Analysis

  • max time kernel
    2s
  • max time network
    128s
  • platform
    ubuntu-18.04_amd64
  • resource
    ubuntu1804-amd64-20240226-en
  • resource tags

    arch:amd64arch:i386image:ubuntu1804-amd64-20240226-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
  • submitted
    10-04-2024 10:26

General

  • Target

    3a1b174f0c19c28f71e1babde01982c56d38d3672ea14d47c35ae3062e49b155

  • Size

    28KB

  • MD5

    f8236fd4066e8bfea11d6a6420cfc16a

  • SHA1

    01c895b0c46e77fa41e0033b3beaff0fc7a01562

  • SHA256

    3a1b174f0c19c28f71e1babde01982c56d38d3672ea14d47c35ae3062e49b155

  • SHA512

    4bd5571f8392d9ec27f94e5d041f749994a9848c2cfbc062b8cf167bbbb461624061aaf8ab28d74d537deaede398747b391cf60b6180015e12c26a553911dca4

  • SSDEEP

    768:TYt/D0oDxSPRmqbDRSDIhpP30iFN2RDiPH:Ti0oDqRmq70iFN2RDW

Score
10/10

Malware Config

Signatures

  • BPFDoor

    BPFDoor is an evasive Linux backdoor attributed to a Chinese threat actor called Red Menshen.

  • BPFDoor payload 1 IoCs
  • Changes its process name 1 IoCs
  • Creates Raw socket 1 IoCs

    Creates a socket that captures raw packets at the device level

  • Executes dropped EXE 1 IoCs
  • Reads runtime system information 1 IoCs

    Reads data from /proc virtual filesystem.

  • Writes file to shm directory 1 IoCs

    Malware can drop malicious files in the shm directory which will run directly from RAM.

Processes

  • /tmp/3a1b174f0c19c28f71e1babde01982c56d38d3672ea14d47c35ae3062e49b155
    /tmp/3a1b174f0c19c28f71e1babde01982c56d38d3672ea14d47c35ae3062e49b155
    1⤵
      PID:1542
      • /bin/sh
        sh -c "/bin/rm -f /dev/shm/kdmtmpflush;/bin/cp /tmp/3a1b174f0c19c28f71e1babde01982c56d38d3672ea14d47c35ae3062e49b155 /dev/shm/kdmtmpflush && /bin/chmod 755 /dev/shm/kdmtmpflush && /dev/shm/kdmtmpflush --init && /bin/rm -f /dev/shm/kdmtmpflush"
        2⤵
          PID:1543
          • /bin/rm
            /bin/rm -f /dev/shm/kdmtmpflush
            3⤵
              PID:1544
            • /bin/cp
              /bin/cp /tmp/3a1b174f0c19c28f71e1babde01982c56d38d3672ea14d47c35ae3062e49b155 /dev/shm/kdmtmpflush
              3⤵
              • Reads runtime system information
              • Writes file to shm directory
              PID:1547
            • /bin/chmod
              /bin/chmod 755 /dev/shm/kdmtmpflush
              3⤵
                PID:1548
              • /dev/shm/kdmtmpflush
                /dev/shm/kdmtmpflush --init
                3⤵
                • Changes its process name
                • Executes dropped EXE
                PID:1549
              • /bin/rm
                /bin/rm -f /dev/shm/kdmtmpflush
                3⤵
                  PID:1551

            Network

            MITRE ATT&CK Matrix

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • /dev/shm/kdmtmpflush

              Filesize

              28KB

              MD5

              f8236fd4066e8bfea11d6a6420cfc16a

              SHA1

              01c895b0c46e77fa41e0033b3beaff0fc7a01562

              SHA256

              3a1b174f0c19c28f71e1babde01982c56d38d3672ea14d47c35ae3062e49b155

              SHA512

              4bd5571f8392d9ec27f94e5d041f749994a9848c2cfbc062b8cf167bbbb461624061aaf8ab28d74d537deaede398747b391cf60b6180015e12c26a553911dca4