Overview

overview

10

Static

static

10

c80bd1c4a7...79b09c

ubuntu-20.04-amd64

10

Analysis

  • max time kernel
    2s
  • max time network
    135s
  • platform
    ubuntu-20.04_amd64
  • resource
    ubuntu2004-amd64-20240221-en
  • resource tags

    arch:amd64arch:i386image:ubuntu2004-amd64-20240221-enkernel:5.4.0-169-genericlocale:en-usos:ubuntu-20.04-amd64system
  • submitted
    10-04-2024 14:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c80bd1c4a796b4d3944a097e96f384c85687daeedcdcf05cc885c8c9b279b09c

  • Size

    30KB

  • MD5

    b65d8705c8d30ccc855e0dc48f093591

  • SHA1

    27fc5359c0200cb33b328048d317605c255db6ea

  • SHA256

    c80bd1c4a796b4d3944a097e96f384c85687daeedcdcf05cc885c8c9b279b09c

  • SHA512

    feb559ae57b67858b3a98a5e71fe04a4dd18881043ac291263ad6513d542b7c02a307fdcb0d6fd50eaddb34356ac02f346d2c0f19fe39364f239ae4e84236345

  • SSDEEP

    384:lL1X7ng7ou6PJOK8Ik93KRqPuaXhUp/GDUIMmoMyV4Mnmo0iFZZ6nvpm2HQF8YA7:lLtb6yo93Xk/gvMNMy10iFZZAmJBA7

Score
10/10
bpfdoorbackdoor

Malware Config

Signatures

  • BPFDoor

    BPFDoor is an evasive Linux backdoor attributed to a Chinese threat actor called Red Menshen.

    backdoorbpfdoor
  • BPFDoor payload 1 IoCs
  • Reads runtime system information 1 IoCs

    Reads data from /proc virtual filesystem.

Processes

  • /tmp/c80bd1c4a796b4d3944a097e96f384c85687daeedcdcf05cc885c8c9b279b09c
    /tmp/c80bd1c4a796b4d3944a097e96f384c85687daeedcdcf05cc885c8c9b279b09c
    1⤵
      PID:1435
      • /bin/sh
        sh -c "/bin/rm -f /var/lock/kdumpflush;/bin/cp /tmp/c80bd1c4a796b4d3944a097e96f384c85687daeedcdcf05cc885c8c9b279b09c /var/lock/kdumpflush && /bin/chmod 755 /var/lock/kdumpflush && /var/lock/kdumpflush --init"
        2⤵
          PID:1436
          • /bin/rm
            /bin/rm -f /var/lock/kdumpflush
            3⤵
              PID:1443
            • /bin/cp
              /bin/cp /tmp/c80bd1c4a796b4d3944a097e96f384c85687daeedcdcf05cc885c8c9b279b09c /var/lock/kdumpflush
              3⤵
              • Reads runtime system information
              PID:1449
            • /bin/chmod
              /bin/chmod 755 /var/lock/kdumpflush
              3⤵
                PID:1455
              • /var/lock/kdumpflush
                /var/lock/kdumpflush --init
                3⤵
                  PID:1459

            Network

            MITRE ATT&CK Matrix

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • /run/lock/kdumpflush
              Filesize

              30KB

              MD5

              b65d8705c8d30ccc855e0dc48f093591

              SHA1

              27fc5359c0200cb33b328048d317605c255db6ea

              SHA256

              c80bd1c4a796b4d3944a097e96f384c85687daeedcdcf05cc885c8c9b279b09c

              SHA512

              feb559ae57b67858b3a98a5e71fe04a4dd18881043ac291263ad6513d542b7c02a307fdcb0d6fd50eaddb34356ac02f346d2c0f19fe39364f239ae4e84236345

              Download Submit