Analysis
- max time kernel: 146s
- max time network: 156s
- platform: ubuntu-18.04_amd64
- resource: ubuntu1804-amd64-20231215-en
- resource tags: arch:amd64, arch:i386, image:ubuntu1804-amd64-20231215-en, kernel:4.15.0-213-generic, locale:en-us, os:ubuntu-18.04-amd64, system
- submitted: 20-12-2023 12:06
Behavioral task: behavioral1
- Sample: b03f9f412d84aed845e392bd3f8786c8
- Resource: ubuntu1804-amd64-20231215-en
General
- Target: b03f9f412d84aed845e392bd3f8786c8
- Size: 6.9MB
- MD5: b03f9f412d84aed845e392bd3f8786c8
- SHA1: 1f6d2d6906bd804c61a174bbdd412bfabcd03d56
- SHA256: 371b3358967e1bd9bb939dc619357b99707ff28b2c3238f91afcf8dcadc51ab3
- SHA512: 2ca67aaf342e6f5138f1f0e5405f7b4889ef8a4c2b7eda46419b5cf4c5ea5df7da8fcf73de45d86b311f720583e039d57057e71d8209d52157b9aab05438720a
- SSDEEP: 98304:1baL6LZ8ybZeFAnTzPkV2MkFS9K5XIaPIX:R46LOieFeRSQ54U
Malware Config
Signatures
- Checks CPU configuration (1 TTPs, 2 IoCs)
  Checks CPU information which indicates whether the system is a virtual machine.
  Processes (description | ioc | process):
    File opened for reading | /proc/cpuinfo | cat
    File opened for reading | /proc/cpuinfo | cat
- Creates/modifies Cron job (1 TTPs, 1 IoCs)
  Cron allows running tasks on a schedule, and is commonly used for malware persistence.
  Processes (description | ioc | process):
    File opened for modification | /var/spool/cron/crontabs/tmp.3EeT8A | crontab
- Reads runtime system information (4 IoCs)
  Reads data from the /proc virtual filesystem.
  Processes (description | ioc | process):
    File opened for reading | /proc/version | cat
    File opened for reading | /proc/sys/net/core/somaxconn | b03f9f412d84aed845e392bd3f8786c8
    File opened for reading | /proc/version | cat
    File opened for reading | /proc/sys/net/core/somaxconn | b03f9f412d84aed845e392bd3f8786c8
- Writes file to tmp directory (3 IoCs)
  Malware often drops required files in the /tmp directory.
  Processes (description | ioc | process):
    File opened for modification | /tmp/nip9iNeiph5chee | b03f9f412d84aed845e392bd3f8786c8
    File opened for modification | /tmp/[stealth].pid | b03f9f412d84aed845e392bd3f8786c8
    File opened for modification | /tmp/.pid | b03f9f412d84aed845e392bd3f8786c8
Processes (indented by process-tree depth)
- /tmp/b03f9f412d84aed845e392bd3f8786c8 (PID 1603), command line: /tmp/b03f9f412d84aed845e392bd3f8786c8
    signatures: Reads runtime system information; Writes file to tmp directory
    - /bin/cat (PID 1606), command line: cat /proc/version
        signatures: Reads runtime system information
    - /bin/cat (PID 1608), command line: cat /proc/cpuinfo
        signatures: Checks CPU configuration
    - /bin/uname (PID 1610), command line: uname -a
    - /usr/bin/getconf (PID 1614), command line: getconf LONG_BIT
    - /tmp/b03f9f412d84aed845e392bd3f8786c8 (PID 1615), command line: "[stealth]"
        signatures: Reads runtime system information
        - /bin/cat (PID 1618), command line: cat /proc/version
            signatures: Reads runtime system information
- /bin/cat (PID 1620), command line: cat /proc/cpuinfo
    signatures: Checks CPU configuration
- /bin/uname (PID 1621), command line: uname -a
- /usr/bin/getconf (PID 1622), command line: getconf LONG_BIT
- /usr/bin/crontab (PID 1623), command line: /usr/bin/crontab /tmp/nip9iNeiph5chee
    signatures: Creates/modifies Cron job
Network
MITRE ATT&CK Enterprise v15
Downloads
- /tmp/.pid
  Filesize: 4B
  MD5: 71a58e8cb75904f24cde464161c3e766
  SHA1: d56081031c3ba10d08365e73aeb120b3e186291b
  SHA256: f68a11527b819bdf3658377dab1ea309bb5c6eefe69bb751e4b59b277cc29a7d
  SHA512: e463e680ac2e1b9539a7f1c8eae96748fb6f819e5bfb819ddec5079d6d6c24d69633dbf1052930114259a8144978940d2c1f29f746e1d993a77d0a2a79a80136
- /tmp/nip9iNeiph5chee
  Filesize: 66B
  MD5: 6c41bb8148ee1da4c9a0aee9dd1bcf76
  SHA1: 248913e422a0e84e5602e98bd771aa6a79f1a325
  SHA256: 77732560e38931895d3f2ec276b3da95a040da4117ec2bcfb4854cd013e4b6c5
  SHA512: 14922659c33f5747d1366e220e34d8f8da12dcbd8968109e7758ea8920dbb794abafe02ab1e1c6bd11332c92b1834443349ca6e8b51cb913b84036c897cbce39
- /var/spool/cron/crontabs/tmp.3EeT8A
  Filesize: 260B
  MD5: d27822a451d9afc5f5905765a134676b
  SHA1: 3c46cceec52edd9820f2d6bb02ba89c79ec15fe2
  SHA256: 76efc4a2300084c101942725e1f18bd8f8f1fe07b66c053faccd619c8dcb72ce
  SHA512: 3d1c515b27f982fabe56575b0662b5d55f5ff7095bfb6f5b08ebdc02faa453fdbef504fa20000c931d0e018e067612f76bdcf123d85096b6145e3cf58702a0a4