Malware Analysis Report

2024-10-16 03:21

Sample ID 240917-vn2lxavapp
Target Blackmatter.elf
SHA256 6a7b7147fea63d77368c73cef205eb75d16ef209a246b05698358a28fd16e502
Tags
bab21ee475b52c0c9eb47d23ec9ba1d1 blackmatter defense_evasion discovery ransomware
score
10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V15
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

6a7b7147fea63d77368c73cef205eb75d16ef209a246b05698358a28fd16e502

Threat Level: Known bad

The file Blackmatter.elf was found to be: Known bad.

Malicious Activity Summary

bab21ee475b52c0c9eb47d23ec9ba1d1 blackmatter defense_evasion discovery ransomware

Blackmatter family

Deletes itself

Deletes log files

Reads CPU attributes

Writes file to tmp directory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-17 17:08

Signatures

Blackmatter family

blackmatter

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-17 17:08

Reported

2024-09-17 17:10

Platform

ubuntu2204-amd64-20240522.1-en

Max time kernel

9s

Max time network

45s

Command Line

[/tmp/Blackmatter.elf]

Signatures

Deletes itself

Description | Indicator | Process | Target
N/A         | N/A       | N/A     | N/A

Deletes log files

defense_evasion
Description    | Indicator                                                  | Process              | Target
File truncated | /var/log/.1BF5CC212DC7FB1A0EFC4B93CB0C38C0C67838D9DC2DF9EF | /tmp/Blackmatter.elf | N/A
File truncated | /var/log/ReadMe.txt                                        | /tmp/Blackmatter.elf | N/A

Reads CPU attributes

discovery
Description             | Indicator                     | Process              | Target
File opened for reading | /sys/devices/system/cpu/online | /tmp/Blackmatter.elf | N/A

Writes file to tmp directory

Description                  | Indicator                                  | Process              | Target
File opened for modification | /tmp/.DBFD055C-9CF2-4BB8-908E-6DA22321BF17 | /tmp/Blackmatter.elf | N/A
File opened for modification | /tmp/main.log                              | /tmp/Blackmatter.elf | N/A

Processes

/tmp/Blackmatter.elf

[/tmp/Blackmatter.elf]

Network

Country | Destination         | Domain                                  | Proto
N/A     | 224.0.0.251:5353    |                                         | udp
US      | 8.8.8.8:53          | mojobiden.com                           | udp
US      | 15.197.148.33:80    | mojobiden.com                           | tcp
US      | 8.8.8.8:53          | paymenthacks.com                        | udp
US      | 204.11.56.48:80     | paymenthacks.com                        | tcp
US      | 8.8.8.8:53          | _http._tcp.security.ubuntu.com          | udp
US      | 8.8.8.8:53          | _http._tcp.se.archive.ubuntu.com        | udp
US      | 8.8.8.8:53          | security.ubuntu.com                     | udp
US      | 8.8.8.8:53          | security.ubuntu.com                     | udp
US      | 8.8.8.8:53          | se.archive.ubuntu.com                   | udp
US      | 8.8.8.8:53          | se.archive.ubuntu.com                   | udp
GB      | 185.125.190.82:80   | security.ubuntu.com                     | tcp
SE      | 194.71.11.173:80    | se.archive.ubuntu.com                   | tcp
US      | 8.8.8.8:53          | _http._tcp.saimei.ftp.acc.umu.se        | udp
US      | 8.8.8.8:53          | _http._tcp.chuangtzu.ftp.acc.umu.se     | udp
US      | 8.8.8.8:53          | saimei.ftp.acc.umu.se                   | udp
US      | 8.8.8.8:53          | saimei.ftp.acc.umu.se                   | udp
US      | 8.8.8.8:53          | chuangtzu.ftp.acc.umu.se                | udp
US      | 8.8.8.8:53          | chuangtzu.ftp.acc.umu.se                | udp
SE      | 194.71.11.167:80    | chuangtzu.ftp.acc.umu.se                | tcp
SE      | 194.71.11.138:80    | saimei.ftp.acc.umu.se                   | tcp

Files

/tmp/.DBFD055C-9CF2-4BB8-908E-6DA22321BF17

MD5 453e58926c7a670009ef3037c574bf4f
SHA1 089db9df121f723b61996ea0f83ead7e3c5ba493
SHA256 72b6bda4f2579b6caad832e3457f82bdd4d300039ccc5d7fa730482eb335c753
SHA512 31b66ed53ab01f776fd60e7cb14e8edf3f0509c331b2be05689802d7864d8da36034b7045f2d810e4c317a3c8c9d59a616fadd8499178259b1ad7fd892cb1f77

/tmp/main.log

MD5 1716a832476acbf34edccb7ea4119517
SHA1 204d791669569519e5a14f31aa424a2be5b04a21
SHA256 9d33037b78fe0f86f457b69638d4023df2f86465894031f502de72b5a241e2a0
SHA512 cc3b03522734c4a22ed5b7b44edbb71e52c0f9c2909e4ddd4baf31d3490810c787909b25b725fac0bf1f6945e689eba92675557403bfa92e6b798d174b47480a

/var/log/ReadMe.txt

MD5 a5d1d021df6f81a4137d7b58f2c94f33
SHA1 e5d2cd2451e8464bafb63cc6f6df74f7dc3ca4c1
SHA256 005191d057f679970d95c15e553229f82d66c5b1f08d5aecbd4ce4c9dc27856e
SHA512 d5f6f53cc7f18585214883a9de312c677e7adcc8956a01ae5583e859d730ea2be88f0ff8c297c9f1235b8695191758712845d1d6e801e5cef7979209868643c0

/var/log/.1BF5CC212DC7FB1A0EFC4B93CB0C38C0C67838D9DC2DF9EF

MD5 0ffbff75b5ad12307e1cca224ee58d0e
SHA1 36dbab6ff8b84ccb3b9bbd7b609dec175d73d9b5
SHA256 a50895d8f4102deb59d14fa72862f705e88b2462686ee027ea9a63e8340a8653
SHA512 fa10abf4c5a89f00f1329878108b7c4e356c6ac1e2e0fba84a16872b8db34617f97edb12107f250981e40b54700a490914b124306b4771cf2092fb4842d0ee43