bpfdoor | 5faab159397964e630c4156f8852bcc6ee46df1cdd8be2a8d3f3d8e5980f3bb3

Analysis

max time kernel
2s
max time network
133s
platform
ubuntu-20.04_amd64
resource
ubuntu2004-amd64-20240221-en
resource tags

arch:amd64arch:i386image:ubuntu2004-amd64-20240221-enkernel:5.4.0-169-genericlocale:en-usos:ubuntu-20.04-amd64system
submitted
10-04-2024 11:23

Target

5faab159397964e630c4156f8852bcc6ee46df1cdd8be2a8d3f3d8e5980f3bb3
Size

24KB
MD5

3a270b673d47c0b69c3baf5d73010773
SHA1

057b1783e8829e34e0c544c770360215fb60b7bb
SHA256

5faab159397964e630c4156f8852bcc6ee46df1cdd8be2a8d3f3d8e5980f3bb3
SHA512

f398cc7024ba5212bd192dfbfd81d8a3ce1fb20faef1d63b046fc2619df17cc15c907347d5fae1dab0e86493a9a690dde774df74ffbdfff9667fdb3c7e76cb78
SSDEEP

384:ymdt7D0ogvSFafTZhePAp9phtIbMCfZSDFKteGGa0b0iFD8T5YYRqc2:yYt7D0oxPm7ubDRSDUeGgb0iF/ZB

Score

10^/10

bpfdoor backdoor

BPFDoor
BPFDoor is an evasive Linux backdoor attributed to a Chinese threat actor called Red Menshen.
backdoor bpfdoor

BPFDoor payload 1 IoCs

Processes:

resource	yara_rule
/dev/shm/kdmtmpflush	family_bpfdoor_v1

Changes its process name 1 IoCs

Processes:

kdmtmpflush

description ioc pid process

Changes the process name, possibly in an attempt to hide itself avahi-daemon: chroot helper 1484 kdmtmpflush
Creates Raw socket 1 IoCs
Creates a socket that captures raw packets at the device level

Processes:

pid

1485
Executes dropped EXE 1 IoCs

Processes:

kdmtmpflush

ioc pid process

/dev/shm/kdmtmpflush 1484 kdmtmpflush
Reads runtime system information 1 IoCs
Reads data from /proc virtual filesystem.

Processes:

cp

description ioc process

File opened for reading /proc/filesystems cp
Writes file to shm directory 1 IoCs
Malware can drop malicious files in the shm directory which will run directly from RAM.

Processes:

cp

description ioc process

File opened for modification /dev/shm/kdmtmpflush cp

description	ioc	pid	process
Changes the process name, possibly in an attempt to hide itself	avahi-daemon: chroot helper	1484	kdmtmpflush

pid
1485

ioc	pid	process
/dev/shm/kdmtmpflush	1484	kdmtmpflush

description	ioc	process
File opened for reading	/proc/filesystems	cp

description	ioc	process
File opened for modification	/dev/shm/kdmtmpflush	cp

/tmp/5faab159397964e630c4156f8852bcc6ee46df1cdd8be2a8d3f3d8e5980f3bb3
/tmp/5faab159397964e630c4156f8852bcc6ee46df1cdd8be2a8d3f3d8e5980f3bb3
1⤵
PID:1476

/bin/sh
sh -c "/bin/rm -f /dev/shm/kdmtmpflush;/bin/cp /tmp/5faab159397964e630c4156f8852bcc6ee46df1cdd8be2a8d3f3d8e5980f3bb3 /dev/shm/kdmtmpflush && /bin/chmod 755 /dev/shm/kdmtmpflush && /dev/shm/kdmtmpflush --init && /bin/rm -f /dev/shm/kdmtmpflush"
2⤵
PID:1477

/dev/shm/kdmtmpflush
Filesize
24KB

MD5
3a270b673d47c0b69c3baf5d73010773

SHA1
057b1783e8829e34e0c544c770360215fb60b7bb

SHA256
5faab159397964e630c4156f8852bcc6ee46df1cdd8be2a8d3f3d8e5980f3bb3

SHA512
f398cc7024ba5212bd192dfbfd81d8a3ce1fb20faef1d63b046fc2619df17cc15c907347d5fae1dab0e86493a9a690dde774df74ffbdfff9667fdb3c7e76cb78

Download Submit