Resubmissions

15-05-2023 21:25

230515-z94qlsac38 10

16-05-2022 14:48

220516-r6yq7aaadq 5

Analysis

  • max time kernel
    4s
  • max time network
    102s
  • platform
    ubuntu-18.04_amd64
  • resource
    ubuntu1804-amd64-20221125-en
  • resource tags

    arch:amd64arch:i386image:ubuntu1804-amd64-20221125-enkernel:4.15.0-161-genericlocale:en-usos:ubuntu-18.04-amd64system
  • submitted
    15-05-2023 21:25

General

  • Target

    d68948964905af7259bca015bd1d1ab0bb54334a6f08a87a40ed9d8cc966b291.bin

  • Size

    27KB

  • MD5

    acea44892fc67223f43f4af2ec81aa83

  • SHA1

    f79255a73611bca2e1ff159eb8be6b0aa68c2748

  • SHA256

    d68948964905af7259bca015bd1d1ab0bb54334a6f08a87a40ed9d8cc966b291

  • SHA512

    8291808ba9f796bf37c637a252897dda69d29c5087a277cbb4c5d4821d8953d9ebc05d5a3088a33d380ae55538d4c802cd73de5d3ee34b67ebcd236997698393

  • SSDEEP

    768:sMUDrIR0pRIrPP6JxdSbDRSDIh7Lz0iFCDq4p:QrY0LQH+DS90iFCDp

Score
10/10

Malware Config

Signatures

  • BPFDoor

    BPFDoor is an evasive Linux backdoor attributed to a Chinese threat actor called Red Menshen.

  • BPFDoor payload 1 IoCs
  • Changes its process name 1 IoCs
  • Creates Raw socket 1 IoCs

    Creates a socket that captures raw packets at the device level

  • Executes dropped EXE 1 IoCs
  • Writes file to shm directory 1 IoCs

    Malware can drop malicious files in the shm directory which will run directly from RAM.

  • Reads runtime system information 1 IoCs

    Reads data from /proc virtual filesystem.

Processes

  • /tmp/d68948964905af7259bca015bd1d1ab0bb54334a6f08a87a40ed9d8cc966b291.bin
    /tmp/d68948964905af7259bca015bd1d1ab0bb54334a6f08a87a40ed9d8cc966b291.bin
    1⤵
      PID:614
      • sh
        sh -c "/bin/rm -f /dev/shm/kdmtmpflush;/bin/cp /tmp/d68948964905af7259bca015bd1d1ab0bb54334a6f08a87a40ed9d8cc966b291.bin /dev/shm/kdmtmpflush && /bin/chmod 755 /dev/shm/kdmtmpflush && /dev/shm/kdmtmpflush --init && /bin/rm -f /dev/shm/kdmtmpflush"
        2⤵
          PID:615
          • /bin/rm
            /bin/rm -f /dev/shm/kdmtmpflush
            3⤵
              PID:616
            • /bin/cp
              /bin/cp /tmp/d68948964905af7259bca015bd1d1ab0bb54334a6f08a87a40ed9d8cc966b291.bin /dev/shm/kdmtmpflush
              3⤵
              • Writes file to shm directory
              • Reads runtime system information
              PID:617
            • /bin/chmod
              /bin/chmod 755 /dev/shm/kdmtmpflush
              3⤵
                PID:618
              • /dev/shm/kdmtmpflush
                /dev/shm/kdmtmpflush --init
                3⤵
                • Changes its process name
                • Executes dropped EXE
                PID:619
              • /bin/rm
                /bin/rm -f /dev/shm/kdmtmpflush
                3⤵
                • Creates Raw socket
                PID:621

          Network

          MITRE ATT&CK Matrix

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • /dev/shm/kdmtmpflush
            Filesize

            27KB

            MD5

            acea44892fc67223f43f4af2ec81aa83

            SHA1

            f79255a73611bca2e1ff159eb8be6b0aa68c2748

            SHA256

            d68948964905af7259bca015bd1d1ab0bb54334a6f08a87a40ed9d8cc966b291

            SHA512

            8291808ba9f796bf37c637a252897dda69d29c5087a277cbb4c5d4821d8953d9ebc05d5a3088a33d380ae55538d4c802cd73de5d3ee34b67ebcd236997698393