Analysis Overview
SHA256
1df3683afcdb6a6b201287490f3c859c0d687adbe1a5500bc140e7bd99be2eb0
Threat Level: Shows suspicious behavior
The file dpkg-apt was found to show suspicious behavior.
Malicious Activity Summary
UPX packed file
Deletes itself
Executes dropped EXE
Modifies init.d
Write file to user bin folder
Checks CPU configuration
Reads runtime system information
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-17 09:39
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-17 09:39
Reported
2024-04-17 09:41
Platform
ubuntu1804-amd64-20240226-en
Max time kernel
106s
Max time network
110s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | /tmp/dpkg-apt | N/A |
| N/A | N/A | /var/tmp/atd | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /usr/bin/dpkg-apt | /usr/bin/dpkg-apt | N/A |
| N/A | /var/tmp/atd | /var/tmp/atd | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks CPU configuration
| Description | Indicator | Process | Target |
| File opened for reading | /proc/cpuinfo | N/A | N/A |
Modifies init.d
| Description | Indicator | Process | Target |
| File opened for modification | /etc/init.d/dbus | N/A | N/A |
| File opened for modification | /etc/init.d/avahi-daemon | N/A | N/A |
| File opened for modification | /etc/init.d/irqbalance | N/A | N/A |
| File opened for modification | /etc/init.d/cron | N/A | N/A |
| File opened for modification | /etc/init.d/x11-common | N/A | N/A |
| File opened for modification | /etc/init.d/spice-vdagent | N/A | N/A |
| File opened for modification | /etc/init.d/uuidd | N/A | N/A |
| File opened for modification | /etc/init.d/apport | N/A | N/A |
| File opened for modification | /etc/init.d/apparmor | N/A | N/A |
| File opened for modification | /etc/init.d/anacron | N/A | N/A |
| File opened for modification | /etc/init.d/cups-browsed | N/A | N/A |
| File opened for modification | /etc/init.d/console-setup.sh | N/A | N/A |
| File opened for modification | /etc/init.d/networking | N/A | N/A |
| File opened for modification | /etc/init.d/dns-clean | N/A | N/A |
| File opened for modification | /etc/init.d/speech-dispatcher | N/A | N/A |
| File opened for modification | /etc/init.d/unattended-upgrades | N/A | N/A |
| File opened for modification | /etc/init.d/kmod | N/A | N/A |
| File opened for modification | /etc/init.d/selinux-autorelabel | N/A | N/A |
| File opened for modification | /etc/init.d/cups | N/A | N/A |
| File opened for modification | /etc/init.d/rsync | N/A | N/A |
| File opened for modification | /etc/init.d/gdm3 | N/A | N/A |
| File opened for modification | /etc/init.d/grub-common | N/A | N/A |
| File opened for modification | /etc/init.d/saned | N/A | N/A |
| File opened for modification | /etc/init.d/auditd | N/A | N/A |
| File opened for modification | /etc/init.d/hwclock.sh | N/A | N/A |
| File opened for modification | /etc/init.d/plymouth | N/A | N/A |
| File opened for modification | /etc/init.d/bluetooth | N/A | N/A |
| File opened for modification | /etc/init.d/alsa-utils | N/A | N/A |
| File opened for modification | /etc/init.d/pppd-dns | N/A | N/A |
| File opened for modification | /etc/init.d/ssh | N/A | N/A |
| File opened for modification | /etc/init.d/network-manager | N/A | N/A |
| File opened for modification | /etc/init.d/kerneloops | N/A | N/A |
| File opened for modification | /etc/init.d/plymouth-log | N/A | N/A |
| File opened for modification | /etc/init.d/keyboard-setup.sh | N/A | N/A |
| File opened for modification | /etc/init.d/atd | N/A | N/A |
| File opened for modification | /etc/init.d/procps | N/A | N/A |
| File opened for modification | /etc/init.d/ufw | N/A | N/A |
| File opened for modification | /etc/init.d/udev | N/A | N/A |
| File opened for modification | /etc/init.d/rsyslog | N/A | N/A |
| File opened for modification | /etc/init.d/acpid | N/A | N/A |
Write file to user bin folder
| Description | Indicator | Process | Target |
| File opened for modification | /usr/bin/dpkg-apt | /tmp/dpkg-apt | N/A |
| File opened for modification | /usr/bin/retatelog | N/A | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/self/exe | /tmp/dpkg-apt | N/A |
| File opened for reading | /proc/self/exe | /usr/bin/dpkg-apt | N/A |
| File opened for reading | /proc/self/exe | /var/tmp/atd | N/A |
| File opened for reading | /proc/meminfo | N/A | N/A |
Processes
/tmp/dpkg-apt
[/tmp/dpkg-apt]
/bin/sh
[/bin/sh -c /usr/bin/dpkg-apt]
/usr/bin/dpkg-apt
[/usr/bin/dpkg-apt]
/bin/sh
[/bin/sh -c /var/tmp/atd]
/var/tmp/atd
[/var/tmp/atd]
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 8.8.8.8:53 | vn.github.wiki | udp |
| HK | 47.242.188.35:443 | vn.github.wiki | tcp |
| US | 8.8.8.8:53 | vn.github.wiki | udp |
| HK | 47.242.188.35:443 | vn.github.wiki | tcp |
| US | 8.8.8.8:53 | vn.github.wiki | udp |
| HK | 47.242.188.35:443 | vn.github.wiki | tcp |
| US | 151.101.130.49:443 | N/A | tcp |
| US | 1.1.1.1:53 | cdn.fwupd.org | udp |
| US | 1.1.1.1:53 | cdn.fwupd.org | udp |
| US | 151.101.66.49:443 | cdn.fwupd.org | tcp |
| GB | 185.125.188.62:443 | N/A | tcp |
| GB | 185.125.188.61:443 | N/A | tcp |
| US | 151.101.65.91:443 | N/A | tcp |
| US | 151.101.65.91:443 | N/A | tcp |
| GB | 195.181.164.14:443 | N/A | tcp |
Files
/usr/bin/dpkg-apt
| MD5 | 868843cd62081472c2b8e5327fc0843f |
| SHA1 | 3936786654d717ae2a494666d143cbe40b105e12 |
| SHA256 | 1df3683afcdb6a6b201287490f3c859c0d687adbe1a5500bc140e7bd99be2eb0 |
| SHA512 | 0619055ef28ca8f30befa245ac4af83299c6d576e72f2378252035185ca53b496e75fd650ab56e7ba9186c32c0859247017be5fc1fc76b45bf9d0cf7daee465e |
memory/1575-1-0x0000000008048000-0x000000000811df10-memory.dmp
/var/tmp/atd
| MD5 | e57f5302e9b9ab903b7e0da7c5039d2f |
| SHA1 | 461ae38621506b917552469563a68fe48d0bf642 |
| SHA256 | cdc4dc8bdc483313a25e571769f1583ac2ac41012175189f03743f8446362aa7 |
| SHA512 | 2dcd6e375e9c81cdd03c61ceb83752660c0bf1cb74eaa901edcbd00224535a08268ff873715e6e5138fa4c82d85fe966b6915e0a2688f6c947dbffc3a90e0f07 |
memory/1578-2-0x0000000008048000-0x000000000811df10-memory.dmp
memory/1584-3-0x0000000008048000-0x000000000811df10-memory.dmp