Malware Analysis Report

2025-01-23 15:26

Sample ID: 240417-lmntzscf9z
Target:    dpkg-apt
SHA256:    1df3683afcdb6a6b201287490f3c859c0d687adbe1a5500bc140e7bd99be2eb0
Tags:      upx antivm persistence
Score:     7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score:  7/10
SHA256: 1df3683afcdb6a6b201287490f3c859c0d687adbe1a5500bc140e7bd99be2eb0

Threat Level: Shows suspicious behavior

The file dpkg-apt was classified as: Shows suspicious behavior.

Malicious Activity Summary

Tags: upx antivm persistence

- UPX packed file
- Deletes itself
- Executes dropped EXE
- Modifies init.d
- Write file to user bin folder
- Checks CPU configuration
- Reads runtime system information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-04-17 09:39

Signatures

UPX packed file (tag: upx)

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Analysis: behavioral1

Detonation Overview

Submitted:        2024-04-17 09:39
Reported:         2024-04-17 09:41
Platform:         ubuntu1804-amd64-20240226-en
Max time kernel:  106s
Max time network: 110s

Command Line

[/tmp/dpkg-apt]

Signatures

Deletes itself

Description  Indicator  Process        Target
N/A          N/A        /tmp/dpkg-apt  N/A
N/A          N/A        /var/tmp/atd   N/A

Executes dropped EXE

Description  Indicator          Process            Target
N/A          /usr/bin/dpkg-apt  /usr/bin/dpkg-apt  N/A
N/A          /var/tmp/atd       /var/tmp/atd       N/A

UPX packed file (tag: upx)

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Checks CPU configuration (tag: antivm)

Description              Indicator      Process  Target
File opened for reading  /proc/cpuinfo  N/A      N/A

Modifies init.d (tag: persistence)

Description                   Indicator                        Process  Target
File opened for modification  /etc/init.d/dbus                 N/A      N/A
File opened for modification  /etc/init.d/avahi-daemon         N/A      N/A
File opened for modification  /etc/init.d/irqbalance           N/A      N/A
File opened for modification  /etc/init.d/cron                 N/A      N/A
File opened for modification  /etc/init.d/x11-common           N/A      N/A
File opened for modification  /etc/init.d/spice-vdagent        N/A      N/A
File opened for modification  /etc/init.d/uuidd                N/A      N/A
File opened for modification  /etc/init.d/apport               N/A      N/A
File opened for modification  /etc/init.d/apparmor             N/A      N/A
File opened for modification  /etc/init.d/anacron              N/A      N/A
File opened for modification  /etc/init.d/cups-browsed         N/A      N/A
File opened for modification  /etc/init.d/console-setup.sh     N/A      N/A
File opened for modification  /etc/init.d/networking           N/A      N/A
File opened for modification  /etc/init.d/dns-clean            N/A      N/A
File opened for modification  /etc/init.d/speech-dispatcher    N/A      N/A
File opened for modification  /etc/init.d/unattended-upgrades  N/A      N/A
File opened for modification  /etc/init.d/kmod                 N/A      N/A
File opened for modification  /etc/init.d/selinux-autorelabel  N/A      N/A
File opened for modification  /etc/init.d/cups                 N/A      N/A
File opened for modification  /etc/init.d/rsync                N/A      N/A
File opened for modification  /etc/init.d/gdm3                 N/A      N/A
File opened for modification  /etc/init.d/grub-common          N/A      N/A
File opened for modification  /etc/init.d/saned                N/A      N/A
File opened for modification  /etc/init.d/auditd               N/A      N/A
File opened for modification  /etc/init.d/hwclock.sh           N/A      N/A
File opened for modification  /etc/init.d/plymouth             N/A      N/A
File opened for modification  /etc/init.d/bluetooth            N/A      N/A
File opened for modification  /etc/init.d/alsa-utils           N/A      N/A
File opened for modification  /etc/init.d/pppd-dns             N/A      N/A
File opened for modification  /etc/init.d/ssh                  N/A      N/A
File opened for modification  /etc/init.d/network-manager      N/A      N/A
File opened for modification  /etc/init.d/kerneloops           N/A      N/A
File opened for modification  /etc/init.d/plymouth-log         N/A      N/A
File opened for modification  /etc/init.d/keyboard-setup.sh    N/A      N/A
File opened for modification  /etc/init.d/atd                  N/A      N/A
File opened for modification  /etc/init.d/procps               N/A      N/A
File opened for modification  /etc/init.d/ufw                  N/A      N/A
File opened for modification  /etc/init.d/udev                 N/A      N/A
File opened for modification  /etc/init.d/rsyslog              N/A      N/A
File opened for modification  /etc/init.d/acpid                N/A      N/A

Write file to user bin folder

Description                   Indicator          Process        Target
File opened for modification  /usr/bin/dpkg-apt  /tmp/dpkg-apt  N/A
File opened for modification  /usr/bin/retatelog N/A            N/A

Reads runtime system information

Description              Indicator       Process            Target
File opened for reading  /proc/self/exe  /tmp/dpkg-apt      N/A
File opened for reading  /proc/self/exe  /usr/bin/dpkg-apt  N/A
File opened for reading  /proc/self/exe  /var/tmp/atd       N/A
File opened for reading  /proc/meminfo   N/A                N/A

Processes

Process            Command line
/tmp/dpkg-apt      [/tmp/dpkg-apt]
/bin/sh            [/bin/sh -c /usr/bin/dpkg-apt]
/usr/bin/dpkg-apt  [/usr/bin/dpkg-apt]
/bin/sh            [/bin/sh -c /var/tmp/atd]
/var/tmp/atd       [/var/tmp/atd]

Network

Country  Destination          Domain           Proto
N/A      224.0.0.251:5353                      udp
US       8.8.8.8:53           vn.github.wiki   udp
HK       47.242.188.35:443    vn.github.wiki   tcp
US       8.8.8.8:53           vn.github.wiki   udp
HK       47.242.188.35:443    vn.github.wiki   tcp
US       8.8.8.8:53           vn.github.wiki   udp
HK       47.242.188.35:443    vn.github.wiki   tcp
US       151.101.130.49:443                    tcp
US       1.1.1.1:53           cdn.fwupd.org    udp
US       1.1.1.1:53           cdn.fwupd.org    udp
US       151.101.66.49:443    cdn.fwupd.org    tcp
GB       185.125.188.62:443                    tcp
GB       185.125.188.61:443                    tcp
US       151.101.65.91:443                     tcp
US       151.101.65.91:443                     tcp
GB       195.181.164.14:443                    tcp

Files

/usr/bin/dpkg-apt

MD5:    868843cd62081472c2b8e5327fc0843f
SHA1:   3936786654d717ae2a494666d143cbe40b105e12
SHA256: 1df3683afcdb6a6b201287490f3c859c0d687adbe1a5500bc140e7bd99be2eb0
SHA512: 0619055ef28ca8f30befa245ac4af83299c6d576e72f2378252035185ca53b496e75fd650ab56e7ba9186c32c0859247017be5fc1fc76b45bf9d0cf7daee465e

memory/1575-1-0x0000000008048000-0x000000000811df10-memory.dmp

/var/tmp/atd

MD5:    e57f5302e9b9ab903b7e0da7c5039d2f
SHA1:   461ae38621506b917552469563a68fe48d0bf642
SHA256: cdc4dc8bdc483313a25e571769f1583ac2ac41012175189f03743f8446362aa7
SHA512: 2dcd6e375e9c81cdd03c61ceb83752660c0bf1cb74eaa901edcbd00224535a08268ff873715e6e5138fa4c82d85fe966b6915e0a2688f6c947dbffc3a90e0f07

memory/1578-2-0x0000000008048000-0x000000000811df10-memory.dmp

memory/1584-3-0x0000000008048000-0x000000000811df10-memory.dmp