Analysis Overview
score
10/10
SHA256
d701a12afd0283146465a10768abd1c88c059277d94884c3ed1e04ae03254ae5
Threat Level: Known bad
The file 6a7b7147fea63d77368c73cef205eb75d16ef209a246b05698358a28fd16e502.zip was found to be: Known bad.
Malicious Activity Summary
Blackmatter family
Deletes system logs
Modifies hosts file
Writes DNS configuration
Creates/modifies Cron job
Reads CPU attributes
Writes file to tmp directory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-07-27 06:37
Signatures
Blackmatter family
Analysis: behavioral1
Detonation Overview
Submitted
2022-07-27 06:37
Reported
2022-07-27 06:38
Platform
ubuntu1804-amd64-en-20211208
Max time kernel
0s
Max time network
7s
Command Line
[/tmp/Linux.encryptor]
Signatures
Deletes system logs
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| /var/log/dist-upgrade | /var/log/dist-upgrade | N/A | N/A |
| /var/log/apt | /var/log/apt | N/A | N/A |
| /var/log/installer | /var/log/installer | N/A | N/A |
| /var/log/installer/cdebconf | /var/log/installer/cdebconf | N/A | N/A |
| /var/log/journal | /var/log/journal | N/A | N/A |
| /var/log/journal/40aaf6fa720047dbb97c78c09debbef3 | /var/log/journal/40aaf6fa720047dbb97c78c09debbef3 | N/A | N/A |
Modifies hosts file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| /etc/hosts | /etc/hosts | N/A | N/A |
Writes DNS configuration
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| /etc/resolv.conf | /etc/resolv.conf | N/A | N/A |
Creates/modifies Cron job
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| /var/spool/cron/crontabs | /var/spool/cron/crontabs | N/A | N/A |
Reads CPU attributes
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| /sys/devices/system/cpu/online | /sys/devices/system/cpu/online | N/A | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| /tmp/Linux.encryptor | /tmp/Linux.encryptor | N/A | N/A |
| /tmp/.DBFD055C-9CF2-4BB8-908E-6DA22321BF17 | /tmp/.DBFD055C-9CF2-4BB8-908E-6DA22321BF17 | /tmp/Linux.encryptor | N/A |
| /tmp/main.log | /tmp/main.log | N/A | N/A |
Processes
/tmp/Linux.encryptor
[/tmp/Linux.encryptor]
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 1.1.1.1:53 | mojobiden.com | udp |
| US | 207.244.67.174:80 | mojobiden.com | tcp |
| US | 1.1.1.1:53 | paymenthacks.com | udp |
| US | 103.224.212.222:80 | paymenthacks.com | tcp |
Files
N/A