Analysis
- max time kernel: 2s
- max time network: 128s
- platform: ubuntu-18.04_amd64
- resource: ubuntu1804-amd64-20240226-en
- resource tags: arch:amd64, arch:i386, image:ubuntu1804-amd64-20240226-en, kernel:4.15.0-213-generic, locale:en-us, os:ubuntu-18.04-amd64, system
- submitted: 10-04-2024 10:26
General
- Target: 3a1b174f0c19c28f71e1babde01982c56d38d3672ea14d47c35ae3062e49b155
- Size: 28KB
- MD5: f8236fd4066e8bfea11d6a6420cfc16a
- SHA1: 01c895b0c46e77fa41e0033b3beaff0fc7a01562
- SHA256: 3a1b174f0c19c28f71e1babde01982c56d38d3672ea14d47c35ae3062e49b155
- SHA512: 4bd5571f8392d9ec27f94e5d041f749994a9848c2cfbc062b8cf167bbbb461624061aaf8ab28d74d537deaede398747b391cf60b6180015e12c26a553911dca4
- SSDEEP: 768:TYt/D0oDxSPRmqbDRSDIhpP30iFN2RDiPH:Ti0oDqRmq70iFN2RDW
Malware Config
Signatures
- BPFDoor payload (1 IoC)
  resource: behavioral1/files/fstream-1.dat
  yara_rule: family_bpfdoor_v1
- Changes its process name (1 IoC)
  description: Changes the process name, possibly in an attempt to hide itself
  ioc: /sbin/auditd -n
  pid: 1549
  process: kdmtmpflush
- Creates Raw socket (1 IoC)
  description: Creates a socket that captures raw packets at the device level
  pid: 1550
- Executes dropped EXE (1 IoC)
  ioc: /dev/shm/kdmtmpflush
  pid: 1549
  process: kdmtmpflush
- Reads runtime system information (1 IoC)
  description: Reads data from /proc virtual filesystem. File opened for reading
  ioc: /proc/filesystems
  process: cp
- Writes file to shm directory (1 IoC)
  description: Malware can drop malicious files in the shm directory which will run directly from RAM. File opened for modification
  ioc: /dev/shm/kdmtmpflush
  process: cp
Processes
- /tmp/3a1b174f0c19c28f71e1babde01982c56d38d3672ea14d47c35ae3062e49b155 (PID 1542)
  command line: /tmp/3a1b174f0c19c28f71e1babde01982c56d38d3672ea14d47c35ae3062e49b155
  - /bin/sh (PID 1543)
    command line: sh -c "/bin/rm -f /dev/shm/kdmtmpflush;/bin/cp /tmp/3a1b174f0c19c28f71e1babde01982c56d38d3672ea14d47c35ae3062e49b155 /dev/shm/kdmtmpflush && /bin/chmod 755 /dev/shm/kdmtmpflush && /dev/shm/kdmtmpflush --init && /bin/rm -f /dev/shm/kdmtmpflush"
    - /bin/rm (PID 1544)
      command line: /bin/rm -f /dev/shm/kdmtmpflush
    - /bin/cp (PID 1547)
      command line: /bin/cp /tmp/3a1b174f0c19c28f71e1babde01982c56d38d3672ea14d47c35ae3062e49b155 /dev/shm/kdmtmpflush
      signatures: Reads runtime system information; Writes file to shm directory
    - /bin/chmod (PID 1548)
      command line: /bin/chmod 755 /dev/shm/kdmtmpflush
    - /dev/shm/kdmtmpflush (PID 1549)
      command line: /dev/shm/kdmtmpflush --init
      signatures: Changes its process name; Executes dropped EXE
    - /bin/rm (PID 1551)
      command line: /bin/rm -f /dev/shm/kdmtmpflush
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 28KB
  MD5: f8236fd4066e8bfea11d6a6420cfc16a
  SHA1: 01c895b0c46e77fa41e0033b3beaff0fc7a01562
  SHA256: 3a1b174f0c19c28f71e1babde01982c56d38d3672ea14d47c35ae3062e49b155
  SHA512: 4bd5571f8392d9ec27f94e5d041f749994a9848c2cfbc062b8cf167bbbb461624061aaf8ab28d74d537deaede398747b391cf60b6180015e12c26a553911dca4