Analysis
- max time kernel: 147s
- max time network: 154s
- platform: debian-9_armhf
- resource: debian9-armhf-20231215-en
- resource tags: arch:armhf, image:debian9-armhf-20231215-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
- submitted: 20-12-2023 12:07
Behavioral task
- behavioral1
- Sample: b0479928916703b30f8c6e3aca4f8c5e
- Resource: debian9-armhf-20231215-en
General
- Target: b0479928916703b30f8c6e3aca4f8c5e
- Size: 7.1MB
- MD5: b0479928916703b30f8c6e3aca4f8c5e
- SHA1: 2f9735e35042e0c142a2054b81794360525c9ba1
- SHA256: a673af17dc8d5767b44bc42574d7aefa399b0542428853beb6d0d9aefc2bab5e
- SHA512: 6de577b16c1f988dea952d91a6ef1a2b72b43311a460e05d20aaeeb903acf9424525682f8ef8999dce4581b875654f7e883ea87d38100ba3f41116d040978019
- SSDEEP: 49152:72QqTRKbP/d0yi152aBr2w8cQrSWW1dqcDiOztKpYSM2jef/1diI1BWUlMX:72pTRC0p152a+nSQujztkM2OdiWoX
Malware Config
Signatures
- Checks CPU configuration (1 TTPs, 2 IoCs)
  Checks CPU information which indicates whether the system is a virtual machine.
  Processes:
    description                   ioc                                   process
    File opened for reading       /proc/cpuinfo                         cat
    File opened for reading       /proc/cpuinfo                         cat
- Creates/modifies Cron job (1 TTPs, 1 IoCs)
  Cron allows running tasks on a schedule, and is commonly used for malware persistence.
  Processes:
    description                   ioc                                   process
    File opened for modification  /var/spool/cron/crontabs/tmp.vpjWvx   crontab
- Reads runtime system information (5 IoCs)
  Reads data from the /proc virtual filesystem.
  Processes:
    description                   ioc                                   process
    File opened for reading       /proc/version                         cat
    File opened for reading       /proc/sys/net/core/somaxconn          b0479928916703b30f8c6e3aca4f8c5e
    File opened for reading       /proc/version                         cat
    File opened for reading       /proc/filesystems                     crontab
    File opened for reading       /proc/sys/net/core/somaxconn          b0479928916703b30f8c6e3aca4f8c5e
- Writes file to tmp directory (3 IoCs)
  Malware often drops required files in the /tmp directory.
  Processes:
    description                   ioc
    File opened for modification  /tmp/.pid
    File opened for modification  /tmp/nip9iNeiph5chee
    File opened for modification  /tmp/[stealth].pid
Processes
- /tmp/b0479928916703b30f8c6e3aca4f8c5e
  command: /tmp/b0479928916703b30f8c6e3aca4f8c5e (1)
  - Reads runtime system information
  - /bin/cat
    command: cat /proc/version (2)
    - Reads runtime system information
- /bin/cat
  command: cat /proc/cpuinfo (1)
  - Checks CPU configuration
- /bin/uname
  command: uname -a (1)
- /usr/bin/getconf
  command: getconf LONG_BIT (1)
- /tmp/b0479928916703b30f8c6e3aca4f8c5e
  command: "[stealth]" (1)
  - Reads runtime system information
  - /bin/cat
    command: cat /proc/version (2)
    - Reads runtime system information
- /bin/cat
  command: cat /proc/cpuinfo (1)
  - Checks CPU configuration
- /bin/uname
  command: uname -a (1)
- /usr/bin/getconf
  command: getconf LONG_BIT (1)
- /usr/bin/crontab
  command: /usr/bin/crontab /tmp/nip9iNeiph5chee (1)
  - Creates/modifies Cron job
  - Reads runtime system information
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- /tmp/.pid
  Filesize: 3B
  MD5: 8a0e1141fd37fa5b98d5bb769ba1a7cc
  SHA1: ff5ae4a7485c5c734d9e9cd8a8d875bf5ebddf60
  SHA256: d6723fa996ced47773f2dea29cce9b11f951e6dafe321a84ac7d32791c3b4660
  SHA512: d0eaefac8ff319a9d584366f08fe45247d86f09f070b4513ac3b02f82f33541e16b8fcc4b16b1a7a683cf5fc6d4422fb04653a0644a1f706f5183535d2885162
- /tmp/nip9iNeiph5chee
  Filesize: 66B
  MD5: 6b1db2124156d2e16c067b4265b914af
  SHA1: 62b04abcc49d91fd6dd5d25048c0d85aefc6f55a
  SHA256: 8c6fb65821c3aa096b03404de47483ff7f490b91ed2af0b4772786a92e6f7ef5
  SHA512: 822a1bbae0729422ce64367faaaf6c8d2a60e91e405a1163b7a335b436926db002d8de7f66f8bc49dd390c40a4b0184b2ff563d222b52a07e8b95c80862a3c73
- /var/spool/cron/crontabs/tmp.vpjWvx
  Filesize: 260B
  MD5: 0291dca49f4b3076b2c10841355a0ec6
  SHA1: 28622f2730ec54ef8ff98415af7f8e875fa9b610
  SHA256: 603d85022e873e2b45f43f398d9017cf35ba1c11cb612d7a00f1be184c9ef418
  SHA512: 55565dc1c43be4afd16a31762b2b407b77c22dc7d35a673ff0dc651db1edf05d8716c88a7e531ded99688edc5ce4e43569ba96b2f9ffcf87ca2e15f9713f9114