General
-
Target
bitspin
-
Size
1KB
-
Sample
220809-1r6mxsgghq
-
MD5
6b13e69cc37757b1f2dbc2a1c8f806f1
-
SHA1
01364dc40e5f1005fd7cd6e087368d64b35896f7
-
SHA256
d318e9f2086c3cf2a258e275f9c63929b4560744a504ced68622b2e0b3f56374
-
SHA512
c46a38378e024c06251f3aa61a35a2e31f2e6a17da1284d100d78de0708a1e0852b10da74d59ec888e374a3ed8c0533851e46410d0df48da901b151b086ffdab
Behavioral task
behavioral1
Sample
bitspin
Resource
ubuntu1804-amd64-en-20211208
Malware Config
Extracted
metasploit
encoder/shikata_ga_nai
Targets
-
-
Target
bitspin
Score
9/10
-
Attempts to identify hypervisor via CPU configuration
Checks CPU information for indicators that the system is a virtual machine.
-
Modifies hosts file
Adds to hosts file used for mapping hosts to IP addresses.
-
Writes DNS configuration
Writes data to DNS resolver config file.
-
Creates/modifies Cron job
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
-
Reads CPU attributes
-
Enumerates kernel/hardware configuration
Reads contents of /sys virtual filesystem to enumerate system information.
-
Reads runtime system information
Reads data from /proc virtual filesystem.
-
Writes file to tmp directory
Malware often drops required files in the /tmp directory.
-