Malware Analysis Report

2024-11-30 16:23

Sample ID 240905-vdmp1awcnf
Target vac
SHA256 1f0323eda8e0ecb09deaaf9200d1c985d431813e19e4d31dd2898d8ad15f8c2d
Tags: discovery, execution, persistence, privilege_escalation

Score: 7/10

Analysis Overview

Score: 7/10

SHA256: 1f0323eda8e0ecb09deaaf9200d1c985d431813e19e4d31dd2898d8ad15f8c2d

Threat Level: Shows suspicious behavior

The file vac was found to show suspicious behavior.

Malicious Activity Summary

Tactics: discovery, execution, persistence, privilege_escalation

Executes dropped EXE

Creates/modifies Cron job

Writes file to system bin folder

Reads runtime system information

Writes file to tmp directory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-09-05 16:52

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-09-05 16:52

Reported: 2024-09-05 16:55

Platform: ubuntu2404-amd64-20240523-en

Max time kernel: 25s

Max time network: 132s

Command Line

[/tmp/vac]

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/fileAF7FQ3 /tmp/fileAF7FQ3 N/A
N/A /tmp/fileU4Rzi1 /tmp/fileU4Rzi1 N/A
N/A /tmp/fileSxrHKb /tmp/fileSxrHKb N/A
N/A /tmp/fileg6zEL3 /tmp/fileg6zEL3 N/A
N/A /tmp/filePMz3ZE /tmp/filePMz3ZE N/A
N/A /tmp/filepJxRGQ /tmp/filepJxRGQ N/A
N/A /tmp/filenZSgAW /tmp/filenZSgAW N/A
N/A /tmp/fileTQN1Lt /tmp/fileTQN1Lt N/A
N/A /tmp/fileS6KAKj /tmp/fileS6KAKj N/A
N/A /tmp/fileBj5isw /tmp/fileBj5isw N/A
N/A /tmp/file1g7ULM /tmp/file1g7ULM N/A
N/A /tmp/fileCKmZGX /tmp/fileCKmZGX N/A
N/A /tmp/fileZgKFj7 /tmp/fileZgKFj7 N/A
N/A /tmp/fileS8itZt /tmp/fileS8itZt N/A
N/A /tmp/fileO6wFvo /tmp/fileO6wFvo N/A
N/A /tmp/file2X8kcE /tmp/file2X8kcE N/A
N/A /tmp/filebOFqHL /tmp/filebOFqHL N/A
N/A /tmp/filetcpIC9 /tmp/filetcpIC9 N/A
N/A /tmp/fileqxKp1u /tmp/fileqxKp1u N/A
N/A /tmp/file3EBczs /tmp/file3EBczs N/A
N/A /tmp/fileJMVBq1 /tmp/fileJMVBq1 N/A
N/A /tmp/fileGLKqkj /tmp/fileGLKqkj N/A
N/A /tmp/file4gLyCS /tmp/file4gLyCS N/A
N/A /tmp/filejPGAol /tmp/filejPGAol N/A
N/A /tmp/file4mMfbk /tmp/file4mMfbk N/A
N/A /tmp/filempT3ra /tmp/filempT3ra N/A
N/A /tmp/fileFUKEei /tmp/fileFUKEei N/A
N/A /tmp/file6KqtXc /tmp/file6KqtXc N/A
N/A /tmp/fileJouaWa /tmp/fileJouaWa N/A
N/A /tmp/fileJhj06p /tmp/fileJhj06p N/A
N/A /tmp/filecMdt1N /tmp/filecMdt1N N/A
N/A /tmp/fileCKspTP /tmp/fileCKspTP N/A
N/A /tmp/filehliO5e /tmp/filehliO5e N/A
N/A /tmp/fileTgSnFn /tmp/fileTgSnFn N/A
N/A /tmp/filete2sxA /tmp/filete2sxA N/A
N/A /tmp/file5zSbzk /tmp/file5zSbzk N/A
N/A /tmp/file7wm7Oi /tmp/file7wm7Oi N/A
N/A /tmp/fileaG0N1q /tmp/fileaG0N1q N/A
N/A /tmp/filevi53qv /tmp/filevi53qv N/A
N/A /tmp/filesUbXGn /tmp/filesUbXGn N/A
N/A /tmp/filePcnbJJ /tmp/filePcnbJJ N/A
N/A /tmp/fileRA3xEx /tmp/fileRA3xEx N/A
N/A /tmp/filekgddqe /tmp/filekgddqe N/A
N/A /tmp/fileB3WqHI /tmp/fileB3WqHI N/A

Creates/modifies Cron job

Tactics: execution, persistence, privilege_escalation
Description Indicator Process Target
File opened for modification /etc/cron.hourly/0 /tmp/filePMz3ZE N/A
File opened for modification /etc/cron.hourly/0 /tmp/fileBj5isw N/A
File opened for modification /etc/cron.hourly/0 /tmp/filesUbXGn N/A
File opened for modification /etc/cron.hourly/0 /tmp/fileFUKEei N/A
File opened for modification /etc/cron.hourly/0 /tmp/file5zSbzk N/A
File opened for modification /etc/cron.hourly/0 /tmp/filevi53qv N/A
File opened for modification /etc/cron.hourly/0 /tmp/fileSxrHKb N/A
File opened for modification /etc/cron.hourly/0 /tmp/fileTQN1Lt N/A
File opened for modification /etc/cron.hourly/0 /tmp/fileS6KAKj N/A
File opened for modification /etc/cron.hourly/0 /tmp/fileZgKFj7 N/A
File opened for modification /etc/cron.hourly/0 /tmp/fileqxKp1u N/A
File opened for modification /etc/cron.hourly/0 /tmp/filePcnbJJ N/A
File opened for modification /etc/cron.hourly/0 /tmp/filekgddqe N/A
File opened for modification /etc/cron.hourly/0 /tmp/fileg6zEL3 N/A
File opened for modification /etc/cron.hourly/0 /tmp/filepJxRGQ N/A
File opened for modification /etc/cron.hourly/0 /tmp/fileS8itZt N/A
File opened for modification /etc/cron.hourly/0 /tmp/file3EBczs N/A
File opened for modification /etc/cron.hourly/0 /tmp/fileaG0N1q N/A
File opened for modification /etc/cron.hourly/0 /tmp/fileO6wFvo N/A
File opened for modification /etc/cron.hourly/0 /tmp/file2X8kcE N/A
File opened for modification /etc/cron.hourly/0 /tmp/filetcpIC9 N/A
File opened for modification /etc/cron.hourly/0 /tmp/fileCKspTP N/A
File opened for modification /etc/cron.hourly/0 /tmp/filenZSgAW N/A
File opened for modification /etc/cron.hourly/0 /tmp/fileGLKqkj N/A
File opened for modification /etc/cron.hourly/0 /tmp/filete2sxA N/A
File opened for modification /etc/cron.hourly/0 /tmp/file6KqtXc N/A
File opened for modification /etc/cron.hourly/0 /tmp/fileJhj06p N/A
File opened for modification /etc/cron.hourly/0 /tmp/fileTgSnFn N/A
File opened for modification /etc/cron.hourly/0 /tmp/vac N/A
File opened for modification /etc/cron.hourly/0 /tmp/fileAF7FQ3 N/A
File opened for modification /etc/cron.hourly/0 /tmp/file1g7ULM N/A
File opened for modification /etc/cron.hourly/0 /tmp/file4gLyCS N/A
File opened for modification /etc/cron.hourly/0 /tmp/file4mMfbk N/A
File opened for modification /etc/cron.hourly/0 /tmp/file7wm7Oi N/A
File opened for modification /etc/cron.hourly/0 /tmp/fileRA3xEx N/A
File opened for modification /etc/cron.hourly/0 /tmp/filebOFqHL N/A
File opened for modification /etc/cron.hourly/0 /tmp/fileJMVBq1 N/A
File opened for modification /etc/cron.hourly/0 /tmp/filempT3ra N/A
File opened for modification /etc/cron.hourly/0 /tmp/fileJouaWa N/A
File opened for modification /etc/cron.hourly/0 /tmp/filecMdt1N N/A
File opened for modification /etc/cron.hourly/0 /tmp/fileU4Rzi1 N/A
File opened for modification /etc/cron.hourly/0 /tmp/fileCKmZGX N/A
File opened for modification /etc/cron.hourly/0 /tmp/filejPGAol N/A
File opened for modification /etc/cron.hourly/0 /tmp/filehliO5e N/A

Writes file to system bin folder

Description Indicator Process Target
File opened for modification /bin/ls /tmp/vac N/A

Reads runtime system information

Tactics: discovery
Description Indicator Process Target
File opened for reading /proc/self/exe /tmp/file2X8kcE N/A
File opened for reading /proc/self/exe /tmp/file4gLyCS N/A
File opened for reading /proc/self/exe /tmp/filempT3ra N/A
File opened for reading /proc/self/exe /tmp/fileTgSnFn N/A
File opened for reading /proc/self/exe /tmp/filete2sxA N/A
File opened for reading /proc/self/exe /tmp/file7wm7Oi N/A
File opened for reading /proc/self/exe /tmp/fileAF7FQ3 N/A
File opened for reading /proc/self/exe /tmp/fileU4Rzi1 N/A
File opened for reading /proc/self/exe /tmp/filePcnbJJ N/A
File opened for reading /proc/self/exe /tmp/filejPGAol N/A
File opened for reading /proc/self/exe /tmp/filecMdt1N N/A
File opened for reading /proc/self/exe /tmp/fileaG0N1q N/A
File opened for reading /proc/self/exe /tmp/filesUbXGn N/A
File opened for reading /proc/self/exe /tmp/filekgddqe N/A
File opened for reading /proc/self/exe /tmp/fileTQN1Lt N/A
File opened for reading /proc/self/exe /tmp/fileO6wFvo N/A
File opened for reading /proc/self/exe /tmp/fileS6KAKj N/A
File opened for reading /proc/self/exe /tmp/fileBj5isw N/A
File opened for reading /proc/self/exe /tmp/vac N/A
File opened for reading /proc/self/exe /tmp/filenZSgAW N/A
File opened for reading /proc/self/exe /tmp/fileJhj06p N/A
File opened for reading /proc/self/exe /tmp/file5zSbzk N/A
File opened for reading /proc/self/exe /tmp/fileCKmZGX N/A
File opened for reading /proc/self/exe /tmp/file3EBczs N/A
File opened for reading /proc/self/exe /tmp/fileS8itZt N/A
File opened for reading /proc/self/exe /tmp/filetcpIC9 N/A
File opened for reading /proc/self/exe /tmp/file6KqtXc N/A
File opened for reading /proc/self/exe /tmp/fileCKspTP N/A
File opened for reading /proc/self/exe /tmp/filevi53qv N/A
File opened for reading /proc/self/exe /tmp/fileB3WqHI N/A
File opened for reading /proc/self/exe /tmp/fileSxrHKb N/A
File opened for reading /proc/self/exe /tmp/filePMz3ZE N/A
File opened for reading /proc/self/exe /tmp/fileGLKqkj N/A
File opened for reading /proc/self/exe /tmp/fileFUKEei N/A
File opened for reading /proc/self/exe /tmp/fileJouaWa N/A
File opened for reading /proc/self/exe /tmp/filehliO5e N/A
File opened for reading /proc/self/exe /tmp/fileRA3xEx N/A
File opened for reading /proc/self/exe /tmp/filebOFqHL N/A
File opened for reading /proc/self/exe /tmp/fileJMVBq1 N/A
File opened for reading /proc/self/exe /tmp/filepJxRGQ N/A
File opened for reading /proc/self/exe /tmp/fileZgKFj7 N/A
File opened for reading /proc/self/exe /tmp/fileqxKp1u N/A
File opened for reading /proc/self/exe /tmp/file4mMfbk N/A
File opened for reading /proc/self/exe /tmp/fileg6zEL3 N/A
File opened for reading /proc/self/exe /tmp/file1g7ULM N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/file1g7ULM /tmp/fileBj5isw N/A
File opened for modification /tmp/filecMdt1N /tmp/fileJhj06p N/A
File opened for modification /tmp/fileJMVBq1 /tmp/file3EBczs N/A
File opened for modification /tmp/filempT3ra /tmp/file4mMfbk N/A
File opened for modification /tmp/filesUbXGn /tmp/filevi53qv N/A
File opened for modification /tmp/filePcnbJJ /tmp/filesUbXGn N/A
File opened for modification /tmp/fileU4Rzi1 /tmp/fileAF7FQ3 N/A
File opened for modification /tmp/fileS6KAKj /tmp/fileTQN1Lt N/A
File opened for modification /tmp/fileBj5isw /tmp/fileS6KAKj N/A
File opened for modification /tmp/filePMz3ZE /tmp/fileg6zEL3 N/A
File opened for modification /tmp/fileCKmZGX /tmp/file1g7ULM N/A
File opened for modification /tmp/fileGLKqkj /tmp/fileJMVBq1 N/A
File opened for modification /tmp/file4gLyCS /tmp/fileGLKqkj N/A
File opened for modification /tmp/file6KqtXc /tmp/fileFUKEei N/A
File opened for modification /tmp/fileAF7FQ3 /tmp/vac N/A
File opened for modification /tmp/fileSxrHKb /tmp/fileU4Rzi1 N/A
File opened for modification /tmp/fileg6zEL3 /tmp/fileSxrHKb N/A
File opened for modification /tmp/fileTgSnFn /tmp/filehliO5e N/A
File opened for modification /tmp/filevi53qv /tmp/fileaG0N1q N/A
File opened for modification /tmp/file4mMfbk /tmp/filejPGAol N/A
File opened for modification /tmp/fileJhj06p /tmp/fileJouaWa N/A
File opened for modification /tmp/file5zSbzk /tmp/filete2sxA N/A
File opened for modification /tmp/fileaG0N1q /tmp/file7wm7Oi N/A
File opened for modification /tmp/filenZSgAW /tmp/filepJxRGQ N/A
File opened for modification /tmp/fileTQN1Lt /tmp/filenZSgAW N/A
File opened for modification /tmp/filebOFqHL /tmp/file2X8kcE N/A
File opened for modification /tmp/filetcpIC9 /tmp/filebOFqHL N/A
File opened for modification /tmp/fileCKspTP /tmp/filecMdt1N N/A
File opened for modification /tmp/fileRA3xEx /tmp/filePcnbJJ N/A
File opened for modification /tmp/fileB3WqHI /tmp/filekgddqe N/A
File opened for modification /tmp/fileZgKFj7 /tmp/fileCKmZGX N/A
File opened for modification /tmp/fileO6wFvo /tmp/fileS8itZt N/A
File opened for modification /tmp/file2X8kcE /tmp/fileO6wFvo N/A
File opened for modification /tmp/file7wm7Oi /tmp/file5zSbzk N/A
File opened for modification /tmp/fileS8itZt /tmp/fileZgKFj7 N/A
File opened for modification /tmp/filejPGAol /tmp/file4gLyCS N/A
File opened for modification /tmp/fileJouaWa /tmp/file6KqtXc N/A
File opened for modification /tmp/filehliO5e /tmp/fileCKspTP N/A
File opened for modification /tmp/filekgddqe /tmp/fileRA3xEx N/A
File opened for modification /tmp/fileo2F9BV /tmp/fileB3WqHI N/A
File opened for modification /tmp/filepJxRGQ /tmp/filePMz3ZE N/A
File opened for modification /tmp/fileqxKp1u /tmp/filetcpIC9 N/A
File opened for modification /tmp/fileFUKEei /tmp/filempT3ra N/A
File opened for modification /tmp/file3EBczs /tmp/fileqxKp1u N/A
File opened for modification /tmp/filete2sxA /tmp/fileTgSnFn N/A

Processes

Process Command Line
/tmp/vac [/tmp/vac]
/tmp/fileAF7FQ3 [/tmp/vac]
/tmp/fileU4Rzi1 [/tmp/vac]
/tmp/fileSxrHKb [/tmp/vac]
/tmp/fileg6zEL3 [/tmp/vac]
/tmp/filePMz3ZE [/tmp/vac]
/tmp/filepJxRGQ [/tmp/vac]
/tmp/filenZSgAW [/tmp/vac]
/tmp/fileTQN1Lt [/tmp/vac]
/tmp/fileS6KAKj [/tmp/vac]
/tmp/fileBj5isw [/tmp/vac]
/tmp/file1g7ULM [/tmp/vac]
/tmp/fileCKmZGX [/tmp/vac]
/tmp/fileZgKFj7 [/tmp/vac]
/tmp/fileS8itZt [/tmp/vac]
/tmp/fileO6wFvo [/tmp/vac]
/tmp/file2X8kcE [/tmp/vac]
/tmp/filebOFqHL [/tmp/vac]
/tmp/filetcpIC9 [/tmp/vac]
/tmp/fileqxKp1u [/tmp/vac]
/tmp/file3EBczs [/tmp/vac]
/tmp/fileJMVBq1 [/tmp/vac]
/tmp/fileGLKqkj [/tmp/vac]
/tmp/file4gLyCS [/tmp/vac]
/tmp/filejPGAol [/tmp/vac]
/tmp/file4mMfbk [/tmp/vac]
/tmp/filempT3ra [/tmp/vac]
/tmp/fileFUKEei [/tmp/vac]
/tmp/file6KqtXc [/tmp/vac]
/tmp/fileJouaWa [/tmp/vac]
/tmp/fileJhj06p [/tmp/vac]
/tmp/filecMdt1N [/tmp/vac]
/tmp/fileCKspTP [/tmp/vac]
/tmp/filehliO5e [/tmp/vac]
/tmp/fileTgSnFn [/tmp/vac]
/tmp/filete2sxA [/tmp/vac]
/tmp/file5zSbzk [/tmp/vac]
/tmp/file7wm7Oi [/tmp/vac]
/tmp/fileaG0N1q [/tmp/vac]
/tmp/filevi53qv [/tmp/vac]
/tmp/filesUbXGn [/tmp/vac]
/tmp/filePcnbJJ [/tmp/vac]
/tmp/fileRA3xEx [/tmp/vac]
/tmp/filekgddqe [/tmp/vac]
/tmp/fileB3WqHI [/tmp/vac]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

/tmp/fileAF7FQ3

MD5 48805d6b82345b2bbb57b35eca8bacf4
SHA1 403f8b330080d7ea3e07201710961d1bad872fcd
SHA256 aee1832e7cf60032f2aa3394db506857f2bca4065bf6444eae1426cc6d9c6037
SHA512 ce361ac513ab1593d18981022d5771e9500b945473b4fa54255cb07650092d7dc679c1b8528a61d8a8b32de61e261e198503f2b8069eb02bab8232d144cffbff

/etc/cron.hourly/0

MD5 3f006f7f81fc17be7f4a0d3da0fad5de
SHA1 97a94d3d0654c6551057af3809b52572bd7f9f5d
SHA256 982f9e0f089b91ba79df723435099df15c72e1201a45010ee60226ab136c93bf
SHA512 97d2ac0057427b940ada7c0fc805c1966e2535c3c3767ca85fef4a7e0fdc9d4ef9eb133530408b1e439df067881cb317e948ad9bfd487e958a04c97d9db978e0

/tmp/fileAF7FQ3

MD5 b1d1639bf838956f5a587ff28615de40
SHA1 a28c606b566f6c71626a71d90d7a0b7cd79a86b4
SHA256 1f0323eda8e0ecb09deaaf9200d1c985d431813e19e4d31dd2898d8ad15f8c2d
SHA512 2d1c2f021a053b2d24974c992bb912c2cc581ab0fdccd81d43b3819610cc88a27beff7e5923e94495a2b0d0ea4c2ff50455f1260d8ca1c73c9594c8b0c9cc4fe