Analysis
max time kernel: 152s
max time network: 131s
platform: ubuntu-18.04_amd64
resource: ubuntu1804-amd64-20231215-en
resource tags: arch:amd64, arch:i386, image:ubuntu1804-amd64-20231215-en, kernel:4.15.0-213-generic, locale:en-us, os:ubuntu-18.04-amd64, system
submitted: 20-12-2023 12:00
Behavioral task: behavioral1
Sample: af7bee72c11cf18c92b171ff8494c652
Resource: ubuntu1804-amd64-20231215-en
General
Target: af7bee72c11cf18c92b171ff8494c652
Size: 8.2MB
MD5: af7bee72c11cf18c92b171ff8494c652
SHA1: e3316f59eb7de8a140b09a7a49d14e8a7ebfe0ac
SHA256: 106db86e650ecabf95158ff04e0cb22e89682d792e31490e33828a74cff53104
SHA512: 0f5c50f643c801186a71df6ff4114e666476c996f6211cd7f992e6116a1df8671d08c103468f5311b5be343f7ee8475b63ed0606d779b8413ff9ae2801c620a6
SSDEEP: 49152:SCrFnDAYlIawNxM2uC2pKK4dTk6S2K/DQx1NZ7a/1Tx0MvJbO+y2w24mmBggbHoh:tWxQwkz2KLS+/x5h4G6hLL7xBxtqOOX
Signatures

Checks CPU configuration (1 TTPs, 2 IoCs)
Checks CPU information which indicates whether the system is a virtual machine.
Processes:
  description              ioc            process
  File opened for reading  /proc/cpuinfo  cat
  File opened for reading  /proc/cpuinfo  cat

Creates/modifies Cron job (1 TTPs, 1 IoCs)
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
Processes:
  description                   ioc                                     process
  File opened for modification  /var/spool/cron/crontabs/tmp.Em53cL     crontab

Reads runtime system information (4 IoCs)
Reads data from the /proc virtual filesystem.
Processes:
  description              ioc                            process
  File opened for reading  /proc/sys/net/core/somaxconn   af7bee72c11cf18c92b171ff8494c652
  File opened for reading  /proc/version                  cat
  File opened for reading  /proc/sys/net/core/somaxconn   af7bee72c11cf18c92b171ff8494c652
  File opened for reading  /proc/version                  cat

Writes file to tmp directory (3 IoCs)
Malware often drops required files in the /tmp directory.
Processes:
  description                   ioc
  File opened for modification  /tmp/.pid
  File opened for modification  /tmp/nip9iNeiph5chee
  File opened for modification  /tmp/[stealth].pid
Processes
/tmp/af7bee72c11cf18c92b171ff8494c652  /tmp/af7bee72c11cf18c92b171ff8494c652  1
  - Reads runtime system information
/bin/cat  cat /proc/version  2
  - Reads runtime system information
/bin/cat  cat /proc/cpuinfo  1
  - Checks CPU configuration
/bin/uname  uname -a  1
/usr/bin/getconf  getconf LONG_BIT  1
/tmp/af7bee72c11cf18c92b171ff8494c652  "[stealth]"  1
  - Reads runtime system information
/bin/cat  cat /proc/version  2
  - Reads runtime system information
/bin/cat  cat /proc/cpuinfo  1
  - Checks CPU configuration
/bin/uname  uname -a  1
/usr/bin/getconf  getconf LONG_BIT  1
/usr/bin/crontab  /usr/bin/crontab /tmp/nip9iNeiph5chee  1
  - Creates/modifies Cron job
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

/tmp/.pid
  Filesize: 4B
  MD5: 351b33587c5fdd93bd42ef7ac9995a28
  SHA1: 440f13f2ffe7800ae87431f50edb70aa51e49fde
  SHA256: 51e6811411165c04f691eb5a38cf11a7316fdd776478b4fd222fd0107973c381
  SHA512: d4c03bb876b38c94d99a022f56ae99cfa0b0aebe95723c0851d5d989ef2eb6924962d0d332abcae2b9cba6fc86a0d57c11a13d2ae94df169718ba45f2ef90565

/var/spool/cron/crontabs/tmp.Em53cL
  Filesize: 260B
  MD5: e4d075480f8805144729dc7405a620dc
  SHA1: a85c083eb11111563fa13a8112be01855a73eb7c
  SHA256: 1b9bb129601508e81ad4f4dc105a3c3d6c1c3c791a2fb27259e449b09b1403e3
  SHA512: b6aab5e987472dcfe8489bb3fb3d829c1d0e03509aac0768c85979790a0597b2d0f62b7c18fa53ab88ec8189d1c312b4156924216493437f14e0fb821c171498