Resubmissions

01-03-2024 16:38

240301-t5g36aaa21 10

01-03-2024 16:27

240301-tyf8aahg81 10

01-03-2024 16:19

240301-tsy6xahg2x 10

01-03-2024 16:12

240301-tnrw2aaa52 10

01-03-2024 16:00

240301-tfr7tshe41 10

01-03-2024 15:58

240301-tevlkahe3s 10

06-05-2023 12:30

230506-ppsgqsbd5x 10

Analysis

  • max time kernel
    24s
  • max time network
    128s
  • platform
    ubuntu-20.04_amd64
  • resource
    ubuntu2004-amd64-20240221-en
  • resource tags

    arch:amd64, arch:i386, image:ubuntu2004-amd64-20240221-en, kernel:5.4.0-169-generic, locale:en-us, os:ubuntu-20.04-amd64, system
  • submitted
    01-03-2024 16:38

General

  • Target

    06abc46d5dbd012b170c97d142c6b679183159197e9d3f6a76ba5e5abf999725.elf

  • Size

    2.4MB

  • MD5

    87adb14271dc49e6b0f2eb4b03f4bbe7

  • SHA1

    76215e7047773dd05b8af8e96689b2fe7e7b2ffc

  • SHA256

    06abc46d5dbd012b170c97d142c6b679183159197e9d3f6a76ba5e5abf999725

  • SHA512

    7c91f20bb3f9535db2bb381a2ca05f3d600941efd2c581b7c69a7e998405782bbcf1aacc6459987c72dc3ab422aefb4ecd89f661cf353fa298ed2aad8153ae60

  • SSDEEP

    49152:2bjPXEinhLENX/bX40MA4sDM9RIfiv2eZRBqnlptIU6iQnkgWbwL/KIRpvg9Suj:4YinhLEBo0MA4sDoIqv2eZOnlw+QnHp8

Score
9/10

Malware Config

Signatures

  • Renames multiple (9483) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Manipulates ESXi 1 IoCs

    Manipulates ESXi.

  • Modifies Polkit authorization policy 1 IoCs

    Modifies rule/action files in Polkit, possibly to grant additional privileges.

  • Reads CPU attributes 1 TTPs 1 IoCs
  • Write file to user bin folder 1 TTPs 2 IoCs
  • Writes file to tmp directory 1 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/06abc46d5dbd012b170c97d142c6b679183159197e9d3f6a76ba5e5abf999725.elf
    /tmp/06abc46d5dbd012b170c97d142c6b679183159197e9d3f6a76ba5e5abf999725.elf /usr -id 021452sdfght45ngfhgr842065ertghn -stopvm
    1⤵
    • Modifies Polkit authorization policy
    • Reads CPU attributes
    • Write file to user bin folder
    PID:1478
    • /bin/sh
      /bin/sh -c "esxcli vm process list > list"
      2⤵
      • Manipulates ESXi
      • Writes file to tmp directory
      PID:1479

Network

MITRE ATT&CK Enterprise v15


Downloads

  • /usr/readme

    Filesize

    1KB

    MD5

    96242291a7da70eb0b5ef015b93d02fd

    SHA1

    eaab077deb4d973965fe244abe9241f26510f7b9

    SHA256

    540bd89b4845e62111f7738e88c8db3c666bcd62ebf1407b85d98771871e9696

    SHA512

    a3bb1cbe129709624fdb8ad7ebcafb4e07695253146c28f34f709e6ba34248b39657ee535a936480e49f10180c68b93b35ff38f53b4e39d198d570b1dcce43d5