Malware Analysis Report

2024-10-16 03:21

Sample ID 240104-ccdrlaegdp
Target 3f9a28e8c057e7ea7ccf15a4db81f362
SHA256 6a7b7147fea63d77368c73cef205eb75d16ef209a246b05698358a28fd16e502
Tags
bab21ee475b52c0c9eb47d23ec9ba1d1 blackmatter ransomware
score
10/10

Analysis Overview

score
10/10

SHA256

6a7b7147fea63d77368c73cef205eb75d16ef209a246b05698358a28fd16e502

Threat Level: Known bad

The file 3f9a28e8c057e7ea7ccf15a4db81f362 was found to be: Known bad.

Malicious Activity Summary

bab21ee475b52c0c9eb47d23ec9ba1d1 blackmatter ransomware

Blackmatter family

Deletes itself

Reads CPU attributes

Deletes log files

Reads runtime system information

Writes file to tmp directory

Analysis: static1

Detonation Overview

Reported

2024-01-04 01:55

Signatures

Blackmatter family

blackmatter

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-04 01:55

Reported

2024-01-04 01:58

Platform

ubuntu1804-amd64-20231215-en

Max time kernel

5s

Max time network

135s

Command Line

[/tmp/3f9a28e8c057e7ea7ccf15a4db81f362]

Signatures

Deletes itself

Description   Indicator   Process   Target
N/A           N/A         N/A       N/A

Deletes log files

Description      Indicator                                                        Process   Target
File truncated   /var/log/.1BF5CC212DC7FB1A0EFC4B93CB0C38C0C67838D9DC2DF9EF       N/A       N/A
File truncated   /var/log/ReadMe.txt                                              N/A       N/A
File truncated   /var/log/installer/.2146BC677F078171EFD9E535210536618953D86C250F460A   N/A       N/A
File truncated   /var/log/installer/ReadMe.txt                                    N/A       N/A

Reads CPU attributes

Description               Indicator                         Process   Target
File opened for reading   /sys/devices/system/cpu/online    N/A       N/A

Reads runtime system information

Description               Indicator                            Process   Target
File opened for reading   /proc/sys/vm/overcommit_memory       N/A       N/A

Writes file to tmp directory

Description                    Indicator                                     Process                                       Target
File opened for modification   /tmp/main.log                                 N/A                                           N/A
File opened for modification   /tmp/.DBFD055C-9CF2-4BB8-908E-6DA22321BF17    /tmp/3f9a28e8c057e7ea7ccf15a4db81f362         N/A

Processes

/tmp/3f9a28e8c057e7ea7ccf15a4db81f362

[/tmp/3f9a28e8c057e7ea7ccf15a4db81f362]

Network

Country   Destination            Domain                        Proto
US        151.101.2.49:443                                     tcp
N/A       224.0.0.251:5353                                     udp
US        151.101.193.91:443                                   tcp
GB        195.181.164.14:443                                   tcp
GB        185.125.188.62:443                                   tcp
GB        185.125.188.62:443                                   tcp
US        1.1.1.1:53             mojobiden.com                 udp
US        3.33.130.190:80        mojobiden.com                 tcp
US        1.1.1.1:53             paymenthacks.com              udp
US        204.11.56.48:80        paymenthacks.com              tcp
US        1.1.1.1:53             cdn.fwupd.org                 udp
US        1.1.1.1:53             cdn.fwupd.org                 udp
US        151.101.194.49:443     cdn.fwupd.org                 tcp
US        151.101.193.91:443                                   tcp
US        1.1.1.1:53             1527653184.rsc.cdn77.org      udp
US        1.1.1.1:53             1527653184.rsc.cdn77.org      udp
GB        89.187.167.5:443       1527653184.rsc.cdn77.org      tcp

Files

/tmp/main.log

MD5 52a14648c0b290b5042dd43a2b254702
SHA1 2107ad29777f5db94e8997c0fc0dca4a3410a741
SHA256 7a49b4529ef14b0a03c309effd59fcf25fb81e1a4214af5522c52f50133878fd
SHA512 7451d30756557fe38320c92f71215402f2730fcc89dc465528768ef59473af5e8b632008d5a7bcc82e5cafa66f7796f85c11837c8e2eb17accfdc26564356aca

/var/log/ReadMe.txt

MD5 a5d1d021df6f81a4137d7b58f2c94f33
SHA1 e5d2cd2451e8464bafb63cc6f6df74f7dc3ca4c1
SHA256 005191d057f679970d95c15e553229f82d66c5b1f08d5aecbd4ce4c9dc27856e
SHA512 d5f6f53cc7f18585214883a9de312c677e7adcc8956a01ae5583e859d730ea2be88f0ff8c297c9f1235b8695191758712845d1d6e801e5cef7979209868643c0

/var/log/.1BF5CC212DC7FB1A0EFC4B93CB0C38C0C67838D9DC2DF9EF

MD5 9961bb4ccf4efe57cc43f27ebeba3ccf
SHA1 48dc5c7b9fa60003631edee499f894e7ee0bcd8c
SHA256 ca0992ab2fdba5f0c70b764cce1bd26352528cc9a1f81cddfc5871d12ac0ef55
SHA512 5b1aba8971a5251c8b75bf6734d9ca40433efa5e64dbd23f1c51a752d9ef37a323a931cdc74297c38e102e5aeeab45b52d8d95119dbee41cce10366edca37996

/var/log/installer/.2146BC677F078171EFD9E535210536618953D86C250F460A

MD5 b0543e7af30aa7101e1c063835932689
SHA1 23ba4a8ac8ad9e3349fe7e175e320c99395c21d0
SHA256 931fcc252a3b13f10bb4fe70e131e9d5dd8e543dff0221ee8c2fe0160b130321
SHA512 aa31eca98ff735f1a953235ccea4379e7328dcca507c5461397354d1660d02ab4c5c964544825f119179052152d79a8b2b6c91dabc0a355efd910e7fb7e604a6