Analysis Overview
SHA256
6a7b7147fea63d77368c73cef205eb75d16ef209a246b05698358a28fd16e502
Threat Level: Known bad
The file 3f9a28e8c057e7ea7ccf15a4db81f362 was found to be: Known bad.
Malicious Activity Summary
Blackmatter family
Deletes itself
Reads CPU attributes
Deletes log files
Reads runtime system information
Writes file to tmp directory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-04 01:55
Signatures
Blackmatter family
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-04 01:55
Reported
2024-01-04 01:58
Platform
ubuntu1804-amd64-20231215-en
Max time kernel
5s
Max time network
135s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Deletes log files
| Description | Indicator | Process | Target |
| File truncated | /var/log/.1BF5CC212DC7FB1A0EFC4B93CB0C38C0C67838D9DC2DF9EF | N/A | N/A |
| File truncated | /var/log/ReadMe.txt | N/A | N/A |
| File truncated | /var/log/installer/.2146BC677F078171EFD9E535210536618953D86C250F460A | N/A | N/A |
| File truncated | /var/log/installer/ReadMe.txt | N/A | N/A |
Reads CPU attributes
| Description | Indicator | Process | Target |
| File opened for reading | /sys/devices/system/cpu/online | N/A | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/sys/vm/overcommit_memory | N/A | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/main.log | N/A | N/A |
| File opened for modification | /tmp/.DBFD055C-9CF2-4BB8-908E-6DA22321BF17 | /tmp/3f9a28e8c057e7ea7ccf15a4db81f362 | N/A |
Processes
/tmp/3f9a28e8c057e7ea7ccf15a4db81f362
[/tmp/3f9a28e8c057e7ea7ccf15a4db81f362]
Network
| Country | Destination | Domain | Proto |
| US | 151.101.2.49:443 | N/A | tcp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 151.101.193.91:443 | N/A | tcp |
| GB | 195.181.164.14:443 | N/A | tcp |
| GB | 185.125.188.62:443 | N/A | tcp |
| GB | 185.125.188.62:443 | N/A | tcp |
| US | 1.1.1.1:53 | mojobiden.com | udp |
| US | 3.33.130.190:80 | mojobiden.com | tcp |
| US | 1.1.1.1:53 | paymenthacks.com | udp |
| US | 204.11.56.48:80 | paymenthacks.com | tcp |
| US | 1.1.1.1:53 | cdn.fwupd.org | udp |
| US | 1.1.1.1:53 | cdn.fwupd.org | udp |
| US | 151.101.194.49:443 | cdn.fwupd.org | tcp |
| US | 151.101.193.91:443 | N/A | tcp |
| US | 1.1.1.1:53 | 1527653184.rsc.cdn77.org | udp |
| US | 1.1.1.1:53 | 1527653184.rsc.cdn77.org | udp |
| GB | 89.187.167.5:443 | 1527653184.rsc.cdn77.org | tcp |
Files
/tmp/main.log
| MD5 | 52a14648c0b290b5042dd43a2b254702 |
| SHA1 | 2107ad29777f5db94e8997c0fc0dca4a3410a741 |
| SHA256 | 7a49b4529ef14b0a03c309effd59fcf25fb81e1a4214af5522c52f50133878fd |
| SHA512 | 7451d30756557fe38320c92f71215402f2730fcc89dc465528768ef59473af5e8b632008d5a7bcc82e5cafa66f7796f85c11837c8e2eb17accfdc26564356aca |
/var/log/ReadMe.txt
| MD5 | a5d1d021df6f81a4137d7b58f2c94f33 |
| SHA1 | e5d2cd2451e8464bafb63cc6f6df74f7dc3ca4c1 |
| SHA256 | 005191d057f679970d95c15e553229f82d66c5b1f08d5aecbd4ce4c9dc27856e |
| SHA512 | d5f6f53cc7f18585214883a9de312c677e7adcc8956a01ae5583e859d730ea2be88f0ff8c297c9f1235b8695191758712845d1d6e801e5cef7979209868643c0 |
/var/log/.1BF5CC212DC7FB1A0EFC4B93CB0C38C0C67838D9DC2DF9EF
| MD5 | 9961bb4ccf4efe57cc43f27ebeba3ccf |
| SHA1 | 48dc5c7b9fa60003631edee499f894e7ee0bcd8c |
| SHA256 | ca0992ab2fdba5f0c70b764cce1bd26352528cc9a1f81cddfc5871d12ac0ef55 |
| SHA512 | 5b1aba8971a5251c8b75bf6734d9ca40433efa5e64dbd23f1c51a752d9ef37a323a931cdc74297c38e102e5aeeab45b52d8d95119dbee41cce10366edca37996 |
/var/log/installer/.2146BC677F078171EFD9E535210536618953D86C250F460A
| MD5 | b0543e7af30aa7101e1c063835932689 |
| SHA1 | 23ba4a8ac8ad9e3349fe7e175e320c99395c21d0 |
| SHA256 | 931fcc252a3b13f10bb4fe70e131e9d5dd8e543dff0221ee8c2fe0160b130321 |
| SHA512 | aa31eca98ff735f1a953235ccea4379e7328dcca507c5461397354d1660d02ab4c5c964544825f119179052152d79a8b2b6c91dabc0a355efd910e7fb7e604a6 |