8bd88403df2e2f4d76d691c836de77fc2dc17d683ff393d17ac9fd30725ca25e

Analysis

max time kernel
156s
max time network
160s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20231215-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20231215-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
22/12/2023, 11:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

88663bf600675f94721ace878ea8fc2d
Size

2.3MB
MD5

88663bf600675f94721ace878ea8fc2d
SHA1

92d6a505918e76a6a746cd44219204aa99ef2522
SHA256

8bd88403df2e2f4d76d691c836de77fc2dc17d683ff393d17ac9fd30725ca25e
SHA512

02674fcefe3f1efff2f931587e7ce51f6d1fe531f037e3040dd110c76c48d4c4364f31343ec4b21275e049e7c1fc509d5ecf5290af52a8d59135077598467987
SSDEEP

49152:FcXS0KUlIx32lkpQmQkpfb4Zs7SLGHrWu9Paue/Tr/S+iGonw3Eb0Q4eHJHme6V4:FcXS1UlIx32lk7pfb4Zs7SL7J1f/SMo9

Score

7^/10

antivm

Malware Config

Signatures

Deletes itself 2 IoCs

pid	Process
1545	freeBSD
1551	88663bf600675f94721ace878ea8fc2da

Executes dropped EXE 3 IoCs

ioc	pid	Process
/tmp/freeBSD	1545	freeBSD
/tmp/88663bf600675f94721ace878ea8fc2da	1551	88663bf600675f94721ace878ea8fc2da
/tmp/88663bf600675f94721ace878ea8fc2d	1552	88663bf600675f94721ace878ea8fc2d

Checks CPU configuration 1 TTPs 1 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

Virtualization/Sandbox Evasion

T1497

description	ioc
File opened for reading	/proc/cpuinfo

Reads system network configuration 1 TTPs 1 IoCs

Uses contents of /proc filesystem to enumerate network settings.

System Network Configuration Discovery

T1016

description	ioc
File opened for reading	/proc/net/dev

Reads runtime system information 4 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/stat	Process not Found
File opened for reading	/proc/filesystems	cp

Writes file to tmp directory 5 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/88663bf600675f94721ace878ea8fc2da	cp
File opened for modification	/tmp/88663bf600675f94721ace878ea8fc2d	88663bf600675f94721ace878ea8fc2da
File opened for modification	/tmp/fake.cfg	Process not Found
File opened for modification	/tmp/88663bf600675f94721ace878ea8fc2d	cp
File opened for modification	/tmp/freeBSD	cp

/tmp/88663bf600675f94721ace878ea8fc2d
/tmp/88663bf600675f94721ace878ea8fc2d
1⤵
PID:1542
- /bin/sh
  sh -c "cp /tmp/88663bf600675f94721ace878ea8fc2d /tmp/freeBSD"
  2⤵
  PID:1543
- - /bin/cp
    cp /tmp/88663bf600675f94721ace878ea8fc2d /tmp/freeBSD
    3⤵
    - Reads runtime system information
    - Writes file to tmp directory
    PID:1544
- /bin/sh
  sh -c "cp /tmp/88663bf600675f94721ace878ea8fc2d /tmp/88663bf600675f94721ace878ea8fc2da"
  2⤵
  PID:1546
- - /bin/cp
    cp /tmp/88663bf600675f94721ace878ea8fc2d /tmp/88663bf600675f94721ace878ea8fc2da
    3⤵
    - Reads runtime system information
    - Writes file to tmp directory
    PID:1547
- /tmp/freeBSD
  /tmp/freeBSD /tmp/freeBSD 1
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:1545

/tmp/88663bf600675f94721ace878ea8fc2da
/tmp/88663bf600675f94721ace878ea8fc2da /tmp/88663bf600675f94721ace878ea8fc2d
1⤵
- Deletes itself
- Executes dropped EXE
- Writes file to tmp directory
PID:1551
- /tmp/88663bf600675f94721ace878ea8fc2d
  2⤵
  - Executes dropped EXE
  PID:1552
- /bin/sh
  sh -c "cp /tmp/88663bf600675f94721ace878ea8fc2da /tmp/88663bf600675f94721ace878ea8fc2d"
  2⤵
  PID:1556
- - /bin/cp
    cp /tmp/88663bf600675f94721ace878ea8fc2da /tmp/88663bf600675f94721ace878ea8fc2d
    3⤵
    - Reads runtime system information
    - Writes file to tmp directory
    PID:1557

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

System Network Configuration Discovery

T1016

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/88663bf600675f94721ace878ea8fc2d

Filesize
1.3MB

MD5
cb8907209654960b42324acee6af2e3c

SHA1
3d74c3840178bf9ed9a7627014db33dbd9f8c761

SHA256
cc49bbdb1a9232a2694f31159d65197367f8ee28255c7c8995afa25e9dbe3a72

SHA512
09dc16e75c46087fc7b6f517c91cab25104302eb039b0a33ac4f8bd048541603c8c951456d15c356e2a2307c46eed40eb9ab3b52a7fc5e91e734b266ca3fa5e8

Download Submit
/tmp/88663bf600675f94721ace878ea8fc2d

Filesize
2.1MB

MD5
8d17ad5dadb6397c38d16f8edd11cdab

SHA1
bd585a436dde25dd965353eb57c6d7450e60e93d

SHA256
b35386e83fdc7c687884e45a4fd2bd7363decb3ee9522b15c3c138c3603bea3c

SHA512
6e5b296a08e4ac2ed0b3ba49433bc57583ff9fb73be618cb03f974e949ffecc4c3ecb0496afe1de38d6bfe21ed48b311f082d860c49a8fec00588a825262785b

Download Submit
/tmp/freeBSD

Filesize
2.3MB

MD5
88663bf600675f94721ace878ea8fc2d

SHA1
92d6a505918e76a6a746cd44219204aa99ef2522

SHA256
8bd88403df2e2f4d76d691c836de77fc2dc17d683ff393d17ac9fd30725ca25e

SHA512
02674fcefe3f1efff2f931587e7ce51f6d1fe531f037e3040dd110c76c48d4c4364f31343ec4b21275e049e7c1fc509d5ecf5290af52a8d59135077598467987

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads