Analysis
- max time kernel: 4s
- max time network: 102s
- platform: ubuntu-18.04_amd64
- resource: ubuntu1804-amd64-20221125-en
- resource tags: arch:amd64, arch:i386, image:ubuntu1804-amd64-20221125-en, kernel:4.15.0-161-generic, locale:en-us, os:ubuntu-18.04-amd64, system
- submitted: 15-05-2023 21:25
General
- Target: d68948964905af7259bca015bd1d1ab0bb54334a6f08a87a40ed9d8cc966b291.bin
- Size: 27KB
- MD5: acea44892fc67223f43f4af2ec81aa83
- SHA1: f79255a73611bca2e1ff159eb8be6b0aa68c2748
- SHA256: d68948964905af7259bca015bd1d1ab0bb54334a6f08a87a40ed9d8cc966b291
- SHA512: 8291808ba9f796bf37c637a252897dda69d29c5087a277cbb4c5d4821d8953d9ebc05d5a3088a33d380ae55538d4c802cd73de5d3ee34b67ebcd236997698393
- SSDEEP: 768:sMUDrIR0pRIrPP6JxdSbDRSDIh7Lz0iFCDq4p:QrY0LQH+DS90iFCDp
Malware Config
Signatures
- BPFDoor payload (1 IoC)
  Processes:
  resource: /dev/shm/kdmtmpflush | yara_rule: family_bpfdoor
- Changes its process name (1 IoC)
  Processes (kdmtmpflush):
  description: Changes the process name, possibly in an attempt to hide itself | ioc: /usr/lib/systemd/systemd-journald | pid: 619 | process: kdmtmpflush
- Creates Raw socket (1 IoC)
  Creates a socket that captures raw packets at the device level.
  Processes (rm):
  pid: 620 | process: rm
- Executes dropped EXE (1 IoC)
  Processes (kdmtmpflush):
  pid: 619 | process: kdmtmpflush
- Writes file to shm directory (1 IoC)
  Malware can drop malicious files in the shm directory, which will run directly from RAM.
  Processes (cp):
  description: File opened for modification | ioc: /dev/shm/kdmtmpflush | process: cp
- Reads runtime system information (1 IoC)
  Reads data from the /proc virtual filesystem.
  Processes (cp):
  description: File opened for reading | ioc: /proc/filesystems | process: cp
Processes
- [1] /tmp/d68948964905af7259bca015bd1d1ab0bb54334a6f08a87a40ed9d8cc966b291.bin
  command: /tmp/d68948964905af7259bca015bd1d1ab0bb54334a6f08a87a40ed9d8cc966b291.bin
  - [2] sh
    command: sh -c "/bin/rm -f /dev/shm/kdmtmpflush;/bin/cp /tmp/d68948964905af7259bca015bd1d1ab0bb54334a6f08a87a40ed9d8cc966b291.bin /dev/shm/kdmtmpflush && /bin/chmod 755 /dev/shm/kdmtmpflush && /dev/shm/kdmtmpflush --init && /bin/rm -f /dev/shm/kdmtmpflush"
    - [3] /bin/rm
      command: /bin/rm -f /dev/shm/kdmtmpflush
    - [3] /bin/cp
      command: /bin/cp /tmp/d68948964905af7259bca015bd1d1ab0bb54334a6f08a87a40ed9d8cc966b291.bin /dev/shm/kdmtmpflush
      signatures: Writes file to shm directory; Reads runtime system information
    - [3] /bin/chmod
      command: /bin/chmod 755 /dev/shm/kdmtmpflush
    - [3] /dev/shm/kdmtmpflush
      command: /dev/shm/kdmtmpflush --init
      signatures: Changes its process name; Executes dropped EXE
    - [3] /bin/rm
      command: /bin/rm -f /dev/shm/kdmtmpflush
      signatures: Creates Raw socket
Network
MITRE ATT&CK Matrix
Downloads
- /dev/shm/kdmtmpflush
  Filesize: 27KB
  MD5: acea44892fc67223f43f4af2ec81aa83
  SHA1: f79255a73611bca2e1ff159eb8be6b0aa68c2748
  SHA256: d68948964905af7259bca015bd1d1ab0bb54334a6f08a87a40ed9d8cc966b291
  SHA512: 8291808ba9f796bf37c637a252897dda69d29c5087a277cbb4c5d4821d8953d9ebc05d5a3088a33d380ae55538d4c802cd73de5d3ee34b67ebcd236997698393