467cdd188a7f739bc706adbc1d695f61ffdefc95916adb015947d80829f00a3d

Analysis

max time kernel
16s
max time network
129s
platform
ubuntu-24.04_amd64
resource
ubuntu2404-amd64-20240523-en
resource tags

arch:amd64arch:i386image:ubuntu2404-amd64-20240523-enkernel:6.8.0-31-genericlocale:en-usos:ubuntu-24.04-amd64system
submitted
13/08/2024, 15:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ventoy-1.0.99/tool/x86_64/Ventoy2Disk.gtk3
Size

358KB
MD5

d1ddb6a698a67a937bc0ba38048a12a7
SHA1

cc04801dd80d6c2f886cd7014cd71a4fa275b8b5
SHA256

1e49505302b993b125cb871ccf223629ee451cc1358f463fac80048434033382
SHA512

bb70750818ebe6fdb548c4faf13a1f92c07e0ebb40c505c7927b75965ddca0ccd1794b2a19f72bfe445e1c5e439301f017da75513595cbe66e4df0e396aa3ae1
SSDEEP

6144:WpgjIRWtpn2hRUE8jH7NKxy/efSUs/DbVao4qqPIBXtHSWENLVxOR3:WpgoWtAhR78b8x2nVWqqPIBONhxs3

Score

4^/10

Malware Config

Signatures

Changes its process name 5 IoCs

description	ioc	pid
Changes the process name, possibly in an attempt to hide itself	gmain	2475
Changes the process name, possibly in an attempt to hide itself	pool-spawner	2476
Changes the process name, possibly in an attempt to hide itself	pool-Ventoy2Dis	2477
Changes the process name, possibly in an attempt to hide itself	pool-Ventoy2Dis	2482
Changes the process name, possibly in an attempt to hide itself	gdbus	2484

Enumerates kernel/hardware configuration 1 TTPs 6 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/block/fd0/dev	Ventoy2Disk.gtk3
File opened for reading	/sys/block/vda/size	Ventoy2Disk.gtk3
File opened for reading	/sys/block/vda/dev	Ventoy2Disk.gtk3
File opened for reading	/sys/block/vda/device/vendor	Ventoy2Disk.gtk3
File opened for reading	/sys/block	Ventoy2Disk.gtk3
File opened for reading	/sys/block/fd0/size	Ventoy2Disk.gtk3

Reads runtime system information 2 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/filesystems	Ventoy2Disk.gtk3
File opened for reading	/proc/devices	Ventoy2Disk.gtk3

Writes file to tmp directory 2 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/ventoy-1.0.99/log.txt	Ventoy2Disk.gtk3
File opened for modification	/tmp/ventoy-1.0.99/Ventoy2Disk.ini	Ventoy2Disk.gtk3

/tmp/ventoy-1.0.99/tool/x86_64/Ventoy2Disk.gtk3
/tmp/ventoy-1.0.99/tool/x86_64/Ventoy2Disk.gtk3
1⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
- Writes file to tmp directory
PID:2472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/ventoy-1.0.99/log.txt

Filesize
1KB

MD5
dc61639a7cea2857b74c5e823978006e

SHA1
07a08de89b3ed594dacf77bcee8ff9aea8288b60

SHA256
951bd2d3dd752d005dbd156fdfb5d2fcb3d52145b942b6b73335a9fe925d224f

SHA512
8bc38c53b2fed7cbacf04a9888ae1597ed949b08303b52022cae5f776f9c69756a94e6f33a640cdf701b5b019380591b248128ba8e9907f60b54e5ea5eb4a84b

Download Submit