d92587ee5e763f9d961fded9be3ba0a2fe95e311254c9d2c4135c7a1238672bf

Analysis

max time kernel
151s
max time network
133s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20231215-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20231215-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
19-12-2023 22:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0adc73b8cf912d57e594bab3466860c6
Size

7.0MB
MD5

0adc73b8cf912d57e594bab3466860c6
SHA1

65d1f9d28783f5ea5b23d96ce16bb661a5f9a3ce
SHA256

d92587ee5e763f9d961fded9be3ba0a2fe95e311254c9d2c4135c7a1238672bf
SHA512

3d4e52af9109ea2de90027e895d511685f9047cbbc6266a401e28835eb92de7766e48e9f62700de0bab365bff0286a24005d7bead63c4a8b2ea2a3c9b6b98f6d
SSDEEP

98304:kuNe6mfQBtMdq+Khq+wfpL+Gd+r2R/v75LBJL7IX:pE6mYcdqhc7jJX

Score

6^/10

antivm persistence

Malware Config

Signatures

Checks CPU configuration 1 TTPs 2 IoCs
Checks CPU information which indicate if the system is a virtual machine.
antivm

Virtualization/Sandbox Evasion
T1497

Processes:

catcat

description ioc process

File opened for reading /proc/cpuinfo cat
File opened for reading /proc/cpuinfo cat
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
persistence

Scheduled Task/Job
T1053

Processes:

crontab

description ioc process

File opened for modification /var/spool/cron/crontabs/tmp.yABkpC crontab

description	ioc	process
File opened for reading	/proc/cpuinfo	cat
File opened for reading	/proc/cpuinfo	cat

description	ioc	process
File opened for modification	/var/spool/cron/crontabs/tmp.yABkpC	crontab

Reads runtime system information 4 IoCs

Reads data from /proc virtual filesystem.

Processes:

0adc73b8cf912d57e594bab3466860c6cat0adc73b8cf912d57e594bab3466860c6cat

description	ioc	process
File opened for reading	/proc/sys/net/core/somaxconn	0adc73b8cf912d57e594bab3466860c6
File opened for reading	/proc/version	cat
File opened for reading	/proc/sys/net/core/somaxconn	0adc73b8cf912d57e594bab3466860c6
File opened for reading	/proc/version	cat

Writes file to tmp directory 3 IoCs
Malware often drops required files in the /tmp directory.

Processes:

description ioc

File opened for modification /tmp/[stealth].pid
File opened for modification /tmp/.pid
File opened for modification /tmp/nip9iNeiph5chee

description	ioc
File opened for modification	/tmp/[stealth].pid
File opened for modification	/tmp/.pid
File opened for modification	/tmp/nip9iNeiph5chee

/tmp/0adc73b8cf912d57e594bab3466860c6
/tmp/0adc73b8cf912d57e594bab3466860c6
1⤵
- Reads runtime system information
PID:1542

/bin/cat
cat /proc/version
1⤵
- Reads runtime system information
PID:1545

/bin/cat
cat /proc/cpuinfo
1⤵
- Checks CPU configuration
PID:1547

/bin/uname
uname -a
1⤵
PID:1548

/usr/bin/getconf
getconf LONG_BIT
1⤵
PID:1549

/tmp/0adc73b8cf912d57e594bab3466860c6
"[stealth]"
1⤵
- Reads runtime system information
PID:1551

/bin/cat
cat /proc/version
2⤵
- Reads runtime system information
PID:1556

/bin/cat
cat /proc/cpuinfo
1⤵
- Checks CPU configuration
PID:1558

/bin/uname
uname -a
1⤵
PID:1559

/usr/bin/getconf
getconf LONG_BIT
1⤵
PID:1560

/usr/bin/crontab
/usr/bin/crontab /tmp/nip9iNeiph5chee
1⤵
- Creates/modifies Cron job
PID:1561

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/.pid
Filesize
4B

MD5
4e6cd95227cb0c280e99a195be5f6615

SHA1
00b7858a85fe7328455145a1552e17378e980fe7

SHA256
1e61da9318ad5f39fa341ffa808659430fd708a76917b50851a1fbcf88375f1e

SHA512
05b75cc64fa98271a6f55bf355457eea5a2ac6ef5a340774c8cc55e7ce2f574d1b0aef783abb46975ed6b930c479762a2e89c487438a696722e4079c84b81490

Download Submit
/tmp/nip9iNeiph5chee
Filesize
66B

MD5
f2412ab082f5db5abf8045e1ef68e436

SHA1
2eeba5475e1a6c21e27c9e112c01049862efa8e6

SHA256
235d2818e649c9904fc0cc555cc969c12e8bdd56feb77e7092a1f925dde7f21a

SHA512
da58b86d7011cdb789da8f92232f669d5851cfb8e06436e754dbc2a2bb0d4e6b7527f69ecf5345af5d7582db6e93bae2f703e3f86faa2d93817c84939416e292

Download Submit
/var/spool/cron/crontabs/tmp.yABkpC
Filesize
260B

MD5
aa2598039b88b3e88e2f6daf7cc86158

SHA1
384bba1ca474a16da425c38a2038beb860ea9a6a

SHA256
eab882756898b24473a2fe5b0d43b33c24f17cc5835db51abca30da4801f65f9

SHA512
c1bcd60bb879b4cf43c824daee01c604ff42a0b717080efd069b65e101b7e6eacf1dd3ada5e9a118a7c5ee62b7c6b36e0385bcbb6afd8c2b70ee68b5a118d1c9

Download Submit