Analysis Overview
score
10/10
SHA256
6a7b7147fea63d77368c73cef205eb75d16ef209a246b05698358a28fd16e502
Threat Level: Known bad
The file Blackmatter.elf was found to be: Known bad.
Malicious Activity Summary
Blackmatter family
Deletes itself
Deletes log files
Reads CPU attributes
Writes file to tmp directory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-17 17:08
Signatures
Blackmatter family
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-17 17:08
Reported
2024-09-17 17:10
Platform
ubuntu2204-amd64-20240522.1-en
Max time kernel
9s
Max time network
45s
Command Line
[/tmp/Blackmatter.elf]
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Deletes log files
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File truncated | /var/log/.1BF5CC212DC7FB1A0EFC4B93CB0C38C0C67838D9DC2DF9EF | /tmp/Blackmatter.elf | N/A |
| File truncated | /var/log/ReadMe.txt | /tmp/Blackmatter.elf | N/A |
Reads CPU attributes
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for reading | /sys/devices/system/cpu/online | /tmp/Blackmatter.elf | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | /tmp/.DBFD055C-9CF2-4BB8-908E-6DA22321BF17 | /tmp/Blackmatter.elf | N/A |
| File opened for modification | /tmp/main.log | /tmp/Blackmatter.elf | N/A |
Processes
/tmp/Blackmatter.elf
[/tmp/Blackmatter.elf]
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | mojobiden.com | udp |
| US | 15.197.148.33:80 | mojobiden.com | tcp |
| US | 8.8.8.8:53 | paymenthacks.com | udp |
| US | 204.11.56.48:80 | paymenthacks.com | tcp |
| US | 8.8.8.8:53 | _http._tcp.security.ubuntu.com | udp |
| US | 8.8.8.8:53 | _http._tcp.se.archive.ubuntu.com | udp |
| US | 8.8.8.8:53 | security.ubuntu.com | udp |
| US | 8.8.8.8:53 | security.ubuntu.com | udp |
| US | 8.8.8.8:53 | se.archive.ubuntu.com | udp |
| US | 8.8.8.8:53 | se.archive.ubuntu.com | udp |
| GB | 185.125.190.82:80 | security.ubuntu.com | tcp |
| SE | 194.71.11.173:80 | se.archive.ubuntu.com | tcp |
| US | 8.8.8.8:53 | _http._tcp.saimei.ftp.acc.umu.se | udp |
| US | 8.8.8.8:53 | _http._tcp.chuangtzu.ftp.acc.umu.se | udp |
| US | 8.8.8.8:53 | saimei.ftp.acc.umu.se | udp |
| US | 8.8.8.8:53 | saimei.ftp.acc.umu.se | udp |
| US | 8.8.8.8:53 | chuangtzu.ftp.acc.umu.se | udp |
| US | 8.8.8.8:53 | chuangtzu.ftp.acc.umu.se | udp |
| SE | 194.71.11.167:80 | chuangtzu.ftp.acc.umu.se | tcp |
| SE | 194.71.11.138:80 | saimei.ftp.acc.umu.se | tcp |
Files
/tmp/.DBFD055C-9CF2-4BB8-908E-6DA22321BF17
| Hash | Value |
| --- | --- |
| MD5 | 453e58926c7a670009ef3037c574bf4f |
| SHA1 | 089db9df121f723b61996ea0f83ead7e3c5ba493 |
| SHA256 | 72b6bda4f2579b6caad832e3457f82bdd4d300039ccc5d7fa730482eb335c753 |
| SHA512 | 31b66ed53ab01f776fd60e7cb14e8edf3f0509c331b2be05689802d7864d8da36034b7045f2d810e4c317a3c8c9d59a616fadd8499178259b1ad7fd892cb1f77 |
/tmp/main.log
| Hash | Value |
| --- | --- |
| MD5 | 1716a832476acbf34edccb7ea4119517 |
| SHA1 | 204d791669569519e5a14f31aa424a2be5b04a21 |
| SHA256 | 9d33037b78fe0f86f457b69638d4023df2f86465894031f502de72b5a241e2a0 |
| SHA512 | cc3b03522734c4a22ed5b7b44edbb71e52c0f9c2909e4ddd4baf31d3490810c787909b25b725fac0bf1f6945e689eba92675557403bfa92e6b798d174b47480a |
/var/log/ReadMe.txt
| Hash | Value |
| --- | --- |
| MD5 | a5d1d021df6f81a4137d7b58f2c94f33 |
| SHA1 | e5d2cd2451e8464bafb63cc6f6df74f7dc3ca4c1 |
| SHA256 | 005191d057f679970d95c15e553229f82d66c5b1f08d5aecbd4ce4c9dc27856e |
| SHA512 | d5f6f53cc7f18585214883a9de312c677e7adcc8956a01ae5583e859d730ea2be88f0ff8c297c9f1235b8695191758712845d1d6e801e5cef7979209868643c0 |
/var/log/.1BF5CC212DC7FB1A0EFC4B93CB0C38C0C67838D9DC2DF9EF
| Hash | Value |
| --- | --- |
| MD5 | 0ffbff75b5ad12307e1cca224ee58d0e |
| SHA1 | 36dbab6ff8b84ccb3b9bbd7b609dec175d73d9b5 |
| SHA256 | a50895d8f4102deb59d14fa72862f705e88b2462686ee027ea9a63e8340a8653 |
| SHA512 | fa10abf4c5a89f00f1329878108b7c4e356c6ac1e2e0fba84a16872b8db34617f97edb12107f250981e40b54700a490914b124306b4771cf2092fb4842d0ee43 |