Analysis Overview
SHA256
6a7b7147fea63d77368c73cef205eb75d16ef209a246b05698358a28fd16e502
Threat Level: Likely malicious
The file Linux.Encryptor was found to be: Likely malicious.
Malicious Activity Summary
Blackmatter family
Deletes system logs
Modifies hosts file
Writes DNS configuration
Creates/modifies Cron job
Reads CPU attributes
Writes file to tmp directory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-08-26 17:30
Signatures
Blackmatter family
Analysis: behavioral1
Detonation Overview
Submitted
2021-08-02 18:37
Reported
2021-08-02 18:43
Platform
ubuntu-amd64
Max time kernel
22128s
Max time network
156s
Command Line
Signatures
Deletes system logs
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| /var/log/installer/cdebconf | /var/log/installer/cdebconf | N/A | N/A |
| /var/log/dist-upgrade | /var/log/dist-upgrade | N/A | N/A |
| /var/log/journal | /var/log/journal | N/A | N/A |
| /var/log/journal/a44f0fe52e404b679b7b2c5bbcd8d157 | /var/log/journal/a44f0fe52e404b679b7b2c5bbcd8d157 | N/A | N/A |
| /var/log/apt | /var/log/apt | N/A | N/A |
| /var/log/installer | /var/log/installer | N/A | N/A |
Modifies hosts file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| /etc/hosts | /etc/hosts | N/A | N/A |
Writes DNS configuration
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| /etc/resolv.conf | /etc/resolv.conf | N/A | N/A |
Creates/modifies Cron job
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| /var/spool/cron/crontabs | /var/spool/cron/crontabs | N/A | N/A |
Reads CPU attributes
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| /sys/devices/system/cpu/online | /sys/devices/system/cpu/online | N/A | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| /tmp/.DBFD055C-9CF2-4BB8-908E-6DA22321BF17 | /tmp/.DBFD055C-9CF2-4BB8-908E-6DA22321BF17 | ./Linux.Encryptor | N/A |
| /tmp/main.log | /tmp/main.log | N/A | N/A |
| /tmp/./Linux.Encryptor | /tmp/./Linux.Encryptor | N/A | N/A |
Processes
./Linux.Encryptor
[./Linux.Encryptor]
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 1.1.1.1:53 | ntp.ubuntu.com | udp |
| N/A | 1.1.1.1:53 | ntp.ubuntu.com | udp |
| N/A | 91.189.94.4:123 | ntp.ubuntu.com | udp |
| N/A | 1.1.1.1:53 | mojobiden.com | udp |
| N/A | 51.79.243.236:80 | mojobiden.com | tcp |
| N/A | 91.189.94.4:123 | ntp.ubuntu.com | udp |
| N/A | 91.189.94.4:123 | ntp.ubuntu.com | udp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2021-08-02 18:37
Reported
2021-08-02 18:37
Platform
debian9-mipsel
Max time kernel
0s
Max time network
10s
Command Line
Signatures
Processes
./Linux.Encryptor
[./Linux.Encryptor]
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 1.1.1.1:53 | 2.debian.pool.ntp.org | udp |
| N/A | 1.1.1.1:53 | 2.debian.pool.ntp.org | udp |
| N/A | 5.79.108.34:123 | 2.debian.pool.ntp.org | udp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2021-08-02 18:37
Reported
2021-08-02 18:37
Platform
debian9-mipsbe
Max time kernel
0s
Command Line
Signatures
Processes
./Linux.Encryptor
[./Linux.Encryptor]