1247a68b960aa81b7517c614c12c8b5d1921d1d2fdf17be636079ad94caf970f

Analysis

max time kernel
4s
max time network
134s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20231215-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20231215-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
03-01-2024 22:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3f328e68ed4d59973f9c5b4f36545ab0
Size

2.0MB
MD5

3f328e68ed4d59973f9c5b4f36545ab0
SHA1

f2724c0abb93b6a1d3f6fcb59b88c2aebbd76031
SHA256

1247a68b960aa81b7517c614c12c8b5d1921d1d2fdf17be636079ad94caf970f
SHA512

905834e82f0144db00dcb49078792beb7c595dd0fca1937aace49be430919f6a43b84f239c46f9e9bd5e494c49eb5f4e3c18ad494eb311c44e5704e715a0d10d
SSDEEP

49152:k5Wy/20shMXR8uUz9cBbLc/6LCM01iNFFB9nO:k5Wy//sO8uDq6

Score

10^/10

ransomware

Malware Config

Extracted

Path

/var/log/ReadMe.txt

Ransom Note

~+ * + ' BLACK | () .-.,='``'=. - o - '=/_ \ | * | '=._ | \ `=./`, ' . '=.__.=' `=' * + Matter + O * ' . >>> What happens? Your linux hosts are encrypted, and currently not operational. We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data. >>> What guarantees? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. We always keep our promises. >> How to contact with us? 1. Download and install TOR Browser (https://www.torproject.org/). 2. Open http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/7NT6LXKC1XQHW5039BLOV >> Warning! Recovery recommendations. Do not DELETE or MODIFY any files, it can lead to recovery problems!

URLs

http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/7NT6LXKC1XQHW5039BLOV

Signatures

Deletes itself 1 IoCs

Processes:

pid

1548

pid
1548

Deletes log files 1 TTPs 4 IoCs

Deletes log files on the system.

Indicator Removal

T1070

Processes:

description	ioc
File truncated	/var/log/installer/.2146BC677F078171EFD9E535210536618953D86C250F460A
File truncated	/var/log/installer/ReadMe.txt
File truncated	/var/log/.1BF5CC212DC7FB1A0EFC4B93CB0C38C0C67838D9DC2DF9EF
File truncated	/var/log/ReadMe.txt

Reads CPU attributes 1 TTPs 1 IoCs

System Information Discovery
T1082

Processes:

description ioc

File opened for reading /sys/devices/system/cpu/online
Reads runtime system information 1 IoCs
Reads data from /proc virtual filesystem.

Processes:

description ioc

File opened for reading /proc/sys/vm/overcommit_memory

description	ioc
File opened for reading	/sys/devices/system/cpu/online

description	ioc
File opened for reading	/proc/sys/vm/overcommit_memory

Writes file to tmp directory 2 IoCs

Malware often drops required files in the /tmp directory.

Processes:

3f328e68ed4d59973f9c5b4f36545ab0

description	ioc	process
File opened for modification	/tmp/.DBFD055C-9CF2-4BB8-908E-6DA22321BF17	3f328e68ed4d59973f9c5b4f36545ab0
File opened for modification	/tmp/daemon_1704317677.log

/tmp/3f328e68ed4d59973f9c5b4f36545ab0
/tmp/3f328e68ed4d59973f9c5b4f36545ab0
1⤵
- Writes file to tmp directory
PID:1547

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/.DBFD055C-9CF2-4BB8-908E-6DA22321BF17
Filesize
5B

MD5
7e6c36cd0eca5da79a64e13d02409a4f

SHA1
c66c08510ceb67495b8965c5c0fb8f2382e871e3

SHA256
30d7dbf153c6a3ead496dcd474ec2264244e5abfa52bfa44462092d0096e20a0

SHA512
0eceb1e0abd905063e37826058e878f01b1835df4bc29382abe31250e8ce8b44a86882146af3d059c88e377e539b08a0dc4ed4573b17e16f68e1eee6f637f8c2

Download Submit
/tmp/daemon_1704317677.log
Filesize
5KB

MD5
299c2fcb1715816db0e2e983671545a8

SHA1
c3aeeff831c27a3b114e924ce13a48b5fac7f990

SHA256
fef2bb94ecd3da208d5a923dd2790dddbffc8eb3f25d6c1fa930bbc5bb0e03d5

SHA512
c2457de3884a646135843a7da88cde4eedbf55159dbdca139d0bee1553e4038f404a6101ebbd524b3bcab0589d352dc09b0cc46ce9c14d50fbbefa2d326c176b

Download Submit
/var/log/.1BF5CC212DC7FB1A0EFC4B93CB0C38C0C67838D9DC2DF9EF
Filesize
512B

MD5
c36ce3660ba8c23b8a3d5ec03bf8dde1

SHA1
323071155acd3c8c20b609fd585e6d6577aeb36b

SHA256
5a091703fed4af6f2a40da6d4b1a34e60ca2234dcc951ef7aef5fdde9ca95db7

SHA512
3c3d7ea4eee2d1e8609bd482e18004d1a07cb143a3978bee067802a390b46b95a18bb76ff08120b24200bbe1bd3dde00d908fed3b33cd42c2e934665f7220c0c

Download Submit
/var/log/ReadMe.txt
Filesize
1KB

MD5
9574a2575d6b362db1f9b78443a1336a

SHA1
f0e842916eb0d0efeb02f75e7c0335598a388a9e

SHA256
b012ea545aa829708146300bb07fbe92614cc6ea0cfdecd8743eeb5692220d85

SHA512
3eec9a12e372c5b66d403929d430d7923adaac31b71ccc3dd0da8a9e86f3ef10e9886531160a97d0d3c3c1dd0a49d248497f6210edac84670210a8c303adb959

Download Submit
/var/log/installer/.2146BC677F078171EFD9E535210536618953D86C250F460A
Filesize
512B

MD5
fbee03e0a21ac127b2d22007811a315e

SHA1
d116820314bf6de1358a66bfa2d60d893f862ec0

SHA256
e3b3c4913d579272e44a0b9c3d866745edcc47f458a4bf66994f2c328de71955

SHA512
8d5639d13b405a2aff960f957beba069434cbb95275055dffb894ac0e243ba4ec01c6759ef28e12a4caddab84973bb9a91f0f18b5c4fe3650beefbf412729525

Download Submit