Overview (score 10)
Static (score 10)

Analysis tasks (sample, platform, score):
xrx/chattr          ubuntu-24.04-amd64   1
xrx/init.sh         ubuntu-24.04-amd64   6
xrx/init0           ubuntu-18.04-amd64   8
xrx/scp             ubuntu-18.04-amd64   1
xrx/scp             debian-9-armhf       1
xrx/scp             debian-9-mips        1
xrx/scp             debian-9-mipsel      1
xrx/secure          ubuntu-24.04-amd64   7
xrx/uninstall.sh    ubuntu-18.04-amd64   6
xrx/uninstall.sh    debian-9-armhf       6
xrx/uninstall.sh    debian-9-mips        6
xrx/uninstall.sh    debian-9-mipsel      6
xrx/xrx             ubuntu-24.04-amd64   6

General
Target: hoze样本.zip
Size: 7.6MB
Sample: 241202-c45dmazqfq
MD5: 8bb80dc9058ea755ff166d45fbcdbdcf
SHA1: e49e083725dcd42fba86a57959ea2cae6c7aed57
SHA256: 747091fd60a9c41ff26d3878bac923c9c14b5472238874754577e14d47b8cba7
SHA512: 87dab1c4e11517538113fddfd22877817455a99a0664c340c56417e9f46d4165ac7236307710378db1016628e664871f2a7db2fd48c752c17fc09370abed7226
SSDEEP: 196608:8Qz8WgK/p06m121FaxrhZeeWDLAfVPKRWC9:tz5gK/m6mw1U2Dc4EA
Behavioral tasks (task, sample, resource):
behavioral1    xrx/chattr         ubuntu2404-amd64-20240523-en
behavioral2    xrx/init.sh        ubuntu2404-amd64-20240523-en
behavioral3    xrx/init0          ubuntu1804-amd64-20240611-en
behavioral4    xrx/scp            ubuntu1804-amd64-20240611-en
behavioral5    xrx/scp            debian9-armhf-20240418-en
behavioral6    xrx/scp            debian9-mipsbe-20240418-en
behavioral7    xrx/scp            debian9-mipsel-20240226-en
behavioral8    xrx/secure         ubuntu2404-amd64-20240523-en
behavioral9    xrx/uninstall.sh   ubuntu1804-amd64-20240729-en
behavioral10   xrx/uninstall.sh   debian9-armhf-20240611-en
behavioral11   xrx/uninstall.sh   debian9-mipsbe-20240418-en
behavioral12   xrx/uninstall.sh   debian9-mipsel-20240611-en
Malware Config

Targets

Target: xrx/chattr
Size: 35KB
MD5: a074fef55aacf28bd6d7a5b2f5a99fc9
SHA1: 2217b96394209dac95f75bdbd78f97f48a2c7f5d
SHA256: 34a4f26cb133ab9bfaf9339e73b3421f88b3cf2ae7b59be0a186b19f8dd3fb66
SHA512: 4c1899197719512f4088253bb8579f139f8a21a67f8f801009c1a3137335ca677d1ef43cebd6d3b05f45fb20b5fe3561798f9a8a720a82442382d620109abf14
SSDEEP: 768:5TPE/yJQgRjt7wEYp2EeggGPVyzErU2np:xjQgVt8EYp2ETPoorUq
Score: 1/10

Target: xrx/init.sh
Size: 1020KB
MD5: 42693670c71a529a11e81943f5b36c5b
SHA1: 9026cc25786215bba3bc06c4875f7da410425f8c
SHA256: eb2329422e52901d0bea0c0fcc4b3a6d1923ef278a96d2a14ab1839882cd0ecf
SHA512: a92d9bd9cd4c1c81a2e8042a9b7c31badba5e033743f34fb851b60350c5833afb246c64fc982112afecad9b1fc48bfdeab16a7bda169b4a635a8922549067d82
SSDEEP: 12288:ztLJzlNZDaY9FnavUIqEhgvmKe36myOP7/67LN5kwrHNq9EnE:zvxNZD7FnavUILhgvJeb/67LFLNq9
Score: 6/10
Signatures:
- Enumerates running processes: Discovers information about currently running processes on the system.

Target: xrx/init0
Size: 1.0MB
MD5: 73f9917255a953eb749f5a3c90e3b383
SHA1: c8e392cf523aca7e2df62f72d68c83829f0c085d
SHA256: c5c11802623d02ba9b1c2c7a52579dbf0c3aa4c87ae6fc85cbfcd71dffffec27
SHA512: 65b8946b67d42003272690266ccddb59ce715edd16eb6e67e8c3e2b34bb9e092ec736900432efbc1c70777c831742f820b61de8098a6438005641df4f3ddbe46
SSDEEP: 12288:fbS+JhtEBBYYFkfciIqELZ3OlN6myOP7/i7L95k2rHNq9EnE:fXJ/EBJFkfciIjLZ3Ih/i7LbLNq9
Signatures:
- Adds new SSH keys: Writes to the Linux special file that holds SSH keys. The threat actor may add new keys for further remote access.
- Modifies password files for system users/groups: Modifies files storing password hashes of existing users/groups, likely to grant additional privileges.
- File and Directory Permissions Modification: Adversaries may modify file or directory permissions to evade defenses.
- OS Credential Dumping: Adversaries may attempt to dump credentials to use them in password cracking.
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching: Abuses sudo or cached sudo credentials to execute code.
- Attempts to change immutable files: Modifies inode attributes on the filesystem to allow changing of immutable files.
- Creates/modifies Cron job: Cron allows running tasks on a schedule, and is commonly used for malware persistence.
- Enumerates running processes: Discovers information about currently running processes on the system.

Target: xrx/scp
Size: 63B
MD5: 7e21ae4da5edbbe4adaeacd5f7c1ece6
SHA1: f5574230833e98e010ecea9ceb027c2981f57488
SHA256: fc26873006164decacbcfb01d246b54539b786b404be0bb1a5cde5263031663a
SHA512: 113ca3b1217fa477acd003d65faac8913e805281ae7f664a7a91d6195c0e354831645238f98c6c9d7fe622587065e1db5e7d2a2385ad32ff17b6644832563b1c
Score: 1/10

Target: xrx/secure
Size: 1023KB
MD5: 069ad3938c3f9c049f670a8eb49dc1d8
SHA1: f4fd0c87a18d45ab4b642f32a94673c949ab7caf
SHA256: 84d4b99f0d98900b4eadb7e107bf54196f2e5796d8707ebf0dcd76f5b6693295
SHA512: 3c627883f53082face65b22d353c1926c4d4f4de008cf41cf2a3326762ad080dd95324f2fd35c3f60c069df4fb2c510d4fa07b26cbc404678f8a655c884beedb
SSDEEP: 12288:SBgtRmLBGYhFcueTIqRe/w/Yt6myOP7/x7L15k7bKrHNq9EnE:SQRmLBTFcueTIie/wgB/x7LFLNq9
Score: 7/10
Signatures:
- File and Directory Permissions Modification: Adversaries may modify file or directory permissions to evade defenses.
- Attempts to change immutable files: Modifies inode attributes on the filesystem to allow changing of immutable files.
- Enumerates running processes: Discovers information about currently running processes on the system.

Target: xrx/uninstall.sh
Size: 2KB
MD5: e4cc1a7f992909e8509520fdd6c9a3f7
SHA1: 2978a46c0be87a65e4371c0682329fbda7f631b0
SHA256: 5b6783965bcab2350aa9559c6f4c08fe44d7ae764ac8fbdcb7722056a2b000d3
SHA512: 20e14b888f90e5f5ee3c560326f16be46dfded9cf992a8436295d0318c41336109cc9750e9f3b9e5461cd95fc226da9619af0b65fdcf9093c289df983cb5040b
Score: 6/10
Signatures:
- Enumerates running processes: Discovers information about currently running processes on the system.

Target: xrx/xrx
Size: 5.9MB
MD5: 9d099882a24757ac5033b0c675fecbe5
SHA1: 1c1b1a4608918b6e95065c86b4a338e245ab36b2
SHA256: fb86120a4a1b13b29957eb5f95f7857cf9e469514fc20d25fad02ae87bf99091
SHA512: a59a855b10c0b0a0f84cfdfa89ae004c76be08a4879761d588810ef2e5f247298be63e3cd60dd2510ab35e3f3653fa4423ffb579c17f7b3e09ac47c5d4aeb9d0
SSDEEP: 98304:h5ge1EgVtDw6pvf0pttZppppppZppppRlclclJGToGToGTCaqOpU6cXTpKDL4xW+:hNrD2irwCYM5qDv
Signatures:
- Checks hardware identifiers (DMI): Checks DMI information that indicates whether the system is a virtual machine.
- Reads hardware information: Accesses system information such as serial numbers and manufacturer names.

MITRE ATT&CK Enterprise v15 (signature counts in parentheses)

Persistence
  Account Manipulation (1)
    SSH Authorized Keys (1)
  Modify Authentication Process (1)
    Pluggable Authentication Modules (1)
  Scheduled Task/Job (1)
    Cron (1)

Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Sudo and Sudo Caching (1)
  Account Manipulation (1)
    SSH Authorized Keys (1)
  Scheduled Task/Job (1)
    Cron (1)

Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Sudo and Sudo Caching (1)
  File and Directory Permissions Modification (1)
    Linux and Mac File and Directory Permissions Modification (1)
  Modify Authentication Process (1)
    Pluggable Authentication Modules (1)
  Virtualization/Sandbox Evasion (2)
    System Checks (2)

Credential Access
  Modify Authentication Process (1)
    Pluggable Authentication Modules (1)
  OS Credential Dumping (1)
    /etc/passwd and /etc/shadow (1)