Analysis
max time kernel: 144s
max time network: 154s
platform: ubuntu-18.04_amd64
resource: ubuntu1804-amd64-20231215-en
resource tags: arch:amd64, arch:i386, image:ubuntu1804-amd64-20231215-en, kernel:4.15.0-213-generic, locale:en-us, os:ubuntu-18.04-amd64, system
submitted: 19-12-2023 22:45
Behavioral task: behavioral1
Sample: 24a77a79f3d38bd861b460e4f545b2f2
Resource: ubuntu1804-amd64-20231215-en
General
Target: 24a77a79f3d38bd861b460e4f545b2f2
Size: 7.0MB
MD5: 24a77a79f3d38bd861b460e4f545b2f2
SHA1: b5ac9ef4705488da27f63fa5554621cb1e24b578
SHA256: 9d3cd867000e9885db703600c1b3f80e31fbdca8b42195fe3a0459fc78f7b40b
SHA512: 77cba0896bada263953d2aa4bf8dfc6f356dac776cb407fd5f7e424cdf7d0c062b21007621a339a602a64f4edffc9196ad618f8bcb8aa0fb6926a5f05de4b67a
SSDEEP: 98304:HeTKhZ9Dnw8r/MlwzBVw8Vt7Bxnam/3IX:++hZVnFO2F9N/
Malware Config
Signatures
Checks CPU configuration (1 TTPs, 2 IoCs)
Checks CPU information which indicate if the system is a virtual machine.
Processes: cat, cat
  description              ioc            process
  File opened for reading  /proc/cpuinfo  cat
  File opened for reading  /proc/cpuinfo  cat
Creates/modifies Cron job (1 TTPs, 1 IoCs)
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
Processes: crontab
  description                   ioc                                   process
  File opened for modification  /var/spool/cron/crontabs/tmp.3GAh1O  crontab
Reads runtime system information (4 IoCs)
Reads data from /proc virtual filesystem.
Processes: 24a77a79f3d38bd861b460e4f545b2f2, cat, 24a77a79f3d38bd861b460e4f545b2f2, cat
  description              ioc                           process
  File opened for reading  /proc/sys/net/core/somaxconn  24a77a79f3d38bd861b460e4f545b2f2
  File opened for reading  /proc/version                 cat
  File opened for reading  /proc/sys/net/core/somaxconn  24a77a79f3d38bd861b460e4f545b2f2
  File opened for reading  /proc/version                 cat
Writes file to tmp directory (3 IoCs)
Malware often drops required files in the /tmp directory.
Processes:
  description                   ioc
  File opened for modification  /tmp/.pids
  File opened for modification  /tmp/nip9iNeiph5chee
  File opened for modification  /tmp/[steal].pid
Processes
/tmp/24a77a79f3d38bd861b460e4f545b2f2  (command: /tmp/24a77a79f3d38bd861b460e4f545b2f2)
  - Reads runtime system information
  PID: 1550
    /bin/cat  (command: cat /proc/version)
      - Reads runtime system information
      PID: 1553
/bin/cat  (command: cat /proc/cpuinfo)
  - Checks CPU configuration
  PID: 1555
/bin/uname  (command: uname -a)
  PID: 1556
/usr/bin/getconf  (command: getconf LONG_BIT)
  PID: 1557
/tmp/24a77a79f3d38bd861b460e4f545b2f2  (command: "[steal]")
  - Reads runtime system information
  PID: 1558
    /bin/cat  (command: cat /proc/version)
      - Reads runtime system information
      PID: 1561
/bin/cat  (command: cat /proc/cpuinfo)
  - Checks CPU configuration
  PID: 1562
/bin/uname  (command: uname -a)
  PID: 1563
/usr/bin/getconf  (command: getconf LONG_BIT)
  PID: 1564
/usr/bin/crontab  (command: /usr/bin/crontab /tmp/nip9iNeiph5chee)
  - Creates/modifies Cron job
  PID: 1570
Network
MITRE ATT&CK Enterprise v15
Downloads
/tmp/.pids
  Filesize: 4B
  MD5: 29921001f2f04bd3baee84a12e98098f
  SHA1: ca9e263d07340b8b04eea95e4172ccb3800e773a
  SHA256: 67a375e4ddcdb509545a752ea82be28b546ded87431078fe6fc1ead202f5815c
  SHA512: 8b08c53440133f5bc3800670ce2702484ae7d5d7bf82489e8239146997a48bbad165d6579beef8d2a0a30e7e008546e95179cd20a674292182922f66ff5cf2f0

/tmp/nip9iNeiph5chee
  Filesize: 66B
  MD5: e62307ad5172e049862e11a37a7ee1ea
  SHA1: bcb0f0298cf5c68d68ebba025c2db08e40e70ac1
  SHA256: 62f11fccf1038ff6f66cb37cb3e93bbf39dc819f0b7df62f22da02854586d81b
  SHA512: cacbf47dfbe1ede749bbfd62456d099dd7724b7b23fadfd45c406add6f53ede68204de94b7e226f61df266584eb57ea9c6657bcfcfcb90ff70ee864e8b44a3d2

/var/spool/cron/crontabs/tmp.3GAh1O
  Filesize: 260B
  MD5: 3c5bb4275cea18c6e96597e983c253c1
  SHA1: 20bc87ef1bb134554059d553e59c1aa795de27d9
  SHA256: 63db11cd60602b8ac24a806fa7d4970ee9432450e9141a533583a8587281bd78
  SHA512: e020f22326977c93b85bfc4acfddfb5232a7c239512d96eb5824330b679f27d8fe9867b16ce650ffffa04b108ef7b2880844f79746cd1c786b019a49c8c5256a