Analysis
- max time kernel: 144s
- max time network: 131s
- platform: ubuntu-18.04_amd64
- resource: ubuntu1804-amd64-20231215-en
- resource tags: arch:amd64, arch:i386, image:ubuntu1804-amd64-20231215-en, kernel:4.15.0-213-generic, locale:en-us, os:ubuntu-18.04-amd64, system
- submitted: 19-12-2023 22:56
Behavioral task: behavioral1
- Sample: 35943162dc45048aedc9abd9489f30c1
- Resource: ubuntu1804-amd64-20231215-en
General
- Target: 35943162dc45048aedc9abd9489f30c1
- Size: 7.0MB
- MD5: 35943162dc45048aedc9abd9489f30c1
- SHA1: 13628d4a8888083fcae937e02581ea66dc4c722b
- SHA256: a3be16a735d17c0a1db9ff2a6a41b3d876f7b4ff43ba0421a329ad713b89ba02
- SHA512: d99e2bde83bdc2b2aacd33760f35f045760b02816e6635dd9a148f8a8427be51219637ef5e44cceb9e9a6849aa8235282ed1163fc6ff67061e41df55f1083ea0
- SSDEEP: 98304:nv4QhyO0ohoxG6lp9y9G8R7E/zF913IX:v5hyBoGO3oL7t
Malware Config
Signatures
- Checks CPU configuration (1 TTPs, 2 IoCs)
  Checks CPU information which indicates if the system is a virtual machine.
  Processes: cat, cat
  description / ioc / process:
  File opened for reading /proc/cpuinfo (cat)
  File opened for reading /proc/cpuinfo (cat)
- Creates/modifies Cron job (1 TTPs, 1 IoCs)
  Cron allows running tasks on a schedule, and is commonly used for malware persistence.
  Processes: crontab
  description / ioc / process:
  File opened for modification /var/spool/cron/crontabs/tmp.HhDbYO (crontab)
- Reads runtime system information (4 IoCs)
  Reads data from the /proc virtual filesystem.
  Processes: 35943162dc45048aedc9abd9489f30c1, cat, 35943162dc45048aedc9abd9489f30c1, cat
  description / ioc / process:
  File opened for reading /proc/sys/net/core/somaxconn (35943162dc45048aedc9abd9489f30c1)
  File opened for reading /proc/version (cat)
  File opened for reading /proc/sys/net/core/somaxconn (35943162dc45048aedc9abd9489f30c1)
  File opened for reading /proc/version (cat)
- Writes file to tmp directory (3 IoCs)
  Malware often drops required files in the /tmp directory.
  description / ioc:
  File opened for modification /tmp/.pids
  File opened for modification /tmp/nip9iNeiph5chee
  File opened for modification /tmp/[stea].pid
Processes
- /tmp/35943162dc45048aedc9abd9489f30c1 (command line: /tmp/35943162dc45048aedc9abd9489f30c1) 1⤵
  - Reads runtime system information
- /bin/cat (command line: cat /proc/version) 2⤵
  - Reads runtime system information
- /bin/cat (command line: cat /proc/cpuinfo) 1⤵
  - Checks CPU configuration
- /bin/uname (command line: uname -a) 1⤵
- /usr/bin/getconf (command line: getconf LONG_BIT) 1⤵
- /tmp/35943162dc45048aedc9abd9489f30c1 (command line: "[stea]") 1⤵
  - Reads runtime system information
- /bin/cat (command line: cat /proc/version) 2⤵
  - Reads runtime system information
- /bin/cat (command line: cat /proc/cpuinfo) 1⤵
  - Checks CPU configuration
- /bin/uname (command line: uname -a) 1⤵
- /usr/bin/getconf (command line: getconf LONG_BIT) 1⤵
- /usr/bin/crontab (command line: /usr/bin/crontab /tmp/nip9iNeiph5chee) 1⤵
  - Creates/modifies Cron job
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- /tmp/.pids
  Filesize: 4B
  MD5: f337d999d9ad116a7b4f3d409fcc6480
  SHA1: a867de00c711504a6b5e881693b5c34e9f0599c5
  SHA256: 194af3b3d7b007443c26af23c035430b0afb9abebf8c89432884147fc41af759
  SHA512: 6bd97d4826f69e44ffb23fcaef7bc354c3f94270136b1ebdd9d94e5617843a4f5c7915da11f7e93ddbe6122c77c5f00e46a788fffed91c21b9b07310bdf626cd
- /tmp/nip9iNeiph5chee
  Filesize: 66B
  MD5: 528c8c4acfd1e9cc43cb82f8cb3ec70a
  SHA1: 9ad45e1a2c184d6ecf83a9055c05a2fb92359f53
  SHA256: e2dc93a71e527ecda054bdfeb6db434548f2f4623f12454c2d8074d76fd6c955
  SHA512: 2d630b11eceae953403eb7b419889345708572c2cb2d41312c5e81a68e9b73f4fe0514145317e52df29f93159b4120e1e8fc5bf920c618b8777faa3c672dc2c1
- /var/spool/cron/crontabs/tmp.HhDbYO
  Filesize: 260B
  MD5: 25bdafba799d8412d2ef2e283e20d450
  SHA1: 13885a7339104e6ab78eccb203777175b0556a2a
  SHA256: 81161e81b587ecec47a90534d8649c46d02b6672009aa954081eeec540060ee1
  SHA512: e153981841abb6186256c78bb8a0a370efed964eb01734b9be1d2adc80df62736dc053dc800a6b1899762a9eeefcf40af708effa0a281a3fc069388492c0dc7b