dd7192e39a1b9bc7f81041b1af58775f649c9746ea3dca2ce2acdf4cf79a76e8

Analysis

max time kernel
0s
max time network
153s
platform
linux_amd64
resource
ubuntu1804-amd64-en-20211208
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-en-20211208kernel:4.15.0-161-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
25-07-2022 02:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dd7192e39a1b9bc7f81041b1af58775f649c9746ea3dca2ce2acdf4cf79a76e8
Size

8.2MB
MD5

f06120e951ac7b534a04f8637ad65f82
SHA1

85a030f4f3ebcfd100fcb687737adf50ac23f066
SHA256

dd7192e39a1b9bc7f81041b1af58775f649c9746ea3dca2ce2acdf4cf79a76e8
SHA512

c3c41fef917f50e47900420cde9bf79c5f8872e9bece902f0e9e5dd5eede3adcb8b8abab8ceae614a176ec0df3fec5fa9c2fc0427d9175db7d14f2ab3be90676

Score

9^/10

antivm

Malware Config

Signatures

Attempts to identify hypervisor via CPU configuration 1 TTPs 2 IoCs
Checks CPU information for indicators that the system is a virtual machine.
antivm

Virtualization/Sandbox Evasion
T1497

Processes:

catcat

description ioc process

/proc/cpuinfo /proc/cpuinfo cat
/proc/cpuinfo /proc/cpuinfo cat

description	ioc	process
/proc/cpuinfo	/proc/cpuinfo	cat
/proc/cpuinfo	/proc/cpuinfo	cat

Reads runtime system information 4 IoCs

Reads data from /proc virtual filesystem.

Processes:

dd7192e39a1b9bc7f81041b1af58775f649c9746ea3dca2ce2acdf4cf79a76e8catdd7192e39a1b9bc7f81041b1af58775f649c9746ea3dca2ce2acdf4cf79a76e8cat

description	ioc	process
/proc/sys/net/core/somaxconn	/proc/sys/net/core/somaxconn	dd7192e39a1b9bc7f81041b1af58775f649c9746ea3dca2ce2acdf4cf79a76e8
/proc/version	/proc/version	cat
/proc/sys/net/core/somaxconn	/proc/sys/net/core/somaxconn	dd7192e39a1b9bc7f81041b1af58775f649c9746ea3dca2ce2acdf4cf79a76e8
/proc/version	/proc/version	cat

Writes file to tmp directory 4 IoCs

Malware often drops required files in the /tmp directory.

Processes:

crontab

description	ioc
/tmp/.pid	/tmp/.pid
/tmp/nip9iNeiph5chee	/tmp/nip9iNeiph5chee
/tmp/nip9iNeiph5chee	/tmp/nip9iNeiph5chee	crontab
/tmp/[stealth].pid	/tmp/[stealth].pid

/tmp/dd7192e39a1b9bc7f81041b1af58775f649c9746ea3dca2ce2acdf4cf79a76e8
/tmp/dd7192e39a1b9bc7f81041b1af58775f649c9746ea3dca2ce2acdf4cf79a76e8
1⤵
- Reads runtime system information
PID:571

/bin/cat
cat /proc/version
2⤵
- Reads runtime system information
PID:579

/bin/cat
cat /proc/cpuinfo
1⤵
- Attempts to identify hypervisor via CPU configuration
PID:580

/bin/uname
uname -a
1⤵
PID:581

/usr/bin/getconf
getconf LONG_BIT
1⤵
PID:582

/tmp/dd7192e39a1b9bc7f81041b1af58775f649c9746ea3dca2ce2acdf4cf79a76e8
"[stealth]"
1⤵
- Reads runtime system information
PID:583

/bin/cat
cat /proc/version
2⤵
- Reads runtime system information
PID:587

/bin/cat
cat /proc/cpuinfo
1⤵
- Attempts to identify hypervisor via CPU configuration
PID:588

/bin/uname
uname -a
1⤵
PID:589

/usr/bin/getconf
getconf LONG_BIT
1⤵
PID:590

/usr/bin/crontab
/usr/bin/crontab /tmp/nip9iNeiph5chee
1⤵
- Writes file to tmp directory
PID:592

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads