Analysis
- max time kernel: 155s
- max time network: 159s
- platform: ubuntu-18.04_amd64
- resource: ubuntu1804-amd64-20231215-en
- resource tags: arch:amd64, arch:i386, image:ubuntu1804-amd64-20231215-en, kernel:4.15.0-213-generic, locale:en-us, os:ubuntu-18.04-amd64, system
- submitted: 19-12-2023 22:31
Behavioral task
- behavioral1
- Sample: 1094b5c3fcfeb6492e7d25bda6fe84cb
- Resource: ubuntu1804-amd64-20231215-en
General
- Target: 1094b5c3fcfeb6492e7d25bda6fe84cb
- Size: 6.9MB
- MD5: 1094b5c3fcfeb6492e7d25bda6fe84cb
- SHA1: f49d37312e3002cb4dbe480e1fb7bfc7d50ea02b
- SHA256: 071129b4866da8cb786298d4e569126ff4b2216382357ae9d8af70a51cbe624a
- SHA512: fbaecf93a8bd701aab1fc7859507f56a228eea6a232420cd3ce9c1045cb960a03fb7ea010ad14a4991b2b4ff90a131f8c2da7498922b40c95ba5be6898ecc026
- SSDEEP: 49152:SCs7sxgEAE4fTPqbO9BwalW5u0qBFEeaHTOAE6kEKy+XJw9ZEOr2JcZ51NPtvGxL:m2gRE4eCPW5uLBFWT7+3UPVGGmQWCIX
Malware Config
Signatures
- Checks CPU configuration (1 TTPs, 2 IoCs)
Checks CPU information which indicates whether the system is a virtual machine.
Processes:
description | ioc | process
File opened for reading | /proc/cpuinfo | cat
File opened for reading | /proc/cpuinfo | cat
- Creates/modifies Cron job (1 TTPs, 1 IoCs)
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
Processes:
description | ioc | process
File opened for modification | /var/spool/cron/crontabs/tmp.V5fHAN | crontab
- Reads runtime system information (4 IoCs)
Reads data from /proc virtual filesystem.
Processes:
description | ioc | process
File opened for reading | /proc/sys/net/core/somaxconn | 1094b5c3fcfeb6492e7d25bda6fe84cb
File opened for reading | /proc/version | cat
File opened for reading | /proc/sys/net/core/somaxconn | 1094b5c3fcfeb6492e7d25bda6fe84cb
File opened for reading | /proc/version | cat
- Writes file to tmp directory (3 IoCs)
Malware often drops required files in the /tmp directory.
Processes:
description | ioc
File opened for modification | /tmp/.pid
File opened for modification | /tmp/nip9iNeiph5chee
File opened for modification | /tmp/[stealth].pid
Processes
- /tmp/1094b5c3fcfeb6492e7d25bda6fe84cb (command line: /tmp/1094b5c3fcfeb6492e7d25bda6fe84cb, PID 1)
  - Reads runtime system information
- /bin/cat (command line: cat /proc/version, PID 2)
  - Reads runtime system information
- /bin/cat (command line: cat /proc/cpuinfo, PID 1)
  - Checks CPU configuration
- /bin/uname (command line: uname -a, PID 1)
- /usr/bin/getconf (command line: getconf LONG_BIT, PID 1)
- /tmp/1094b5c3fcfeb6492e7d25bda6fe84cb (command line: "[stealth]", PID 1)
  - Reads runtime system information
- /bin/cat (command line: cat /proc/version, PID 2)
  - Reads runtime system information
- /bin/cat (command line: cat /proc/cpuinfo, PID 1)
  - Checks CPU configuration
- /bin/uname (command line: uname -a, PID 1)
- /usr/bin/getconf (command line: getconf LONG_BIT, PID 1)
- /usr/bin/crontab (command line: /usr/bin/crontab /tmp/nip9iNeiph5chee, PID 1)
  - Creates/modifies Cron job
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- /tmp/.pid
  Filesize: 4B
  MD5: 89ae0fe22c47d374bc9350ef99e01685
  SHA1: fc27fbae8511b00b820da34fd107d27b11a72855
  SHA256: 8b1fbeee2ea27bf5b180d2c10372ad571a5233b0ba34f272a7bda75f93cbcb84
  SHA512: f1f8813569296ef5c373abcd5e901772d4ee10e196865acdb8231ab73f564257fc76057ba71d42c77ca195a6a70d2c24007b4e006387beccc2b1543faf6f9ca4
- /tmp/nip9iNeiph5chee
  Filesize: 66B
  MD5: 2149895cfafe059bb241bead33fa0db7
  SHA1: afd5e3a21b681aa833f3c42545ef20f2946c9933
  SHA256: 04fb5b1211621afd1f881644f0aafeb27a1c120246305ec928f09cd78678bc9e
  SHA512: 8778f048d22eef81ad54f231d4e2c172bf00110c4d67907b7f19e332bad6e0cc92836e7e580687dbedc6b71bcbbf2d416f3240af0c96b4317f48c25169bfcc99
- /var/spool/cron/crontabs/tmp.V5fHAN
  Filesize: 260B
  MD5: 23ba5adeb5a38deb8b9c657ee453168d
  SHA1: 01985d130cca64d92070d15633731030e7c499df
  SHA256: 611a68ef42c0d6d0d32597159728a3f0764dcae3ca397c82a0adb1298dc31d90
  SHA512: f9c9e62698167a55dde32c161b0ed7d3fc6fad1d3256d11d9f5f9a2398e0ad051c879882d317887e6cbd5bddb1c7862e368b906104c40b3e540de30f3a1460c7