Overview

overview

10

Static

static

10

f47de978da...953d72

ubuntu-18.04-amd64

10

Analysis

  • max time kernel
    3s
  • max time network
    133s
  • platform
    ubuntu-18.04_amd64
  • resource
    ubuntu1804-amd64-20240226-en
  • resource tags

    arch:amd64arch:i386image:ubuntu1804-amd64-20240226-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
  • submitted
    10-04-2024 14:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f47de978da1dbfc5e0f195745e3368d3ceef034e964817c66ba01396a1953d72

  • Size

    30KB

  • MD5

    915ca30a12f19152e6ee7fcd595b7b41

  • SHA1

    0e214a3bb9955b9b792d0ef785beee212a26c7fd

  • SHA256

    f47de978da1dbfc5e0f195745e3368d3ceef034e964817c66ba01396a1953d72

  • SHA512

    7d0a8c44e394355ebba40aeafbc9a36634be63ef386c9dc0c69c2af9dea47e611490e8a20415ec7c3aa9d1b5ffe0a9d43e9ab3f93b1b15762ed4b73c79e67377

  • SSDEEP

    384:Jq1PnO447Iu6PJOK8IkVaBSua3xkpVYGjk3MmBMyV4M3mY0iFL6nvIO5xflkYkeD:Jq1bSSoVn02gQMMMy10iFLBq5tD

Score
10/10
bpfdoorbackdoor

Malware Config

Signatures

  • BPFDoor

    BPFDoor is an evasive Linux backdoor attributed to a Chinese threat actor called Red Menshen.

    backdoorbpfdoor
  • BPFDoor payload 1 IoCs
  • Reads runtime system information 1 IoCs

    Reads data from /proc virtual filesystem.

Processes

  • /tmp/f47de978da1dbfc5e0f195745e3368d3ceef034e964817c66ba01396a1953d72
    /tmp/f47de978da1dbfc5e0f195745e3368d3ceef034e964817c66ba01396a1953d72
    1⤵
      PID:1564
      • /bin/sh
        sh -c "/bin/rm -f /var/lock/kdumpdb;/bin/cp /tmp/f47de978da1dbfc5e0f195745e3368d3ceef034e964817c66ba01396a1953d72 /var/lock/kdumpdb && /bin/chmod 755 /var/lock/kdumpdb && /var/lock/kdumpdb --init"
        2⤵
          PID:1569
          • /bin/rm
            /bin/rm -f /var/lock/kdumpdb
            3⤵
              PID:1570
            • /bin/cp
              /bin/cp /tmp/f47de978da1dbfc5e0f195745e3368d3ceef034e964817c66ba01396a1953d72 /var/lock/kdumpdb
              3⤵
              • Reads runtime system information
              PID:1571
            • /bin/chmod
              /bin/chmod 755 /var/lock/kdumpdb
              3⤵
                PID:1572
              • /var/lock/kdumpdb
                /var/lock/kdumpdb --init
                3⤵
                  PID:1573

            Network

            MITRE ATT&CK Matrix

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • /run/lock/kdumpdb
              Filesize

              30KB

              MD5

              915ca30a12f19152e6ee7fcd595b7b41

              SHA1

              0e214a3bb9955b9b792d0ef785beee212a26c7fd

              SHA256

              f47de978da1dbfc5e0f195745e3368d3ceef034e964817c66ba01396a1953d72

              SHA512

              7d0a8c44e394355ebba40aeafbc9a36634be63ef386c9dc0c69c2af9dea47e611490e8a20415ec7c3aa9d1b5ffe0a9d43e9ab3f93b1b15762ed4b73c79e67377

              Download Submit