bpfdoor | 5b2a079690efb5f4e0944353dd883303ffd6bab4aad1f0c88b49a76ddcb28ee9

Analysis

max time kernel
2s
max time network
131s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240226-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240226-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
10-04-2024 11:11

Target

5b2a079690efb5f4e0944353dd883303ffd6bab4aad1f0c88b49a76ddcb28ee9
Size

22KB
MD5

3a2a08c0f98389d8def6fe82fcb3cc1b
SHA1

e935bbdc493017ff6b427d194c81063125705259
SHA256

5b2a079690efb5f4e0944353dd883303ffd6bab4aad1f0c88b49a76ddcb28ee9
SHA512

0201fd2d00b4fb473f1fb258d684fb7f1efa0e562b25da6cedb0c41642e49b6ee046cb19cd3d516b345042c17b1ad5d2e42bf173d5f13c479dd9b9e31c46a0b7
SSDEEP

384:ymdt7D0ogvSFafTZhePAp9phtIbMCfZSDFKteGGa0b0iFD8T5YYRqc2:yYt7D0oxPm7ubDRSDUeGgb0iF/ZB

Score

10^/10

bpfdoor backdoor

BPFDoor
BPFDoor is an evasive Linux backdoor attributed to a Chinese threat actor called Red Menshen.
backdoor bpfdoor

BPFDoor payload 1 IoCs

Processes:

resource	yara_rule
/dev/shm/kdmtmpflush	family_bpfdoor_v1

Changes its process name 1 IoCs

Processes:

kdmtmpflush

description ioc pid process

Changes the process name, possibly in an attempt to hide itself hald-runner 1585 kdmtmpflush
Creates Raw socket 1 IoCs
Creates a socket that captures raw packets at the device level

Processes:

pid

1586
Executes dropped EXE 1 IoCs

Processes:

kdmtmpflush

ioc pid process

/dev/shm/kdmtmpflush 1585 kdmtmpflush
Reads runtime system information 1 IoCs
Reads data from /proc virtual filesystem.

Processes:

cp

description ioc process

File opened for reading /proc/filesystems cp
Writes file to shm directory 1 IoCs
Malware can drop malicious files in the shm directory which will run directly from RAM.

Processes:

cp

description ioc process

File opened for modification /dev/shm/kdmtmpflush cp

description	ioc	pid	process
Changes the process name, possibly in an attempt to hide itself	hald-runner	1585	kdmtmpflush

pid
1586

ioc	pid	process
/dev/shm/kdmtmpflush	1585	kdmtmpflush

description	ioc	process
File opened for reading	/proc/filesystems	cp

description	ioc	process
File opened for modification	/dev/shm/kdmtmpflush	cp

/tmp/5b2a079690efb5f4e0944353dd883303ffd6bab4aad1f0c88b49a76ddcb28ee9
/tmp/5b2a079690efb5f4e0944353dd883303ffd6bab4aad1f0c88b49a76ddcb28ee9
1⤵
PID:1578
- /bin/sh
  sh -c "/bin/rm -f /dev/shm/kdmtmpflush;/bin/cp /tmp/5b2a079690efb5f4e0944353dd883303ffd6bab4aad1f0c88b49a76ddcb28ee9 /dev/shm/kdmtmpflush && /bin/chmod 755 /dev/shm/kdmtmpflush && /dev/shm/kdmtmpflush --init && /bin/rm -f /dev/shm/kdmtmpflush"
  2⤵
  PID:1579
- - /bin/rm
    /bin/rm -f /dev/shm/kdmtmpflush
    3⤵
    PID:1580
- - /bin/cp
    /bin/cp /tmp/5b2a079690efb5f4e0944353dd883303ffd6bab4aad1f0c88b49a76ddcb28ee9 /dev/shm/kdmtmpflush
    3⤵
    - Reads runtime system information
    - Writes file to shm directory
    PID:1583
- - /bin/chmod
    /bin/chmod 755 /dev/shm/kdmtmpflush
    3⤵
    PID:1584
- - /dev/shm/kdmtmpflush
    /dev/shm/kdmtmpflush --init
    3⤵
    - Changes its process name
    - Executes dropped EXE
    PID:1585
- - /bin/rm
    /bin/rm -f /dev/shm/kdmtmpflush
    3⤵
    PID:1587

/dev/shm/kdmtmpflush

Filesize
22KB

MD5
3a2a08c0f98389d8def6fe82fcb3cc1b

SHA1
e935bbdc493017ff6b427d194c81063125705259

SHA256
5b2a079690efb5f4e0944353dd883303ffd6bab4aad1f0c88b49a76ddcb28ee9

SHA512
0201fd2d00b4fb473f1fb258d684fb7f1efa0e562b25da6cedb0c41642e49b6ee046cb19cd3d516b345042c17b1ad5d2e42bf173d5f13c479dd9b9e31c46a0b7

Download Submit