a3be16a735d17c0a1db9ff2a6a41b3d876f7b4ff43ba0421a329ad713b89ba02

Analysis

max time kernel
144s
max time network
131s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20231215-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20231215-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
19-12-2023 22:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

35943162dc45048aedc9abd9489f30c1
Size

7.0MB
MD5

35943162dc45048aedc9abd9489f30c1
SHA1

13628d4a8888083fcae937e02581ea66dc4c722b
SHA256

a3be16a735d17c0a1db9ff2a6a41b3d876f7b4ff43ba0421a329ad713b89ba02
SHA512

d99e2bde83bdc2b2aacd33760f35f045760b02816e6635dd9a148f8a8427be51219637ef5e44cceb9e9a6849aa8235282ed1163fc6ff67061e41df55f1083ea0
SSDEEP

98304:nv4QhyO0ohoxG6lp9y9G8R7E/zF913IX:v5hyBoGO3oL7t

Score

6^/10

antivm persistence

Malware Config

Signatures

Checks CPU configuration 1 TTPs 2 IoCs
Checks CPU information which indicate if the system is a virtual machine.
antivm

Virtualization/Sandbox Evasion
T1497

Processes:

catcat

description ioc process

File opened for reading /proc/cpuinfo cat
File opened for reading /proc/cpuinfo cat
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
persistence

Scheduled Task/Job
T1053

Processes:

crontab

description ioc process

File opened for modification /var/spool/cron/crontabs/tmp.HhDbYO crontab

description	ioc	process
File opened for reading	/proc/cpuinfo	cat
File opened for reading	/proc/cpuinfo	cat

description	ioc	process
File opened for modification	/var/spool/cron/crontabs/tmp.HhDbYO	crontab

Reads runtime system information 4 IoCs

Reads data from /proc virtual filesystem.

Processes:

35943162dc45048aedc9abd9489f30c1cat35943162dc45048aedc9abd9489f30c1cat

description	ioc	process
File opened for reading	/proc/sys/net/core/somaxconn	35943162dc45048aedc9abd9489f30c1
File opened for reading	/proc/version	cat
File opened for reading	/proc/sys/net/core/somaxconn	35943162dc45048aedc9abd9489f30c1
File opened for reading	/proc/version	cat

Writes file to tmp directory 3 IoCs
Malware often drops required files in the /tmp directory.

Processes:

description ioc

File opened for modification /tmp/.pids
File opened for modification /tmp/nip9iNeiph5chee
File opened for modification /tmp/[stea].pid

description	ioc
File opened for modification	/tmp/.pids
File opened for modification	/tmp/nip9iNeiph5chee
File opened for modification	/tmp/[stea].pid

/tmp/35943162dc45048aedc9abd9489f30c1
/tmp/35943162dc45048aedc9abd9489f30c1
1⤵
- Reads runtime system information
PID:1535

/bin/cat
cat /proc/version
2⤵
- Reads runtime system information
PID:1538

/bin/cat
cat /proc/cpuinfo
1⤵
- Checks CPU configuration
PID:1540

/bin/uname
uname -a
1⤵
PID:1542

/usr/bin/getconf
getconf LONG_BIT
1⤵
PID:1543

/tmp/35943162dc45048aedc9abd9489f30c1
"[stea]"
1⤵
- Reads runtime system information
PID:1544

/bin/cat
cat /proc/version
2⤵
- Reads runtime system information
PID:1547

/bin/cat
cat /proc/cpuinfo
1⤵
- Checks CPU configuration
PID:1549

/bin/uname
uname -a
1⤵
PID:1550

/usr/bin/getconf
getconf LONG_BIT
1⤵
PID:1551

/usr/bin/crontab
/usr/bin/crontab /tmp/nip9iNeiph5chee
1⤵
- Creates/modifies Cron job
PID:1566

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/.pids
Filesize
4B

MD5
f337d999d9ad116a7b4f3d409fcc6480

SHA1
a867de00c711504a6b5e881693b5c34e9f0599c5

SHA256
194af3b3d7b007443c26af23c035430b0afb9abebf8c89432884147fc41af759

SHA512
6bd97d4826f69e44ffb23fcaef7bc354c3f94270136b1ebdd9d94e5617843a4f5c7915da11f7e93ddbe6122c77c5f00e46a788fffed91c21b9b07310bdf626cd

Download Submit
/tmp/nip9iNeiph5chee
Filesize
66B

MD5
528c8c4acfd1e9cc43cb82f8cb3ec70a

SHA1
9ad45e1a2c184d6ecf83a9055c05a2fb92359f53

SHA256
e2dc93a71e527ecda054bdfeb6db434548f2f4623f12454c2d8074d76fd6c955

SHA512
2d630b11eceae953403eb7b419889345708572c2cb2d41312c5e81a68e9b73f4fe0514145317e52df29f93159b4120e1e8fc5bf920c618b8777faa3c672dc2c1

Download Submit
/var/spool/cron/crontabs/tmp.HhDbYO
Filesize
260B

MD5
25bdafba799d8412d2ef2e283e20d450

SHA1
13885a7339104e6ab78eccb203777175b0556a2a

SHA256
81161e81b587ecec47a90534d8649c46d02b6672009aa954081eeec540060ee1

SHA512
e153981841abb6186256c78bb8a0a370efed964eb01734b9be1d2adc80df62736dc053dc800a6b1899762a9eeefcf40af708effa0a281a3fc069388492c0dc7b

Download Submit