dd7192e39a1b9bc7f81041b1af58775f649c9746ea3dca2ce2acdf4cf79a76e8

Analysis

max time kernel
150s
max time network
158s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20231215-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20231215-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
20-12-2023 17:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f06120e951ac7b534a04f8637ad65f82
Size

8.2MB
MD5

f06120e951ac7b534a04f8637ad65f82
SHA1

85a030f4f3ebcfd100fcb687737adf50ac23f066
SHA256

dd7192e39a1b9bc7f81041b1af58775f649c9746ea3dca2ce2acdf4cf79a76e8
SHA512

c3c41fef917f50e47900420cde9bf79c5f8872e9bece902f0e9e5dd5eede3adcb8b8abab8ceae614a176ec0df3fec5fa9c2fc0427d9175db7d14f2ab3be90676
SSDEEP

49152:oiLFADAYRjNVSxL2uT+sl1Yot57L/7/FmHCPb9b/c1f77MzJ471ac1m4tazngbW5:aaxMutFL/BwabreC4z6hLF7RBxtqNOX

Score

6^/10

antivm persistence

Malware Config

Signatures

Checks CPU configuration 1 TTPs 2 IoCs
Checks CPU information which indicate if the system is a virtual machine.
antivm

Virtualization/Sandbox Evasion
T1497

Processes:

catcat

description ioc process

File opened for reading /proc/cpuinfo cat
File opened for reading /proc/cpuinfo cat
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
persistence

Scheduled Task/Job
T1053

Processes:

crontab

description ioc process

File opened for modification /var/spool/cron/crontabs/tmp.zkQgfC crontab

description	ioc	process
File opened for reading	/proc/cpuinfo	cat
File opened for reading	/proc/cpuinfo	cat

description	ioc	process
File opened for modification	/var/spool/cron/crontabs/tmp.zkQgfC	crontab

Reads runtime system information 4 IoCs

Reads data from /proc virtual filesystem.

Processes:

f06120e951ac7b534a04f8637ad65f82catf06120e951ac7b534a04f8637ad65f82cat

description	ioc	process
File opened for reading	/proc/sys/net/core/somaxconn	f06120e951ac7b534a04f8637ad65f82
File opened for reading	/proc/version	cat
File opened for reading	/proc/sys/net/core/somaxconn	f06120e951ac7b534a04f8637ad65f82
File opened for reading	/proc/version	cat

Writes file to tmp directory 3 IoCs
Malware often drops required files in the /tmp directory.

Processes:

description ioc

File opened for modification /tmp/.pid
File opened for modification /tmp/nip9iNeiph5chee
File opened for modification /tmp/[stealth].pid

description	ioc
File opened for modification	/tmp/.pid
File opened for modification	/tmp/nip9iNeiph5chee
File opened for modification	/tmp/[stealth].pid

/tmp/f06120e951ac7b534a04f8637ad65f82
/tmp/f06120e951ac7b534a04f8637ad65f82
1⤵
- Reads runtime system information
PID:1539

/bin/cat
cat /proc/version
1⤵
- Reads runtime system information
PID:1547

/bin/cat
cat /proc/cpuinfo
1⤵
- Checks CPU configuration
PID:1548

/bin/uname
uname -a
1⤵
PID:1549

/usr/bin/getconf
getconf LONG_BIT
1⤵
PID:1550

/tmp/f06120e951ac7b534a04f8637ad65f82
"[stealth]"
1⤵
- Reads runtime system information
PID:1551

/bin/cat
cat /proc/version
2⤵
- Reads runtime system information
PID:1555

/bin/cat
cat /proc/cpuinfo
1⤵
- Checks CPU configuration
PID:1557

/bin/uname
uname -a
1⤵
PID:1558

/usr/bin/getconf
getconf LONG_BIT
1⤵
PID:1559

/usr/bin/crontab
/usr/bin/crontab /tmp/nip9iNeiph5chee
1⤵
- Creates/modifies Cron job
PID:1560

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/nip9iNeiph5chee
Filesize
66B

MD5
d3555e257cd2b0a15b03df0f20397868

SHA1
2c420dc001a4f2f9533d5c63c98a25b1c025fcc1

SHA256
50214f751f8e625292cab8682fc1f3c4f43727992128df03c6a4008b67f54ebf

SHA512
2ec574773d9b06d1dbca19aba17432c6cd507ef1d72202012a1f93e0e522dc349c10b999b7a6589a017d3e688116d63cdee9e444968de99789df4344ca93b7c9

Download Submit
/var/spool/cron/crontabs/tmp.zkQgfC
Filesize
260B

MD5
8408c9942246664f2b4b80242f7c2a2d

SHA1
c7cdbe42aa0db506f91369710398ad50806ad096

SHA256
b7eab2907ebb0d04c7db8eab37bc72129e12a08cac60b792aa9849fbc2679fe2

SHA512
889de8a6d0c892f936508dee4701a97348a2889326ad4bc0fc20dc71833f01640357b1874b402d8d3589ed2f6302555439ef674e634731758ae1b9f6ae633762

Download Submit