940ea36c95934bc5293f43894ff5af8cd4c35c15dcf2f4032a9bf87050678406

Analysis

max time kernel
206s
max time network
208s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240226-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240226-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
24-04-2024 15:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Linux_x86
Size

2.1MB
MD5

e27f183578d17738b5fab27fa1f7b207
SHA1

2da956bfa7db43218ba0b4469acf4a3f67a9da3a
SHA256

940ea36c95934bc5293f43894ff5af8cd4c35c15dcf2f4032a9bf87050678406
SHA512

e69e7a0fcb5ca93647bc999f93d43462b4c16fd7a7f9b098f1562003cab45e99eb429248bd1944517022d8aaa37d91d01d3b752ab4109de0204fa4feee8223fd
SSDEEP

49152:rdfjEIRbloS+0dpxtdDNqJ4I5y4CIuuzz:rNjEIxiSbpxteJ4Q7LuI

Score

6^/10

antivm persistence

Malware Config

Signatures

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

persistence

Scheduled Task/Job

T1053

description	ioc	Process
File opened for modification	/var/spool/cron/crontabs/tmp.08MShx	crontab

Checks CPU configuration 1 TTPs 2 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
File opened for reading	/proc/cpuinfo	cat
File opened for reading	/proc/cpuinfo	cat

Reads runtime system information 6 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/self/exe	Linux_x86
File opened for reading	/proc/sys/net/core/somaxconn	Linux_x86
File opened for reading	/proc/version	cat
File opened for reading	/proc/self/exe	Linux_x86
File opened for reading	/proc/sys/net/core/somaxconn	Linux_x86
File opened for reading	/proc/version	cat

Writes file to tmp directory 3 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/[stealth].pid	Linux_x86
File opened for modification	/tmp/.pid	Linux_x86
File opened for modification	/tmp/nip9iNeiph5chee	Linux_x86

/tmp/Linux_x86
/tmp/Linux_x86
1⤵
- Reads runtime system information
- Writes file to tmp directory
PID:1551
- /bin/cat
  cat /proc/version
  2⤵
  - Reads runtime system information
  PID:1560
- /bin/cat
  cat /proc/cpuinfo
  2⤵
  - Checks CPU configuration
  PID:1562
- /bin/uname
  uname -a
  2⤵
  PID:1564
- /usr/bin/getconf
  getconf LONG_BIT
  2⤵
  PID:1565
- /tmp/Linux_x86
  "[stealth]"
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:1566
- - /bin/cat
    cat /proc/version
    3⤵
    - Reads runtime system information
    PID:1569
- - /bin/cat
    cat /proc/cpuinfo
    3⤵
    - Checks CPU configuration
    PID:1571
- - /bin/uname
    uname -a
    3⤵
    PID:1572
- - /usr/bin/getconf
    getconf LONG_BIT
    3⤵
    PID:1574
- - /usr/bin/crontab
    /usr/bin/crontab /tmp/nip9iNeiph5chee
    3⤵
    - Creates/modifies Cron job
    PID:1575

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/.pid

Filesize
4B

MD5
be53ee61104935234b174e62a07e53cf

SHA1
150afba2f606bf3e450d7dbfba16c6673580cb77

SHA256
a9ffbdf317b2dabf198f59653da551149ad51173b2014ae1df5d183c2ddfcf26

SHA512
be6aab77ff13b95b184c78f1e5fd75e661c1d5817b96d9c914f32e016ce9de260423934e48ec592bc8a0caf5f39e79fb584be0f779fe51c4b991afde8b623428

Download Submit
/tmp/nip9iNeiph5chee

Filesize
43B

MD5
c387b6269be7ee4b2134407edb3593f8

SHA1
e5a12b35b87f690903867658acea42a3adf7e9dd

SHA256
eaf4d9d29df3e56e2d1a07c6b6d70eac5120e53eaecc372e8eb59dd25f0beb5d

SHA512
bede8eb40768728cbf23a40de85c3a2e38200702cb8303202c6ea2af5a13d41a2bda195d619acb75855b89611672f5eff63de1d9a1411b04afaf336a6bdfa552

Download Submit
/var/spool/cron/crontabs/tmp.08MShx

Filesize
237B

MD5
d684cf19977bf77c2400934a3419f88f

SHA1
9abaa29775f11c9ce79e57d22e44540a3280f32c

SHA256
c8d3144b7a58ba165e57919cd378fb0f0318bc3f65b6929aa5701c550445c80e

SHA512
98c81530ac1717d3a1ca717c6770b02d8cc35cdd2192ab92f0c2b3658e751c4d24f946bbb5787d8fb24c916a57415e68c234d3bfa176ff1b3c636b34033d059f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads