Analysis
max time kernel: 0s
max time network: 153s
platform: linux_amd64
resource: ubuntu1804-amd64-en-20211208
resource tags: arch:amd64, arch:i386, image:ubuntu1804-amd64-en-20211208, kernel:4.15.0-161-generic, locale:en-us, os:ubuntu-18.04-amd64, system
submitted: 25-07-2022 02:41
Behavioral task
behavioral1
Sample: dd7192e39a1b9bc7f81041b1af58775f649c9746ea3dca2ce2acdf4cf79a76e8
Resource: ubuntu1804-amd64-en-20211208 (ubuntu-18.04-amd64)
3 signatures, 150 seconds
General
Target: dd7192e39a1b9bc7f81041b1af58775f649c9746ea3dca2ce2acdf4cf79a76e8
Size: 8.2MB
MD5: f06120e951ac7b534a04f8637ad65f82
SHA1: 85a030f4f3ebcfd100fcb687737adf50ac23f066
SHA256: dd7192e39a1b9bc7f81041b1af58775f649c9746ea3dca2ce2acdf4cf79a76e8
SHA512: c3c41fef917f50e47900420cde9bf79c5f8872e9bece902f0e9e5dd5eede3adcb8b8abab8ceae614a176ec0df3fec5fa9c2fc0427d9175db7d14f2ab3be90676
Score: 9/10
Malware Config
Signatures

Attempts to identify hypervisor via CPU configuration (1 TTP, 2 IoCs)
Checks CPU information for indicators that the system is a virtual machine.
Processes (ioc / process):
  /proc/cpuinfo / cat
  /proc/cpuinfo / cat

Reads runtime system information (4 IoCs)
Reads data from the /proc virtual filesystem.
Processes (ioc / process):
  /proc/sys/net/core/somaxconn / dd7192e39a1b9bc7f81041b1af58775f649c9746ea3dca2ce2acdf4cf79a76e8
  /proc/version / cat
  /proc/sys/net/core/somaxconn / dd7192e39a1b9bc7f81041b1af58775f649c9746ea3dca2ce2acdf4cf79a76e8
  /proc/version / cat

Writes file to tmp directory (4 IoCs)
Malware often drops required files in the /tmp directory.
Processes (ioc / process; crontab is the only process named in this table):
  /tmp/.pid
  /tmp/nip9iNeiph5chee
  /tmp/nip9iNeiph5chee / crontab
  /tmp/[stealth].pid
Processes
(image, then command line; indentation follows the parent/child depth recorded by the sandbox)

/tmp/dd7192e39a1b9bc7f81041b1af58775f649c9746ea3dca2ce2acdf4cf79a76e8  cmdline: /tmp/dd7192e39a1b9bc7f81041b1af58775f649c9746ea3dca2ce2acdf4cf79a76e8
  - Reads runtime system information
    /bin/cat  cmdline: cat /proc/version
      - Reads runtime system information
/bin/cat  cmdline: cat /proc/cpuinfo
  - Attempts to identify hypervisor via CPU configuration
/bin/uname  cmdline: uname -a
/usr/bin/getconf  cmdline: getconf LONG_BIT
/tmp/dd7192e39a1b9bc7f81041b1af58775f649c9746ea3dca2ce2acdf4cf79a76e8  cmdline: "[stealth]"
  - Reads runtime system information
    /bin/cat  cmdline: cat /proc/version
      - Reads runtime system information
/bin/cat  cmdline: cat /proc/cpuinfo
  - Attempts to identify hypervisor via CPU configuration
/bin/uname  cmdline: uname -a
/usr/bin/getconf  cmdline: getconf LONG_BIT
/usr/bin/crontab  cmdline: /usr/bin/crontab /tmp/nip9iNeiph5chee
  - Writes file to tmp directory
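The signature table and process tree above are the sandbox's output; the following is an added example (editor's code, not from the report or the sample) that re-derives the same three signatures from process/file events and shows what a /proc/cpuinfo hypervisor check actually keys on. The ProcEvent layout, the VM_STRINGS list, both cpuinfo dumps and the assignment of the /tmp writes to the "[stealth]" process are constructed assumptions; the report only lists the paths. It also adds two follow-up checks the report's signatures imply but do not name: crontab loading a file from /tmp, and an argv[0] that no longer matches the on-disk image.

```python
# Added example, not part of this sandbox report. It re-derives the report's
# signatures from process/file events and shows the /proc/cpuinfo check such a
# sample could be using. The ProcEvent layout, VM_STRINGS, the cpuinfo dumps and
# the assignment of /tmp writes to the "[stealth]" process are assumptions.
from collections import defaultdict
from dataclasses import dataclass, field

SAMPLE = "dd7192e39a1b9bc7f81041b1af58775f649c9746ea3dca2ce2acdf4cf79a76e8"


@dataclass
class ProcEvent:
    image: str                                   # on-disk executable path
    cmdline: str                                 # argv joined as one string
    reads: list = field(default_factory=list)    # files opened for reading
    writes: list = field(default_factory=list)   # files created or written


# Constructed events modelled on the process tree above (who wrote which
# /tmp file is an assumption; the report only lists the paths).
EVENTS = [
    ProcEvent(f"/tmp/{SAMPLE}", f"/tmp/{SAMPLE}", reads=["/proc/sys/net/core/somaxconn"]),
    ProcEvent("/bin/cat", "cat /proc/version", reads=["/proc/version"]),
    ProcEvent("/bin/cat", "cat /proc/cpuinfo", reads=["/proc/cpuinfo"]),
    ProcEvent("/bin/uname", "uname -a"),
    ProcEvent("/usr/bin/getconf", "getconf LONG_BIT"),
    ProcEvent(f"/tmp/{SAMPLE}", '"[stealth]"', reads=["/proc/sys/net/core/somaxconn"],
              writes=["/tmp/.pid", "/tmp/nip9iNeiph5chee", "/tmp/[stealth].pid"]),
    ProcEvent("/bin/cat", "cat /proc/version", reads=["/proc/version"]),
    ProcEvent("/bin/cat", "cat /proc/cpuinfo", reads=["/proc/cpuinfo"]),
    ProcEvent("/bin/uname", "uname -a"),
    ProcEvent("/usr/bin/getconf", "getconf LONG_BIT"),
    ProcEvent("/usr/bin/crontab", "/usr/bin/crontab /tmp/nip9iNeiph5chee",
              reads=["/tmp/nip9iNeiph5chee"]),
]


def classify(events):
    """Return {signature: [(image, ioc), ...]} using the rules the report's
    three signatures imply, plus two follow-ups an analyst would add."""
    hits = defaultdict(list)
    for ev in events:
        for path in ev.reads:
            if path == "/proc/cpuinfo":
                hits["hypervisor_check"].append((ev.image, path))
            elif path.startswith("/proc/"):
                hits["reads_runtime_info"].append((ev.image, path))
        for path in ev.writes:
            if path.startswith("/tmp/"):
                hits["writes_tmp"].append((ev.image, path))
        argv = ev.cmdline.split()
        # crontab(1) loading a file from /tmp is the persistence step
        if ev.image.endswith("/crontab") and any(a.startswith("/tmp/") for a in argv[1:]):
            hits["crontab_from_tmp"].append((ev.image, ev.cmdline))
        # argv[0] that names neither the image nor its basename means the
        # process renamed itself (the report shows "[stealth]")
        argv0 = argv[0].strip('"') if argv else ""
        if argv and argv0 != ev.image and not ev.image.endswith("/" + argv0):
            hits["argv0_masked"].append((ev.image, argv0))
    return dict(hits)


# Assumed substrings a VM-aware sample might look for in "model name".
VM_STRINGS = ("qemu", "kvm", "vmware", "virtualbox", "xen", "virtual cpu")


def cpuinfo_vm_indicators(text):
    """Parse a /proc/cpuinfo dump and list the VM tells it contains: the
    'hypervisor' CPUID flag and hypervisor brand strings in the model name."""
    found = set()
    for line in text.splitlines():
        key, sep, val = line.partition(":")
        if not sep:
            continue
        key, val = key.strip(), val.strip().lower()
        if key == "flags" and "hypervisor" in val.split():
            found.add("flags:hypervisor")
        elif key == "model name" and any(s in val for s in VM_STRINGS):
            found.add("model name:" + val)
    return sorted(found)


# Constructed cpuinfo fragments: one from a QEMU/KVM guest, one from bare metal.
CPUINFO_VM = """processor\t: 0
vendor_id\t: GenuineIntel
model name\t: QEMU Virtual CPU version 2.5+
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep nx lm hypervisor lahf_lm
"""
CPUINFO_BARE = """processor\t: 0
vendor_id\t: GenuineIntel
model name\t: Intel(R) Core(TM) i7-8650U CPU @ 1.90GHz
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep nx lm lahf_lm
"""

if __name__ == "__main__":
    for sig, iocs in classify(EVENTS).items():
        print(f"{sig}: {len(iocs)} IoC(s)")
    print("VM indicators:", cpuinfo_vm_indicators(CPUINFO_VM))
    print("bare metal:", cpuinfo_vm_indicators(CPUINFO_BARE))
```

Run against the constructed events, classify() reproduces the report's counts (2 hypervisor-check IoCs, 4 runtime-information reads) and flags the crontab load from /tmp and the "[stealth]" argv[0] mask as separate findings. The cpuinfo parser returns an empty list for the bare-metal dump, which is what a sandbox that hides the hypervisor flag and CPU brand string would want the sample to see.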