Malware Analysis Report

2024-10-24 18:33

Sample ID 210802-xqe2pesr3s
Target Linux.Encryptor
SHA256 6a7b7147fea63d77368c73cef205eb75d16ef209a246b05698358a28fd16e502
Tags
bab21ee475b52c0c9eb47d23ec9ba1d1 blackmatter persistence
score
9/10

Analysis Overview

score
9/10

SHA256

6a7b7147fea63d77368c73cef205eb75d16ef209a246b05698358a28fd16e502

Threat Level: Likely malicious

The file Linux.Encryptor was found to be: Likely malicious.

Malicious Activity Summary

bab21ee475b52c0c9eb47d23ec9ba1d1 blackmatter persistence

Blackmatter family

Deletes system logs

Modifies hosts file

Writes DNS configuration

Creates/modifies Cron job

Reads CPU attributes

Writes file to tmp directory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-08-26 17:30

Signatures

Blackmatter family

blackmatter

Analysis: behavioral1

Detonation Overview

Submitted

2021-08-02 18:37

Reported

2021-08-02 18:43

Platform

ubuntu-amd64

Max time kernel

22128s

Max time network

156s

Command Line

[./Linux.Encryptor]

Signatures

Deletes system logs

Description Indicator Process Target
/var/log/installer/cdebconf /var/log/installer/cdebconf N/A N/A
/var/log/dist-upgrade /var/log/dist-upgrade N/A N/A
/var/log/journal /var/log/journal N/A N/A
/var/log/journal/a44f0fe52e404b679b7b2c5bbcd8d157 /var/log/journal/a44f0fe52e404b679b7b2c5bbcd8d157 N/A N/A
/var/log/apt /var/log/apt N/A N/A
/var/log/installer /var/log/installer N/A N/A

Modifies hosts file

Description Indicator Process Target
/etc/hosts /etc/hosts N/A N/A

Writes DNS configuration

Description Indicator Process Target
/etc/resolv.conf /etc/resolv.conf N/A N/A

Creates/modifies Cron job

persistence
Description Indicator Process Target
/var/spool/cron/crontabs /var/spool/cron/crontabs N/A N/A

Reads CPU attributes

Description Indicator Process Target
/sys/devices/system/cpu/online /sys/devices/system/cpu/online N/A N/A

Writes file to tmp directory

Description Indicator Process Target
/tmp/.DBFD055C-9CF2-4BB8-908E-6DA22321BF17 /tmp/.DBFD055C-9CF2-4BB8-908E-6DA22321BF17 ./Linux.Encryptor N/A
/tmp/main.log /tmp/main.log N/A N/A
/tmp/./Linux.Encryptor /tmp/./Linux.Encryptor N/A N/A

Processes

./Linux.Encryptor

[./Linux.Encryptor]

Network

Country Destination Domain Proto
N/A 1.1.1.1:53 ntp.ubuntu.com udp
N/A 1.1.1.1:53 ntp.ubuntu.com udp
N/A 91.189.94.4:123 ntp.ubuntu.com udp
N/A 1.1.1.1:53 mojobiden.com udp
N/A 51.79.243.236:80 mojobiden.com tcp
N/A 91.189.94.4:123 ntp.ubuntu.com udp
N/A 91.189.94.4:123 ntp.ubuntu.com udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2021-08-02 18:37

Reported

2021-08-02 18:37

Platform

debian9-mipsel

Max time kernel

0s

Max time network

10s

Command Line

[./Linux.Encryptor]

Signatures

N/A

Processes

./Linux.Encryptor

[./Linux.Encryptor]

Network

Country Destination Domain Proto
N/A 1.1.1.1:53 2.debian.pool.ntp.org udp
N/A 1.1.1.1:53 2.debian.pool.ntp.org udp
N/A 5.79.108.34:123 2.debian.pool.ntp.org udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2021-08-02 18:37

Reported

2021-08-02 18:37

Platform

debian9-mipsbe

Max time kernel

0s

Command Line

[./Linux.Encryptor]

Signatures

N/A

Processes

./Linux.Encryptor

[./Linux.Encryptor]

Network

N/A

Files

N/A