Overview

overview

10

Static

static

10

5b2a079690...b28ee9

ubuntu-18.04-amd64

10

Analysis

  • max time kernel
    2s
  • max time network
    131s
  • platform
    ubuntu-18.04_amd64
  • resource
    ubuntu1804-amd64-20240226-en
  • resource tags

    arch:amd64arch:i386image:ubuntu1804-amd64-20240226-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
  • submitted
    10-04-2024 11:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5b2a079690efb5f4e0944353dd883303ffd6bab4aad1f0c88b49a76ddcb28ee9

  • Size

    22KB

  • MD5

    3a2a08c0f98389d8def6fe82fcb3cc1b

  • SHA1

    e935bbdc493017ff6b427d194c81063125705259

  • SHA256

    5b2a079690efb5f4e0944353dd883303ffd6bab4aad1f0c88b49a76ddcb28ee9

  • SHA512

    0201fd2d00b4fb473f1fb258d684fb7f1efa0e562b25da6cedb0c41642e49b6ee046cb19cd3d516b345042c17b1ad5d2e42bf173d5f13c479dd9b9e31c46a0b7

  • SSDEEP

    384:ymdt7D0ogvSFafTZhePAp9phtIbMCfZSDFKteGGa0b0iFD8T5YYRqc2:yYt7D0oxPm7ubDRSDUeGgb0iF/ZB

Score
10/10
bpfdoorbackdoor

Malware Config

Signatures

  • BPFDoor

    BPFDoor is an evasive Linux backdoor attributed to a Chinese threat actor called Red Menshen.

    backdoorbpfdoor
  • BPFDoor payload 1 IoCs
  • Changes its process name 1 IoCs
  • Creates Raw socket 1 IoCs

    Creates a socket that captures raw packets at the device level

  • Executes dropped EXE 1 IoCs
  • Reads runtime system information 1 IoCs

    Reads data from /proc virtual filesystem.

  • Writes file to shm directory 1 IoCs

    Malware can drop malicious files in the shm directory which will run directly from RAM.

Processes

  • /tmp/5b2a079690efb5f4e0944353dd883303ffd6bab4aad1f0c88b49a76ddcb28ee9
    /tmp/5b2a079690efb5f4e0944353dd883303ffd6bab4aad1f0c88b49a76ddcb28ee9
    1⤵
      PID:1578
      • /bin/sh
        sh -c "/bin/rm -f /dev/shm/kdmtmpflush;/bin/cp /tmp/5b2a079690efb5f4e0944353dd883303ffd6bab4aad1f0c88b49a76ddcb28ee9 /dev/shm/kdmtmpflush && /bin/chmod 755 /dev/shm/kdmtmpflush && /dev/shm/kdmtmpflush --init && /bin/rm -f /dev/shm/kdmtmpflush"
        2⤵
          PID:1579
          • /bin/rm
            /bin/rm -f /dev/shm/kdmtmpflush
            3⤵
              PID:1580
            • /bin/cp
              /bin/cp /tmp/5b2a079690efb5f4e0944353dd883303ffd6bab4aad1f0c88b49a76ddcb28ee9 /dev/shm/kdmtmpflush
              3⤵
              • Reads runtime system information
              • Writes file to shm directory
              PID:1583
            • /bin/chmod
              /bin/chmod 755 /dev/shm/kdmtmpflush
              3⤵
                PID:1584
              • /dev/shm/kdmtmpflush
                /dev/shm/kdmtmpflush --init
                3⤵
                • Changes its process name
                • Executes dropped EXE
                PID:1585
              • /bin/rm
                /bin/rm -f /dev/shm/kdmtmpflush
                3⤵
                  PID:1587

            Network

            MITRE ATT&CK Matrix

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • /dev/shm/kdmtmpflush
              Filesize

              22KB

              MD5

              3a2a08c0f98389d8def6fe82fcb3cc1b

              SHA1

              e935bbdc493017ff6b427d194c81063125705259

              SHA256

              5b2a079690efb5f4e0944353dd883303ffd6bab4aad1f0c88b49a76ddcb28ee9

              SHA512

              0201fd2d00b4fb473f1fb258d684fb7f1efa0e562b25da6cedb0c41642e49b6ee046cb19cd3d516b345042c17b1ad5d2e42bf173d5f13c479dd9b9e31c46a0b7

              Download Submit