Analysis
max time kernel: 149s
max time network: 144s
platform: ubuntu-22.04_amd64
resource: ubuntu2204-amd64-20250619-en
resource tags: arch:amd64, arch:i386, image:ubuntu2204-amd64-20250619-en, kernel:5.15.0-105-generic, locale:en-us, os:ubuntu-22.04-amd64, system
submitted: 03/07/2025, 05:28
Static task: static1
Behavioral task: behavioral1
Sample: i686.elf
Resource: ubuntu2204-amd64-20250619-en
General
Target: i686.elf
Size: 573KB
MD5: 490ad35e351803f7d5d8adb8cab6ea1b
SHA1: 3967a16181bdf5052fb548890863c0c6b28d2a1c
SHA256: 09e563ee72e2242d9f2e67d402ffe5b1f480134dd34fe8fd05930a90c1fc11ab
SHA512: 6058dcfb54e0394e79760208f5129c8a99f7fb68a4306092929061308bed3be28ffcedfb0846a1fe4d5df5aa544b6e2455a3fa5c033b1d82b74617edb7bfba23
SSDEEP: 12288:5D+Azf/CVCW3ISw+hRNb3W/aTyA9VV/cZWLnR98V+:5D+AznCVNIZ+vNbG/WYWrR98V
Malware Config
Signatures

Renames itself (1 IoC)
  pid: 1563

Checks hardware identifiers (DMI) (1 TTP, 2 IoCs)
Checks DMI information that indicates whether the system is a virtual machine.
  description              ioc                                       Process
  File opened for reading  /sys/devices/virtual/dmi/id/board_vendor  configuration
  File opened for reading  /sys/class/dmi/id/board_vendor            configuration

Creates/modifies Cron job (1 TTP, 1 IoC)
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
  description                   ioc                                  Process
  File opened for modification  /var/spool/cron/crontabs/tmp.sHn8ys  crontab

Enumerates running processes
Discovers information about currently running processes on the system.

Reads MAC address of network interface (2 TTPs, 1 IoC)
Fetches the MAC address of active network interfaces. May be used to detect known values for hypervisors.
  description              ioc                          Process
  File opened for reading  /sys/class/net/ens3/address  configuration

Reads hardware information (1 TTP, 4 IoCs)
Accesses system info like serial numbers, manufacturer names, etc.
  description              ioc                                       Process
  File opened for reading  /sys/devices/virtual/dmi/id/product_uuid  configuration
  File opened for reading  /sys/class/dmi/id/board_name              configuration
  File opened for reading  /sys/class/dmi/id/product_uuid            configuration
  File opened for reading  /sys/devices/virtual/dmi/id/board_name    configuration

Checks CPU configuration (1 TTP, 1 IoC)
Checks CPU information that indicates whether the system is a virtual machine.
  description              ioc            Process
  File opened for reading  /proc/cpuinfo  configuration

Enumerates kernel/hardware configuration (1 TTP, 1 IoC)
Reads contents of /sys virtual filesystem to enumerate system information.
  description              ioc             Process
  File opened for reading  /sys/class/net  configuration

Reads runtime system information (64 IoCs)
  description              ioc                  Process
  File opened for reading  /proc/<pid>/cmdline  configuration
  One read per PID, 64 PIDs in total: 6, 10, 11, 14, 15, 20, 23, 27, 73, 74, 78, 83, 85, 89, 92, 93, 95, 99, 101, 162, 165, 175, 186, 188, 189, 194, 497, 522, 588, 593, 604, 637, 734, 773, 787, 887, 905, 1023, 1052, 1058, 1073, 1088, 1133, 1142, 1158, 1162, 1166, 1174, 1181, 1192, 1195, 1218, 1233, 1245, 1283, 1303, 1307, 1312, 1317, 1364, 1375, 1484, 1551, 1553

Writes file to tmp directory (1 IoC)
Malware often drops required files in the /tmp directory.
  description                   ioc               Process
  File opened for modification  /tmp/root1086f3d  configuration
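The anti-VM signatures above (DMI board vendor and name, product UUID, the MAC address of the active interface, and /proc/cpuinfo) all come down to comparing a handful of sysfs and procfs strings against well-known hypervisor values. The Python below is an added example, not code from the report or from the sample: it reads the same files the sample opened and reports which artefacts would reveal a hypervisor, so a sandbox operator can see what the sample saw. The marker strings and OUI prefixes are assumptions of this example, the `ens3` interface name is taken from the report, and `demo()` runs the checks against a constructed fake sysfs/proc tree so it can be exercised offline.

```python
"""Added example, not from the report: replay the sample's hypervisor checks.

Reads the same sysfs/procfs artefacts the signatures list and maps them to
hypervisor names. Marker strings and OUI prefixes are assumptions of this
example. product_uuid is readable only by root on Ubuntu, so run as root
for a full picture on a real host.
"""
import os
import re
import shutil
import tempfile

# Substrings seen in DMI vendor/board/product fields of common hypervisors (assumed list).
DMI_MARKERS = {
    "qemu": "QEMU/KVM", "kvm": "QEMU/KVM", "bochs": "QEMU/KVM",
    "vmware": "VMware", "virtualbox": "VirtualBox", "innotek": "VirtualBox",
    "xen": "Xen", "virtual machine": "Hyper-V", "parallels": "Parallels",
}

# IEEE OUIs that hypervisors assign to virtual NICs by default (assumed list).
VM_OUIS = {
    "00:0c:29": "VMware", "00:50:56": "VMware", "00:05:69": "VMware",
    "08:00:27": "VirtualBox", "52:54:00": "QEMU/KVM",
    "00:15:5d": "Hyper-V", "00:16:3e": "Xen",
}

# DMI files the report shows the sample opening, relative to a filesystem root.
DMI_FILES = (
    "sys/class/dmi/id/board_vendor",
    "sys/class/dmi/id/board_name",
    "sys/class/dmi/id/product_uuid",
)


def dmi_hints(values):
    """Return the set of hypervisor names implied by a list of DMI field strings."""
    found = set()
    for value in values:
        low = value.lower()
        for marker, name in DMI_MARKERS.items():
            if marker in low:
                found.add(name)
    return found


def mac_hint(mac):
    """Map a MAC such as '52:54:00:12:34:56' to a hypervisor via its OUI, else None."""
    return VM_OUIS.get(mac.strip().lower()[:8])


def cpuinfo_hints(text):
    """Check /proc/cpuinfo text for the 'hypervisor' CPUID flag and virtual model names."""
    found = set()
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "flags" and "hypervisor" in value.split():
            found.add("hypervisor CPUID flag")
        if key == "model name" and re.search(r"qemu|kvm|virtual", value, re.I):
            found.add(f"model name: {value}")
    return found


def read_text(root, rel):
    """Read a sysfs/procfs file under root; unreadable or missing files yield ''."""
    try:
        with open(os.path.join(root, rel), encoding="utf-8", errors="replace") as fh:
            return fh.read().strip()
    except OSError:
        return ""


def assess(root="/", iface="ens3"):
    """Collect the artefacts the sample read and list every hypervisor hint found."""
    dmi_values = [read_text(root, f) for f in DMI_FILES]
    mac = read_text(root, f"sys/class/net/{iface}/address")
    hints = dmi_hints(dmi_values) | cpuinfo_hints(read_text(root, "proc/cpuinfo"))
    vendor = mac_hint(mac) if mac else None
    if vendor:
        hints.add(f"MAC OUI {mac[:8]} -> {vendor}")
    return {"dmi": dmi_values, "mac": mac, "hints": sorted(hints)}


def demo():
    """Run assess() against a constructed fake sysfs/proc tree (not data from the report)."""
    root = tempfile.mkdtemp(prefix="vmcheck-")
    fake = {
        "sys/class/dmi/id/board_vendor": "QEMU\n",
        "sys/class/dmi/id/board_name": "Standard PC (i440FX + PIIX, 1996)\n",
        "sys/class/dmi/id/product_uuid": "7a3b3f18-0000-4000-8000-0000deadbeef\n",
        "sys/class/net/ens3/address": "52:54:00:12:34:56\n",
        "proc/cpuinfo": "model name\t: QEMU Virtual CPU version 2.5+\nflags\t\t: fpu vme hypervisor\n",
    }
    for rel, content in fake.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    try:
        return assess(root, iface="ens3")
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for hint in demo()["hints"]:
        print(hint)
```

Running `assess()` with the default root on a sandbox VM lists exactly the strings a sample of this kind would key on; spoofing those DMI fields and the NIC OUI is the usual countermeasure, while the `hypervisor` CPUID flag has to be masked at the hypervisor.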
Processes
/usr/bin/crontab  crontab -l  PID:1565
/usr/bin/crontab  crontab -  PID:1568
  - Creates/modifies Cron job
/usr/bin/crontab  crontab -l  PID:1569
/root/.sys/configuration/tmp/i686.elf  PID:1563
  - Checks hardware identifiers (DMI)
  - Reads MAC address of network interface
  - Reads hardware information
  - Checks CPU configuration
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  - Writes file to tmp directory
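The Processes list shows the classic crontab read-modify-install sequence: `crontab -l` dumps the current table, `crontab -` installs a replacement read from standard input (which is what produces the temporary spool file in the Cron signature above), and a final `crontab -l` verifies the result. The Python below is an added example, not part of the report: `find_cron_installs` flags crontab installs whose parent is not an interactive shell and notes when a listing preceded them from the same parent, and `suspicious_cron_entries` scans crontab text for commands living in hidden directories or temp paths, like the sample's own /root/.sys/... location and its /tmp/root1086f3d drop. The execve events and crontab text are constructed for the example: the report gives the PIDs but not the parent relationships (assumed here to be the sample, PID 1563), and it does not show the crontab the sample installed.

```python
"""Added example, not from the report: detect crontab-based persistence.

Part 1 inspects process-execution events for a non-interactive parent
installing a crontab (the `crontab -l` / `crontab -` / `crontab -l` chain).
Part 2 scans crontab text for commands in hidden directories or temp paths.
Events and crontab content below are constructed, not recovered from the report.
"""
import re

# Parents from which a human normally runs crontab; anything else is worth a look.
INTERACTIVE_PARENTS = {"bash", "sh", "zsh", "dash", "fish", "sudo", "su", "sshd"}
TEMP_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/")
# A crontab line is either @reboot/@hourly/... or five schedule fields, then the command.
SCHEDULE_RE = re.compile(r"^(@\w+\s+|(\S+\s+){5})(?P<cmd>.+)$")


def crontab_mode(argv):
    """Classify a crontab argv: 'list', 'remove', 'edit', 'install-stdin', 'install-file' or None."""
    args = list(argv[1:])
    i = 0
    while i < len(args):
        arg = args[i]
        if arg == "-u":          # -u USER selects the target user; skip the value
            i += 2
            continue
        if arg == "-l":
            return "list"
        if arg == "-r":
            return "remove"
        if arg == "-e":
            return "edit"
        if arg == "-":           # read the new crontab from stdin
            return "install-stdin"
        if not arg.startswith("-"):
            return "install-file"
        i += 1
    return None


def find_cron_installs(events):
    """Flag crontab installs by non-interactive parents; record a preceding -l from the same parent."""
    listed_by = set()
    findings = []
    for ev in events:
        if ev["comm"] != "crontab":
            continue
        mode = crontab_mode(ev["argv"])
        if mode == "list":
            listed_by.add(ev["ppid"])
            continue
        if mode not in ("install-stdin", "install-file"):
            continue
        if ev.get("parent_comm", "") in INTERACTIVE_PARENTS:
            continue
        findings.append({
            "pid": ev["pid"], "parent": ev["ppid"], "parent_comm": ev.get("parent_comm", ""),
            "cmd": " ".join(ev["argv"]), "mode": mode,
            "read_modify_install": ev["ppid"] in listed_by,
        })
    return findings


def cron_command(line):
    """Return the command part of a crontab line, or None for blank, comment and VAR=value lines."""
    s = line.strip()
    if not s or s.startswith("#") or re.match(r"^[A-Za-z_]\w*=", s):
        return None
    m = SCHEDULE_RE.match(s)
    return m.group("cmd").strip() if m else None


def suspicious_cron_entries(text):
    """Return (line, reasons) for entries whose command references temp or hidden paths."""
    out = []
    for line in text.splitlines():
        cmd = cron_command(line)
        if cmd is None:
            continue
        reasons = []
        for tok in cmd.split():
            if tok.startswith(TEMP_PREFIXES):
                reasons.append("temp path: " + tok)
            if "/." in tok:
                reasons.append("hidden path: " + tok)
        if reasons and line.strip().startswith("@reboot"):
            reasons.append("@reboot")
        if reasons:
            out.append((line.strip(), reasons))
    return out


# Constructed execve events modelled on the report's process list. PIDs 1565, 1568
# and 1569 come from the report; their parent (1563, comm "configuration") is an
# assumption, and PID 2001 is a benign interactive edit added for contrast.
SAMPLE_EVENTS = [
    {"pid": 1565, "ppid": 1563, "comm": "crontab", "parent_comm": "configuration", "argv": ["crontab", "-l"]},
    {"pid": 1568, "ppid": 1563, "comm": "crontab", "parent_comm": "configuration", "argv": ["crontab", "-"]},
    {"pid": 1569, "ppid": 1563, "comm": "crontab", "parent_comm": "configuration", "argv": ["crontab", "-l"]},
    {"pid": 2001, "ppid": 1800, "comm": "crontab", "parent_comm": "bash", "argv": ["crontab", "-e"]},
]

# Constructed crontab for the example; the report does not show the installed entry.
SAMPLE_CRONTAB = """\
# constructed crontab, not recovered from the report
MAILTO=""
0 3 * * 1 /usr/bin/apt-get update
@reboot /root/.sys/configuration/tmp/i686.elf
*/10 * * * * /tmp/root1086f3d >/dev/null 2>&1
"""

if __name__ == "__main__":
    for f in find_cron_installs(SAMPLE_EVENTS):
        print("crontab install:", f)
    for line, reasons in suspicious_cron_entries(SAMPLE_CRONTAB):
        print("suspicious entry:", line, reasons)
```

On a live host the same two checks map onto `auditctl -a always,exit -F arch=b64 -S execve -F exe=/usr/bin/crontab` for the process side and a sweep of /var/spool/cron/crontabs/* (plus /etc/cron.d) for the content side; `crontab -l` run as the affected user shows what the sample left behind.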
Network
MITRE ATT&CK Enterprise v16
Downloads
Filesize: 208B
MD5: 759a652ed7e7a97a0f00299c595b3d72
SHA1: 91c3f7e58a12b98f839aad238a68bc23860eac23
SHA256: d215568de167b4417ddd3d68c65cc53e4d834afe175e35926b2ca8be376a72da
SHA512: af28c7930bfe2f0fb2798b70d9f9b507ca53eafc2f1e58b4ec397915a78158f6f5494a9e90998a1fbd7a5d91c12599b92f2fb49068097fc91d8ce583260090cd