Resubmissions

06-09-2023 00:49

230906-a6cehsce37 10

31-07-2023 12:28

230731-pnngdsgd4v 10

28-02-2021 08:09

210228-xd259lnnps 5

Analysis

  • max time kernel
    5s
  • max time network
    104s
  • platform
    ubuntu-18.04_amd64
  • resource
    ubuntu1804-amd64-20230621-en
  • resource tags

    arch:amd64, arch:i386, image:ubuntu1804-amd64-20230621-en, kernel:4.15.0-161-generic, locale:en-us, os:ubuntu-18.04-amd64, system
  • submitted
    31-07-2023 12:28

General

  • Target

    fa0defdabd9fd43fe2ef1ec33574ea1af1290bd3d763fdb2bed443f2bd996d73

  • Size

    28KB

  • MD5

    0017f7b913ce66e4d80f7e78cf830a2b

  • SHA1

    f1bf775746a5c882b9ec003617b2a70cf5a5b029

  • SHA256

    fa0defdabd9fd43fe2ef1ec33574ea1af1290bd3d763fdb2bed443f2bd996d73

  • SHA512

    ff5dd28ba3f5ce1f85f85fa9b65f9f30fbd300f2ca238cb2713da7077b7a0a8ff094cff4d7de9381726925abdd9ea065fa75ccd02fa5a816b71a6f91479363c1

  • SSDEEP

    384:D4Vc7TIqaFxrfIyqk/MyV36nk/h0iFHCN7qvUa+BlmYJNZRR5uRh0I:D4gQAsMyOi0iFHCF3zZX5uRh0I

Score
10/10

Malware Config

Signatures

  • BPFDoor

    BPFDoor is an evasive Linux backdoor attributed to a Chinese threat actor called Red Menshen.

  • BPFDoor payload 1 IoCs
  • Changes its process name 1 IoCs
  • Creates Raw socket 1 IoCs

    Creates a socket that captures raw packets at the device level.

  • Executes dropped EXE 1 IoCs
  • Reads runtime system information 1 IoCs

    Reads data from /proc virtual filesystem.

  • Writes file to shm directory 1 IoCs

    Malware can drop files in the shm directory (a tmpfs), so they are executed directly from RAM without touching disk.

Processes

  • /tmp/fa0defdabd9fd43fe2ef1ec33574ea1af1290bd3d763fdb2bed443f2bd996d73
    /tmp/fa0defdabd9fd43fe2ef1ec33574ea1af1290bd3d763fdb2bed443f2bd996d73
    1⤵
    PID:599
    • /bin/sh
      sh -c "/bin/rm -f /dev/shm/kdmtmpflush;/bin/cp /tmp/fa0defdabd9fd43fe2ef1ec33574ea1af1290bd3d763fdb2bed443f2bd996d73 /dev/shm/kdmtmpflush && /bin/chmod 755 /dev/shm/kdmtmpflush && /dev/shm/kdmtmpflush --init && /bin/rm -f /dev/shm/kdmtmpflush"
      2⤵
      PID:600
      • /bin/rm
        /bin/rm -f /dev/shm/kdmtmpflush
        3⤵
        PID:601
      • /bin/cp
        /bin/cp /tmp/fa0defdabd9fd43fe2ef1ec33574ea1af1290bd3d763fdb2bed443f2bd996d73 /dev/shm/kdmtmpflush
        3⤵
        • Reads runtime system information
        • Writes file to shm directory
        PID:602
      • /bin/chmod
        /bin/chmod 755 /dev/shm/kdmtmpflush
        3⤵
        PID:603
      • /dev/shm/kdmtmpflush
        /dev/shm/kdmtmpflush --init
        3⤵
        • Changes its process name
        • Executes dropped EXE
        PID:604
      • /bin/rm
        /bin/rm -f /dev/shm/kdmtmpflush
        3⤵
        • Creates Raw socket
        PID:606

Network

MITRE ATT&CK Matrix

Downloads

  • /dev/shm/kdmtmpflush

    Filesize
    28KB

    MD5
    0017f7b913ce66e4d80f7e78cf830a2b

    SHA1
    f1bf775746a5c882b9ec003617b2a70cf5a5b029

    SHA256
    fa0defdabd9fd43fe2ef1ec33574ea1af1290bd3d763fdb2bed443f2bd996d73

    SHA512
    ff5dd28ba3f5ce1f85f85fa9b65f9f30fbd300f2ca238cb2713da7077b7a0a8ff094cff4d7de9381726925abdd9ea065fa75ccd02fa5a816b71a6f91479363c1