Resubmissions

06-09-2023 00:50

230906-a613wace39 10

02-06-2022 16:49

220602-vb6p4acdhn 10

18-05-2022 18:03

220518-wm78qsfbgl 5

Analysis

  • max time kernel
    4s
  • max time network
    134s
  • platform
    ubuntu-18.04_amd64
  • resource
    ubuntu1804-amd64-20230831-en
  • resource tags

    arch:amd64arch:i386image:ubuntu1804-amd64-20230831-enkernel:4.15.0-161-genericlocale:en-usos:ubuntu-18.04-amd64system
  • submitted
    06-09-2023 00:50

General

  • Target

    2e0aa3da45a0360d051359e1a038beff8551b957698f21756cfc6ed5539e4bdb.bin

  • Size

    30KB

  • MD5

    a4bbcbdb2d65d1b966943f6955c05048

  • SHA1

    68af74718f5eeb824258e69af5a23a3c0f6fb54d

  • SHA256

    2e0aa3da45a0360d051359e1a038beff8551b957698f21756cfc6ed5539e4bdb

  • SHA512

    4b5d69f3ceb9e2a9311bf08bc3b853dcddf2f33228e31dfaa3c6484dfc4057ba210c1995833bbd26eeea15496623a13e1c895e71e8094707c78ed4b6738274a6

  • SSDEEP

    384:fna1+r7+bTJta9vZxofpCjR1g/CNXyCEAFp0MyV4Eh6kSE0wyktwBZFAND7foVlX:SEPigZxiEXbFyMycctw5AIzrLFo

Score
10/10

Malware Config

Signatures

  • BPFDoor

    BPFDoor is an evasive Linux backdoor attributed to a Chinese threat actor called Red Menshen.

  • BPFDoor payload 1 IoCs
  • Changes its process name 1 IoCs
  • Creates Raw socket 1 IoCs

    Creates a socket that captures raw packets at the device level

  • Executes dropped EXE 1 IoCs
  • Reads runtime system information 1 IoCs

    Reads data from /proc virtual filesystem.

  • Writes file to shm directory 1 IoCs

    Malware can drop malicious files in the shm directory which will run directly from RAM.

Processes

  • /tmp/2e0aa3da45a0360d051359e1a038beff8551b957698f21756cfc6ed5539e4bdb.bin
    /tmp/2e0aa3da45a0360d051359e1a038beff8551b957698f21756cfc6ed5539e4bdb.bin
    1⤵
      PID:588
      • /bin/sh
        sh -c "/bin/rm -f /dev/shm/kdmtmpflush;/bin/cp /tmp/2e0aa3da45a0360d051359e1a038beff8551b957698f21756cfc6ed5539e4bdb.bin /dev/shm/kdmtmpflush && /bin/chmod 755 /dev/shm/kdmtmpflush && /dev/shm/kdmtmpflush --init && /bin/rm -f /dev/shm/kdmtmpflush"
        2⤵
          PID:589
          • /bin/rm
            /bin/rm -f /dev/shm/kdmtmpflush
            3⤵
              PID:590
            • /bin/cp
              /bin/cp /tmp/2e0aa3da45a0360d051359e1a038beff8551b957698f21756cfc6ed5539e4bdb.bin /dev/shm/kdmtmpflush
              3⤵
              • Reads runtime system information
              • Writes file to shm directory
              PID:591
            • /bin/chmod
              /bin/chmod 755 /dev/shm/kdmtmpflush
              3⤵
                PID:592
              • /dev/shm/kdmtmpflush
                /dev/shm/kdmtmpflush --init
                3⤵
                • Changes its process name
                • Executes dropped EXE
                PID:593
              • /bin/rm
                /bin/rm -f /dev/shm/kdmtmpflush
                3⤵
                  PID:595

            Network

            MITRE ATT&CK Matrix

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • /dev/shm/kdmtmpflush

              Filesize

              30KB

              MD5

              a4bbcbdb2d65d1b966943f6955c05048

              SHA1

              68af74718f5eeb824258e69af5a23a3c0f6fb54d

              SHA256

              2e0aa3da45a0360d051359e1a038beff8551b957698f21756cfc6ed5539e4bdb

              SHA512

              4b5d69f3ceb9e2a9311bf08bc3b853dcddf2f33228e31dfaa3c6484dfc4057ba210c1995833bbd26eeea15496623a13e1c895e71e8094707c78ed4b6738274a6