f2b23838546f8a6aa59546939f3d96c049015c1924efcdcc3cec19e772568342

Analysis

max time kernel
153s
max time network
158s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20231215-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20231215-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
20-12-2023 17:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fa60e0718cb40848d292bfc36b559dd3
Size

7.0MB
MD5

fa60e0718cb40848d292bfc36b559dd3
SHA1

9f2bc0fb16c07deb196a6f463ec8664926d0d3f4
SHA256

f2b23838546f8a6aa59546939f3d96c049015c1924efcdcc3cec19e772568342
SHA512

ba3fef499e17c396eba043b2d4e8af1b83db122e5cfacadd95bea68e0b2855dc09450b5a65744d0759400979b7dce2c3b86475bef6827fd63c12bddfd3f00075
SSDEEP

98304:K4qmZmgSoh0iDxpRqVlaCMzieYCXfhxIX:1hZml0Dx3e2ipCXZx

Score

6^/10

antivm persistence

Malware Config

Signatures

Checks CPU configuration 1 TTPs 2 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
File opened for reading	/proc/cpuinfo	cat
File opened for reading	/proc/cpuinfo	cat

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

persistence

Scheduled Task/Job

T1053

description	ioc	Process
File opened for modification	/var/spool/cron/crontabs/tmp.B1LChM	crontab

Reads runtime system information 4 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/version	cat
File opened for reading	/proc/sys/net/core/somaxconn	fa60e0718cb40848d292bfc36b559dd3
File opened for reading	/proc/version	cat
File opened for reading	/proc/sys/net/core/somaxconn	fa60e0718cb40848d292bfc36b559dd3

Writes file to tmp directory 3 IoCs

Malware often drops required files in the /tmp directory.

description	ioc
File opened for modification	/tmp/.pid
File opened for modification	/tmp/nip9iNeiph5chee
File opened for modification	/tmp/[stealth].pid

/tmp/fa60e0718cb40848d292bfc36b559dd3
/tmp/fa60e0718cb40848d292bfc36b559dd3
1⤵
- Reads runtime system information
PID:1538
- /bin/cat
  cat /proc/version
  2⤵
  - Reads runtime system information
  PID:1543

/bin/cat
cat /proc/cpuinfo
1⤵
- Checks CPU configuration
PID:1545

/bin/uname
uname -a
1⤵
PID:1546

/usr/bin/getconf
getconf LONG_BIT
1⤵
PID:1548

/tmp/fa60e0718cb40848d292bfc36b559dd3
"[stealth]"
1⤵
- Reads runtime system information
PID:1549
- /bin/cat
  cat /proc/version
  2⤵
  - Reads runtime system information
  PID:1555

/bin/cat
cat /proc/cpuinfo
1⤵
- Checks CPU configuration
PID:1556

/bin/uname
uname -a
1⤵
PID:1557

/usr/bin/getconf
getconf LONG_BIT
1⤵
PID:1558

/usr/bin/crontab
/usr/bin/crontab /tmp/nip9iNeiph5chee
1⤵
- Creates/modifies Cron job
PID:1560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/.pid

Filesize
4B

MD5
c88d8d0a6097754525e02c2246d8d27f

SHA1
41e842e76e8ea73f910aac95ea1ac9f0707643b2

SHA256
75abf1771c0d9038e45203aa603758410f2418fd29b3fe0c25534009c579bb8e

SHA512
1d6570970732ea371630b3616c00b9d65ff964eb564ac6858c4991e4d85fadc1082669fc0fd28af501cf6d08d9a253d46c1487abbbadce26c8d4934f26949f6b

Download Submit
/tmp/nip9iNeiph5chee

Filesize
66B

MD5
e00f53a116652536a83ffba7ca3c6605

SHA1
6a94ff5ced23325ba81d188a78cbffdc51ed21bc

SHA256
06d67f3a80f25421586e2e64b7283ad1e6fe7b86a99fd8d424137ef9a46a90eb

SHA512
450b48240efa39df7cd44bb4299ff14faec7f3f0a12176738ef03b3cdaca3cf759a3524f6f972780a078a4d17088cdf8079bb9e66f67c1ae5ba908864b4de41d

Download Submit
/var/spool/cron/crontabs/tmp.B1LChM

Filesize
260B

MD5
767eb45e8ee693e421988fe32b24af29

SHA1
c66c9192fe063b3330e476854b1217743f7231f4

SHA256
32c152c906b5155421d2bcaaeaf5775ad7a4f32497a9977acff103adf603842d

SHA512
dd9b9b9ec1c9289afe3362bcf3b8ce003e65bdfe7691f908ded462e851fc1d4094b81df319aaa9f8289fce3e8e4393adb5d0e211c527209313b52e13d6aae3c9

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads