886cd26fa4660884d84c43109c8ef94050d46bea1cf86b74b9783a2910882544

Analysis

max time kernel
147s
max time network
162s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20231215-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20231215-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
19-12-2023 23:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6331e67f7b65d3b9c5b73d0b2adbc8a5
Size

7.0MB
MD5

6331e67f7b65d3b9c5b73d0b2adbc8a5
SHA1

14886a4f5bdf7bd20f4bb1bcd20c7383d5040f46
SHA256

886cd26fa4660884d84c43109c8ef94050d46bea1cf86b74b9783a2910882544
SHA512

e3893ca72095b487d8c8b3267b834d6c7e22847a1a26c0d4f081998d987bbd83a9bab7d2245fc6fbf8aa960819456493bbb1c53ec4a9ab64b8f8642dbc83e039
SSDEEP

49152:ylSH1/kSHac5itA5XKLjrI66LkBePELYHYrfkBJ8Gdd6FoxVGlEten5WED+GBi6P:GWRHX5iPrJOaHYTBmGdW5WSFlhxaIX

Score

6^/10

antivm persistence

Malware Config

Signatures

Checks CPU configuration 1 TTPs 2 IoCs
Checks CPU information which indicate if the system is a virtual machine.
antivm

Virtualization/Sandbox Evasion
T1497

Processes:

catcat

description ioc process

File opened for reading /proc/cpuinfo cat
File opened for reading /proc/cpuinfo cat
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
persistence

Scheduled Task/Job
T1053

Processes:

crontab

description ioc process

File opened for modification /var/spool/cron/crontabs/tmp.PNHuDO crontab

description	ioc	process
File opened for reading	/proc/cpuinfo	cat
File opened for reading	/proc/cpuinfo	cat

description	ioc	process
File opened for modification	/var/spool/cron/crontabs/tmp.PNHuDO	crontab

Reads runtime system information 4 IoCs

Reads data from /proc virtual filesystem.

Processes:

6331e67f7b65d3b9c5b73d0b2adbc8a5cat6331e67f7b65d3b9c5b73d0b2adbc8a5cat

description	ioc	process
File opened for reading	/proc/sys/net/core/somaxconn	6331e67f7b65d3b9c5b73d0b2adbc8a5
File opened for reading	/proc/version	cat
File opened for reading	/proc/sys/net/core/somaxconn	6331e67f7b65d3b9c5b73d0b2adbc8a5
File opened for reading	/proc/version	cat

Writes file to tmp directory 3 IoCs
Malware often drops required files in the /tmp directory.

Processes:

description ioc

File opened for modification /tmp/.pids
File opened for modification /tmp/nip9iNeiph5chee
File opened for modification /tmp/[steal].pid

description	ioc
File opened for modification	/tmp/.pids
File opened for modification	/tmp/nip9iNeiph5chee
File opened for modification	/tmp/[steal].pid

/tmp/6331e67f7b65d3b9c5b73d0b2adbc8a5
/tmp/6331e67f7b65d3b9c5b73d0b2adbc8a5
1⤵
- Reads runtime system information
PID:1533
- /bin/cat
  cat /proc/version
  2⤵
  - Reads runtime system information
  PID:1539

/bin/cat
cat /proc/cpuinfo
1⤵
- Checks CPU configuration
PID:1541

/bin/uname
uname -a
1⤵
PID:1543

/usr/bin/getconf
getconf LONG_BIT
1⤵
PID:1544

/tmp/6331e67f7b65d3b9c5b73d0b2adbc8a5
"[steal]"
1⤵
- Reads runtime system information
PID:1545
- /bin/cat
  cat /proc/version
  2⤵
  - Reads runtime system information
  PID:1551

/bin/cat
cat /proc/cpuinfo
1⤵
- Checks CPU configuration
PID:1553

/bin/uname
uname -a
1⤵
PID:1554

/usr/bin/getconf
getconf LONG_BIT
1⤵
PID:1555

/usr/bin/crontab
/usr/bin/crontab /tmp/nip9iNeiph5chee
1⤵
- Creates/modifies Cron job
PID:1557

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/.pids

Filesize
4B

MD5
89ae0fe22c47d374bc9350ef99e01685

SHA1
fc27fbae8511b00b820da34fd107d27b11a72855

SHA256
8b1fbeee2ea27bf5b180d2c10372ad571a5233b0ba34f272a7bda75f93cbcb84

SHA512
f1f8813569296ef5c373abcd5e901772d4ee10e196865acdb8231ab73f564257fc76057ba71d42c77ca195a6a70d2c24007b4e006387beccc2b1543faf6f9ca4

Download Submit
/tmp/nip9iNeiph5chee

Filesize
66B

MD5
355743cbd3bac6befd460ffcb3d2d8ce

SHA1
5dfc8c624c55f2c62c116bd9170385beb74ba88c

SHA256
111984bc7fefa64a7ee2d79096ffe13bf248a9f7c406c59fd28f60d5f668f8f3

SHA512
ca215c375343a4e4baf411e16104b9e1974b2e356928d2f782618c9c127f3c8919794f18b10b5e7d61fcf97ef85775676f94179f7a3ec87792c39f0cf370d735

Download Submit
/var/spool/cron/crontabs/tmp.PNHuDO

Filesize
260B

MD5
8b85c7daa57c83dc95ac0e0b46e883d4

SHA1
6f350500c26159deb048db4c0c062b2fcca5fc1d

SHA256
098fec03c78c11ee6a98235f97dd959d5b8d616dff3cd98fd28e839b66f96352

SHA512
7159461425f3c95b5590e0447abfc09d38e63a58934cf99e990d2390b90ce8189b743868f091d048db9eb5c45ca0dcf0f6248e4e34b8b42299d2be8dfd9aac02

Download Submit