Analysis
-
max time kernel
25s -
max time network
24s -
platform
ubuntu-20.04_amd64 -
resource
ubuntu2004-amd64-20240221-en -
resource tags
arch:amd64arch:i386image:ubuntu2004-amd64-20240221-enkernel:5.4.0-169-genericlocale:en-usos:ubuntu-20.04-amd64system -
submitted
03-03-2024 12:53
Static task
static1
Behavioral task
behavioral1
Sample
linux_hive.elf
Resource
ubuntu2004-amd64-20240221-en
General
-
Target
linux_hive.elf
-
Size
2.3MB
-
MD5
56075e7c63b3f9f612cde6187d4a7877
-
SHA1
1bcfa979b7b9044ba5ce5c006bd26b0bdbeb8464
-
SHA256
12389b8af28307fd09fe080fd89802b4e616ed4c961f464f95fdb4b3f0aaf185
-
SHA512
7df68e37b3c2e7ce197f0d8736d06adf808343fe2d638bcd3e0f285968e1365c06b33157c6e5816b9fa9362e6adc262d3d2da45d3d1a38efb7e2ce980fce8b80
-
SSDEEP
49152:TzVcrxrb/TGvO90dL3BmAFd4A64nsfJbJ5PhTZDknzImQXNqw0Xfgg778lwQJKTS:TcbP/kB30JKT
Malware Config
Extracted
/FVUV_HOW_TO_DECRYPT.txt
hive
http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/
http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/
Signatures
-
Hive
A ransomware written in Golang first seen in June 2021.
-
Deletes itself 1 IoCs
pid Process 1475 linux_hive.elf -
description ioc File truncated /var/log/journal/4816dd152e8c48ff97e9117d197c13d8/FVUV_HOW_TO_DECRYPT.txt -
Creates/modifies Cron job 1 TTPs 2 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
description ioc File opened for modification /var/spool/cron/atjobs/.SEQ.rfvV41WlcD8IlkpyQwV_g7lHdYfo0xNJM5hWbHI_KAz_Lbx8HNRm5oQ0.mrvk3 File opened for modification /var/spool/cron/atjobs/FVUV_HOW_TO_DECRYPT.txt -
Deletes log files 1 TTPs 7 IoCs
Deletes log files on the system.
description ioc File truncated /var/log/cups/FVUV_HOW_TO_DECRYPT.txt File truncated /var/log/installer/cdebconf/FVUV_HOW_TO_DECRYPT.txt File truncated /var/log/installer/FVUV_HOW_TO_DECRYPT.txt File truncated /var/log/unattended-upgrades/FVUV_HOW_TO_DECRYPT.txt File truncated /var/log/FVUV_HOW_TO_DECRYPT.txt File truncated /var/log/apt/FVUV_HOW_TO_DECRYPT.txt File truncated /var/log/audit/FVUV_HOW_TO_DECRYPT.txt -
Enumerates running processes
Discovers information about currently running processes on the system
-
Reads CPU attributes 1 TTPs 15 IoCs
description ioc File opened for reading /sys/devices/system/cpu/cpu0 File opened for reading /sys/devices/system/cpu/cpu0/cache/index0 File opened for reading /sys/devices/system/cpu/cpu0/cache File opened for reading /sys/devices/system/cpu/cpu0/cache/index3 File opened for reading /sys/devices/system/cpu/smt File opened for reading /sys/devices/system/cpu/cpufreq File opened for reading /sys/devices/system/cpu/cpuidle File opened for reading /sys/devices/system/cpu/hotplug File opened for reading /sys/devices/system/cpu/power File opened for reading /sys/devices/system/cpu/cpu0/cache/index2 File opened for reading /sys/devices/system/cpu/cpu0/hotplug File opened for reading /sys/devices/system/cpu/cpu0/power File opened for reading /sys/devices/system/cpu/cpu0/topology File opened for reading /sys/devices/system/cpu/vulnerabilities File opened for reading /sys/devices/system/cpu/cpu0/cache/index1 -
Reads hardware information 1 TTPs 1 IoCs
Accesses system info like serial numbers, manufacturer names etc.
description ioc File opened for reading /sys/devices/virtual/dmi/id/power -
Reads network interface configuration 2 TTPs 12 IoCs
Fetches information about one or more active network interfaces.
description ioc File opened for reading /sys/devices/pci0000:00/0000:00:03.0/net/ens3/queues/tx-0/byte_queue_limits File opened for reading /sys/devices/pci0000:00/0000:00:03.0/net/ens3/statistics File opened for reading /sys/devices/virtual/net/lo/queues File opened for reading /sys/devices/virtual/net/lo/queues/rx-0 File opened for reading /sys/devices/pci0000:00/0000:00:03.0/net/ens3/power File opened for reading /sys/devices/pci0000:00/0000:00:03.0/net/ens3/queues/rx-0 File opened for reading /sys/devices/pci0000:00/0000:00:03.0/net/ens3/queues/tx-0 File opened for reading /sys/devices/virtual/net/lo/power File opened for reading /sys/devices/virtual/net/lo/queues/tx-0 File opened for reading /sys/devices/virtual/net/lo/queues/tx-0/byte_queue_limits File opened for reading /sys/devices/virtual/net/lo/statistics File opened for reading /sys/devices/pci0000:00/0000:00:03.0/net/ens3/queues -
Enumerates kernel/hardware configuration 1 TTPs 64 IoCs
Reads contents of /sys virtual filesystem to enumerate system information.
description ioc File opened for reading /sys/devices/system/container/power File opened for reading /sys/kernel/tracing/events/ext4/ext4_request_inode File opened for reading /sys/kernel/tracing/events/power/clock_disable File opened for reading /sys/kernel/tracing/events/regmap/regmap_async_complete_done File opened for reading /sys/kernel/tracing/events/syscalls/sys_enter_sched_getparam File opened for reading /sys/devices/platform/serial8250/tty/ttyS29/power File opened for reading /sys/bus/serio/drivers/psmouse File opened for reading /sys/kernel/debug/tracing/events/rtc File opened for reading /sys/kernel/debug/tracing/events/syscalls/sys_exit_sched_get_priority_min File opened for reading /sys/kernel/slab/:A-0000256/cgroup/filp(1187:rsyslog.service) File opened for reading /sys/kernel/slab/dentry/cgroup/dentry(465:e2scrub_reap.service) File opened for reading /sys/bus/pci/slots/11 File opened for reading /sys/kernel/debug/tracing/events/vmscan/mm_vmscan_lru_isolate File opened for reading /sys/kernel/slab/kmalloc-1k/cgroup/kmalloc-1k(1377:systemd-localed.service) File opened for reading /sys/devices/virtual/vc/vcsa1 File opened for reading /sys/kernel/debug/tracing/events/syscalls/sys_enter_sched_getattr File opened for reading /sys/kernel/slab/radix_tree_node/cgroup/radix_tree_node(441:dbus.service) File opened for reading /sys/kernel/slab/sock_inode_cache/cgroup/sock_inode_cache(59:dev-hugepages.mount) File opened for reading /sys/firmware/acpi/tables File opened for reading /sys/devices/pnp0/00:04/tty/ttyS0 File opened for reading /sys/kernel/tracing/events/drm/drm_vblank_event File opened for reading /sys/kernel/tracing/events/syscalls/sys_enter_getsockopt File opened for reading /sys/kernel/tracing/events/syscalls/sys_exit_mq_timedreceive File opened for reading /sys/kernel/tracing/events/workqueue File opened for reading /sys/module/glue_helper/holders File opened for reading /sys/kernel/slab/radix_tree_node/cgroup/radix_tree_node(625:systemd-hostnamed.service) File opened for reading /sys/kernel/debug/tracing/events/syscalls/sys_exit_time File opened for reading /sys/devices/pci0000:00/0000:00:04.0/ata8/host7/scsi_host/host7/power File opened for reading /sys/devices/virtual/tty/tty8 File opened for reading /sys/kernel/slab/:A-0000128/cgroup File opened for reading /sys/kernel/slab/dentry/cgroup/dentry(505:ondemand.service) File opened for reading /sys/kernel/tracing/events/alarmtimer/alarmtimer_cancel File opened for reading /sys/devices/pci0000:00/0000:00:04.0/ata4/link4/dev4.0/ata_device/dev4.0/power File opened for reading /sys/kernel/debug/block/loop0 File opened for reading /sys/kernel/tracing/events/syscalls/sys_enter_keyctl File opened for reading /sys/module/fb/parameters File opened for reading /sys/devices/virtual/misc/snapshot File opened for reading /sys/kernel/debug/tracing/events/clk/clk_set_phase File opened for reading /sys/kernel/slab/:0000208/cgroup File opened for reading /sys/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:03/wakeup File opened for reading /sys/kernel/slab/:0000080/cgroup File opened for reading /sys/kernel/slab/dentry/cgroup/dentry(289:boot-efi.mount) File opened for reading /sys/kernel/slab/kmalloc-rcl-64/cgroup File opened for reading /sys/kernel/debug/tracing/events/syscalls/sys_enter_execveat File opened for reading /sys/kernel/tracing/events/ext4/ext4_da_write_pages File opened for reading /sys/kernel/tracing/events/syscalls/sys_exit_getrlimit File opened for reading /sys/module/libahci/notes File opened for reading /sys/kernel/slab/dentry/cgroup/dentry(1393:packagekit.service) File opened for reading /sys/kernel/slab/kmalloc-1k/cgroup/kmalloc-1k(1217:systemd-logind.service) File opened for reading /sys/kernel/security/apparmor/features File opened for reading /sys/kernel/slab/radix_tree_node/cgroup/radix_tree_node(345:systemd-update-utmp.service) File opened for reading /sys/kernel/tracing/events/syscalls/sys_enter_truncate File opened for reading /sys/kernel/tracing/events/syscalls/sys_exit_preadv2 File opened for reading /sys/kernel/debug/tracing/events/syscalls/sys_enter_timer_delete File opened for reading /sys/kernel/slab/:A-0000192/cgroup/cred_jar(617:ssh.service) File opened for reading /sys/kernel/tracing/events/syscalls/sys_exit_personality File opened for reading /sys/devices/pci0000:00/0000:00:02.0/virtio0/graphics/fb0 File opened for reading /sys/kernel/debug/tracing/events/syscalls/sys_enter_pread64 File opened for reading /sys/kernel/debug/tracing/events/syscalls/sys_exit_sigaltstack File opened for reading /sys/kernel/debug/tracing/events/xhci-hcd/xhci_get_port_status File opened for reading /sys/kernel/debug/tracing/events/irq_vectors/call_function_single_entry File opened for reading /sys/kernel/tracing/events/syscalls/sys_enter_syncfs File opened for reading /sys/kernel/debug/tracing/events/syscalls/sys_enter_accept4 File opened for reading /sys/devices/platform/serial8250/tty/ttyS20/power -
Reads runtime system information 64 IoCs
Reads data from /proc virtual filesystem.
description ioc Process File opened for reading /proc/1418/attr/smack linux_hive.elf File opened for reading /proc/1475/task/1956/attr Process not Found File opened for reading /proc/1757/task/1757/attr/apparmor Process not Found File opened for reading /proc/2097/task/2141/fd Process not Found File opened for reading /proc/23/attr/apparmor linux_hive.elf File opened for reading /proc/780/task/782/fd linux_hive.elf File opened for reading /proc/992/task/994/fd linux_hive.elf File opened for reading /proc/1475/task/1867/fd Process not Found File opened for reading /proc/1475/task/1889/net/dev_snmp6 Process not Found File opened for reading /proc/1480/net/netfilter Process not Found File opened for reading /proc/1590/task/1591/attr/apparmor Process not Found File opened for reading /proc/72/task/72/attr linux_hive.elf File opened for reading /proc/1475/task/1976/fd Process not Found File opened for reading /proc/1480/task/1482/ns Process not Found File opened for reading /proc/1475/task/1913 Process not Found File opened for reading /proc/960/net/stat Process not Found File opened for reading /proc/73/task/73/attr/smack linux_hive.elf File opened for reading /proc/1850/task/1850 Process not Found File opened for reading /proc/1415/task/1415/attr/smack Process not Found File opened for reading /proc/1475/task/1967/net/stat Process not Found File opened for reading /proc/173/net/stat Process not Found File opened for reading /proc/301/net/netfilter Process not Found File opened for reading /proc/12/net/dev_snmp6 linux_hive.elf File opened for reading /proc/960/task/961 linux_hive.elf File opened for reading /proc/1475/task/1917/net/netfilter Process not Found File opened for reading /proc/1475/task/1987/ns Process not Found File opened for reading /proc/242/task/242/net Process not Found File opened for reading /proc/75/task/75 Process not Found File opened for reading /proc/1645/task/1747/attr/smack Process not Found File opened for reading /proc/2093/net/netfilter Process not Found File opened for reading /proc/614/fd Process not Found File opened for reading /proc/1041/task/1042/net/dev_snmp6 linux_hive.elf File opened for reading /proc/2081/task/2150/ns Process not Found File opened for reading /proc/2089/task/2160 Process not Found File opened for reading /proc/1475/task/1892/net/netfilter Process not Found File opened for reading /proc/1560/fd Process not Found File opened for reading /proc/85/task/85/fd Process not Found File opened for reading /proc/201/task/201/attr linux_hive.elf File opened for reading /proc/1033/task/1033/attr/apparmor Process not Found File opened for reading /proc/1475/task/1994/net Process not Found File opened for reading /proc/785 linux_hive.elf File opened for reading /proc/1475/task/1952 Process not Found File opened for reading /proc/1475/task/2041/attr/apparmor Process not Found File opened for reading /proc/1413/attr/apparmor Process not Found File opened for reading /proc/1708/task/1708/net/stat Process not Found File opened for reading /proc/2102/task/2137/attr/apparmor Process not Found File opened for reading /proc/74/task/74 linux_hive.elf File opened for reading /proc/1594/task/1597/attr/apparmor Process not Found File opened for reading /proc/1475/task/1983/net/dev_snmp6 Process not Found File opened for reading /proc/1475/task/1987/net Process not Found File opened for reading /proc/1475/task/2015/ns Process not Found File opened for reading /proc/1645/task/1750/attr/smack Process not Found File opened for reading /proc/1846 Process not Found File opened for reading /proc/301/net Process not Found File opened for reading /proc/77/task/77/attr/apparmor Process not Found File opened for reading /proc/118/attr/apparmor Process not Found File opened for reading /proc/15/task/15/attr/apparmor linux_hive.elf File opened for reading /proc/242/task/242/net/dev_snmp6 linux_hive.elf File opened for reading /proc/1716/task/1716/attr Process not Found File opened for reading /proc/79/task/79/net/netfilter linux_hive.elf File opened for reading /proc/11/attr Process not Found File opened for reading /proc/1475/task/1935/net Process not Found File opened for reading /proc/16/net/stat Process not Found File opened for reading /proc/86/net Process not Found -
Writes file to shm directory 1 IoCs
Malware can drop malicious files in the shm directory which will run directly from RAM.
description ioc File opened for modification /dev/shm/temp1.swap.mrvk3 -
Writes file to tmp directory 2 IoCs
Malware often drops required files in the /tmp directory.
description ioc File opened for modification /tmp/config-err-9BSDzf.rfvV41WlcD8IlkpyQwV_g7lHdYfo0xNJM5hWbHI_KAz_TIjQsx_o1Kw0.mrvk3 File opened for modification /tmp/FVUV_HOW_TO_DECRYPT.txt
Processes
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD588cb43b9893d9559fcd7c2ff92198346
SHA110f5b6704bf62d54b6928456dfd5127fcb16a936
SHA25636b00b82b942515e84d145a88bc7bbe9f59773bd8e3c4d9639dd2e3ffc4bb2e6
SHA51248f7b52fa640ac38a8a0e2216c0cfd848ef704c23cd59723b7fb0f5e83da455ff75701a40e8ede99156cdfc8aef0ec6246de0d4afd7fdbe21051bef1eed63224
-
Filesize
75.0MB
MD57ec1f6f05777fa2d63cfe264b7b79017
SHA126751b8150ab993a98a9282c14a8cbe6cce7b99d
SHA2560fd3bd9a18469b1b45a5d5f89503ebdf1a9db3a5bc3317a5d322f58a968fba14
SHA512ca839f952e39e6603021959072358ce9a261a3f69294dcc418b39d9113a374f9fa6f12af2297e070f179d38cdfd922ca75cd51721591efd60ba0d3d429d93e5f
-
Filesize
345.0MB
MD5fc32c65f5278f3b073aa39006c68a35e
SHA1846ec1ef1e3cb218007f30119b36fac4d256cf28
SHA256e03b3bd2c242797549ea9996729d024376dad2ce42c47f8efe3f5e393e3f4361
SHA512cc378f21389423c07ab78ba1ecbc98ee095b9842142e0ddeef45e4dbc4f4f8cc8151c5e8db116f287e43839828bacd6673a13de20f679704121cd2c29600f1be
-
Filesize
1KB
MD5b492b14845d83f7a8d43b13a3adb9a7c
SHA165c273544d3ef5326a74bfc1e8a282909338851b
SHA256efe04a8a7d831a65c2f1ff8b0e3e382fc44c2e874ec9fda1c1c6dde675934112
SHA5129f6d2e2e9457d06d14c09541ace5e47216baf88476cf2dda412841580d571495313912dc202805b90f8416511ead42f19621713c194c5581452553f870623a1b
-
Filesize
1.2MB
MD5c44c0a5fff813585dc610461db7df836
SHA19ff90b2233aa71d0c8203be538acf59bcddee39e
SHA256428d90e2ea179ccdc15ce03ba0649f50ddb9f25e663db47aac7ad692d2e5cbca
SHA51216df97fa20c84006f9c4bba2a62c73e7d60d140cf3764ba5916a4904c7a3444cdacb2e944c57ebd2ccad5f2ea57e2aa37544a221e32b3d25722bb0c2a42b8344
-
Filesize
4.0MB
MD5e76491b1a3333e70e56c460ad862852d
SHA1fa17be978cd83032f2e023877e829f6c0c840222
SHA256f1fc4a498ae9ff76c9fa1bcbbfee12172818284da51db458dc0a3e2d7d135ea7
SHA512d4d02bfe519d9151730fbbc586e4ecea397ffd68c2b21ce5220f49215317a9a4d11c20eb5da8aea8dc436ad6871202cf69f780b417db905c53d4581b9887cab7
-
Filesize
1024KB
MD5333ddc4c91b7bef1f97463a527ce8924
SHA1e78f07d9637fa7c2cd1c49dd0cc8101545e51d06
SHA256ff19976ea801e6cf0efff2cc17a440d4cc5dfd69e86bb4edc6545e241c4c2b60
SHA512216a8ff92ed09c163471c8394dd59756cf25f6121c9aff9f77f30e8780c1c17036c94c95b40d497b71e705463c73a9d34cbeda9d46866dff46d4157be9729803
-
Filesize
21.0MB
MD50cc1122c0445785d3f548fd0f27a545c
SHA18488590a17db7e02429975d0a0176a747c3dbfa2
SHA256ac8c9f8eeddb3e373d8d779f019096c338fb413d751e5fe5a0a6493d6351ba88
SHA51222b5f1d9c1c5cbc9ebe5448b55c99a97fe91ecec96dfb3f7bfd70e5d87d3d79a85dcef0b0f445350034616fc4bb0d128fbd9e1aeff718a73c08731d4aebf8f98
-
Filesize
490.0MB
MD59479d4971f59b156fd6ac4ca9ad8f5c9
SHA1eebaf31f0e05bf73a55ee3d6141a2839d8520cf6
SHA256e8b041c2cf08366bc343335ed0ff3fde4c51e572c9ae3b97997e965e5d89ca3c
SHA512f57a644e9bb42d5ddde7d10f19200aba501d3b4a349275f80ab80fe4935eafe7478c8a39cbaa60f7d702c679839965b82b17cd6194148fc9c591e890231f5487
-
Filesize
1007.0MB
MD5da389542b88f7b8e642440bf0745b1da
SHA1b9356e1d08115b0614afde904da235ccdc3cafad
SHA256250968df4a346c00525ffc482acee7f26e2bc694d8d3b6f655db679352e2f611
SHA512fdb89233485d696a373a0efad7c5f3aef4030e3e7a180498e7bd7328b411b11687fbb1e4a24544cef6bec0b4d9cdc8b5bb57629eb419328e7f692f6d8cdf4cdb
-
Filesize
1014.0MB
MD568f1c45fcb462f10b173d00337c1eb12
SHA1d5b49ab20fba23e7e5991f91aecc2b9028a97d4f
SHA2566220ffbb780f536e118ab55a271827fcef271b63159cb734a274b8c1edba8fe5
SHA5127753118948b4dd8238a1272b03e746c67718b0e4a40071b3eb05399c5d5a6f7db77485b4532e1a5039e7f49407c3bd298f5da30dc24f711d1ae4c312d2a8525c
-
Filesize
892.7MB
MD5f13a698ba3dc1bc65cb18ab6652ddb1e
SHA1c744ca5066c53b0d2c50ee6e83a09ffbfe34616e
SHA256f261da4e0ddcba59b8c9b157f755a3e1c0b8b05a4f2a7b0108fd9d433c5932be
SHA5125db3911864b67d07aab872f277b012bd6a79b908cd430604c9b66f39a7a633727a254f5379f8220e9868125d41d97bc734bd94ecabe30a31fb2936ff2188f7a4