Analysis

  • max time kernel
    3s
  • max time network
    133s
  • platform
    ubuntu-18.04_amd64
  • resource
    ubuntu1804-amd64-20240226-en
  • resource tags

    arch:amd64
    arch:i386
    image:ubuntu1804-amd64-20240226-en
    kernel:4.15.0-213-generic
    locale:en-us
    os:ubuntu-18.04-amd64
    system
  • submitted
    10/04/2024, 14:55 UTC

General

  • Target

    f47de978da1dbfc5e0f195745e3368d3ceef034e964817c66ba01396a1953d72

  • Size

    30KB

  • MD5

    915ca30a12f19152e6ee7fcd595b7b41

  • SHA1

    0e214a3bb9955b9b792d0ef785beee212a26c7fd

  • SHA256

    f47de978da1dbfc5e0f195745e3368d3ceef034e964817c66ba01396a1953d72

  • SHA512

    7d0a8c44e394355ebba40aeafbc9a36634be63ef386c9dc0c69c2af9dea47e611490e8a20415ec7c3aa9d1b5ffe0a9d43e9ab3f93b1b15762ed4b73c79e67377

  • SSDEEP

    384:Jq1PnO447Iu6PJOK8IkVaBSua3xkpVYGjk3MmBMyV4M3mY0iFL6nvIO5xflkYkeD:Jq1bSSoVn02gQMMMy10iFLBq5tD

Score
10/10

Malware Config

Signatures

  • BPFDoor

    BPFDoor is an evasive Linux backdoor attributed to a Chinese threat actor called Red Menshen.

  • BPFDoor payload 1 IoCs
  • Reads runtime system information 1 IoCs

    Reads data from /proc virtual filesystem.

Processes

  • /tmp/f47de978da1dbfc5e0f195745e3368d3ceef034e964817c66ba01396a1953d72
    /tmp/f47de978da1dbfc5e0f195745e3368d3ceef034e964817c66ba01396a1953d72
    1⤵
      PID:1564
      • /bin/sh
        sh -c "/bin/rm -f /var/lock/kdumpdb;/bin/cp /tmp/f47de978da1dbfc5e0f195745e3368d3ceef034e964817c66ba01396a1953d72 /var/lock/kdumpdb && /bin/chmod 755 /var/lock/kdumpdb && /var/lock/kdumpdb --init"
        2⤵
          PID:1569
          • /bin/rm
            /bin/rm -f /var/lock/kdumpdb
            3⤵
              PID:1570
          • /bin/cp
            /bin/cp /tmp/f47de978da1dbfc5e0f195745e3368d3ceef034e964817c66ba01396a1953d72 /var/lock/kdumpdb
            3⤵
              • Reads runtime system information
              PID:1571
          • /bin/chmod
            /bin/chmod 755 /var/lock/kdumpdb
            3⤵
              PID:1572
          • /var/lock/kdumpdb
            /var/lock/kdumpdb --init
            3⤵
              PID:1573

Network

  • US
    DNS
    cdn.fwupd.org
    Remote address:
    1.1.1.1:53
    Request
    cdn.fwupd.org
    IN A
    Response
    cdn.fwupd.org
    IN CNAME
    dualstack.p2.shared.global.fastly.net
    dualstack.p2.shared.global.fastly.net
    IN A
    151.101.2.49
    dualstack.p2.shared.global.fastly.net
    IN A
    151.101.66.49
    dualstack.p2.shared.global.fastly.net
    IN A
    151.101.130.49
    dualstack.p2.shared.global.fastly.net
    IN A
    151.101.194.49
  • US
    DNS
    cdn.fwupd.org
    Remote address:
    1.1.1.1:53
    Request
    cdn.fwupd.org
    IN AAAA
    Response
    cdn.fwupd.org
    IN CNAME
    dualstack.p2.shared.global.fastly.net
    dualstack.p2.shared.global.fastly.net
    IN AAAA
    2a04:4e42::561
    dualstack.p2.shared.global.fastly.net
    IN AAAA
    2a04:4e42:600::561
    dualstack.p2.shared.global.fastly.net
    IN AAAA
    2a04:4e42:400::561
    dualstack.p2.shared.global.fastly.net
    IN AAAA
    2a04:4e42:200::561
  • US
    DNS
    1527653184.rsc.cdn77.org
    Remote address:
    1.1.1.1:53
    Request
    1527653184.rsc.cdn77.org
    IN A
    Response
    1527653184.rsc.cdn77.org
    IN A
    89.187.167.2
    1527653184.rsc.cdn77.org
    IN A
    195.181.164.20
  • US
    DNS
    1527653184.rsc.cdn77.org
    Remote address:
    1.1.1.1:53
    Request
    1527653184.rsc.cdn77.org
    IN AAAA
    Response
    1527653184.rsc.cdn77.org
    IN AAAA
    2a02:6ea0:ca00::4
    1527653184.rsc.cdn77.org
    IN AAAA
    2a02:6ea0:ca00::3
  • 151.101.194.49:443
    tls
    127 B
    40 B
    2
    1
  • 151.101.129.91:443
    tls
    127 B
    40 B
    2
    1
  • 195.181.164.19:443
    tls
    851 B
    11
  • 185.125.188.62:443
    tls
    135 B
    2
  • 185.125.188.62:443
    tls
    135 B
    2
  • 151.101.194.49:443
    cdn.fwupd.org
    tls
    7.5kB
    961.6kB
    129
    704
  • 151.101.129.91:443
    extensions.gnome.org
    tls
    7.1kB
    222.9kB
    109
    174
  • 89.187.167.2:443
    odrs.gnome.org
    tls
    17.3kB
    1.7MB
    304
    1205
  • 224.0.0.251:5353
    146 B
    2
  • 1.1.1.1:53
    cdn.fwupd.org
    dns
    70 B
    185 B
    1
    1

    DNS Request

    cdn.fwupd.org

    DNS Response

    151.101.2.49
    151.101.66.49
    151.101.130.49
    151.101.194.49

  • 1.1.1.1:53
    cdn.fwupd.org
    dns
    70 B
    233 B
    1
    1

    DNS Request

    cdn.fwupd.org

    DNS Response

    2a04:4e42::561
    2a04:4e42:600::561
    2a04:4e42:400::561
    2a04:4e42:200::561

  • 1.1.1.1:53
    1527653184.rsc.cdn77.org
    dns
    81 B
    113 B
    1
    1

    DNS Request

    1527653184.rsc.cdn77.org

    DNS Response

    89.187.167.2
    195.181.164.20

  • 1.1.1.1:53
    1527653184.rsc.cdn77.org
    dns
    81 B
    137 B
    1
    1

    DNS Request

    1527653184.rsc.cdn77.org

    DNS Response

    2a02:6ea0:ca00::4
    2a02:6ea0:ca00::3
MITRE ATT&CK Matrix

Downloads

  • /run/lock/kdumpdb

    Filesize

    30KB

    MD5

    915ca30a12f19152e6ee7fcd595b7b41

    SHA1

    0e214a3bb9955b9b792d0ef785beee212a26c7fd

    SHA256

    f47de978da1dbfc5e0f195745e3368d3ceef034e964817c66ba01396a1953d72

    SHA512

    7d0a8c44e394355ebba40aeafbc9a36634be63ef386c9dc0c69c2af9dea47e611490e8a20415ec7c3aa9d1b5ffe0a9d43e9ab3f93b1b15762ed4b73c79e67377
