bpfdoor | d68948964905af7259bca015bd1d1ab0bb54334a6f08a87a40ed9d8cc966b291

Resubmissions

15-05-2023 21:25

230515-z94qlsac38 10

16-05-2022 14:48

220516-r6yq7aaadq 5

Analysis

max time kernel
4s
max time network
102s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20221125-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20221125-enkernel:4.15.0-161-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
15-05-2023 21:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d68948964905af7259bca015bd1d1ab0bb54334a6f08a87a40ed9d8cc966b291.bin
Size

27KB
MD5

acea44892fc67223f43f4af2ec81aa83
SHA1

f79255a73611bca2e1ff159eb8be6b0aa68c2748
SHA256

d68948964905af7259bca015bd1d1ab0bb54334a6f08a87a40ed9d8cc966b291
SHA512

8291808ba9f796bf37c637a252897dda69d29c5087a277cbb4c5d4821d8953d9ebc05d5a3088a33d380ae55538d4c802cd73de5d3ee34b67ebcd236997698393
SSDEEP

768:sMUDrIR0pRIrPP6JxdSbDRSDIh7Lz0iFCDq4p:QrY0LQH+DS90iFCDp

Score

10^/10

bpfdoor backdoor

Malware Config

Signatures

BPFDoor
BPFDoor is an evasive Linux backdoor attributed to a Chinese threat actor called Red Menshen.
backdoor bpfdoor

BPFDoor payload 1 IoCs

Processes:

resource	yara_rule
/dev/shm/kdmtmpflush	family_bpfdoor

Changes its process name 1 IoCs

Processes:

kdmtmpflush

description ioc pid process

Changes the process name, possibly in an attempt to hide itself /usr/lib/systemd/systemd-journald 619 kdmtmpflush
Creates Raw socket 1 IoCs
Creates a socket that captures raw packets at the device level

Processes:

rm

pid process

620 rm
Executes dropped EXE 1 IoCs

Processes:

kdmtmpflush

pid process

619 kdmtmpflush
Writes file to shm directory 1 IoCs
Malware can drop malicious files in the shm directory which will run directly from RAM.

Processes:

cp

description ioc process

File opened for modification /dev/shm/kdmtmpflush cp
Reads runtime system information 1 IoCs
Reads data from /proc virtual filesystem.

Processes:

cp

description ioc process

File opened for reading /proc/filesystems cp

description	ioc	pid	process
Changes the process name, possibly in an attempt to hide itself	/usr/lib/systemd/systemd-journald	619	kdmtmpflush

pid	process
620	rm

pid	process
619	kdmtmpflush

description	ioc	process
File opened for modification	/dev/shm/kdmtmpflush	cp

description	ioc	process
File opened for reading	/proc/filesystems	cp

/tmp/d68948964905af7259bca015bd1d1ab0bb54334a6f08a87a40ed9d8cc966b291.bin
/tmp/d68948964905af7259bca015bd1d1ab0bb54334a6f08a87a40ed9d8cc966b291.bin
1⤵
PID:614

sh
sh -c "/bin/rm -f /dev/shm/kdmtmpflush;/bin/cp /tmp/d68948964905af7259bca015bd1d1ab0bb54334a6f08a87a40ed9d8cc966b291.bin /dev/shm/kdmtmpflush && /bin/chmod 755 /dev/shm/kdmtmpflush && /dev/shm/kdmtmpflush --init && /bin/rm -f /dev/shm/kdmtmpflush"
2⤵
PID:615

/bin/rm
/bin/rm -f /dev/shm/kdmtmpflush
3⤵
PID:616

/bin/cp
/bin/cp /tmp/d68948964905af7259bca015bd1d1ab0bb54334a6f08a87a40ed9d8cc966b291.bin /dev/shm/kdmtmpflush
3⤵
- Writes file to shm directory
- Reads runtime system information
PID:617

/bin/chmod
/bin/chmod 755 /dev/shm/kdmtmpflush
3⤵
PID:618

/dev/shm/kdmtmpflush
/dev/shm/kdmtmpflush --init
3⤵
- Changes its process name
- Executes dropped EXE
PID:619

/bin/rm
/bin/rm -f /dev/shm/kdmtmpflush
3⤵
- Creates Raw socket
PID:621

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/dev/shm/kdmtmpflush
Filesize
27KB

MD5
acea44892fc67223f43f4af2ec81aa83

SHA1
f79255a73611bca2e1ff159eb8be6b0aa68c2748

SHA256
d68948964905af7259bca015bd1d1ab0bb54334a6f08a87a40ed9d8cc966b291

SHA512
8291808ba9f796bf37c637a252897dda69d29c5087a277cbb4c5d4821d8953d9ebc05d5a3088a33d380ae55538d4c802cd73de5d3ee34b67ebcd236997698393

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads