bpfdoor | 97a546c7d08ad34dfab74c9c8a96986c54768c592a8dae521ddcf612a84fb8cc

Analysis

max time kernel
2s
max time network
132s
platform
ubuntu-20.04_amd64
resource
ubuntu2004-amd64-20240221-en
resource tags

arch:amd64arch:i386image:ubuntu2004-amd64-20240221-enkernel:5.4.0-169-genericlocale:en-usos:ubuntu-20.04-amd64system
submitted
10-04-2024 12:52

Target

97a546c7d08ad34dfab74c9c8a96986c54768c592a8dae521ddcf612a84fb8cc
Size

28KB
MD5

5fda35bd30be1cc21f8e933e41a88d9b
SHA1

8535c3b18a10649b94531c6d9f79750324498e5c
SHA256

97a546c7d08ad34dfab74c9c8a96986c54768c592a8dae521ddcf612a84fb8cc
SHA512

1a0f9a5a5a6d3cdf1b5d71dda8f111e8f6b6d4378d3e1fe4c7797bcea3642fced6dd7ec398b8fbe0a108a4d63d00191ff80893eeeeaebb7b637fb17e41220ec6
SSDEEP

384:kmdtqD0ogKS6afykzoSPAB5f0IbMCfZS3Fz8WdGnzv0iFXkTg3YUq8wz0H:kYtqD0ousSPSHbDRS3aWdgv0iFOUq8HH

Score

10^/10

bpfdoor backdoor

BPFDoor
BPFDoor is an evasive Linux backdoor attributed to a Chinese threat actor called Red Menshen.
backdoor bpfdoor

BPFDoor payload 1 IoCs

resource	yara_rule
behavioral1/files/fstream-1.dat	family_bpfdoor_v1

Changes its process name 1 IoCs

description	ioc	pid	Process
Changes the process name, possibly in an attempt to hide itself	pickup -l -t fifo -u	1484	kdmtmpflush

Creates Raw socket 1 IoCs

Creates a socket that captures raw packets at the device level

pid
1485

Executes dropped EXE 1 IoCs

ioc	pid	Process
/dev/shm/kdmtmpflush	1484	kdmtmpflush

Reads runtime system information 1 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/filesystems	cp

Writes file to shm directory 1 IoCs

Malware can drop malicious files in the shm directory which will run directly from RAM.

description	ioc	Process
File opened for modification	/dev/shm/kdmtmpflush	cp

/tmp/97a546c7d08ad34dfab74c9c8a96986c54768c592a8dae521ddcf612a84fb8cc
/tmp/97a546c7d08ad34dfab74c9c8a96986c54768c592a8dae521ddcf612a84fb8cc
1⤵
PID:1479
- /bin/sh
  sh -c "/bin/rm -f /dev/shm/kdmtmpflush;/bin/cp /tmp/97a546c7d08ad34dfab74c9c8a96986c54768c592a8dae521ddcf612a84fb8cc /dev/shm/kdmtmpflush && /bin/chmod 755 /dev/shm/kdmtmpflush && /dev/shm/kdmtmpflush --init && /bin/rm -f /dev/shm/kdmtmpflush"
  2⤵
  PID:1480
- - /bin/rm
    /bin/rm -f /dev/shm/kdmtmpflush
    3⤵
    PID:1481
- - /bin/cp
    /bin/cp /tmp/97a546c7d08ad34dfab74c9c8a96986c54768c592a8dae521ddcf612a84fb8cc /dev/shm/kdmtmpflush
    3⤵
    - Reads runtime system information
    - Writes file to shm directory
    PID:1482
- - /bin/chmod
    /bin/chmod 755 /dev/shm/kdmtmpflush
    3⤵
    PID:1483
- - /dev/shm/kdmtmpflush
    /dev/shm/kdmtmpflush --init
    3⤵
    - Changes its process name
    - Executes dropped EXE
    PID:1484
- - /bin/rm
    /bin/rm -f /dev/shm/kdmtmpflush
    3⤵
    PID:1486

/dev/shm/kdmtmpflush

Filesize
28KB

MD5
5fda35bd30be1cc21f8e933e41a88d9b

SHA1
8535c3b18a10649b94531c6d9f79750324498e5c

SHA256
97a546c7d08ad34dfab74c9c8a96986c54768c592a8dae521ddcf612a84fb8cc

SHA512
1a0f9a5a5a6d3cdf1b5d71dda8f111e8f6b6d4378d3e1fe4c7797bcea3642fced6dd7ec398b8fbe0a108a4d63d00191ff80893eeeeaebb7b637fb17e41220ec6

Download Submit