Analysis

  • max time kernel
    4s
  • platform
    ubuntu-18.04_amd64
  • resource
    ubuntu1804-amd64-20221111-en
  • resource tags

    arch:amd64, arch:i386, image:ubuntu1804-amd64-20221111-en, kernel:4.15.0-161-generic, locale:en-us, os:ubuntu-18.04-amd64, system
  • submitted
    15-05-2023 11:52

General

  • Target

    cca78516c62e1b7cf3c56b665a3537dca6beb54d335c633454b325fd44c4f760

  • Size

    27KB

  • MD5

    b4b92c6cd0ddfc27f38c45cbac0d0f01

  • SHA1

    037d51686f2c5749b78a4a9ce638966aea8798a1

  • SHA256

    cca78516c62e1b7cf3c56b665a3537dca6beb54d335c633454b325fd44c4f760

  • SHA512

    b96173503c265547b7473b5b13822f05c38f71ebfbee78dc75f778d2e63755d26c7bd13f7207163432d38690434c873214e830a3a7217cd4d2f02975e3254b7c

  • SSDEEP

    768:ttDPYOFMXrThYxt+2ZcMyObDRSDfPrgd0iFn79+Rt:bPYOFMXrThYxttcMyOh0iF7gR

Score
10/10

Malware Config

Signatures

  • BPFDoor

    BPFDoor is an evasive Linux backdoor attributed to a Chinese threat actor called Red Menshen.

  • BPFDoor payload (1 IoC)
  • Reads runtime system information (1 IoC)

    Reads data from /proc virtual filesystem.

Processes

  • /tmp/cca78516c62e1b7cf3c56b665a3537dca6beb54d335c633454b325fd44c4f760
    /tmp/cca78516c62e1b7cf3c56b665a3537dca6beb54d335c633454b325fd44c4f760
    1⤵
    PID:598
    • sh
      sh -c "/bin/rm -f /var/lock/kcdump;/bin/cp /tmp/cca78516c62e1b7cf3c56b665a3537dca6beb54d335c633454b325fd44c4f760 /var/lock/kcdump && /bin/chmod 755 /var/lock/kcdump && /var/lock/kcdump --init"
      2⤵
      PID:599
      • /bin/rm
        /bin/rm -f /var/lock/kcdump
        3⤵
        PID:600
      • /bin/cp
        /bin/cp /tmp/cca78516c62e1b7cf3c56b665a3537dca6beb54d335c633454b325fd44c4f760 /var/lock/kcdump
        3⤵
        Reads runtime system information
        PID:601
      • /bin/chmod
        /bin/chmod 755 /var/lock/kcdump
        3⤵
        PID:602
      • /var/lock/kcdump
        /var/lock/kcdump --init
        3⤵
        PID:603

Network

MITRE ATT&CK Matrix

Downloads

  • /run/lock/kcdump

    Filesize

    27KB

    MD5

    b4b92c6cd0ddfc27f38c45cbac0d0f01

    SHA1

    037d51686f2c5749b78a4a9ce638966aea8798a1

    SHA256

    cca78516c62e1b7cf3c56b665a3537dca6beb54d335c633454b325fd44c4f760

    SHA512

    b96173503c265547b7473b5b13822f05c38f71ebfbee78dc75f778d2e63755d26c7bd13f7207163432d38690434c873214e830a3a7217cd4d2f02975e3254b7c