Analysis
- max time kernel: 17676s
- max time network: 103s
- platform: linux_amd64
- resource: ubuntu1804-amd64-en-20211208
- submitted: 01-07-2022 05:38

Static task: static1
Behavioral task: behavioral1
Sample: 106db86e650ecabf95158ff04e0cb22e89682d792e31490e33828a74cff53104
Resource: ubuntu1804-amd64-en-20211208
General
- Target: 106db86e650ecabf95158ff04e0cb22e89682d792e31490e33828a74cff53104
- Size: 8.2MB
- MD5: af7bee72c11cf18c92b171ff8494c652
- SHA1: e3316f59eb7de8a140b09a7a49d14e8a7ebfe0ac
- SHA256: 106db86e650ecabf95158ff04e0cb22e89682d792e31490e33828a74cff53104
- SHA512: 0f5c50f643c801186a71df6ff4114e666476c996f6211cd7f992e6116a1df8671d08c103468f5311b5be343f7ee8475b63ed0606d779b8413ff9ae2801c620a6
Malware Config

Signatures
- Attempts to identify hypervisor via CPU configuration (1 TTPs, 2 IoCs)
  Checks CPU information for indicators that the system is a virtual machine.
  Processes:
    description      ioc              process
    /proc/cpuinfo    /proc/cpuinfo    cat
    /proc/cpuinfo    /proc/cpuinfo    cat
- Modifies hosts file (1 IoCs)
  Adds to hosts file used for mapping hosts to IP addresses.
  Processes:
    description    ioc
    /etc/hosts     /etc/hosts
- Writes DNS configuration (1 TTPs, 1 IoCs)
  Writes data to DNS resolver config file.
- Reads runtime system information (4 IoCs)
  Reads data from /proc virtual filesystem.
  Processes:
    description                      ioc                              process
    /proc/sys/net/core/somaxconn     /proc/sys/net/core/somaxconn     106db86e650ecabf95158ff04e0cb22e89682d792e31490e33828a74cff53104
    /proc/version                    /proc/version                    cat
    /proc/sys/net/core/somaxconn     /proc/sys/net/core/somaxconn     106db86e650ecabf95158ff04e0cb22e89682d792e31490e33828a74cff53104
    /proc/version                    /proc/version                    cat
- Writes file to tmp directory (4 IoCs)
  Malware often drops required files in the /tmp directory.
  Processes:
    description               ioc                       process
    /tmp/.pid                 /tmp/.pid
    /tmp/nip9iNeiph5chee      /tmp/nip9iNeiph5chee
    /tmp/nip9iNeiph5chee      /tmp/nip9iNeiph5chee      crontab
    /tmp/[stealth].pid        /tmp/[stealth].pid
Processes
- ./106db86e650ecabf95158ff04e0cb22e89682d792e31490e33828a74cff53104
  command: ./106db86e650ecabf95158ff04e0cb22e89682d792e31490e33828a74cff53104
  signatures: Reads runtime system information
  - /bin/cat
    command: cat /proc/version
    signatures: Reads runtime system information
- /bin/cat
  command: cat /proc/cpuinfo
  signatures: Attempts to identify hypervisor via CPU configuration
- /bin/uname
  command: uname -a
- /usr/bin/getconf
  command: getconf LONG_BIT
- /tmp/106db86e650ecabf95158ff04e0cb22e89682d792e31490e33828a74cff53104
  command: "[stealth]"
  signatures: Reads runtime system information
  - /bin/cat
    command: cat /proc/version
    signatures: Reads runtime system information
- /bin/cat
  command: cat /proc/cpuinfo
  signatures: Attempts to identify hypervisor via CPU configuration
- /bin/uname
  command: uname -a
- /usr/bin/getconf
  command: getconf LONG_BIT
- /usr/bin/crontab
  command: /usr/bin/crontab /tmp/nip9iNeiph5chee
  signatures: Writes file to tmp directory