Analysis Overview
SHA256
90adac72b6038472083e3e2ff8ab8a41eb624c5dc5b0dce58653d94d6c8b4da9
Threat Level: Shows suspicious behavior
The file update was found to be: Shows suspicious behavior.
Malicious Activity Summary
Checks mountinfo of local process
Reads hardware information
Reads list of loaded kernel modules
Checks CPU configuration
Enumerates kernel/hardware configuration
Reads runtime system information
Writes file to shm directory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-30 17:56
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-30 17:56
Reported
2024-08-30 17:59
Platform
ubuntu1804-amd64-20240611-en
Max time kernel
141s
Max time network
152s
Command Line
Signatures
Checks mountinfo of local process
| Description | Indicator | Process | Target |
| File opened for reading | /proc/1/mountinfo | /tmp/update | N/A |
Reads hardware information
| Description | Indicator | Process | Target |
| File opened for reading | /sys/class/dmi/id/product_uuid | /tmp/update | N/A |
Reads list of loaded kernel modules
| Description | Indicator | Process | Target |
| File opened for reading | /proc/modules | /tmp/update | N/A |
Checks CPU configuration
| Description | Indicator | Process | Target |
| File opened for reading | /proc/cpuinfo | /tmp/update | N/A |
Enumerates kernel/hardware configuration
| Description | Indicator | Process | Target |
| File opened for reading | /sys/kernel/mm/transparent_hugepage/hpage_pmd_size | /tmp/update | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/self/maps | /tmp/update | N/A |
| File opened for reading | /proc/self/cgroup | /tmp/update | N/A |
| File opened for reading | /proc/filesystems | /tmp/update | N/A |
| File opened for reading | /proc/1/stat | /tmp/update | N/A |
| File opened for reading | /proc/1/comm | /tmp/update | N/A |
| File opened for reading | /proc/stat | /tmp/update | N/A |
| File opened for reading | /proc/bus/pci/devices | /tmp/update | N/A |
| File opened for reading | /proc/self/status | /tmp/update | N/A |
| File opened for reading | /proc/1/environ | /tmp/update | N/A |
Writes file to shm directory
| Description | Indicator | Process | Target |
| File opened for modification | /dev/shm/.shmRYDjAr | /tmp/update | N/A |
Processes
/tmp/update
[/tmp/update]
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp | |
| GB | 185.125.188.62:443 | tcp | |
| GB | 185.125.188.62:443 | tcp | |
| US | 151.101.65.91:443 | tcp | |
| US | 151.101.65.91:443 | tcp | |
| GB | 89.187.167.9:443 | tcp | |
| CN | 123.56.45.175:443 | tcp | |
| CN | 123.56.45.175:443 | tcp | |
| US | 1.1.1.1:53 | 130.0.127.10.in-addr.arpa | udp |
| US | 1.1.1.1:53 | 175.45.56.123.in-addr.arpa | udp |
| CN | 123.57.223.22:443 | tcp | |
| CN | 123.57.223.22:443 | tcp | |
| CN | 39.107.75.91:443 | tcp | |
| CN | 39.107.75.91:443 | tcp | |
| CN | 182.92.101.4:443 | tcp | |
| CN | 182.92.101.4:443 | tcp |
Files
/dev/shm/.shmRYDjAr
| MD5 | 0cc445a80a3a1156192fc079d575428f |
| SHA1 | 8a403a154a5835296cf812cdbbab50c445e9758d |
| SHA256 | 20f09959706797b81b2a4de627c01d0c0d890d142954d455a0e50f7811bdc951 |
| SHA512 | 1eb6cce112630cc62379bacad791c41b383fa318a90ffeef40419d1029d444fa1a7763908926e909b1fc1c52822511ba155ff3ab23c9f362bdb68670fbf3c4d0 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-30 17:56
Reported
2024-08-30 17:59
Platform
ubuntu2004-amd64-20240611-en
Max time kernel
141s
Max time network
141s
Command Line
Signatures
Checks mountinfo of local process
| Description | Indicator | Process | Target |
| File opened for reading | /proc/1/mountinfo | /tmp/update | N/A |
Reads hardware information
| Description | Indicator | Process | Target |
| File opened for reading | /sys/class/dmi/id/product_uuid | /tmp/update | N/A |
Reads list of loaded kernel modules
| Description | Indicator | Process | Target |
| File opened for reading | /proc/modules | /tmp/update | N/A |
Checks CPU configuration
| Description | Indicator | Process | Target |
| File opened for reading | /proc/cpuinfo | /tmp/update | N/A |
Enumerates kernel/hardware configuration
| Description | Indicator | Process | Target |
| File opened for reading | /sys/kernel/mm/transparent_hugepage/hpage_pmd_size | /tmp/update | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/self/maps | /tmp/update | N/A |
| File opened for reading | /proc/filesystems | /tmp/update | N/A |
| File opened for reading | /proc/1/stat | /tmp/update | N/A |
| File opened for reading | /proc/1/comm | /tmp/update | N/A |
| File opened for reading | /proc/self/cgroup | /tmp/update | N/A |
| File opened for reading | /proc/stat | /tmp/update | N/A |
| File opened for reading | /proc/bus/pci/devices | /tmp/update | N/A |
| File opened for reading | /proc/self/status | /tmp/update | N/A |
| File opened for reading | /proc/1/environ | /tmp/update | N/A |
Writes file to shm directory
| Description | Indicator | Process | Target |
| File opened for modification | /dev/shm/.shmTojAvR | /tmp/update | N/A |
Processes
/tmp/update
[/tmp/update]
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp | |
| US | 1.1.1.1:53 | connectivity-check.ubuntu.com | udp |
| CN | 123.56.45.175:443 | tcp | |
| CN | 123.56.45.175:443 | tcp | |
| CN | 123.57.223.22:443 | tcp | |
| CN | 123.57.223.22:443 | tcp | |
| CN | 39.107.75.91:443 | tcp | |
| CN | 39.107.75.91:443 | tcp | |
| CN | 182.92.101.4:443 | tcp | |
| US | 1.1.1.1:53 | connectivity-check.ubuntu.com | udp |
| CN | 182.92.101.4:443 | tcp |
Files
/dev/shm/.shmTojAvR
| MD5 | 0cc445a80a3a1156192fc079d575428f |
| SHA1 | 8a403a154a5835296cf812cdbbab50c445e9758d |
| SHA256 | 20f09959706797b81b2a4de627c01d0c0d890d142954d455a0e50f7811bdc951 |
| SHA512 | 1eb6cce112630cc62379bacad791c41b383fa318a90ffeef40419d1029d444fa1a7763908926e909b1fc1c52822511ba155ff3ab23c9f362bdb68670fbf3c4d0 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-08-30 17:56
Reported
2024-08-30 17:59
Platform
ubuntu2204-amd64-20240729-en
Max time kernel
113s
Max time network
131s
Command Line
Signatures
Checks mountinfo of local process
| Description | Indicator | Process | Target |
| File opened for reading | /proc/1/mountinfo | /tmp/update | N/A |
Reads hardware information
| Description | Indicator | Process | Target |
| File opened for reading | /sys/class/dmi/id/product_uuid | /tmp/update | N/A |
Reads list of loaded kernel modules
| Description | Indicator | Process | Target |
| File opened for reading | /proc/modules | /tmp/update | N/A |
Checks CPU configuration
| Description | Indicator | Process | Target |
| File opened for reading | /proc/cpuinfo | /tmp/update | N/A |
Enumerates kernel/hardware configuration
| Description | Indicator | Process | Target |
| File opened for reading | /sys/kernel/mm/transparent_hugepage/hpage_pmd_size | /tmp/update | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/self/maps | /tmp/update | N/A |
| File opened for reading | /proc/bus/pci/devices | /tmp/update | N/A |
| File opened for reading | /proc/1/comm | /tmp/update | N/A |
| File opened for reading | /proc/filesystems | /tmp/update | N/A |
| File opened for reading | /proc/1/stat | /tmp/update | N/A |
| File opened for reading | /proc/stat | /tmp/update | N/A |
| File opened for reading | /proc/self/status | /tmp/update | N/A |
| File opened for reading | /proc/1/environ | /tmp/update | N/A |
| File opened for reading | /proc/self/cgroup | /tmp/update | N/A |
Writes file to shm directory
| Description | Indicator | Process | Target |
| File opened for modification | /dev/shm/.shm2z9QBZ | /tmp/update | N/A |
Processes
/tmp/update
[/tmp/update]
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp | |
| CN | 123.56.45.175:443 | tcp | |
| CN | 123.56.45.175:443 | tcp | |
| CN | 123.57.223.22:443 | tcp | |
| CN | 123.57.223.22:443 | tcp | |
| CN | 39.107.75.91:443 | tcp | |
| CN | 39.107.75.91:443 | tcp |
Files
/dev/shm/.shm2z9QBZ
| MD5 | 0cc445a80a3a1156192fc079d575428f |
| SHA1 | 8a403a154a5835296cf812cdbbab50c445e9758d |
| SHA256 | 20f09959706797b81b2a4de627c01d0c0d890d142954d455a0e50f7811bdc951 |
| SHA512 | 1eb6cce112630cc62379bacad791c41b383fa318a90ffeef40419d1029d444fa1a7763908926e909b1fc1c52822511ba155ff3ab23c9f362bdb68670fbf3c4d0 |
Analysis: behavioral4
Detonation Overview
Submitted
2024-08-30 17:56
Reported
2024-08-30 17:59
Platform
ubuntu2404-amd64-20240523-en
Max time kernel
141s
Max time network
152s
Command Line
Signatures
Checks mountinfo of local process
| Description | Indicator | Process | Target |
| File opened for reading | /proc/1/mountinfo | /tmp/update | N/A |
Reads hardware information
| Description | Indicator | Process | Target |
| File opened for reading | /sys/class/dmi/id/product_uuid | /tmp/update | N/A |
Reads list of loaded kernel modules
| Description | Indicator | Process | Target |
| File opened for reading | /proc/modules | /tmp/update | N/A |
Checks CPU configuration
| Description | Indicator | Process | Target |
| File opened for reading | /proc/cpuinfo | /tmp/update | N/A |
Enumerates kernel/hardware configuration
| Description | Indicator | Process | Target |
| File opened for reading | /sys/kernel/mm/transparent_hugepage/hpage_pmd_size | /tmp/update | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/bus/pci/devices | /tmp/update | N/A |
| File opened for reading | /proc/filesystems | /tmp/update | N/A |
| File opened for reading | /proc/1/stat | /tmp/update | N/A |
| File opened for reading | /proc/1/comm | /tmp/update | N/A |
| File opened for reading | /proc/self/maps | /tmp/update | N/A |
| File opened for reading | /proc/stat | /tmp/update | N/A |
| File opened for reading | /proc/self/status | /tmp/update | N/A |
| File opened for reading | /proc/1/environ | /tmp/update | N/A |
| File opened for reading | /proc/self/cgroup | /tmp/update | N/A |
Writes file to shm directory
| Description | Indicator | Process | Target |
| File opened for modification | /dev/shm/.shm7DLlM8 | /tmp/update | N/A |
Processes
/tmp/update
[/tmp/update]
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp | |
| CN | 123.56.45.175:443 | tcp | |
| CN | 123.56.45.175:443 | tcp | |
| CN | 123.57.223.22:443 | tcp | |
| CN | 123.57.223.22:443 | tcp | |
| CN | 39.107.75.91:443 | tcp | |
| CN | 39.107.75.91:443 | tcp | |
| CN | 182.92.101.4:443 | tcp | |
| CN | 182.92.101.4:443 | tcp |
Files
/dev/shm/.shm7DLlM8
| MD5 | 0cc445a80a3a1156192fc079d575428f |
| SHA1 | 8a403a154a5835296cf812cdbbab50c445e9758d |
| SHA256 | 20f09959706797b81b2a4de627c01d0c0d890d142954d455a0e50f7811bdc951 |
| SHA512 | 1eb6cce112630cc62379bacad791c41b383fa318a90ffeef40419d1029d444fa1a7763908926e909b1fc1c52822511ba155ff3ab23c9f362bdb68670fbf3c4d0 |