Resubmissions

06-12-2024 09:16

241206-k8sjmawmck 10

25-03-2024 13:08

240325-qdebeagf98 10

Analysis

  • max time kernel
    59s
  • max time network
    81s
  • platform
    ubuntu-18.04_amd64
  • resource
    ubuntu1804-amd64-20240226-en
  • resource tags

    arch:amd64arch:i386image:ubuntu1804-amd64-20240226-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
  • submitted
    25-03-2024 13:08

General

  • Target

    55845e687ddcd2c133d6e30802be2dcc54f27fb8abb894229f76b0767ce56567

  • Size

    4.7MB

  • MD5

    c20200ae3c8acb3aa23a9097b6099739

  • SHA1

    df920c349a310f6a1532ed05f524f400e85603b3

  • SHA256

    55845e687ddcd2c133d6e30802be2dcc54f27fb8abb894229f76b0767ce56567

  • SHA512

    340e157afe4f7b0800009bb220be56dcaffb0b41409935a4730fcfe6f4775960b1aaa0d804d0a0fbcfb47d451cf8c1b2c17cc2211c88046bc38295721c0c5b16

  • SSDEEP

    49152:MRos/AVhzmQymwq+6r0BCU0hVba2j2O7LIyaXn6k6VjfbtvDGG0U:LIuGq+6r0BL0TM37

Malware Config

Signatures

  • Renames multiple (43000) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes journal logs 1 TTPs 2 IoCs

    Deletes systemd journal logs. Likely to evade detection.

  • Modifies Polkit authorization policy 1 IoCs

    Modifies rule/ action files in Polkit, possibly to grant additional privileges.

  • Creates/modifies Cron job 1 TTPs 4 IoCs

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

  • Deletes log files 1 TTPs 17 IoCs

    Deletes log files on the system.

  • Enumerates running processes

    Discovers information about currently running processes on the system

  • Reads CPU attributes 1 TTPs 20 IoCs
  • Reads hardware information 1 TTPs 1 IoCs

    Accesses system info like serial numbers, manufacturer names etc.

  • Reads network interface configuration 2 TTPs 12 IoCs

    Fetches information about one or more active network interfaces.

  • Write file to user bin folder 1 TTPs 6 IoCs
  • Writes file to system bin folder 1 TTPs 2 IoCs
  • Enumerates kernel/hardware configuration 1 TTPs 64 IoCs

    Reads contents of /sys virtual filesystem to enumerate system information.

  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

  • Writes file to tmp directory 1 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/55845e687ddcd2c133d6e30802be2dcc54f27fb8abb894229f76b0767ce56567
    /tmp/55845e687ddcd2c133d6e30802be2dcc54f27fb8abb894229f76b0767ce56567
    1⤵
    • Writes file to tmp directory
    PID:1544

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /README_FOR_DECRYPT.txtt

    Filesize

    312B

    MD5

    485f65b3be283be6a56bc114d9a8fed2

    SHA1

    6cfd95f1acd9885fc5d189bc66b9d864d6ca6827

    SHA256

    1c549df1fdd24b3f3ecc96c903c074c39da6e518b08ff5e1e469748fcbd5e87e

    SHA512

    84a73a6f2d89eaf0c81187174be953aabb67b00ce9a8a461aafe90e797d8cc20dddd698b7c5b83ba094a45f9d0a33776f9a50d092ce76301afbda8657e8e3799