cd3989830da99a69380901769fd78902efb3cd8ba5c9390e94bd4333b7fad186

Analysis

max time kernel
152s
max time network
132s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20231215-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20231215-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
20-12-2023 17:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f8add7e7161460ea2b1970cf4ca535bf
Size

7.0MB
MD5

f8add7e7161460ea2b1970cf4ca535bf
SHA1

f383f4b6cb6778f05baf9713ce6661329da3ecd5
SHA256

cd3989830da99a69380901769fd78902efb3cd8ba5c9390e94bd4333b7fad186
SHA512

90d73c1eb79a55e25acf9c6ddc4620dfba8b7cdc09e93f53a3218e7b85e1b53df5d1fe9c979af48b7218709848ce63fdc7f927d72f93afd805cc3f4fe79d04c7
SSDEEP

98304:wuNe6mfQBtMdq+Khq+wfpL+Gd+r2R/i75LBJL7IX:dE6mYcdqhR7jJX

Score

6^/10

antivm persistence

Malware Config

Signatures

Checks CPU configuration 1 TTPs 2 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
File opened for reading	/proc/cpuinfo	cat
File opened for reading	/proc/cpuinfo	cat

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

persistence

Scheduled Task/Job

T1053

description	ioc	Process
File opened for modification	/var/spool/cron/crontabs/tmp.Dontsw	crontab

Reads runtime system information 4 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/sys/net/core/somaxconn	f8add7e7161460ea2b1970cf4ca535bf
File opened for reading	/proc/version	cat
File opened for reading	/proc/sys/net/core/somaxconn	f8add7e7161460ea2b1970cf4ca535bf
File opened for reading	/proc/version	cat

Writes file to tmp directory 3 IoCs

Malware often drops required files in the /tmp directory.

description	ioc
File opened for modification	/tmp/[stealth].pid
File opened for modification	/tmp/.pid
File opened for modification	/tmp/nip9iNeiph5chee

/tmp/f8add7e7161460ea2b1970cf4ca535bf
/tmp/f8add7e7161460ea2b1970cf4ca535bf
1⤵
- Reads runtime system information
PID:1543

/bin/cat
cat /proc/version
1⤵
- Reads runtime system information
PID:1547

/bin/cat
cat /proc/cpuinfo
1⤵
- Checks CPU configuration
PID:1548

/bin/uname
uname -a
1⤵
PID:1550

/usr/bin/getconf
getconf LONG_BIT
1⤵
PID:1551

/tmp/f8add7e7161460ea2b1970cf4ca535bf
"[stealth]"
1⤵
- Reads runtime system information
PID:1552
- /bin/cat
  cat /proc/version
  2⤵
  - Reads runtime system information
  PID:1558

/bin/cat
cat /proc/cpuinfo
1⤵
- Checks CPU configuration
PID:1559

/bin/uname
uname -a
1⤵
PID:1560

/usr/bin/getconf
getconf LONG_BIT
1⤵
PID:1561

/usr/bin/crontab
/usr/bin/crontab /tmp/nip9iNeiph5chee
1⤵
- Creates/modifies Cron job
PID:1562

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/.pid

Filesize
4B

MD5
351b33587c5fdd93bd42ef7ac9995a28

SHA1
440f13f2ffe7800ae87431f50edb70aa51e49fde

SHA256
51e6811411165c04f691eb5a38cf11a7316fdd776478b4fd222fd0107973c381

SHA512
d4c03bb876b38c94d99a022f56ae99cfa0b0aebe95723c0851d5d989ef2eb6924962d0d332abcae2b9cba6fc86a0d57c11a13d2ae94df169718ba45f2ef90565

Download Submit
/tmp/nip9iNeiph5chee

Filesize
66B

MD5
df01e114411f89be8b7d381cb37d373a

SHA1
02df9881d6e3aef926fa1cc5e4150a93ba2443a1

SHA256
2d38a8141cfb07a56a22425e7c44b71de59c09982e119fe9577c17e68d0cd044

SHA512
d4bbe2f9489c5d7ce5e429be5aa1e86f2f754206b5966ad05e87381ec352d5815190a65d79cf8ee6fe1363bb8f3d0e896d7c911832ef1d7b53d61539f942bbd0

Download Submit
/var/spool/cron/crontabs/tmp.Dontsw

Filesize
260B

MD5
a1eed0698084e2096f7de2a8895ee7f8

SHA1
c5de05829a148b7bbdc90ba1534a7034705ab08c

SHA256
fbd2efc872d109ca4e73fd6cd710ff55dff6fe8f4b448d5ec60f34d9078f2016

SHA512
f84d500691107d8981836556de4fcd97cbb4b0d7f6efd1906acfdf5bb3398d1e88ceca6ab236a1071bb9d942b3ec5e821a0faa67001ba4e402505f8d79cd4646

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads