Analysis

  • max time kernel
    151s
  • max time network
    133s
  • platform
    ubuntu-18.04_amd64
  • resource
    ubuntu1804-amd64-20231215-en
  • resource tags

    arch:amd64, arch:i386, image:ubuntu1804-amd64-20231215-en, kernel:4.15.0-213-generic, locale:en-us, os:ubuntu-18.04-amd64, system
  • submitted
    19-12-2023 22:27

General

  • Target
    0adc73b8cf912d57e594bab3466860c6
  • Size
    7.0MB
  • MD5
    0adc73b8cf912d57e594bab3466860c6
  • SHA1
    65d1f9d28783f5ea5b23d96ce16bb661a5f9a3ce
  • SHA256
    d92587ee5e763f9d961fded9be3ba0a2fe95e311254c9d2c4135c7a1238672bf
  • SHA512
    3d4e52af9109ea2de90027e895d511685f9047cbbc6266a401e28835eb92de7766e48e9f62700de0bab365bff0286a24005d7bead63c4a8b2ea2a3c9b6b98f6d
  • SSDEEP
    98304:kuNe6mfQBtMdq+Khq+wfpL+Gd+r2R/v75LBJL7IX:pE6mYcdqhc7jJX

Score
6/10

Malware Config

Signatures

  • Checks CPU configuration (1 TTPs, 2 IoCs)
    Checks CPU information that indicates whether the system is a virtual machine.
  • Creates/modifies Cron job (1 TTPs, 1 IoCs)
    Cron allows running tasks on a schedule and is commonly used for malware persistence.
  • Reads runtime system information (4 IoCs)
    Reads data from the /proc virtual filesystem.
  • Writes file to tmp directory (3 IoCs)
    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/0adc73b8cf912d57e594bab3466860c6
    /tmp/0adc73b8cf912d57e594bab3466860c6
    • Reads runtime system information
    PID:1542
  • /bin/cat
    cat /proc/version
    • Reads runtime system information
    PID:1545
  • /bin/cat
    cat /proc/cpuinfo
    • Checks CPU configuration
    PID:1547
  • /bin/uname
    uname -a
    PID:1548
  • /usr/bin/getconf
    getconf LONG_BIT
    PID:1549
  • /tmp/0adc73b8cf912d57e594bab3466860c6
    "[stealth]"
    • Reads runtime system information
    PID:1551
  • /bin/cat
    cat /proc/version
    • Reads runtime system information
    PID:1556
  • /bin/cat
    cat /proc/cpuinfo
    • Checks CPU configuration
    PID:1558
  • /bin/uname
    uname -a
    PID:1559
  • /usr/bin/getconf
    getconf LONG_BIT
    PID:1560
  • /usr/bin/crontab
    /usr/bin/crontab /tmp/nip9iNeiph5chee
    • Creates/modifies Cron job
    PID:1561

Network

MITRE ATT&CK Matrix (ATT&CK v13)

  • Execution: Scheduled Task/Job, 1 (T1053)
  • Persistence: Scheduled Task/Job, 1 (T1053)
  • Privilege Escalation: Scheduled Task/Job, 1 (T1053)
  • Defense Evasion: Virtualization/Sandbox Evasion, 1 (T1497)
  • Discovery: Virtualization/Sandbox Evasion, 1 (T1497)


Downloads

  • /tmp/.pid
    Filesize: 4B
    MD5: 4e6cd95227cb0c280e99a195be5f6615
    SHA1: 00b7858a85fe7328455145a1552e17378e980fe7
    SHA256: 1e61da9318ad5f39fa341ffa808659430fd708a76917b50851a1fbcf88375f1e
    SHA512: 05b75cc64fa98271a6f55bf355457eea5a2ac6ef5a340774c8cc55e7ce2f574d1b0aef783abb46975ed6b930c479762a2e89c487438a696722e4079c84b81490
  • /tmp/nip9iNeiph5chee
    Filesize: 66B
    MD5: f2412ab082f5db5abf8045e1ef68e436
    SHA1: 2eeba5475e1a6c21e27c9e112c01049862efa8e6
    SHA256: 235d2818e649c9904fc0cc555cc969c12e8bdd56feb77e7092a1f925dde7f21a
    SHA512: da58b86d7011cdb789da8f92232f669d5851cfb8e06436e754dbc2a2bb0d4e6b7527f69ecf5345af5d7582db6e93bae2f703e3f86faa2d93817c84939416e292
  • /var/spool/cron/crontabs/tmp.yABkpC
    Filesize: 260B
    MD5: aa2598039b88b3e88e2f6daf7cc86158
    SHA1: 384bba1ca474a16da425c38a2038beb860ea9a6a
    SHA256: eab882756898b24473a2fe5b0d43b33c24f17cc5835db51abca30da4801f65f9
    SHA512: c1bcd60bb879b4cf43c824daee01c604ff42a0b717080efd069b65e101b7e6eacf1dd3ada5e9a118a7c5ee62b7c6b36e0385bcbb6afd8c2b70ee68b5a118d1c9