0f4755f65c495d3711bf22271f85f1ee86da8b7a487e770f769af56e189be48c

Analysis

max time kernel
152s
max time network
132s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20231215-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20231215-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
19-12-2023 23:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

47d704b79364e2ab333e614c166d0b7d
Size

7.0MB
MD5

47d704b79364e2ab333e614c166d0b7d
SHA1

d29fb7df26ecef83abc99e5b4f0d9dd58ad0a2d6
SHA256

0f4755f65c495d3711bf22271f85f1ee86da8b7a487e770f769af56e189be48c
SHA512

a58054d2bf47e59d8ef48beda1089d35867faaebd3ee1bf023c95773dd74b79717e8f681eda005662736e873646bd0c2449fa27623f3e088ffce6a4e1dc70906
SSDEEP

98304:EE1b80T1Mv8SzjLZ/YJG9MMa2megmG5OFZj8KIX:n980JpSzBsMa2ac8K

Score

6^/10

antivm persistence

Malware Config

Signatures

Checks CPU configuration 1 TTPs 2 IoCs
Checks CPU information which indicate if the system is a virtual machine.
antivm

Virtualization/Sandbox Evasion
T1497

Processes:

catcat

description ioc process

File opened for reading /proc/cpuinfo cat
File opened for reading /proc/cpuinfo cat
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
persistence

Scheduled Task/Job
T1053

Processes:

crontab

description ioc process

File opened for modification /var/spool/cron/crontabs/tmp.jgOHVp crontab

description	ioc	process
File opened for reading	/proc/cpuinfo	cat
File opened for reading	/proc/cpuinfo	cat

description	ioc	process
File opened for modification	/var/spool/cron/crontabs/tmp.jgOHVp	crontab

Reads runtime system information 4 IoCs

Reads data from /proc virtual filesystem.

Processes:

cat47d704b79364e2ab333e614c166d0b7dcat47d704b79364e2ab333e614c166d0b7d

description	ioc	process
File opened for reading	/proc/version	cat
File opened for reading	/proc/sys/net/core/somaxconn	47d704b79364e2ab333e614c166d0b7d
File opened for reading	/proc/version	cat
File opened for reading	/proc/sys/net/core/somaxconn	47d704b79364e2ab333e614c166d0b7d

Writes file to tmp directory 3 IoCs
Malware often drops required files in the /tmp directory.

Processes:

description ioc

File opened for modification /tmp/.pid
File opened for modification /tmp/nip9iNeiph5chee
File opened for modification /tmp/[stealth].pid

description	ioc
File opened for modification	/tmp/.pid
File opened for modification	/tmp/nip9iNeiph5chee
File opened for modification	/tmp/[stealth].pid

/tmp/47d704b79364e2ab333e614c166d0b7d
/tmp/47d704b79364e2ab333e614c166d0b7d
1⤵
- Reads runtime system information
PID:1534

/bin/cat
cat /proc/version
1⤵
- Reads runtime system information
PID:1538

/bin/cat
cat /proc/cpuinfo
1⤵
- Checks CPU configuration
PID:1539

/bin/uname
uname -a
1⤵
PID:1541

/usr/bin/getconf
getconf LONG_BIT
1⤵
PID:1542

/tmp/47d704b79364e2ab333e614c166d0b7d
"[stealth]"
1⤵
- Reads runtime system information
PID:1543

/bin/cat
cat /proc/version
2⤵
- Reads runtime system information
PID:1549

/bin/cat
cat /proc/cpuinfo
1⤵
- Checks CPU configuration
PID:1550

/bin/uname
uname -a
1⤵
PID:1551

/usr/bin/getconf
getconf LONG_BIT
1⤵
PID:1552

/usr/bin/crontab
/usr/bin/crontab /tmp/nip9iNeiph5chee
1⤵
- Creates/modifies Cron job
PID:1553

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/.pid
Filesize
4B

MD5
819c9fbfb075d62a16393b9fe4fcbaa5

SHA1
8959169251e7394bcf4b9004326f83e266a06bfb

SHA256
50a0a04f2d67b4a26d3aaa163fa2fb0d80a5457716579587cc45ce5bc89d8fce

SHA512
1a2836932a771fac43e720d14d8df08c3e32ca5d6d335ae38788fa774e05568c6c05a7c5531ab745b8ec7a9d410f7460ea86c3f5fb6fc097a991170cf26feb57

Download Submit
/tmp/nip9iNeiph5chee
Filesize
66B

MD5
b6b967ae2f83d3acd9cc0b1875cbd52d

SHA1
3cf14be897ad13088a62c726b2d68d15f39eb676

SHA256
655bfb4796f01ed1882df41880b6d8f5b76a39c82edd2912e3343b25240f4844

SHA512
be48670696bd35587db80971d814360e3c49af2d244feac9cb9e6d59eb35aa1e363b591e162ddfae0d70355d3f307442eaf4e49900891dc82c375fa086701815

Download Submit
/var/spool/cron/crontabs/tmp.jgOHVp
Filesize
260B

MD5
bdad7c934de0b4bb22ef1071cfa8481d

SHA1
c2b0f08bec4d91d9235b6a388c3bdd68ead7aeba

SHA256
93334fb86e282443e8e7b8e818cdc544ed23f89f430c45c37aad47bb1388be51

SHA512
9e85b3d3bd5b595f873095b469b0bfd7a5e391d5ec2616166537dce23dd3b7ebcdbce26791e6296fbfffadf070aee4c5206acbb409a759cb8c2bd05edebf3510

Download Submit