa742 N/A
File opened for reading /proc/90/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/041bc20ca8ac3161098cbc976e67e3c0f1b672ad36ecbe22fd21cbd53bcaa742 N/A
File opened for reading /proc/meminfo /usr/bin/free N/A
File opened for reading /proc/sys/kernel/osrelease /usr/bin/uptime N/A
File opened for reading /proc/sys/kernel/osrelease /usr/bin/free N/A
File opened for reading /proc/meminfo /usr/bin/free N/A
File opened for reading /proc/1276/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/041bc20ca8ac3161098cbc976e67e3c0f1b672ad36ecbe22fd21cbd53bcaa742 N/A
File opened for reading /proc/409/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/041bc20ca8ac3161098cbc976e67e3c0f1b672ad36ecbe22fd21cbd53bcaa742 N/A
File opened for reading /proc/1377/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/041bc20ca8ac3161098cbc976e67e3c0f1b672ad36ecbe22fd21cbd53bcaa742 N/A
File opened for reading /proc/sys/kernel/osrelease /usr/bin/uptime N/A
File opened for reading /proc/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/041bc20ca8ac3161098cbc976e67e3c0f1b672ad36ecbe22fd21cbd53bcaa742 N/A
File opened for reading /proc/1114/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/041bc20ca8ac3161098cbc976e67e3c0f1b672ad36ecbe22fd21cbd53bcaa742 N/A
File opened for reading /proc/866/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/041bc20ca8ac3161098cbc976e67e3c0f1b672ad36ecbe22fd21cbd53bcaa742 N/A
File opened for reading /proc/13/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/041bc20ca8ac3161098cbc976e67e3c0f1b672ad36ecbe22fd21cbd53bcaa742 N/A
File opened for reading /proc/746/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/041bc20ca8ac3161098cbc976e67e3c0f1b672ad36ecbe22fd21cbd53bcaa742 N/A
File opened for reading /proc/635/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/041bc20ca8ac3161098cbc976e67e3c0f1b672ad36ecbe22fd21cbd53bcaa742 N/A
File opened for reading /proc/loadavg /usr/bin/uptime N/A
File opened for reading /proc/sys/kernel/osrelease /usr/bin/free N/A
File opened for reading /proc/522/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/041bc20ca8ac3161098cbc976e67e3c0f1b672ad36ecbe22fd21cbd53bcaa742 N/A
File opened for reading /proc/self/auxv /usr/bin/free N/A
File opened for reading /proc/83/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/041bc20ca8ac3161098cbc976e67e3c0f1b672ad36ecbe22fd21cbd53bcaa742 N/A
File opened for reading /proc/self/auxv /usr/bin/free N/A
File opened for reading /proc/76/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/041bc20ca8ac3161098cbc976e67e3c0f1b672ad36ecbe22fd21cbd53bcaa742 N/A
File opened for reading /proc/1142/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/041bc20ca8ac3161098cbc976e67e3c0f1b672ad36ecbe22fd21cbd53bcaa742 N/A
File opened for reading /proc/1344/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/041bc20ca8ac3161098cbc976e67e3c0f1b672ad36ecbe22fd21cbd53bcaa742 N/A
File opened for reading /proc/314/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/041bc20ca8ac3161098cbc976e67e3c0f1b672ad36ecbe22fd21cbd53bcaa742 N/A
File opened for reading /proc/meminfo /usr/bin/free N/A
File opened for reading /proc/uptime /usr/bin/uptime N/A
File opened for reading /proc/102/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/041bc20ca8ac3161098cbc976e67e3c0f1b672ad36ecbe22fd21cbd53bcaa742 N/A
File opened for reading /proc/113/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/041bc20ca8ac3161098cbc976e67e3c0f1b672ad36ecbe22fd21cbd53bcaa742 N/A
File opened for reading /proc/1164/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/041bc20ca8ac3161098cbc976e67e3c0f1b672ad36ecbe22fd21cbd53bcaa742 N/A
File opened for reading /proc/588/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/041bc20ca8ac3161098cbc976e67e3c0f1b672ad36ecbe22fd21cbd53bcaa742 N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/nc /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/041bc20ca8ac3161098cbc976e67e3c0f1b672ad36ecbe22fd21cbd53bcaa742 N/A

Processes

/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/041bc20ca8ac3161098cbc976e67e3c0f1b672ad36ecbe22fd21cbd53bcaa742

[/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/041bc20ca8ac3161098cbc976e67e3c0f1b672ad36ecbe22fd21cbd53bcaa742]

/usr/bin/uname

[uname -a]

/usr/bin/cat

[cat /proc/cpuinfo]

/usr/bin/cat

[cat /etc/issue]

/usr/bin/free

[free -m]

/usr/bin/uptime

[uptime]

/usr/bin/journalctl

[journalctl -S @0 -u sshd]

/usr/bin/cat

[cat /var/log/auth*]

/usr/bin/zcat

[zcat /var/log/auth*]

/usr/local/sbin/gzip

[gzip -cd /var/log/auth*]

/usr/local/bin/gzip

[gzip -cd /var/log/auth*]

/usr/sbin/gzip

[gzip -cd /var/log/auth*]

/usr/bin/gzip

[gzip -cd /var/log/auth*]

/usr/bin/free

[free -m]

/usr/bin/uptime

[uptime]

/usr/bin/free

[free -m]

/usr/bin/uptime

[uptime]

/usr/bin/free

[free -m]

/usr/bin/uptime

[uptime]

/usr/bin/free

[free -m]

/usr/bin/uptime

[uptime]

/usr/bin/free

[free -m]

/usr/bin/uptime

[uptime]

/usr/bin/free

[free -m]

/usr/bin/uptime

[uptime]

/usr/bin/free

[free -m]

/usr/bin/uptime

[uptime]

/usr/bin/free

[free -m]

/usr/bin/uptime

[uptime]

/usr/bin/free

[free -m]

/usr/bin/uptime

[uptime]

/usr/bin/free

[free -m]

/usr/bin/uptime

[uptime]

/usr/bin/free

[free -m]

/usr/bin/uptime

[uptime]

/usr/bin/free

[free -m]

/usr/bin/uptime

[uptime]

/usr/bin/free

[free -m]

/usr/bin/uptime

[uptime]

/usr/bin/free

[free -m]

/usr/bin/uptime

[uptime]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 207.149.33.160:22 tcp
CA 142.72.177.81:2222 tcp
MT 94.17.56.52:22 tcp
US 163.187.218.206:2222 tcp
BR 201.42.189.46:2222 tcp
US 12.64.247.29:2222 tcp
IN 101.216.110.100:22 tcp
UA 176.110.37.63:2222 tcp
HK 203.218.160.180:22 tcp
US 73.148.103.2:22 tcp
US 96.79.194.54:2222 tcp
US 184.143.189.32:22 tcp
N/A 245.227.206.250:22 tcp
CA 129.97.128.214:22 tcp
JP 222.229.155.230:22 tcp
DE 188.174.139.194:2222 tcp
US 4.227.16.237:22 tcp
ID 39.225.213.178:22 tcp
US 24.124.93.248:2222 tcp
BR 189.51.229.59:2222 tcp
CA 129.97.128.214:2222 tcp
KR 183.97.86.185:2222 tcp
US 4.227.16.237:2222 tcp
US 146.235.135.52:2222 tcp
KR 183.97.86.185:22 tcp
US 96.79.194.54:22 tcp
CN 60.207.71.131:2222 tcp
US 18.65.227.216:22 tcp
GE 93.186.220.4:2222 tcp
ID 39.225.213.178:2222 tcp
US 173.108.181.223:2222 tcp
EC 186.33.162.245:22 tcp
PE 186.160.87.56:22 tcp
MT 94.17.56.52:2222 tcp
EG 154.140.7.59:2222 tcp
JP 150.29.237.177:2222 tcp
CN 220.164.18.133:22 tcp
US 73.148.103.2:2222 tcp
US 99.190.92.183:2222 tcp
KR 27.169.159.168:22 tcp
TR 88.249.159.38:2222 tcp
BE 78.22.206.34:2222 tcp
PE 186.160.87.56:2222 tcp
CN 42.193.103.183:22 tcp
US 99.190.92.183:22 tcp
US 140.9.157.2:22 tcp
FR 88.165.232.92:2222 tcp
UA 176.110.37.63:22 tcp
US 66.63.192.229:2222 tcp
EC 186.33.162.245:2222 tcp
BR 201.42.189.46:22 tcp
TR 88.249.159.38:22 tcp
US 166.109.43.132:22 tcp
US 63.208.231.175:22 tcp
GE 93.186.220.4:22 tcp
US 71.211.92.221:2222 tcp
BE 37.44.243.66:2222 tcp
CN 42.193.103.183:2222 tcp
US 207.34.38.87:22 tcp
BR 189.51.229.59:22 tcp
US 163.187.218.206:22 tcp
US 209.149.107.187:2222 tcp
DE 91.58.138.47:22 tcp
US 66.237.131.184:2222 tcp
HK 203.218.160.180:2222 tcp

Files

/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/nc

MD5 76fe4fdd628218f630ba50f91ceba852
SHA1 6e90f2fe619597115e5b8dd8b0d1fb0c8ad33fa4
SHA256 041bc20ca8ac3161098cbc976e67e3c0f1b672ad36ecbe22fd21cbd53bcaa742
SHA512 7956505ae0d8479a92ddf97bb09a757566ef526934ee06b4273f0fc450e4da9204808ffa4f4674f4e6e313eb718a7c65f258ef8d23b9769b8aa12d47610d8011

Analysis: behavioral3

Detonation Overview

Submitted

2024-09-04 20:01

Reported

2024-09-04 20:10

Platform

win7-20240729-en

Max time kernel

143s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\DanaBot.exe"

Signatures

Danabot

trojan banker danabot

Danabot x86 payload

botnet
Description Indicator Process Target
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\DanaBot.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2320 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\DanaBot.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2320 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\DanaBot.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2320 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\DanaBot.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2320 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\DanaBot.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2320 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\DanaBot.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2320 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\DanaBot.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2320 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\DanaBot.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2608 wrote to memory of 2800 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2608 wrote to memory of 2800 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2608 wrote to memory of 2800 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2608 wrote to memory of 2800 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2608 wrote to memory of 2800 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2608 wrote to memory of 2800 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2608 wrote to memory of 2800 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\DanaBot.exe

"C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\DanaBot.exe"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\THE-MA~1\BANKIN~1\DanaBot.dll f1 C:\Users\Admin\AppData\Local\Temp\THE-MA~1\BANKIN~1\DanaBot.exe@2320

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\THE-MA~1\BANKIN~1\DanaBot.dll,f0

Network

Country Destination Domain Proto
FR 51.178.195.151:443 tcp
CA 51.222.39.81:443 tcp
FR 51.77.7.204:443 tcp
FR 51.77.7.204:443 tcp
FR 51.77.7.204:443 tcp
FR 51.77.7.204:443 tcp
FR 51.77.7.204:443 tcp

Files

memory/2320-0-0x0000000002360000-0x00000000025D8000-memory.dmp

memory/2320-1-0x0000000002360000-0x00000000025D8000-memory.dmp

memory/2320-2-0x00000000025E0000-0x000000000286D000-memory.dmp

memory/2320-3-0x0000000000400000-0x000000000069A000-memory.dmp

memory/2320-6-0x00000000025E0000-0x000000000286D000-memory.dmp

memory/2608-11-0x00000000026D0000-0x000000000293B000-memory.dmp

\Users\Admin\AppData\Local\Temp\THE-MA~1\BANKIN~1\DanaBot.dll

MD5 9cb7b0d8e817636deed7b195e69f6156
SHA1 3a68463ef2313fa9580ff8048900ffcafb604114
SHA256 9e9c58dec15cf26e295f6d4dc1587468e6f1483e78ff2b8a2f47034b9731f5b1
SHA512 c8cb93a387cbfe13d1cfd131cffdce95656543cbb8838983015c981aad5cb9e7a6c1bbf94f248a83017420d7d51eea2ab44449333dd1557e2ec2a7017fc8a793

memory/2320-8-0x0000000000400000-0x000000000069A000-memory.dmp

memory/2320-7-0x0000000002360000-0x00000000025D8000-memory.dmp

memory/2320-5-0x0000000000400000-0x0000000000AAD000-memory.dmp

memory/2800-16-0x0000000002410000-0x000000000267B000-memory.dmp

memory/2800-17-0x0000000002410000-0x000000000267B000-memory.dmp

memory/2800-19-0x0000000002410000-0x000000000267B000-memory.dmp

Analysis: behavioral30

Detonation Overview

Submitted

2024-09-04 20:01

Reported

2024-09-04 20:10

Platform

ubuntu2204-amd64-20240611-en

Max time kernel

149s

Max time network

144s

Command Line

[/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/6fe6808b9cfe654f526108ec61cb5211bb6601d28e192cadf06102073b54f69c]

Signatures

Adds new SSH keys

persistence privilege_escalation
Description Indicator Process Target
File opened for modification /root/.ssh/authorized_keys /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/6fe6808b9cfe654f526108ec61cb5211bb6601d28e192cadf06102073b54f69c N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Deletes log files

defense_evasion
Description Indicator Process Target
File deleted /var/log/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/6fe6808b9cfe654f526108ec61cb5211bb6601d28e192cadf06102073b54f69c /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/6fe6808b9cfe654f526108ec61cb5211bb6601d28e192cadf06102073b54f69c N/A

Enumerates running processes

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /usr/bin/cat N/A

Reads CPU attributes

discovery
Description Indicator Process Target
File opened for reading /sys/devices/system/cpu/online /usr/bin/free N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/uptime N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/free N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/uptime N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/free N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/free N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/free N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/uptime N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/free N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/uptime N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/free N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/uptime N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/uptime N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/free N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/uptime N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/uptime N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/free N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/uptime N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/free N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/uptime N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/uptime N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/free N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/free N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/uptime N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/free N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/uptime N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/free N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/uptime N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/uptime N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/free N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/86/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/6fe6808b9cfe654f526108ec61cb5211bb6601d28e192cadf06102073b54f69c N/A
File opened for reading /proc/sys/kernel/osrelease /usr/bin/uptime N/A
File opened for reading /proc/uptime /usr/bin/uptime N/A
File opened for reading /proc/1203/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/6fe6808b9cfe654f526108ec61cb5211bb6601d28e192cadf06102073b54f69c N/A
File opened for reading /proc/788/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/6fe6808b9cfe654f526108ec61cb5211bb6601d28e192cadf06102073b54f69c N/A
File opened for reading /proc/720/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/6fe6808b9cfe654f526108ec61cb5211bb6601d28e192cadf06102073b54f69c N/A
File opened for reading /proc/sys/kernel/osrelease /usr/bin/uptime N/A
File opened for reading /proc/1445/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/6fe6808b9cfe654f526108ec61cb5211bb6601d28e192cadf06102073b54f69c N/A
File opened for reading /proc/85/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/6fe6808b9cfe654f526108ec61cb5211bb6601d28e192cadf06102073b54f69c N/A
File opened for reading /proc/93/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/6fe6808b9cfe654f526108ec61cb5211bb6601d28e192cadf06102073b54f69c N/A
File opened for reading /proc/102/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/6fe6808b9cfe654f526108ec61cb5211bb6601d28e192cadf06102073b54f69c N/A
File opened for reading /proc/195/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/6fe6808b9cfe654f526108ec61cb5211bb6601d28e192cadf06102073b54f69c N/A
File opened for reading /proc/sys/kernel/osrelease /usr/bin/free N/A
File opened for reading /proc/meminfo /usr/bin/free N/A
File opened for reading /proc/675/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/6fe6808b9cfe654f526108ec61cb5211bb6601d28e192cadf06102073b54f69c N/A
File opened for reading /proc/92/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/6fe6808b9cfe654f526108ec61cb5211bb6601d28e192cadf06102073b54f69c N/A
File opened for reading /proc/meminfo /usr/bin/free N/A
File opened for reading /proc/1251/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/6fe6808b9cfe654f526108ec61cb5211bb6601d28e192cadf06102073b54f69c N/A
File opened for reading /proc/1104/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/6fe6808b9cfe654f526108ec61cb5211bb6601d28e192cadf06102073b54f69c N/A
File opened for reading /proc/225/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/6fe6808b9cfe654f526108ec61cb5211bb6601d28e192cadf06102073b54f69c N/A
File opened for reading /proc/263/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/6fe6808b9cfe654f526108ec61cb5211bb6601d28e192cadf06102073b54f69c N/A
File opened for reading /proc/422/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/6fe6808b9cfe654f526108ec61cb5211bb6601d28e192cadf06102073b54f69c N/A
File opened for reading /proc/loadavg /usr/bin/uptime N/A
File opened for reading /proc/1169/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/6fe6808b9cfe654f526108ec61cb5211bb6601d28e192cadf06102073b54f69c N/A
File opened for reading /proc/79/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/6fe6808b9cfe654f526108ec61cb5211bb6601d28e192cadf06102073b54f69c N/A
File opened for reading /proc/612/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/6fe6808b9cfe654f526108ec61cb5211bb6601d28e192cadf06102073b54f69c N/A
File opened for reading /proc/meminfo /usr/bin/free N/A
File opened for reading /proc/18/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/6fe6808b9cfe654f526108ec61cb5211bb6601d28e192cadf06102073b54f69c N/A
File opened for reading /proc/263/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/6fe6808b9cfe654f526108ec61cb5211bb6601d28e192cadf06102073b54f69c N/A
File opened for reading /proc/986/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/6fe6808b9cfe654f526108ec61cb5211bb6601d28e192cadf06102073b54f69c N/A
File opened for reading /proc/1041/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/6fe6808b9cfe654f526108ec61cb5211bb6601d28e192cadf06102073b54f69c N/A
File opened for reading /proc/85/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/6fe6808b9cfe654f526108ec61cb5211bb6601d28e192cadf06102073b54f69c N/A
File opened for reading /proc/self/auxv /usr/bin/free N/A
File opened for reading /proc/sys/kernel/osrelease /usr/bin/free N/A
File opened for reading /proc/1173/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/6fe6808b9cfe654f526108ec61cb5211bb6601d28e192cadf06102073b54f69c N/A
File opened for reading /proc/212/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/6fe6808b9cfe654f526108ec61cb5211bb6601d28e192cadf06102073b54f69c N/A
File opened for reading /proc/412/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/6fe6808b9cfe654f526108ec61cb5211bb6601d28e192cadf06102073b54f69c N/A
File opened for reading /proc/6/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/6fe6808b9cfe654f526108ec61cb5211bb6601d28e192cadf06102073b54f69c N/A
File opened for reading /proc/uptime /usr/bin/uptime N/A
File opened for reading /proc/1357/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/6fe6808b9cfe654f526108ec61cb5211bb6601d28e192cadf06102073b54f69c N/A
File opened for reading /proc/80/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/6fe6808b9cfe654f526108ec61cb5211bb6601d28e192cadf06102073b54f69c N/A
File opened for reading /proc/sys/kernel/osrelease /usr/bin/free N/A
File opened for reading /proc/meminfo /usr/bin/free N/A
File opened for reading /proc/1287/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/6fe6808b9cfe654f526108ec61cb5211bb6601d28e192cadf06102073b54f69c N/A
File opened for reading /proc/728/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/6fe6808b9cfe654f526108ec61cb5211bb6601d28e192cadf06102073b54f69c N/A
File opened for reading /proc/self/auxv /usr/bin/uptime N/A
File opened for reading /proc/93/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/6fe6808b9cfe654f526108ec61cb5211bb6601d28e192cadf06102073b54f69c N/A
File opened for reading /proc/loadavg /usr/bin/uptime N/A
File opened for reading /proc/412/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/6fe6808b9cfe654f526108ec61cb5211bb6601d28e192cadf06102073b54f69c N/A
File opened for reading /proc/518/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/6fe6808b9cfe654f526108ec61cb5211bb6601d28e192cadf06102073b54f69c N/A
File opened for reading /proc/1296/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/6fe6808b9cfe654f526108ec61cb5211bb6601d28e192cadf06102073b54f69c N/A
File opened for reading /proc/self/auxv /usr/bin/free N/A
File opened for reading /proc/204/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/6fe6808b9cfe654f526108ec61cb5211bb6601d28e192cadf06102073b54f69c N/A
File opened for reading /proc/497/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/6fe6808b9cfe654f526108ec61cb5211bb6601d28e192cadf06102073b54f69c N/A
File opened for reading /proc/23/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/6fe6808b9cfe654f526108ec61cb5211bb6601d28e192cadf06102073b54f69c N/A
File opened for reading /proc/75/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/6fe6808b9cfe654f526108ec61cb5211bb6601d28e192cadf06102073b54f69c N/A
File opened for reading /proc/1121/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/6fe6808b9cfe654f526108ec61cb5211bb6601d28e192cadf06102073b54f69c N/A
File opened for reading /proc/1137/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/6fe6808b9cfe654f526108ec61cb5211bb6601d28e192cadf06102073b54f69c N/A
File opened for reading /proc/523/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/6fe6808b9cfe654f526108ec61cb5211bb6601d28e192cadf06102073b54f69c N/A
File opened for reading /proc/99/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/6fe6808b9cfe654f526108ec61cb5211bb6601d28e192cadf06102073b54f69c N/A
File opened for reading /proc/1152/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/6fe6808b9cfe654f526108ec61cb5211bb6601d28e192cadf06102073b54f69c N/A
File opened for reading /proc/1574/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/6fe6808b9cfe654f526108ec61cb5211bb6601d28e192cadf06102073b54f69c N/A
File opened for reading /proc/sys/kernel/osrelease /usr/bin/uptime N/A
File opened for reading /proc/637/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/6fe6808b9cfe654f526108ec61cb5211bb6601d28e192cadf06102073b54f69c N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/nc /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/6fe6808b9cfe654f526108ec61cb5211bb6601d28e192cadf06102073b54f69c N/A

Processes

/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/6fe6808b9cfe654f526108ec61cb5211bb6601d28e192cadf06102073b54f69c

[/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/6fe6808b9cfe654f526108ec61cb5211bb6601d28e192cadf06102073b54f69c]

/usr/bin/uname

[uname -a]

/usr/bin/cat

[cat /proc/cpuinfo]

/usr/bin/cat

[cat /etc/issue]

/usr/bin/free

[free -m]

/usr/bin/uptime

[uptime]

/usr/bin/journalctl

[journalctl -S @0 -u sshd]

/usr/bin/cat

[cat /var/log/auth*]

/usr/bin/zcat

[zcat /var/log/auth*]

/usr/local/sbin/gzip

[gzip -cd /var/log/auth*]

/usr/local/bin/gzip

[gzip -cd /var/log/auth*]

/usr/sbin/gzip

[gzip -cd /var/log/auth*]

/usr/bin/gzip

[gzip -cd /var/log/auth*]

Network

Country Destination Domain Proto

Files

/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/nc

MD5 3fe7b88a9ba6c5acee4faae760642b78
SHA1 bae245bc98c516604838c6ce5a233f066de44a50
SHA256 6fe6808b9cfe654f526108ec61cb5211bb6601d28e192cadf06102073b54f69c
SHA512 02abc8d4fe280306a9ac6a25d28cf174a8d51a43d98b6837bc129701d8c0ab486eebaeef11062b58c455627d4de7c8782b3828aa02891fe439ca1ca617038f95

Analysis: behavioral11

Detonation Overview

Submitted

2024-09-04 20:01

Reported

2024-09-04 20:10

Platform

win7-20240903-en

Max time kernel

122s

Max time network

129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\Trojan.Dridex.A.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Network Share Discovery

discovery

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\whoami.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\Trojan.Dridex.A.exe N/A

Discovers systems in the same network

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\net.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\whoami.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1636 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\Trojan.Dridex.A.exe C:\Windows\SysWOW64\svchost.exe
PID 2912 wrote to memory of 2288 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\whoami.exe
PID 2912 wrote to memory of 2252 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\net.exe

Processes

C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\Trojan.Dridex.A.exe

"C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\Trojan.Dridex.A.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe "C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\Trojan.Dridex.A.exe"

C:\Windows\SysWOW64\whoami.exe

C:\Windows\system32\whoami.exe /all

C:\Windows\SysWOW64\net.exe

C:\Windows\system32\net.exe view

Network

Country Destination Domain Proto
BG 91.92.136.107:443 tcp

Files

memory/1636-0-0x0000000000840000-0x0000000000862000-memory.dmp

memory/1636-1-0x0000000000130000-0x0000000000136000-memory.dmp

memory/2912-3-0x0000000076C29000-0x0000000076C2A000-memory.dmp

memory/2912-2-0x00000000001C0000-0x00000000001C1000-memory.dmp

memory/1636-5-0x0000000000840000-0x0000000000862000-memory.dmp

memory/2912-11-0x00000000002E0000-0x0000000000302000-memory.dmp

memory/2912-7-0x00000000002E0000-0x0000000000302000-memory.dmp

memory/2912-10-0x00000000002E0000-0x0000000000302000-memory.dmp

memory/2912-9-0x00000000002E0000-0x0000000000302000-memory.dmp

memory/2912-8-0x00000000002E0000-0x0000000000302000-memory.dmp

memory/2912-6-0x00000000002E0000-0x0000000000302000-memory.dmp

memory/2912-13-0x00000000002E0000-0x0000000000302000-memory.dmp

memory/2912-12-0x00000000002E0000-0x0000000000302000-memory.dmp

memory/2912-18-0x0000000076BA0000-0x0000000076CB0000-memory.dmp

Analysis: behavioral23

Detonation Overview

Submitted

2024-09-04 20:01

Reported

2024-09-04 20:10

Platform

ubuntu2204-amd64-20240522.1-en

Max time kernel

149s

Max time network

141s

Command Line

[/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/0ab8836efcaa62c7daac314e0b7ab1679319b2901578fd9e95ec3476b4c1a732]

Signatures

Adds new SSH keys

persistence privilege_escalation
Description Indicator Process Target
File opened for modification /root/.ssh/authorized_keys /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/0ab8836efcaa62c7daac314e0b7ab1679319b2901578fd9e95ec3476b4c1a732 N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Deletes log files

defense_evasion
Description Indicator Process Target
File deleted /var/log/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/0ab8836efcaa62c7daac314e0b7ab1679319b2901578fd9e95ec3476b4c1a732 /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/0ab8836efcaa62c7daac314e0b7ab1679319b2901578fd9e95ec3476b4c1a732 N/A

Enumerates running processes

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /usr/bin/cat N/A

Reads CPU attributes

discovery
Description Indicator Process Target
File opened for reading /sys/devices/system/cpu/online /usr/bin/uptime N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/free N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/self/auxv /usr/bin/uptime N/A
File opened for reading /proc/1221/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/0ab8836efcaa62c7daac314e0b7ab1679319b2901578fd9e95ec3476b4c1a732 N/A
File opened for reading /proc/2/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/0ab8836efcaa62c7daac314e0b7ab1679319b2901578fd9e95ec3476b4c1a732 N/A
File opened for reading /proc/119/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/0ab8836efcaa62c7daac314e0b7ab1679319b2901578fd9e95ec3476b4c1a732 N/A
File opened for reading /proc/212/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/0ab8836efcaa62c7daac314e0b7ab1679319b2901578fd9e95ec3476b4c1a732 N/A
File opened for reading /proc/1590/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/0ab8836efcaa62c7daac314e0b7ab1679319b2901578fd9e95ec3476b4c1a732 N/A
File opened for reading /proc/225/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/0ab8836efcaa62c7daac314e0b7ab1679319b2901578fd9e95ec3476b4c1a732 N/A
File opened for reading /proc/73/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/0ab8836efcaa62c7daac314e0b7ab1679319b2901578fd9e95ec3476b4c1a732 N/A
File opened for reading /proc/76/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/0ab8836efcaa62c7daac314e0b7ab1679319b2901578fd9e95ec3476b4c1a732 N/A
File opened for reading /proc/1057/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/0ab8836efcaa62c7daac314e0b7ab1679319b2901578fd9e95ec3476b4c1a732 N/A
File opened for reading /proc/1245/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/0ab8836efcaa62c7daac314e0b7ab1679319b2901578fd9e95ec3476b4c1a732 N/A
File opened for reading /proc/1280/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/0ab8836efcaa62c7daac314e0b7ab1679319b2901578fd9e95ec3476b4c1a732 N/A
File opened for reading /proc/227/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/0ab8836efcaa62c7daac314e0b7ab1679319b2901578fd9e95ec3476b4c1a732 N/A
File opened for reading /proc/1175/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/0ab8836efcaa62c7daac314e0b7ab1679319b2901578fd9e95ec3476b4c1a732 N/A
File opened for reading /proc/1180/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/0ab8836efcaa62c7daac314e0b7ab1679319b2901578fd9e95ec3476b4c1a732 N/A
File opened for reading /proc/1573/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/0ab8836efcaa62c7daac314e0b7ab1679319b2901578fd9e95ec3476b4c1a732 N/A
File opened for reading /proc/26/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/0ab8836efcaa62c7daac314e0b7ab1679319b2901578fd9e95ec3476b4c1a732 N/A
File opened for reading /proc/1436/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/0ab8836efcaa62c7daac314e0b7ab1679319b2901578fd9e95ec3476b4c1a732 N/A
File opened for reading /proc/1205/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/0ab8836efcaa62c7daac314e0b7ab1679319b2901578fd9e95ec3476b4c1a732 N/A
File opened for reading /proc/18/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/0ab8836efcaa62c7daac314e0b7ab1679319b2901578fd9e95ec3476b4c1a732 N/A
File opened for reading /proc/682/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/0ab8836efcaa62c7daac314e0b7ab1679319b2901578fd9e95ec3476b4c1a732 N/A
File opened for reading /proc/sys/kernel/osrelease /usr/bin/uptime N/A
File opened for reading /proc/80/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/0ab8836efcaa62c7daac314e0b7ab1679319b2901578fd9e95ec3476b4c1a732 N/A
File opened for reading /proc/90/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/0ab8836efcaa62c7daac314e0b7ab1679319b2901578fd9e95ec3476b4c1a732 N/A
File opened for reading /proc/1100/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/0ab8836efcaa62c7daac314e0b7ab1679319b2901578fd9e95ec3476b4c1a732 N/A
File opened for reading /proc/25/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/0ab8836efcaa62c7daac314e0b7ab1679319b2901578fd9e95ec3476b4c1a732 N/A
File opened for reading /proc/640/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/0ab8836efcaa62c7daac314e0b7ab1679319b2901578fd9e95ec3476b4c1a732 N/A
File opened for reading /proc/1113/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/0ab8836efcaa62c7daac314e0b7ab1679319b2901578fd9e95ec3476b4c1a732 N/A
File opened for reading /proc/1360/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/0ab8836efcaa62c7daac314e0b7ab1679319b2901578fd9e95ec3476b4c1a732 N/A
File opened for reading /proc/221/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/0ab8836efcaa62c7daac314e0b7ab1679319b2901578fd9e95ec3476b4c1a732 N/A
File opened for reading /proc/77/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/0ab8836efcaa62c7daac314e0b7ab1679319b2901578fd9e95ec3476b4c1a732 N/A
File opened for reading /proc/836/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/0ab8836efcaa62c7daac314e0b7ab1679319b2901578fd9e95ec3476b4c1a732 N/A
File opened for reading /proc/1159/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/0ab8836efcaa62c7daac314e0b7ab1679319b2901578fd9e95ec3476b4c1a732 N/A
File opened for reading /proc/loadavg /usr/bin/uptime N/A
File opened for reading /proc/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/0ab8836efcaa62c7daac314e0b7ab1679319b2901578fd9e95ec3476b4c1a732 N/A
File opened for reading /proc/10/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/0ab8836efcaa62c7daac314e0b7ab1679319b2901578fd9e95ec3476b4c1a732 N/A
File opened for reading /proc/81/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/0ab8836efcaa62c7daac314e0b7ab1679319b2901578fd9e95ec3476b4c1a732 N/A
File opened for reading /proc/self/auxv /usr/bin/free N/A
File opened for reading /proc/3/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/0ab8836efcaa62c7daac314e0b7ab1679319b2901578fd9e95ec3476b4c1a732 N/A
File opened for reading /proc/662/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/0ab8836efcaa62c7daac314e0b7ab1679319b2901578fd9e95ec3476b4c1a732 N/A
File opened for reading /proc/1573/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/0ab8836efcaa62c7daac314e0b7ab1679319b2901578fd9e95ec3476b4c1a732 N/A
File opened for reading /proc/215/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/0ab8836efcaa62c7daac314e0b7ab1679319b2901578fd9e95ec3476b4c1a732 N/A
File opened for reading /proc/263/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/0ab8836efcaa62c7daac314e0b7ab1679319b2901578fd9e95ec3476b4c1a732 N/A
File opened for reading /proc/417/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/0ab8836efcaa62c7daac314e0b7ab1679319b2901578fd9e95ec3476b4c1a732 N/A
File opened for reading /proc/1067/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/0ab8836efcaa62c7daac314e0b7ab1679319b2901578fd9e95ec3476b4c1a732 N/A
File opened for reading /proc/761/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/0ab8836efcaa62c7daac314e0b7ab1679319b2901578fd9e95ec3476b4c1a732 N/A
File opened for reading /proc/1179/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/0ab8836efcaa62c7daac314e0b7ab1679319b2901578fd9e95ec3476b4c1a732 N/A
File opened for reading /proc/1489/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/0ab8836efcaa62c7daac314e0b7ab1679319b2901578fd9e95ec3476b4c1a732 N/A
File opened for reading /proc/821/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/0ab8836efcaa62c7daac314e0b7ab1679319b2901578fd9e95ec3476b4c1a732 N/A
File opened for reading /proc/826/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/0ab8836efcaa62c7daac314e0b7ab1679319b2901578fd9e95ec3476b4c1a732 N/A
File opened for reading /proc/sys/kernel/osrelease /usr/bin/free N/A
File opened for reading /proc/94/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/0ab8836efcaa62c7daac314e0b7ab1679319b2901578fd9e95ec3476b4c1a732 N/A
File opened for reading /proc/4/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/0ab8836efcaa62c7daac314e0b7ab1679319b2901578fd9e95ec3476b4c1a732 N/A
File opened for reading /proc/408/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/0ab8836efcaa62c7daac314e0b7ab1679319b2901578fd9e95ec3476b4c1a732 N/A
File opened for reading /proc/219/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/0ab8836efcaa62c7daac314e0b7ab1679319b2901578fd9e95ec3476b4c1a732 N/A
File opened for reading /proc/82/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/0ab8836efcaa62c7daac314e0b7ab1679319b2901578fd9e95ec3476b4c1a732 N/A
File opened for reading /proc/1133/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/0ab8836efcaa62c7daac314e0b7ab1679319b2901578fd9e95ec3476b4c1a732 N/A
File opened for reading /proc/4/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/0ab8836efcaa62c7daac314e0b7ab1679319b2901578fd9e95ec3476b4c1a732 N/A
File opened for reading /proc/90/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/0ab8836efcaa62c7daac314e0b7ab1679319b2901578fd9e95ec3476b4c1a732 N/A
File opened for reading /proc/uptime /usr/bin/uptime N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/nc /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/0ab8836efcaa62c7daac314e0b7ab1679319b2901578fd9e95ec3476b4c1a732 N/A

Processes

/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/0ab8836efcaa62c7daac314e0b7ab1679319b2901578fd9e95ec3476b4c1a732

[/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/0ab8836efcaa62c7daac314e0b7ab1679319b2901578fd9e95ec3476b4c1a732]

/usr/bin/uname

[uname -a]

/usr/bin/cat

[cat /proc/cpuinfo]

/usr/bin/cat

[cat /etc/issue]

/usr/bin/free

[free -m]

/usr/bin/uptime

[uptime]

/usr/bin/journalctl

[journalctl -S @0 -u sshd]

/usr/bin/cat

[cat /var/log/auth*]

/usr/bin/zcat

[zcat /var/log/auth*]

/usr/local/sbin/gzip

[gzip -cd /var/log/auth*]

/usr/local/bin/gzip

[gzip -cd /var/log/auth*]

/usr/sbin/gzip

[gzip -cd /var/log/auth*]

/usr/bin/gzip

[gzip -cd /var/log/auth*]

Network

Country Destination Domain Proto

Files

/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/nc

MD5 0263de27fd997a4904ee4a92f91ac733
SHA1 da090fd76b2d92320cf7e55666bb5bd8f50796c9
SHA256 0ab8836efcaa62c7daac314e0b7ab1679319b2901578fd9e95ec3476b4c1a732
SHA512 09ef02532eb7c3a968c1d04bf1f3aa9a4bf400f8485d3be596d7db3aed5f705fc1f85a1f6218397a70830ad747aa03c61b9c5b1cca24c2620cdbb3e5361db194

Analysis: behavioral25

Detonation Overview

Submitted

2024-09-04 20:01

Reported

2024-09-04 20:10

Platform

ubuntu2404-amd64-20240729-en

Max time kernel

149s

Max time network

154s

Command Line

[/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/2378e76aba1ad6e0c937fb39989217bf0de616fdad4726c0f4233bf5414cde86]

Signatures

Adds new SSH keys

persistence privilege_escalation
Description Indicator Process Target
File opened for modification /root/.ssh/authorized_keys /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/2378e76aba1ad6e0c937fb39989217bf0de616fdad4726c0f4233bf5414cde86 N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Deletes log files

defense_evasion
Description Indicator Process Target
File deleted /var/log/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/2378e76aba1ad6e0c937fb39989217bf0de616fdad4726c0f4233bf5414cde86 /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/2378e76aba1ad6e0c937fb39989217bf0de616fdad4726c0f4233bf5414cde86 N/A

Enumerates running processes

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /usr/bin/cat N/A

Enumerates kernel/hardware configuration

discovery
Description Indicator Process Target
File opened for reading /sys/kernel/mm/transparent_hugepage/hpage_pmd_size /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/2378e76aba1ad6e0c937fb39989217bf0de616fdad4726c0f4233bf5414cde86 N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/21/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/2378e76aba1ad6e0c937fb39989217bf0de616fdad4726c0f4233bf5414cde86 N/A
File opened for reading /proc/2154/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/2378e76aba1ad6e0c937fb39989217bf0de616fdad4726c0f4233bf5414cde86 N/A
File opened for reading /proc/438/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/2378e76aba1ad6e0c937fb39989217bf0de616fdad4726c0f4233bf5414cde86 N/A
File opened for reading /proc/6/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/2378e76aba1ad6e0c937fb39989217bf0de616fdad4726c0f4233bf5414cde86 N/A
File opened for reading /proc/1692/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/2378e76aba1ad6e0c937fb39989217bf0de616fdad4726c0f4233bf5414cde86 N/A
File opened for reading /proc/2190/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/2378e76aba1ad6e0c937fb39989217bf0de616fdad4726c0f4233bf5414cde86 N/A
File opened for reading /proc/191/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/2378e76aba1ad6e0c937fb39989217bf0de616fdad4726c0f4233bf5414cde86 N/A
File opened for reading /proc/1962/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/2378e76aba1ad6e0c937fb39989217bf0de616fdad4726c0f4233bf5414cde86 N/A
File opened for reading /proc/63/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/2378e76aba1ad6e0c937fb39989217bf0de616fdad4726c0f4233bf5414cde86 N/A
File opened for reading /proc/8/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/2378e76aba1ad6e0c937fb39989217bf0de616fdad4726c0f4233bf5414cde86 N/A
File opened for reading /proc/loadavg /usr/bin/uptime N/A
File opened for reading /proc/meminfo /usr/bin/free N/A
File opened for reading /proc/1803/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/2378e76aba1ad6e0c937fb39989217bf0de616fdad4726c0f4233bf5414cde86 N/A
File opened for reading /proc/384/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/2378e76aba1ad6e0c937fb39989217bf0de616fdad4726c0f4233bf5414cde86 N/A
File opened for reading /proc/1784/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/2378e76aba1ad6e0c937fb39989217bf0de616fdad4726c0f4233bf5414cde86 N/A
File opened for reading /proc/25/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/2378e76aba1ad6e0c937fb39989217bf0de616fdad4726c0f4233bf5414cde86 N/A
File opened for reading /proc/2034/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/2378e76aba1ad6e0c937fb39989217bf0de616fdad4726c0f4233bf5414cde86 N/A
File opened for reading /proc/12/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/2378e76aba1ad6e0c937fb39989217bf0de616fdad4726c0f4233bf5414cde86 N/A
File opened for reading /proc/1950/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/2378e76aba1ad6e0c937fb39989217bf0de616fdad4726c0f4233bf5414cde86 N/A
File opened for reading /proc/2034/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/2378e76aba1ad6e0c937fb39989217bf0de616fdad4726c0f4233bf5414cde86 N/A
File opened for reading /proc/35/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/2378e76aba1ad6e0c937fb39989217bf0de616fdad4726c0f4233bf5414cde86 N/A
File opened for reading /proc/1066/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/2378e76aba1ad6e0c937fb39989217bf0de616fdad4726c0f4233bf5414cde86 N/A
File opened for reading /proc/2508/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/2378e76aba1ad6e0c937fb39989217bf0de616fdad4726c0f4233bf5414cde86 N/A
File opened for reading /proc/80/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/2378e76aba1ad6e0c937fb39989217bf0de616fdad4726c0f4233bf5414cde86 N/A
File opened for reading /proc/1784/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/2378e76aba1ad6e0c937fb39989217bf0de616fdad4726c0f4233bf5414cde86 N/A
File opened for reading /proc/2254/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/2378e76aba1ad6e0c937fb39989217bf0de616fdad4726c0f4233bf5414cde86 N/A
File opened for reading /proc/2505/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/2378e76aba1ad6e0c937fb39989217bf0de616fdad4726c0f4233bf5414cde86 N/A
File opened for reading /proc/55/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/2378e76aba1ad6e0c937fb39989217bf0de616fdad4726c0f4233bf5414cde86 N/A
File opened for reading /proc/1700/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/2378e76aba1ad6e0c937fb39989217bf0de616fdad4726c0f4233bf5414cde86 N/A
File opened for reading /proc/2147/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/2378e76aba1ad6e0c937fb39989217bf0de616fdad4726c0f4233bf5414cde86 N/A
File opened for reading /proc/20/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/2378e76aba1ad6e0c937fb39989217bf0de616fdad4726c0f4233bf5414cde86 N/A
File opened for reading /proc/25/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/2378e76aba1ad6e0c937fb39989217bf0de616fdad4726c0f4233bf5414cde86 N/A
File opened for reading /proc/46/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/2378e76aba1ad6e0c937fb39989217bf0de616fdad4726c0f4233bf5414cde86 N/A
File opened for reading /proc/uptime /usr/bin/uptime N/A
File opened for reading /proc/40/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/2378e76aba1ad6e0c937fb39989217bf0de616fdad4726c0f4233bf5414cde86 N/A
File opened for reading /proc/194/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/2378e76aba1ad6e0c937fb39989217bf0de616fdad4726c0f4233bf5414cde86 N/A
File opened for reading /proc/197/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/2378e76aba1ad6e0c937fb39989217bf0de616fdad4726c0f4233bf5414cde86 N/A
File opened for reading /proc/29/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/2378e76aba1ad6e0c937fb39989217bf0de616fdad4726c0f4233bf5414cde86 N/A
File opened for reading /proc/182/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/2378e76aba1ad6e0c937fb39989217bf0de616fdad4726c0f4233bf5414cde86 N/A
File opened for reading /proc/2002/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/2378e76aba1ad6e0c937fb39989217bf0de616fdad4726c0f4233bf5414cde86 N/A
File opened for reading /proc/201/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/2378e76aba1ad6e0c937fb39989217bf0de616fdad4726c0f4233bf5414cde86 N/A
File opened for reading /proc/28/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/2378e76aba1ad6e0c937fb39989217bf0de616fdad4726c0f4233bf5414cde86 N/A
File opened for reading /proc/30/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/2378e76aba1ad6e0c937fb39989217bf0de616fdad4726c0f4233bf5414cde86 N/A
File opened for reading /proc/69/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/2378e76aba1ad6e0c937fb39989217bf0de616fdad4726c0f4233bf5414cde86 N/A
File opened for reading /proc/uptime /usr/bin/uptime N/A
File opened for reading /proc/1980/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/2378e76aba1ad6e0c937fb39989217bf0de616fdad4726c0f4233bf5414cde86 N/A
File opened for reading /proc/loadavg /usr/bin/uptime N/A
File opened for reading /proc/14/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/2378e76aba1ad6e0c937fb39989217bf0de616fdad4726c0f4233bf5414cde86 N/A
File opened for reading /proc/1/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/2378e76aba1ad6e0c937fb39989217bf0de616fdad4726c0f4233bf5414cde86 N/A
File opened for reading /proc/loadavg /usr/bin/uptime N/A
File opened for reading /proc/uptime /usr/bin/uptime N/A
File opened for reading /proc/12/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/2378e76aba1ad6e0c937fb39989217bf0de616fdad4726c0f4233bf5414cde86 N/A
File opened for reading /proc/199/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/2378e76aba1ad6e0c937fb39989217bf0de616fdad4726c0f4233bf5414cde86 N/A
File opened for reading /proc/386/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/2378e76aba1ad6e0c937fb39989217bf0de616fdad4726c0f4233bf5414cde86 N/A
File opened for reading /proc/510/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/2378e76aba1ad6e0c937fb39989217bf0de616fdad4726c0f4233bf5414cde86 N/A
File opened for reading /proc/loadavg /usr/bin/uptime N/A
File opened for reading /proc/509/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/2378e76aba1ad6e0c937fb39989217bf0de616fdad4726c0f4233bf5414cde86 N/A
File opened for reading /proc/80/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/2378e76aba1ad6e0c937fb39989217bf0de616fdad4726c0f4233bf5414cde86 N/A
File opened for reading /proc/11/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/2378e76aba1ad6e0c937fb39989217bf0de616fdad4726c0f4233bf5414cde86 N/A
File opened for reading /proc/1980/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/2378e76aba1ad6e0c937fb39989217bf0de616fdad4726c0f4233bf5414cde86 N/A
File opened for reading /proc/338/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/2378e76aba1ad6e0c937fb39989217bf0de616fdad4726c0f4233bf5414cde86 N/A
File opened for reading /proc/5/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/2378e76aba1ad6e0c937fb39989217bf0de616fdad4726c0f4233bf5414cde86 N/A
File opened for reading /proc/32/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/2378e76aba1ad6e0c937fb39989217bf0de616fdad4726c0f4233bf5414cde86 N/A
File opened for reading /proc/13/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/2378e76aba1ad6e0c937fb39989217bf0de616fdad4726c0f4233bf5414cde86 N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/nc /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/2378e76aba1ad6e0c937fb39989217bf0de616fdad4726c0f4233bf5414cde86 N/A

Processes

/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/2378e76aba1ad6e0c937fb39989217bf0de616fdad4726c0f4233bf5414cde86

[/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/2378e76aba1ad6e0c937fb39989217bf0de616fdad4726c0f4233bf5414cde86]

/usr/bin/uname

[uname -a]

/usr/bin/cat

[cat /proc/cpuinfo]

/usr/bin/cat

[cat /etc/issue]

/usr/bin/free

[free -m]

/usr/bin/uptime

[uptime]

/usr/bin/journalctl

[journalctl -S @0 -u sshd]

/usr/bin/cat

[cat /var/log/auth*]

/usr/bin/zcat

[zcat /var/log/auth*]

/usr/local/sbin/gzip

[gzip -cd /var/log/auth*]

/usr/local/bin/gzip

[gzip -cd /var/log/auth*]

/usr/sbin/gzip

[gzip -cd /var/log/auth*]

/usr/bin/gzip

[gzip -cd /var/log/auth*]

/usr/bin/free

[free -m]

/usr/bin/uptime

[uptime]

/usr/bin/free

[free -m]

/usr/bin/uptime

[uptime]

/usr/bin/free

[free -m]

/usr/bin/uptime

[uptime]

/usr/bin/free

[free -m]

/usr/bin/uptime

[uptime]

/usr/bin/free

[free -m]

/usr/bin/uptime

[uptime]

/usr/bin/free

[free -m]

/usr/bin/uptime

[uptime]

/usr/bin/free

[free -m]

/usr/bin/uptime

[uptime]

/usr/bin/free

[free -m]

/usr/bin/uptime

[uptime]

/usr/bin/free

[free -m]

/usr/bin/uptime

[uptime]

/usr/bin/free

[free -m]

/usr/bin/uptime

[uptime]

/usr/bin/free

[free -m]

/usr/bin/uptime

[uptime]

/usr/bin/free

[free -m]

/usr/bin/uptime

[uptime]

/usr/bin/free

[free -m]

/usr/bin/uptime

[uptime]

/usr/bin/free

[free -m]

/usr/bin/uptime

[uptime]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 44.63.185.194:2222 tcp
UA 91.244.32.245:2222 tcp
ID 114.7.53.39:22 tcp
US 216.140.51.99:2222 tcp
US 206.4.196.47:2222 tcp
FR 5.49.54.202:2222 tcp
IT 88.32.26.180:2222 tcp
LK 203.81.100.234:2222 tcp
UA 91.244.32.245:22 tcp
US 170.37.112.55:2222 tcp
CA 132.213.47.129:2222 tcp
BR 179.162.133.39:22 tcp
US 216.140.51.99:22 tcp
CN 117.164.6.90:22 tcp
EG 156.176.54.200:22 tcp
N/A 250.153.227.186:2222 tcp
N/A 245.198.141.21:2222 tcp
US 216.164.37.97:2222 tcp
KR 223.175.116.244:2222 tcp
US 216.164.37.97:22 tcp
US 140.101.84.1:2222 tcp
US 4.78.44.33:22 tcp
US 163.151.32.158:2222 tcp
MA 160.105.105.200:2222 tcp
ZA 196.212.50.158:2222 tcp
US 69.247.111.190:2222 tcp
US 44.63.185.194:22 tcp
N/A 250.153.227.186:22 tcp
CN 123.125.236.61:2222 tcp
US 4.78.44.33:2222 tcp
AU 58.104.236.243:22 tcp
BR 191.232.159.50:22 tcp
CN 117.164.6.90:2222 tcp
US 140.101.84.1:22 tcp
MA 160.105.105.200:22 tcp
US 69.247.111.190:22 tcp
US 192.69.168.237:22 tcp
JP 43.206.245.140:2222 tcp
US 71.71.130.30:2222 tcp
N/A 250.174.188.177:2222 tcp
US 72.59.202.76:2222 tcp
US 163.151.32.158:22 tcp
CA 170.89.251.91:22 tcp
LK 203.81.100.234:22 tcp
AT 84.114.175.105:2222 tcp
CN 36.17.36.57:2222 tcp
DE 62.155.149.182:2222 tcp
N/A 245.198.141.21:22 tcp
CA 75.154.244.211:2222 tcp
US 192.69.168.237:2222 tcp
US 72.225.191.64:22 tcp
US 72.226.79.245:22 tcp
BR 191.232.159.50:2222 tcp
CA 142.103.237.202:2222 tcp
N/A 247.210.63.88:22 tcp
KR 223.175.116.244:22 tcp
JP 133.174.188.221:22 tcp
N/A 242.237.99.40:2222 tcp
US 132.143.93.80:22 tcp
AT 84.114.175.105:22 tcp
CA 170.89.251.91:2222 tcp
IN 117.230.170.246:22 tcp
BR 187.22.113.214:2222 tcp
RU 185.106.118.13:22 tcp
ID 36.90.228.136:2222 tcp
CA 132.213.47.129:22 tcp
ZA 155.233.224.232:2222 tcp
US 206.4.196.47:22 tcp
OM 148.151.221.172:22 tcp
IN 117.230.170.246:2222 tcp
CN 36.17.36.57:22 tcp
CA 108.173.159.16:22 tcp
CA 108.163.152.152:2222 tcp
US 72.226.79.245:2222 tcp
US 170.37.112.55:22 tcp
JP 60.34.83.248:22 tcp

Files

/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/nc

MD5 3a371a09bfcba3d545465339f1e1d481
SHA1 7f5712878929aab6a2ab297072a5a5f3d3c15a01
SHA256 2378e76aba1ad6e0c937fb39989217bf0de616fdad4726c0f4233bf5414cde86
SHA512 35efc5129316ea697f1f4591c37e70c74b643942cdb3cb1aac6a0f14f5d133da39c0c393439490bc059361e9feeacee3d4056f88700f56dfe1088ba0ab22613b

Analysis: behavioral27

Detonation Overview

Submitted

2024-09-04 20:01

Reported

2024-09-04 20:10

Platform

ubuntu2404-amd64-20240523-en

Max time kernel

149s

Max time network

146s

Command Line

[/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/3205603282a636979a55aa1e1be518cd3adcbbe491745d996ceb4b5a4dece0c5]

Signatures

Adds new SSH keys

persistence privilege_escalation
Description Indicator Process Target
File opened for modification /root/.ssh/authorized_keys /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/3205603282a636979a55aa1e1be518cd3adcbbe491745d996ceb4b5a4dece0c5 N/A

Deletes log files

defense_evasion
Description Indicator Process Target
File deleted /var/log/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/3205603282a636979a55aa1e1be518cd3adcbbe491745d996ceb4b5a4dece0c5 /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/3205603282a636979a55aa1e1be518cd3adcbbe491745d996ceb4b5a4dece0c5 N/A

Enumerates running processes

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /usr/bin/cat N/A

Enumerates kernel/hardware configuration

discovery
Description Indicator Process Target
File opened for reading /sys/kernel/mm/transparent_hugepage/hpage_pmd_size /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/3205603282a636979a55aa1e1be518cd3adcbbe491745d996ceb4b5a4dece0c5 N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/787/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/3205603282a636979a55aa1e1be518cd3adcbbe491745d996ceb4b5a4dece0c5 N/A
File opened for reading /proc/1864/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/3205603282a636979a55aa1e1be518cd3adcbbe491745d996ceb4b5a4dece0c5 N/A
File opened for reading /proc/1684/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/3205603282a636979a55aa1e1be518cd3adcbbe491745d996ceb4b5a4dece0c5 N/A
File opened for reading /proc/2288/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/3205603282a636979a55aa1e1be518cd3adcbbe491745d996ceb4b5a4dece0c5 N/A
File opened for reading /proc/51/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/3205603282a636979a55aa1e1be518cd3adcbbe491745d996ceb4b5a4dece0c5 N/A
File opened for reading /proc/823/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/3205603282a636979a55aa1e1be518cd3adcbbe491745d996ceb4b5a4dece0c5 N/A
File opened for reading /proc/loadavg /usr/bin/uptime N/A
File opened for reading /proc/2245/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/3205603282a636979a55aa1e1be518cd3adcbbe491745d996ceb4b5a4dece0c5 N/A
File opened for reading /proc/44/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/3205603282a636979a55aa1e1be518cd3adcbbe491745d996ceb4b5a4dece0c5 N/A
File opened for reading /proc/8/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/3205603282a636979a55aa1e1be518cd3adcbbe491745d996ceb4b5a4dece0c5 N/A
File opened for reading /proc/17/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/3205603282a636979a55aa1e1be518cd3adcbbe491745d996ceb4b5a4dece0c5 N/A
File opened for reading /proc/1916/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/3205603282a636979a55aa1e1be518cd3adcbbe491745d996ceb4b5a4dece0c5 N/A
File opened for reading /proc/2256/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/3205603282a636979a55aa1e1be518cd3adcbbe491745d996ceb4b5a4dece0c5 N/A
File opened for reading /proc/42/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/3205603282a636979a55aa1e1be518cd3adcbbe491745d996ceb4b5a4dece0c5 N/A
File opened for reading /proc/1072/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/3205603282a636979a55aa1e1be518cd3adcbbe491745d996ceb4b5a4dece0c5 N/A
File opened for reading /proc/uptime /usr/bin/uptime N/A
File opened for reading /proc/750/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/3205603282a636979a55aa1e1be518cd3adcbbe491745d996ceb4b5a4dece0c5 N/A
File opened for reading /proc/1985/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/3205603282a636979a55aa1e1be518cd3adcbbe491745d996ceb4b5a4dece0c5 N/A
File opened for reading /proc/65/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/3205603282a636979a55aa1e1be518cd3adcbbe491745d996ceb4b5a4dece0c5 N/A
File opened for reading /proc/389/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/3205603282a636979a55aa1e1be518cd3adcbbe491745d996ceb4b5a4dece0c5 N/A
File opened for reading /proc/457/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/3205603282a636979a55aa1e1be518cd3adcbbe491745d996ceb4b5a4dece0c5 N/A
File opened for reading /proc/loadavg /usr/bin/uptime N/A
File opened for reading /proc/2482/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/3205603282a636979a55aa1e1be518cd3adcbbe491745d996ceb4b5a4dece0c5 N/A
File opened for reading /proc/1391/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/3205603282a636979a55aa1e1be518cd3adcbbe491745d996ceb4b5a4dece0c5 N/A
File opened for reading /proc/1392/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/3205603282a636979a55aa1e1be518cd3adcbbe491745d996ceb4b5a4dece0c5 N/A
File opened for reading /proc/1959/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/3205603282a636979a55aa1e1be518cd3adcbbe491745d996ceb4b5a4dece0c5 N/A
File opened for reading /proc/20/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/3205603282a636979a55aa1e1be518cd3adcbbe491745d996ceb4b5a4dece0c5 N/A
File opened for reading /proc/274/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/3205603282a636979a55aa1e1be518cd3adcbbe491745d996ceb4b5a4dece0c5 N/A
File opened for reading /proc/1861/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/3205603282a636979a55aa1e1be518cd3adcbbe491745d996ceb4b5a4dece0c5 N/A
File opened for reading /proc/1946/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/3205603282a636979a55aa1e1be518cd3adcbbe491745d996ceb4b5a4dece0c5 N/A
File opened for reading /proc/meminfo /usr/bin/free N/A
File opened for reading /proc/17/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/3205603282a636979a55aa1e1be518cd3adcbbe491745d996ceb4b5a4dece0c5 N/A
File opened for reading /proc/1979/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/3205603282a636979a55aa1e1be518cd3adcbbe491745d996ceb4b5a4dece0c5 N/A
File opened for reading /proc/1986/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/3205603282a636979a55aa1e1be518cd3adcbbe491745d996ceb4b5a4dece0c5 N/A
File opened for reading /proc/2206/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/3205603282a636979a55aa1e1be518cd3adcbbe491745d996ceb4b5a4dece0c5 N/A
File opened for reading /proc/2135/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/3205603282a636979a55aa1e1be518cd3adcbbe491745d996ceb4b5a4dece0c5 N/A
File opened for reading /proc/52/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/3205603282a636979a55aa1e1be518cd3adcbbe491745d996ceb4b5a4dece0c5 N/A
File opened for reading /proc/513/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/3205603282a636979a55aa1e1be518cd3adcbbe491745d996ceb4b5a4dece0c5 N/A
File opened for reading /proc/773/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/3205603282a636979a55aa1e1be518cd3adcbbe491745d996ceb4b5a4dece0c5 N/A
File opened for reading /proc/80/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/3205603282a636979a55aa1e1be518cd3adcbbe491745d996ceb4b5a4dece0c5 N/A
File opened for reading /proc/1060/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/3205603282a636979a55aa1e1be518cd3adcbbe491745d996ceb4b5a4dece0c5 N/A
File opened for reading /proc/1986/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/3205603282a636979a55aa1e1be518cd3adcbbe491745d996ceb4b5a4dece0c5 N/A
File opened for reading /proc/820/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/3205603282a636979a55aa1e1be518cd3adcbbe491745d996ceb4b5a4dece0c5 N/A
File opened for reading /proc/meminfo /usr/bin/free N/A
File opened for reading /proc/1117/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/3205603282a636979a55aa1e1be518cd3adcbbe491745d996ceb4b5a4dece0c5 N/A
File opened for reading /proc/1940/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/3205603282a636979a55aa1e1be518cd3adcbbe491745d996ceb4b5a4dece0c5 N/A
File opened for reading /proc/191/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/3205603282a636979a55aa1e1be518cd3adcbbe491745d996ceb4b5a4dece0c5 N/A
File opened for reading /proc/1923/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/3205603282a636979a55aa1e1be518cd3adcbbe491745d996ceb4b5a4dece0c5 N/A
File opened for reading /proc/884/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/3205603282a636979a55aa1e1be518cd3adcbbe491745d996ceb4b5a4dece0c5 N/A
File opened for reading /proc/10/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/3205603282a636979a55aa1e1be518cd3adcbbe491745d996ceb4b5a4dece0c5 N/A
File opened for reading /proc/27/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/3205603282a636979a55aa1e1be518cd3adcbbe491745d996ceb4b5a4dece0c5 N/A
File opened for reading /proc/56/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/3205603282a636979a55aa1e1be518cd3adcbbe491745d996ceb4b5a4dece0c5 N/A
File opened for reading /proc/31/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/3205603282a636979a55aa1e1be518cd3adcbbe491745d996ceb4b5a4dece0c5 N/A
File opened for reading /proc/36/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/3205603282a636979a55aa1e1be518cd3adcbbe491745d996ceb4b5a4dece0c5 N/A
File opened for reading /proc/6/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/3205603282a636979a55aa1e1be518cd3adcbbe491745d996ceb4b5a4dece0c5 N/A
File opened for reading /proc/1971/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/3205603282a636979a55aa1e1be518cd3adcbbe491745d996ceb4b5a4dece0c5 N/A
File opened for reading /proc/2200/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/3205603282a636979a55aa1e1be518cd3adcbbe491745d996ceb4b5a4dece0c5 N/A
File opened for reading /proc/50/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/3205603282a636979a55aa1e1be518cd3adcbbe491745d996ceb4b5a4dece0c5 N/A
File opened for reading /proc/uptime /usr/bin/uptime N/A
File opened for reading /proc/196/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/3205603282a636979a55aa1e1be518cd3adcbbe491745d996ceb4b5a4dece0c5 N/A
File opened for reading /proc/2135/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/3205603282a636979a55aa1e1be518cd3adcbbe491745d996ceb4b5a4dece0c5 N/A
File opened for reading /proc/1802/stat /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/3205603282a636979a55aa1e1be518cd3adcbbe491745d996ceb4b5a4dece0c5 N/A
File opened for reading /proc/loadavg /usr/bin/uptime N/A
File opened for reading /proc/1897/cmdline /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/3205603282a636979a55aa1e1be518cd3adcbbe491745d996ceb4b5a4dece0c5 N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/nc /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/3205603282a636979a55aa1e1be518cd3adcbbe491745d996ceb4b5a4dece0c5 N/A

Processes

/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/3205603282a636979a55aa1e1be518cd3adcbbe491745d996ceb4b5a4dece0c5

[/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/3205603282a636979a55aa1e1be518cd3adcbbe491745d996ceb4b5a4dece0c5]

/usr/bin/uname

[uname -a]

/usr/bin/cat

[cat /proc/cpuinfo]

/usr/bin/cat

[cat /etc/issue]

/usr/bin/free

[free -m]

/usr/bin/uptime

[uptime]

/usr/bin/journalctl

[journalctl -S @0 -u sshd]

/usr/bin/cat

[cat /var/log/auth*]

/usr/bin/zcat

[zcat /var/log/auth*]

/usr/local/sbin/gzip

[gzip -cd /var/log/auth*]

/usr/local/bin/gzip

[gzip -cd /var/log/auth*]

/usr/sbin/gzip

[gzip -cd /var/log/auth*]

/usr/bin/gzip

[gzip -cd /var/log/auth*]

/usr/bin/free

[free -m]

/usr/bin/uptime

[uptime]

/usr/bin/free

[free -m]

/usr/bin/uptime

[uptime]

/usr/bin/free

[free -m]

/usr/bin/uptime

[uptime]

/usr/bin/free

[free -m]

/usr/bin/uptime

[uptime]

/usr/bin/free

[free -m]

/usr/bin/uptime

[uptime]

/usr/bin/free

[free -m]

/usr/bin/uptime

[uptime]

/usr/bin/free

[free -m]

/usr/bin/uptime

[uptime]

/usr/bin/free

[free -m]

/usr/bin/uptime

[uptime]

/usr/bin/free

[free -m]

/usr/bin/uptime

[uptime]

/usr/bin/free

[free -m]

/usr/bin/uptime

[uptime]

/usr/bin/free

[free -m]

/usr/bin/uptime

[uptime]

/usr/bin/free

[free -m]

/usr/bin/uptime

[uptime]

/usr/bin/free

[free -m]

/usr/bin/uptime

[uptime]

/usr/bin/free

[free -m]

/usr/bin/uptime

[uptime]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 11.202.253.35:2222 tcp
ES 81.47.190.64:22 tcp
US 56.160.20.119:22 tcp
US 174.97.228.148:22 tcp
NZ 118.90.2.178:22 tcp
TH 171.96.46.121:2222 tcp
US 72.206.127.67:22 tcp
MA 196.85.193.57:22 tcp
CN 182.49.139.24:2222 tcp
BR 201.76.5.164:2222 tcp
N/A 250.88.97.117:22 tcp
NZ 219.89.91.38:22 tcp
N/A 248.16.63.127:2222 tcp
TH 171.96.46.121:22 tcp
JP 160.27.195.49:22 tcp
US 161.199.238.12:2222 tcp
UG 102.84.75.204:22 tcp
CN 175.66.203.146:2222 tcp
FR 145.231.198.167:2222 tcp
US 184.211.42.192:2222 tcp
US 15.163.212.134:2222 tcp
KR 134.75.179.61:22 tcp
MU 196.63.36.95:2222 tcp
US 56.172.201.83:2222 tcp
ZA 154.114.49.54:22 tcp
US 64.67.152.201:2222 tcp
N/A 242.122.191.153:22 tcp
CN 111.151.173.3:2222 tcp
CN 124.151.12.63:22 tcp
US 134.134.8.148:2222 tcp
BR 201.45.189.97:22 tcp
N/A 250.88.97.117:2222 tcp
CN 182.144.108.110:22 tcp
CN 182.49.139.24:22 tcp
CA 142.15.169.253:2222 tcp
MU 196.63.36.95:22 tcp
US 144.60.220.114:22 tcp
US 107.160.210.203:22 tcp
CZ 193.37.227.156:2222 tcp
MA 196.85.193.57:2222 tcp
CN 124.151.12.63:2222 tcp
CN 175.66.203.146:22 tcp
CH 57.40.8.230:22 tcp
US 172.57.176.219:2222 tcp
US 17.21.179.189:22 tcp
US 54.163.70.35:2222 tcp
CH 57.40.8.230:2222 tcp
US 72.206.127.67:2222 tcp
NZ 118.90.2.178:2222 tcp
US 56.172.201.83:22 tcp
BR 201.45.189.97:2222 tcp
DE 31.225.61.6:2222 tcp
HN 179.49.114.169:22 tcp
US 97.127.115.79:2222 tcp
JP 36.3.252.112:22 tcp
US 63.19.146.65:2222 tcp
JP 160.27.195.49:2222 tcp
US 15.163.212.134:22 tcp
US 63.19.146.65:22 tcp
US 34.108.19.57:22 tcp
US 172.57.176.219:22 tcp
US 76.2.158.129:22 tcp
N/A 248.16.63.127:22 tcp
GB 17.79.45.41:22 tcp
BR 201.76.5.164:22 tcp

Files

/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/nc

MD5 8f0cb7af15afe40ed85f35e1b40b8f38
SHA1 525f97d6e7e3cbb611a1cf37e955c0656f4b3c06
SHA256 3205603282a636979a55aa1e1be518cd3adcbbe491745d996ceb4b5a4dece0c5
SHA512 bd9e97b4042d89e081eced5781149b0d8e28a6e9d35c2a449a21aee26765ed8eea560434ba5e9a897c4e4c89d7a2b8997e31ad4ac2202a940b8731a5f447170d