Analysis
max time kernel: 51s
max time network: 129s
platform: ubuntu-18.04_amd64
resource: ubuntu1804-amd64-20240226-en
resource tags: arch:amd64, arch:i386, image:ubuntu1804-amd64-20240226-en, kernel:4.15.0-213-generic, locale:en-us, os:ubuntu-18.04-amd64, system
submitted: 14-03-2024 03:32
Behavioral task: behavioral1
Sample: 2024-03-14_c20200ae3c8acb3aa23a9097b6099739_qnapcrypt
Resource: ubuntu1804-amd64-20240226-en
General
Target: 2024-03-14_c20200ae3c8acb3aa23a9097b6099739_qnapcrypt
Size: 4.7MB
MD5: c20200ae3c8acb3aa23a9097b6099739
SHA1: df920c349a310f6a1532ed05f524f400e85603b3
SHA256: 55845e687ddcd2c133d6e30802be2dcc54f27fb8abb894229f76b0767ce56567
SHA512: 340e157afe4f7b0800009bb220be56dcaffb0b41409935a4730fcfe6f4775960b1aaa0d804d0a0fbcfb47d451cf8c1b2c17cc2211c88046bc38295721c0c5b16
SSDEEP: 49152:MRos/AVhzmQymwq+6r0BCU0hVba2j2O7LIyaXn6k6VjfbtvDGG0U:LIuGq+6r0BL0TM37
Malware Config
Signatures
Renames multiple (27194) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.

Deletes log files (1 TTPs, 6 IoCs)
Deletes log files on the system.
description      ioc
File truncated   /var/log/installer/cdebconf/templates.dat.encrypt
File deleted     /var/log/installer/cdebconf/templates.dat
File truncated   /var/log/installer/initial-status.gz.encrypt
File deleted     /var/log/installer/initial-status.gz
File truncated   /var/log/installer/cdebconf/questions.dat.encrypt
File deleted     /var/log/installer/cdebconf/questions.dat

Enumerates running processes
Discovers information about currently running processes on the system.

Reads CPU attributes (1 TTPs, 20 IoCs)
description               ioc
File opened for reading   /sys/devices/system/cpu/cpu0
File opened for reading   /sys/devices/system/cpu/power
File opened for reading   /sys/devices/system/cpu/smt
File opened for reading   /sys/devices/system/cpu/cpu0/cache
File opened for reading   /sys/devices/system/cpu/cpu0/cache/index0/power
File opened for reading   /sys/devices/system/cpu/cpu0/cache/index3
File opened for reading   /sys/devices/system/cpu/cpu0/hotplug
File opened for reading   /sys/devices/system/cpu/cpu0/power
File opened for reading   /sys/devices/system/cpu/cpu0/cache/index1/power
File opened for reading   /sys/devices/system/cpu/cpu0/cache/index3/power
File opened for reading   /sys/devices/system/cpu/cpuidle
File opened for reading   /sys/devices/system/cpu/hotplug
File opened for reading   /sys/devices/system/cpu/vulnerabilities
File opened for reading   /sys/devices/system/cpu/cpu0/cache/index0
File opened for reading   /sys/devices/system/cpu/cpu0/cache/index1
File opened for reading   /sys/devices/system/cpu/cpu0/cache/index2
File opened for reading   /sys/devices/system/cpu/cpu0/cache/index2/power
File opened for reading   /sys/devices/system/cpu/cpu0/cache/power
File opened for reading   /sys/devices/system/cpu/cpu0/topology
File opened for reading   /sys/devices/system/cpu/cpufreq

Reads hardware information (1 TTPs, 1 IoCs)
Accesses system info like serial numbers, manufacturer names etc.
description               ioc
File opened for reading   /sys/devices/virtual/dmi/id/power

Reads network interface configuration (2 TTPs, 12 IoCs)
Fetches information about one or more active network interfaces.
description               ioc
File opened for reading   /sys/devices/virtual/net/lo/queues/tx-0
File opened for reading   /sys/devices/virtual/net/lo/queues/tx-0/byte_queue_limits
File opened for reading   /sys/devices/pci0000:00/0000:00:03.0/net/ens3/power
File opened for reading   /sys/devices/pci0000:00/0000:00:03.0/net/ens3/queues/tx-0
File opened for reading   /sys/devices/pci0000:00/0000:00:03.0/net/ens3/queues/tx-0/byte_queue_limits
File opened for reading   /sys/devices/pci0000:00/0000:00:03.0/net/ens3/statistics
File opened for reading   /sys/devices/virtual/net/lo/queues
File opened for reading   /sys/devices/pci0000:00/0000:00:03.0/net/ens3/queues
File opened for reading   /sys/devices/pci0000:00/0000:00:03.0/net/ens3/queues/rx-0
File opened for reading   /sys/devices/virtual/net/lo/power
File opened for reading   /sys/devices/virtual/net/lo/queues/rx-0
File opened for reading   /sys/devices/virtual/net/lo/statistics

Writes file to user bin folder (1 TTPs, 3 IoCs)
description                    ioc
File opened for modification   /usr/bin/gettext.sh.encrypt
File opened for modification   /usr/bin/README_FOR_DECRYPT.txtt
File opened for modification   /usr/bin/amuFormat.sh.encrypt

Writes file to system bin folder (1 TTPs, 2 IoCs)
description                    ioc
File opened for modification   /bin/README_FOR_DECRYPT.txtt
File opened for modification   /sbin/README_FOR_DECRYPT.txtt

Enumerates kernel/hardware configuration (1 TTPs, 64 IoCs)
Reads contents of /sys virtual filesystem to enumerate system information.

Reads runtime system information (64 IoCs)
Reads data from /proc virtual filesystem.

Writes file to tmp directory (1 IoCs)
Malware often drops required files in the /tmp directory.
description                    ioc                                                          Process
File opened for modification   /tmp/2024-03-14_c20200ae3c8acb3aa23a9097b6099739_qnapcrypt.pid   2024-03-14_c20200ae3c8acb3aa23a9097b6099739_qnapcrypt
Downloads
Filesize: 312B
MD5: bb882c233cad77744f80cbba3409b867
SHA1: 48ff2e05620fb0170342a8fe9f1a2dbab6e96aad
SHA256: d52aad657450026fd6f87a92f3e5b12d3c197e3eb4acec58661213af34671297
SHA512: 3572944f4342a617c7ce9f260602e8c25b85c7bc87f832598f581ee14f2984fa20ede073941ac700eaab9e39bbb175097f1d68e8ff36d5a6842bdf5c1ae07aa4