b7dd3bce3ebfbc2d5e3a9f00d47f27cb6a5895c4618c878e314e573a7c216df1

Resubmissions

22/10/2024, 02:07

241022-cka1nssfkj 10

Analysis

max time kernel
149s
max time network
151s
platform
ubuntu-24.04_amd64
resource
ubuntu2404-amd64-20240523-en
resource tags

arch:amd64arch:i386image:ubuntu2404-amd64-20240523-enkernel:6.8.0-31-genericlocale:en-usos:ubuntu-24.04-amd64system
submitted
22/10/2024, 02:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

The-MALWARE-Repo-master/Botnets/FritzFrog/5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59
Size

8.7MB
MD5

97cfb3c26a12e13792f7d1741309d767
SHA1

a010f85cdda9f83cbc738eb1b41cd621f3d6018e
SHA256

5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59
SHA512

162028b9e93bb4718427304a96767880da7094c99ae6145e61a562f09dae0ce6726b2dfac95782990f50fa9bfc9f82b1aacb9e7b12442094137872fa8a3f3379
SSDEEP

98304:yM1SkPCVk8rOmgYcGrr69gRQTI6xmiiLuSESStOAco7Xk:yM1SkPCVkIgcWAQ06xniLuSExR

Score

8^/10

antivm defense_evasion discovery persistence privilege_escalation

Malware Config

Signatures

Adds new SSH keys 1 TTPs 1 IoCs

Linux special file to hold SSH keys. The threat actor may add new keys for further remote access.

persistence privilege_escalation

SSH Authorized Keys

T1098.004

description	ioc	Process
File opened for modification	/root/.ssh/authorized_keys	5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59

Deletes itself 1 IoCs

pid	Process
2461	5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59

Deletes log files 1 TTPs 1 IoCs

Deletes log files on the system.

defense_evasion

Clear Linux or Mac System Logs

T1070.002

description	ioc	Process
File deleted	/var/log/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59	5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59

Enumerates running processes
Discovers information about currently running processes on the system

Virtualization/Sandbox Evasion: Time Based Evasion 1 TTPs 15 IoCs

Adversaries may detect and evade virtualized environments and sandboxes.

defense_evasion

Time Based Evasion

T1497.003

pid	Process
2531	uptime
2494	uptime
2499	uptime
2497	uptime
2507	uptime
2485	uptime
2492	uptime
2501	uptime
2503	uptime
2505	uptime
2524	uptime
2477	uptime
2483	uptime
2490	uptime
2529	uptime

Checks CPU configuration 1 TTPs 1 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

description	ioc	Process
File opened for reading	/proc/cpuinfo	cat

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/sys/net/core/somaxconn	5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59
File opened for reading	/proc/23/cmdline	5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59
File opened for reading	/proc/46/stat	5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59
File opened for reading	/proc/2279/stat	5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59
File opened for reading	/proc/790/stat	5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59
File opened for reading	/proc/2098/stat	5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59
File opened for reading	/proc/1879/cmdline	5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59
File opened for reading	/proc/2150/cmdline	5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59
File opened for reading	/proc/8/cmdline	5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59
File opened for reading	/proc/1055/stat	5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59
File opened for reading	/proc/1729/stat	5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59
File opened for reading	/proc/1093/cmdline	5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59
File opened for reading	/proc/15/cmdline	5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59
File opened for reading	/proc/1817/cmdline	5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59
File opened for reading	/proc/1894/cmdline	5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59
File opened for reading	/proc/32/stat	5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59
File opened for reading	/proc/1072/cmdline	5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59
File opened for reading	/proc/1895/cmdline	5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59
File opened for reading	/proc/48/cmdline	5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59
File opened for reading	/proc/832/cmdline	5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59
File opened for reading	/proc/30/stat	5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59
File opened for reading	/proc/1907/cmdline	5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59
File opened for reading	/proc/1910/cmdline	5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59
File opened for reading	/proc/1910/stat	5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59
File opened for reading	/proc/loadavg	uptime
File opened for reading	/proc/514/stat	5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59
File opened for reading	/proc/2218/cmdline	5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59
File opened for reading	/proc/2237/cmdline	5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59
File opened for reading	/proc/1072/stat	5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59
File opened for reading	/proc/27/stat	5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59
File opened for reading	/proc/43/stat	5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59
File opened for reading	/proc/1642/cmdline	5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59
File opened for reading	/proc/1647/cmdline	5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59
File opened for reading	/proc/2215/cmdline	5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59
File opened for reading	/proc/2/stat	5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59
File opened for reading	/proc/meminfo	free
File opened for reading	/proc/1749/cmdline	5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59
File opened for reading	/proc/2189/cmdline	5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59
File opened for reading	/proc/65/cmdline	5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59
File opened for reading	/proc/127/stat	5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59
File opened for reading	/proc/1895/stat	5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59
File opened for reading	/proc/loadavg	uptime
File opened for reading	/proc/1129/cmdline	5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59
File opened for reading	/proc/199/cmdline	5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59
File opened for reading	/proc/46/cmdline	5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59
File opened for reading	/proc/190/stat	5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59
File opened for reading	/proc/meminfo	free
File opened for reading	/proc/1851/cmdline	5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59
File opened for reading	/proc/18/stat	5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59
File opened for reading	/proc/1837/stat	5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59
File opened for reading	/proc/777/stat	5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59
File opened for reading	/proc/827/cmdline	5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59
File opened for reading	/proc/201/stat	5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59
File opened for reading	/proc/2171/stat	5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59
File opened for reading	/proc/uptime	uptime
File opened for reading	/proc/18/cmdline	5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59
File opened for reading	/proc/276/cmdline	5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59
File opened for reading	/proc/17/stat	5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59
File opened for reading	/proc/24/stat	5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59
File opened for reading	/proc/uptime	uptime
File opened for reading	/proc/2247/cmdline	5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59
File opened for reading	/proc/14/stat	5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59
File opened for reading	/proc/1814/stat	5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59
File opened for reading	/proc/3/stat	5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59

System Network Configuration Discovery 1 TTPs 4 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
2481	gzip
2481	gzip
2481	gzip
2481	gzip

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/nc	5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59

/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59
/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59
1⤵
- Adds new SSH keys
- Deletes itself
- Deletes log files
- Reads runtime system information
- Writes file to tmp directory
PID:2456
- /usr/bin/uname
  uname -a
  2⤵
  PID:2473
- /usr/bin/cat
  cat /proc/cpuinfo
  2⤵
  - Checks CPU configuration
  PID:2474
- /usr/bin/cat
  cat /etc/issue
  2⤵
  PID:2475
- /usr/bin/free
  free -m
  2⤵
  PID:2476
- /usr/bin/uptime
  uptime
  2⤵
  - Virtualization/Sandbox Evasion: Time Based Evasion
  PID:2477
- /usr/bin/journalctl
  journalctl -S "@0" -u sshd
  2⤵
  PID:2478
- /usr/bin/cat
  cat "/var/log/auth*"
  2⤵
  PID:2480
- /usr/bin/zcat
  zcat "/var/log/auth*"
  2⤵
  PID:2481
- /usr/local/sbin/gzip
  gzip -cd "/var/log/auth*"
  2⤵
  - System Network Configuration Discovery
  PID:2481
- /usr/local/bin/gzip
  gzip -cd "/var/log/auth*"
  2⤵
  - System Network Configuration Discovery
  PID:2481
- /usr/sbin/gzip
  gzip -cd "/var/log/auth*"
  2⤵
  - System Network Configuration Discovery
  PID:2481
- /usr/bin/gzip
  gzip -cd "/var/log/auth*"
  2⤵
  - System Network Configuration Discovery
  PID:2481
- /usr/bin/free
  free -m
  2⤵
  PID:2482
- /usr/bin/uptime
  uptime
  2⤵
  - Virtualization/Sandbox Evasion: Time Based Evasion
  PID:2483
- /usr/bin/free
  free -m
  2⤵
  PID:2484
- /usr/bin/uptime
  uptime
  2⤵
  - Virtualization/Sandbox Evasion: Time Based Evasion
  PID:2485
- /usr/bin/free
  free -m
  2⤵
  PID:2489
- /usr/bin/uptime
  uptime
  2⤵
  - Virtualization/Sandbox Evasion: Time Based Evasion
  PID:2490
- /usr/bin/free
  free -m
  2⤵
  PID:2491
- /usr/bin/uptime
  uptime
  2⤵
  - Virtualization/Sandbox Evasion: Time Based Evasion
  - Reads runtime system information
  PID:2492
- /usr/bin/free
  free -m
  2⤵
  - Reads runtime system information
  PID:2493
- /usr/bin/uptime
  uptime
  2⤵
  - Virtualization/Sandbox Evasion: Time Based Evasion
  - Reads runtime system information
  PID:2494
- /usr/bin/free
  free -m
  2⤵
  PID:2496
- /usr/bin/uptime
  uptime
  2⤵
  - Virtualization/Sandbox Evasion: Time Based Evasion
  PID:2497
- /usr/bin/free
  free -m
  2⤵
  - Reads runtime system information
  PID:2498
- /usr/bin/uptime
  uptime
  2⤵
  - Virtualization/Sandbox Evasion: Time Based Evasion
  PID:2499
- /usr/bin/free
  free -m
  2⤵
  PID:2500
- /usr/bin/uptime
  uptime
  2⤵
  - Virtualization/Sandbox Evasion: Time Based Evasion
  PID:2501
- /usr/bin/free
  free -m
  2⤵
  PID:2502
- /usr/bin/uptime
  uptime
  2⤵
  - Virtualization/Sandbox Evasion: Time Based Evasion
  PID:2503
- /usr/bin/free
  free -m
  2⤵
  PID:2504
- /usr/bin/uptime
  uptime
  2⤵
  - Virtualization/Sandbox Evasion: Time Based Evasion
  - Reads runtime system information
  PID:2505
- /usr/bin/free
  free -m
  2⤵
  PID:2506
- /usr/bin/uptime
  uptime
  2⤵
  - Virtualization/Sandbox Evasion: Time Based Evasion
  PID:2507
- /usr/bin/free
  free -m
  2⤵
  PID:2523
- /usr/bin/uptime
  uptime
  2⤵
  - Virtualization/Sandbox Evasion: Time Based Evasion
  PID:2524
- /usr/bin/free
  free -m
  2⤵
  PID:2528
- /usr/bin/uptime
  uptime
  2⤵
  - Virtualization/Sandbox Evasion: Time Based Evasion
  PID:2529
- /usr/bin/free
  free -m
  2⤵
  PID:2530
- /usr/bin/uptime
  uptime
  2⤵
  - Virtualization/Sandbox Evasion: Time Based Evasion
  - Reads runtime system information
  PID:2531

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Account Manipulation

T1098

SSH Authorized Keys

T1098.004

Privilege Escalation

Account Manipulation

T1098

SSH Authorized Keys

T1098.004

Defense Evasion

Indicator Removal

T1070

Clear Linux or Mac System Logs

T1070.002

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Time Based Evasion

T1497.003

Credential Access

Discovery

System Network Configuration Discovery

T1016

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Time Based Evasion

T1497.003

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/nc

Filesize
8.7MB

MD5
97cfb3c26a12e13792f7d1741309d767

SHA1
a010f85cdda9f83cbc738eb1b41cd621f3d6018e

SHA256
5fb29fb0136978b9ccf60750af09cec74a257a0ca9c47159ca74dbba21fbcc59

SHA512
162028b9e93bb4718427304a96767880da7094c99ae6145e61a562f09dae0ce6726b2dfac95782990f50fa9bfc9f82b1aacb9e7b12442094137872fa8a3f3379

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads