bpfdoor | 97a546c7d08ad34dfab74c9c8a96986c54768c592a8dae521ddcf612a84fb8cc

Analysis

max time kernel
2s
max time network
132s
platform
ubuntu-20.04_amd64
resource
ubuntu2004-amd64-20240221-en
resource tags

arch:amd64arch:i386image:ubuntu2004-amd64-20240221-enkernel:5.4.0-169-genericlocale:en-usos:ubuntu-20.04-amd64system
submitted
10-04-2024 12:52

Target

97a546c7d08ad34dfab74c9c8a96986c54768c592a8dae521ddcf612a84fb8cc
Size

28KB
MD5

5fda35bd30be1cc21f8e933e41a88d9b
SHA1

8535c3b18a10649b94531c6d9f79750324498e5c
SHA256

97a546c7d08ad34dfab74c9c8a96986c54768c592a8dae521ddcf612a84fb8cc
SHA512

1a0f9a5a5a6d3cdf1b5d71dda8f111e8f6b6d4378d3e1fe4c7797bcea3642fced6dd7ec398b8fbe0a108a4d63d00191ff80893eeeeaebb7b637fb17e41220ec6
SSDEEP

384:kmdtqD0ogKS6afykzoSPAB5f0IbMCfZS3Fz8WdGnzv0iFXkTg3YUq8wz0H:kYtqD0ousSPSHbDRS3aWdgv0iFOUq8HH

Score

10^/10

bpfdoor backdoor

BPFDoor
BPFDoor is an evasive Linux backdoor attributed to a Chinese threat actor called Red Menshen.
backdoor bpfdoor

BPFDoor payload 1 IoCs

Processes:

resource	yara_rule
/dev/shm/kdmtmpflush	family_bpfdoor_v1

Changes its process name 1 IoCs

Processes:

kdmtmpflush

description ioc pid process

Changes the process name, possibly in an attempt to hide itself pickup -l -t fifo -u 1484 kdmtmpflush
Creates Raw socket 1 IoCs
Creates a socket that captures raw packets at the device level

Processes:

pid

1485
Executes dropped EXE 1 IoCs

Processes:

kdmtmpflush

ioc pid process

/dev/shm/kdmtmpflush 1484 kdmtmpflush
Reads runtime system information 1 IoCs
Reads data from /proc virtual filesystem.

Processes:

cp

description ioc process

File opened for reading /proc/filesystems cp
Writes file to shm directory 1 IoCs
Malware can drop malicious files in the shm directory which will run directly from RAM.

Processes:

cp

description ioc process

File opened for modification /dev/shm/kdmtmpflush cp

description	ioc	pid	process
Changes the process name, possibly in an attempt to hide itself	pickup -l -t fifo -u	1484	kdmtmpflush

pid
1485

ioc	pid	process
/dev/shm/kdmtmpflush	1484	kdmtmpflush

description	ioc	process
File opened for reading	/proc/filesystems	cp

description	ioc	process
File opened for modification	/dev/shm/kdmtmpflush	cp

/tmp/97a546c7d08ad34dfab74c9c8a96986c54768c592a8dae521ddcf612a84fb8cc
/tmp/97a546c7d08ad34dfab74c9c8a96986c54768c592a8dae521ddcf612a84fb8cc
1⤵
PID:1479

/bin/sh
sh -c "/bin/rm -f /dev/shm/kdmtmpflush;/bin/cp /tmp/97a546c7d08ad34dfab74c9c8a96986c54768c592a8dae521ddcf612a84fb8cc /dev/shm/kdmtmpflush && /bin/chmod 755 /dev/shm/kdmtmpflush && /dev/shm/kdmtmpflush --init && /bin/rm -f /dev/shm/kdmtmpflush"
2⤵
PID:1480

/dev/shm/kdmtmpflush
Filesize
28KB

MD5
5fda35bd30be1cc21f8e933e41a88d9b

SHA1
8535c3b18a10649b94531c6d9f79750324498e5c

SHA256
97a546c7d08ad34dfab74c9c8a96986c54768c592a8dae521ddcf612a84fb8cc

SHA512
1a0f9a5a5a6d3cdf1b5d71dda8f111e8f6b6d4378d3e1fe4c7797bcea3642fced6dd7ec398b8fbe0a108a4d63d00191ff80893eeeeaebb7b637fb17e41220ec6

Download Submit