General

  • Target

    hoze样本.zip

  • Size

    7.6MB

  • Sample

    241202-c45dmazqfq

  • MD5

    8bb80dc9058ea755ff166d45fbcdbdcf

  • SHA1

    e49e083725dcd42fba86a57959ea2cae6c7aed57

  • SHA256

    747091fd60a9c41ff26d3878bac923c9c14b5472238874754577e14d47b8cba7

  • SHA512

    87dab1c4e11517538113fddfd22877817455a99a0664c340c56417e9f46d4165ac7236307710378db1016628e664871f2a7db2fd48c752c17fc09370abed7226

  • SSDEEP

    196608:8Qz8WgK/p06m121FaxrhZeeWDLAfVPKRWC9:tz5gK/m6mw1U2Dc4EA

Malware Config

Targets

    • Target

      xrx/chattr

    • Size

      35KB

    • MD5

      a074fef55aacf28bd6d7a5b2f5a99fc9

    • SHA1

      2217b96394209dac95f75bdbd78f97f48a2c7f5d

    • SHA256

      34a4f26cb133ab9bfaf9339e73b3421f88b3cf2ae7b59be0a186b19f8dd3fb66

    • SHA512

      4c1899197719512f4088253bb8579f139f8a21a67f8f801009c1a3137335ca677d1ef43cebd6d3b05f45fb20b5fe3561798f9a8a720a82442382d620109abf14

    • SSDEEP

      768:5TPE/yJQgRjt7wEYp2EeggGPVyzErU2np:xjQgVt8EYp2ETPoorUq

    • Score

      1/10

    • Target

      xrx/init.sh

    • Size

      1020KB

    • MD5

      42693670c71a529a11e81943f5b36c5b

    • SHA1

      9026cc25786215bba3bc06c4875f7da410425f8c

    • SHA256

      eb2329422e52901d0bea0c0fcc4b3a6d1923ef278a96d2a14ab1839882cd0ecf

    • SHA512

      a92d9bd9cd4c1c81a2e8042a9b7c31badba5e033743f34fb851b60350c5833afb246c64fc982112afecad9b1fc48bfdeab16a7bda169b4a635a8922549067d82

    • SSDEEP

      12288:ztLJzlNZDaY9FnavUIqEhgvmKe36myOP7/67LN5kwrHNq9EnE:zvxNZD7FnavUILhgvJeb/67LFLNq9

    • Score

      6/10

    • Enumerates running processes

      Discovers information about currently running processes on the system.

    • Target

      xrx/init0

    • Size

      1.0MB

    • MD5

      73f9917255a953eb749f5a3c90e3b383

    • SHA1

      c8e392cf523aca7e2df62f72d68c83829f0c085d

    • SHA256

      c5c11802623d02ba9b1c2c7a52579dbf0c3aa4c87ae6fc85cbfcd71dffffec27

    • SHA512

      65b8946b67d42003272690266ccddb59ce715edd16eb6e67e8c3e2b34bb9e092ec736900432efbc1c70777c831742f820b61de8098a6438005641df4f3ddbe46

    • SSDEEP

      12288:fbS+JhtEBBYYFkfciIqELZ3OlN6myOP7/i7L95k2rHNq9EnE:fXJ/EBJFkfciIjLZ3Ih/i7LbLNq9

    • Adds new SSH keys

      Modifies the Linux special file that holds SSH keys. The threat actor may add new keys for further remote access.

    • Modifies password files for system users/groups

      Modifies files storing password hashes of existing users/groups, likely to grant additional privileges.

    • File and Directory Permissions Modification

      Adversaries may modify file or directory permissions to evade defenses.

    • OS Credential Dumping

      Adversaries may attempt to dump credentials to use them in password cracking.

    • Abuse Elevation Control Mechanism: Sudo and Sudo Caching

      Abuse sudo or cached sudo credentials to execute code.

    • Attempts to change immutable files

      Modifies inode attributes on the filesystem so that immutable files can be changed.

    • Creates/modifies Cron job

      Cron allows running tasks on a schedule, and is commonly used for malware persistence.

    • Enumerates running processes

      Discovers information about currently running processes on the system.

    • Target

      xrx/scp

    • Size

      63B

    • MD5

      7e21ae4da5edbbe4adaeacd5f7c1ece6

    • SHA1

      f5574230833e98e010ecea9ceb027c2981f57488

    • SHA256

      fc26873006164decacbcfb01d246b54539b786b404be0bb1a5cde5263031663a

    • SHA512

      113ca3b1217fa477acd003d65faac8913e805281ae7f664a7a91d6195c0e354831645238f98c6c9d7fe622587065e1db5e7d2a2385ad32ff17b6644832563b1c

    • Score

      1/10

    • Target

      xrx/secure

    • Size

      1023KB

    • MD5

      069ad3938c3f9c049f670a8eb49dc1d8

    • SHA1

      f4fd0c87a18d45ab4b642f32a94673c949ab7caf

    • SHA256

      84d4b99f0d98900b4eadb7e107bf54196f2e5796d8707ebf0dcd76f5b6693295

    • SHA512

      3c627883f53082face65b22d353c1926c4d4f4de008cf41cf2a3326762ad080dd95324f2fd35c3f60c069df4fb2c510d4fa07b26cbc404678f8a655c884beedb

    • SSDEEP

      12288:SBgtRmLBGYhFcueTIqRe/w/Yt6myOP7/x7L15k7bKrHNq9EnE:SQRmLBTFcueTIie/wgB/x7LFLNq9

    • File and Directory Permissions Modification

      Adversaries may modify file or directory permissions to evade defenses.

    • Attempts to change immutable files

      Modifies inode attributes on the filesystem so that immutable files can be changed.

    • Enumerates running processes

      Discovers information about currently running processes on the system.

    • Target

      xrx/uninstall.sh

    • Size

      2KB

    • MD5

      e4cc1a7f992909e8509520fdd6c9a3f7

    • SHA1

      2978a46c0be87a65e4371c0682329fbda7f631b0

    • SHA256

      5b6783965bcab2350aa9559c6f4c08fe44d7ae764ac8fbdcb7722056a2b000d3

    • SHA512

      20e14b888f90e5f5ee3c560326f16be46dfded9cf992a8436295d0318c41336109cc9750e9f3b9e5461cd95fc226da9619af0b65fdcf9093c289df983cb5040b

    • Score

      6/10

    • Enumerates running processes

      Discovers information about currently running processes on the system.

    • Target

      xrx/xrx

    • Size

      5.9MB

    • MD5

      9d099882a24757ac5033b0c675fecbe5

    • SHA1

      1c1b1a4608918b6e95065c86b4a338e245ab36b2

    • SHA256

      fb86120a4a1b13b29957eb5f95f7857cf9e469514fc20d25fad02ae87bf99091

    • SHA512

      a59a855b10c0b0a0f84cfdfa89ae004c76be08a4879761d588810ef2e5f247298be63e3cd60dd2510ab35e3f3653fa4423ffb579c17f7b3e09ac47c5d4aeb9d0

    • SSDEEP

      98304:h5ge1EgVtDw6pvf0pttZppppppZppppRlclclJGToGToGTCaqOpU6cXTpKDL4xW+:hNrD2irwCYM5qDv

    • Score

      6/10

    • Checks hardware identifiers (DMI)

      Checks DMI information that indicates whether the system is a virtual machine.

    • Reads hardware information

      Accesses system information such as serial numbers, manufacturer names, etc.

MITRE ATT&CK Enterprise v15

Tasks