a673af17dc8d5767b44bc42574d7aefa399b0542428853beb6d0d9aefc2bab5e

Analysis

max time kernel
147s
max time network
154s
platform
debian-9_armhf
resource
debian9-armhf-20231215-en
resource tags

arch:armhfimage:debian9-armhf-20231215-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
20-12-2023 12:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b0479928916703b30f8c6e3aca4f8c5e
Size

7.1MB
MD5

b0479928916703b30f8c6e3aca4f8c5e
SHA1

2f9735e35042e0c142a2054b81794360525c9ba1
SHA256

a673af17dc8d5767b44bc42574d7aefa399b0542428853beb6d0d9aefc2bab5e
SHA512

6de577b16c1f988dea952d91a6ef1a2b72b43311a460e05d20aaeeb903acf9424525682f8ef8999dce4581b875654f7e883ea87d38100ba3f41116d040978019
SSDEEP

49152:72QqTRKbP/d0yi152aBr2w8cQrSWW1dqcDiOztKpYSM2jef/1diI1BWUlMX:72pTRC0p152a+nSQujztkM2OdiWoX

Score

6^/10

antivm persistence

Malware Config

Signatures

Checks CPU configuration 1 TTPs 2 IoCs
Checks CPU information which indicate if the system is a virtual machine.
antivm

Virtualization/Sandbox Evasion
T1497

Processes:

catcat

description ioc process

File opened for reading /proc/cpuinfo cat
File opened for reading /proc/cpuinfo cat
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
persistence

Scheduled Task/Job
T1053

Processes:

crontab

description ioc process

File opened for modification /var/spool/cron/crontabs/tmp.vpjWvx crontab

description	ioc	process
File opened for reading	/proc/cpuinfo	cat
File opened for reading	/proc/cpuinfo	cat

description	ioc	process
File opened for modification	/var/spool/cron/crontabs/tmp.vpjWvx	crontab

Reads runtime system information 5 IoCs

Reads data from /proc virtual filesystem.

Processes:

catb0479928916703b30f8c6e3aca4f8c5ecatcrontabb0479928916703b30f8c6e3aca4f8c5e

description	ioc	process
File opened for reading	/proc/version	cat
File opened for reading	/proc/sys/net/core/somaxconn	b0479928916703b30f8c6e3aca4f8c5e
File opened for reading	/proc/version	cat
File opened for reading	/proc/filesystems	crontab
File opened for reading	/proc/sys/net/core/somaxconn	b0479928916703b30f8c6e3aca4f8c5e

Writes file to tmp directory 3 IoCs
Malware often drops required files in the /tmp directory.

Processes:

description ioc

File opened for modification /tmp/.pid
File opened for modification /tmp/nip9iNeiph5chee
File opened for modification /tmp/[stealth].pid

description	ioc
File opened for modification	/tmp/.pid
File opened for modification	/tmp/nip9iNeiph5chee
File opened for modification	/tmp/[stealth].pid

/tmp/b0479928916703b30f8c6e3aca4f8c5e
/tmp/b0479928916703b30f8c6e3aca4f8c5e
1⤵
- Reads runtime system information
PID:679

/bin/cat
cat /proc/version
2⤵
- Reads runtime system information
PID:689

/bin/cat
cat /proc/cpuinfo
1⤵
- Checks CPU configuration
PID:692

/bin/uname
uname -a
1⤵
PID:694

/usr/bin/getconf
getconf LONG_BIT
1⤵
PID:696

/tmp/b0479928916703b30f8c6e3aca4f8c5e
"[stealth]"
1⤵
- Reads runtime system information
PID:697

/bin/cat
cat /proc/version
2⤵
- Reads runtime system information
PID:702

/bin/cat
cat /proc/cpuinfo
1⤵
- Checks CPU configuration
PID:704

/bin/uname
uname -a
1⤵
PID:706

/usr/bin/getconf
getconf LONG_BIT
1⤵
PID:707

/usr/bin/crontab
/usr/bin/crontab /tmp/nip9iNeiph5chee
1⤵
- Creates/modifies Cron job
- Reads runtime system information
PID:708

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/.pid
Filesize
3B

MD5
8a0e1141fd37fa5b98d5bb769ba1a7cc

SHA1
ff5ae4a7485c5c734d9e9cd8a8d875bf5ebddf60

SHA256
d6723fa996ced47773f2dea29cce9b11f951e6dafe321a84ac7d32791c3b4660

SHA512
d0eaefac8ff319a9d584366f08fe45247d86f09f070b4513ac3b02f82f33541e16b8fcc4b16b1a7a683cf5fc6d4422fb04653a0644a1f706f5183535d2885162

Download Submit
/tmp/nip9iNeiph5chee
Filesize
66B

MD5
6b1db2124156d2e16c067b4265b914af

SHA1
62b04abcc49d91fd6dd5d25048c0d85aefc6f55a

SHA256
8c6fb65821c3aa096b03404de47483ff7f490b91ed2af0b4772786a92e6f7ef5

SHA512
822a1bbae0729422ce64367faaaf6c8d2a60e91e405a1163b7a335b436926db002d8de7f66f8bc49dd390c40a4b0184b2ff563d222b52a07e8b95c80862a3c73

Download Submit
/var/spool/cron/crontabs/tmp.vpjWvx
Filesize
260B

MD5
0291dca49f4b3076b2c10841355a0ec6

SHA1
28622f2730ec54ef8ff98415af7f8e875fa9b610

SHA256
603d85022e873e2b45f43f398d9017cf35ba1c11cb612d7a00f1be184c9ef418

SHA512
55565dc1c43be4afd16a31762b2b407b77c22dc7d35a673ff0dc651db1edf05d8716c88a7e531ded99688edc5ce4e43569ba96b2f9ffcf87ca2e15f9713f9114

Download Submit