Analysis
max time kernel: 150s
max time network: 160s
platform: ubuntu-18.04_amd64
resource: ubuntu1804-amd64-20231215-en
resource tags: arch:amd64, arch:i386, image:ubuntu1804-amd64-20231215-en, kernel:4.15.0-213-generic, locale:en-us, os:ubuntu-18.04-amd64, system
submitted: 20-12-2023 03:33
Behavioral task: behavioral1
Sample: 812f7436fbcae860de341ddf36caed73
Resource: ubuntu1804-amd64-20231215-en
General
Target: 812f7436fbcae860de341ddf36caed73
Size: 6.9MB
MD5: 812f7436fbcae860de341ddf36caed73
SHA1: 4d3181dca7723bb2e134128192767bde12766862
SHA256: 4aebff8c2df4b2f276f3fd85e9abaf9c68bfe7bb42bc8f0c33c794721c70902e
SHA512: 0d9a5525f3a69bc89448f5ba9debec16a6b13ad8564bb2bc6743c1205fe0257d15858a061769e9d81defa466f080dac952a9ced38e4d734f4008c395199e21ad
SSDEEP: 98304:XbqAyMjk9vhqo3UMK24CpIsKr/eMj2WIX:LLyMw7qo9m7jf1
Malware Config
Signatures

Checks CPU configuration (1 TTP, 2 IoCs)
Checks CPU information which indicates whether the system is a virtual machine.
Processes (description / ioc / process):
  File opened for reading / /proc/cpuinfo / cat
  File opened for reading / /proc/cpuinfo / cat

Creates/modifies Cron job (1 TTP, 1 IoC)
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
Processes (description / ioc / process):
  File opened for modification / /var/spool/cron/crontabs/tmp.iD1iBG / crontab

Reads runtime system information (4 IoCs)
Reads data from the /proc virtual filesystem.
Processes (description / ioc / process):
  File opened for reading / /proc/sys/net/core/somaxconn / 812f7436fbcae860de341ddf36caed73
  File opened for reading / /proc/version / cat
  File opened for reading / /proc/sys/net/core/somaxconn / 812f7436fbcae860de341ddf36caed73
  File opened for reading / /proc/version / cat

Writes file to tmp directory (3 IoCs)
Malware often drops required files in the /tmp directory.
Processes (description / ioc):
  File opened for modification / /tmp/.pid
  File opened for modification / /tmp/nip9iNeiph5chee
  File opened for modification / /tmp/[stealth].pid
Processes (path / command line; indented entries are child processes)

/tmp/812f7436fbcae860de341ddf36caed73 / /tmp/812f7436fbcae860de341ddf36caed73
  - Reads runtime system information
    /bin/cat / cat /proc/version
      - Reads runtime system information
    /bin/cat / cat /proc/cpuinfo
      - Checks CPU configuration

/bin/uname / uname -a

/usr/bin/getconf / getconf LONG_BIT

/tmp/812f7436fbcae860de341ddf36caed73 / "[stealth]"
  - Reads runtime system information
    /bin/cat / cat /proc/version
      - Reads runtime system information

/bin/cat / cat /proc/cpuinfo
  - Checks CPU configuration

/bin/uname / uname -a

/usr/bin/getconf / getconf LONG_BIT

/usr/bin/crontab / /usr/bin/crontab /tmp/nip9iNeiph5chee
  - Creates/modifies Cron job
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads (dropped files)

/tmp/.pid
Filesize: 4B
MD5: 35464c848f410e55a13bb9d78e7fddd0
SHA1: a575bcefdc7a11dec7302ce66652db242e7931ea
SHA256: 48f31b127dde9f650b07d6d68488d734ed95687cbcfb2d06867d21ad0997f438
SHA512: 1d0d7db8e07f74deab2c3b47c8bc683145a0a8ed486c65c19f0e43a62f283d69ff4ad586802d96b866ac836d0ff925b0e8de8e485c95473d044cec04edfede18

/tmp/nip9iNeiph5chee (no filesize reported; the hashes below are those of a zero-byte file)
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/var/spool/cron/crontabs/tmp.iD1iBG
Filesize: 260B
MD5: 3c6f86a8575fac00497dee31dbb2f046
SHA1: 732db9ba94bdea3fd1dd05dc7dca6651c6b70a49
SHA256: 34439d0325ad4112b1d69f1d5b3ca685eeffe811a8cc5eb970ccd1abf704d3fd
SHA512: 6abc0f46f1a0bea51e0528921273b340dc9f54a78cfbb2765d5facda81a755c813b82f6adbdc4b00b4cfce85be3e17ee5037cfa20014d66fc81e5468ac461212