Overview

overview

10

Static

static

10

c796fc66b6...f91276

ubuntu-18.04-amd64

10

Analysis

  • max time kernel
    2s
  • max time network
    131s
  • platform
    ubuntu-18.04_amd64
  • resource
    ubuntu1804-amd64-20240226-en
  • resource tags

    arch:amd64arch:i386image:ubuntu1804-amd64-20240226-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
  • submitted
    10-04-2024 14:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c796fc66b655f6107eacbe78a37f0e8a2926f01fecebd9e68a66f0e261f91276

  • Size

    22KB

  • MD5

    87223f2a9c3a65be7545f25f95e10ece

  • SHA1

    92439c3c736a0554883118ecfe082b27aa6c9143

  • SHA256

    c796fc66b655f6107eacbe78a37f0e8a2926f01fecebd9e68a66f0e261f91276

  • SHA512

    eeeb9522294c9785074cd318118e43db13b165a242460bfeae34047b89eece3bf8cd128afb11c6440cb9d7845d6ba14c814bf9a477caffe7167d3a5c5e427c21

  • SSDEEP

    384:Vmdt5D0ogBSoafTZKuZkBAzspIbMCfZSDFM6HlYGxhq0iFEcTGWYSVs:VYt5D0ozZfIabDRSD2wlYgq0iFkSO

Score
10/10
bpfdoorbackdoor

Malware Config

Signatures

  • BPFDoor

    BPFDoor is an evasive Linux backdoor attributed to a Chinese threat actor called Red Menshen.

    backdoorbpfdoor
  • BPFDoor payload 1 IoCs
  • Reads runtime system information 1 IoCs

    Reads data from /proc virtual filesystem.

Processes

  • /tmp/c796fc66b655f6107eacbe78a37f0e8a2926f01fecebd9e68a66f0e261f91276
    /tmp/c796fc66b655f6107eacbe78a37f0e8a2926f01fecebd9e68a66f0e261f91276
    1⤵
      PID:1592
      • /bin/sh
        sh -c "/bin/rm -f /var/lock/kdumpflush;/bin/cp /tmp/c796fc66b655f6107eacbe78a37f0e8a2926f01fecebd9e68a66f0e261f91276 /var/lock/kdumpflush && /bin/chmod 755 /var/lock/kdumpflush && /var/lock/kdumpflush --init"
        2⤵
          PID:1593
          • /bin/rm
            /bin/rm -f /var/lock/kdumpflush
            3⤵
              PID:1594
            • /bin/cp
              /bin/cp /tmp/c796fc66b655f6107eacbe78a37f0e8a2926f01fecebd9e68a66f0e261f91276 /var/lock/kdumpflush
              3⤵
              • Reads runtime system information
              PID:1595
            • /bin/chmod
              /bin/chmod 755 /var/lock/kdumpflush
              3⤵
                PID:1596
              • /var/lock/kdumpflush
                /var/lock/kdumpflush --init
                3⤵
                  PID:1597

            Network

            MITRE ATT&CK Matrix

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • /run/lock/kdumpflush
              Filesize

              22KB

              MD5

              87223f2a9c3a65be7545f25f95e10ece

              SHA1

              92439c3c736a0554883118ecfe082b27aa6c9143

              SHA256

              c796fc66b655f6107eacbe78a37f0e8a2926f01fecebd9e68a66f0e261f91276

              SHA512

              eeeb9522294c9785074cd318118e43db13b165a242460bfeae34047b89eece3bf8cd128afb11c6440cb9d7845d6ba14c814bf9a477caffe7167d3a5c5e427c21

              Download Submit