Analysis

Max time kernel: 59s
Max time network: 81s
Platform: ubuntu-18.04_amd64
Resource: ubuntu1804-amd64-20240226-en
Resource tags: arch:amd64, arch:i386, image:ubuntu1804-amd64-20240226-en, kernel:4.15.0-213-generic, locale:en-us, os:ubuntu-18.04-amd64, system
Submitted: 25-03-2024 13:08
Behavioral task: behavioral1
Sample: 55845e687ddcd2c133d6e30802be2dcc54f27fb8abb894229f76b0767ce56567
Resource: ubuntu1804-amd64-20240226-en
General

Target: 55845e687ddcd2c133d6e30802be2dcc54f27fb8abb894229f76b0767ce56567
Size: 4.7MB
MD5: c20200ae3c8acb3aa23a9097b6099739
SHA1: df920c349a310f6a1532ed05f524f400e85603b3
SHA256: 55845e687ddcd2c133d6e30802be2dcc54f27fb8abb894229f76b0767ce56567
SHA512: 340e157afe4f7b0800009bb220be56dcaffb0b41409935a4730fcfe6f4775960b1aaa0d804d0a0fbcfb47d451cf8c1b2c17cc2211c88046bc38295721c0c5b16
SSDEEP: 49152:MRos/AVhzmQymwq+6r0BCU0hVba2j2O7LIyaXn6k6VjfbtvDGG0U:LIuGq+6r0BL0TM37
Malware Config
Signatures
Renames multiple (43000) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
Processes (description / ioc):
  File truncated: /var/log/journal/README_FOR_DECRYPT.txtt
  File truncated: /var/log/journal/11c67417355f45d397f6be11f62e85a6/README_FOR_DECRYPT.txtt
Modifies Polkit authorization policy (1 IoC)
Modifies rule/action files in Polkit, possibly to grant additional privileges.
Processes (description / ioc):
  File opened for modification: /usr/share/polkit-1/actions/README_FOR_DECRYPT.txtt
Creates/modifies Cron job (1 TTP, 4 IoCs)
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
Processes (description / ioc):
  File opened for modification: /var/spool/cron/README_FOR_DECRYPT.txtt
  File opened for modification: /var/spool/cron/atjobs/README_FOR_DECRYPT.txtt
  File opened for modification: /var/spool/cron/atspool/README_FOR_DECRYPT.txtt
  File opened for modification: /var/spool/cron/crontabs/README_FOR_DECRYPT.txtt
Deletes log files (1 TTP, 17 IoCs)
Deletes log files on the system.
Processes (description / ioc):
  File deleted: /var/log/installer/cdebconf/questions.dat
  File truncated: /var/log/README_FOR_DECRYPT.txtt
  File truncated: /var/log/installer/cdebconf/README_FOR_DECRYPT.txtt
  File truncated: /var/log/speech-dispatcher/README_FOR_DECRYPT.txtt
  File truncated: /var/log/apt/README_FOR_DECRYPT.txtt
  File truncated: /var/log/installer/README_FOR_DECRYPT.txtt
  File truncated: /var/log/installer/initial-status.gz.encrypt
  File truncated: /var/log/installer/cdebconf/templates.dat.encrypt
  File deleted: /var/log/installer/cdebconf/templates.dat
  File truncated: /var/log/gdm3/README_FOR_DECRYPT.txtt
  File truncated: /var/log/unattended-upgrades/README_FOR_DECRYPT.txtt
  File truncated: /var/log/installer/cdebconf/questions.dat.encrypt
  File truncated: /var/log/hp/README_FOR_DECRYPT.txtt
  File deleted: /var/log/installer/initial-status.gz
  File truncated: /var/log/audit/README_FOR_DECRYPT.txtt
  File truncated: /var/log/cups/README_FOR_DECRYPT.txtt
  File truncated: /var/log/dist-upgrade/README_FOR_DECRYPT.txtt
Enumerates running processes
Discovers information about currently running processes on the system.
Reads CPU attributes (1 TTP, 20 IoCs)
Processes (description / ioc): 20 "File opened for reading" entries under /sys/devices/system/cpu.
Reads hardware information (1 TTP, 1 IoC)
Accesses system info like serial numbers, manufacturer names etc.
Processes (description / ioc):
  File opened for reading: /sys/devices/virtual/dmi/id/power
Reads network interface configuration (2 TTPs, 12 IoCs)
Fetches information about one or more active network interfaces.
Processes (description / ioc): 12 "File opened for reading" entries under /sys/devices/virtual/net/lo and /sys/devices/pci0000:00/0000:00:03.0/net/ens3.
Writes file to user bin folder (1 TTP, 6 IoCs)
Processes (description / ioc):
  File opened for modification: /usr/bin/amuFormat.sh.encrypt
  File opened for modification: /usr/bin/gettext.sh.encrypt
  File opened for modification: /usr/bin/README_FOR_DECRYPT.txtt
  File opened for modification: /usr/local/bin/README_FOR_DECRYPT.txtt
  File opened for modification: /usr/local/sbin/README_FOR_DECRYPT.txtt
  File opened for modification: /usr/sbin/README_FOR_DECRYPT.txtt
Writes file to system bin folder (1 TTP, 2 IoCs)
Processes (description / ioc):
  File opened for modification: /sbin/README_FOR_DECRYPT.txtt
  File opened for modification: /bin/README_FOR_DECRYPT.txtt
Enumerates kernel/hardware configuration (1 TTP, 64 IoCs)
Reads contents of /sys virtual filesystem to enumerate system information.
Processes (description / ioc): 64 "File opened for reading" entries under /sys (tracing events, slab caches, tty, cgroup and bus/device nodes).
Reads runtime system information (64 IoCs)
Reads data from /proc virtual filesystem.
Processes (description / ioc): 64 "File opened for reading" entries under /proc (per-process task, fd, ns, attr and net nodes).
Writes file to tmp directory (1 IoC)
Malware often drops required files in the /tmp directory.
Processes (description / ioc / process):
  File opened for modification: /tmp/55845e687ddcd2c133d6e30802be2dcc54f27fb8abb894229f76b0767ce56567.pid (process: 55845e687ddcd2c133d6e30802be2dcc54f27fb8abb894229f76b0767ce56567)
Processes
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 312B
MD5: 485f65b3be283be6a56bc114d9a8fed2
SHA1: 6cfd95f1acd9885fc5d189bc66b9d864d6ca6827
SHA256: 1c549df1fdd24b3f3ecc96c903c074c39da6e518b08ff5e1e469748fcbd5e87e
SHA512: 84a73a6f2d89eaf0c81187174be953aabb67b00ce9a8a461aafe90e797d8cc20dddd698b7c5b83ba094a45f9d0a33776f9a50d092ce76301afbda8657e8e3799