Analysis Overview
SHA256
b7dd3bce3ebfbc2d5e3a9f00d47f27cb6a5895c4618c878e314e573a7c216df1
Threat Level: Known bad
The file The-MALWARE-Repo-master.zip was found to be: Known bad.
Malicious Activity Summary
Darkcomet family
ModiLoader First Stage
Revengerat family
Wipelock Android payload
Modiloader family
Dridex
Detects MyDoom family
Wipelock family
Njrat family
Remcos family
Process spawned unexpected child process
RevengeRat Executable
Danabot
Danabot x86 payload
Mydoom family
Adds new SSH keys
Office macro that triggers on suspicious action
Blocklisted process makes network request
Suspicious Office macro
ASPack v2.12-2.42
Deletes itself
Loads dropped DLL
UPX packed file
Declares broadcast receivers with permission to handle system events
Enumerates connected drives
Requests dangerous framework permissions
Abuse Elevation Control Mechanism: Sudo and Sudo Caching
Deletes log files
Enumerates running processes
Adds Run key to start application
Network Share Discovery
Declares services with permission to bind to the system
AutoIT Executable
Drops file in System32 directory
Checks CPU configuration
Reads CPU attributes
Reads runtime system information
System Location Discovery: System Language Discovery
Enumerates kernel/hardware configuration
Event Triggered Execution: Accessibility Features
Program crash
Unsigned PE
Writes file to tmp directory
NSIS installer
Checks processor information in registry
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: AddClipboardFormatListener
Suspicious use of WriteProcessMemory
Modifies registry class
Discovers systems in the same network
Enumerates system info in registry
Uses Task Scheduler COM API
Scheduled Task/Job: Scheduled Task
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-04 20:03
Signatures
Darkcomet family
Detects MyDoom family
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
ModiLoader First Stage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Modiloader family
Mydoom family
Njrat family
Remcos family
RevengeRat Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Revengerat family
Wipelock Android payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Wipelock family
Office macro that triggers on suspicious action
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious Office macro
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Declares broadcast receivers with permission to handle system events
| Description | Indicator | Process | Target |
| Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A |
Declares services with permission to bind to the system
| Description | Indicator | Process | Target |
| Required by wallpaper services to bind with the system. Allows apps to provide live wallpapers. | android.permission.BIND_WALLPAPER | N/A | N/A |
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral28
Detonation Overview
Submitted
2024-09-04 20:01
Reported
2024-09-04 20:10
Platform
ubuntu2204-amd64-20240611-en
Max time kernel
149s
Max time network
142s
Command Line
Signatures
Adds new SSH keys
| Description | Indicator | Process | Target |
| File opened for modification | /root/.ssh/authorized_keys | /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/453468b86856665f2cc0e0e71668c0b6aac8b14326c623995ba5963f22257619 | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Deletes log files
| Description | Indicator | Process | Target |
| File deleted | /var/log/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/453468b86856665f2cc0e0e71668c0b6aac8b14326c623995ba5963f22257619 | /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/453468b86856665f2cc0e0e71668c0b6aac8b14326c623995ba5963f22257619 | N/A |
Enumerates running processes
Checks CPU configuration
| Description | Indicator | Process | Target |
| File opened for reading | /proc/cpuinfo | /usr/bin/cat | N/A |
Reads CPU attributes
| Description | Indicator | Process | Target |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/free | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/free | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/uptime | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/free | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/uptime | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/uptime | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/uptime | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/free | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/free | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/free | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/free | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/free | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/free | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/uptime | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/uptime | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/uptime | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/uptime | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/uptime | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/uptime | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/uptime | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/free | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/free | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/uptime | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/uptime | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/uptime | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/uptime | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/free | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/free | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/free | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/free | N/A |
Reads runtime system information
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/nc | /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/453468b86856665f2cc0e0e71668c0b6aac8b14326c623995ba5963f22257619 | N/A |
Processes
/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/453468b86856665f2cc0e0e71668c0b6aac8b14326c623995ba5963f22257619
[/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/453468b86856665f2cc0e0e71668c0b6aac8b14326c623995ba5963f22257619]
/usr/bin/uname
[uname -a]
/usr/bin/cat
[cat /proc/cpuinfo]
/usr/bin/cat
[cat /etc/issue]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
/usr/bin/journalctl
[journalctl -S @0 -u sshd]
/usr/bin/cat
[cat /var/log/auth*]
/usr/bin/zcat
[zcat /var/log/auth*]
/usr/local/sbin/gzip
[gzip -cd /var/log/auth*]
/usr/local/bin/gzip
[gzip -cd /var/log/auth*]
/usr/sbin/gzip
[gzip -cd /var/log/auth*]
/usr/bin/gzip
[gzip -cd /var/log/auth*]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | N/A | udp |
| CN | 117.88.86.212:22 | N/A | tcp |
| US | 18.54.145.64:22 | N/A | tcp |
| US | 67.160.171.83:2222 | N/A | tcp |
| DE | 53.106.51.222:22 | N/A | tcp |
| IR | 5.112.155.75:22 | N/A | tcp |
| US | 35.133.118.184:22 | N/A | tcp |
| PL | 90.156.7.163:2222 | N/A | tcp |
| US | 199.78.121.135:2222 | N/A | tcp |
| US | 100.217.20.8:22 | N/A | tcp |
| US | 17.33.132.88:2222 | N/A | tcp |
| KE | 196.109.132.226:22 | N/A | tcp |
| EG | 102.59.145.178:22 | N/A | tcp |
| US | 199.78.121.135:22 | N/A | tcp |
| US | 70.207.29.194:2222 | N/A | tcp |
| IT | 82.215.147.31:2222 | N/A | tcp |
| JP | 219.192.219.19:22 | N/A | tcp |
| GB | 103.189.29.196:2222 | N/A | tcp |
| US | 48.168.78.28:2222 | N/A | tcp |
| CN | 125.119.6.9:2222 | N/A | tcp |
| JP | 121.81.7.31:2222 | N/A | tcp |
| IE | 57.141.251.6:22 | N/A | tcp |
| MX | 201.135.108.197:2222 | N/A | tcp |
| US | 70.207.29.194:22 | N/A | tcp |
| N/A | 251.10.153.112:2222 | N/A | tcp |
| RU | 5.172.29.122:2222 | N/A | tcp |
| FR | 161.22.79.231:22 | N/A | tcp |
| US | 172.226.187.226:22 | N/A | tcp |
| CA | 209.29.23.99:2222 | N/A | tcp |
| US | 169.44.232.236:22 | N/A | tcp |
| IE | 57.141.251.6:2222 | N/A | tcp |
| AU | 203.38.100.96:22 | N/A | tcp |
| US | 97.76.33.239:22 | N/A | tcp |
| US | 16.13.2.181:22 | N/A | tcp |
| US | 144.93.77.213:22 | N/A | tcp |
| RU | 5.172.29.122:22 | N/A | tcp |
| US | 98.115.214.110:22 | N/A | tcp |
| CA | 99.235.224.1:2222 | N/A | tcp |
| US | 149.168.223.208:2222 | N/A | tcp |
| CA | 134.117.214.87:2222 | N/A | tcp |
| IT | 82.215.147.31:22 | N/A | tcp |
| MX | 201.135.108.197:22 | N/A | tcp |
| CA | 144.217.68.1:2222 | N/A | tcp |
| JP | 121.81.7.31:22 | N/A | tcp |
| US | 156.145.76.125:22 | N/A | tcp |
| US | 35.133.118.184:2222 | N/A | tcp |
| US | 65.142.145.86:22 | N/A | tcp |
| CN | 125.119.6.9:22 | N/A | tcp |
| US | 65.142.145.86:2222 | N/A | tcp |
| US | 71.69.208.60:22 | N/A | tcp |
| TH | 45.144.167.96:22 | N/A | tcp |
| IN | 45.125.141.196:2222 | N/A | tcp |
| AU | 138.194.200.117:2222 | N/A | tcp |
| CA | 142.8.220.158:22 | N/A | tcp |
| JP | 219.192.219.19:2222 | N/A | tcp |
| CN | 113.122.90.130:22 | N/A | tcp |
| IN | 220.226.173.29:22 | N/A | tcp |
| GB | 94.10.204.187:2222 | N/A | tcp |
| AU | 203.38.100.96:2222 | N/A | tcp |
| US | 18.126.6.96:22 | N/A | tcp |
| N/A | 249.250.8.158:22 | N/A | tcp |
| US | 55.239.196.179:22 | N/A | tcp |
| IN | 45.125.141.196:22 | N/A | tcp |
| US | 170.109.230.54:2222 | N/A | tcp |
| TH | 45.144.167.96:2222 | N/A | tcp |
| UY | 190.64.230.10:2222 | N/A | tcp |
Files
/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/nc
| MD5 | 682ac123d740321e6ba04d82e8cc4ed8 |
| SHA1 | 088a8c8c2b7f9db92ec0ae39e1dc77c8707d3895 |
| SHA256 | 453468b86856665f2cc0e0e71668c0b6aac8b14326c623995ba5963f22257619 |
| SHA512 | 26ddc0a1b91337de2314465f82f3a02ec478f32708fa91b7cdf75fc235eda7b3cf7c495616145dc29fc081ac4398cab5aac0d42978ea694fa183518533fcf4ad |
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-04 20:01
Reported
2024-09-04 20:10
Platform
win7-20240903-en
Max time kernel
119s
Max time network
125s
Command Line
Signatures
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master.zip
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-09-04 20:01
Reported
2024-09-04 20:10
Platform
win10v2004-20240802-en
Max time kernel
144s
Max time network
156s
Command Line
Signatures
Danabot
Danabot x86 payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\DanaBot.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\DanaBot.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4272 wrote to memory of 5072 | N/A | C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\DanaBot.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 4272 wrote to memory of 5072 | N/A | C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\DanaBot.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 4272 wrote to memory of 5072 | N/A | C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\DanaBot.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 5072 wrote to memory of 4864 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 5072 wrote to memory of 4864 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 5072 wrote to memory of 4864 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\DanaBot.exe
"C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\DanaBot.exe"
C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\THE-MA~1\BANKIN~1\DanaBot.dll f1 C:\Users\Admin\AppData\Local\Temp\THE-MA~1\BANKIN~1\DanaBot.exe@4272
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4272 -ip 4272
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4272 -s 460
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\THE-MA~1\BANKIN~1\DanaBot.dll,f0
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| FR | 51.178.195.151:443 | N/A | tcp |
| CA | 51.222.39.81:443 | N/A | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 149.255.35.125:443 | N/A | tcp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| FR | 51.77.7.204:443 | N/A | tcp |
| FR | 51.77.7.204:443 | N/A | tcp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 38.68.50.179:443 | N/A | tcp |
| FR | 51.77.7.204:443 | N/A | tcp |
Files
memory/4272-1-0x00000000027E0000-0x0000000002A65000-memory.dmp
memory/4272-2-0x0000000002A70000-0x0000000002CFD000-memory.dmp
memory/4272-3-0x0000000000400000-0x000000000069A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\THE-MA~1\BANKIN~1\DanaBot.dll
| MD5 | 7e76f7a5c55a5bc5f5e2d7a9e886782b |
| SHA1 | fc500153dba682e53776bef53123086f00c0e041 |
| SHA256 | abd75572f897cdda88cec22922d15b509ee8c840fa5894b0aecbef6de23908a3 |
| SHA512 | 0318e0040f4dbf954f27fb10a69bce2248e785a31d855615a1eaf303a772ad51d47906a113605d7bfd3c2b2265bf83c61538f78b071f85ee3c4948f5cde3fb24 |
memory/5072-8-0x0000000002450000-0x00000000026BB000-memory.dmp
memory/5072-9-0x0000000000A90000-0x0000000000A91000-memory.dmp
memory/4272-11-0x0000000000400000-0x0000000000AAD000-memory.dmp
memory/4272-13-0x0000000000400000-0x000000000069A000-memory.dmp
memory/4272-12-0x0000000002A70000-0x0000000002CFD000-memory.dmp
memory/4864-14-0x0000000000400000-0x000000000066B000-memory.dmp
memory/4864-16-0x0000000000400000-0x000000000066B000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2024-09-04 20:01
Reported
2024-09-04 20:10
Platform
win10v2004-20240802-en
Max time kernel
145s
Max time network
158s
Command Line
Signatures
Dridex
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Network Share Discovery
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\DridexDroppedVBS.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\whoami.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
Discovers systems in the same network
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\net.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\DridexDroppedVBS.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\DridexDroppedVBS.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\DridexDroppedVBS.exe
"C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\DridexDroppedVBS.exe"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe "C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\DridexDroppedVBS.exe"
C:\Windows\SysWOW64\whoami.exe
C:\Windows\system32\whoami.exe /all
C:\Windows\SysWOW64\net.exe
C:\Windows\system32\net.exe view
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| JP | 60.124.4.241:443 | N/A | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 52.111.227.13:443 | N/A | tcp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
Files
memory/4168-0-0x0000000000F00000-0x0000000000F06000-memory.dmp
memory/4168-1-0x0000000000210000-0x0000000000234000-memory.dmp
memory/2124-4-0x0000000076692000-0x0000000076693000-memory.dmp
memory/2124-2-0x0000000002480000-0x0000000002481000-memory.dmp
memory/4168-5-0x0000000000210000-0x0000000000234000-memory.dmp
memory/2124-9-0x00000000025D0000-0x00000000025F4000-memory.dmp
memory/2124-10-0x00000000025D0000-0x00000000025F4000-memory.dmp
memory/2124-8-0x00000000025D0000-0x00000000025F4000-memory.dmp
memory/2124-7-0x00000000025D0000-0x00000000025F4000-memory.dmp
memory/2124-6-0x00000000025D0000-0x00000000025F4000-memory.dmp
memory/2124-16-0x0000000076640000-0x0000000076730000-memory.dmp
memory/2124-11-0x00000000025D0000-0x00000000025F4000-memory.dmp
memory/2124-24-0x0000000076640000-0x0000000076730000-memory.dmp
Analysis: behavioral10
Detonation Overview
Submitted
2024-09-04 20:01
Reported
2024-09-04 20:10
Platform
win10v2004-20240802-en
Max time kernel
146s
Max time network
155s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Network Share Discovery
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\DridexLoader.bin.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\whoami.exe | N/A |
Discovers systems in the same network
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\net.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\DridexLoader.bin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\DridexLoader.bin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\DridexLoader.bin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\DridexLoader.bin.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\DridexLoader.bin.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\DridexLoader.bin.exe
"C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\DridexLoader.bin.exe"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe "C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\DridexLoader.bin.exe"
C:\Windows\SysWOW64\whoami.exe
C:\Windows\system32\whoami.exe /all
C:\Windows\SysWOW64\net.exe
C:\Windows\system32\net.exe view
Network
| Country | Destination | Domain | Proto |
Files
Analysis: behavioral19
Detonation Overview
Submitted
2024-09-04 20:01
Reported
2024-09-04 20:10
Platform
win7-20240708-en
Max time kernel
118s
Max time network
126s
Command Line
Signatures
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE |
Enumerates connected drives
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1064 wrote to memory of 2792 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Zloader.xlsm
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\nxTgTGh\ECeMdPT\EnVYsVZ.dll,DllRegisterServer
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | erpoweredent.at | udp |
Files
memory/1064-0-0x000000005FFF0000-0x0000000060000000-memory.dmp
memory/1064-1-0x000000007217D000-0x0000000072188000-memory.dmp
memory/1064-2-0x000000007217D000-0x0000000072188000-memory.dmp
Analysis: behavioral20
Detonation Overview
Submitted
2024-09-04 20:01
Reported
2024-09-04 20:10
Platform
win10v2004-20240802-en
Max time kernel
149s
Max time network
149s
Command Line
Signatures
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\rundll32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
Enumerates connected drives
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1820 wrote to memory of 1704 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\System32\rundll32.exe |
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Zloader.xlsm"
C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\nxTgTGh\ECeMdPT\EnVYsVZ.dll,DllRegisterServer
Network
| Country | Destination | Domain | Proto |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
| MD5 | 06af2cee6bd761b25777e228372add1b |
| SHA1 | 8c4684d5d3f532b8aa1dc077d82edb13319ad78f |
| SHA256 | aab41c2f639a632dcc5534407d2300b756ea588dcbb6c7bed1738488e359c5c4 |
| SHA512 | 2d90db706dbb4ec9b355b9ce99121e3cb8cca833a919e6f75e0c6cdb3d6f1fd1886a52ebeddfd6ff961181b12cdb38e1bd684edc90effb8f1f256d5d996426d9 |
Analysis: behavioral21
Detonation Overview
Submitted
2024-09-04 20:01
Reported
2024-09-04 20:10
Platform
ubuntu2404-amd64-20240729-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Adds new SSH keys
| Description | Indicator | Process | Target |
| File opened for modification | /root/.ssh/authorized_keys | /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/001eb377f0452060012124cb214f658754c7488ccb82e23ec56b2f45a636c859 | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Deletes log files
| Description | Indicator | Process | Target |
| File deleted | /var/log/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/001eb377f0452060012124cb214f658754c7488ccb82e23ec56b2f45a636c859 | /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/001eb377f0452060012124cb214f658754c7488ccb82e23ec56b2f45a636c859 | N/A |
Enumerates running processes
Checks CPU configuration
| Description | Indicator | Process | Target |
| File opened for reading | /proc/cpuinfo | /usr/bin/cat | N/A |
Enumerates kernel/hardware configuration
| Description | Indicator | Process | Target |
| File opened for reading | /sys/kernel/mm/transparent_hugepage/hpage_pmd_size | /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/001eb377f0452060012124cb214f658754c7488ccb82e23ec56b2f45a636c859 | N/A |
Reads runtime system information
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/nc | /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/001eb377f0452060012124cb214f658754c7488ccb82e23ec56b2f45a636c859 | N/A |
Processes
/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/001eb377f0452060012124cb214f658754c7488ccb82e23ec56b2f45a636c859
[/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/001eb377f0452060012124cb214f658754c7488ccb82e23ec56b2f45a636c859]
/usr/bin/uname
[uname -a]
/usr/bin/cat
[cat /proc/cpuinfo]
/usr/bin/cat
[cat /etc/issue]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
/usr/bin/journalctl
[journalctl -S @0 -u sshd]
/usr/bin/cat
[cat /var/log/auth*]
/usr/bin/zcat
[zcat /var/log/auth*]
/usr/local/sbin/gzip
[gzip -cd /var/log/auth*]
/usr/local/bin/gzip
[gzip -cd /var/log/auth*]
/usr/sbin/gzip
[gzip -cd /var/log/auth*]
/usr/bin/gzip
[gzip -cd /var/log/auth*]
Network
| Country | Destination | Domain | Proto |
Files
/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/nc
| MD5 | 799c965e0a5a132ec2263d5fea0b0e1c |
| SHA1 | a15c5a706122fabdef1989c893c72c6530fedcb4 |
| SHA256 | 001eb377f0452060012124cb214f658754c7488ccb82e23ec56b2f45a636c859 |
| SHA512 | 6c481a855ee6f81dd388c8a4623e519bfbb9f496dada93672360f0a7476fb2b32fd261324156fd4729cef3cbe13f0a8b5862fe47b6db1860d0d67a77283b5ad8 |
Analysis: behavioral12
Detonation Overview
Submitted
2024-09-04 20:01
Reported
2024-09-04 20:10
Platform
win10v2004-20240802-en
Max time kernel
145s
Max time network
157s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Network Share Discovery
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\Trojan.Dridex.A.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\whoami.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
Discovers systems in the same network
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\net.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\Trojan.Dridex.A.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\Trojan.Dridex.A.exe
"C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\Trojan.Dridex.A.exe"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe "C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\Trojan.Dridex.A.exe"
C:\Windows\SysWOW64\whoami.exe
C:\Windows\system32\whoami.exe /all
C:\Windows\SysWOW64\net.exe
C:\Windows\system32\net.exe view
Network
| Country | Destination | Domain | Proto |
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-09-04 20:01
Reported
2024-09-04 20:10
Platform
win7-20240708-en
Max time kernel
120s
Max time network
127s
Command Line
Signatures
Dridex
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Network Share Discovery
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\whoami.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\Trojan.Dridex.A.exe | N/A |
Discovers systems in the same network
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\net.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\Trojan.Dridex.A.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\Trojan.Dridex.A.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\Trojan.Dridex.A.exe
"C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\Trojan.Dridex.A.exe"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe "C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\Trojan.Dridex.A.exe"
C:\Windows\SysWOW64\whoami.exe
C:\Windows\system32\whoami.exe /all
C:\Windows\SysWOW64\net.exe
C:\Windows\system32\net.exe view
Network
| Country | Destination | Domain | Proto |
| FR | 37.187.54.76:443 | | tcp |
Files
Analysis: behavioral16
Detonation Overview
Submitted
2024-09-04 20:01
Reported
2024-09-04 20:10
Platform
win10v2004-20240802-en
Max time kernel
149s
Max time network
160s
Command Line
Signatures
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vfaxdafbicozcso = "\"C:\\Users\\Admin\\AppData\\Roaming\\3TtfmAT\\RecoveryDrive.exe\"" | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\Iyx1\wbengine.exe | C:\Windows\System32\cmd.exe | N/A |
| File created | C:\Windows\system32\Iyx1\wbengine.exe | C:\Windows\System32\cmd.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\ms-settings | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\ms-settings\shell\open | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\ms-settings | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\ms-settings\shell | N/A | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\cmd.exe /c C:\\Users\\Admin\\AppData\\Local\\Temp\\OrMao4j.cmd" | N/A | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\ms-settings\shell\open\command\DelegateExecute | N/A | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\ms-settings\shell\open\command | N/A | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\ms-settings\shell\open | N/A | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\ms-settings\shell | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\ms-settings\shell\open\command | N/A | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\Trojan.Dridex.A.dll,#1
C:\Windows\system32\RecoveryDrive.exe
C:\Windows\system32\RecoveryDrive.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\Mczz4p.cmd
C:\Windows\system32\wbengine.exe
C:\Windows\system32\wbengine.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\h7uFo2.cmd
C:\Windows\System32\fodhelper.exe
"C:\Windows\System32\fodhelper.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\OrMao4j.cmd
C:\Windows\system32\schtasks.exe
schtasks.exe /Create /F /TN "Qdvojli" /TR C:\Windows\system32\Iyx1\wbengine.exe /SC minute /MO 60 /RL highest
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Qdvojli"
C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Qdvojli"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Qdvojli"
C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Qdvojli"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Qdvojli"
C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Qdvojli"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Qdvojli"
C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Qdvojli"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Qdvojli"
C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Qdvojli"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Qdvojli"
C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Qdvojli"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\Mczz4p.cmd
| MD5 | a27a2a0effc1711a81c28371d74fa60b |
| SHA1 | ab074ec19eac2c5a0b44df05ea92dd003c621155 |
| SHA256 | 8be40d27ff168c9a0cd6927285139262e713778568e7e341c1a7556819d2bb89 |
| SHA512 | 4d04bb6428f0b0e1614b96af2123a77ea1748f89cf388f18b2fe957539a1ef27c5c163b6706c868706bd4573fe8a2817a8ac93bf936bbf6357950aa0798f2825 |
C:\Users\Admin\AppData\Local\Temp\j952.tmp
| MD5 | 639a8a082e6284fbc68dfdc77ea44427 |
| SHA1 | 98aee8f25c24c16639dab573d9d3411e579c257e |
| SHA256 | 9c6bd4fd6cb4fb3958fd55434ad6fc93f16220fa934a424b8d4646bcb3ed72e0 |
| SHA512 | 603a3ce9386d0e2d64c7b62bce6a980d21898ec915543f9444b69bcaf3ee1fc95b1fb24817dab99a3c5db916493dc06781e7f48ef1a2ccad080c473087c27178 |
C:\Users\Admin\AppData\Roaming\3TtfmAT\RecoveryDrive.exe
| MD5 | b9b3dc6f2eb89e41ff27400952602c74 |
| SHA1 | 24ae07e0db3ace0809d08bbd039db3a9d533e81b |
| SHA256 | 630518cb2e4636f889d12c98fb2e6be4e579c5eeb86f88695d3f7fff3f5515c4 |
| SHA512 | 7906954b881f1051a0c7f098e096bc28eddcc48643b8bf3134dd57b8c18d8beba4f9a0ac5d348de2f9b8ea607c3e9cb0e61d91e4f3ba1fefb02839f928e3e3fe |
C:\Users\Admin\AppData\Local\Temp\h7uFo2.cmd
| MD5 | 054700d42bbf1d1442986c38395e647e |
| SHA1 | ad21a5350b20e54bf45971ed3f8db7c65859cbf6 |
| SHA256 | b0fc161ff520232624b2b6200302edf179ba6fdf1c21a25aa8da594b91c5ad15 |
| SHA512 | 7183c226784fdcd74034b33d9139a644fcd079f6bbfda10aa21a1a691b5d9c01110da64f297665b4f44b62dd43c4b6a0b5d8200bc4eff3f29373ff3304dbb0f9 |
C:\Users\Admin\AppData\Local\Temp\E31CA.tmp
| MD5 | 45c99a94f559f9e4a93b6096043890bb |
| SHA1 | f3e02bebfb0cdf6aac2a6782acce6931b4c6287c |
| SHA256 | 3efce7e77209052b0159588f3e94b41fd34d9199fceff08a0c88dc2d3e2e17e9 |
| SHA512 | 94fad758b4ea970ba1e8b54e2d0748832009d0d9cff20516883a37e90927787f64b4970c4997a3266e9a820479bc004f19c0d6b696a706791f5ef371a02425e9 |
C:\Users\Admin\AppData\Local\Temp\OrMao4j.cmd
| MD5 | 6b80f661b41e8d91f465957eda7c0531 |
| SHA1 | 9656d53bbb9ba2cadf3b573ef0b2e19e7a4a3230 |
| SHA256 | 0a19c109cab4c5739512a668b7c613ec0d0ab8c40326653bbdec33dbc9bdb612 |
| SHA512 | 90b8a22f33a22b26350399bf2f8e39eb1586ed857cc4632afbbeb33c0ccb0d19d575697b4359701096bc1228aef45d5c261fdb863a78213b9012ee7b2be35ab3 |
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Vfaxdafbicozcso.lnk
| MD5 | 64f66e448f32bd08d6b7a307d13fcfea |
| SHA1 | f532d318d4685258843f1cb303d54ab77d508821 |
| SHA256 | 19829b251eb4d007f60442a1e40a4ec53425476eee35ebfaea814445fa643a8d |
| SHA512 | c575d459759fa95cbcf5b0a9eed7bb0f65a6bab12910c24867f40d6371f1733330bd253112c9dd6aeab2da57e21d343fa4d41985fca3148fad6009260f1eb978 |
Analysis: behavioral5
Detonation Overview
Submitted
2024-09-04 20:01
Reported
2024-09-04 20:10
Platform
win7-20240903-en
Max time kernel
119s
Max time network
128s
Command Line
Signatures
Dridex
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Network Share Discovery
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\whoami.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\Dridex.JhiSharp.dll.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
Discovers systems in the same network
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\net.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\Dridex.JhiSharp.dll.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\Dridex.JhiSharp.dll.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\Dridex.JhiSharp.dll.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\Dridex.JhiSharp.dll.exe
"C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\Dridex.JhiSharp.dll.exe"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe "C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\Dridex.JhiSharp.dll.exe"
C:\Windows\SysWOW64\whoami.exe
C:\Windows\system32\whoami.exe /all
C:\Windows\SysWOW64\net.exe
C:\Windows\system32\net.exe view
Network
| Country | Destination | Domain | Proto |
| FR | 46.105.131.88:443 | N/A | tcp |
| FR | 46.105.131.88:443 | N/A | tcp |
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-09-04 20:01
Reported
2024-09-04 20:10
Platform
win7-20240903-en
Max time kernel
122s
Max time network
128s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Network Share Discovery
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\whoami.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\DridexLoader.bin.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
Discovers systems in the same network
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\net.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\DridexLoader.bin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\DridexLoader.bin.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\DridexLoader.bin.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\DridexLoader.bin.exe
"C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\DridexLoader.bin.exe"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe "C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\DridexLoader.bin.exe"
C:\Windows\SysWOW64\whoami.exe
C:\Windows\system32\whoami.exe /all
C:\Windows\SysWOW64\net.exe
C:\Windows\system32\net.exe view
Network
| Country | Destination | Domain | Proto |
| US | 192.48.88.22:443 | N/A | tcp |
| US | 192.48.88.22:443 | N/A | tcp |
Files
Analysis: behavioral15
Detonation Overview
Submitted
2024-09-04 20:01
Reported
2024-09-04 20:10
Platform
win7-20240903-en
Max time kernel
150s
Max time network
128s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zoekctxdbskyzr = "\"C:\\Users\\Admin\\AppData\\Roaming\\qAf0yl\\perfmon.exe\"" | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\4QmF\Magnify.exe | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\system32\4QmF\Magnify.exe | C:\Windows\System32\cmd.exe | N/A |
Event Triggered Execution: Accessibility Features
Modifies registry class
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\MSCFile\shell\open | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\MSCFile\shell\open | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\MSCFile | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\MSCFile\shell | N/A | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\MSCFile\shell\open\command\ = "C:\\Windows\\system32\\cmd.exe /c C:\\Users\\Admin\\AppData\\Local\\Temp\\4QFxKr.cmd" | N/A | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\MSCFile\shell\open\command | N/A | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\MSCFile\shell | N/A | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\MSCFile | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\MSCFile\shell\open\command | N/A | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\Trojan.Dridex.A.dll,#1
C:\Windows\system32\perfmon.exe
C:\Windows\system32\perfmon.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\l5hL.cmd
C:\Windows\system32\Magnify.exe
C:\Windows\system32\Magnify.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\1ab5MJK.cmd
C:\Windows\System32\eventvwr.exe
"C:\Windows\System32\eventvwr.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\4QFxKr.cmd
C:\Windows\system32\schtasks.exe
schtasks.exe /Create /F /TN "Gugio" /TR C:\Windows\system32\4QmF\Magnify.exe /SC minute /MO 60 /RL highest
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Gugio"
C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Gugio"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Gugio"
C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Gugio"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Gugio"
C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Gugio"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Gugio"
C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Gugio"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Gugio"
C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Gugio"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Gugio"
C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Gugio"
Network
Files
C:\Users\Admin\AppData\Local\Temp\l5hL.cmd
| MD5 | 346eaac10f27ee818583dab257c085f0 |
| SHA1 | 2170d98a0c11859288af7ab61c93ef9e88996160 |
| SHA256 | 2100d0a70eefe559dc0e1ae7a1b0b86ffa32ffbade1054c8c9d1bf5bd8ed197e |
| SHA512 | b53839d68f8a6d02cb9ffccef84cf10482795d30790f9b01d9f0b1106592484d4259c29a29f1b7537d39c7e7a17b0c8d2609c54b8062bd0e36bb77df3069f308 |
C:\Users\Admin\AppData\Local\Temp\m48047.tmp
| MD5 | 87301407b8c71c9c44acb0440fbffad5 |
| SHA1 | d8c52cadd229765f4c86e06185c813c34bbfcf8d |
| SHA256 | 4cad76f0400499a3c4d0d7ecdb6e3006e33501f490059751b46ca6e06383e685 |
| SHA512 | e5b83565267fa32081f2de632d68c9a1baab6af82107bded737d6e7bdd7e245a645e7e83a5e419afd80d8041bffc2b1f2222c0fcd43e757707e4df274279d51d |
\Users\Admin\AppData\Roaming\qAf0yl\perfmon.exe
| MD5 | 3eb98cff1c242167df5fdbc6441ce3c5 |
| SHA1 | 730b27a1c92e8df1e60db5a6fc69ea1b24f68a69 |
| SHA256 | 6d8d5a244bb5a23c95653853fec3d04d2bdd2df5cff8cffb9848bddeb6adb081 |
| SHA512 | f42be2a52d97fd1db2ed5a1a1a81a186a0aab41204980a103df33a4190632ba03f3cbb88fcea8da7ed9a5e15f60732d49a924b025fe6d3e623195ec1d37dfb35 |
C:\Users\Admin\AppData\Local\Temp\1ab5MJK.cmd
| MD5 | 9818458013aa957cfae58ec744e8fb5a |
| SHA1 | d68981dc9b8ffb7acd27e40214057bbd95000d53 |
| SHA256 | cb6ef21e54cde404e4d88f1f36262e133fae6da2d0eb8c0d515edd53c5c6603b |
| SHA512 | b0a4215d76cb93a7d3ea5b2a58ff8cc7772eb791ee3d391bc282eb352a270bc57b40f735f85835341d3d60ec5e36c41c455ed214483b9273b04aaaf88f70598a |
C:\Users\Admin\AppData\Local\Temp\lvA7E4.tmp
| MD5 | e5a83a5c4fd6b3742cb1bdd4504e115d |
| SHA1 | d538fddf3227eb990bb713ea251661d6c9b75938 |
| SHA256 | b90abdce3910b2be736a67db788444b0131e6116e8894258b52d0102cac65b18 |
| SHA512 | e24ab7578dd045451ff68400405e6361d28fb1a12175bd0c3afe2ffb3520559be3879cbafb955ed6916939b6023aed167d75a775567cfa152d2d64563543515a |
C:\Users\Admin\AppData\Local\Temp\4QFxKr.cmd
| MD5 | 819e3a2901d6e1c85bd5dad94758ce17 |
| SHA1 | 31a02a71fcd19400b0c75bc04d4dcebf3a9148ec |
| SHA256 | 40bdf3586e0b23cf8654ffff3f74f6c4be324ea90d594a8a4768c30c09098cdf |
| SHA512 | d310ec18878c1c6f4260cb107b0832c95ccf237e4c87f5858a80cb48a2e570032b62dd6443ab777ff034e2a5a2fece8259f24448605c2a27765871409f14d85c |
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Zoekctxdbskyzr.lnk
| MD5 | 686acba2c190cd0f636b355d21bf2745 |
| SHA1 | 7a49dfe621466ec1dba5f023da8d7be2448581de |
| SHA256 | d6bdeab505a66b9c5b11ceffab89a986287979571effd59846734a475358a8d4 |
| SHA512 | 41e01b7cffa9c089d90df9b6e86b45f25925736f694ca39064830595eeca030b9010c1b429dbc8cf4062b73d6cf3bd182a1dc1e115928e2958005279c5b62bea |
Analysis: behavioral18
Detonation Overview
Submitted
2024-09-04 20:01
Reported
2024-09-04 20:10
Platform
win10v2004-20240802-en
Max time kernel
144s
Max time network
156s
Command Line
Signatures
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Emotet.zip
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.56.20.217.in-addr.arpa | udp |
| NL | 52.111.243.31:443 | N/A | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-09-04 20:01
Reported
2024-09-04 20:10
Platform
win10v2004-20240802-en
Max time kernel
115s
Max time network
160s
Command Line
Signatures
Dridex
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Network Share Discovery
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\whoami.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\Trojan.Dridex.A.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
Discovers systems in the same network
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\net.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\Trojan.Dridex.A.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\Trojan.Dridex.A.exe
"C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\Trojan.Dridex.A.exe"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe "C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\Trojan.Dridex.A.exe"
C:\Windows\SysWOW64\whoami.exe
C:\Windows\system32\whoami.exe /all
C:\Windows\SysWOW64\net.exe
C:\Windows\system32\net.exe view
Network
| Country | Destination | Domain | Proto |
Files
Analysis: behavioral26
Detonation Overview
Submitted
2024-09-04 20:01
Reported
2024-09-04 20:10
Platform
ubuntu2404-amd64-20240523-en
Max time kernel
149s
Max time network
146s
Command Line
Signatures
Adds new SSH keys
| Description | Indicator | Process | Target |
| File opened for modification | /root/.ssh/authorized_keys | /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/30c150419000d27dafcd5d00702411b2b23b0f5d7e4d0cc729a7d63b2e460a01 | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/30c150419000d27dafcd5d00702411b2b23b0f5d7e4d0cc729a7d63b2e460a01 | N/A |
Deletes log files
| Description | Indicator | Process | Target |
| File deleted | /var/log/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/30c150419000d27dafcd5d00702411b2b23b0f5d7e4d0cc729a7d63b2e460a01 | /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/30c150419000d27dafcd5d00702411b2b23b0f5d7e4d0cc729a7d63b2e460a01 | N/A |
Enumerates running processes
Checks CPU configuration
| Description | Indicator | Process | Target |
| File opened for reading | /proc/cpuinfo | /usr/bin/cat | N/A |
Reads runtime system information
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/nc | /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/30c150419000d27dafcd5d00702411b2b23b0f5d7e4d0cc729a7d63b2e460a01 | N/A |
Processes
/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/30c150419000d27dafcd5d00702411b2b23b0f5d7e4d0cc729a7d63b2e460a01
[/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/30c150419000d27dafcd5d00702411b2b23b0f5d7e4d0cc729a7d63b2e460a01]
/usr/bin/uname
[uname -a]
/usr/bin/cat
[cat /proc/cpuinfo]
/usr/bin/cat
[cat /etc/issue]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
/usr/bin/journalctl
[journalctl -S @0 -u sshd]
/usr/bin/cat
[cat /var/log/auth*]
/usr/bin/zcat
[zcat /var/log/auth*]
/usr/local/sbin/gzip
[gzip -cd /var/log/auth*]
/usr/local/bin/gzip
[gzip -cd /var/log/auth*]
/usr/sbin/gzip
[gzip -cd /var/log/auth*]
/usr/bin/gzip
[gzip -cd /var/log/auth*]
Network
| Country | Destination | Domain | Proto |
Files
/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/nc
| MD5 | 819b0fdb2b9c8a440b734a7b72522f12 |
| SHA1 | f3aff7e1c44d21508eb60797211570c84a53597a |
| SHA256 | 30c150419000d27dafcd5d00702411b2b23b0f5d7e4d0cc729a7d63b2e460a01 |
| SHA512 | fee2c0dbbc91e2486e409e8b6a877c6ec500e6c7c0491d4c44d37006c30de79b95dd4640c7c8c8efcc920abccbdb659a590fde1e2526126279b7486778d08b5a |
Analysis: behavioral29
Detonation Overview
Submitted
2024-09-04 20:01
Reported
2024-09-04 20:10
Platform
ubuntu2204-amd64-20240611-en
Max time kernel
150s
Max time network
148s
Command Line
Signatures
Adds new SSH keys
| Description | Indicator | Process | Target |
| File opened for modification | /root/.ssh/authorized_keys | /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59 | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59 | N/A |
Deletes log files
| Description | Indicator | Process | Target |
| File deleted | /var/log/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59 | /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59 | N/A |
Enumerates running processes
Checks CPU configuration
| Description | Indicator | Process | Target |
| File opened for reading | /proc/cpuinfo | /usr/bin/cat | N/A |
Reads CPU attributes
| Description | Indicator | Process | Target |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/uptime | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/free | N/A |
Reads runtime system information
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/nc | /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59 | N/A |
Processes
/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59
[/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59]
/usr/bin/uname
[uname -a]
/usr/bin/cat
[cat /proc/cpuinfo]
/usr/bin/cat
[cat /etc/issue]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
/usr/bin/journalctl
[journalctl -S @0 -u sshd]
/usr/bin/cat
[cat /var/log/auth*]
/usr/bin/zcat
[zcat /var/log/auth*]
/usr/local/sbin/gzip
[gzip -cd /var/log/auth*]
/usr/local/bin/gzip
[gzip -cd /var/log/auth*]
/usr/sbin/gzip
[gzip -cd /var/log/auth*]
/usr/bin/gzip
[gzip -cd /var/log/auth*]
Network
| Country | Destination | Domain | Proto |
Files
/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/nc
| MD5 | 97cfb3c26a12e13792f7d1741309d767 |
| SHA1 | a010f85cdda9f83cbc738eb1b41cd621f3d6018e |
| SHA256 | 5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59 |
| SHA512 | 162028b9e93bb4718427304a96767880da7094c99ae6145e61a562f09dae0ce6726b2dfac95782990f50fa9bfc9f82b1aacb9e7b12442094137872fa8a3f3379 |
Analysis: behavioral31
Detonation Overview
Submitted
2024-09-04 20:01
Reported
2024-09-04 20:10
Platform
ubuntu2204-amd64-20240522.1-en
Max time kernel
149s
Max time network
141s
Command Line
Signatures
Adds new SSH keys
| Description | Indicator | Process | Target |
| File opened for modification | /root/.ssh/authorized_keys | /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7745b070943e910e8807e3521ac7b7a01401d131bf6c18a63433f8177ed539a6 | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Deletes log files
| Description | Indicator | Process | Target |
| File deleted | /var/log/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7745b070943e910e8807e3521ac7b7a01401d131bf6c18a63433f8177ed539a6 | /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7745b070943e910e8807e3521ac7b7a01401d131bf6c18a63433f8177ed539a6 | N/A |
Enumerates running processes
Checks CPU configuration
| Description | Indicator | Process | Target |
| File opened for reading | /proc/cpuinfo | /usr/bin/cat | N/A |
Reads CPU attributes
| Description | Indicator | Process | Target |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/free | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/uptime | N/A |
Reads runtime system information
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/nc | /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7745b070943e910e8807e3521ac7b7a01401d131bf6c18a63433f8177ed539a6 | N/A |
Processes
/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7745b070943e910e8807e3521ac7b7a01401d131bf6c18a63433f8177ed539a6
[/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7745b070943e910e8807e3521ac7b7a01401d131bf6c18a63433f8177ed539a6]
/usr/bin/uname
[uname -a]
/usr/bin/cat
[cat /proc/cpuinfo]
/usr/bin/cat
[cat /etc/issue]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
/usr/bin/journalctl
[journalctl -S @0 -u sshd]
/usr/bin/cat
[cat /var/log/auth*]
/usr/bin/zcat
[zcat /var/log/auth*]
/usr/local/sbin/gzip
[gzip -cd /var/log/auth*]
/usr/local/bin/gzip
[gzip -cd /var/log/auth*]
/usr/sbin/gzip
[gzip -cd /var/log/auth*]
/usr/bin/gzip
[gzip -cd /var/log/auth*]
Network
| Country | Destination | Domain | Proto |
Files
/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/nc
| MD5 | d4e533f9c11b5cc9e755d94c1315553a |
| SHA1 | 9e15020cd2688b537bae18e5f291ee8cbe9a85e7 |
| SHA256 | 7745b070943e910e8807e3521ac7b7a01401d131bf6c18a63433f8177ed539a6 |
| SHA512 | 149226355b2e5c3fac403289b5e66bd4164a7aee76d8dc8f1d698c509db7a081bad9d4172cc950bb0e6e6909e0073d551dcde82cbeaaf61a9c1b02c9ba48fb38 |
Analysis: behavioral7
Detonation Overview
Submitted
2024-09-04 20:01
Reported
2024-09-04 20:10
Platform
win7-20240903-en
Max time kernel
121s
Max time network
129s
Command Line
Signatures
Dridex
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Network Share Discovery
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\DridexDroppedVBS.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\whoami.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
Discovers systems in the same network
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\net.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\DridexDroppedVBS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\DridexDroppedVBS.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\DridexDroppedVBS.exe
"C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\DridexDroppedVBS.exe"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe "C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\DridexDroppedVBS.exe"
C:\Windows\SysWOW64\whoami.exe
C:\Windows\system32\whoami.exe /all
C:\Windows\SysWOW64\net.exe
C:\Windows\system32\net.exe view
Network
| Country | Destination | Domain | Proto |
| JP | 60.124.4.241:443 | N/A | tcp |
Files
Analysis: behavioral24
Detonation Overview
Submitted
2024-09-04 20:01
Reported
2024-09-04 20:10
Platform
ubuntu2404-amd64-20240523-en
Max time kernel
149s
Max time network
161s
Command Line
Signatures
Adds new SSH keys
| Description | Indicator | Process | Target |
| File opened for modification | /root/.ssh/authorized_keys | /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/103b8404dc64c9a44511675981a09fd01395ee837452d114f1350c295357c046 | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Abuse Elevation Control Mechanism: Sudo and Sudo Caching
| Description | Indicator | Process | Target |
| N/A | N/A | /usr/bin/sudo | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | /usr/bin/which | N/A |
Deletes log files
The single row records deletion of a file carrying the sample's own name under a /var/log/tmp/ prefix; nothing under /var/log/auth* and nothing in the journal is removed, so this is not log tampering. The log-related commands in the Processes list are reads: journalctl -S @0 -u sshd (everything the sshd unit has logged since the epoch), cat /var/log/auth* and zcat /var/log/auth* pull the host's complete SSH authentication history, successful and failed logins alike.
| Description | Indicator | Process | Target |
| File deleted | /var/log/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/103b8404dc64c9a44511675981a09fd01395ee837452d114f1350c295357c046 | /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/103b8404dc64c9a44511675981a09fd01395ee837452d114f1350c295357c046 | N/A |
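The three behaviours above (the sudo capability probe, the SSH auth-log reads, and the burst of privileged killall/pkill/rm -rf commands that follows in the Processes list) are easier to catch as sequences than as single process names. The following is an added example, not part of the sandbox report: three rules run over a constructed process-exec stream whose shape (ts, pid, ppid, argv) and events are invented here to mirror the report; on a real host the events would come from auditd EXECVE records, eBPF exec tracing or an EDR process log. The probe rule is written for any dotfile marker, not only .local_<number>, and the burst rule uses a per-parent sliding window so that a single admin sudo never fires it.

```python
"""Behavioural rules over a process-exec stream for three behaviours in this
report: the sudo capability probe, the SSH auth-log reads and the burst of
privileged kill/remove commands. Event layout and sample events are constructed."""
import re
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class ExecEvent:
    ts: float     # seconds since trace start
    pid: int
    ppid: int
    argv: tuple   # full argument vector; argv[0] is the program name

def ev(ts, pid, ppid, *argv):
    return ExecEvent(ts, pid, ppid, tuple(argv))

# Constructed events (not sandbox output): pid 2300 is the shell running the
# sample's sequence, pid 9000 an unrelated admin shell that must stay quiet.
SAMPLE_EVENTS = [
    ev(0.00, 2301, 2300, "which", "sudo"),
    ev(0.10, 2303, 2300, "sudo", "-S", "touch", ".local_20654"),
    ev(0.20, 2305, 2300, "ls", "-l", ".local_20654"),
    ev(0.30, 2307, 2300, "sudo", "rm", ".local_20654"),
    ev(0.50, 2308, 2300, "journalctl", "-S", "@0", "-u", "sshd"),
    ev(0.60, 2309, 2300, "cat", "/var/log/auth.log"),
    ev(0.70, 2310, 2300, "zcat", "/var/log/auth.log.2.gz"),
    ev(1.00, 2311, 2300, "sudo", "killall", "-9", "bssh"),
    ev(1.05, 2312, 2300, "sudo", "rm", "-rf", "/tmp/.an"),
    ev(1.10, 2313, 2300, "sudo", "killall", "-9", "xm64"),
    ev(1.15, 2314, 2300, "sudo", "pkill", "daemon.mips.mod"),
    ev(1.20, 2315, 2300, "sudo", "killall", "-9", "[atd]"),
    ev(60.0, 9001, 9000, "sudo", "apt-get", "update"),
]

MARKER_RE = re.compile(r"^\.[A-Za-z0-9_]+$")   # dotfile marker such as .local_20654
AUTH_LOG_RE = re.compile(r"^/var/log/auth")

def detect_sudo_probe(events, window=5.0):
    """'sudo -S touch <dotfile>' followed, from the same parent and within
    `window` seconds, by 'ls -l <dotfile>' and 'sudo rm <dotfile>'.
    Returns the marker names that complete the pattern."""
    by_parent = defaultdict(list)
    for e in events:
        by_parent[e.ppid].append(e)
    hits = []
    for evs in by_parent.values():
        evs.sort(key=lambda e: e.ts)
        for i, e in enumerate(evs):
            if len(e.argv) < 4 or e.argv[:3] != ("sudo", "-S", "touch"):
                continue
            marker = e.argv[3]
            later = {x.argv[:3] for x in evs[i + 1:] if x.ts - e.ts <= window}
            if MARKER_RE.match(marker) and ("ls", "-l", marker) in later \
                    and ("sudo", "rm", marker) in later:
                hits.append(marker)
    return hits

def detect_auth_log_harvest(events):
    """cat/zcat/gzip over /var/log/auth*, or journalctl scoped to the sshd
    unit. Returns (tool, target) pairs in event order."""
    hits = []
    for e in events:
        tool = e.argv[0] if e.argv else ""
        auth_args = [a for a in e.argv[1:] if AUTH_LOG_RE.match(a)]
        if tool in ("cat", "zcat", "gzip") and auth_args:
            hits.append((tool, auth_args[0]))
        elif tool == "journalctl" and "-u" in e.argv[:-1] \
                and e.argv[e.argv.index("-u") + 1] == "sshd":
            hits.append((tool, "unit:sshd"))
    return hits

def _kill_target(a):
    """Target of a privileged kill/remove command vector, or None."""
    if a[:1] != ("sudo",) or len(a) < 3:
        return None
    if a[1] in ("killall", "pkill"):
        return a[-1]
    if a[1:3] == ("rm", "-rf") and len(a) > 3 and a[3].startswith("/tmp/"):
        return a[3]
    return None

def detect_kill_burst(events, window=10.0, threshold=5):
    """At least `threshold` privileged kill/remove commands from one parent
    inside a sliding `window` of seconds. Returns {ppid: all its targets}."""
    per_parent = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        t = _kill_target(e.argv)
        if t is not None:
            per_parent[e.ppid].append((e.ts, t))
    findings = {}
    for ppid, items in per_parent.items():
        lo = 0
        for hi in range(len(items)):
            while items[hi][0] - items[lo][0] > window:
                lo += 1
            if hi - lo + 1 >= threshold:
                findings[ppid] = [t for _, t in items]
                break
    return findings
```

The probe rule keys on the parent shell rather than on sudo's own pid because each sudo in the report is a fresh process; the ls and rm that complete the pattern are siblings, not children, of the sudo that created the marker. Tune the burst threshold to the host: five privileged kill/remove commands in ten seconds is far above anything an interactive administrator does, but a configuration-management run may need to be allow-listed by parent executable.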
Enumerates running processes
No row is attached to this signature; the evidence is in the Processes list, where the sample runs sudo ps auxff or sudo ps auxf and pipes the output through grep <name> | grep -v grep | awk { print $2 } to collect PIDs for ./crond, xmr, cryptonight, stratum, dbus-daemon--system, [] and xm64. xmr, cryptonight and stratum are cryptocurrency-mining terms, so the enumeration is a search for other miners already on the host.
Checks CPU configuration
Wherever a process is named in this table and the two that follow it is /usr/bin/ps or /usr/bin/pkill, i.e. the procps tools the sample spawns; reading /proc/cpuinfo, /sys/devices/system/cpu/possible and /sys/devices/system/node is routine for those tools when they start, so these hits describe the tooling rather than the payload. The one deliberate hardware read by the sample's shell is cat /proc/cpuinfo in the Processes list.
| Description | Indicator | Process | Target |
| File opened for reading | /proc/cpuinfo | /usr/bin/ps | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/ps | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/ps | N/A |
| File opened for reading | /proc/cpuinfo | N/A | N/A |
| File opened for reading | /proc/cpuinfo | N/A | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/ps | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/ps | N/A |
| File opened for reading | /proc/cpuinfo | N/A | N/A |
| File opened for reading | /proc/cpuinfo | N/A | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/ps | N/A |
| File opened for reading | /proc/cpuinfo | N/A | N/A |
| File opened for reading | /proc/cpuinfo | N/A | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/ps | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/ps | N/A |
| File opened for reading | /proc/cpuinfo | N/A | N/A |
| File opened for reading | /proc/cpuinfo | N/A | N/A |
| File opened for reading | /proc/cpuinfo | N/A | N/A |
| File opened for reading | /proc/cpuinfo | N/A | N/A |
| File opened for reading | /proc/cpuinfo | N/A | N/A |
| File opened for reading | /proc/cpuinfo | N/A | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/ps | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/ps | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/ps | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/ps | N/A |
| File opened for reading | /proc/cpuinfo | N/A | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/ps | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/ps | N/A |
| File opened for reading | /proc/cpuinfo | N/A | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/ps | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/ps | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/ps | N/A |
| File opened for reading | /proc/cpuinfo | N/A | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/ps | N/A |
| File opened for reading | /proc/cpuinfo | N/A | N/A |
| File opened for reading | /proc/cpuinfo | N/A | N/A |
| File opened for reading | /proc/cpuinfo | N/A | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/ps | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/ps | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/ps | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/ps | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/ps | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/ps | N/A |
| File opened for reading | /proc/cpuinfo | N/A | N/A |
| File opened for reading | /proc/cpuinfo | N/A | N/A |
| File opened for reading | /proc/cpuinfo | N/A | N/A |
| File opened for reading | /proc/cpuinfo | N/A | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/ps | N/A |
| File opened for reading | /proc/cpuinfo | N/A | N/A |
| File opened for reading | /proc/cpuinfo | N/A | N/A |
| File opened for reading | /proc/cpuinfo | N/A | N/A |
| File opened for reading | /proc/cpuinfo | N/A | N/A |
| File opened for reading | /proc/cpuinfo | N/A | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/ps | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/ps | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/ps | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/ps | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/ps | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/ps | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/ps | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/ps | N/A |
| File opened for reading | /proc/cpuinfo | N/A | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/ps | N/A |
| File opened for reading | /proc/cpuinfo | N/A | N/A |
| File opened for reading | /proc/cpuinfo | N/A | N/A |
Reads CPU attributes
| Description | Indicator | Process | Target |
| File opened for reading | /sys/devices/system/cpu/possible | N/A | N/A |
| File opened for reading | /sys/devices/system/cpu/possible | /usr/bin/ps | N/A |
| File opened for reading | /sys/devices/system/cpu/possible | /usr/bin/ps | N/A |
| File opened for reading | /sys/devices/system/cpu/possible | /usr/bin/ps | N/A |
| File opened for reading | /sys/devices/system/cpu/possible | N/A | N/A |
| File opened for reading | /sys/devices/system/cpu/possible | N/A | N/A |
| File opened for reading | /sys/devices/system/cpu/possible | /usr/bin/ps | N/A |
| File opened for reading | /sys/devices/system/cpu/possible | /usr/bin/ps | N/A |
| File opened for reading | /sys/devices/system/cpu/possible | N/A | N/A |
| File opened for reading | /sys/devices/system/cpu/possible | N/A | N/A |
| File opened for reading | /sys/devices/system/cpu/possible | /usr/bin/ps | N/A |
| File opened for reading | /sys/devices/system/cpu/possible | N/A | N/A |
| File opened for reading | /sys/devices/system/cpu/possible | N/A | N/A |
| File opened for reading | /sys/devices/system/cpu/possible | N/A | N/A |
| File opened for reading | /sys/devices/system/cpu/possible | N/A | N/A |
| File opened for reading | /sys/devices/system/cpu/possible | /usr/bin/pkill | N/A |
| File opened for reading | /sys/devices/system/cpu/possible | /usr/bin/pkill | N/A |
| File opened for reading | /sys/devices/system/cpu/possible | /usr/bin/ps | N/A |
| File opened for reading | /sys/devices/system/cpu/possible | N/A | N/A |
| File opened for reading | /sys/devices/system/cpu/possible | N/A | N/A |
| File opened for reading | /sys/devices/system/cpu/possible | /usr/bin/ps | N/A |
| File opened for reading | /sys/devices/system/cpu/possible | N/A | N/A |
| File opened for reading | /sys/devices/system/cpu/possible | /usr/bin/ps | N/A |
| File opened for reading | /sys/devices/system/cpu/possible | /usr/bin/ps | N/A |
| File opened for reading | /sys/devices/system/cpu/possible | N/A | N/A |
| File opened for reading | /sys/devices/system/cpu/possible | N/A | N/A |
| File opened for reading | /sys/devices/system/cpu/possible | N/A | N/A |
| File opened for reading | /sys/devices/system/cpu/possible | /usr/bin/pkill | N/A |
| File opened for reading | /sys/devices/system/cpu/possible | /usr/bin/ps | N/A |
| File opened for reading | /sys/devices/system/cpu/possible | N/A | N/A |
| File opened for reading | /sys/devices/system/cpu/possible | /usr/bin/ps | N/A |
| File opened for reading | /sys/devices/system/cpu/possible | /usr/bin/pkill | N/A |
| File opened for reading | /sys/devices/system/cpu/possible | N/A | N/A |
| File opened for reading | /sys/devices/system/cpu/possible | N/A | N/A |
| File opened for reading | /sys/devices/system/cpu/possible | N/A | N/A |
| File opened for reading | /sys/devices/system/cpu/possible | /usr/bin/pkill | N/A |
| File opened for reading | /sys/devices/system/cpu/possible | /usr/bin/pkill | N/A |
| File opened for reading | /sys/devices/system/cpu/possible | /usr/bin/ps | N/A |
| File opened for reading | /sys/devices/system/cpu/possible | N/A | N/A |
| File opened for reading | /sys/devices/system/cpu/possible | N/A | N/A |
| File opened for reading | /sys/devices/system/cpu/possible | /usr/bin/pkill | N/A |
| File opened for reading | /sys/devices/system/cpu/possible | /usr/bin/ps | N/A |
| File opened for reading | /sys/devices/system/cpu/possible | N/A | N/A |
| File opened for reading | /sys/devices/system/cpu/possible | /usr/bin/pkill | N/A |
| File opened for reading | /sys/devices/system/cpu/possible | N/A | N/A |
| File opened for reading | /sys/devices/system/cpu/possible | /usr/bin/pkill | N/A |
| File opened for reading | /sys/devices/system/cpu/possible | /usr/bin/pkill | N/A |
| File opened for reading | /sys/devices/system/cpu/possible | /usr/bin/ps | N/A |
| File opened for reading | /sys/devices/system/cpu/possible | N/A | N/A |
| File opened for reading | /sys/devices/system/cpu/possible | N/A | N/A |
| File opened for reading | /sys/devices/system/cpu/possible | /usr/bin/ps | N/A |
| File opened for reading | /sys/devices/system/cpu/possible | N/A | N/A |
| File opened for reading | /sys/devices/system/cpu/possible | N/A | N/A |
| File opened for reading | /sys/devices/system/cpu/possible | N/A | N/A |
| File opened for reading | /sys/devices/system/cpu/possible | /usr/bin/ps | N/A |
| File opened for reading | /sys/devices/system/cpu/possible | N/A | N/A |
| File opened for reading | /sys/devices/system/cpu/possible | /usr/bin/ps | N/A |
| File opened for reading | /sys/devices/system/cpu/possible | N/A | N/A |
| File opened for reading | /sys/devices/system/cpu/possible | N/A | N/A |
| File opened for reading | /sys/devices/system/cpu/possible | /usr/bin/pkill | N/A |
| File opened for reading | /sys/devices/system/cpu/possible | N/A | N/A |
| File opened for reading | /sys/devices/system/cpu/possible | N/A | N/A |
| File opened for reading | /sys/devices/system/cpu/possible | N/A | N/A |
| File opened for reading | /sys/devices/system/cpu/possible | N/A | N/A |
Enumerates kernel/hardware configuration
| Description | Indicator | Process | Target |
| File opened for reading | /sys/devices/system/node | /usr/bin/pkill | N/A |
| File opened for reading | /sys/devices/system/node | N/A | N/A |
| File opened for reading | /sys/devices/system/node | N/A | N/A |
| File opened for reading | /sys/devices/system/node | N/A | N/A |
| File opened for reading | /sys/devices/system/node | N/A | N/A |
| File opened for reading | /sys/devices/system/node | /usr/bin/ps | N/A |
| File opened for reading | /sys/devices/system/node | /usr/bin/pkill | N/A |
| File opened for reading | /sys/devices/system/node | /usr/bin/ps | N/A |
| File opened for reading | /sys/devices/system/node | /usr/bin/ps | N/A |
| File opened for reading | /sys/devices/system/node | N/A | N/A |
| File opened for reading | /sys/devices/system/node | N/A | N/A |
| File opened for reading | /sys/devices/system/node | /usr/bin/ps | N/A |
| File opened for reading | /sys/devices/system/node | /usr/bin/pkill | N/A |
| File opened for reading | /sys/devices/system/node | /usr/bin/ps | N/A |
| File opened for reading | /sys/devices/system/node | /usr/bin/pkill | N/A |
| File opened for reading | /sys/devices/system/node | N/A | N/A |
| File opened for reading | /sys/devices/system/node | N/A | N/A |
| File opened for reading | /sys/devices/system/node | /usr/bin/pkill | N/A |
| File opened for reading | /sys/devices/system/node | /usr/bin/pkill | N/A |
| File opened for reading | /sys/devices/system/node | /usr/bin/ps | N/A |
| File opened for reading | /sys/devices/system/node | /usr/bin/ps | N/A |
| File opened for reading | /sys/devices/system/node | N/A | N/A |
| File opened for reading | /sys/devices/system/node | N/A | N/A |
| File opened for reading | /sys/devices/system/node | N/A | N/A |
| File opened for reading | /sys/devices/system/node | N/A | N/A |
| File opened for reading | /sys/devices/system/node | /usr/bin/ps | N/A |
| File opened for reading | /sys/devices/system/node | N/A | N/A |
| File opened for reading | /sys/devices/system/node | N/A | N/A |
| File opened for reading | /sys/devices/system/node | N/A | N/A |
| File opened for reading | /sys/devices/system/node | N/A | N/A |
| File opened for reading | /sys/devices/system/node | N/A | N/A |
| File opened for reading | /sys/devices/system/node | /usr/bin/ps | N/A |
| File opened for reading | /sys/devices/system/node | /usr/bin/pkill | N/A |
| File opened for reading | /sys/devices/system/node | /usr/bin/ps | N/A |
| File opened for reading | /sys/devices/system/node | /usr/bin/pkill | N/A |
| File opened for reading | /sys/devices/system/node | /usr/bin/pkill | N/A |
| File opened for reading | /sys/devices/system/node | /usr/bin/pkill | N/A |
| File opened for reading | /sys/devices/system/node | /usr/bin/ps | N/A |
| File opened for reading | /sys/devices/system/node | N/A | N/A |
| File opened for reading | /sys/devices/system/node | N/A | N/A |
| File opened for reading | /sys/devices/system/node | N/A | N/A |
| File opened for reading | /sys/devices/system/node | N/A | N/A |
| File opened for reading | /sys/devices/system/node | /usr/bin/pkill | N/A |
| File opened for reading | /sys/devices/system/node | /usr/bin/ps | N/A |
| File opened for reading | /sys/devices/system/node | /usr/bin/pkill | N/A |
| File opened for reading | /sys/devices/system/node | /usr/bin/pkill | N/A |
| File opened for reading | /sys/devices/system/node | /usr/bin/ps | N/A |
| File opened for reading | /sys/devices/system/node | N/A | N/A |
| File opened for reading | /sys/devices/system/node | /usr/bin/ps | N/A |
| File opened for reading | /sys/devices/system/node | N/A | N/A |
| File opened for reading | /sys/devices/system/node | N/A | N/A |
| File opened for reading | /sys/devices/system/node | N/A | N/A |
| File opened for reading | /sys/devices/system/node | /usr/bin/pkill | N/A |
| File opened for reading | /sys/devices/system/node | /usr/bin/ps | N/A |
| File opened for reading | /sys/devices/system/node | /usr/bin/ps | N/A |
| File opened for reading | /sys/devices/system/node | N/A | N/A |
| File opened for reading | /sys/devices/system/node | N/A | N/A |
| File opened for reading | /sys/devices/system/node | N/A | N/A |
| File opened for reading | /sys/devices/system/node | N/A | N/A |
| File opened for reading | /sys/devices/system/node | N/A | N/A |
| File opened for reading | /sys/devices/system/node | /usr/bin/ps | N/A |
| File opened for reading | /sys/devices/system/node | N/A | N/A |
| File opened for reading | /sys/devices/system/node | N/A | N/A |
| File opened for reading | /sys/devices/system/node | N/A | N/A |
Reads runtime system information
The /proc/<pid>/stat, status, cmdline, environ and ctty reads come from ps, pkill, killall and pidof walking the process table to match names; the read of /proc/sys/kernel/seccomp/actions_avail belongs to sudo itself, which checks which seccomp actions the kernel offers. Nothing in this table is specific to the payload.
| Description | Indicator | Process | Target |
| File opened for reading | /proc/2370/cgroup | N/A | N/A |
| File opened for reading | /proc/63/cgroup | N/A | N/A |
| File opened for reading | /proc/2300/cmdline | N/A | N/A |
| File opened for reading | /proc/2367/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/37/stat | /usr/bin/killall | N/A |
| File opened for reading | /proc/2529/stat | /usr/bin/pkill | N/A |
| File opened for reading | /proc/2867/ctty | N/A | N/A |
| File opened for reading | /proc/2878/status | N/A | N/A |
| File opened for reading | /proc/2346/status | N/A | N/A |
| File opened for reading | /proc/12/stat | N/A | N/A |
| File opened for reading | /proc/7/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/2628 | /usr/bin/killall | N/A |
| File opened for reading | /proc/2284/cmdline | /usr/bin/ps | N/A |
| File opened for reading | /proc/sys/kernel/seccomp/actions_avail | /usr/bin/sudo | N/A |
| File opened for reading | /proc/2877/cmdline | /usr/bin/ps | N/A |
| File opened for reading | /proc/728/cgroup | N/A | N/A |
| File opened for reading | /proc/2368/environ | N/A | N/A |
| File opened for reading | /proc/194/stat | /usr/bin/pidof | N/A |
| File opened for reading | /proc/2189/environ | /usr/bin/ps | N/A |
| File opened for reading | /proc/24/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/56/stat | N/A | N/A |
| File opened for reading | /proc/2300/status | /usr/bin/ps | N/A |
| File opened for reading | /proc/731/stat | N/A | N/A |
| File opened for reading | /proc/2651/ctty | N/A | N/A |
| File opened for reading | /proc/2074 | /usr/bin/killall | N/A |
| File opened for reading | /proc/56/cmdline | N/A | N/A |
| File opened for reading | /proc/13/stat | N/A | N/A |
| File opened for reading | /proc/1112/ctty | /usr/bin/ps | N/A |
| File opened for reading | /proc/2189 | /usr/bin/killall | N/A |
| File opened for reading | /proc/1400/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/31/environ | /usr/bin/ps | N/A |
| File opened for reading | /proc/52/ctty | /usr/bin/pkill | N/A |
| File opened for reading | /proc/1067/cgroup | N/A | N/A |
| File opened for reading | /proc/25/cmdline | N/A | N/A |
| File opened for reading | /proc/2191/status | N/A | N/A |
| File opened for reading | /proc/2 | /usr/bin/killall | N/A |
| File opened for reading | /proc/33/environ | /usr/bin/ps | N/A |
| File opened for reading | /proc/3545 | /usr/bin/killall | N/A |
| File opened for reading | /proc/2345/cmdline | N/A | N/A |
| File opened for reading | /proc/2300/cgroup | N/A | N/A |
| File opened for reading | /proc/2523 | /usr/bin/killall | N/A |
| File opened for reading | /proc/1085/stat | /usr/bin/pkill | N/A |
| File opened for reading | /proc/2621/environ | /usr/bin/ps | N/A |
| File opened for reading | /proc/2867/cgroup | N/A | N/A |
| File opened for reading | /proc/2352/status | /usr/bin/ps | N/A |
| File opened for reading | /proc/199/status | /usr/bin/pkill | N/A |
| File opened for reading | /proc/357/ctty | N/A | N/A |
| File opened for reading | /proc/2300/stat | N/A | N/A |
| File opened for reading | /proc/8 | N/A | N/A |
| File opened for reading | /proc/51 | N/A | N/A |
| File opened for reading | /proc/2610/cmdline | N/A | N/A |
| File opened for reading | /proc/21/ctty | /usr/bin/pkill | N/A |
| File opened for reading | /proc/2639/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/457/stat | N/A | N/A |
| File opened for reading | /proc/2539/cmdline | /usr/bin/ps | N/A |
| File opened for reading | /proc/49/status | N/A | N/A |
| File opened for reading | /proc/2870/cmdline | /usr/bin/ps | N/A |
| File opened for reading | /proc/2161/cmdline | /usr/bin/pkill | N/A |
| File opened for reading | /proc/2682/stat | /usr/bin/ps | N/A |
| File opened for reading | /proc/2370/stat | /usr/bin/ps | N/A |
| File opened for reading | /proc/2807/ctty | N/A | N/A |
| File opened for reading | /proc/2373/environ | N/A | N/A |
| File opened for reading | /proc/2468 | N/A | N/A |
| File opened for reading | /proc/793/environ | N/A | N/A |
Writes file to tmp directory
Two different things are recorded here. The .local_<number> files are the sudo-probe markers created by sudo -S touch and removed moments later with sudo rm; they carry no payload. The write to /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/nc is made by the sample binary itself and is the one dropped file worth collecting from the detonation.
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/nc | /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/103b8404dc64c9a44511675981a09fd01395ee837452d114f1350c295357c046 | N/A |
| File opened for modification | /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/.local_2149 | /usr/bin/touch | N/A |
| File opened for modification | /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/.local_20765 | N/A | N/A |
| File opened for modification | /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/.local_10129 | /usr/bin/touch | N/A |
| File opened for modification | /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/.local_19923 | /usr/bin/touch | N/A |
| File opened for modification | /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/.local_29275 | N/A | N/A |
| File opened for modification | /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/.local_21234 | N/A | N/A |
| File opened for modification | /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/.local_28289 | /usr/bin/touch | N/A |
| File opened for modification | /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/.local_4503 | /usr/bin/touch | N/A |
| File opened for modification | /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/.local_24732 | /usr/bin/touch | N/A |
| File opened for modification | /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/.local_20634 | N/A | N/A |
| File opened for modification | /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/.local_30673 | N/A | N/A |
| File opened for modification | /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/.local_9137 | N/A | N/A |
| File opened for modification | /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/.local_9481 | N/A | N/A |
| File opened for modification | /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/.local_15039 | /usr/bin/touch | N/A |
| File opened for modification | /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/.local_9750 | /usr/bin/touch | N/A |
| File opened for modification | /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/.local_7509 | /usr/bin/touch | N/A |
| File opened for modification | /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/.local_31374 | N/A | N/A |
| File opened for modification | /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/.local_20654 | /usr/bin/touch | N/A |
| File opened for modification | /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/.local_24420 | /usr/bin/touch | N/A |
| File opened for modification | /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/.local_22887 | N/A | N/A |
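Among the names the sample kills with sudo killall -9 in the Processes list below are [atd], [ntpd], [rpciod] and [ext4-dio-unwrit]. Those brackets are what ps prints for a kernel thread, and a real kernel thread ignores SIGKILL, so a bracketed name on a kill list only makes sense as a user-space process that has disguised itself as one. The following is an added example, not part of the report: it tells the two apart with the PF_KTHREAD task flag from /proc/<pid>/stat, which userspace cannot set, while a process can freely wipe its argv or rename itself with prctl(PR_SET_NAME). The /proc parsing is real; the records in SAMPLE_PROCS, including their exe paths, are constructed for the example.

```python
"""Separate genuine kernel threads from user-space processes named to look like
one. The /proc parsing is real; SAMPLE_PROCS is constructed for the example."""
import os
from dataclasses import dataclass
from typing import Optional

PF_KTHREAD = 0x00200000   # task flag the kernel sets on its own threads

@dataclass(frozen=True)
class ProcRecord:
    pid: int
    ppid: int
    comm: str             # /proc/<pid>/comm, at most 15 characters
    cmdline: str          # /proc/<pid>/cmdline with NULs turned into spaces
    exe: Optional[str]    # readlink of /proc/<pid>/exe, None when it fails
    flags: int            # field 9 of /proc/<pid>/stat

def parse_stat(text):
    """Parse /proc/<pid>/stat into (pid, comm, ppid, flags). comm is delimited
    by the last ')' because it may itself contain spaces or parentheses."""
    head, _, rest = text.rpartition(")")
    pid_str, _, comm = head.partition("(")
    fields = rest.split()   # state ppid pgrp session tty_nr tpgid flags ...
    return int(pid_str), comm, int(fields[1]), int(fields[6])

def displayed_name(rec):
    """What ps prints in COMMAND: the cmdline, or [comm] when cmdline is empty."""
    return rec.cmdline if rec.cmdline else f"[{rec.comm}]"

def is_masquerading_kthread(rec):
    """Bracketed display name without the kernel-thread flag."""
    name = displayed_name(rec)
    return name.startswith("[") and name.endswith("]") and not rec.flags & PF_KTHREAD

def find_masquerading(records):
    return sorted((r.pid, displayed_name(r), r.exe) for r in records
                  if is_masquerading_kthread(r))

def collect_from_proc():
    """Live collection on a Linux host; not used by the constructed sample."""
    out = []
    for d in os.listdir("/proc"):
        if not d.isdigit():
            continue
        try:
            with open(f"/proc/{d}/stat") as f:
                pid, comm, ppid, flags = parse_stat(f.read())
            with open(f"/proc/{d}/cmdline", "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").strip().decode(errors="replace")
            try:
                exe = os.readlink(f"/proc/{d}/exe")
            except OSError:
                exe = None
            out.append(ProcRecord(pid, ppid, comm, cmdline, exe, flags))
        except (OSError, ValueError):
            continue   # exited mid-walk, or not permitted to read
    return out

# Constructed records: two real kernel threads, init, and two impostors whose
# exe paths are invented for the example.
SAMPLE_PROCS = [
    ProcRecord(2, 0, "kthreadd", "", None, 0x00208040),
    ProcRecord(37, 2, "rpciod", "", None, 0x00208040),
    ProcRecord(1, 0, "systemd", "/sbin/init", "/usr/lib/systemd/systemd", 0x00400100),
    ProcRecord(2628, 1, "[atd]", "[atd]", "/tmp/.an/bssh", 0x00400100),   # renamed itself
    ProcRecord(2640, 1, "ntpd", "", "/tmp/.m2/ntpd", 0x00400100),         # wiped its argv
]
```

On a live host call find_masquerading(collect_from_proc()) as root; the exe path in each finding is the file to acquire, since the process name tells you nothing. Processes that exited between listdir and the reads are skipped rather than treated as errors.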
Processes
The list repeats one probe-and-cleanup block per sudo marker (.local_20654, .local_28289, .local_2149, .local_4503); within each block only the marker name changes. The host fingerprinting (uname -a, cat /proc/cpuinfo, cat /etc/issue) and the SSH auth-log reads appear once at the top, free -m and uptime are rerun before most blocks, and each block ends with pidof libexec.
/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/103b8404dc64c9a44511675981a09fd01395ee837452d114f1350c295357c046
[/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/103b8404dc64c9a44511675981a09fd01395ee837452d114f1350c295357c046]
/usr/bin/uname
[uname -a]
/usr/bin/cat
[cat /proc/cpuinfo]
/usr/bin/cat
[cat /etc/issue]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
/usr/bin/journalctl
[journalctl -S @0 -u sshd]
/usr/bin/cat
[cat /var/log/auth*]
/usr/bin/zcat
[zcat /var/log/auth*]
/usr/local/sbin/gzip
[gzip -cd /var/log/auth*]
/usr/local/bin/gzip
[gzip -cd /var/log/auth*]
/usr/sbin/gzip
[gzip -cd /var/log/auth*]
/usr/bin/gzip
[gzip -cd /var/log/auth*]
/bin/bash
[/bin/bash -]
/usr/bin/which
[which sudo]
/usr/bin/wc
[wc -l]
/usr/bin/sudo
[sudo -S touch .local_20654]
/usr/bin/touch
[touch .local_20654]
/usr/bin/grep
[grep -c root]
/usr/bin/ls
[ls -l .local_20654]
/usr/bin/sudo
[sudo rm .local_20654]
/usr/bin/rm
[rm .local_20654]
/usr/bin/sudo
[sudo ps auxff]
/usr/bin/grep
[grep ./crond -t=all]
/usr/bin/grep
[grep -v grep]
/usr/bin/awk
[awk { print $2 }]
/usr/bin/ps
[ps auxff]
/usr/bin/sudo
[sudo killall -9 bssh]
/usr/bin/killall
[killall -9 bssh]
/usr/bin/sudo
[sudo rm -rf /tmp/.an]
/usr/bin/rm
[rm -rf /tmp/.an]
/usr/bin/sudo
[sudo killall -9 xm64]
/usr/bin/killall
[killall -9 xm64]
/usr/bin/sudo
[sudo killall -9 rpc.idmapd]
/usr/bin/killall
[killall -9 rpc.idmapd]
/usr/bin/sudo
[sudo rm -rf /tmp/.m2]
/usr/bin/rm
[rm -rf /tmp/.m2]
/usr/bin/sudo
[sudo killall -9 xorgg]
/usr/bin/killall
[killall -9 xorgg]
/usr/bin/sudo
[sudo rm -rf /tmp/seconfig]
/usr/bin/rm
[rm -rf /tmp/seconfig]
/usr/bin/sudo
[sudo killall -9 crond64]
/usr/bin/killall
[killall -9 crond64]
/usr/bin/sudo
[sudo killall -9 tsm]
/usr/bin/killall
[killall -9 tsm]
/usr/bin/sudo
[sudo rm -rf /tmp/.ssh]
/usr/bin/rm
[rm -rf /tmp/.ssh]
/usr/bin/sudo
[sudo rm -rf /tmp/.java]
/usr/bin/rm
[rm -rf /tmp/.java]
/usr/bin/sudo
[sudo rm -rf /tmp/.iolanda]
/usr/bin/rm
[rm -rf /tmp/.iolanda]
/usr/bin/sudo
[sudo pkill test.mod]
/usr/bin/pkill
[pkill test.mod]
/usr/bin/sudo
[sudo pkill daemon.i686.mod]
/usr/bin/pkill
[pkill daemon.i686.mod]
/usr/bin/sudo
[sudo pkill daemon.armv4l.mod]
/usr/bin/pkill
[pkill daemon.armv4l.mod]
/usr/bin/sudo
[sudo pkill daemon.mips.mod]
/usr/bin/pkill
[pkill daemon.mips.mod]
/usr/bin/sudo
[sudo pkill daemon.mipsel.mod]
/usr/bin/pkill
[pkill daemon.mipsel.mod]
/usr/bin/sudo
[sudo rm -rf /tmp/.xs]
/usr/bin/rm
[rm -rf /tmp/.xs]
/usr/bin/sudo
[sudo pkill ld-linux-x86-64]
/usr/bin/pkill
[pkill ld-linux-x86-64]
/usr/bin/rm
[rm -rf /var/tmp/. *]
/usr/bin/sudo
[sudo ps auxf]
/usr/bin/grep
[grep xmr]
/usr/bin/grep
[grep -v grep]
/usr/bin/awk
[awk { print $2 }]
/usr/bin/ps
[ps auxf]
/usr/bin/sudo
[sudo ps auxf]
/usr/bin/grep
[grep cryptonight]
/usr/bin/grep
[grep -v grep]
/usr/bin/awk
[awk { print $2 }]
/usr/bin/ps
[ps auxf]
/usr/bin/sudo
[sudo ps auxf]
/usr/bin/grep
[grep stratum]
/usr/bin/grep
[grep -v grep]
/usr/bin/awk
[awk { print $2 }]
/usr/bin/ps
[ps auxf]
/usr/bin/sudo
[sudo ps auxf]
/usr/bin/grep
[grep dbus-daemon--system]
/usr/bin/grep
[grep -v grep]
/usr/bin/awk
[awk { print $2 }]
/usr/bin/ps
[ps auxf]
/usr/bin/sudo
[sudo ps auxf]
/usr/bin/grep
[grep \[\]]
/usr/bin/grep
[grep -v grep]
/usr/bin/awk
[awk { print $2 }]
/usr/bin/ps
[ps auxf]
/usr/bin/sudo
[sudo ps auxf]
/usr/bin/grep
[grep xm64]
/usr/bin/grep
[grep -v grep]
/usr/bin/awk
[awk { print $2 }]
/usr/bin/ps
[ps auxf]
/usr/bin/sudo
[sudo killall -9 [atd]]
/usr/bin/killall
[killall -9 [atd]]
/usr/bin/sudo
[sudo rm -rf /tmp/.jk]
/usr/bin/rm
[rm -rf /tmp/.jk]
/usr/bin/sudo
[sudo killall -9 [ntpd]]
/usr/bin/killall
[killall -9 [ntpd]]
/usr/bin/sudo
[sudo killall -9 [rpciod]]
/usr/bin/killall
[killall -9 [rpciod]]
/usr/bin/sudo
[sudo killall -9 [ext4-dio-unwrit]]
/usr/bin/killall
[killall -9 [ext4-dio-unwrit]]
/usr/bin/sudo
[sudo rm -rf /tmp/.xm*]
/usr/bin/rm
[rm -rf /tmp/.xm*]
/usr/bin/pidof
[pidof libexec]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
/bin/bash
[/bin/bash -]
/usr/bin/which
[which sudo]
/usr/bin/wc
[wc -l]
/usr/bin/sudo
[sudo -S touch .local_28289]
/usr/bin/touch
[touch .local_28289]
/usr/bin/grep
[grep -c root]
/usr/bin/ls
[ls -l .local_28289]
/usr/bin/sudo
[sudo rm .local_28289]
/usr/bin/rm
[rm .local_28289]
/usr/bin/sudo
[sudo ps auxff]
/usr/bin/grep
[grep ./crond -t=all]
/usr/bin/grep
[grep -v grep]
/usr/bin/awk
[awk { print $2 }]
/usr/bin/ps
[ps auxff]
/usr/bin/sudo
[sudo killall -9 bssh]
/usr/bin/killall
[killall -9 bssh]
/usr/bin/sudo
[sudo rm -rf /tmp/.an]
/usr/bin/rm
[rm -rf /tmp/.an]
/usr/bin/sudo
[sudo killall -9 xm64]
/usr/bin/killall
[killall -9 xm64]
/usr/bin/sudo
[sudo killall -9 rpc.idmapd]
/usr/bin/killall
[killall -9 rpc.idmapd]
/usr/bin/sudo
[sudo rm -rf /tmp/.m2]
/usr/bin/rm
[rm -rf /tmp/.m2]
/usr/bin/sudo
[sudo killall -9 xorgg]
/usr/bin/killall
[killall -9 xorgg]
/usr/bin/sudo
[sudo rm -rf /tmp/seconfig]
/usr/bin/rm
[rm -rf /tmp/seconfig]
/usr/bin/sudo
[sudo killall -9 crond64]
/usr/bin/killall
[killall -9 crond64]
/usr/bin/sudo
[sudo killall -9 tsm]
/usr/bin/killall
[killall -9 tsm]
/usr/bin/sudo
[sudo rm -rf /tmp/.ssh]
/usr/bin/rm
[rm -rf /tmp/.ssh]
/usr/bin/sudo
[sudo rm -rf /tmp/.java]
/usr/bin/rm
[rm -rf /tmp/.java]
/usr/bin/sudo
[sudo rm -rf /tmp/.iolanda]
/usr/bin/rm
[rm -rf /tmp/.iolanda]
/usr/bin/sudo
[sudo pkill test.mod]
/usr/bin/pkill
[pkill test.mod]
/usr/bin/sudo
[sudo pkill daemon.i686.mod]
/usr/bin/pkill
[pkill daemon.i686.mod]
/usr/bin/sudo
[sudo pkill daemon.armv4l.mod]
/usr/bin/pkill
[pkill daemon.armv4l.mod]
/usr/bin/sudo
[sudo pkill daemon.mips.mod]
/usr/bin/pkill
[pkill daemon.mips.mod]
/usr/bin/sudo
[sudo pkill daemon.mipsel.mod]
/usr/bin/pkill
[pkill daemon.mipsel.mod]
/usr/bin/sudo
[sudo rm -rf /tmp/.xs]
/usr/bin/rm
[rm -rf /tmp/.xs]
/usr/bin/sudo
[sudo pkill ld-linux-x86-64]
/usr/bin/pkill
[pkill ld-linux-x86-64]
/usr/bin/rm
[rm -rf /var/tmp/. *]
/usr/bin/sudo
[sudo ps auxf]
/usr/bin/grep
[grep xmr]
/usr/bin/grep
[grep -v grep]
/usr/bin/awk
[awk { print $2 }]
/usr/bin/ps
[ps auxf]
/usr/bin/sudo
[sudo ps auxf]
/usr/bin/grep
[grep cryptonight]
/usr/bin/grep
[grep -v grep]
/usr/bin/awk
[awk { print $2 }]
/usr/bin/ps
[ps auxf]
/usr/bin/sudo
[sudo ps auxf]
/usr/bin/grep
[grep stratum]
/usr/bin/grep
[grep -v grep]
/usr/bin/awk
[awk { print $2 }]
/usr/bin/ps
[ps auxf]
/usr/bin/sudo
[sudo ps auxf]
/usr/bin/grep
[grep dbus-daemon--system]
/usr/bin/grep
[grep -v grep]
/usr/bin/awk
[awk { print $2 }]
/usr/bin/ps
[ps auxf]
/usr/bin/sudo
[sudo ps auxf]
/usr/bin/grep
[grep \[\]]
/usr/bin/grep
[grep -v grep]
/usr/bin/awk
[awk { print $2 }]
/usr/bin/ps
[ps auxf]
/usr/bin/sudo
[sudo ps auxf]
/usr/bin/grep
[grep xm64]
/usr/bin/grep
[grep -v grep]
/usr/bin/awk
[awk { print $2 }]
/usr/bin/ps
[ps auxf]
/usr/bin/sudo
[sudo killall -9 [atd]]
/usr/bin/killall
[killall -9 [atd]]
/usr/bin/sudo
[sudo rm -rf /tmp/.jk]
/usr/bin/rm
[rm -rf /tmp/.jk]
/usr/bin/sudo
[sudo killall -9 [ntpd]]
/usr/bin/killall
[killall -9 [ntpd]]
/usr/bin/sudo
[sudo killall -9 [rpciod]]
/usr/bin/killall
[killall -9 [rpciod]]
/usr/bin/sudo
[sudo killall -9 [ext4-dio-unwrit]]
/usr/bin/killall
[killall -9 [ext4-dio-unwrit]]
/usr/bin/sudo
[sudo rm -rf /tmp/.xm*]
/usr/bin/rm
[rm -rf /tmp/.xm*]
/usr/bin/pidof
[pidof libexec]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
/bin/bash
[/bin/bash -]
/usr/bin/which
[which sudo]
/usr/bin/wc
[wc -l]
/usr/bin/sudo
[sudo -S touch .local_2149]
/usr/bin/touch
[touch .local_2149]
/usr/bin/ls
[ls -l .local_2149]
/usr/bin/grep
[grep -c root]
/usr/bin/sudo
[sudo rm .local_2149]
/usr/bin/rm
[rm .local_2149]
/usr/bin/sudo
[sudo ps auxff]
/usr/bin/grep
[grep ./crond -t=all]
/usr/bin/grep
[grep -v grep]
/usr/bin/awk
[awk { print $2 }]
/usr/bin/ps
[ps auxff]
/usr/bin/sudo
[sudo killall -9 bssh]
/usr/bin/killall
[killall -9 bssh]
/usr/bin/sudo
[sudo rm -rf /tmp/.an]
/usr/bin/rm
[rm -rf /tmp/.an]
/usr/bin/sudo
[sudo killall -9 xm64]
/usr/bin/killall
[killall -9 xm64]
/usr/bin/sudo
[sudo killall -9 rpc.idmapd]
/usr/bin/killall
[killall -9 rpc.idmapd]
/usr/bin/sudo
[sudo rm -rf /tmp/.m2]
/usr/bin/rm
[rm -rf /tmp/.m2]
/usr/bin/sudo
[sudo killall -9 xorgg]
/usr/bin/killall
[killall -9 xorgg]
/usr/bin/sudo
[sudo rm -rf /tmp/seconfig]
/usr/bin/rm
[rm -rf /tmp/seconfig]
/usr/bin/sudo
[sudo killall -9 crond64]
/usr/bin/killall
[killall -9 crond64]
/usr/bin/sudo
[sudo killall -9 tsm]
/usr/bin/killall
[killall -9 tsm]
/usr/bin/sudo
[sudo rm -rf /tmp/.ssh]
/usr/bin/rm
[rm -rf /tmp/.ssh]
/usr/bin/sudo
[sudo rm -rf /tmp/.java]
/usr/bin/rm
[rm -rf /tmp/.java]
/usr/bin/sudo
[sudo rm -rf /tmp/.iolanda]
/usr/bin/rm
[rm -rf /tmp/.iolanda]
/usr/bin/sudo
[sudo pkill test.mod]
/usr/bin/pkill
[pkill test.mod]
/usr/bin/sudo
[sudo pkill daemon.i686.mod]
/usr/bin/pkill
[pkill daemon.i686.mod]
/usr/bin/sudo
[sudo pkill daemon.armv4l.mod]
/usr/bin/pkill
[pkill daemon.armv4l.mod]
/usr/bin/sudo
[sudo pkill daemon.mips.mod]
/usr/bin/pkill
[pkill daemon.mips.mod]
/usr/bin/sudo
[sudo pkill daemon.mipsel.mod]
/usr/bin/pkill
[pkill daemon.mipsel.mod]
/usr/bin/sudo
[sudo rm -rf /tmp/.xs]
/usr/bin/rm
[rm -rf /tmp/.xs]
/usr/bin/sudo
[sudo pkill ld-linux-x86-64]
/usr/bin/pkill
[pkill ld-linux-x86-64]
/usr/bin/rm
[rm -rf /var/tmp/. *]
/usr/bin/sudo
[sudo ps auxf]
/usr/bin/grep
[grep xmr]
/usr/bin/grep
[grep -v grep]
/usr/bin/awk
[awk { print $2 }]
/usr/bin/ps
[ps auxf]
/usr/bin/sudo
[sudo ps auxf]
/usr/bin/grep
[grep cryptonight]
/usr/bin/grep
[grep -v grep]
/usr/bin/awk
[awk { print $2 }]
/usr/bin/ps
[ps auxf]
/usr/bin/sudo
[sudo ps auxf]
/usr/bin/grep
[grep stratum]
/usr/bin/grep
[grep -v grep]
/usr/bin/awk
[awk { print $2 }]
/usr/bin/ps
[ps auxf]
/usr/bin/sudo
[sudo ps auxf]
/usr/bin/grep
[grep dbus-daemon--system]
/usr/bin/grep
[grep -v grep]
/usr/bin/awk
[awk { print $2 }]
/usr/bin/ps
[ps auxf]
/usr/bin/sudo
[sudo ps auxf]
/usr/bin/grep
[grep -v grep]
/usr/bin/grep
[grep \[\]]
/usr/bin/awk
[awk { print $2 }]
/usr/bin/ps
[ps auxf]
/usr/bin/sudo
[sudo ps auxf]
/usr/bin/grep
[grep xm64]
/usr/bin/grep
[grep -v grep]
/usr/bin/awk
[awk { print $2 }]
/usr/bin/ps
[ps auxf]
/usr/bin/sudo
[sudo killall -9 [atd]]
/usr/bin/killall
[killall -9 [atd]]
/usr/bin/sudo
[sudo rm -rf /tmp/.jk]
/usr/bin/rm
[rm -rf /tmp/.jk]
/usr/bin/sudo
[sudo killall -9 [ntpd]]
/usr/bin/killall
[killall -9 [ntpd]]
/usr/bin/sudo
[sudo killall -9 [rpciod]]
/usr/bin/killall
[killall -9 [rpciod]]
/usr/bin/sudo
[sudo killall -9 [ext4-dio-unwrit]]
/usr/bin/killall
[killall -9 [ext4-dio-unwrit]]
/usr/bin/sudo
[sudo rm -rf /tmp/.xm*]
/usr/bin/rm
[rm -rf /tmp/.xm*]
/usr/bin/pidof
[pidof libexec]
/bin/bash
[/bin/bash -]
/usr/bin/which
[which sudo]
/usr/bin/wc
[wc -l]
/usr/bin/sudo
[sudo -S touch .local_4503]
/usr/bin/touch
[touch .local_4503]
/usr/bin/ls
[ls -l .local_4503]
/usr/bin/grep
[grep -c root]
/usr/bin/sudo
[sudo rm .local_4503]
/usr/bin/rm
[rm .local_4503]
/usr/bin/sudo
[sudo ps auxff]
/usr/bin/grep
[grep ./crond -t=all]
/usr/bin/awk
[awk { print $2 }]
/usr/bin/grep
[grep -v grep]
/usr/bin/ps
[ps auxff]
/usr/bin/sudo
[sudo killall -9 bssh]
/usr/bin/killall
[killall -9 bssh]
/usr/bin/sudo
[sudo rm -rf /tmp/.an]
/usr/bin/rm
[rm -rf /tmp/.an]
/usr/bin/sudo
[sudo killall -9 xm64]
/usr/bin/killall
[killall -9 xm64]
/usr/bin/sudo
[sudo killall -9 rpc.idmapd]
/usr/bin/killall
[killall -9 rpc.idmapd]
/usr/bin/sudo
[sudo rm -rf /tmp/.m2]
/usr/bin/rm
[rm -rf /tmp/.m2]
/usr/bin/sudo
[sudo killall -9 xorgg]
/usr/bin/killall
[killall -9 xorgg]
/usr/bin/sudo
[sudo rm -rf /tmp/seconfig]
/usr/bin/rm
[rm -rf /tmp/seconfig]
/usr/bin/sudo
[sudo killall -9 crond64]
/usr/bin/killall
[killall -9 crond64]
/usr/bin/sudo
[sudo killall -9 tsm]
/usr/bin/killall
[killall -9 tsm]
/usr/bin/sudo
[sudo rm -rf /tmp/.ssh]
/usr/bin/rm
[rm -rf /tmp/.ssh]
/usr/bin/sudo
[sudo rm -rf /tmp/.java]
/usr/bin/rm
[rm -rf /tmp/.java]
/usr/bin/sudo
[sudo rm -rf /tmp/.iolanda]
/usr/bin/rm
[rm -rf /tmp/.iolanda]
/usr/bin/sudo
[sudo pkill test.mod]
/usr/bin/pkill
[pkill test.mod]
/usr/bin/sudo
[sudo pkill daemon.i686.mod]
/usr/bin/pkill
[pkill daemon.i686.mod]
/usr/bin/sudo
[sudo pkill daemon.armv4l.mod]
/usr/bin/pkill
[pkill daemon.armv4l.mod]
/usr/bin/sudo
[sudo pkill daemon.mips.mod]
/usr/bin/pkill
[pkill daemon.mips.mod]
/usr/bin/sudo
[sudo pkill daemon.mipsel.mod]
/usr/bin/pkill
[pkill daemon.mipsel.mod]
/usr/bin/sudo
[sudo rm -rf /tmp/.xs]
/usr/bin/rm
[rm -rf /tmp/.xs]
/usr/bin/sudo
[sudo pkill ld-linux-x86-64]
/usr/bin/pkill
[pkill ld-linux-x86-64]
/usr/bin/rm
[rm -rf /var/tmp/. *]
/usr/bin/sudo
[sudo ps auxf]
/usr/bin/grep
[grep xmr]
/usr/bin/grep
[grep -v grep]
/usr/bin/awk
[awk { print $2 }]
/usr/bin/ps
[ps auxf]
/usr/bin/sudo
[sudo ps auxf]
/usr/bin/grep
[grep cryptonight]
/usr/bin/grep
[grep -v grep]
/usr/bin/awk
[awk { print $2 }]
/usr/bin/ps
[ps auxf]
/usr/bin/sudo
[sudo ps auxf]
/usr/bin/grep
[grep stratum]
/usr/bin/grep
[grep -v grep]
/usr/bin/awk
[awk { print $2 }]
/usr/bin/ps
[ps auxf]
/usr/bin/sudo
[sudo ps auxf]
/usr/bin/grep
[grep dbus-daemon--system]
/usr/bin/grep
[grep -v grep]
/usr/bin/awk
[awk { print $2 }]
/usr/bin/ps
[ps auxf]
/usr/bin/sudo
[sudo ps auxf]
/usr/bin/grep
[grep \[\]]
/usr/bin/grep
[grep -v grep]
/usr/bin/awk
[awk { print $2 }]
/usr/bin/ps
[ps auxf]
/usr/bin/sudo
[sudo ps auxf]
/usr/bin/grep
[grep xm64]
/usr/bin/grep
[grep -v grep]
/usr/bin/awk
[awk { print $2 }]
/usr/bin/ps
[ps auxf]
/usr/bin/sudo
[sudo killall -9 [atd]]
/usr/bin/killall
[killall -9 [atd]]
/usr/bin/sudo
[sudo rm -rf /tmp/.jk]
/usr/bin/rm
[rm -rf /tmp/.jk]
/usr/bin/sudo
[sudo killall -9 [ntpd]]
/usr/bin/killall
[killall -9 [ntpd]]
/usr/bin/sudo
[sudo killall -9 [rpciod]]
/usr/bin/killall
[killall -9 [rpciod]]
/usr/bin/sudo
[sudo killall -9 [ext4-dio-unwrit]]
/usr/bin/killall
[killall -9 [ext4-dio-unwrit]]
/usr/bin/sudo
[sudo rm -rf /tmp/.xm*]
/usr/bin/rm
[rm -rf /tmp/.xm*]
/usr/bin/pidof
[pidof libexec]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
/bin/bash
[/bin/bash -]
/usr/bin/which
[which sudo]
/usr/bin/wc
[wc -l]
/usr/bin/sudo
[sudo -S touch .local_24732]
/usr/bin/touch
[touch .local_24732]
/usr/bin/ls
[ls -l .local_24732]
/usr/bin/grep
[grep -c root]
/usr/bin/sudo
[sudo rm .local_24732]
/usr/bin/rm
[rm .local_24732]
/usr/bin/sudo
[sudo ps auxff]
/usr/bin/grep
[grep ./crond -t=all]
/usr/bin/grep
[grep -v grep]
/usr/bin/awk
[awk { print $2 }]
/usr/bin/ps
[ps auxff]
/usr/bin/sudo
[sudo killall -9 bssh]
/usr/bin/killall
[killall -9 bssh]
/usr/bin/sudo
[sudo rm -rf /tmp/.an]
/usr/bin/rm
[rm -rf /tmp/.an]
/usr/bin/sudo
[sudo killall -9 xm64]
/usr/bin/killall
[killall -9 xm64]
/usr/bin/sudo
[sudo killall -9 rpc.idmapd]
/usr/bin/killall
[killall -9 rpc.idmapd]
/usr/bin/sudo
[sudo rm -rf /tmp/.m2]
/usr/bin/rm
[rm -rf /tmp/.m2]
/usr/bin/sudo
[sudo killall -9 xorgg]
/usr/bin/killall
[killall -9 xorgg]
/usr/bin/sudo
[sudo rm -rf /tmp/seconfig]
/usr/bin/rm
[rm -rf /tmp/seconfig]
/usr/bin/sudo
[sudo killall -9 crond64]
/usr/bin/killall
[killall -9 crond64]
/usr/bin/sudo
[sudo killall -9 tsm]
/usr/bin/killall
[killall -9 tsm]
/usr/bin/sudo
[sudo rm -rf /tmp/.ssh]
/usr/bin/rm
[rm -rf /tmp/.ssh]
/usr/bin/sudo
[sudo rm -rf /tmp/.java]
/usr/bin/rm
[rm -rf /tmp/.java]
/usr/bin/sudo
[sudo rm -rf /tmp/.iolanda]
/usr/bin/rm
[rm -rf /tmp/.iolanda]
/usr/bin/sudo
[sudo pkill test.mod]
/usr/bin/pkill
[pkill test.mod]
/usr/bin/sudo
[sudo pkill daemon.i686.mod]
/usr/bin/pkill
[pkill daemon.i686.mod]
/usr/bin/sudo
[sudo pkill daemon.armv4l.mod]
/usr/bin/pkill
[pkill daemon.armv4l.mod]
/usr/bin/sudo
[sudo pkill daemon.mips.mod]
/usr/bin/pkill
[pkill daemon.mips.mod]
/usr/bin/sudo
[sudo pkill daemon.mipsel.mod]
/usr/bin/pkill
[pkill daemon.mipsel.mod]
/usr/bin/sudo
[sudo rm -rf /tmp/.xs]
/usr/bin/rm
[rm -rf /tmp/.xs]
/usr/bin/sudo
[sudo pkill ld-linux-x86-64]
/usr/bin/pkill
[pkill ld-linux-x86-64]
/usr/bin/rm
[rm -rf /var/tmp/. *]
/usr/bin/sudo
[sudo ps auxf]
/usr/bin/grep
[grep xmr]
/usr/bin/grep
[grep -v grep]
/usr/bin/awk
[awk { print $2 }]
/usr/bin/ps
[ps auxf]
/usr/bin/sudo
[sudo ps auxf]
/usr/bin/grep
[grep cryptonight]
/usr/bin/grep
[grep -v grep]
/usr/bin/awk
[awk { print $2 }]
/usr/bin/ps
[ps auxf]
/usr/bin/sudo
[sudo ps auxf]
/usr/bin/grep
[grep stratum]
/usr/bin/grep
[grep -v grep]
/usr/bin/awk
[awk { print $2 }]
/usr/bin/ps
[ps auxf]
/usr/bin/sudo
[sudo ps auxf]
/usr/bin/grep
[grep dbus-daemon--system]
/usr/bin/grep
[grep -v grep]
/usr/bin/awk
[awk { print $2 }]
/usr/bin/ps
[ps auxf]
/usr/bin/sudo
[sudo ps auxf]
/usr/bin/grep
[grep \[\]]
/usr/bin/grep
[grep -v grep]
/usr/bin/awk
[awk { print $2 }]
/usr/bin/ps
[ps auxf]
/usr/bin/sudo
[sudo ps auxf]
/usr/bin/grep
[grep xm64]
/usr/bin/grep
[grep -v grep]
/usr/bin/awk
[awk { print $2 }]
/usr/bin/ps
[ps auxf]
/usr/bin/sudo
[sudo killall -9 [atd]]
/usr/bin/killall
[killall -9 [atd]]
/usr/bin/sudo
[sudo rm -rf /tmp/.jk]
/usr/bin/rm
[rm -rf /tmp/.jk]
/usr/bin/sudo
[sudo killall -9 [ntpd]]
/usr/bin/killall
[killall -9 [ntpd]]
/usr/bin/sudo
[sudo killall -9 [rpciod]]
/usr/bin/killall
[killall -9 [rpciod]]
/usr/bin/sudo
[sudo killall -9 [ext4-dio-unwrit]]
/usr/bin/killall
[killall -9 [ext4-dio-unwrit]]
/usr/bin/sudo
[sudo rm -rf /tmp/.xm*]
/usr/bin/rm
[rm -rf /tmp/.xm*]
/usr/bin/pidof
[pidof libexec]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
/bin/bash
[/bin/bash -]
/usr/bin/which
[which sudo]
/usr/bin/wc
[wc -l]
/usr/bin/sudo
[sudo -S touch .local_15039]
/usr/bin/touch
[touch .local_15039]
/usr/bin/ls
[ls -l .local_15039]
/usr/bin/grep
[grep -c root]
/usr/bin/sudo
[sudo rm .local_15039]
/usr/bin/rm
[rm .local_15039]
/usr/bin/sudo
[sudo ps auxff]
/usr/bin/grep
[grep ./crond -t=all]
/usr/bin/grep
[grep -v grep]
/usr/bin/awk
[awk { print $2 }]
/usr/bin/ps
[ps auxff]
/usr/bin/sudo
[sudo killall -9 bssh]
/usr/bin/killall
[killall -9 bssh]
/usr/bin/sudo
[sudo rm -rf /tmp/.an]
/usr/bin/rm
[rm -rf /tmp/.an]
/usr/bin/sudo
[sudo killall -9 xm64]
/usr/bin/killall
[killall -9 xm64]
/usr/bin/sudo
[sudo killall -9 rpc.idmapd]
/usr/bin/killall
[killall -9 rpc.idmapd]
/usr/bin/sudo
[sudo rm -rf /tmp/.m2]
/usr/bin/rm
[rm -rf /tmp/.m2]
/usr/bin/sudo
[sudo killall -9 xorgg]
/usr/bin/killall
[killall -9 xorgg]
/usr/bin/sudo
[sudo rm -rf /tmp/seconfig]
/usr/bin/rm
[rm -rf /tmp/seconfig]
/usr/bin/sudo
[sudo killall -9 crond64]
/usr/bin/killall
[killall -9 crond64]
/usr/bin/sudo
[sudo killall -9 tsm]
/usr/bin/killall
[killall -9 tsm]
/usr/bin/sudo
[sudo rm -rf /tmp/.ssh]
/usr/bin/rm
[rm -rf /tmp/.ssh]
/usr/bin/sudo
[sudo rm -rf /tmp/.java]
/usr/bin/rm
[rm -rf /tmp/.java]
/usr/bin/sudo
[sudo rm -rf /tmp/.iolanda]
/usr/bin/rm
[rm -rf /tmp/.iolanda]
/usr/bin/sudo
[sudo pkill test.mod]
/usr/bin/pkill
[pkill test.mod]
/usr/bin/sudo
[sudo pkill daemon.i686.mod]
/usr/bin/pkill
[pkill daemon.i686.mod]
/usr/bin/sudo
[sudo pkill daemon.armv4l.mod]
/usr/bin/pkill
[pkill daemon.armv4l.mod]
/usr/bin/sudo
[sudo pkill daemon.mips.mod]
/usr/bin/pkill
[pkill daemon.mips.mod]
/usr/bin/sudo
[sudo pkill daemon.mipsel.mod]
/usr/bin/pkill
[pkill daemon.mipsel.mod]
/usr/bin/sudo
[sudo rm -rf /tmp/.xs]
/usr/bin/rm
[rm -rf /tmp/.xs]
/usr/bin/sudo
[sudo pkill ld-linux-x86-64]
/usr/bin/pkill
[pkill ld-linux-x86-64]
/usr/bin/rm
[rm -rf /var/tmp/. *]
/usr/bin/sudo
[sudo ps auxf]
/usr/bin/grep
[grep xmr]
/usr/bin/grep
[grep -v grep]
/usr/bin/awk
[awk { print $2 }]
/usr/bin/ps
[ps auxf]
/usr/bin/sudo
[sudo ps auxf]
/usr/bin/grep
[grep cryptonight]
/usr/bin/grep
[grep -v grep]
/usr/bin/awk
[awk { print $2 }]
/usr/bin/ps
[ps auxf]
/usr/bin/sudo
[sudo ps auxf]
/usr/bin/grep
[grep stratum]
/usr/bin/grep
[grep -v grep]
/usr/bin/awk
[awk { print $2 }]
/usr/bin/ps
[ps auxf]
/usr/bin/sudo
[sudo ps auxf]
/usr/bin/grep
[grep dbus-daemon--system]
/usr/bin/grep
[grep -v grep]
/usr/bin/awk
[awk { print $2 }]
/usr/bin/ps
[ps auxf]
/usr/bin/sudo
[sudo ps auxf]
/usr/bin/grep
[grep \[\]]
/usr/bin/grep
[grep -v grep]
/usr/bin/awk
[awk { print $2 }]
/usr/bin/ps
[ps auxf]
/usr/bin/sudo
[sudo ps auxf]
/usr/bin/grep
[grep xm64]
/usr/bin/grep
[grep -v grep]
/usr/bin/awk
[awk { print $2 }]
/usr/bin/ps
[ps auxf]
/usr/bin/sudo
[sudo killall -9 [atd]]
/usr/bin/killall
[killall -9 [atd]]
/usr/bin/sudo
[sudo rm -rf /tmp/.jk]
/usr/bin/rm
[rm -rf /tmp/.jk]
/usr/bin/sudo
[sudo killall -9 [ntpd]]
/usr/bin/killall
[killall -9 [ntpd]]
/usr/bin/sudo
[sudo killall -9 [rpciod]]
/usr/bin/killall
[killall -9 [rpciod]]
/usr/bin/sudo
[sudo killall -9 [ext4-dio-unwrit]]
/usr/bin/killall
[killall -9 [ext4-dio-unwrit]]
/usr/bin/sudo
[sudo rm -rf /tmp/.xm*]
/usr/bin/rm
[rm -rf /tmp/.xm*]
/usr/bin/pidof
[pidof libexec]
/bin/bash
[/bin/bash -]
/usr/bin/which
[which sudo]
/usr/bin/wc
[wc -l]
/usr/bin/sudo
[sudo -S touch .local_9750]
/usr/bin/touch
[touch .local_9750]
/usr/bin/ls
[ls -l .local_9750]
/usr/bin/grep
[grep -c root]
/usr/bin/sudo
[sudo rm .local_9750]
/usr/bin/rm
[rm .local_9750]
/usr/bin/sudo
[sudo ps auxff]
/usr/bin/grep
[grep ./crond -t=all]
/usr/bin/grep
[grep -v grep]
/usr/bin/awk
[awk { print $2 }]
/usr/bin/ps
[ps auxff]
/usr/bin/sudo
[sudo killall -9 bssh]
/usr/bin/killall
[killall -9 bssh]
/usr/bin/sudo
[sudo rm -rf /tmp/.an]
/usr/bin/rm
[rm -rf /tmp/.an]
/usr/bin/sudo
[sudo killall -9 xm64]
/usr/bin/killall
[killall -9 xm64]
/usr/bin/sudo
[sudo killall -9 rpc.idmapd]
/usr/bin/killall
[killall -9 rpc.idmapd]
/usr/bin/sudo
[sudo rm -rf /tmp/.m2]
/usr/bin/rm
[rm -rf /tmp/.m2]
/usr/bin/sudo
[sudo killall -9 xorgg]
/usr/bin/killall
[killall -9 xorgg]
/usr/bin/sudo
[sudo rm -rf /tmp/seconfig]
/usr/bin/rm
[rm -rf /tmp/seconfig]
/usr/bin/sudo
[sudo killall -9 crond64]
/usr/bin/killall
[killall -9 crond64]
/usr/bin/sudo
[sudo killall -9 tsm]
/usr/bin/killall
[killall -9 tsm]
/usr/bin/sudo
[sudo rm -rf /tmp/.ssh]
/usr/bin/rm
[rm -rf /tmp/.ssh]
/usr/bin/sudo
[sudo rm -rf /tmp/.java]
/usr/bin/rm
[rm -rf /tmp/.java]
/usr/bin/sudo
[sudo rm -rf /tmp/.iolanda]
/usr/bin/rm
[rm -rf /tmp/.iolanda]
/usr/bin/sudo
[sudo pkill test.mod]
/usr/bin/pkill
[pkill test.mod]
/usr/bin/sudo
[sudo pkill daemon.i686.mod]
/usr/bin/pkill
[pkill daemon.i686.mod]
/usr/bin/sudo
[sudo pkill daemon.armv4l.mod]
/usr/bin/pkill
[pkill daemon.armv4l.mod]
/usr/bin/sudo
[sudo pkill daemon.mips.mod]
/usr/bin/pkill
[pkill daemon.mips.mod]
/usr/bin/sudo
[sudo pkill daemon.mipsel.mod]
/usr/bin/pkill
[pkill daemon.mipsel.mod]
/usr/bin/sudo
[sudo rm -rf /tmp/.xs]
/usr/bin/rm
[rm -rf /tmp/.xs]
/usr/bin/sudo
[sudo pkill ld-linux-x86-64]
/usr/bin/pkill
[pkill ld-linux-x86-64]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
/usr/bin/rm
[rm -rf /var/tmp/. *]
/usr/bin/sudo
[sudo ps auxf]
/usr/bin/grep
[grep xmr]
/usr/bin/grep
[grep -v grep]
/usr/bin/awk
[awk { print $2 }]
/usr/bin/ps
[ps auxf]
/usr/bin/sudo
[sudo ps auxf]
/usr/bin/grep
[grep cryptonight]
/usr/bin/grep
[grep -v grep]
/usr/bin/awk
[awk { print $2 }]
/usr/bin/ps
[ps auxf]
/usr/bin/sudo
[sudo ps auxf]
/usr/bin/grep
[grep -v grep]
/usr/bin/awk
[awk { print $2 }]
/usr/bin/grep
[grep stratum]
/usr/bin/ps
[ps auxf]
/usr/bin/sudo
[sudo ps auxf]
/usr/bin/grep
[grep dbus-daemon--system]
/usr/bin/grep
[grep -v grep]
/usr/bin/awk
[awk { print $2 }]
/usr/bin/ps
[ps auxf]
/usr/bin/sudo
[sudo ps auxf]
/usr/bin/grep
[grep \[\]]
/usr/bin/grep
[grep -v grep]
/usr/bin/awk
[awk { print $2 }]
/usr/bin/ps
[ps auxf]
/usr/bin/sudo
[sudo ps auxf]
/usr/bin/grep
[grep xm64]
/usr/bin/grep
[grep -v grep]
/usr/bin/awk
[awk { print $2 }]
/usr/bin/ps
[ps auxf]
/usr/bin/sudo
[sudo killall -9 [atd]]
/usr/bin/killall
[killall -9 [atd]]
/usr/bin/sudo
[sudo rm -rf /tmp/.jk]
/usr/bin/rm
[rm -rf /tmp/.jk]
/usr/bin/sudo
[sudo killall -9 [ntpd]]
/usr/bin/killall
[killall -9 [ntpd]]
/usr/bin/sudo
[sudo killall -9 [rpciod]]
/usr/bin/killall
[killall -9 [rpciod]]
/usr/bin/sudo
[sudo killall -9 [ext4-dio-unwrit]]
/usr/bin/killall
[killall -9 [ext4-dio-unwrit]]
/usr/bin/sudo
[sudo rm -rf /tmp/.xm*]
/usr/bin/rm
[rm -rf /tmp/.xm*]
/usr/bin/pidof
[pidof libexec]
/bin/bash
[/bin/bash -]
/usr/bin/wc
[wc -l]
/usr/bin/which
[which sudo]
/usr/bin/sudo
[sudo -S touch .local_7509]
/usr/bin/touch
[touch .local_7509]
/usr/bin/ls
[ls -l .local_7509]
/usr/bin/grep
[grep -c root]
/usr/bin/sudo
[sudo rm .local_7509]
/usr/bin/rm
[rm .local_7509]
/usr/bin/sudo
[sudo ps auxff]
/usr/bin/grep
[grep ./crond -t=all]
/usr/bin/grep
[grep -v grep]
/usr/bin/awk
[awk { print $2 }]
/usr/bin/ps
[ps auxff]
/usr/bin/sudo
[sudo killall -9 bssh]
/usr/bin/killall
[killall -9 bssh]
/usr/bin/sudo
[sudo rm -rf /tmp/.an]
/usr/bin/rm
[rm -rf /tmp/.an]
/usr/bin/sudo
[sudo killall -9 xm64]
/usr/bin/killall
[killall -9 xm64]
/usr/bin/sudo
[sudo killall -9 rpc.idmapd]
/usr/bin/killall
[killall -9 rpc.idmapd]
/usr/bin/sudo
[sudo rm -rf /tmp/.m2]
/usr/bin/rm
[rm -rf /tmp/.m2]
/usr/bin/sudo
[sudo killall -9 xorgg]
/usr/bin/killall
[killall -9 xorgg]
/usr/bin/sudo
[sudo rm -rf /tmp/seconfig]
/usr/bin/rm
[rm -rf /tmp/seconfig]
/usr/bin/sudo
[sudo killall -9 crond64]
/usr/bin/killall
[killall -9 crond64]
/usr/bin/sudo
[sudo killall -9 tsm]
/usr/bin/killall
[killall -9 tsm]
/usr/bin/sudo
[sudo rm -rf /tmp/.ssh]
/usr/bin/rm
[rm -rf /tmp/.ssh]
/usr/bin/sudo
[sudo rm -rf /tmp/.java]
/usr/bin/rm
[rm -rf /tmp/.java]
/usr/bin/sudo
[sudo rm -rf /tmp/.iolanda]
/usr/bin/rm
[rm -rf /tmp/.iolanda]
/usr/bin/sudo
[sudo pkill test.mod]
/usr/bin/pkill
[pkill test.mod]
/usr/bin/sudo
[sudo pkill daemon.i686.mod]
/usr/bin/pkill
[pkill daemon.i686.mod]
/usr/bin/sudo
[sudo pkill daemon.armv4l.mod]
/usr/bin/pkill
[pkill daemon.armv4l.mod]
/usr/bin/sudo
[sudo pkill daemon.mips.mod]
/usr/bin/pkill
[pkill daemon.mips.mod]
/usr/bin/sudo
[sudo pkill daemon.mipsel.mod]
/usr/bin/pkill
[pkill daemon.mipsel.mod]
/usr/bin/sudo
[sudo rm -rf /tmp/.xs]
/usr/bin/rm
[rm -rf /tmp/.xs]
/usr/bin/sudo
[sudo pkill ld-linux-x86-64]
/usr/bin/pkill
[pkill ld-linux-x86-64]
/usr/bin/rm
[rm -rf /var/tmp/. *]
/usr/bin/sudo
[sudo ps auxf]
/usr/bin/grep
[grep xmr]
/usr/bin/grep
[grep -v grep]
/usr/bin/awk
[awk { print $2 }]
/usr/bin/ps
[ps auxf]
/usr/bin/sudo
[sudo ps auxf]
/usr/bin/grep
[grep cryptonight]
/usr/bin/grep
[grep -v grep]
/usr/bin/awk
[awk { print $2 }]
/usr/bin/ps
[ps auxf]
/usr/bin/sudo
[sudo ps auxf]
/usr/bin/grep
[grep stratum]
/usr/bin/grep
[grep -v grep]
/usr/bin/awk
[awk { print $2 }]
/usr/bin/ps
[ps auxf]
/usr/bin/sudo
[sudo ps auxf]
/usr/bin/grep
[grep dbus-daemon--system]
/usr/bin/grep
[grep -v grep]
/usr/bin/awk
[awk { print $2 }]
/usr/bin/ps
[ps auxf]
/usr/bin/sudo
[sudo ps auxf]
/usr/bin/grep
[grep \[\]]
/usr/bin/grep
[grep -v grep]
/usr/bin/awk
[awk { print $2 }]
/usr/bin/ps
[ps auxf]
/usr/bin/sudo
[sudo ps auxf]
/usr/bin/grep
[grep xm64]
/usr/bin/grep
[grep -v grep]
/usr/bin/awk
[awk { print $2 }]
/usr/bin/ps
[ps auxf]
/usr/bin/sudo
[sudo killall -9 [atd]]
/usr/bin/killall
[killall -9 [atd]]
/usr/bin/sudo
[sudo rm -rf /tmp/.jk]
/usr/bin/rm
[rm -rf /tmp/.jk]
/usr/bin/sudo
[sudo killall -9 [ntpd]]
/usr/bin/killall
[killall -9 [ntpd]]
/usr/bin/sudo
[sudo killall -9 [rpciod]]
/usr/bin/killall
[killall -9 [rpciod]]
/usr/bin/sudo
[sudo killall -9 [ext4-dio-unwrit]]
/usr/bin/killall
[killall -9 [ext4-dio-unwrit]]
/usr/bin/sudo
[sudo rm -rf /tmp/.xm*]
/usr/bin/rm
[rm -rf /tmp/.xm*]
/usr/bin/pidof
[pidof libexec]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
/bin/bash
[/bin/bash -]
/usr/bin/which
[which sudo]
/usr/bin/wc
[wc -l]
/usr/bin/sudo
[sudo -S touch .local_24420]
/usr/bin/touch
[touch .local_24420]
/usr/bin/ls
[ls -l .local_24420]
/usr/bin/grep
[grep -c root]
/usr/bin/sudo
[sudo rm .local_24420]
/usr/bin/rm
[rm .local_24420]
/usr/bin/sudo
[sudo ps auxff]
/usr/bin/grep
[grep ./crond -t=all]
/usr/bin/grep
[grep -v grep]
/usr/bin/awk
[awk { print $2 }]
/usr/bin/ps
[ps auxff]
/usr/bin/sudo
[sudo killall -9 bssh]
/usr/bin/killall
[killall -9 bssh]
/usr/bin/sudo
[sudo rm -rf /tmp/.an]
/usr/bin/rm
[rm -rf /tmp/.an]
/usr/bin/sudo
[sudo killall -9 xm64]
/usr/bin/killall
[killall -9 xm64]
/usr/bin/sudo
[sudo killall -9 rpc.idmapd]
/usr/bin/killall
[killall -9 rpc.idmapd]
/usr/bin/sudo
[sudo rm -rf /tmp/.m2]
/usr/bin/rm
[rm -rf /tmp/.m2]
/usr/bin/sudo
[sudo killall -9 xorgg]
/usr/bin/killall
[killall -9 xorgg]
/usr/bin/sudo
[sudo rm -rf /tmp/seconfig]
/usr/bin/rm
[rm -rf /tmp/seconfig]
/usr/bin/sudo
[sudo killall -9 crond64]
/usr/bin/killall
[killall -9 crond64]
/usr/bin/sudo
[sudo killall -9 tsm]
/usr/bin/killall
[killall -9 tsm]
/usr/bin/sudo
[sudo rm -rf /tmp/.ssh]
/usr/bin/rm
[rm -rf /tmp/.ssh]
/usr/bin/sudo
[sudo rm -rf /tmp/.java]
/usr/bin/rm
[rm -rf /tmp/.java]
/usr/bin/sudo
[sudo rm -rf /tmp/.iolanda]
/usr/bin/rm
[rm -rf /tmp/.iolanda]
/usr/bin/sudo
[sudo pkill test.mod]
/usr/bin/pkill
[pkill test.mod]
/usr/bin/sudo
[sudo pkill daemon.i686.mod]
/usr/bin/pkill
[pkill daemon.i686.mod]
/usr/bin/sudo
[sudo pkill daemon.armv4l.mod]
/usr/bin/pkill
[pkill daemon.armv4l.mod]
/usr/bin/sudo
[sudo pkill daemon.mips.mod]
/usr/bin/pkill
[pkill daemon.mips.mod]
/usr/bin/sudo
[sudo pkill daemon.mipsel.mod]
/usr/bin/pkill
[pkill daemon.mipsel.mod]
/usr/bin/sudo
[sudo rm -rf /tmp/.xs]
/usr/bin/rm
[rm -rf /tmp/.xs]
/usr/bin/sudo
[sudo pkill ld-linux-x86-64]
/usr/bin/pkill
[pkill ld-linux-x86-64]
/usr/bin/rm
[rm -rf /var/tmp/. *]
/usr/bin/sudo
[sudo ps auxf]
/usr/bin/grep
[grep xmr]
/usr/bin/grep
[grep -v grep]
/usr/bin/awk
[awk { print $2 }]
/usr/bin/ps
[ps auxf]
/usr/bin/sudo
[sudo ps auxf]
/usr/bin/grep
[grep cryptonight]
/usr/bin/grep
[grep -v grep]
/usr/bin/awk
[awk { print $2 }]
/usr/bin/ps
[ps auxf]
/usr/bin/sudo
[sudo ps auxf]
/usr/bin/grep
[grep stratum]
/usr/bin/grep
[grep -v grep]
/usr/bin/awk
[awk { print $2 }]
/usr/bin/ps
[ps auxf]
/usr/bin/sudo
[sudo ps auxf]
/usr/bin/grep
[grep dbus-daemon--system]
/usr/bin/grep
[grep -v grep]
/usr/bin/awk
[awk { print $2 }]
/usr/bin/ps
[ps auxf]
/usr/bin/sudo
[sudo ps auxf]
/usr/bin/grep
[grep \[\]]
/usr/bin/grep
[grep -v grep]
/usr/bin/awk
[awk { print $2 }]
/usr/bin/ps
[ps auxf]
/usr/bin/sudo
[sudo ps auxf]
/usr/bin/grep
[grep xm64]
/usr/bin/grep
[grep -v grep]
/usr/bin/awk
[awk { print $2 }]
/usr/bin/ps
[ps auxf]
/usr/bin/sudo
[sudo killall -9 [atd]]
/usr/bin/killall
[killall -9 [atd]]
/usr/bin/sudo
[sudo rm -rf /tmp/.jk]
/usr/bin/rm
[rm -rf /tmp/.jk]
/usr/bin/sudo
[sudo killall -9 [ntpd]]
/usr/bin/killall
[killall -9 [ntpd]]
/usr/bin/sudo
[sudo killall -9 [rpciod]]
/usr/bin/killall
[killall -9 [rpciod]]
/usr/bin/sudo
[sudo killall -9 [ext4-dio-unwrit]]
/usr/bin/killall
[killall -9 [ext4-dio-unwrit]]
/usr/bin/sudo
[sudo rm -rf /tmp/.xm*]
/usr/bin/rm
[rm -rf /tmp/.xm*]
/usr/bin/pidof
[pidof libexec]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
/bin/bash
[/bin/bash -]
/usr/bin/wc
[wc -l]
/usr/bin/which
[which sudo]
/usr/bin/sudo
[sudo -S touch .local_10129]
/usr/bin/touch
[touch .local_10129]
/usr/bin/ls
[ls -l .local_10129]
/usr/bin/grep
[grep -c root]
/usr/bin/sudo
[sudo rm .local_10129]
/usr/bin/rm
[rm .local_10129]
/usr/bin/sudo
[sudo ps auxff]
/usr/bin/grep
[grep ./crond -t=all]
/usr/bin/grep
[grep -v grep]
/usr/bin/awk
[awk { print $2 }]
/usr/bin/ps
[ps auxff]
/usr/bin/sudo
[sudo killall -9 bssh]
/usr/bin/killall
[killall -9 bssh]
/usr/bin/sudo
[sudo rm -rf /tmp/.an]
/usr/bin/rm
[rm -rf /tmp/.an]
/usr/bin/sudo
[sudo killall -9 xm64]
/usr/bin/killall
[killall -9 xm64]
/usr/bin/sudo
[sudo killall -9 rpc.idmapd]
/usr/bin/killall
[killall -9 rpc.idmapd]
/usr/bin/sudo
[sudo rm -rf /tmp/.m2]
/usr/bin/rm
[rm -rf /tmp/.m2]
/usr/bin/sudo
[sudo killall -9 xorgg]
/usr/bin/killall
[killall -9 xorgg]
/usr/bin/sudo
[sudo rm -rf /tmp/seconfig]
/usr/bin/rm
[rm -rf /tmp/seconfig]
/usr/bin/sudo
[sudo killall -9 crond64]
/usr/bin/killall
[killall -9 crond64]
/usr/bin/sudo
[sudo killall -9 tsm]
/usr/bin/killall
[killall -9 tsm]
/usr/bin/sudo
[sudo rm -rf /tmp/.ssh]
/usr/bin/rm
[rm -rf /tmp/.ssh]
/usr/bin/sudo
[sudo rm -rf /tmp/.java]
/usr/bin/rm
[rm -rf /tmp/.java]
/usr/bin/sudo
[sudo rm -rf /tmp/.iolanda]
/usr/bin/rm
[rm -rf /tmp/.iolanda]
/usr/bin/sudo
[sudo pkill test.mod]
/usr/bin/pkill
[pkill test.mod]
/usr/bin/sudo
[sudo pkill daemon.i686.mod]
/usr/bin/pkill
[pkill daemon.i686.mod]
/usr/bin/sudo
[sudo pkill daemon.armv4l.mod]
/usr/bin/pkill
[pkill daemon.armv4l.mod]
/usr/bin/sudo
[sudo pkill daemon.mips.mod]
/usr/bin/pkill
[pkill daemon.mips.mod]
/usr/bin/sudo
[sudo pkill daemon.mipsel.mod]
/usr/bin/pkill
[pkill daemon.mipsel.mod]
/usr/bin/sudo
[sudo rm -rf /tmp/.xs]
/usr/bin/rm
[rm -rf /tmp/.xs]
/usr/bin/sudo
[sudo pkill ld-linux-x86-64]
/usr/bin/pkill
[pkill ld-linux-x86-64]
/usr/bin/rm
[rm -rf /var/tmp/. *]
/usr/bin/sudo
[sudo ps auxf]
/usr/bin/grep
[grep xmr]
/usr/bin/grep
[grep -v grep]
/usr/bin/awk
[awk { print $2 }]
/usr/bin/ps
[ps auxf]
/usr/bin/sudo
[sudo ps auxf]
/usr/bin/grep
[grep cryptonight]
/usr/bin/grep
[grep -v grep]
/usr/bin/awk
[awk { print $2 }]
/usr/bin/ps
[ps auxf]
/usr/bin/sudo
[sudo ps auxf]
/usr/bin/grep
[grep stratum]
/usr/bin/awk
[awk { print $2 }]
/usr/bin/grep
[grep -v grep]
/usr/bin/ps
[ps auxf]
/usr/bin/sudo
[sudo ps auxf]
/usr/bin/grep
[grep dbus-daemon--system]
/usr/bin/grep
[grep -v grep]
/usr/bin/awk
[awk { print $2 }]
/usr/bin/ps
[ps auxf]
/usr/bin/sudo
[sudo ps auxf]
/usr/bin/grep
[grep \[\]]
/usr/bin/awk
[awk { print $2 }]
/usr/bin/grep
[grep -v grep]
/usr/bin/ps
[ps auxf]
/usr/bin/sudo
[sudo ps auxf]
/usr/bin/grep
[grep xm64]
/usr/bin/grep
[grep -v grep]
/usr/bin/awk
[awk { print $2 }]
/usr/bin/ps
[ps auxf]
/usr/bin/sudo
[sudo killall -9 [atd]]
/usr/bin/killall
[killall -9 [atd]]
/usr/bin/sudo
[sudo rm -rf /tmp/.jk]
/usr/bin/rm
[rm -rf /tmp/.jk]
/usr/bin/sudo
[sudo killall -9 [ntpd]]
/usr/bin/killall
[killall -9 [ntpd]]
/usr/bin/sudo
[sudo killall -9 [rpciod]]
/usr/bin/killall
[killall -9 [rpciod]]
/usr/bin/sudo
[sudo killall -9 [ext4-dio-unwrit]]
/usr/bin/killall
[killall -9 [ext4-dio-unwrit]]
/usr/bin/sudo
[sudo rm -rf /tmp/.xm*]
/usr/bin/rm
[rm -rf /tmp/.xm*]
/usr/bin/pidof
[pidof libexec]
/bin/bash
[/bin/bash -]
/usr/bin/which
[which sudo]
/usr/bin/wc
[wc -l]
/usr/bin/sudo
[sudo -S touch .local_19923]
/usr/bin/touch
[touch .local_19923]
/usr/bin/ls
[ls -l .local_19923]
/usr/bin/grep
[grep -c root]
/usr/bin/sudo
[sudo rm .local_19923]
/usr/bin/rm
[rm .local_19923]
/usr/bin/sudo
[sudo ps auxff]
/usr/bin/grep
[grep ./crond -t=all]
/usr/bin/grep
[grep -v grep]
/usr/bin/awk
[awk { print $2 }]
/usr/bin/ps
[ps auxff]
/usr/bin/sudo
[sudo killall -9 bssh]
/usr/bin/killall
[killall -9 bssh]
/usr/bin/sudo
[sudo rm -rf /tmp/.an]
/usr/bin/rm
[rm -rf /tmp/.an]
/usr/bin/sudo
[sudo killall -9 xm64]
/usr/bin/killall
[killall -9 xm64]
/usr/bin/sudo
[sudo killall -9 rpc.idmapd]
/usr/bin/killall
[killall -9 rpc.idmapd]
/usr/bin/sudo
[sudo rm -rf /tmp/.m2]
/usr/bin/rm
[rm -rf /tmp/.m2]
/usr/bin/sudo
[sudo killall -9 xorgg]
/usr/bin/killall
[killall -9 xorgg]
/usr/bin/sudo
[sudo rm -rf /tmp/seconfig]
/usr/bin/rm
[rm -rf /tmp/seconfig]
/usr/bin/sudo
[sudo killall -9 crond64]
/usr/bin/killall
[killall -9 crond64]
/usr/bin/sudo
[sudo killall -9 tsm]
/usr/bin/killall
[killall -9 tsm]
/usr/bin/sudo
[sudo rm -rf /tmp/.ssh]
/usr/bin/rm
[rm -rf /tmp/.ssh]
/usr/bin/sudo
[sudo rm -rf /tmp/.java]
/usr/bin/rm
[rm -rf /tmp/.java]
/usr/bin/sudo
[sudo rm -rf /tmp/.iolanda]
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| N/A | 240.129.24.200:2222 | | tcp |
| US | 209.221.4.50:22 | | tcp |
| KR | 124.55.195.23:2222 | | tcp |
| MX | 177.234.120.167:22 | | tcp |
| US | 97.213.147.238:22 | | tcp |
| SE | 95.199.156.191:22 | | tcp |
| CN | 183.226.105.62:2222 | | tcp |
| CN | 211.142.141.133:2222 | | tcp |
| IN | 157.49.155.212:2222 | | tcp |
| SE | 95.199.156.191:2222 | | tcp |
| US | 140.190.106.67:22 | | tcp |
| SK | 151.236.228.186:22 | | tcp |
| FI | 65.21.69.160:22 | | tcp |
| US | 139.32.243.198:2222 | | tcp |
| US | 68.84.121.108:2222 | | tcp |
| PL | 91.235.219.121:22 | | tcp |
| KR | 211.198.212.97:22 | | tcp |
| IL | 89.138.84.53:22 | | tcp |
| US | 68.85.8.193:22 | | tcp |
| N/A | 242.136.96.130:2222 | | tcp |
| CN | 27.207.153.71:2222 | | tcp |
| IQ | 169.224.76.4:22 | | tcp |
| US | 72.117.161.115:2222 | | tcp |
| US | 32.100.137.46:2222 | | tcp |
| US | 172.180.138.168:2222 | | tcp |
| US | 32.126.82.246:2222 | | tcp |
| MX | 177.234.120.167:2222 | | tcp |
| IN | 157.49.155.212:22 | | tcp |
| KR | 27.126.63.51:2222 | | tcp |
| RU | 92.248.200.67:2222 | | tcp |
| US | 12.8.6.75:2222 | | tcp |
| US | 208.249.206.190:22 | | tcp |
| ES | 88.3.199.56:22 | | tcp |
| NL | 146.50.215.13:22 | | tcp |
| CA | 209.115.241.202:22 | | tcp |
| US | 65.53.8.29:22 | | tcp |
| US | 63.239.176.167:2222 | | tcp |
| US | 63.239.176.167:22 | | tcp |
| SE | 213.102.67.148:2222 | | tcp |
| US | 74.204.223.123:2222 | | tcp |
| BW | 129.205.193.89:22 | | tcp |
| US | 199.104.253.194:2222 | | tcp |
| US | 167.1.51.19:2222 | | tcp |
| US | 135.100.15.172:2222 | | tcp |
| US | 149.95.173.163:22 | | tcp |
| US | 130.99.103.219:22 | | tcp |
| US | 167.1.51.19:22 | | tcp |
| NZ | 161.29.225.242:22 | | tcp |
| CH | 128.179.137.253:22 | | tcp |
| CN | 36.102.4.134:2222 | | tcp |
| US | 172.43.97.37:2222 | | tcp |
| US | 74.204.223.123:22 | | tcp |
| DE | 164.59.160.46:22 | | tcp |
| MA | 102.72.132.252:2222 | | tcp |
| US | 67.149.101.6:22 | | tcp |
| KR | 163.239.47.197:22 | | tcp |
| DE | 139.19.112.76:2222 | | tcp |
| US | 76.94.141.83:22 | | tcp |
| IQ | 169.224.76.4:2222 | | tcp |
| US | 204.193.30.70:2222 | | tcp |
| US | 55.58.187.38:22 | | tcp |
| JP | 115.179.13.197:22 | | tcp |
| US | 65.53.8.29:2222 | | tcp |
| CN | 183.249.93.103:2222 | | tcp |
| US | 215.239.106.236:22 | | tcp |
| US | 208.76.97.208:2222 | | tcp |
| US | 18.224.180.50:2222 | | tcp |
| NZ | 161.29.225.242:2222 | | tcp |
| KR | 163.239.47.197:2222 | | tcp |
Files
/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/nc
| MD5 | ae747bc7fff9bc23f06635ef60ea0e8d |
| SHA1 | 64315e834f67905ed4e47f36155362a78ac23462 |
| SHA256 | 103b8404dc64c9a44511675981a09fd01395ee837452d114f1350c295357c046 |
| SHA512 | e24914a58565a43883c27ae4a41061e8edd3d5eef7b86c1c0e9910d9fbe0eef3e78ed49136ac0c9378311e99901b1847bcfd926aa9a3ea44149a7478480f82b2 |
Analysis: behavioral32
Detonation Overview
Submitted
2024-09-04 20:01
Reported
2024-09-04 20:10
Platform
ubuntu2404-amd64-20240729-en
Max time kernel
149s
Max time network
149s
Command Line
Signatures
Adds new SSH keys
| Description | Indicator | Process | Target |
| File opened for modification | /root/.ssh/authorized_keys | /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7f18e5b5b7645a80a0d44adf3fecdafcbf937bfe30a4cfb965a1421e034996dd | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Deletes log files
| Description | Indicator | Process | Target |
| File deleted | /var/log/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7f18e5b5b7645a80a0d44adf3fecdafcbf937bfe30a4cfb965a1421e034996dd | /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7f18e5b5b7645a80a0d44adf3fecdafcbf937bfe30a4cfb965a1421e034996dd | N/A |
Enumerates running processes
Checks CPU configuration
| Description | Indicator | Process | Target |
| File opened for reading | /proc/cpuinfo | /usr/bin/cat | N/A |
Reads runtime system information
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/nc | /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7f18e5b5b7645a80a0d44adf3fecdafcbf937bfe30a4cfb965a1421e034996dd | N/A |
Processes
/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7f18e5b5b7645a80a0d44adf3fecdafcbf937bfe30a4cfb965a1421e034996dd
[/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/7f18e5b5b7645a80a0d44adf3fecdafcbf937bfe30a4cfb965a1421e034996dd]
/usr/bin/uname
[uname -a]
/usr/bin/cat
[cat /proc/cpuinfo]
/usr/bin/cat
[cat /etc/issue]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
/usr/bin/journalctl
[journalctl -S @0 -u sshd]
/usr/bin/cat
[cat /var/log/auth*]
/usr/bin/zcat
[zcat /var/log/auth*]
/usr/local/sbin/gzip
[gzip -cd /var/log/auth*]
/usr/local/bin/gzip
[gzip -cd /var/log/auth*]
/usr/sbin/gzip
[gzip -cd /var/log/auth*]
/usr/bin/gzip
[gzip -cd /var/log/auth*]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| N/A | 243.88.197.184:2222 | | tcp |
| US | 199.178.19.195:2222 | | tcp |
| N/A | 243.88.197.184:22 | | tcp |
| HK | 202.181.247.251:22 | | tcp |
| HK | 202.181.247.251:2222 | | tcp |
| US | 70.219.48.173:2222 | | tcp |
| US | 198.229.154.249:2222 | | tcp |
| GB | 161.76.202.154:2222 | | tcp |
| US | 167.159.196.229:2222 | | tcp |
| US | 143.165.15.104:22 | | tcp |
| CN | 175.71.211.153:22 | | tcp |
| TW | 61.219.248.142:2222 | | tcp |
| TW | 61.219.248.142:22 | | tcp |
| US | 44.221.188.73:2222 | | tcp |
| US | 40.150.113.23:22 | | tcp |
| TR | 178.241.35.194:22 | | tcp |
| US | 24.229.67.20:2222 | | tcp |
| US | 143.165.15.104:2222 | | tcp |
| KR | 118.46.169.211:22 | | tcp |
| GB | 161.76.202.154:22 | | tcp |
| CN | 182.106.219.181:2222 | | tcp |
| US | 19.161.93.191:2222 | | tcp |
| US | 164.245.65.178:2222 | | tcp |
| CN | 59.221.14.92:2222 | | tcp |
| US | 107.106.43.97:22 | | tcp |
| GB | 87.82.130.122:22 | | tcp |
| US | 207.232.194.92:22 | | tcp |
| US | 15.92.28.226:22 | | tcp |
| US | 26.104.64.100:22 | | tcp |
| US | 192.174.127.200:22 | | tcp |
| CN | 116.24.56.123:22 | | tcp |
| US | 151.194.11.80:2222 | | tcp |
| US | 151.194.11.80:22 | | tcp |
| AU | 120.21.167.96:22 | | tcp |
| GB | 87.82.130.122:2222 | | tcp |
| CN | 58.117.1.32:22 | | tcp |
| US | 141.163.231.137:2222 | | tcp |
| SG | 20.247.205.208:22 | | tcp |
| US | 16.188.18.17:2222 | | tcp |
| US | 167.159.196.229:22 | | tcp |
| US | 71.144.101.7:2222 | | tcp |
| US | 192.174.127.200:2222 | | tcp |
| RU | 37.208.72.47:2222 | | tcp |
| CA | 132.210.209.69:22 | | tcp |
| AU | 120.21.167.96:2222 | | tcp |
| VN | 14.247.159.177:22 | | tcp |
| MX | 216.171.78.112:2222 | | tcp |
| KZ | 2.79.252.46:22 | | tcp |
| US | 170.208.221.206:2222 | | tcp |
| US | 24.229.67.20:22 | | tcp |
| US | 26.101.222.46:2222 | | tcp |
| US | 198.229.154.249:22 | | tcp |
| VN | 14.247.159.177:2222 | | tcp |
| CN | 175.71.211.153:2222 | | tcp |
| US | 70.219.48.173:22 | | tcp |
| CN | 180.102.187.161:22 | | tcp |
| N/A | 245.227.191.132:22 | | tcp |
| US | 50.35.189.224:22 | | tcp |
| DE | 62.4.95.141:2222 | | tcp |
| AR | 200.70.141.212:22 | | tcp |
| CN | 101.246.86.19:22 | | tcp |
| SA | 188.51.151.74:2222 | | tcp |
| US | 68.118.228.214:22 | | tcp |
| MX | 216.171.78.112:22 | | tcp |
| BE | 141.134.3.249:2222 | | tcp |
Files
/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/nc
| MD5 | b2e0eede7b18253dccd0d44ebb5db85a |
| SHA1 | ee5db9590090efd5549e1c17ec1ee956ef1ed3d1 |
| SHA256 | 7f18e5b5b7645a80a0d44adf3fecdafcbf937bfe30a4cfb965a1421e034996dd |
| SHA512 | 5608fe7bde5072de7c98bacfe7beb928e6073be87c0fbccd8075c808d9a7c642abe254f6eb620d627f5324e35821fc9b41a31970264abcc472adfbe2c214a9fe |
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-04 20:01
Reported
2024-09-04 20:10
Platform
win10v2004-20240802-en
Max time kernel
91s
Max time network
154s
Command Line
Signatures
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master.zip
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 44.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-09-04 20:01
Reported
2024-09-04 20:10
Platform
win10v2004-20240802-en
Max time kernel
144s
Max time network
156s
Command Line
Signatures
Dridex
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Network Share Discovery
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\whoami.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\Dridex.JhiSharp.dll.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
Discovers systems in the same network
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\net.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\Dridex.JhiSharp.dll.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\Dridex.JhiSharp.dll.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\Dridex.JhiSharp.dll.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\Dridex.JhiSharp.dll.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\Dridex.JhiSharp.dll.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\Dridex.JhiSharp.dll.exe
"C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\Dridex.JhiSharp.dll.exe"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe "C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\Dridex.JhiSharp.dll.exe"
C:\Windows\SysWOW64\whoami.exe
C:\Windows\system32\whoami.exe /all
C:\Windows\SysWOW64\net.exe
C:\Windows\system32\net.exe view
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| FR | 46.105.131.88:443 | | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 226.162.46.104.in-addr.arpa | udp |
Files
memory/2236-0-0x0000000001110000-0x0000000001116000-memory.dmp
memory/2236-1-0x0000000000260000-0x0000000000286000-memory.dmp
memory/1400-4-0x0000000077132000-0x0000000077133000-memory.dmp
memory/1400-2-0x0000000002290000-0x0000000002291000-memory.dmp
memory/2236-5-0x0000000000260000-0x0000000000286000-memory.dmp
memory/1400-8-0x00000000023E0000-0x0000000002406000-memory.dmp
memory/1400-13-0x00000000023E0000-0x0000000002406000-memory.dmp
memory/1400-18-0x00000000770E0000-0x00000000771D0000-memory.dmp
memory/1400-12-0x00000000023E0000-0x0000000002406000-memory.dmp
memory/1400-11-0x00000000023E0000-0x0000000002406000-memory.dmp
memory/1400-10-0x00000000023E0000-0x0000000002406000-memory.dmp
memory/1400-9-0x00000000023E0000-0x0000000002406000-memory.dmp
memory/1400-7-0x00000000023E0000-0x0000000002406000-memory.dmp
memory/1400-6-0x00000000023E0000-0x0000000002406000-memory.dmp
memory/1400-26-0x00000000770E0000-0x00000000771D0000-memory.dmp
Analysis: behavioral17
Detonation Overview
Submitted
2024-09-04 20:01
Reported
2024-09-04 20:11
Platform
win7-20240903-en
Max time kernel
5s
Max time network
24s
Command Line
Signatures
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Emotet.zip
Network
Files
Analysis: behavioral22
Detonation Overview
Submitted
2024-09-04 20:01
Reported
2024-09-04 20:10
Platform
ubuntu2204-amd64-20240611-en
Max time kernel
149s
Max time network
141s
Command Line
Signatures
Adds new SSH keys
| Description | Indicator | Process | Target |
| File opened for modification | /root/.ssh/authorized_keys | /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/041bc20ca8ac3161098cbc976e67e3c0f1b672ad36ecbe22fd21cbd53bcaa742 | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Deletes log files
| Description | Indicator | Process | Target |
| File deleted | /var/log/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/041bc20ca8ac3161098cbc976e67e3c0f1b672ad36ecbe22fd21cbd53bcaa742 | /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/041bc20ca8ac3161098cbc976e67e3c0f1b672ad36ecbe22fd21cbd53bcaa742 | N/A |
Enumerates running processes
Checks CPU configuration
| Description | Indicator | Process | Target |
| File opened for reading | /proc/cpuinfo | /usr/bin/cat | N/A |
Reads CPU attributes
| Description | Indicator | Process | Target |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/free | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/uptime | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/uptime | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/uptime | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/uptime | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/free | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/free | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/uptime | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/free | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/uptime | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/uptime | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/free | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/free | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/uptime | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/free | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/free | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/uptime | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/uptime | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/free | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/uptime | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/free | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/uptime | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/free | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/free | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/uptime | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/free | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/uptime | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/free | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/uptime | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/free | N/A |
Reads runtime system information
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/nc | /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/041bc20ca8ac3161098cbc976e67e3c0f1b672ad36ecbe22fd21cbd53bcaa742 | N/A |
Processes
/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/041bc20ca8ac3161098cbc976e67e3c0f1b672ad36ecbe22fd21cbd53bcaa742
[/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/041bc20ca8ac3161098cbc976e67e3c0f1b672ad36ecbe22fd21cbd53bcaa742]
/usr/bin/uname
[uname -a]
/usr/bin/cat
[cat /proc/cpuinfo]
/usr/bin/cat
[cat /etc/issue]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
/usr/bin/journalctl
[journalctl -S @0 -u sshd]
/usr/bin/cat
[cat /var/log/auth*]
/usr/bin/zcat
[zcat /var/log/auth*]
/usr/local/sbin/gzip
[gzip -cd /var/log/auth*]
/usr/local/bin/gzip
[gzip -cd /var/log/auth*]
/usr/sbin/gzip
[gzip -cd /var/log/auth*]
/usr/bin/gzip
[gzip -cd /var/log/auth*]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| US | 207.149.33.160:22 | | tcp |
| CA | 142.72.177.81:2222 | | tcp |
| MT | 94.17.56.52:22 | | tcp |
| US | 163.187.218.206:2222 | | tcp |
| BR | 201.42.189.46:2222 | | tcp |
| US | 12.64.247.29:2222 | | tcp |
| IN | 101.216.110.100:22 | | tcp |
| UA | 176.110.37.63:2222 | | tcp |
| HK | 203.218.160.180:22 | | tcp |
| US | 73.148.103.2:22 | | tcp |
| US | 96.79.194.54:2222 | | tcp |
| US | 184.143.189.32:22 | | tcp |
| N/A | 245.227.206.250:22 | | tcp |
| CA | 129.97.128.214:22 | | tcp |
| JP | 222.229.155.230:22 | | tcp |
| DE | 188.174.139.194:2222 | | tcp |
| US | 4.227.16.237:22 | | tcp |
| ID | 39.225.213.178:22 | | tcp |
| US | 24.124.93.248:2222 | | tcp |
| BR | 189.51.229.59:2222 | | tcp |
| CA | 129.97.128.214:2222 | | tcp |
| KR | 183.97.86.185:2222 | | tcp |
| US | 4.227.16.237:2222 | | tcp |
| US | 146.235.135.52:2222 | | tcp |
| KR | 183.97.86.185:22 | | tcp |
| US | 96.79.194.54:22 | | tcp |
| CN | 60.207.71.131:2222 | | tcp |
| US | 18.65.227.216:22 | | tcp |
| GE | 93.186.220.4:2222 | | tcp |
| ID | 39.225.213.178:2222 | | tcp |
| US | 173.108.181.223:2222 | | tcp |
| EC | 186.33.162.245:22 | | tcp |
| PE | 186.160.87.56:22 | | tcp |
| MT | 94.17.56.52:2222 | | tcp |
| EG | 154.140.7.59:2222 | | tcp |
| JP | 150.29.237.177:2222 | | tcp |
| CN | 220.164.18.133:22 | | tcp |
| US | 73.148.103.2:2222 | | tcp |
| US | 99.190.92.183:2222 | | tcp |
| KR | 27.169.159.168:22 | | tcp |
| TR | 88.249.159.38:2222 | | tcp |
| BE | 78.22.206.34:2222 | | tcp |
| PE | 186.160.87.56:2222 | | tcp |
| CN | 42.193.103.183:22 | | tcp |
| US | 99.190.92.183:22 | | tcp |
| US | 140.9.157.2:22 | | tcp |
| FR | 88.165.232.92:2222 | | tcp |
| UA | 176.110.37.63:22 | | tcp |
| US | 66.63.192.229:2222 | | tcp |
| EC | 186.33.162.245:2222 | | tcp |
| BR | 201.42.189.46:22 | | tcp |
| TR | 88.249.159.38:22 | | tcp |
| US | 166.109.43.132:22 | | tcp |
| US | 63.208.231.175:22 | | tcp |
| GE | 93.186.220.4:22 | | tcp |
| US | 71.211.92.221:2222 | | tcp |
| BE | 37.44.243.66:2222 | | tcp |
| CN | 42.193.103.183:2222 | | tcp |
| US | 207.34.38.87:22 | | tcp |
| BR | 189.51.229.59:22 | | tcp |
| US | 163.187.218.206:22 | | tcp |
| US | 209.149.107.187:2222 | | tcp |
| DE | 91.58.138.47:22 | | tcp |
| US | 66.237.131.184:2222 | | tcp |
| HK | 203.218.160.180:2222 | | tcp |
Files
/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/nc
| MD5 | 76fe4fdd628218f630ba50f91ceba852 |
| SHA1 | 6e90f2fe619597115e5b8dd8b0d1fb0c8ad33fa4 |
| SHA256 | 041bc20ca8ac3161098cbc976e67e3c0f1b672ad36ecbe22fd21cbd53bcaa742 |
| SHA512 | 7956505ae0d8479a92ddf97bb09a757566ef526934ee06b4273f0fc450e4da9204808ffa4f4674f4e6e313eb718a7c65f258ef8d23b9769b8aa12d47610d8011 |
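Added host-triage example for the FritzFrog indicators in behavioral22 (and the identical behavioral30 and behavioral23 runs); it is not part of the report and not the malware's code. The signatures that matter on a live host are "Adds new SSH keys" (the sample writes /root/.ssh/authorized_keys), "Writes file to tmp directory" (it drops nc next to itself under /tmp) and "Deletes itself" (the running binary is unlinked, which on Linux leaves /proc/<pid>/exe pointing at a path suffixed with "(deleted)"). The Python below diffs an authorized_keys file against a baseline by OpenSSH SHA256 fingerprint, so the output can be matched against ssh-keygen -lf, and walks /proc for processes whose executable lives in a temp directory or no longer exists on disk. The key blobs are constructed filler in the correct wire format, not real keys; SUSPECT_DIRS is an assumed list.

```python
"""
Added host-triage example for the FritzFrog indicators in this report (not
part of the report and not the malware's code): list keys added to
authorized_keys since a baseline, and flag processes whose executable sits in
a temp directory or has already been unlinked. Key blobs are constructed.
"""
import base64
import binascii
import hashlib
import os
import struct

SUSPECT_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")  # assumption: where droppers land


def _ssh_string(b):
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _fake_ed25519(seed):
    """Constructed ssh-ed25519 public-key blob; the 32 key bytes are filler."""
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(seed, seed + 32)))
    return base64.b64encode(blob).decode()


# Constructed baseline and post-infection files: one known key, then one added
# with a leading options field, the way a dropper might write it.
BASELINE_KEYS = "ssh-ed25519 " + _fake_ed25519(0) + " admin@bastion\n"
CURRENT_KEYS = BASELINE_KEYS + 'command="/bin/true" ssh-ed25519 ' + _fake_ed25519(100) + " no-comment\n"


def fingerprint(key_b64):
    """OpenSSH-style SHA256 fingerprint, comparable with `ssh-keygen -lf`."""
    digest = hashlib.sha256(base64.b64decode(key_b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text):
    """Map fingerprint -> (key type, comment, raw line); tolerates leading options."""
    keys = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        idx = next((i for i, f in enumerate(fields)
                    if f.startswith(("ssh-", "ecdsa-", "sk-"))), None)
        if idx is None or idx + 1 >= len(fields):
            continue
        try:
            fp = fingerprint(fields[idx + 1])
        except (binascii.Error, ValueError):
            continue  # not base64: skip rather than crash on a corrupted line
        keys[fp] = (fields[idx], " ".join(fields[idx + 2:]), line)
    return keys


def new_keys(baseline_text, current_text):
    """Keys present now that the baseline did not contain."""
    base = parse_authorized_keys(baseline_text)
    return {fp: v for fp, v in parse_authorized_keys(current_text).items() if fp not in base}


def classify_exe(exe_link):
    """Flags for the target of a /proc/<pid>/exe symlink."""
    flags = []
    if exe_link.endswith(" (deleted)"):
        flags.append("exe-unlinked")          # binary removed itself after starting
        exe_link = exe_link[: -len(" (deleted)")]
    if exe_link.startswith(SUSPECT_DIRS):
        flags.append("exe-in-temp-dir")       # running out of /tmp like the sample
    return flags


def scan_proc(proc="/proc"):
    """Walk /proc on a live Linux host; return (pid, exe, flags) for suspects."""
    findings = []
    for pid in os.listdir(proc):
        if not pid.isdigit():
            continue
        try:
            link = os.readlink(os.path.join(proc, pid, "exe"))
        except OSError:
            continue  # kernel thread, exited, or not permitted without root
        flags = classify_exe(link)
        if flags:
            findings.append((int(pid), link, flags))
    return findings


if __name__ == "__main__":
    for fp, (ktype, comment, _) in new_keys(BASELINE_KEYS, CURRENT_KEYS).items():
        print("new key:", ktype, fp, comment)
    for finding in scan_proc():
        print("suspect process:", finding)
```

Run scan_proc as root so every /proc/<pid>/exe is readable; for authorized_keys, feed new_keys the file from a trusted backup or configuration-management source as the baseline and the live /root/.ssh/authorized_keys as current. The log deletion seen in the same run ("Deletes log files", the journalctl and /var/log/auth* reads) means the SSH login that delivered the sample may be gone from the host, so the authorized_keys diff is often the only durable trace.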
Analysis: behavioral3
Detonation Overview
Submitted
2024-09-04 20:01
Reported
2024-09-04 20:10
Platform
win7-20240729-en
Max time kernel
143s
Max time network
146s
Command Line
Signatures
Danabot
Danabot x86 payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\DanaBot.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\DanaBot.exe
"C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\DanaBot.exe"
C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\THE-MA~1\BANKIN~1\DanaBot.dll f1 C:\Users\Admin\AppData\Local\Temp\THE-MA~1\BANKIN~1\DanaBot.exe@2320
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\THE-MA~1\BANKIN~1\DanaBot.dll,f0
Network
| Country | Destination | Domain | Proto |
| FR | 51.178.195.151:443 | | tcp |
| CA | 51.222.39.81:443 | | tcp |
| FR | 51.77.7.204:443 | | tcp |
| FR | 51.77.7.204:443 | | tcp |
| FR | 51.77.7.204:443 | | tcp |
| FR | 51.77.7.204:443 | | tcp |
| FR | 51.77.7.204:443 | | tcp |
Files
memory/2320-0-0x0000000002360000-0x00000000025D8000-memory.dmp
memory/2320-1-0x0000000002360000-0x00000000025D8000-memory.dmp
memory/2320-2-0x00000000025E0000-0x000000000286D000-memory.dmp
memory/2320-3-0x0000000000400000-0x000000000069A000-memory.dmp
memory/2320-6-0x00000000025E0000-0x000000000286D000-memory.dmp
memory/2608-11-0x00000000026D0000-0x000000000293B000-memory.dmp
\Users\Admin\AppData\Local\Temp\THE-MA~1\BANKIN~1\DanaBot.dll
| MD5 | 9cb7b0d8e817636deed7b195e69f6156 |
| SHA1 | 3a68463ef2313fa9580ff8048900ffcafb604114 |
| SHA256 | 9e9c58dec15cf26e295f6d4dc1587468e6f1483e78ff2b8a2f47034b9731f5b1 |
| SHA512 | c8cb93a387cbfe13d1cfd131cffdce95656543cbb8838983015c981aad5cb9e7a6c1bbf94f248a83017420d7d51eea2ab44449333dd1557e2ec2a7017fc8a793 |
memory/2320-8-0x0000000000400000-0x000000000069A000-memory.dmp
memory/2320-7-0x0000000002360000-0x00000000025D8000-memory.dmp
memory/2320-5-0x0000000000400000-0x0000000000AAD000-memory.dmp
memory/2800-16-0x0000000002410000-0x000000000267B000-memory.dmp
memory/2800-17-0x0000000002410000-0x000000000267B000-memory.dmp
memory/2800-19-0x0000000002410000-0x000000000267B000-memory.dmp
Analysis: behavioral30
Detonation Overview
Submitted
2024-09-04 20:01
Reported
2024-09-04 20:10
Platform
ubuntu2204-amd64-20240611-en
Max time kernel
149s
Max time network
144s
Command Line
Signatures
Adds new SSH keys
| Description | Indicator | Process | Target |
| File opened for modification | /root/.ssh/authorized_keys | /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/6fe6808b9cfe654f526108ec61cb5211bb6601d28e192cadf06102073b54f69c | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Deletes log files
| Description | Indicator | Process | Target |
| File deleted | /var/log/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/6fe6808b9cfe654f526108ec61cb5211bb6601d28e192cadf06102073b54f69c | /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/6fe6808b9cfe654f526108ec61cb5211bb6601d28e192cadf06102073b54f69c | N/A |
Enumerates running processes
Checks CPU configuration
| Description | Indicator | Process | Target |
| File opened for reading | /proc/cpuinfo | /usr/bin/cat | N/A |
Reads CPU attributes
| Description | Indicator | Process | Target |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/free | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/uptime | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/free | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/uptime | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/free | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/free | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/free | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/uptime | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/free | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/uptime | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/free | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/uptime | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/uptime | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/free | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/uptime | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/uptime | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/free | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/uptime | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/free | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/uptime | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/uptime | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/free | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/free | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/uptime | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/free | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/uptime | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/free | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/uptime | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/uptime | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/free | N/A |
Reads runtime system information
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/nc | /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/6fe6808b9cfe654f526108ec61cb5211bb6601d28e192cadf06102073b54f69c | N/A |
Processes
/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/6fe6808b9cfe654f526108ec61cb5211bb6601d28e192cadf06102073b54f69c
[/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/6fe6808b9cfe654f526108ec61cb5211bb6601d28e192cadf06102073b54f69c]
/usr/bin/uname
[uname -a]
/usr/bin/cat
[cat /proc/cpuinfo]
/usr/bin/cat
[cat /etc/issue]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
/usr/bin/journalctl
[journalctl -S @0 -u sshd]
/usr/bin/cat
[cat /var/log/auth*]
/usr/bin/zcat
[zcat /var/log/auth*]
/usr/local/sbin/gzip
[gzip -cd /var/log/auth*]
/usr/local/bin/gzip
[gzip -cd /var/log/auth*]
/usr/sbin/gzip
[gzip -cd /var/log/auth*]
/usr/bin/gzip
[gzip -cd /var/log/auth*]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| FR | 62.106.169.253:2222 | | tcp |
| CO | 179.14.155.64:22 | | tcp |
| CN | 101.145.75.245:2222 | | tcp |
| CL | 186.174.200.3:2222 | | tcp |
| GB | 2.127.27.81:22 | | tcp |
| US | 97.85.247.16:22 | | tcp |
| ES | 83.46.113.187:2222 | | tcp |
| US | 20.84.148.67:2222 | | tcp |
| NL | 145.200.249.244:22 | | tcp |
| N/A | 244.109.55.248:22 | | tcp |
| IE | 57.195.151.160:22 | | tcp |
| CN | 117.39.37.145:22 | | tcp |
| US | 207.10.167.225:2222 | | tcp |
| AU | 161.248.43.155:22 | | tcp |
| N/A | 245.232.195.180:2222 | | tcp |
| US | 136.76.40.103:22 | | tcp |
| MX | 189.245.71.92:2222 | | tcp |
| CN | 60.31.238.204:2222 | | tcp |
| CN | 60.31.238.204:22 | | tcp |
| CL | 186.174.200.3:22 | | tcp |
| TN | 197.24.96.184:2222 | | tcp |
| EG | 154.140.116.58:2222 | | tcp |
| CN | 27.28.76.144:22 | | tcp |
| CN | 101.145.75.245:22 | | tcp |
| JP | 59.106.215.18:22 | | tcp |
| GB | 2.127.27.81:2222 | | tcp |
| BR | 189.125.54.181:22 | | tcp |
| RU | 91.221.49.236:22 | | tcp |
| IE | 57.195.151.160:2222 | | tcp |
| TH | 17.91.193.193:2222 | | tcp |
| N/A | 244.109.55.248:2222 | | tcp |
| JP | 133.93.73.152:22 | | tcp |
| FR | 62.106.169.253:22 | | tcp |
| JP | 133.93.73.152:2222 | | tcp |
| PL | 83.10.117.212:2222 | | tcp |
| FI | 193.94.135.126:22 | | tcp |
| FR | 78.246.187.205:2222 | | tcp |
| JP | 1.73.59.119:22 | | tcp |
| FI | 130.232.10.63:22 | | tcp |
| US | 8.33.70.100:22 | | tcp |
| N/A | 245.232.195.180:22 | | tcp |
| US | 159.39.104.185:22 | | tcp |
| DK | 37.96.42.87:22 | | tcp |
| US | 28.211.246.201:2222 | | tcp |
| CN | 117.39.37.145:2222 | | tcp |
| FI | 193.94.135.126:2222 | | tcp |
| CN | 27.28.76.144:2222 | | tcp |
| N/A | 246.40.110.242:22 | | tcp |
| N/A | 246.40.110.242:2222 | | tcp |
| SE | 95.198.217.236:22 | | tcp |
| US | 192.180.66.192:22 | | tcp |
| DE | 141.26.177.99:2222 | | tcp |
| RU | 91.221.49.236:2222 | | tcp |
| JP | 1.73.59.119:2222 | | tcp |
| ES | 85.86.18.35:2222 | | tcp |
| US | 208.197.88.52:22 | | tcp |
| TN | 197.24.96.184:22 | | tcp |
| AU | 161.248.43.155:2222 | | tcp |
| N/A | 241.145.68.41:2222 | | tcp |
| CO | 179.14.155.64:2222 | | tcp |
| EG | 154.140.116.58:22 | | tcp |
| SE | 95.198.217.236:2222 | | tcp |
| US | 65.27.178.246:22 | | tcp |
| US | 28.211.246.201:22 | | tcp |
| ES | 54.26.117.209:22 | | tcp |
| US | 55.144.86.59:22 | | tcp |
| US | 20.84.148.67:22 | | tcp |
Files
/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/nc
| MD5 | 3fe7b88a9ba6c5acee4faae760642b78 |
| SHA1 | bae245bc98c516604838c6ce5a233f066de44a50 |
| SHA256 | 6fe6808b9cfe654f526108ec61cb5211bb6601d28e192cadf06102073b54f69c |
| SHA512 | 02abc8d4fe280306a9ac6a25d28cf174a8d51a43d98b6837bc129701d8c0ab486eebaeef11062b58c455627d4de7c8782b3828aa02891fe439ca1ca617038f95 |
Analysis: behavioral11
Detonation Overview
Submitted
2024-09-04 20:01
Reported
2024-09-04 20:10
Platform
win7-20240903-en
Max time kernel
122s
Max time network
129s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Network Share Discovery
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\whoami.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\Trojan.Dridex.A.exe | N/A |
Discovers systems in the same network
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\net.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\Trojan.Dridex.A.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\Trojan.Dridex.A.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\Trojan.Dridex.A.exe
"C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\Trojan.Dridex.A.exe"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe "C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\Trojan.Dridex.A.exe"
C:\Windows\SysWOW64\whoami.exe
C:\Windows\system32\whoami.exe /all
C:\Windows\SysWOW64\net.exe
C:\Windows\system32\net.exe view
Network
| Country | Destination | Domain | Proto |
| BG | 91.92.136.107:443 | | tcp |
| BG | 91.92.136.107:443 | | tcp |
Files
memory/1636-0-0x0000000000840000-0x0000000000862000-memory.dmp
memory/1636-1-0x0000000000130000-0x0000000000136000-memory.dmp
memory/2912-3-0x0000000076C29000-0x0000000076C2A000-memory.dmp
memory/2912-2-0x00000000001C0000-0x00000000001C1000-memory.dmp
memory/1636-5-0x0000000000840000-0x0000000000862000-memory.dmp
memory/2912-11-0x00000000002E0000-0x0000000000302000-memory.dmp
memory/2912-7-0x00000000002E0000-0x0000000000302000-memory.dmp
memory/2912-10-0x00000000002E0000-0x0000000000302000-memory.dmp
memory/2912-9-0x00000000002E0000-0x0000000000302000-memory.dmp
memory/2912-8-0x00000000002E0000-0x0000000000302000-memory.dmp
memory/2912-6-0x00000000002E0000-0x0000000000302000-memory.dmp
memory/2912-13-0x00000000002E0000-0x0000000000302000-memory.dmp
memory/2912-12-0x00000000002E0000-0x0000000000302000-memory.dmp
memory/2912-18-0x0000000076BA0000-0x0000000076CB0000-memory.dmp
Analysis: behavioral23
Detonation Overview
Submitted
2024-09-04 20:01
Reported
2024-09-04 20:10
Platform
ubuntu2204-amd64-20240522.1-en
Max time kernel
149s
Max time network
141s
Command Line
Signatures
Adds new SSH keys
| Description | Indicator | Process | Target |
| File opened for modification | /root/.ssh/authorized_keys | /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/0ab8836efcaa62c7daac314e0b7ab1679319b2901578fd9e95ec3476b4c1a732 | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Deletes log files
| Description | Indicator | Process | Target |
| File deleted | /var/log/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/0ab8836efcaa62c7daac314e0b7ab1679319b2901578fd9e95ec3476b4c1a732 | /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/0ab8836efcaa62c7daac314e0b7ab1679319b2901578fd9e95ec3476b4c1a732 | N/A |
Enumerates running processes
Checks CPU configuration
| Description | Indicator | Process | Target |
| File opened for reading | /proc/cpuinfo | /usr/bin/cat | N/A |
Reads CPU attributes
| Description | Indicator | Process | Target |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/uptime | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/free | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/uptime | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/free | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/uptime | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/uptime | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/uptime | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/uptime | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/uptime | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/uptime | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/uptime | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/uptime | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/free | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/free | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/free | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/free | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/free | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/uptime | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/uptime | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/uptime | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/uptime | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/free | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/uptime | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/free | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/free | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/free | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/free | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/free | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/free | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/free | N/A |
Reads runtime system information
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/nc | /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/0ab8836efcaa62c7daac314e0b7ab1679319b2901578fd9e95ec3476b4c1a732 | N/A |
Processes
/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/0ab8836efcaa62c7daac314e0b7ab1679319b2901578fd9e95ec3476b4c1a732
[/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/0ab8836efcaa62c7daac314e0b7ab1679319b2901578fd9e95ec3476b4c1a732]
/usr/bin/uname
[uname -a]
/usr/bin/cat
[cat /proc/cpuinfo]
/usr/bin/cat
[cat /etc/issue]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
/usr/bin/journalctl
[journalctl -S @0 -u sshd]
/usr/bin/cat
[cat /var/log/auth*]
/usr/bin/zcat
[zcat /var/log/auth*]
/usr/local/sbin/gzip
[gzip -cd /var/log/auth*]
/usr/local/bin/gzip
[gzip -cd /var/log/auth*]
/usr/sbin/gzip
[gzip -cd /var/log/auth*]
/usr/bin/gzip
[gzip -cd /var/log/auth*]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
Network
| Country | Destination | Proto | Domain |
| N/A | 224.0.0.251:5353 | udp | |
| DE | 185.103.234.116:22 | tcp | |
| US | 52.23.53.13:22 | tcp | |
| GB | 25.100.184.165:2222 | tcp | |
| N/A | 247.7.219.53:22 | tcp | |
| RU | 84.204.148.213:22 | tcp | |
| BR | 177.49.191.222:22 | tcp | |
| US | 16.66.9.76:22 | tcp | |
| US | 96.2.77.200:22 | tcp | |
| US | 38.125.53.65:22 | tcp | |
| US | 75.241.194.221:22 | tcp | |
| N/A | 247.7.219.53:2222 | tcp | |
| US | 65.103.33.232:22 | tcp | |
| TN | 196.225.26.151:22 | tcp | |
| TN | 196.225.26.151:2222 | tcp | |
| JP | 158.215.244.59:22 | tcp | |
| US | 11.145.128.181:22 | tcp | |
| N/A | 244.11.116.157:2222 | tcp | |
| BR | 200.193.179.180:22 | tcp | |
| FR | 144.204.91.112:22 | tcp | |
| US | 151.125.36.78:22 | tcp | |
| US | 19.53.129.76:2222 | tcp | |
| N/A | 244.11.116.157:22 | tcp | |
| US | 76.187.16.21:22 | tcp | |
| CN | 42.138.23.231:2222 | tcp | |
| US | 30.142.90.135:2222 | tcp | |
| US | 98.148.104.109:2222 | tcp | |
| US | 65.103.33.232:2222 | tcp | |
| JP | 133.216.142.120:2222 | tcp | |
| AU | 103.128.184.142:22 | tcp | |
| US | 75.241.194.221:2222 | tcp | |
| MA | 102.101.217.221:2222 | tcp | |
| US | 99.58.146.218:2222 | tcp | |
| RS | 193.105.163.135:2222 | tcp | |
| FR | 144.204.91.112:2222 | tcp | |
| US | 142.136.205.204:2222 | tcp | |
| US | 130.248.45.94:22 | tcp | |
| N/A | 242.118.106.220:2222 | tcp | |
| US | 47.79.235.228:22 | tcp | |
| US | 158.146.240.98:2222 | tcp | |
| US | 73.147.14.228:22 | tcp | |
| KR | 175.252.155.72:22 | tcp | |
| US | 208.17.25.229:22 | tcp | |
| MD | 87.245.236.71:2222 | tcp | |
| US | 208.17.25.229:2222 | tcp | |
| US | 44.29.127.124:22 | tcp | |
| US | 135.248.158.33:2222 | tcp | |
| US | 30.142.90.135:22 | tcp | |
| US | 18.227.215.67:22 | tcp | |
| MA | 102.101.217.221:22 | tcp | |
| BR | 200.193.179.180:2222 | tcp | |
| JP | 163.54.144.204:22 | tcp | |
| JP | 61.205.34.66:22 | tcp | |
| DK | 86.58.191.232:22 | tcp | |
| KR | 61.82.120.177:22 | tcp | |
| IT | 2.34.122.151:22 | tcp | |
| MD | 87.245.236.71:22 | tcp | |
| US | 19.111.12.9:2222 | tcp | |
| US | 73.147.14.228:2222 | tcp | |
| US | 38.125.53.65:2222 | tcp | |
| US | 151.125.36.78:2222 | tcp | |
| CN | 1.63.36.167:22 | tcp | |
| US | 18.227.215.67:2222 | tcp | |
| US | 76.187.16.21:2222 | tcp | |
| JP | 160.186.50.19:22 | tcp | |
| US | 72.33.162.130:2222 | tcp | |
| US | 99.20.82.59:2222 | tcp | |
| US | 19.53.129.76:22 | tcp | |
| JP | 54.150.240.67:22 | tcp | |
Files
/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/nc
| MD5 | 0263de27fd997a4904ee4a92f91ac733 |
| SHA1 | da090fd76b2d92320cf7e55666bb5bd8f50796c9 |
| SHA256 | 0ab8836efcaa62c7daac314e0b7ab1679319b2901578fd9e95ec3476b4c1a732 |
| SHA512 | 09ef02532eb7c3a968c1d04bf1f3aa9a4bf400f8485d3be596d7db3aed5f705fc1f85a1f6218397a70830ad747aa03c61b9c5b1cca24c2620cdbb3e5361db194 |
Analysis: behavioral25
Detonation Overview
Submitted
2024-09-04 20:01
Reported
2024-09-04 20:10
Platform
ubuntu2404-amd64-20240729-en
Max time kernel
149s
Max time network
154s
Command Line
Signatures
Adds new SSH keys
| Description | Indicator | Process | Target |
| File opened for modification | /root/.ssh/authorized_keys | /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/2378e76aba1ad6e0c937fb39989217bf0de616fdad4726c0f4233bf5414cde86 | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Deletes log files
| Description | Indicator | Process | Target |
| File deleted | /var/log/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/2378e76aba1ad6e0c937fb39989217bf0de616fdad4726c0f4233bf5414cde86 | /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/2378e76aba1ad6e0c937fb39989217bf0de616fdad4726c0f4233bf5414cde86 | N/A |
Enumerates running processes
Checks CPU configuration
| Description | Indicator | Process | Target |
| File opened for reading | /proc/cpuinfo | /usr/bin/cat | N/A |
Enumerates kernel/hardware configuration
| Description | Indicator | Process | Target |
| File opened for reading | /sys/kernel/mm/transparent_hugepage/hpage_pmd_size | /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/2378e76aba1ad6e0c937fb39989217bf0de616fdad4726c0f4233bf5414cde86 | N/A |
Reads runtime system information
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/nc | /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/2378e76aba1ad6e0c937fb39989217bf0de616fdad4726c0f4233bf5414cde86 | N/A |
Processes
/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/2378e76aba1ad6e0c937fb39989217bf0de616fdad4726c0f4233bf5414cde86
[/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/2378e76aba1ad6e0c937fb39989217bf0de616fdad4726c0f4233bf5414cde86]
/usr/bin/uname
[uname -a]
/usr/bin/cat
[cat /proc/cpuinfo]
/usr/bin/cat
[cat /etc/issue]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
/usr/bin/journalctl
[journalctl -S @0 -u sshd]
/usr/bin/cat
[cat /var/log/auth*]
/usr/bin/zcat
[zcat /var/log/auth*]
/usr/local/sbin/gzip
[gzip -cd /var/log/auth*]
/usr/local/bin/gzip
[gzip -cd /var/log/auth*]
/usr/sbin/gzip
[gzip -cd /var/log/auth*]
/usr/bin/gzip
[gzip -cd /var/log/auth*]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
Network
| Country | Destination | Proto | Domain |
| N/A | 224.0.0.251:5353 | udp | |
| US | 44.63.185.194:2222 | tcp | |
| UA | 91.244.32.245:2222 | tcp | |
| ID | 114.7.53.39:22 | tcp | |
| US | 216.140.51.99:2222 | tcp | |
| US | 206.4.196.47:2222 | tcp | |
| FR | 5.49.54.202:2222 | tcp | |
| IT | 88.32.26.180:2222 | tcp | |
| LK | 203.81.100.234:2222 | tcp | |
| UA | 91.244.32.245:22 | tcp | |
| US | 170.37.112.55:2222 | tcp | |
| CA | 132.213.47.129:2222 | tcp | |
| BR | 179.162.133.39:22 | tcp | |
| US | 216.140.51.99:22 | tcp | |
| CN | 117.164.6.90:22 | tcp | |
| EG | 156.176.54.200:22 | tcp | |
| N/A | 250.153.227.186:2222 | tcp | |
| N/A | 245.198.141.21:2222 | tcp | |
| US | 216.164.37.97:2222 | tcp | |
| KR | 223.175.116.244:2222 | tcp | |
| US | 216.164.37.97:22 | tcp | |
| US | 140.101.84.1:2222 | tcp | |
| US | 4.78.44.33:22 | tcp | |
| US | 163.151.32.158:2222 | tcp | |
| MA | 160.105.105.200:2222 | tcp | |
| ZA | 196.212.50.158:2222 | tcp | |
| US | 69.247.111.190:2222 | tcp | |
| US | 44.63.185.194:22 | tcp | |
| N/A | 250.153.227.186:22 | tcp | |
| CN | 123.125.236.61:2222 | tcp | |
| US | 4.78.44.33:2222 | tcp | |
| AU | 58.104.236.243:22 | tcp | |
| BR | 191.232.159.50:22 | tcp | |
| CN | 117.164.6.90:2222 | tcp | |
| US | 140.101.84.1:22 | tcp | |
| MA | 160.105.105.200:22 | tcp | |
| US | 69.247.111.190:22 | tcp | |
| US | 192.69.168.237:22 | tcp | |
| JP | 43.206.245.140:2222 | tcp | |
| US | 71.71.130.30:2222 | tcp | |
| N/A | 250.174.188.177:2222 | tcp | |
| US | 72.59.202.76:2222 | tcp | |
| US | 163.151.32.158:22 | tcp | |
| CA | 170.89.251.91:22 | tcp | |
| LK | 203.81.100.234:22 | tcp | |
| AT | 84.114.175.105:2222 | tcp | |
| CN | 36.17.36.57:2222 | tcp | |
| DE | 62.155.149.182:2222 | tcp | |
| N/A | 245.198.141.21:22 | tcp | |
| CA | 75.154.244.211:2222 | tcp | |
| US | 192.69.168.237:2222 | tcp | |
| US | 72.225.191.64:22 | tcp | |
| US | 72.226.79.245:22 | tcp | |
| BR | 191.232.159.50:2222 | tcp | |
| CA | 142.103.237.202:2222 | tcp | |
| N/A | 247.210.63.88:22 | tcp | |
| KR | 223.175.116.244:22 | tcp | |
| JP | 133.174.188.221:22 | tcp | |
| N/A | 242.237.99.40:2222 | tcp | |
| US | 132.143.93.80:22 | tcp | |
| AT | 84.114.175.105:22 | tcp | |
| CA | 170.89.251.91:2222 | tcp | |
| IN | 117.230.170.246:22 | tcp | |
| BR | 187.22.113.214:2222 | tcp | |
| RU | 185.106.118.13:22 | tcp | |
| ID | 36.90.228.136:2222 | tcp | |
| CA | 132.213.47.129:22 | tcp | |
| ZA | 155.233.224.232:2222 | tcp | |
| US | 206.4.196.47:22 | tcp | |
| OM | 148.151.221.172:22 | tcp | |
| IN | 117.230.170.246:2222 | tcp | |
| CN | 36.17.36.57:22 | tcp | |
| CA | 108.173.159.16:22 | tcp | |
| CA | 108.163.152.152:2222 | tcp | |
| US | 72.226.79.245:2222 | tcp | |
| US | 170.37.112.55:22 | tcp | |
| JP | 60.34.83.248:22 | tcp | |
Files
/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/nc
| MD5 | 3a371a09bfcba3d545465339f1e1d481 |
| SHA1 | 7f5712878929aab6a2ab297072a5a5f3d3c15a01 |
| SHA256 | 2378e76aba1ad6e0c937fb39989217bf0de616fdad4726c0f4233bf5414cde86 |
| SHA512 | 35efc5129316ea697f1f4591c37e70c74b643942cdb3cb1aac6a0f14f5d133da39c0c393439490bc059361e9feeacee3d4056f88700f56dfe1088ba0ab22613b |
Analysis: behavioral27
Detonation Overview
Submitted
2024-09-04 20:01
Reported
2024-09-04 20:10
Platform
ubuntu2404-amd64-20240523-en
Max time kernel
149s
Max time network
146s
Command Line
Signatures
Adds new SSH keys
| Description | Indicator | Process | Target |
| File opened for modification | /root/.ssh/authorized_keys | /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/3205603282a636979a55aa1e1be518cd3adcbbe491745d996ceb4b5a4dece0c5 | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/3205603282a636979a55aa1e1be518cd3adcbbe491745d996ceb4b5a4dece0c5 | N/A |
Deletes log files
| Description | Indicator | Process | Target |
| File deleted | /var/log/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/3205603282a636979a55aa1e1be518cd3adcbbe491745d996ceb4b5a4dece0c5 | /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/3205603282a636979a55aa1e1be518cd3adcbbe491745d996ceb4b5a4dece0c5 | N/A |
Enumerates running processes
Checks CPU configuration
| Description | Indicator | Process | Target |
| File opened for reading | /proc/cpuinfo | /usr/bin/cat | N/A |
Enumerates kernel/hardware configuration
| Description | Indicator | Process | Target |
| File opened for reading | /sys/kernel/mm/transparent_hugepage/hpage_pmd_size | /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/3205603282a636979a55aa1e1be518cd3adcbbe491745d996ceb4b5a4dece0c5 | N/A |
Reads runtime system information
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/nc | /tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/3205603282a636979a55aa1e1be518cd3adcbbe491745d996ceb4b5a4dece0c5 | N/A |
Processes
/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/3205603282a636979a55aa1e1be518cd3adcbbe491745d996ceb4b5a4dece0c5
[/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/3205603282a636979a55aa1e1be518cd3adcbbe491745d996ceb4b5a4dece0c5]
/usr/bin/uname
[uname -a]
/usr/bin/cat
[cat /proc/cpuinfo]
/usr/bin/cat
[cat /etc/issue]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
/usr/bin/journalctl
[journalctl -S @0 -u sshd]
/usr/bin/cat
[cat /var/log/auth*]
/usr/bin/zcat
[zcat /var/log/auth*]
/usr/local/sbin/gzip
[gzip -cd /var/log/auth*]
/usr/local/bin/gzip
[gzip -cd /var/log/auth*]
/usr/sbin/gzip
[gzip -cd /var/log/auth*]
/usr/bin/gzip
[gzip -cd /var/log/auth*]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
/usr/bin/free
[free -m]
/usr/bin/uptime
[uptime]
Network
| Country | Destination | Proto | Domain |
| N/A | 224.0.0.251:5353 | udp | |
| US | 11.202.253.35:2222 | tcp | |
| ES | 81.47.190.64:22 | tcp | |
| US | 56.160.20.119:22 | tcp | |
| US | 174.97.228.148:22 | tcp | |
| NZ | 118.90.2.178:22 | tcp | |
| TH | 171.96.46.121:2222 | tcp | |
| US | 72.206.127.67:22 | tcp | |
| MA | 196.85.193.57:22 | tcp | |
| CN | 182.49.139.24:2222 | tcp | |
| BR | 201.76.5.164:2222 | tcp | |
| N/A | 250.88.97.117:22 | tcp | |
| NZ | 219.89.91.38:22 | tcp | |
| N/A | 248.16.63.127:2222 | tcp | |
| TH | 171.96.46.121:22 | tcp | |
| JP | 160.27.195.49:22 | tcp | |
| US | 161.199.238.12:2222 | tcp | |
| UG | 102.84.75.204:22 | tcp | |
| CN | 175.66.203.146:2222 | tcp | |
| FR | 145.231.198.167:2222 | tcp | |
| US | 184.211.42.192:2222 | tcp | |
| US | 15.163.212.134:2222 | tcp | |
| KR | 134.75.179.61:22 | tcp | |
| MU | 196.63.36.95:2222 | tcp | |
| US | 56.172.201.83:2222 | tcp | |
| ZA | 154.114.49.54:22 | tcp | |
| US | 64.67.152.201:2222 | tcp | |
| N/A | 242.122.191.153:22 | tcp | |
| CN | 111.151.173.3:2222 | tcp | |
| CN | 124.151.12.63:22 | tcp | |
| US | 134.134.8.148:2222 | tcp | |
| BR | 201.45.189.97:22 | tcp | |
| N/A | 250.88.97.117:2222 | tcp | |
| CN | 182.144.108.110:22 | tcp | |
| CN | 182.49.139.24:22 | tcp | |
| CA | 142.15.169.253:2222 | tcp | |
| MU | 196.63.36.95:22 | tcp | |
| US | 144.60.220.114:22 | tcp | |
| US | 107.160.210.203:22 | tcp | |
| CZ | 193.37.227.156:2222 | tcp | |
| MA | 196.85.193.57:2222 | tcp | |
| CN | 124.151.12.63:2222 | tcp | |
| CN | 175.66.203.146:22 | tcp | |
| CH | 57.40.8.230:22 | tcp | |
| US | 172.57.176.219:2222 | tcp | |
| US | 17.21.179.189:22 | tcp | |
| US | 54.163.70.35:2222 | tcp | |
| CH | 57.40.8.230:2222 | tcp | |
| US | 72.206.127.67:2222 | tcp | |
| NZ | 118.90.2.178:2222 | tcp | |
| US | 56.172.201.83:22 | tcp | |
| BR | 201.45.189.97:2222 | tcp | |
| DE | 31.225.61.6:2222 | tcp | |
| HN | 179.49.114.169:22 | tcp | |
| US | 97.127.115.79:2222 | tcp | |
| JP | 36.3.252.112:22 | tcp | |
| US | 63.19.146.65:2222 | tcp | |
| JP | 160.27.195.49:2222 | tcp | |
| US | 15.163.212.134:22 | tcp | |
| US | 63.19.146.65:22 | tcp | |
| US | 34.108.19.57:22 | tcp | |
| US | 172.57.176.219:22 | tcp | |
| US | 76.2.158.129:22 | tcp | |
| N/A | 248.16.63.127:22 | tcp | |
| GB | 17.79.45.41:22 | tcp | |
| BR | 201.76.5.164:22 | tcp | |
Files
/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/nc
| MD5 | 8f0cb7af15afe40ed85f35e1b40b8f38 |
| SHA1 | 525f97d6e7e3cbb611a1cf37e955c0656f4b3c06 |
| SHA256 | 3205603282a636979a55aa1e1be518cd3adcbbe491745d996ceb4b5a4dece0c5 |
| SHA512 | bd9e97b4042d89e081eced5781149b0d8e28a6e9d35c2a449a21aee26765ed8eea560434ba5e9a897c4e4c89d7a2b8997e31ad4ac2202a940b8731a5f447170d |