bpfdoor | d68948964905af7259bca015bd1d1ab0bb54334a6f08a87a40ed9d8cc966b291

Analysis

max time kernel
2s
max time network
133s
platform
ubuntu-20.04_amd64
resource
ubuntu2004-amd64-20240221-en
resource tags

arch:amd64arch:i386image:ubuntu2004-amd64-20240221-enkernel:5.4.0-169-genericlocale:en-usos:ubuntu-20.04-amd64system
submitted
10-04-2024 14:23

Target

d68948964905af7259bca015bd1d1ab0bb54334a6f08a87a40ed9d8cc966b291
Size

27KB
MD5

acea44892fc67223f43f4af2ec81aa83
SHA1

f79255a73611bca2e1ff159eb8be6b0aa68c2748
SHA256

d68948964905af7259bca015bd1d1ab0bb54334a6f08a87a40ed9d8cc966b291
SHA512

8291808ba9f796bf37c637a252897dda69d29c5087a277cbb4c5d4821d8953d9ebc05d5a3088a33d380ae55538d4c802cd73de5d3ee34b67ebcd236997698393
SSDEEP

768:sMUDrIR0pRIrPP6JxdSbDRSDIh7Lz0iFCDq4p:QrY0LQH+DS90iFCDp

Score

10^/10

bpfdoor backdoor

BPFDoor
BPFDoor is an evasive Linux backdoor attributed to a Chinese threat actor called Red Menshen.
backdoor bpfdoor

BPFDoor payload 1 IoCs

resource	yara_rule
behavioral1/files/fstream-1.dat	family_bpfdoor_v1

Changes its process name 1 IoCs

description	ioc	pid	Process
Changes the process name, possibly in an attempt to hide itself	/usr/lib/systemd/systemd-journald	1485	kdmtmpflush

Creates Raw socket 1 IoCs

Creates a socket that captures raw packets at the device level

pid
1486

Executes dropped EXE 1 IoCs

ioc	pid	Process
/dev/shm/kdmtmpflush	1485	kdmtmpflush

Reads runtime system information 1 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/filesystems	cp

Writes file to shm directory 1 IoCs

Malware can drop malicious files in the shm directory which will run directly from RAM.

description	ioc	Process
File opened for modification	/dev/shm/kdmtmpflush	cp

/tmp/d68948964905af7259bca015bd1d1ab0bb54334a6f08a87a40ed9d8cc966b291
/tmp/d68948964905af7259bca015bd1d1ab0bb54334a6f08a87a40ed9d8cc966b291
1⤵
PID:1476
- /bin/sh
  sh -c "/bin/rm -f /dev/shm/kdmtmpflush;/bin/cp /tmp/d68948964905af7259bca015bd1d1ab0bb54334a6f08a87a40ed9d8cc966b291 /dev/shm/kdmtmpflush && /bin/chmod 755 /dev/shm/kdmtmpflush && /dev/shm/kdmtmpflush --init && /bin/rm -f /dev/shm/kdmtmpflush"
  2⤵
  PID:1477
- - /bin/rm
    /bin/rm -f /dev/shm/kdmtmpflush
    3⤵
    PID:1480
- - /bin/cp
    /bin/cp /tmp/d68948964905af7259bca015bd1d1ab0bb54334a6f08a87a40ed9d8cc966b291 /dev/shm/kdmtmpflush
    3⤵
    - Reads runtime system information
    - Writes file to shm directory
    PID:1482
- - /bin/chmod
    /bin/chmod 755 /dev/shm/kdmtmpflush
    3⤵
    PID:1484
- - /dev/shm/kdmtmpflush
    /dev/shm/kdmtmpflush --init
    3⤵
    - Changes its process name
    - Executes dropped EXE
    PID:1485
- - /bin/rm
    /bin/rm -f /dev/shm/kdmtmpflush
    3⤵
    PID:1487

/dev/shm/kdmtmpflush

Filesize
27KB

MD5
acea44892fc67223f43f4af2ec81aa83

SHA1
f79255a73611bca2e1ff159eb8be6b0aa68c2748

SHA256
d68948964905af7259bca015bd1d1ab0bb54334a6f08a87a40ed9d8cc966b291

SHA512
8291808ba9f796bf37c637a252897dda69d29c5087a277cbb4c5d4821d8953d9ebc05d5a3088a33d380ae55538d4c802cd73de5d3ee34b67ebcd236997698393

Download Submit