Analysis

  • max time kernel
    150s
  • max time network
    160s
  • platform
    ubuntu-18.04_amd64
  • resource
    ubuntu1804-amd64-20231215-en
  • resource tags

    arch:amd64
    arch:i386
    image:ubuntu1804-amd64-20231215-en
    kernel:4.15.0-213-generic
    locale:en-us
    os:ubuntu-18.04-amd64
    system
  • submitted
    20-12-2023 03:33

General

  • Target

    812f7436fbcae860de341ddf36caed73

  • Size

    6.9MB

  • MD5

    812f7436fbcae860de341ddf36caed73

  • SHA1

    4d3181dca7723bb2e134128192767bde12766862

  • SHA256

    4aebff8c2df4b2f276f3fd85e9abaf9c68bfe7bb42bc8f0c33c794721c70902e

  • SHA512

    0d9a5525f3a69bc89448f5ba9debec16a6b13ad8564bb2bc6743c1205fe0257d15858a061769e9d81defa466f080dac952a9ced38e4d734f4008c395199e21ad

  • SSDEEP

    98304:XbqAyMjk9vhqo3UMK24CpIsKr/eMj2WIX:LLyMw7qo9m7jf1

Score
6/10

Malware Config

Signatures

  • Checks CPU configuration 1 TTPs 2 IoCs

    Checks CPU information that indicates whether the system is a virtual machine.

  • Creates/modifies Cron job 1 TTPs 1 IoCs

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

  • Reads runtime system information 4 IoCs

    Reads data from /proc virtual filesystem.

  • Writes file to tmp directory 3 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/812f7436fbcae860de341ddf36caed73
    /tmp/812f7436fbcae860de341ddf36caed73
    1⤵
    • Reads runtime system information
    PID:1539
    • /bin/cat
      cat /proc/version
      2⤵
      • Reads runtime system information
      PID:1542
    • /bin/cat
      cat /proc/cpuinfo
      2⤵
      • Checks CPU configuration
      PID:1544
  • /bin/uname
    uname -a
    1⤵
    PID:1546
  • /usr/bin/getconf
    getconf LONG_BIT
    1⤵
    PID:1547
  • /tmp/812f7436fbcae860de341ddf36caed73
    "[stealth]"
    1⤵
    • Reads runtime system information
    PID:1548
    • /bin/cat
      cat /proc/version
      2⤵
      • Reads runtime system information
      PID:1554
  • /bin/cat
    cat /proc/cpuinfo
    1⤵
    • Checks CPU configuration
    PID:1555
  • /bin/uname
    uname -a
    1⤵
    PID:1556
  • /usr/bin/getconf
    getconf LONG_BIT
    1⤵
    PID:1557
  • /usr/bin/crontab
    /usr/bin/crontab /tmp/nip9iNeiph5chee
    1⤵
    • Creates/modifies Cron job
    PID:1559

Network

MITRE ATT&CK Matrix ATT&CK v13

  • Execution
    Scheduled Task/Job (1) T1053
  • Persistence
    Scheduled Task/Job (1) T1053
  • Privilege Escalation
    Scheduled Task/Job (1) T1053
  • Defense Evasion
    Virtualization/Sandbox Evasion (1) T1497
  • Discovery
    Virtualization/Sandbox Evasion (1) T1497

Downloads

  • /tmp/.pid
    Filesize
    4B
    MD5
    35464c848f410e55a13bb9d78e7fddd0
    SHA1
    a575bcefdc7a11dec7302ce66652db242e7931ea
    SHA256
    48f31b127dde9f650b07d6d68488d734ed95687cbcfb2d06867d21ad0997f438
    SHA512
    1d0d7db8e07f74deab2c3b47c8bc683145a0a8ed486c65c19f0e43a62f283d69ff4ad586802d96b866ac836d0ff925b0e8de8e485c95473d044cec04edfede18

  • /tmp/nip9iNeiph5chee
    MD5
    d41d8cd98f00b204e9800998ecf8427e
    SHA1
    da39a3ee5e6b4b0d3255bfef95601890afd80709
    SHA256
    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
    SHA512
    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • /var/spool/cron/crontabs/tmp.iD1iBG
    Filesize
    260B
    MD5
    3c6f86a8575fac00497dee31dbb2f046
    SHA1
    732db9ba94bdea3fd1dd05dc7dca6651c6b70a49
    SHA256
    34439d0325ad4112b1d69f1d5b3ca685eeffe811a8cc5eb970ccd1abf704d3fd
    SHA512
    6abc0f46f1a0bea51e0528921273b340dc9f54a78cfbb2765d5facda81a755c813b82f6adbdc4b00b4cfce85be3e17ee5037cfa20014d66fc81e5468ac461212