4aebff8c2df4b2f276f3fd85e9abaf9c68bfe7bb42bc8f0c33c794721c70902e

Analysis

max time kernel
150s
max time network
160s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20231215-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20231215-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
20-12-2023 03:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

812f7436fbcae860de341ddf36caed73
Size

6.9MB
MD5

812f7436fbcae860de341ddf36caed73
SHA1

4d3181dca7723bb2e134128192767bde12766862
SHA256

4aebff8c2df4b2f276f3fd85e9abaf9c68bfe7bb42bc8f0c33c794721c70902e
SHA512

0d9a5525f3a69bc89448f5ba9debec16a6b13ad8564bb2bc6743c1205fe0257d15858a061769e9d81defa466f080dac952a9ced38e4d734f4008c395199e21ad
SSDEEP

98304:XbqAyMjk9vhqo3UMK24CpIsKr/eMj2WIX:LLyMw7qo9m7jf1

Score

6^/10

antivm persistence

Malware Config

Signatures

Checks CPU configuration 1 TTPs 2 IoCs
Checks CPU information which indicate if the system is a virtual machine.
antivm

Virtualization/Sandbox Evasion
T1497

Processes:

catcat

description ioc process

File opened for reading /proc/cpuinfo cat
File opened for reading /proc/cpuinfo cat
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
persistence

Scheduled Task/Job
T1053

Processes:

crontab

description ioc process

File opened for modification /var/spool/cron/crontabs/tmp.iD1iBG crontab

description	ioc	process
File opened for reading	/proc/cpuinfo	cat
File opened for reading	/proc/cpuinfo	cat

description	ioc	process
File opened for modification	/var/spool/cron/crontabs/tmp.iD1iBG	crontab

Reads runtime system information 4 IoCs

Reads data from /proc virtual filesystem.

Processes:

812f7436fbcae860de341ddf36caed73cat812f7436fbcae860de341ddf36caed73cat

description	ioc	process
File opened for reading	/proc/sys/net/core/somaxconn	812f7436fbcae860de341ddf36caed73
File opened for reading	/proc/version	cat
File opened for reading	/proc/sys/net/core/somaxconn	812f7436fbcae860de341ddf36caed73
File opened for reading	/proc/version	cat

Writes file to tmp directory 3 IoCs
Malware often drops required files in the /tmp directory.

Processes:

description ioc

File opened for modification /tmp/.pid
File opened for modification /tmp/nip9iNeiph5chee
File opened for modification /tmp/[stealth].pid

description	ioc
File opened for modification	/tmp/.pid
File opened for modification	/tmp/nip9iNeiph5chee
File opened for modification	/tmp/[stealth].pid

/tmp/812f7436fbcae860de341ddf36caed73
/tmp/812f7436fbcae860de341ddf36caed73
1⤵
- Reads runtime system information
PID:1539

/bin/cat
cat /proc/version
2⤵
- Reads runtime system information
PID:1542

/bin/cat
cat /proc/cpuinfo
2⤵
- Checks CPU configuration
PID:1544

/bin/uname
uname -a
1⤵
PID:1546

/usr/bin/getconf
getconf LONG_BIT
1⤵
PID:1547

/tmp/812f7436fbcae860de341ddf36caed73
"[stealth]"
1⤵
- Reads runtime system information
PID:1548

/bin/cat
cat /proc/version
2⤵
- Reads runtime system information
PID:1554

/bin/cat
cat /proc/cpuinfo
1⤵
- Checks CPU configuration
PID:1555

/bin/uname
uname -a
1⤵
PID:1556

/usr/bin/getconf
getconf LONG_BIT
1⤵
PID:1557

/usr/bin/crontab
/usr/bin/crontab /tmp/nip9iNeiph5chee
1⤵
- Creates/modifies Cron job
PID:1559

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/.pid
Filesize
4B

MD5
35464c848f410e55a13bb9d78e7fddd0

SHA1
a575bcefdc7a11dec7302ce66652db242e7931ea

SHA256
48f31b127dde9f650b07d6d68488d734ed95687cbcfb2d06867d21ad0997f438

SHA512
1d0d7db8e07f74deab2c3b47c8bc683145a0a8ed486c65c19f0e43a62f283d69ff4ad586802d96b866ac836d0ff925b0e8de8e485c95473d044cec04edfede18

Download Submit
/tmp/nip9iNeiph5chee
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/var/spool/cron/crontabs/tmp.iD1iBG
Filesize
260B

MD5
3c6f86a8575fac00497dee31dbb2f046

SHA1
732db9ba94bdea3fd1dd05dc7dca6651c6b70a49

SHA256
34439d0325ad4112b1d69f1d5b3ca685eeffe811a8cc5eb970ccd1abf704d3fd

SHA512
6abc0f46f1a0bea51e0528921273b340dc9f54a78cfbb2765d5facda81a755c813b82f6adbdc4b00b4cfce85be3e17ee5037cfa20014d66fc81e5468ac461212

Download Submit