Resubmissions

06-09-2023 00:50  230906-a613wace39
02-06-2022 16:49  220602-vb6p4acdhn
18-05-2022 18:03  220518-wm78qsfbgl

Analysis

max time kernel: 4s
max time network: 134s
platform: ubuntu-18.04_amd64
resource: ubuntu1804-amd64-20230831-en
resource tags: arch:amd64, arch:i386, image:ubuntu1804-amd64-20230831-en, kernel:4.15.0-161-generic, locale:en-us, os:ubuntu-18.04-amd64, system
submitted: 06-09-2023 00:50
General

Target: 2e0aa3da45a0360d051359e1a038beff8551b957698f21756cfc6ed5539e4bdb.bin
Size: 30KB
MD5: a4bbcbdb2d65d1b966943f6955c05048
SHA1: 68af74718f5eeb824258e69af5a23a3c0f6fb54d
SHA256: 2e0aa3da45a0360d051359e1a038beff8551b957698f21756cfc6ed5539e4bdb
SHA512: 4b5d69f3ceb9e2a9311bf08bc3b853dcddf2f33228e31dfaa3c6484dfc4057ba210c1995833bbd26eeea15496623a13e1c895e71e8094707c78ed4b6738274a6
SSDEEP: 384:fna1+r7+bTJta9vZxofpCjR1g/CNXyCEAFp0MyV4Eh6kSE0wyktwBZFAND7foVlX:SEPigZxiEXbFyMycctw5AIzrLFo
Malware Config

Signatures

BPFDoor payload (1 IoC)
  Processes:
    resource: /dev/shm/kdmtmpflush  yara_rule: family_bpfdoor_v1

Changes its process name (1 IoC)
  Processes:
    description: Changes the process name, possibly in an attempt to hide itself
    ioc: /sbin/auditd -n  pid: 593  process: kdmtmpflush

Creates Raw socket (1 IoC)
  Creates a socket that captures raw packets at the device level.
  Processes:
    pid: 594

Executes dropped EXE (1 IoC)
  Processes:
    ioc: /dev/shm/kdmtmpflush  pid: 593  process: kdmtmpflush

Reads runtime system information (1 IoC)
  Reads data from the /proc virtual filesystem.
  Processes:
    description: File opened for reading  ioc: /proc/filesystems  process: cp

Writes file to shm directory (1 IoC)
  Malware can drop malicious files in the shm directory, which will run directly from RAM.
  Processes:
    description: File opened for modification  ioc: /dev/shm/kdmtmpflush  process: cp
Processes

/tmp/2e0aa3da45a0360d051359e1a038beff8551b957698f21756cfc6ed5539e4bdb.bin
  command: /tmp/2e0aa3da45a0360d051359e1a038beff8551b957698f21756cfc6ed5539e4bdb.bin
  PID: 588

  /bin/sh
    command: sh -c "/bin/rm -f /dev/shm/kdmtmpflush;/bin/cp /tmp/2e0aa3da45a0360d051359e1a038beff8551b957698f21756cfc6ed5539e4bdb.bin /dev/shm/kdmtmpflush && /bin/chmod 755 /dev/shm/kdmtmpflush && /dev/shm/kdmtmpflush --init && /bin/rm -f /dev/shm/kdmtmpflush"
    PID: 589

    /bin/rm
      command: /bin/rm -f /dev/shm/kdmtmpflush
      PID: 590

    /bin/cp
      command: /bin/cp /tmp/2e0aa3da45a0360d051359e1a038beff8551b957698f21756cfc6ed5539e4bdb.bin /dev/shm/kdmtmpflush
      PID: 591
      - Reads runtime system information
      - Writes file to shm directory

    /bin/chmod
      command: /bin/chmod 755 /dev/shm/kdmtmpflush
      PID: 592

    /dev/shm/kdmtmpflush
      command: /dev/shm/kdmtmpflush --init
      PID: 593
      - Changes its process name
      - Executes dropped EXE

    /bin/rm
      command: /bin/rm -f /dev/shm/kdmtmpflush
      PID: 595
Network
MITRE ATT&CK Matrix