Analysis
- max time kernel: 150s
- max time network: 158s
- platform: ubuntu-18.04_amd64
- resource: ubuntu1804-amd64-20231215-en
- resource tags: arch:amd64, arch:i386, image:ubuntu1804-amd64-20231215-en, kernel:4.15.0-213-generic, locale:en-us, os:ubuntu-18.04-amd64, system
- submitted: 20-12-2023 17:01
Behavioral task: behavioral1
- Sample: f06120e951ac7b534a04f8637ad65f82
- Resource: ubuntu1804-amd64-20231215-en
General
- Target: f06120e951ac7b534a04f8637ad65f82
- Size: 8.2MB
- MD5: f06120e951ac7b534a04f8637ad65f82
- SHA1: 85a030f4f3ebcfd100fcb687737adf50ac23f066
- SHA256: dd7192e39a1b9bc7f81041b1af58775f649c9746ea3dca2ce2acdf4cf79a76e8
- SHA512: c3c41fef917f50e47900420cde9bf79c5f8872e9bece902f0e9e5dd5eede3adcb8b8abab8ceae614a176ec0df3fec5fa9c2fc0427d9175db7d14f2ab3be90676
- SSDEEP: 49152:oiLFADAYRjNVSxL2uT+sl1Yot57L/7/FmHCPb9b/c1f77MzJ471ac1m4tazngbW5:aaxMutFL/BwabreC4z6hLF7RBxtqNOX
Malware Config
Signatures
- Checks CPU configuration (1 TTPs, 2 IoCs)
  Checks CPU information that indicates whether the system is a virtual machine.
  Processes: cat, cat
  IoCs:
  - File opened for reading: /proc/cpuinfo (process: cat)
  - File opened for reading: /proc/cpuinfo (process: cat)
- Creates/modifies Cron job (1 TTPs, 1 IoCs)
  Cron allows running tasks on a schedule, and is commonly used for malware persistence.
  Processes: crontab
  IoCs:
  - File opened for modification: /var/spool/cron/crontabs/tmp.zkQgfC (process: crontab)
- Reads runtime system information (4 IoCs)
  Reads data from the /proc virtual filesystem.
  Processes: f06120e951ac7b534a04f8637ad65f82, cat, f06120e951ac7b534a04f8637ad65f82, cat
  IoCs:
  - File opened for reading: /proc/sys/net/core/somaxconn (process: f06120e951ac7b534a04f8637ad65f82)
  - File opened for reading: /proc/version (process: cat)
  - File opened for reading: /proc/sys/net/core/somaxconn (process: f06120e951ac7b534a04f8637ad65f82)
  - File opened for reading: /proc/version (process: cat)
- Writes file to tmp directory (3 IoCs)
  Malware often drops required files in the /tmp directory.
  IoCs:
  - File opened for modification: /tmp/.pid
  - File opened for modification: /tmp/nip9iNeiph5chee
  - File opened for modification: /tmp/[stealth].pid
Processes
- /tmp/f06120e951ac7b534a04f8637ad65f82
  command line: /tmp/f06120e951ac7b534a04f8637ad65f82
  - Reads runtime system information
- /bin/cat
  command line: cat /proc/version
  - Reads runtime system information
- /bin/cat
  command line: cat /proc/cpuinfo
  - Checks CPU configuration
- /bin/uname
  command line: uname -a
- /usr/bin/getconf
  command line: getconf LONG_BIT
- /tmp/f06120e951ac7b534a04f8637ad65f82
  command line: "[stealth]"
  - Reads runtime system information
- /bin/cat
  command line: cat /proc/version
  - Reads runtime system information
- /bin/cat
  command line: cat /proc/cpuinfo
  - Checks CPU configuration
- /bin/uname
  command line: uname -a
- /usr/bin/getconf
  command line: getconf LONG_BIT
- /usr/bin/crontab
  command line: /usr/bin/crontab /tmp/nip9iNeiph5chee
  - Creates/modifies Cron job
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- /tmp/nip9iNeiph5chee
  Filesize: 66B
  MD5: d3555e257cd2b0a15b03df0f20397868
  SHA1: 2c420dc001a4f2f9533d5c63c98a25b1c025fcc1
  SHA256: 50214f751f8e625292cab8682fc1f3c4f43727992128df03c6a4008b67f54ebf
  SHA512: 2ec574773d9b06d1dbca19aba17432c6cd507ef1d72202012a1f93e0e522dc349c10b999b7a6589a017d3e688116d63cdee9e444968de99789df4344ca93b7c9
- /var/spool/cron/crontabs/tmp.zkQgfC
  Filesize: 260B
  MD5: 8408c9942246664f2b4b80242f7c2a2d
  SHA1: c7cdbe42aa0db506f91369710398ad50806ad096
  SHA256: b7eab2907ebb0d04c7db8eab37bc72129e12a08cac60b792aa9849fbc2679fe2
  SHA512: 889de8a6d0c892f936508dee4701a97348a2889326ad4bc0fc20dc71833f01640357b1874b402d8d3589ed2f6302555439ef674e634731758ae1b9f6ae633762