106db86e650ecabf95158ff04e0cb22e89682d792e31490e33828a74cff53104

Analysis

max time kernel
152s
max time network
131s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20231215-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20231215-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
20-12-2023 12:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

af7bee72c11cf18c92b171ff8494c652
Size

8.2MB
MD5

af7bee72c11cf18c92b171ff8494c652
SHA1

e3316f59eb7de8a140b09a7a49d14e8a7ebfe0ac
SHA256

106db86e650ecabf95158ff04e0cb22e89682d792e31490e33828a74cff53104
SHA512

0f5c50f643c801186a71df6ff4114e666476c996f6211cd7f992e6116a1df8671d08c103468f5311b5be343f7ee8475b63ed0606d779b8413ff9ae2801c620a6
SSDEEP

49152:SCrFnDAYlIawNxM2uC2pKK4dTk6S2K/DQx1NZ7a/1Tx0MvJbO+y2w24mmBggbHoh:tWxQwkz2KLS+/x5h4G6hLL7xBxtqOOX

Score

6^/10

antivm persistence

Malware Config

Signatures

Checks CPU configuration 1 TTPs 2 IoCs
Checks CPU information which indicate if the system is a virtual machine.
antivm

Virtualization/Sandbox Evasion
T1497

Processes:

catcat

description ioc process

File opened for reading /proc/cpuinfo cat
File opened for reading /proc/cpuinfo cat
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
persistence

Scheduled Task/Job
T1053

Processes:

crontab

description ioc process

File opened for modification /var/spool/cron/crontabs/tmp.Em53cL crontab

description	ioc	process
File opened for reading	/proc/cpuinfo	cat
File opened for reading	/proc/cpuinfo	cat

description	ioc	process
File opened for modification	/var/spool/cron/crontabs/tmp.Em53cL	crontab

Reads runtime system information 4 IoCs

Reads data from /proc virtual filesystem.

Processes:

af7bee72c11cf18c92b171ff8494c652cataf7bee72c11cf18c92b171ff8494c652cat

description	ioc	process
File opened for reading	/proc/sys/net/core/somaxconn	af7bee72c11cf18c92b171ff8494c652
File opened for reading	/proc/version	cat
File opened for reading	/proc/sys/net/core/somaxconn	af7bee72c11cf18c92b171ff8494c652
File opened for reading	/proc/version	cat

Writes file to tmp directory 3 IoCs
Malware often drops required files in the /tmp directory.

Processes:

description ioc

File opened for modification /tmp/.pid
File opened for modification /tmp/nip9iNeiph5chee
File opened for modification /tmp/[stealth].pid

description	ioc
File opened for modification	/tmp/.pid
File opened for modification	/tmp/nip9iNeiph5chee
File opened for modification	/tmp/[stealth].pid

/tmp/af7bee72c11cf18c92b171ff8494c652
/tmp/af7bee72c11cf18c92b171ff8494c652
1⤵
- Reads runtime system information
PID:1539

/bin/cat
cat /proc/version
2⤵
- Reads runtime system information
PID:1547

/bin/cat
cat /proc/cpuinfo
1⤵
- Checks CPU configuration
PID:1549

/bin/uname
uname -a
1⤵
PID:1550

/usr/bin/getconf
getconf LONG_BIT
1⤵
PID:1551

/tmp/af7bee72c11cf18c92b171ff8494c652
"[stealth]"
1⤵
- Reads runtime system information
PID:1552

/bin/cat
cat /proc/version
2⤵
- Reads runtime system information
PID:1556

/bin/cat
cat /proc/cpuinfo
1⤵
- Checks CPU configuration
PID:1557

/bin/uname
uname -a
1⤵
PID:1558

/usr/bin/getconf
getconf LONG_BIT
1⤵
PID:1559

/usr/bin/crontab
/usr/bin/crontab /tmp/nip9iNeiph5chee
1⤵
- Creates/modifies Cron job
PID:1561

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/.pid
Filesize
4B

MD5
351b33587c5fdd93bd42ef7ac9995a28

SHA1
440f13f2ffe7800ae87431f50edb70aa51e49fde

SHA256
51e6811411165c04f691eb5a38cf11a7316fdd776478b4fd222fd0107973c381

SHA512
d4c03bb876b38c94d99a022f56ae99cfa0b0aebe95723c0851d5d989ef2eb6924962d0d332abcae2b9cba6fc86a0d57c11a13d2ae94df169718ba45f2ef90565

Download Submit
/var/spool/cron/crontabs/tmp.Em53cL
Filesize
260B

MD5
e4d075480f8805144729dc7405a620dc

SHA1
a85c083eb11111563fa13a8112be01855a73eb7c

SHA256
1b9bb129601508e81ad4f4dc105a3c3d6c1c3c791a2fb27259e449b09b1403e3

SHA512
b6aab5e987472dcfe8489bb3fb3d829c1d0e03509aac0768c85979790a0597b2d0f62b7c18fa53ab88ec8189d1c312b4156924216493437f14e0fb821c171498

Download Submit