Analysis

  • max time kernel
    152s
  • max time network
    132s
  • platform
    ubuntu-18.04_amd64
  • resource
    ubuntu1804-amd64-20231215-en
  • resource tags

    arch:amd64 arch:i386 image:ubuntu1804-amd64-20231215-en kernel:4.15.0-213-generic locale:en-us os:ubuntu-18.04-amd64 system
  • submitted
    19-12-2023 23:08

General

  • Target

    47d704b79364e2ab333e614c166d0b7d

  • Size

    7.0MB

  • MD5

    47d704b79364e2ab333e614c166d0b7d

  • SHA1

    d29fb7df26ecef83abc99e5b4f0d9dd58ad0a2d6

  • SHA256

    0f4755f65c495d3711bf22271f85f1ee86da8b7a487e770f769af56e189be48c

  • SHA512

    a58054d2bf47e59d8ef48beda1089d35867faaebd3ee1bf023c95773dd74b79717e8f681eda005662736e873646bd0c2449fa27623f3e088ffce6a4e1dc70906

  • SSDEEP

    98304:EE1b80T1Mv8SzjLZ/YJG9MMa2megmG5OFZj8KIX:n980JpSzBsMa2ac8K

Score
6/10

Malware Config

Signatures

  • Checks CPU configuration (1 TTP, 2 IoCs)

    Reads CPU information (here via cat /proc/cpuinfo) that indicates whether the system is a virtual machine.

  • Creates/modifies Cron job (1 TTP, 1 IoC)

    Cron runs tasks on a schedule and is commonly used by malware for persistence (here via crontab /tmp/nip9iNeiph5chee).

  • Reads runtime system information (4 IoCs)

    Reads data from the /proc virtual filesystem.

  • Writes file to tmp directory (3 IoCs)

    Malware often drops the files it needs in /tmp.
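The two /proc reads flagged above are what a Linux sample typically uses to decide whether it is running inside a sandbox. The script below is an added example, not code from this report or from the analysed sample: it applies the usual checks (the kernel-reported `hypervisor` CPU flag, an emulated-looking model name, a single vCPU) to constructed /proc/cpuinfo and /proc/version text, so you can run it against your own sandbox image and see what it leaks. The marker list and the sample inputs are assumptions for illustration; the report does not say which strings the sample tests.

```python
# Added example (not code from the report or from the analysed sample): the
# kind of virtualisation check a sample can derive from `cat /proc/cpuinfo`
# and `cat /proc/version`, the two reads this report flags.
import re
from typing import Dict, List


def make_cpuinfo(model: str, flags: str, ncpus: int) -> str:
    """Build /proc/cpuinfo-style text with `ncpus` processor blocks.
    Constructed test input; the field layout follows the real file."""
    blocks = []
    for n in range(ncpus):
        blocks.append(
            f"processor\t: {n}\n"
            f"vendor_id\t: GenuineIntel\n"
            f"model name\t: {model}\n"
            f"flags\t\t: {flags}\n"
        )
    return "\n".join(blocks)


# Constructed inputs: a one-vCPU KVM-style guest and a 12-thread desktop.
BASE_FLAGS = "fpu vme de pse tsc msr pae mce cx8 apic sep pge cmov mmx sse sse2 lm nx aes avx rdrand"
SAMPLE_CPUINFO_VM = make_cpuinfo("Intel Xeon Processor (Skylake, IBRS)",
                                 BASE_FLAGS + " hypervisor", 1)
SAMPLE_CPUINFO_BARE = make_cpuinfo("Intel(R) Core(TM) i7-8700 CPU @ 3.20GHz",
                                   BASE_FLAGS, 12)
# Constructed /proc/version line for the kernel tagged on this report's sandbox image.
SAMPLE_PROC_VERSION = ("Linux version 4.15.0-213-generic (buildd@host) "
                       "(gcc version 7.5.0) #224-Ubuntu SMP Mon Jun 19 13:30:12 UTC 2023")

# Model-name fragments typical of emulated or paravirtualised CPUs (assumed
# list for illustration; the report does not say which strings the sample tests).
VIRTUAL_MODEL_MARKERS = ("qemu", "virtual cpu", "common kvm processor",
                         "xeon processor (", "vmware")


def parse_cpuinfo(text: str) -> Dict[str, str]:
    """Return the fields of the first processor block plus 'ncpus', the
    number of 'processor' lines in the whole file."""
    fields: Dict[str, str] = {}
    ncpus = 0
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "processor":
            ncpus += 1
        if ncpus <= 1 and key not in fields:
            fields[key] = value
    fields["ncpus"] = str(ncpus)
    return fields


def vm_indicators(cpuinfo_text: str) -> List[str]:
    """List the reasons a /proc/cpuinfo dump looks like a virtual machine.
    An empty list means none of the checked indicators fired."""
    info = parse_cpuinfo(cpuinfo_text)
    hits: List[str] = []
    # CPUID.1:ECX bit 31 (hypervisor present) is shown by the kernel as the 'hypervisor' flag.
    if "hypervisor" in info.get("flags", "").split():
        hits.append("hypervisor flag present")
    model = info.get("model name", "").lower()
    if any(marker in model for marker in VIRTUAL_MODEL_MARKERS):
        hits.append(f"virtual CPU model name: {info['model name']}")
    # Sandboxes are often provisioned with a single vCPU.
    if int(info["ncpus"]) < 2:
        hits.append(f"only {info['ncpus']} logical CPU")
    return hits


def kernel_release(proc_version: str) -> str:
    """Extract the release string (what `uname -r` prints) from /proc/version."""
    m = re.match(r"Linux version (\S+)", proc_version)
    return m.group(1) if m else ""


if __name__ == "__main__":
    for name, text in (("vm", SAMPLE_CPUINFO_VM), ("bare", SAMPLE_CPUINFO_BARE)):
        print(name, vm_indicators(text) or "no VM indicators")
    print("kernel:", kernel_release(SAMPLE_PROC_VERSION))
```

To test a real image, feed `open("/proc/cpuinfo").read()` and `open("/proc/version").read()` to the two functions. Note that `uname -a` and `getconf LONG_BIT`, which the sample also runs, give the same kernel release and the word size; the example covers only the two /proc reads.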

Processes

  • /tmp/47d704b79364e2ab333e614c166d0b7d
    /tmp/47d704b79364e2ab333e614c166d0b7d
    1⤵
    • Reads runtime system information
    PID:1534
  • /bin/cat
    cat /proc/version
    1⤵
    • Reads runtime system information
    PID:1538
  • /bin/cat
    cat /proc/cpuinfo
    1⤵
    • Checks CPU configuration
    PID:1539
  • /bin/uname
    uname -a
    1⤵
    PID:1541
  • /usr/bin/getconf
    getconf LONG_BIT
    1⤵
    PID:1542
  • /tmp/47d704b79364e2ab333e614c166d0b7d
    "[stealth]"
    1⤵
    • Reads runtime system information
    PID:1543
    • /bin/cat
      cat /proc/version
      2⤵
      • Reads runtime system information
      PID:1549
  • /bin/cat
    cat /proc/cpuinfo
    1⤵
    • Checks CPU configuration
    PID:1550
  • /bin/uname
    uname -a
    1⤵
    PID:1551
  • /usr/bin/getconf
    getconf LONG_BIT
    1⤵
    PID:1552
  • /usr/bin/crontab
    /usr/bin/crontab /tmp/nip9iNeiph5chee
    1⤵
    • Creates/modifies Cron job
    PID:1553

Network

MITRE ATT&CK Matrix ATT&CK v13

  • Execution
    Scheduled Task/Job (T1053): 1
  • Persistence
    Scheduled Task/Job (T1053): 1
  • Privilege Escalation
    Scheduled Task/Job (T1053): 1
  • Defense Evasion
    Virtualization/Sandbox Evasion (T1497): 1
  • Discovery
    Virtualization/Sandbox Evasion (T1497): 1


Downloads

  • /tmp/.pid
    Filesize
    4B
    MD5
    819c9fbfb075d62a16393b9fe4fcbaa5
    SHA1
    8959169251e7394bcf4b9004326f83e266a06bfb
    SHA256
    50a0a04f2d67b4a26d3aaa163fa2fb0d80a5457716579587cc45ce5bc89d8fce
    SHA512
    1a2836932a771fac43e720d14d8df08c3e32ca5d6d335ae38788fa774e05568c6c05a7c5531ab745b8ec7a9d410f7460ea86c3f5fb6fc097a991170cf26feb57

  • /tmp/nip9iNeiph5chee
    Filesize
    66B
    MD5
    b6b967ae2f83d3acd9cc0b1875cbd52d
    SHA1
    3cf14be897ad13088a62c726b2d68d15f39eb676
    SHA256
    655bfb4796f01ed1882df41880b6d8f5b76a39c82edd2912e3343b25240f4844
    SHA512
    be48670696bd35587db80971d814360e3c49af2d244feac9cb9e6d59eb35aa1e363b591e162ddfae0d70355d3f307442eaf4e49900891dc82c375fa086701815

  • /var/spool/cron/crontabs/tmp.jgOHVp
    Filesize
    260B
    MD5
    bdad7c934de0b4bb22ef1071cfa8481d
    SHA1
    c2b0f08bec4d91d9235b6a388c3bdd68ead7aeba
    SHA256
    93334fb86e282443e8e7b8e818cdc544ed23f89f430c45c37aad47bb1388be51
    SHA512
    9e85b3d3bd5b595f873095b469b0bfd7a5e391d5ec2616166537dce23dd3b7ebcdbce26791e6296fbfffadf070aee4c5206acbb409a759cb8c2bd05edebf3510
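The persistence step in this report is `crontab /tmp/nip9iNeiph5chee`, which makes crontab(1) write the spool file listed above. The script below is an added example, not code from the report: it parses crontab(5) text and flags entries with the patterns that matter when hunting for this kind of persistence (commands run from a temp directory or a hidden path, every-minute or @reboot schedules, downloads piped into a shell), and it labels file contents whose SHA-256 matches one of the values listed in this report. The crontab text in the script is constructed for the example; the report does not show the contents of the 260-byte spool file, so the lines are hypothetical.

```python
# Added example (not code from the report): hunting helpers for the two
# persistence artefacts the report lists, a crontab installed with
# `crontab /tmp/<file>` and the dropped files whose SHA-256 values appear
# under Downloads.
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# SHA-256 values copied from this report's General and Downloads sections.
KNOWN_SHA256: Dict[str, str] = {
    "0f4755f65c495d3711bf22271f85f1ee86da8b7a487e770f769af56e189be48c": "sample 47d704b79364e2ab333e614c166d0b7d",
    "50a0a04f2d67b4a26d3aaa163fa2fb0d80a5457716579587cc45ce5bc89d8fce": "/tmp/.pid",
    "655bfb4796f01ed1882df41880b6d8f5b76a39c82edd2912e3343b25240f4844": "/tmp/nip9iNeiph5chee",
    "93334fb86e282443e8e7b8e818cdc544ed23f89f430c45c37aad47bb1388be51": "crontab spool file tmp.jgOHVp (260 B)",
}

# Constructed crontab for this example; NOT the spool file from the report.
SAMPLE_CRONTAB = """\
# constructed crontab for this example, not the spool file from the report
SHELL=/bin/sh
PATH=/usr/bin:/bin
* * * * * /tmp/.cache/dropper >/dev/null 2>&1
@reboot /tmp/.cache/dropper
17 3 * * 0 /usr/bin/apt-get -qq update
"""

TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
ASSIGNMENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")
HIDDEN_PATH = re.compile(r"/\.[^/\s]")
DOWNLOAD_PIPE = re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b")


@dataclass
class CronEntry:
    lineno: int
    schedule: str
    command: str


def parse_crontab(text: str) -> List[CronEntry]:
    """Parse crontab(5) text into entries. Comments, blank lines and
    VAR=value assignments are skipped; @reboot-style schedules are kept."""
    entries: List[CronEntry] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#") or ASSIGNMENT.match(line):
            continue
        if line.startswith("@"):
            schedule, _, command = line.partition(" ")
        else:
            parts = line.split(None, 5)
            if len(parts) < 6:
                continue  # malformed: fewer than five time fields plus a command
            schedule, command = " ".join(parts[:5]), parts[5]
        entries.append(CronEntry(lineno, schedule, command.strip()))
    return entries


def suspicious_entries(entries: List[CronEntry]) -> List[Tuple[CronEntry, List[str]]]:
    """Return (entry, reasons) for every entry showing a persistence
    pattern; entries with no reasons are omitted."""
    flagged: List[Tuple[CronEntry, List[str]]] = []
    for e in entries:
        reasons: List[str] = []
        if any(d in e.command for d in TEMP_DIRS):
            reasons.append("command runs from a temp directory")
        if HIDDEN_PATH.search(e.command):
            reasons.append("command uses a hidden path")
        if e.schedule == "* * * * *":
            reasons.append("runs every minute")
        if e.schedule == "@reboot":
            reasons.append("runs at boot")
        if DOWNLOAD_PIPE.search(e.command):
            reasons.append("pipes a download into a shell")
        if reasons:
            flagged.append((e, reasons))
    return flagged


def match_ioc(data: bytes) -> Optional[str]:
    """Label a file's bytes if their SHA-256 is one of the report's IOCs."""
    return KNOWN_SHA256.get(hashlib.sha256(data).hexdigest())


if __name__ == "__main__":
    for entry, reasons in suspicious_entries(parse_crontab(SAMPLE_CRONTAB)):
        print(f"line {entry.lineno}: {entry.command!r}: {', '.join(reasons)}")
```

On Debian/Ubuntu the per-user spool files live under /var/spool/cron/crontabs/<user>; crontab(1) writes a tmp.XXXXXX file there first, which is why the report lists tmp.jgOHVp. To hunt on a host, pass each spool file's text to `parse_crontab` and its bytes to `match_ioc`, and do the same for /etc/crontab and /etc/cron.d/*, which use a six-field format with a user column and would need the parser extended by one field.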