Analysis

  • max time kernel: 44s
  • max time network: 60s
  • platform: ubuntu-18.04_amd64
  • resource: ubuntu1804-amd64-20240418-en
  • resource tags: arch:amd64, arch:i386, image:ubuntu1804-amd64-20240418-en, kernel:4.15.0-213-generic, locale:en-us, os:ubuntu-18.04-amd64, system
  • submitted: 28-04-2024 18:23

General

  • Target: totally real crack.elf
  • Size: 2.2MB
  • MD5: c41d9625ccd175647ffa10484ab2556d
  • SHA1: 77d7614156607b68265b122fb35a1d408625cb96
  • SHA256: 6a0449a0b92dc1b17da219492487de824e86a25284f21e6e3af056fe3f4c4ec0
  • SHA512: 7036bbdd7079b560abcfe3aac1b5951571c318708d48fea340e82185e351c3853091900b31ef0d790ca3309943318620e00f9567440693e89a259b56fc09c9b2
  • SSDEEP: 49152:kOAAzrb/TYvO90dL3BmAFd4A64nsfJiTZxwuXf9nTCqw0Xfgg778laMex5D1:k1Dw+b3+

Malware Config

Extracted

  • Path: /4oEi_HOW_TO_DECRYPT.txt
  • Family: hive
  • Ransom Note:

    Your network has been breached and all data were encrypted. Personal data, financial reports and important documents are ready to disclose.
    To decrypt all the data and to prevent exfiltrated files to be disclosed at http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/ you will need to purchase our decryption software.
    Please contact our sales department at: http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/
    Login: xUvZHAXDfpoW
    Password: xvsX47VFucuDKUw4i77C
    To get an access to .onion websites download and install Tor Browser at: https://www.torproject.org/ (Tor Browser is not related to us)
    Follow the guidelines below to avoid losing your data:
    - Do not modify, rename or delete *.key.21k5p files. Your data will be undecryptable.
    - Do not modify or rename encrypted files. You will lose them.
    - Do not report to the Police, FBI, etc. They don't care about your business. They simply won't allow you to pay. As a result you will lose everything.
    - Do not hire a recovery company. They can't decrypt without the key. They also don't care about your business. They believe that they are good negotiators, but it is not. They usually fail. So speak for yourself.
    - Do not reject to purchase. Exfiltrated files will be publicly disclosed.

  • URLs:
    http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/
    http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/

Signatures

  • Hive

    A ransomware written in Golang first seen in June 2021.

  • Deletes itself (1 IoC)
  • Deletes journal logs (1 TTP, 1 IoC)

    Deletes systemd journal logs. Likely to evade detection.

  • Creates/modifies Cron job (1 TTP, 2 IoCs)

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

  • Deletes log files (1 TTP, 7 IoCs)

    Deletes log files on the system.

  • Enumerates running processes

    Discovers information about currently running processes on the system.

  • Reads hardware information (1 TTP, 1 IoC)

    Accesses system info like serial numbers, manufacturer names etc.

  • Reads network interface configuration (2 TTPs, 12 IoCs)

    Fetches information about one or more active network interfaces.

  • Reads CPU attributes (1 TTP, 20 IoCs)
  • Enumerates kernel/hardware configuration (1 TTP, 64 IoCs)

    Reads contents of /sys virtual filesystem to enumerate system information.

  • Reads runtime system information (64 IoCs)

    Reads data from /proc virtual filesystem.

  • Writes file to shm directory (1 IoC)

    Malware can drop malicious files in the shm directory which will run directly from RAM.

  • Writes file to tmp directory (2 IoCs)

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/totally real crack.elf
    "/tmp/totally real crack.elf"
    PID: 1539
    • Deletes itself
    • Deletes journal logs
    • Creates/modifies Cron job
    • Deletes log files
    • Reads hardware information
    • Reads network interface configuration
    • Reads CPU attributes
    • Enumerates kernel/hardware configuration
    • Reads runtime system information
    • Writes file to shm directory
    • Writes file to tmp directory

Downloads

  • /4oEi_HOW_TO_DECRYPT.txt
    Filesize: 1KB
    MD5: 9932bbfea02ad4bb0c43b36fddd98a7a
    SHA1: 1faee3c9dbb5f005769c8123387b45cf545cac89
    SHA256: 13f91b1c2c02259660f4d83dd7383b5bbc4f04be98331fbbcf92f1e56f8557a4
    SHA512: cad236319f2bc80d4223aca681e1adc446ae72dd46530e00aa9887c331b94ac95c9b23c55c3d98c4615cb05da689d68006d75c3f0d213c6f9303ee04f2d4f7ab

  • /dev/shm/temp1.swap.21k5p
    Filesize: 890.0MB
    MD5: 349029a207623b59d2746aead722bb24
    SHA1: daf8d924abec5cfb348dee7fc5fe4abef060c6a0
    SHA256: 10bbb0578e16c126141130fb5f14bc77399b91046bb95168693e3478177860a8
    SHA512: e37e0b5c66865aeb14bbbdd95be0919951a82616bdc51d04bb8f6996b7a1d8c48fc417857d491f779690989c8ef922933e91c1b3877f95c751c3cb57c3a2d431

  • /etc/motd
    Filesize: 1KB
    MD5: ff20e9231f075f2da48939e1404433e6
    SHA1: b6b095abd7636ff094dc9560ae19b4902268ffb3
    SHA256: 60195e714782a8b8ab7dab911f6f855ab9160776dca1dbc04c18c045768dbd97
    SHA512: e5576b08a067daa56778b614a3c58d0af923c4e4888c512daa456182c3e1c5f65aaa90dbf43d79752394d9cfc5d968f6a0b80a54517a0c468be5aabd38c282cd

  • /qk_FvaBvPGD8-YDOZox1HDY4QSYRZWXiaTu2hCjr42X_.key.21k5p
    Filesize: 1.1MB
    MD5: 627110ddfed6bf76bfb5a72723fd231d
    SHA1: 885ece3a7c64d71776918a83bdbeed4e853c424e
    SHA256: cb3b6180283eae85d47b7dab3d8b6d363a13e649374172e907d1d4f5fa92afb4
    SHA512: bd42c5311fd6adaa6d10988f30e623b23c24238f3208267f94d2274f2a64123ebe90d538b65d23f2c0b3250cc047c7453abe4644269e9e33ae3b2dde456bda12

  • /run/lock/temp1.swap.21k5p
    Filesize: 6.0MB
    MD5: e888cc97e2bd50e067f8bdb257a0e72e
    SHA1: a166a1a986c95efa62f2859bd0003928d9ebfb33
    SHA256: c083b56ebeb34f6c893aaa4f0e8e21b20ee54132c44478b735bcd964fb4d803a
    SHA512: 5be5607aa33643fd20968580c0b1fdf5e7e4fc9cb21b87b1124db64e5c5fd2994c2331777eb9ef31fbfd0c32e97820b9486b0a859b77d9af891baf1eef7b991a

  • /run/temp1.swap.21k5p
    Filesize: 37.0MB
    MD5: 966320cd50ea2cdd6ce89f33599977de
    SHA1: d5ee8ed678994698c3db06f65059c27ff0fa4ae8
    SHA256: fdb60776b0d090fedac0aaf39e85f51d0d8848bf4feae4ca848b0106217351ee
    SHA512: f8cd32122c3800414671f2a5d81c36bb98c459a101d2b47502fd4cdcf9f8cb0ab294604999401a8a11c9f31ac4cd36b2697c5bf51f9f2902a3809bdb47361b90

  • /run/user/0/temp1.swap.21k5p
    Filesize: 36.0MB
    MD5: e146bf4d430629ee177f0cf2aab0db7b
    SHA1: 81bb467abde27a551529a29f36b2a7a3398b345b
    SHA256: 3858092c6e145504439b2c0de41af2b6a397feb16790376b7a9d18a7583c6499
    SHA512: 85bdf2d78c4eb14cc28e67287ea3b542fd6597b7a02177ddb3a960b0a8219d43fba591c22c37831f32e15eaab7d44a89ea0ec3ea46d636fef2d75ea40f5f4881

  • /run/user/121/temp1.swap.21k5p
    Filesize: 45.0MB
    MD5: c8d237318e2592e8d1d5820ade1db5a5
    SHA1: d02abdd62d86720f775ea84dec5025275d6da421
    SHA256: df5d56c8782a66ed320ec37b092f765aa9d5aebd7d4a841e83e334d38ffcb233
    SHA512: 2c9a174a337c2b33bcd5486557abe0bebe8990842d99a0d458b432d38814275252008fe355d662c82b7860dbcd3aa54b862df8eb5d4edfd312ee46ec450fe8d3

  • /temp1.swap.21k5p
    Filesize: 210.0MB
    MD5: 6ad83ba02995bc0e43f3e50b4af01a55
    SHA1: ad788867194a5c1d98d499d83751acfb306841a3
    SHA256: 64642239327907721dba50f970cb655201f7603ba6adf0d7e1d0b30474d7a26a
    SHA512: e02b216a1699b2347648e1d7efa49631b0992a9764f0f917ea512365891599d8be4d238de9c322f2ef976868337f5a3423c20464a93330f9734e0187ab3de0a7

  • /temp10.swap.21k5p
    Filesize: 1020.0MB
    MD5: 56754b72fea85e5d57d68d88c74a1fa6
    SHA1: 51602c4d1de3995f93bf3f33a20d570224e34175
    SHA256: 4a297138ad9ec651b0bfa9eb2349a68deb1453788c4348b7351994f0755b0fca
    SHA512: fd57a7897f6de0c58da75fcaf7dbcd8d34707d9f7965a9670b8cc71b2d392b64682e39cd41c6a541733f5a309c9e3a904e69cc602a2ef6e4749e334b6ddd49c1

  • /temp11.swap.21k5p
    Filesize: 383.0MB
    MD5: c98f0da79f9abe390bb0f6c4c064707d
    SHA1: 87d97cdaa7b2ddaae05c852f10d7be0e5ec59abe
    SHA256: 9fe46e5d09feece60555141e0bbcfa1c4980d22e0d41cd8d445ed8d75083252c
    SHA512: bf54ca88484ba33a0c176bab46bea36123135d4183c8aed978888c646d98a4b6608283f62b5616dfee1b15ede95d957f9b820a9bb6a65d0efa78670071154686

  • /temp2.swap.21k5p
    Filesize: 1024.0MB
    MD5: 92e17efcc72608410e4901fa16a7e895
    SHA1: 9f8e364728a1216fbaf18282fe00b5808ae1d30f
    SHA256: bacd1072564aa67c20b5ffa165e0a35d4e702514ed0d57c3d06a953cf0021de6
    SHA512: 32d18c42780516e251642d104b9c76623f459d33a50c4eacd5aa48b48a12a93bcea8a6d6f7eb1d36165310528fc2a54df51bd04825bfe6adc4e562effcc6d87a

  • /temp3.swap.21k5p
    Filesize: 1024.0MB
    MD5: 8464fc795b24bf1df7a607d080fe3edb
    SHA1: e407d09bf1a15b8d68429dea794c8965454df79e
    SHA256: 3e15da1c51f4575629ac1507f76a0afe5220b653158c6a71785f646208a15b5c
    SHA512: 391ff030a4d8ad6818ef13f58940316eb8431710cc3e1c0254ba836b4a57ac75dbfef84cca343356ec63d2d386836af6fed639bcd738871f064de4f98dc49d76

  • /temp4.swap.21k5p
    Filesize: 1021.0MB
    MD5: e8f71d98bf40000913a29c08c41cd8ab
    SHA1: 0d4796a5df6996459a30aaf0a1e2b4bddfa24196
    SHA256: 6ffe001ae3346b8739d55e8404c0f3f8d388ba86c02c521d33b47807e3cae264
    SHA512: b085377b6fdc26e8a1c419649933be92501649e86804b5458ad26dd5c924d62f3232b3f52648e184fd6f10a93f13e40e7477fd72e087b73326034f1c432f7d77

  • /temp5.swap.21k5p
    Filesize: 1021.0MB
    MD5: 41219a35627e1d68bd54f19c5f4e2856
    SHA1: 409b767642572af305f9783bd6bcc0bb96e20554
    SHA256: b7a77e3bf90688e9d69b2eda58654f4a7cda0b1c42451f0648431fdd020c5eca
    SHA512: 4eb8d3dfb5a2d3557153087b3e525f51f0e35861c1fe1538328b6e268593ce66e21f3284abc76cddf914a71117c60a4ee2d7822eaab684ed943ddccf264e9c57

  • /temp6.swap.21k5p
    Filesize: 1021.0MB
    MD5: d2223fcffced8d14ce6dd3256f0a2c60
    SHA1: 15e0c4f37ed3398482ae8c54a2ee8ffcdf8c3390
    SHA256: b007ca9eb9604d15b2c57411d6e3bd5b1e49afdf014180eca5c083bda75c89c7
    SHA512: 316b0b5542c70a3ca7c8884145baddf0542401116ccec921173e7cab5249372dcb4dcb6e7226fac8443376e106bdab59afba78318ba7ae2999384b0fb7db95ff

  • /temp7.swap.21k5p
    Filesize: 1016.0MB
    MD5: 9b2395d6974b4884fa0aabc4d24db92f
    SHA1: 970b931760c17749bdb8eeae19e2e6ca86c2098c
    SHA256: f61e5aab10c3e7168c604fb4bb45f9b71bc27cb0c45c0b1bb1e518b1e91be3e6
    SHA512: 8e10be08948ba0838ab08e14f709cd42da33d8d06cad0ccbd898e5133ef671e8e4f175ccba43c9f706f05effcf08127d49a2ceee6ebee81227135d874f8c2c87

  • /temp8.swap.21k5p
    Filesize: 1024.0MB
    MD5: 6e9c844b9c1caa139b7e6efccf39ac6f
    SHA1: 2c4ada8ebd2d9c0682b2dacfc0ee98be97985ca2
    SHA256: 51fd550c3b257dfd519014c057ae686ce6c4407a3fc7e4a4960ed849204981ca
    SHA512: 4be3e1fe359c4f710ef0e03e22eaa826bb4d375a1439f37812514fac0ca6dd9e26529215b90dbfe856c5fd52a2cafa72267c8ce0a0a630e2bb2f90e3dd963c57

  • /temp9.swap.21k5p
    Filesize: 1013.0MB
    MD5: 83945d43550d5299f45a968ad0d73972
    SHA1: 6f87d7b862f27002f46bdac2cdce7a7642400ce1
    SHA256: c8cf2fc6a3b9471aeb2e15aa837a50f30d470c033266fbcd710442ec48bcac2e
    SHA512: 46fba2c4daf6dea78851321ab3e97551312bb87de4d60dedd012af738a65e84f99bc8b0fee0eeadbce0b8f8d3000dc8868b86f159e22ee2a727f4e7ccca91e55