Analysis
max time kernel: 144s
max time network: 154s
platform: ubuntu-18.04_amd64
resource: ubuntu1804-amd64-20231215-en
resource tags: arch:amd64, arch:i386, image:ubuntu1804-amd64-20231215-en, kernel:4.15.0-213-generic, locale:en-us, os:ubuntu-18.04-amd64, system
submitted: 20-12-2023 12:22
Behavioral task: behavioral1
Sample: b271ed4ba259d8d2ee39c19137e81dfa
Resource: ubuntu1804-amd64-20231215-en
General
Target: b271ed4ba259d8d2ee39c19137e81dfa
Size: 7.0MB
MD5: b271ed4ba259d8d2ee39c19137e81dfa
SHA1: b7068e69a09d3038dcf7db4ffd88bfd34b935cc2
SHA256: 7afab295aea22a7661d3f0916e0eae4ff162c8779e0b2eb72123b20399b8ad67
SHA512: f8193a6e23f0b21bcaf717cf1b35404365c75b815aca2ff0bd52cf1e8fe370fd614dd63fc9f330cdfd76da405457276f76b5973ef801cb47809ea4caf929e1fd
SSDEEP: 98304:1v4QhyO0ohoxG6lp9y9G8u7E/zF913IX:l5hyBoGO0oL7t
Malware Config
Signatures

Checks CPU configuration (1 TTP, 2 IoCs)
Checks CPU information which indicates whether the system is a virtual machine.
Processes (description | ioc | process):
File opened for reading | /proc/cpuinfo | cat
File opened for reading | /proc/cpuinfo | cat

Creates/modifies Cron job (1 TTP, 1 IoC)
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
Processes (description | ioc | process):
File opened for modification | /var/spool/cron/crontabs/tmp.A8AE8K | crontab

Reads runtime system information (4 IoCs)
Reads data from the /proc virtual filesystem.
Processes (description | ioc | process):
File opened for reading | /proc/sys/net/core/somaxconn | b271ed4ba259d8d2ee39c19137e81dfa
File opened for reading | /proc/version | cat
File opened for reading | /proc/sys/net/core/somaxconn | b271ed4ba259d8d2ee39c19137e81dfa
File opened for reading | /proc/version | cat

Writes file to tmp directory (3 IoCs)
Malware often drops required files in the /tmp directory.
Processes (description | ioc):
File opened for modification | /tmp/.pids
File opened for modification | /tmp/nip9iNeiph5chee
File opened for modification | /tmp/[stea].pid
Processes (path, command line, PID, triggered signatures; indented entries are children of the entry above)

/tmp/b271ed4ba259d8d2ee39c19137e81dfa | /tmp/b271ed4ba259d8d2ee39c19137e81dfa | PID 1537 | Reads runtime system information
    /bin/cat | cat /proc/version | PID 1540 | Reads runtime system information

/bin/cat | cat /proc/cpuinfo | PID 1542 | Checks CPU configuration

/bin/uname | uname -a | PID 1544

/usr/bin/getconf | getconf LONG_BIT | PID 1545

/tmp/b271ed4ba259d8d2ee39c19137e81dfa | "[stea]" | PID 1546 | Reads runtime system information
    /bin/cat | cat /proc/version | PID 1549 | Reads runtime system information

/bin/cat | cat /proc/cpuinfo | PID 1551 | Checks CPU configuration

/bin/uname | uname -a | PID 1552

/usr/bin/getconf | getconf LONG_BIT | PID 1553

/usr/bin/crontab | /usr/bin/crontab /tmp/nip9iNeiph5chee | PID 1554 | Creates/modifies Cron job
Network
MITRE ATT&CK Enterprise v15
Downloads (dropped files)

/tmp/.pids
Filesize: 4B
MD5: aff0a6a4521232970b2c1cf539ad0a19
SHA1: bcceeba1e77189d6a3938f29437de543a18024fb
SHA256: 495afe547befeedeef191264812945e2c199da63da0e8dfde79bee7dbecb210f
SHA512: 8938b57c391e57720fe6e2ad915e3e1252bbfd30e3c0d72e2c98f83723364da32ee8c7e71eef0d386bd14bf210568a32bda74a74748ff8338d794c8de2210656

/tmp/nip9iNeiph5chee
Filesize: 66B
MD5: 14a91cc64527a2146ba8c3ce5371be33
SHA1: 71c941921fcd2df17ee99d79ff057cbd98a4cfb1
SHA256: 93062fc4f6b6e2a6aee21bdf9678153c64465a545cf214a815a4960d48979e03
SHA512: fe47640b6a48bc506640d0fb75a6ea48d76675da19b7af0ba62cbe6019db8acf78fb757af5ef87733f9258fe8570cc30e81d6971f97ff8977f98544559c1afba

/var/spool/cron/crontabs/tmp.A8AE8K
Filesize: 260B
MD5: 8894b43399b8ffe27a06acd406fb559a
SHA1: 1055cf48454b431422e281faef1c23bc2e09c9fb
SHA256: f3fcb2f19913799dded7c1ac94bc722e02f36bb84b65a25bd0f549a3b386b4fb
SHA512: 5b83a360e9016d78ecd6aa787c6749625addeb91f0631769a19d7e8649fb9955be8e6e5df0d3c9381227327dfd48fec170f93e162e3ced9a40d26f897f32ae2e