Overview

overview

10

Static

static

10

5faab15939...0f3bb3

ubuntu-20.04-amd64

10

Analysis

  • max time kernel
    2s
  • max time network
    133s
  • platform
    ubuntu-20.04_amd64
  • resource
    ubuntu2004-amd64-20240221-en
  • resource tags

    arch:amd64arch:i386image:ubuntu2004-amd64-20240221-enkernel:5.4.0-169-genericlocale:en-usos:ubuntu-20.04-amd64system
  • submitted
    10-04-2024 11:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5faab159397964e630c4156f8852bcc6ee46df1cdd8be2a8d3f3d8e5980f3bb3

  • Size

    24KB

  • MD5

    3a270b673d47c0b69c3baf5d73010773

  • SHA1

    057b1783e8829e34e0c544c770360215fb60b7bb

  • SHA256

    5faab159397964e630c4156f8852bcc6ee46df1cdd8be2a8d3f3d8e5980f3bb3

  • SHA512

    f398cc7024ba5212bd192dfbfd81d8a3ce1fb20faef1d63b046fc2619df17cc15c907347d5fae1dab0e86493a9a690dde774df74ffbdfff9667fdb3c7e76cb78

  • SSDEEP

    384:ymdt7D0ogvSFafTZhePAp9phtIbMCfZSDFKteGGa0b0iFD8T5YYRqc2:yYt7D0oxPm7ubDRSDUeGgb0iF/ZB

Score
10/10
bpfdoorbackdoor

Malware Config

Signatures

  • BPFDoor

    BPFDoor is an evasive Linux backdoor attributed to a Chinese threat actor called Red Menshen.

    backdoorbpfdoor
  • BPFDoor payload 1 IoCs
  • Changes its process name 1 IoCs
  • Creates Raw socket 1 IoCs

    Creates a socket that captures raw packets at the device level

  • Executes dropped EXE 1 IoCs
  • Reads runtime system information 1 IoCs

    Reads data from /proc virtual filesystem.

  • Writes file to shm directory 1 IoCs

    Malware can drop malicious files in the shm directory which will run directly from RAM.

Processes

  • /tmp/5faab159397964e630c4156f8852bcc6ee46df1cdd8be2a8d3f3d8e5980f3bb3
    /tmp/5faab159397964e630c4156f8852bcc6ee46df1cdd8be2a8d3f3d8e5980f3bb3
    1⤵
      PID:1476
      • /bin/sh
        sh -c "/bin/rm -f /dev/shm/kdmtmpflush;/bin/cp /tmp/5faab159397964e630c4156f8852bcc6ee46df1cdd8be2a8d3f3d8e5980f3bb3 /dev/shm/kdmtmpflush && /bin/chmod 755 /dev/shm/kdmtmpflush && /dev/shm/kdmtmpflush --init && /bin/rm -f /dev/shm/kdmtmpflush"
        2⤵
          PID:1477
          • /bin/rm
            /bin/rm -f /dev/shm/kdmtmpflush
            3⤵
              PID:1478
            • /bin/cp
              /bin/cp /tmp/5faab159397964e630c4156f8852bcc6ee46df1cdd8be2a8d3f3d8e5980f3bb3 /dev/shm/kdmtmpflush
              3⤵
              • Reads runtime system information
              • Writes file to shm directory
              PID:1480
            • /bin/chmod
              /bin/chmod 755 /dev/shm/kdmtmpflush
              3⤵
                PID:1482
              • /dev/shm/kdmtmpflush
                /dev/shm/kdmtmpflush --init
                3⤵
                • Changes its process name
                • Executes dropped EXE
                PID:1484
              • /bin/rm
                /bin/rm -f /dev/shm/kdmtmpflush
                3⤵
                  PID:1486

            Network

            MITRE ATT&CK Matrix

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • /dev/shm/kdmtmpflush
              Filesize

              24KB

              MD5

              3a270b673d47c0b69c3baf5d73010773

              SHA1

              057b1783e8829e34e0c544c770360215fb60b7bb

              SHA256

              5faab159397964e630c4156f8852bcc6ee46df1cdd8be2a8d3f3d8e5980f3bb3

              SHA512

              f398cc7024ba5212bd192dfbfd81d8a3ce1fb20faef1d63b046fc2619df17cc15c907347d5fae1dab0e86493a9a690dde774df74ffbdfff9667fdb3c7e76cb78

              Download Submit