Overview

overview

10

Static

static

10

d97625f7ad...1a9df4

ubuntu-18.04-amd64

10

Analysis

  • max time kernel
    5s
  • platform
    ubuntu-18.04_amd64
  • resource
    ubuntu1804-amd64-20230621-en
  • resource tags

    arch:amd64arch:i386image:ubuntu1804-amd64-20230621-enkernel:4.15.0-161-genericlocale:en-usos:ubuntu-18.04-amd64system
  • submitted
    31-07-2023 10:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d97625f7ad46e24fc958b1ab1c2de9591bad0127b204f99d7110fe1c401a9df4

  • Size

    32KB

  • MD5

    0e33e26094a8cb71837c29e26287edbe

  • SHA1

    ad9232de3297fa7031482d8d9ad198a93f86f25e

  • SHA256

    d97625f7ad46e24fc958b1ab1c2de9591bad0127b204f99d7110fe1c401a9df4

  • SHA512

    6a3f5dba7ae279b83b564088ed981db130a6cfbc285b21121443c77df1afbc23233f19471f82dd525d2849d6802eea7d0a19eca9857e8620a4f1ad16d1883538

  • SSDEEP

    768:JMO9NDv4MFMXrThYxtM6TOvakqDZM1jBybDRSD/fIEa0iFpiq:Rpv4MFMXrThYxtSvmVcjByB0iFg

Score
10/10
bpfdoorbackdoor

Malware Config

Signatures

  • BPFDoor

    BPFDoor is an evasive Linux backdoor attributed to a Chinese threat actor called Red Menshen.

    backdoorbpfdoor
  • BPFDoor payload 1 IoCs
  • Reads runtime system information 1 IoCs

    Reads data from /proc virtual filesystem.

Processes

  • /tmp/d97625f7ad46e24fc958b1ab1c2de9591bad0127b204f99d7110fe1c401a9df4
    /tmp/d97625f7ad46e24fc958b1ab1c2de9591bad0127b204f99d7110fe1c401a9df4
    1⤵
      PID:603
      • /bin/sh
        sh -c "/bin/rm -f /var/lock/kdmtmpflush;/bin/cp /tmp/d97625f7ad46e24fc958b1ab1c2de9591bad0127b204f99d7110fe1c401a9df4 /var/lock/kdmtmpflush && /bin/chmod 755 /var/lock/kdmtmpflush && /var/lock/kdmtmpflush --init"
        2⤵
          PID:604
          • /bin/rm
            /bin/rm -f /var/lock/kdmtmpflush
            3⤵
              PID:605
            • /bin/cp
              /bin/cp /tmp/d97625f7ad46e24fc958b1ab1c2de9591bad0127b204f99d7110fe1c401a9df4 /var/lock/kdmtmpflush
              3⤵
              • Reads runtime system information
              PID:606
            • /bin/chmod
              /bin/chmod 755 /var/lock/kdmtmpflush
              3⤵
                PID:607
              • /var/lock/kdmtmpflush
                /var/lock/kdmtmpflush --init
                3⤵
                  PID:608

            Network

            MITRE ATT&CK Matrix

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • /run/lock/kdmtmpflush
              Filesize

              32KB

              MD5

              0e33e26094a8cb71837c29e26287edbe

              SHA1

              ad9232de3297fa7031482d8d9ad198a93f86f25e

              SHA256

              d97625f7ad46e24fc958b1ab1c2de9591bad0127b204f99d7110fe1c401a9df4

              SHA512

              6a3f5dba7ae279b83b564088ed981db130a6cfbc285b21121443c77df1afbc23233f19471f82dd525d2849d6802eea7d0a19eca9857e8620a4f1ad16d1883538

              Download Submit