371b3358967e1bd9bb939dc619357b99707ff28b2c3238f91afcf8dcadc51ab3

Analysis

max time kernel
146s
max time network
156s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20231215-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20231215-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
20-12-2023 12:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b03f9f412d84aed845e392bd3f8786c8
Size

6.9MB
MD5

b03f9f412d84aed845e392bd3f8786c8
SHA1

1f6d2d6906bd804c61a174bbdd412bfabcd03d56
SHA256

371b3358967e1bd9bb939dc619357b99707ff28b2c3238f91afcf8dcadc51ab3
SHA512

2ca67aaf342e6f5138f1f0e5405f7b4889ef8a4c2b7eda46419b5cf4c5ea5df7da8fcf73de45d86b311f720583e039d57057e71d8209d52157b9aab05438720a
SSDEEP

98304:1baL6LZ8ybZeFAnTzPkV2MkFS9K5XIaPIX:R46LOieFeRSQ54U

Score

6^/10

antivm persistence

Malware Config

Signatures

Checks CPU configuration 1 TTPs 2 IoCs
Checks CPU information which indicate if the system is a virtual machine.
antivm

Virtualization/Sandbox Evasion
T1497

Processes:

catcat

description ioc process

File opened for reading /proc/cpuinfo cat
File opened for reading /proc/cpuinfo cat
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
persistence

Scheduled Task/Job
T1053

Processes:

crontab

description ioc process

File opened for modification /var/spool/cron/crontabs/tmp.3EeT8A crontab

description	ioc	process
File opened for reading	/proc/cpuinfo	cat
File opened for reading	/proc/cpuinfo	cat

description	ioc	process
File opened for modification	/var/spool/cron/crontabs/tmp.3EeT8A	crontab

Reads runtime system information 4 IoCs

Reads data from /proc virtual filesystem.

Processes:

catb03f9f412d84aed845e392bd3f8786c8catb03f9f412d84aed845e392bd3f8786c8

description	ioc	process
File opened for reading	/proc/version	cat
File opened for reading	/proc/sys/net/core/somaxconn	b03f9f412d84aed845e392bd3f8786c8
File opened for reading	/proc/version	cat
File opened for reading	/proc/sys/net/core/somaxconn	b03f9f412d84aed845e392bd3f8786c8

Writes file to tmp directory 3 IoCs

Malware often drops required files in the /tmp directory.

Processes:

b03f9f412d84aed845e392bd3f8786c8

description	ioc
File opened for modification	/tmp/nip9iNeiph5chee
File opened for modification	/tmp/[stealth].pid
File opened for modification	/tmp/.pid	b03f9f412d84aed845e392bd3f8786c8

/tmp/b03f9f412d84aed845e392bd3f8786c8
/tmp/b03f9f412d84aed845e392bd3f8786c8
1⤵
- Reads runtime system information
- Writes file to tmp directory
PID:1603

/bin/cat
cat /proc/version
2⤵
- Reads runtime system information
PID:1606

/bin/cat
cat /proc/cpuinfo
2⤵
- Checks CPU configuration
PID:1608

/bin/uname
uname -a
2⤵
PID:1610

/usr/bin/getconf
getconf LONG_BIT
2⤵
PID:1614

/tmp/b03f9f412d84aed845e392bd3f8786c8
"[stealth]"
2⤵
- Reads runtime system information
PID:1615

/bin/cat
cat /proc/version
3⤵
- Reads runtime system information
PID:1618

/bin/cat
cat /proc/cpuinfo
1⤵
- Checks CPU configuration
PID:1620

/bin/uname
uname -a
1⤵
PID:1621

/usr/bin/getconf
getconf LONG_BIT
1⤵
PID:1622

/usr/bin/crontab
/usr/bin/crontab /tmp/nip9iNeiph5chee
1⤵
- Creates/modifies Cron job
PID:1623

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/.pid
Filesize
4B

MD5
71a58e8cb75904f24cde464161c3e766

SHA1
d56081031c3ba10d08365e73aeb120b3e186291b

SHA256
f68a11527b819bdf3658377dab1ea309bb5c6eefe69bb751e4b59b277cc29a7d

SHA512
e463e680ac2e1b9539a7f1c8eae96748fb6f819e5bfb819ddec5079d6d6c24d69633dbf1052930114259a8144978940d2c1f29f746e1d993a77d0a2a79a80136

Download Submit
/tmp/nip9iNeiph5chee
Filesize
66B

MD5
6c41bb8148ee1da4c9a0aee9dd1bcf76

SHA1
248913e422a0e84e5602e98bd771aa6a79f1a325

SHA256
77732560e38931895d3f2ec276b3da95a040da4117ec2bcfb4854cd013e4b6c5

SHA512
14922659c33f5747d1366e220e34d8f8da12dcbd8968109e7758ea8920dbb794abafe02ab1e1c6bd11332c92b1834443349ca6e8b51cb913b84036c897cbce39

Download Submit
/var/spool/cron/crontabs/tmp.3EeT8A
Filesize
260B

MD5
d27822a451d9afc5f5905765a134676b

SHA1
3c46cceec52edd9820f2d6bb02ba89c79ec15fe2

SHA256
76efc4a2300084c101942725e1f18bd8f8f1fe07b66c053faccd619c8dcb72ce

SHA512
3d1c515b27f982fabe56575b0662b5d55f5ff7095bfb6f5b08ebdc02faa453fdbef504fa20000c931d0e018e067612f76bdcf123d85096b6145e3cf58702a0a4

Download Submit