bpfdoor | 2e0aa3da45a0360d051359e1a038beff8551b957698f21756cfc6ed5539e4bdb

Analysis

max time kernel
2s
max time network
131s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240226-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240226-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
10-04-2024 10:09

Target

2e0aa3da45a0360d051359e1a038beff8551b957698f21756cfc6ed5539e4bdb
Size

30KB
MD5

a4bbcbdb2d65d1b966943f6955c05048
SHA1

68af74718f5eeb824258e69af5a23a3c0f6fb54d
SHA256

2e0aa3da45a0360d051359e1a038beff8551b957698f21756cfc6ed5539e4bdb
SHA512

4b5d69f3ceb9e2a9311bf08bc3b853dcddf2f33228e31dfaa3c6484dfc4057ba210c1995833bbd26eeea15496623a13e1c895e71e8094707c78ed4b6738274a6
SSDEEP

384:fna1+r7+bTJta9vZxofpCjR1g/CNXyCEAFp0MyV4Eh6kSE0wyktwBZFAND7foVlX:SEPigZxiEXbFyMycctw5AIzrLFo

Score

10^/10

bpfdoor backdoor

BPFDoor
BPFDoor is an evasive Linux backdoor attributed to a Chinese threat actor called Red Menshen.
backdoor bpfdoor

BPFDoor payload 1 IoCs

Processes:

resource	yara_rule
/dev/shm/kdmtmpflush	family_bpfdoor_v1

Changes its process name 1 IoCs

Processes:

kdmtmpflush

description ioc pid process

Changes the process name, possibly in an attempt to hide itself /usr/lib/systemd/systemd-journald 1565 kdmtmpflush
Creates Raw socket 1 IoCs
Creates a socket that captures raw packets at the device level

Processes:

pid

1566
Executes dropped EXE 1 IoCs

Processes:

kdmtmpflush

ioc pid process

/dev/shm/kdmtmpflush 1565 kdmtmpflush
Reads runtime system information 1 IoCs
Reads data from /proc virtual filesystem.

Processes:

cp

description ioc process

File opened for reading /proc/filesystems cp
Writes file to shm directory 1 IoCs
Malware can drop malicious files in the shm directory which will run directly from RAM.

Processes:

cp

description ioc process

File opened for modification /dev/shm/kdmtmpflush cp

description	ioc	pid	process
Changes the process name, possibly in an attempt to hide itself	/usr/lib/systemd/systemd-journald	1565	kdmtmpflush

pid
1566

ioc	pid	process
/dev/shm/kdmtmpflush	1565	kdmtmpflush

description	ioc	process
File opened for reading	/proc/filesystems	cp

description	ioc	process
File opened for modification	/dev/shm/kdmtmpflush	cp

/tmp/2e0aa3da45a0360d051359e1a038beff8551b957698f21756cfc6ed5539e4bdb
/tmp/2e0aa3da45a0360d051359e1a038beff8551b957698f21756cfc6ed5539e4bdb
1⤵
PID:1560
- /bin/sh
  sh -c "/bin/rm -f /dev/shm/kdmtmpflush;/bin/cp /tmp/2e0aa3da45a0360d051359e1a038beff8551b957698f21756cfc6ed5539e4bdb /dev/shm/kdmtmpflush && /bin/chmod 755 /dev/shm/kdmtmpflush && /dev/shm/kdmtmpflush --init && /bin/rm -f /dev/shm/kdmtmpflush"
  2⤵
  PID:1561
- - /bin/rm
    /bin/rm -f /dev/shm/kdmtmpflush
    3⤵
    PID:1562
- - /bin/cp
    /bin/cp /tmp/2e0aa3da45a0360d051359e1a038beff8551b957698f21756cfc6ed5539e4bdb /dev/shm/kdmtmpflush
    3⤵
    - Reads runtime system information
    - Writes file to shm directory
    PID:1563
- - /bin/chmod
    /bin/chmod 755 /dev/shm/kdmtmpflush
    3⤵
    PID:1564
- - /dev/shm/kdmtmpflush
    /dev/shm/kdmtmpflush --init
    3⤵
    - Changes its process name
    - Executes dropped EXE
    PID:1565
- - /bin/rm
    /bin/rm -f /dev/shm/kdmtmpflush
    3⤵
    PID:1567

/dev/shm/kdmtmpflush

Filesize
30KB

MD5
a4bbcbdb2d65d1b966943f6955c05048

SHA1
68af74718f5eeb824258e69af5a23a3c0f6fb54d

SHA256
2e0aa3da45a0360d051359e1a038beff8551b957698f21756cfc6ed5539e4bdb

SHA512
4b5d69f3ceb9e2a9311bf08bc3b853dcddf2f33228e31dfaa3c6484dfc4057ba210c1995833bbd26eeea15496623a13e1c895e71e8094707c78ed4b6738274a6

Download Submit