Malware Analysis Report

2024-10-16 03:22

Sample ID 220727-hdvz6aegb6
Target 6a7b7147fea63d77368c73cef205eb75d16ef209a246b05698358a28fd16e502.zip
SHA256 d701a12afd0283146465a10768abd1c88c059277d94884c3ed1e04ae03254ae5
Tags
bab21ee475b52c0c9eb47d23ec9ba1d1 blackmatter persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d701a12afd0283146465a10768abd1c88c059277d94884c3ed1e04ae03254ae5

Threat Level: Known bad

The file 6a7b7147fea63d77368c73cef205eb75d16ef209a246b05698358a28fd16e502.zip was found to be: Known bad.

Malicious Activity Summary

bab21ee475b52c0c9eb47d23ec9ba1d1 blackmatter persistence

Blackmatter family

Deletes system logs

Modifies hosts file

Writes DNS configuration

Creates/modifies Cron job

Reads CPU attributes

Writes file to tmp directory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-07-27 06:37

Signatures

Blackmatter family

blackmatter

Analysis: behavioral1

Detonation Overview

Submitted

2022-07-27 06:37

Reported

2022-07-27 06:38

Platform

ubuntu1804-amd64-en-20211208

Max time kernel

0s

Max time network

7s

Command Line

[/tmp/Linux.encryptor]

Signatures

Deletes system logs

Description                                         Indicator                                           Process  Target
/var/log/dist-upgrade                               /var/log/dist-upgrade                               N/A      N/A
/var/log/apt                                        /var/log/apt                                        N/A      N/A
/var/log/installer                                  /var/log/installer                                  N/A      N/A
/var/log/installer/cdebconf                         /var/log/installer/cdebconf                         N/A      N/A
/var/log/journal                                    /var/log/journal                                    N/A      N/A
/var/log/journal/40aaf6fa720047dbb97c78c09debbef3   /var/log/journal/40aaf6fa720047dbb97c78c09debbef3   N/A      N/A

Modifies hosts file

Description  Indicator    Process  Target
/etc/hosts   /etc/hosts   N/A      N/A

Writes DNS configuration

Description       Indicator         Process  Target
/etc/resolv.conf  /etc/resolv.conf  N/A      N/A

Creates/modifies Cron job

persistence
Description               Indicator                 Process  Target
/var/spool/cron/crontabs  /var/spool/cron/crontabs  N/A      N/A

Reads CPU attributes

Description                     Indicator                       Process  Target
/sys/devices/system/cpu/online  /sys/devices/system/cpu/online  N/A      N/A

Writes file to tmp directory

Description                                 Indicator                                   Process               Target
/tmp/Linux.encryptor                        /tmp/Linux.encryptor                        N/A                   N/A
/tmp/.DBFD055C-9CF2-4BB8-908E-6DA22321BF17  /tmp/.DBFD055C-9CF2-4BB8-908E-6DA22321BF17  /tmp/Linux.encryptor  N/A
/tmp/main.log                               /tmp/main.log                               N/A                   N/A

Processes

/tmp/Linux.encryptor

[/tmp/Linux.encryptor]

Network

Country  Destination         Domain            Proto
US       1.1.1.1:53          mojobiden.com     udp
US       207.244.67.174:80   mojobiden.com     tcp
US       1.1.1.1:53          paymenthacks.com  udp
US       103.224.212.222:80  paymenthacks.com  tcp

Files

N/A