0ab177a27a5d7b5a81cb9031b89412ba992895fe817749ed3fa1c6401c14dd6a

Analysis

max time kernel
155s
max time network
160s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20231215-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20231215-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
22-12-2023 13:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ae6e53c1d137a3c2885110c72c9d829e
Size

1.1MB
MD5

ae6e53c1d137a3c2885110c72c9d829e
SHA1

7a2bc5e31de1085bb9aea6f4257bde7582ba28d2
SHA256

0ab177a27a5d7b5a81cb9031b89412ba992895fe817749ed3fa1c6401c14dd6a
SHA512

69bf932dd9c2259224dcdb8edfd06b9702b62327caf13a60217f03dcd12511b84ac1ec7ff59a93fe36801aca0eed074396bb6b6167920bd29f1614a0d2ffe435
SSDEEP

24576:B56n8IpJUmVrCF0lSIxCWy68eNAhKyx3rqywOExbsEgeBy+AmBoUUhKEhxX:ByqmC0ljCresKeJExIE9v7wRz

Score

7^/10

antivm upx

Malware Config

Signatures

Deletes itself 2 IoCs

pid	Process
1543	1
1547	ae6e53c1d137a3c2885110c72c9d829ea

Executes dropped EXE 4 IoCs

ioc	pid	Process
/tmp/1	1543	1
/tmp/ae6e53c1d137a3c2885110c72c9d829ea	1547	ae6e53c1d137a3c2885110c72c9d829ea
/tmp/ae6e53c1d137a3c2885110c72c9d829e	1550	ae6e53c1d137a3c2885110c72c9d829e
/tmp/1	1598	1

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/fstream-1.dat	upx

Checks CPU configuration 1 TTPs 1 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

Virtualization/Sandbox Evasion

T1497

description	ioc
File opened for reading	/proc/cpuinfo

Reads system network configuration 1 TTPs 1 IoCs

Uses contents of /proc filesystem to enumerate network settings.

System Network Configuration Discovery

T1016

description	ioc
File opened for reading	/proc/net/dev

Reads runtime system information 4 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/stat	Process not Found
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp

Writes file to tmp directory 6 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/fake.cfg	Process not Found
File opened for modification	/tmp/ae6e53c1d137a3c2885110c72c9d829e	cp
File opened for modification	/tmp/1	1
File opened for modification	/tmp/1	cp
File opened for modification	/tmp/ae6e53c1d137a3c2885110c72c9d829ea	cp
File opened for modification	/tmp/ae6e53c1d137a3c2885110c72c9d829e	ae6e53c1d137a3c2885110c72c9d829ea

/tmp/ae6e53c1d137a3c2885110c72c9d829e
/tmp/ae6e53c1d137a3c2885110c72c9d829e
1⤵
PID:1540
- /bin/sh
  sh -c "cp /tmp/ae6e53c1d137a3c2885110c72c9d829e /tmp/1"
  2⤵
  PID:1541
- - /bin/cp
    cp /tmp/ae6e53c1d137a3c2885110c72c9d829e /tmp/1
    3⤵
    - Reads runtime system information
    - Writes file to tmp directory
    PID:1542
- /bin/sh
  sh -c "cp /tmp/ae6e53c1d137a3c2885110c72c9d829e /tmp/ae6e53c1d137a3c2885110c72c9d829ea"
  2⤵
  PID:1544
- - /bin/cp
    cp /tmp/ae6e53c1d137a3c2885110c72c9d829e /tmp/ae6e53c1d137a3c2885110c72c9d829ea
    3⤵
    - Reads runtime system information
    - Writes file to tmp directory
    PID:1545
- /tmp/1
  /tmp/1 /tmp/1 1
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Writes file to tmp directory
  PID:1543
- - /tmp/1
    3⤵
    - Executes dropped EXE
    PID:1598

/tmp/ae6e53c1d137a3c2885110c72c9d829ea
/tmp/ae6e53c1d137a3c2885110c72c9d829ea /tmp/ae6e53c1d137a3c2885110c72c9d829e
1⤵
- Deletes itself
- Executes dropped EXE
- Writes file to tmp directory
PID:1547
- /tmp/ae6e53c1d137a3c2885110c72c9d829e
  2⤵
  - Executes dropped EXE
  PID:1550
- /bin/sh
  sh -c "cp /tmp/ae6e53c1d137a3c2885110c72c9d829ea /tmp/ae6e53c1d137a3c2885110c72c9d829e"
  2⤵
  PID:1552
- - /bin/cp
    cp /tmp/ae6e53c1d137a3c2885110c72c9d829ea /tmp/ae6e53c1d137a3c2885110c72c9d829e
    3⤵
    - Reads runtime system information
    - Writes file to tmp directory
    PID:1554

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

System Network Configuration Discovery

T1016

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/1

Filesize
1.1MB

MD5
ae6e53c1d137a3c2885110c72c9d829e

SHA1
7a2bc5e31de1085bb9aea6f4257bde7582ba28d2

SHA256
0ab177a27a5d7b5a81cb9031b89412ba992895fe817749ed3fa1c6401c14dd6a

SHA512
69bf932dd9c2259224dcdb8edfd06b9702b62327caf13a60217f03dcd12511b84ac1ec7ff59a93fe36801aca0eed074396bb6b6167920bd29f1614a0d2ffe435

Download Submit
/tmp/1

Filesize
1.4MB

MD5
4dd6289ae802ca3968ee3c7726286cc8

SHA1
e4ddd09a65256f19ef03c82f62dfc2dc33ab7b23

SHA256
a4f9f879fe9fc2b8b7da19d42616e1700f65077ae491a8cddf73848af90521cc

SHA512
147230676708b6268ffe95ca71b586e542f01dfc0c0dd49d8fda0516a77f4892ec23429dbf180c712f185f2686e3848c8c1c88d4333a283a68b71d87864d5d37

Download Submit
/tmp/ae6e53c1d137a3c2885110c72c9d829e

Filesize
1.4MB

MD5
015659e21dc2ff7f4f47c7184bf67d4e

SHA1
ec8792a4158e74034b5e52d411b6e486c7406457

SHA256
768b87a2e60cdbdd252c909e91dbb09c6f1afa7f23efdc95cd01b7615ba91c24

SHA512
a76e71c746071ab3d3ecb793c27d75934d884fcdd3bb1f86e07aab83cf8fc212979c25371ef18c7a46b8a32366d158bf7fb51d75138097c4769be569d6774d34

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads