a7c9f67a881aabc9f37b62bb44887abb5f1b27bb9345005de606885ef38b5a12

Analysis

max time kernel
59s
max time network
81s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240226-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240226-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
25-03-2024 13:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

55845e687ddcd2c133d6e30802be2dcc54f27fb8abb894229f76b0767ce56567
Size

4.7MB
MD5

c20200ae3c8acb3aa23a9097b6099739
SHA1

df920c349a310f6a1532ed05f524f400e85603b3
SHA256

55845e687ddcd2c133d6e30802be2dcc54f27fb8abb894229f76b0767ce56567
SHA512

340e157afe4f7b0800009bb220be56dcaffb0b41409935a4730fcfe6f4775960b1aaa0d804d0a0fbcfb47d451cf8c1b2c17cc2211c88046bc38295721c0c5b16
SSDEEP

49152:MRos/AVhzmQymwq+6r0BCU0hVba2j2O7LIyaXn6k6VjfbtvDGG0U:LIuGq+6r0BL0TM37

Score

9^/10

evasion persistence ransomware

Malware Config

Signatures

Renames multiple (43000) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes journal logs 1 TTPs 2 IoCs

Deletes systemd journal logs. Likely to evade detection.

evasion

Indicator Removal

T1070

Processes:

description	ioc
File truncated	/var/log/journal/README_FOR_DECRYPT.txtt
File truncated	/var/log/journal/11c67417355f45d397f6be11f62e85a6/README_FOR_DECRYPT.txtt

Modifies Polkit authorization policy 1 IoCs
Modifies rule/ action files in Polkit, possibly to grant additional privileges.

Processes:

description ioc

File opened for modification /usr/share/polkit-1/actions/README_FOR_DECRYPT.txtt

description	ioc
File opened for modification	/usr/share/polkit-1/actions/README_FOR_DECRYPT.txtt

Creates/modifies Cron job 1 TTPs 4 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

persistence

Scheduled Task/Job

T1053

Processes:

description	ioc
File opened for modification	/var/spool/cron/README_FOR_DECRYPT.txtt
File opened for modification	/var/spool/cron/atjobs/README_FOR_DECRYPT.txtt
File opened for modification	/var/spool/cron/atspool/README_FOR_DECRYPT.txtt
File opened for modification	/var/spool/cron/crontabs/README_FOR_DECRYPT.txtt

Deletes log files 1 TTPs 17 IoCs

Deletes log files on the system.

Indicator Removal

T1070

Processes:

description	ioc
File deleted	/var/log/installer/cdebconf/questions.dat
File truncated	/var/log/README_FOR_DECRYPT.txtt
File truncated	/var/log/installer/cdebconf/README_FOR_DECRYPT.txtt
File truncated	/var/log/speech-dispatcher/README_FOR_DECRYPT.txtt
File truncated	/var/log/apt/README_FOR_DECRYPT.txtt
File truncated	/var/log/installer/README_FOR_DECRYPT.txtt
File truncated	/var/log/installer/initial-status.gz.encrypt
File truncated	/var/log/installer/cdebconf/templates.dat.encrypt
File deleted	/var/log/installer/cdebconf/templates.dat
File truncated	/var/log/gdm3/README_FOR_DECRYPT.txtt
File truncated	/var/log/unattended-upgrades/README_FOR_DECRYPT.txtt
File truncated	/var/log/installer/cdebconf/questions.dat.encrypt
File truncated	/var/log/hp/README_FOR_DECRYPT.txtt
File deleted	/var/log/installer/initial-status.gz
File truncated	/var/log/audit/README_FOR_DECRYPT.txtt
File truncated	/var/log/cups/README_FOR_DECRYPT.txtt
File truncated	/var/log/dist-upgrade/README_FOR_DECRYPT.txtt

Enumerates running processes
Discovers information about currently running processes on the system

Reads CPU attributes 1 TTPs 20 IoCs

System Information Discovery

T1082

Processes:

description	ioc
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3
File opened for reading	/sys/devices/system/cpu/power
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index1
File opened for reading	/sys/devices/system/cpu/cpu0/power
File opened for reading	/sys/devices/system/cpu/cpufreq
File opened for reading	/sys/devices/system/cpu/vulnerabilities
File opened for reading	/sys/devices/system/cpu/cpu0
File opened for reading	/sys/devices/system/cpu/cpu0/cache
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/power
File opened for reading	/sys/devices/system/cpu/cpuidle
File opened for reading	/sys/devices/system/cpu/hotplug
File opened for reading	/sys/devices/system/cpu/smt
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/power
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/power
File opened for reading	/sys/devices/system/cpu/cpu0/hotplug
File opened for reading	/sys/devices/system/cpu/cpu0/topology
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index1/power
File opened for reading	/sys/devices/system/cpu/cpu0/cache/power

Reads hardware information 1 TTPs 1 IoCs
Accesses system info like serial numbers, manufacturer names etc.

System Information Discovery
T1082

Processes:

description ioc

File opened for reading /sys/devices/virtual/dmi/id/power

description	ioc
File opened for reading	/sys/devices/virtual/dmi/id/power

Reads network interface configuration 2 TTPs 12 IoCs

Fetches information about one or more active network interfaces.

System Network Configuration Discovery

T1016

System Network Connections Discovery

T1049

Processes:

description	ioc
File opened for reading	/sys/devices/virtual/net/lo/queues/tx-0/byte_queue_limits
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/power
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/queues
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/queues/rx-0
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/queues/tx-0
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/statistics
File opened for reading	/sys/devices/virtual/net/lo/queues
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/queues/tx-0/byte_queue_limits
File opened for reading	/sys/devices/virtual/net/lo/power
File opened for reading	/sys/devices/virtual/net/lo/queues/rx-0
File opened for reading	/sys/devices/virtual/net/lo/queues/tx-0
File opened for reading	/sys/devices/virtual/net/lo/statistics

Write file to user bin folder 1 TTPs 6 IoCs

Hijack Execution Flow

T1574

Processes:

description	ioc
File opened for modification	/usr/bin/amuFormat.sh.encrypt
File opened for modification	/usr/bin/gettext.sh.encrypt
File opened for modification	/usr/bin/README_FOR_DECRYPT.txtt
File opened for modification	/usr/local/bin/README_FOR_DECRYPT.txtt
File opened for modification	/usr/local/sbin/README_FOR_DECRYPT.txtt
File opened for modification	/usr/sbin/README_FOR_DECRYPT.txtt

Writes file to system bin folder 1 TTPs 2 IoCs

Hijack Execution Flow
T1574

Processes:

description ioc

File opened for modification /sbin/README_FOR_DECRYPT.txtt
File opened for modification /bin/README_FOR_DECRYPT.txtt

description	ioc
File opened for modification	/sbin/README_FOR_DECRYPT.txtt
File opened for modification	/bin/README_FOR_DECRYPT.txtt

Enumerates kernel/hardware configuration 1 TTPs 64 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

T1082

Processes:

description	ioc
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_enter_getpgrp
File opened for reading	/sys/kernel/slab/bdev_cache
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_exit_truncate
File opened for reading	/sys/kernel/debug/tracing/events/xdp/xdp_redirect_map_err
File opened for reading	/sys/devices/platform/serial8250/tty/ttyS19/power
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_enter_io_getevents
File opened for reading	/sys/kernel/debug/bdi/2:0
File opened for reading	/sys/kernel/debug/dri/0
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_exit_setfsgid
File opened for reading	/sys/kernel/slab/:A-0000704/cgroup
File opened for reading	/sys/kernel/slab/iint_cache
File opened for reading	/sys/class/dmi
File opened for reading	/sys/devices/platform/serial8250/tty/ttyS30
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_exit_dup
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_exit_inotify_add_watch
File opened for reading	/sys/devices/virtual/block/loop0/slaves
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_enter_fadvise64
File opened for reading	/sys/devices/virtual/tty/ptmx/power
File opened for reading	/sys/firmware/memmap/3
File opened for reading	/sys/kernel/debug/tracing/events/spi/spi_controller_busy
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_enter_clock_gettime
File opened for reading	/sys/kernel/debug/tracing/events/xhci-hcd/xhci_ring_expansion
File opened for reading	/sys/module/stahp/parameters
File opened for reading	/sys/bus/platform/drivers/virtio-mmio
File opened for reading	/sys/kernel/debug/tracing/events/block/block_bio_frontmerge
File opened for reading	/sys/kernel/debug/tracing/events/sched/sched_stat_sleep
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_exit_execveat
File opened for reading	/sys/kernel/debug/tracing/events/xhci-hcd/xhci_dbg_reset_ep
File opened for reading	/sys/bus/platform/drivers/floppy
File opened for reading	/sys/devices/virtual/tty/tty50/power
File opened for reading	/sys/kernel/debug/tracing/events/ras/extlog_mem_event
File opened for reading	/sys/module/ppdev/notes
File opened for reading	/sys/kernel/debug/bdi/7:0
File opened for reading	/sys/kernel/slab/:a-0000016/cgroup
File opened for reading	/sys/bus/pci/slots/11
File opened for reading	/sys/devices/pnp0/00:04/tty/ttyS0/power
File opened for reading	/sys/devices/virtual/tty/tty6
File opened for reading	/sys/kernel/slab/squashfs_inode_cache
File opened for reading	/sys/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:0c
File opened for reading	/sys/devices/pci0000:00/0000:00:04.0/ata6
File opened for reading	/sys/kernel/slab/:d-0002048/cgroup
File opened for reading	/sys/kernel/debug/tracing/events/cpuhp/cpuhp_exit
File opened for reading	/sys/kernel/debug/tracing/events/sched/sched_process_wait
File opened for reading	/sys/kernel/debug/tracing/events/tcp/tcp_set_state
File opened for reading	/sys/fs/cgroup/unified/user.slice/user-0.slice/user@0.service/dbus.service
File opened for reading	/sys/kernel/debug/tracing/events/bpf/bpf_map_create
File opened for reading	/sys/class/rfkill
File opened for reading	/sys/devices/platform/serial8250/tty/ttyS22/power
File opened for reading	/sys/kernel/slab/:A-0002112/cgroup
File opened for reading	/sys/devices/virtual/block/loop0/queue
File opened for reading	/sys/kernel/debug/tracing/events/irq_vectors/spurious_apic_entry
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_exit_mq_timedreceive
File opened for reading	/sys/devices/virtual/tty/tty39
File opened for reading	/sys/kernel/debug/block/loop1/hctx0
File opened for reading	/sys/devices/virtual/block/loop5
File opened for reading	/sys/fs/cgroup/pids/system.slice/anacron.service
File opened for reading	/sys/fs/cgroup/pids/user.slice/user-0.slice/user@0.service/gvfs-daemon.service
File opened for reading	/sys/kernel/debug/tracing/events/block/block_sleeprq
File opened for reading	/sys/kernel/debug/tracing/events/ext4/ext4_request_inode
File opened for reading	/sys/module/rcutree/parameters
File opened for reading	/sys/bus/pci/slots/31
File opened for reading	/sys/devices/pci0000:00/0000:00:05.0/usb1/1-0:1.0/usb1-port2/power
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_enter_newstat
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_enter_readv

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

Processes:

description	ioc
File opened for reading	/proc/1046/task/1063/net/stat
File opened for reading	/proc/1046/task/1064/attr
File opened for reading	/proc/1248/task/1248/fd
File opened for reading	/proc/1389/task/1396/fdinfo
File opened for reading	/proc/176/task/176/net/netfilter
File opened for reading	/proc/1032/task/1038/attr
File opened for reading	/proc/1370/task/1372/net
File opened for reading	/proc/1171/task/1225/attr/smack
File opened for reading	/proc/529/task/529/attr/apparmor
File opened for reading	/proc/881/task/881/net/stat
File opened for reading	/proc/1027/task/1028/net
File opened for reading	/proc/sys/dev/cdrom
File opened for reading	/proc/1515/task/1519/net/netfilter
File opened for reading	/proc/1171/task/1192/fd
File opened for reading	/proc/1389/task/1389/ns
File opened for reading	/proc/1515/task/1518/attr
File opened for reading	/proc/483/attr/smack
File opened for reading	/proc/1168/attr
File opened for reading	/proc/1308/task/1309/attr/selinux
File opened for reading	/proc/1/task/1
File opened for reading	/proc/1193/task/1227/attr/selinux
File opened for reading	/proc/187/task
File opened for reading	/proc/323/task/323/ns
File opened for reading	/proc/1189/task/1204/ns
File opened for reading	/proc/1138/attr
File opened for reading	/proc/1193/task/1227
File opened for reading	/proc/1194/task/1194/fd
File opened for reading	/proc/1201/task/1201/ns
File opened for reading	/proc/1242/task/1242/net/dev_snmp6
File opened for reading	/proc/1308/task/1310/net
File opened for reading	/proc/1515/task/1522/net
File opened for reading	/proc/1126/task/1128
File opened for reading	/proc/1313/task
File opened for reading	/proc/1548/task/1550/ns
File opened for reading	/proc/4/task/4/fd
File opened for reading	/proc/419/task/713/attr/smack
File opened for reading	/proc/1248/task/1254/attr/apparmor
File opened for reading	/proc/1177/net/stat
File opened for reading	/proc/1544/task/1546/fd
File opened for reading	/proc/418/task/423
File opened for reading	/proc/1032/task/1032/fd
File opened for reading	/proc/6/attr/apparmor
File opened for reading	/proc/610/net/netfilter
File opened for reading	/proc/89/task/89/fdinfo
File opened for reading	/proc/564/task/567/net/dev_snmp6
File opened for reading	/proc/1515/task/1519/net
File opened for reading	/proc/1280/task/1282/net/stat
File opened for reading	/proc/25/net/stat
File opened for reading	/proc/1159/net/stat
File opened for reading	/proc/8/attr
File opened for reading	/proc/1071/task/1071/ns
File opened for reading	/proc/1130/task/1131/ns
File opened for reading	/proc/1299/attr/apparmor
File opened for reading	/proc/172/fd
File opened for reading	/proc/23/task/23
File opened for reading	/proc/649/task/649/attr/selinux
File opened for reading	/proc/1071
File opened for reading	/proc/1177/task/1180
File opened for reading	/proc/187/ns
File opened for reading	/proc/505/task/505/ns
File opened for reading	/proc/1147/task/1527/ns
File opened for reading	/proc/1348/task/1352/net
File opened for reading	/proc/1544/task/1547/net/stat
File opened for reading	/proc/85

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

Processes:

55845e687ddcd2c133d6e30802be2dcc54f27fb8abb894229f76b0767ce56567

description	ioc	process
File opened for modification	/tmp/55845e687ddcd2c133d6e30802be2dcc54f27fb8abb894229f76b0767ce56567.pid	55845e687ddcd2c133d6e30802be2dcc54f27fb8abb894229f76b0767ce56567

/tmp/55845e687ddcd2c133d6e30802be2dcc54f27fb8abb894229f76b0767ce56567
/tmp/55845e687ddcd2c133d6e30802be2dcc54f27fb8abb894229f76b0767ce56567
1⤵
- Writes file to tmp directory
PID:1544

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Hijack Execution Flow

T1574

Privilege Escalation

Scheduled Task/Job

T1053

Hijack Execution Flow

T1574

Defense Evasion

Indicator Removal

T1070

Hijack Execution Flow

T1574

Credential Access

Discovery

System Information Discovery

T1082

System Network Configuration Discovery

T1016

System Network Connections Discovery

T1049

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

/README_FOR_DECRYPT.txtt
Filesize
312B

MD5
485f65b3be283be6a56bc114d9a8fed2

SHA1
6cfd95f1acd9885fc5d189bc66b9d864d6ca6827

SHA256
1c549df1fdd24b3f3ecc96c903c074c39da6e518b08ff5e1e469748fcbd5e87e

SHA512
84a73a6f2d89eaf0c81187174be953aabb67b00ce9a8a461aafe90e797d8cc20dddd698b7c5b83ba094a45f9d0a33776f9a50d092ce76301afbda8657e8e3799

Download Submit