bpfdoor | fa0defdabd9fd43fe2ef1ec33574ea1af1290bd3d763fdb2bed443f2bd996d73

Resubmissions

06-09-2023 00:49

31-07-2023 12:28

28-02-2021 08:09

max time kernel
4s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20230831-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20230831-enkernel:4.15.0-161-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
06-09-2023 00:49

Target

fa0defdabd9fd43fe2ef1ec33574ea1af1290bd3d763fdb2bed443f2bd996d73
Size

28KB
MD5

0017f7b913ce66e4d80f7e78cf830a2b
SHA1

f1bf775746a5c882b9ec003617b2a70cf5a5b029
SHA256

fa0defdabd9fd43fe2ef1ec33574ea1af1290bd3d763fdb2bed443f2bd996d73
SHA512

ff5dd28ba3f5ce1f85f85fa9b65f9f30fbd300f2ca238cb2713da7077b7a0a8ff094cff4d7de9381726925abdd9ea065fa75ccd02fa5a816b71a6f91479363c1
SSDEEP

384:D4Vc7TIqaFxrfIyqk/MyV36nk/h0iFHCN7qvUa+BlmYJNZRR5uRh0I:D4gQAsMyOi0iFHCF3zZX5uRh0I

Score

10^/10

bpfdoor backdoor

BPFDoor
BPFDoor is an evasive Linux backdoor attributed to a Chinese threat actor called Red Menshen.
backdoor bpfdoor

BPFDoor payload 1 IoCs

Processes:

resource	yara_rule
/dev/shm/kdmtmpflush	family_bpfdoor_v1

Changes its process name 1 IoCs

Processes:

kdmtmpflush

description ioc pid process

Changes the process name, possibly in an attempt to hide itself /usr/sbin/console-kit-daemon --no-daemon 615 kdmtmpflush
Creates Raw socket 1 IoCs
Creates a socket that captures raw packets at the device level

Processes:

pid

616
Executes dropped EXE 1 IoCs

Processes:

kdmtmpflush

ioc pid process

/dev/shm/kdmtmpflush 615 kdmtmpflush
Reads runtime system information 1 IoCs
Reads data from /proc virtual filesystem.

Processes:

cp

description ioc process

File opened for reading /proc/filesystems cp
Writes file to shm directory 1 IoCs
Malware can drop malicious files in the shm directory which will run directly from RAM.

Processes:

cp

description ioc process

File opened for modification /dev/shm/kdmtmpflush cp

description	ioc	pid	process
Changes the process name, possibly in an attempt to hide itself	/usr/sbin/console-kit-daemon --no-daemon	615	kdmtmpflush

pid
616

ioc	pid	process
/dev/shm/kdmtmpflush	615	kdmtmpflush

description	ioc	process
File opened for reading	/proc/filesystems	cp

description	ioc	process
File opened for modification	/dev/shm/kdmtmpflush	cp

/tmp/fa0defdabd9fd43fe2ef1ec33574ea1af1290bd3d763fdb2bed443f2bd996d73
/tmp/fa0defdabd9fd43fe2ef1ec33574ea1af1290bd3d763fdb2bed443f2bd996d73
1⤵
PID:610
- /bin/sh
  sh -c "/bin/rm -f /dev/shm/kdmtmpflush;/bin/cp /tmp/fa0defdabd9fd43fe2ef1ec33574ea1af1290bd3d763fdb2bed443f2bd996d73 /dev/shm/kdmtmpflush && /bin/chmod 755 /dev/shm/kdmtmpflush && /dev/shm/kdmtmpflush --init && /bin/rm -f /dev/shm/kdmtmpflush"
  2⤵
  PID:611
- - /bin/rm
    /bin/rm -f /dev/shm/kdmtmpflush
    3⤵
    PID:612
- - /bin/cp
    /bin/cp /tmp/fa0defdabd9fd43fe2ef1ec33574ea1af1290bd3d763fdb2bed443f2bd996d73 /dev/shm/kdmtmpflush
    3⤵
    - Reads runtime system information
    - Writes file to shm directory
    PID:613
- - /bin/chmod
    /bin/chmod 755 /dev/shm/kdmtmpflush
    3⤵
    PID:614
- - /dev/shm/kdmtmpflush
    /dev/shm/kdmtmpflush --init
    3⤵
    - Changes its process name
    - Executes dropped EXE
    PID:615
- - /bin/rm
    /bin/rm -f /dev/shm/kdmtmpflush
    3⤵
    PID:617

/dev/shm/kdmtmpflush

Filesize
28KB

MD5
0017f7b913ce66e4d80f7e78cf830a2b

SHA1
f1bf775746a5c882b9ec003617b2a70cf5a5b029

SHA256
fa0defdabd9fd43fe2ef1ec33574ea1af1290bd3d763fdb2bed443f2bd996d73

SHA512
ff5dd28ba3f5ce1f85f85fa9b65f9f30fbd300f2ca238cb2713da7077b7a0a8ff094cff4d7de9381726925abdd9ea065fa75ccd02fa5a816b71a6f91479363c1

Download Submit