Analysis
- max time kernel: 152s
- max time network: 132s
- platform: ubuntu-18.04_amd64
- resource: ubuntu1804-amd64-20231215-en
- resource tags: arch:amd64, arch:i386, image:ubuntu1804-amd64-20231215-en, kernel:4.15.0-213-generic, locale:en-us, os:ubuntu-18.04-amd64, system
- submitted: 19-12-2023 23:08
Behavioral task
- behavioral1
- Sample: 47d704b79364e2ab333e614c166d0b7d
- Resource: ubuntu1804-amd64-20231215-en
General
- Target: 47d704b79364e2ab333e614c166d0b7d
- Size: 7.0MB
- MD5: 47d704b79364e2ab333e614c166d0b7d
- SHA1: d29fb7df26ecef83abc99e5b4f0d9dd58ad0a2d6
- SHA256: 0f4755f65c495d3711bf22271f85f1ee86da8b7a487e770f769af56e189be48c
- SHA512: a58054d2bf47e59d8ef48beda1089d35867faaebd3ee1bf023c95773dd74b79717e8f681eda005662736e873646bd0c2449fa27623f3e088ffce6a4e1dc70906
- SSDEEP: 98304:EE1b80T1Mv8SzjLZ/YJG9MMa2megmG5OFZj8KIX:n980JpSzBsMa2ac8K
Malware Config
Signatures
- Checks CPU configuration (1 TTPs, 2 IoCs)
  Checks CPU information, which indicates whether the system is a virtual machine.
  Processes: cat, cat
  description | ioc | process
  File opened for reading | /proc/cpuinfo | cat
  File opened for reading | /proc/cpuinfo | cat
- Creates/modifies Cron job (1 TTPs, 1 IoCs)
  Cron allows running tasks on a schedule, and is commonly used for malware persistence.
  Processes: crontab
  description | ioc | process
  File opened for modification | /var/spool/cron/crontabs/tmp.jgOHVp | crontab
- Reads runtime system information (4 IoCs)
  Reads data from the /proc virtual filesystem.
  Processes: cat, 47d704b79364e2ab333e614c166d0b7d, cat, 47d704b79364e2ab333e614c166d0b7d
  description | ioc | process
  File opened for reading | /proc/version | cat
  File opened for reading | /proc/sys/net/core/somaxconn | 47d704b79364e2ab333e614c166d0b7d
  File opened for reading | /proc/version | cat
  File opened for reading | /proc/sys/net/core/somaxconn | 47d704b79364e2ab333e614c166d0b7d
- Writes file to tmp directory (3 IoCs)
  Malware often drops required files in the /tmp directory.
  description | ioc
  File opened for modification | /tmp/.pid
  File opened for modification | /tmp/nip9iNeiph5chee
  File opened for modification | /tmp/[stealth].pid
Processes
- /tmp/47d704b79364e2ab333e614c166d0b7d
  Command line: /tmp/47d704b79364e2ab333e614c166d0b7d (1⤵)
  - Reads runtime system information
- /bin/cat
  Command line: cat /proc/version (1⤵)
  - Reads runtime system information
- /bin/cat
  Command line: cat /proc/cpuinfo (1⤵)
  - Checks CPU configuration
- /bin/uname
  Command line: uname -a (1⤵)
- /usr/bin/getconf
  Command line: getconf LONG_BIT (1⤵)
- /tmp/47d704b79364e2ab333e614c166d0b7d
  Command line: "[stealth]" (1⤵)
  - Reads runtime system information
- /bin/cat
  Command line: cat /proc/version (2⤵)
  - Reads runtime system information
- /bin/cat
  Command line: cat /proc/cpuinfo (1⤵)
  - Checks CPU configuration
- /bin/uname
  Command line: uname -a (1⤵)
- /usr/bin/getconf
  Command line: getconf LONG_BIT (1⤵)
- /usr/bin/crontab
  Command line: /usr/bin/crontab /tmp/nip9iNeiph5chee (1⤵)
  - Creates/modifies Cron job
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- /tmp/.pid
  Filesize: 4B
  MD5: 819c9fbfb075d62a16393b9fe4fcbaa5
  SHA1: 8959169251e7394bcf4b9004326f83e266a06bfb
  SHA256: 50a0a04f2d67b4a26d3aaa163fa2fb0d80a5457716579587cc45ce5bc89d8fce
  SHA512: 1a2836932a771fac43e720d14d8df08c3e32ca5d6d335ae38788fa774e05568c6c05a7c5531ab745b8ec7a9d410f7460ea86c3f5fb6fc097a991170cf26feb57
- /tmp/nip9iNeiph5chee
  Filesize: 66B
  MD5: b6b967ae2f83d3acd9cc0b1875cbd52d
  SHA1: 3cf14be897ad13088a62c726b2d68d15f39eb676
  SHA256: 655bfb4796f01ed1882df41880b6d8f5b76a39c82edd2912e3343b25240f4844
  SHA512: be48670696bd35587db80971d814360e3c49af2d244feac9cb9e6d59eb35aa1e363b591e162ddfae0d70355d3f307442eaf4e49900891dc82c375fa086701815
- /var/spool/cron/crontabs/tmp.jgOHVp
  Filesize: 260B
  MD5: bdad7c934de0b4bb22ef1071cfa8481d
  SHA1: c2b0f08bec4d91d9235b6a388c3bdd68ead7aeba
  SHA256: 93334fb86e282443e8e7b8e818cdc544ed23f89f430c45c37aad47bb1388be51
  SHA512: 9e85b3d3bd5b595f873095b469b0bfd7a5e391d5ec2616166537dce23dd3b7ebcdbce26791e6296fbfffadf070aee4c5206acbb409a759cb8c2bd05edebf3510