f72babf978d8b86a75e3b34f59d4fc6464dc988720d1574a781347896c2989c7

General

Target

f72babf978d8b86a75e3b34f59d4fc6464dc988720d1574a781347896c2989c7
Size

7.6MB
MD5

0014403121eeaebaeede796e4b6e5dbe
SHA1

4898e80e81129ab9f75be89a3e4fc004039c257e
SHA256

f72babf978d8b86a75e3b34f59d4fc6464dc988720d1574a781347896c2989c7
SHA512

a2dcaa447880b1f015c157cb7a6d71ca4005b8944191dd656aa5078233f99dca1902d844f36d45105dff69a4e529c3c35f43597303fbb7088e2042966b26bcaf

Score

9^/10

antivm

Malware Config

Signatures

Attempts to identify hypervisor via CPU configuration 1 TTPs 1 IoCs
Checks CPU information for indicators that the system is a virtual machine.
antivm

Virtualization/Sandbox Evasion
T1497

Processes:

f72babf978d8b86a75e3b34f59d4fc6464dc988720d1574a781347896c2989c7

description ioc process

/proc/cpuinfo /proc/cpuinfo f72babf978d8b86a75e3b34f59d4fc6464dc988720d1574a781347896c2989c7

description	ioc	process
/proc/cpuinfo	/proc/cpuinfo	f72babf978d8b86a75e3b34f59d4fc6464dc988720d1574a781347896c2989c7

Reads CPU attributes 1 TTPs 3 IoCs

System Information Discovery

T1082

Processes:

f72babf978d8b86a75e3b34f59d4fc6464dc988720d1574a781347896c2989c7

description	ioc	process
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	f72babf978d8b86a75e3b34f59d4fc6464dc988720d1574a781347896c2989c7
/sys/devices/system/cpu/types	/sys/devices/system/cpu/types	f72babf978d8b86a75e3b34f59d4fc6464dc988720d1574a781347896c2989c7
/sys/devices/system/cpu/possible	/sys/devices/system/cpu/possible	f72babf978d8b86a75e3b34f59d4fc6464dc988720d1574a781347896c2989c7

Enumerates kernel/hardware configuration 1 TTPs 64 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

T1082

Processes:

f72babf978d8b86a75e3b34f59d4fc6464dc988720d1574a781347896c2989c7

Reads runtime system information 4 IoCs

Reads data from /proc virtual filesystem.

Processes:

f72babf978d8b86a75e3b34f59d4fc6464dc988720d1574a781347896c2989c7

description	ioc	process
/proc/mounts	/proc/mounts	f72babf978d8b86a75e3b34f59d4fc6464dc988720d1574a781347896c2989c7
/proc/self/cpuset	/proc/self/cpuset	f72babf978d8b86a75e3b34f59d4fc6464dc988720d1574a781347896c2989c7
/proc/meminfo	/proc/meminfo	f72babf978d8b86a75e3b34f59d4fc6464dc988720d1574a781347896c2989c7
/proc/driver/nvidia/gpus	/proc/driver/nvidia/gpus	f72babf978d8b86a75e3b34f59d4fc6464dc988720d1574a781347896c2989c7

Writes file to tmp directory 1 IoCs
Malware often drops required files in the /tmp directory.

Processes:

f72babf978d8b86a75e3b34f59d4fc6464dc988720d1574a781347896c2989c7

description ioc process

/tmp/config.json /tmp/config.json f72babf978d8b86a75e3b34f59d4fc6464dc988720d1574a781347896c2989c7

description	ioc	process
/tmp/config.json	/tmp/config.json	f72babf978d8b86a75e3b34f59d4fc6464dc988720d1574a781347896c2989c7

./f72babf978d8b86a75e3b34f59d4fc6464dc988720d1574a781347896c2989c7
./f72babf978d8b86a75e3b34f59d4fc6464dc988720d1574a781347896c2989c7
1⤵
- Attempts to identify hypervisor via CPU configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
- Writes file to tmp directory
PID:571

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

description	ioc	process
/sys/bus/node/devices/node0/cpumap	/sys/bus/node/devices/node0/cpumap	f72babf978d8b86a75e3b34f59d4fc6464dc988720d1574a781347896c2989c7
/sys/devices/virtual/dmi/id	/sys/devices/virtual/dmi/id	f72babf978d8b86a75e3b34f59d4fc6464dc988720d1574a781347896c2989c7
/sys/devices/virtual/dmi/id/chassis_asset_tag	/sys/devices/virtual/dmi/id/chassis_asset_tag	f72babf978d8b86a75e3b34f59d4fc6464dc988720d1574a781347896c2989c7
/sys/fs/cgroup/unified/cgroup.controllers	/sys/fs/cgroup/unified/cgroup.controllers	f72babf978d8b86a75e3b34f59d4fc6464dc988720d1574a781347896c2989c7
/sys/bus/cpu/devices/cpu0/cache/index1/level	/sys/bus/cpu/devices/cpu0/cache/index1/level	f72babf978d8b86a75e3b34f59d4fc6464dc988720d1574a781347896c2989c7
/sys/bus/cpu/devices/cpu0/cpufreq/cpuinfo_max_freq	/sys/bus/cpu/devices/cpu0/cpufreq/cpuinfo_max_freq	f72babf978d8b86a75e3b34f59d4fc6464dc988720d1574a781347896c2989c7
/sys/bus/node/devices/node0/hugepages/hugepages-2048kB/nr_hugepages	/sys/bus/node/devices/node0/hugepages/hugepages-2048kB/nr_hugepages	f72babf978d8b86a75e3b34f59d4fc6464dc988720d1574a781347896c2989c7
/sys/devices/virtual/dmi/id/chassis_type	/sys/devices/virtual/dmi/id/chassis_type	f72babf978d8b86a75e3b34f59d4fc6464dc988720d1574a781347896c2989c7
/sys/devices/virtual/dmi/id/bios_date	/sys/devices/virtual/dmi/id/bios_date	f72babf978d8b86a75e3b34f59d4fc6464dc988720d1574a781347896c2989c7
/sys/devices/system/cpu	/sys/devices/system/cpu	f72babf978d8b86a75e3b34f59d4fc6464dc988720d1574a781347896c2989c7
/sys/fs/cgroup/cpuset//cpuset.mems	/sys/fs/cgroup/cpuset//cpuset.mems	f72babf978d8b86a75e3b34f59d4fc6464dc988720d1574a781347896c2989c7
/sys/bus/cpu/devices	/sys/bus/cpu/devices	f72babf978d8b86a75e3b34f59d4fc6464dc988720d1574a781347896c2989c7
/sys/bus/cpu/devices/cpu0/topology/die_cpus	/sys/bus/cpu/devices/cpu0/topology/die_cpus	f72babf978d8b86a75e3b34f59d4fc6464dc988720d1574a781347896c2989c7
/sys/bus/cpu/devices/cpu0/cache/index0/type	/sys/bus/cpu/devices/cpu0/cache/index0/type	f72babf978d8b86a75e3b34f59d4fc6464dc988720d1574a781347896c2989c7
/sys/bus/cpu/devices/cpu0/cache/index2/shared_cpu_map	/sys/bus/cpu/devices/cpu0/cache/index2/shared_cpu_map	f72babf978d8b86a75e3b34f59d4fc6464dc988720d1574a781347896c2989c7
/sys/bus/cpu/devices/cpu0/cache/index7/shared_cpu_map	/sys/bus/cpu/devices/cpu0/cache/index7/shared_cpu_map	f72babf978d8b86a75e3b34f59d4fc6464dc988720d1574a781347896c2989c7
/sys/bus/dax/devices/	/sys/bus/dax/devices/	f72babf978d8b86a75e3b34f59d4fc6464dc988720d1574a781347896c2989c7
/sys/bus/cpu/devices/cpu0/topology/thread_siblings	/sys/bus/cpu/devices/cpu0/topology/thread_siblings	f72babf978d8b86a75e3b34f59d4fc6464dc988720d1574a781347896c2989c7
/sys/bus/cpu/devices/cpu0/cache/index3/physical_line_partition	/sys/bus/cpu/devices/cpu0/cache/index3/physical_line_partition	f72babf978d8b86a75e3b34f59d4fc6464dc988720d1574a781347896c2989c7
/sys/devices/system/node/online	/sys/devices/system/node/online	f72babf978d8b86a75e3b34f59d4fc6464dc988720d1574a781347896c2989c7
/sys/bus/node/devices/node0/access0/initiators/read_latency	/sys/bus/node/devices/node0/access0/initiators/read_latency	f72babf978d8b86a75e3b34f59d4fc6464dc988720d1574a781347896c2989c7
/sys/bus/cpu/devices/cpu0/cache/index0/number_of_sets	/sys/bus/cpu/devices/cpu0/cache/index0/number_of_sets	f72babf978d8b86a75e3b34f59d4fc6464dc988720d1574a781347896c2989c7
/sys/bus/cpu/devices/cpu0/cache/index0/physical_line_partition	/sys/bus/cpu/devices/cpu0/cache/index0/physical_line_partition	f72babf978d8b86a75e3b34f59d4fc6464dc988720d1574a781347896c2989c7
/sys/bus/cpu/devices/cpu0/cache/index9/shared_cpu_map	/sys/bus/cpu/devices/cpu0/cache/index9/shared_cpu_map	f72babf978d8b86a75e3b34f59d4fc6464dc988720d1574a781347896c2989c7
/sys/devices/virtual/dmi/id/board_asset_tag	/sys/devices/virtual/dmi/id/board_asset_tag	f72babf978d8b86a75e3b34f59d4fc6464dc988720d1574a781347896c2989c7
/sys/devices/virtual/dmi/id/chassis_version	/sys/devices/virtual/dmi/id/chassis_version	f72babf978d8b86a75e3b34f59d4fc6464dc988720d1574a781347896c2989c7
/sys/devices/virtual/dmi/id/chassis_serial	/sys/devices/virtual/dmi/id/chassis_serial	f72babf978d8b86a75e3b34f59d4fc6464dc988720d1574a781347896c2989c7
/sys/bus/cpu/devices/cpu0/cache/index0/coherency_line_size	/sys/bus/cpu/devices/cpu0/cache/index0/coherency_line_size	f72babf978d8b86a75e3b34f59d4fc6464dc988720d1574a781347896c2989c7
/sys/bus/cpu/devices/cpu0/cache/index3/coherency_line_size	/sys/bus/cpu/devices/cpu0/cache/index3/coherency_line_size	f72babf978d8b86a75e3b34f59d4fc6464dc988720d1574a781347896c2989c7
/sys/devices/virtual/dmi/id/product_serial	/sys/devices/virtual/dmi/id/product_serial	f72babf978d8b86a75e3b34f59d4fc6464dc988720d1574a781347896c2989c7
/sys/devices/virtual/dmi/id/chassis_vendor	/sys/devices/virtual/dmi/id/chassis_vendor	f72babf978d8b86a75e3b34f59d4fc6464dc988720d1574a781347896c2989c7
/sys/devices/virtual/dmi/id/bios_version	/sys/devices/virtual/dmi/id/bios_version	f72babf978d8b86a75e3b34f59d4fc6464dc988720d1574a781347896c2989c7
/sys/bus/cpu/devices/cpu0/cache/index1/type	/sys/bus/cpu/devices/cpu0/cache/index1/type	f72babf978d8b86a75e3b34f59d4fc6464dc988720d1574a781347896c2989c7
/sys/bus/cpu/devices/cpu0/cache/index3/size	/sys/bus/cpu/devices/cpu0/cache/index3/size	f72babf978d8b86a75e3b34f59d4fc6464dc988720d1574a781347896c2989c7
/sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages	/sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages	f72babf978d8b86a75e3b34f59d4fc6464dc988720d1574a781347896c2989c7
/sys/devices/virtual/dmi/id/board_vendor	/sys/devices/virtual/dmi/id/board_vendor	f72babf978d8b86a75e3b34f59d4fc6464dc988720d1574a781347896c2989c7
/sys/bus/cpu/devices/cpu0/cache/index4/shared_cpu_map	/sys/bus/cpu/devices/cpu0/cache/index4/shared_cpu_map	f72babf978d8b86a75e3b34f59d4fc6464dc988720d1574a781347896c2989c7
/sys/bus/cpu/devices/cpu0/cache/index5/shared_cpu_map	/sys/bus/cpu/devices/cpu0/cache/index5/shared_cpu_map	f72babf978d8b86a75e3b34f59d4fc6464dc988720d1574a781347896c2989c7
/sys/bus/node/devices/node0/access1/initiators	/sys/bus/node/devices/node0/access1/initiators	f72babf978d8b86a75e3b34f59d4fc6464dc988720d1574a781347896c2989c7
/sys/devices/virtual/dmi/id/board_serial	/sys/devices/virtual/dmi/id/board_serial	f72babf978d8b86a75e3b34f59d4fc6464dc988720d1574a781347896c2989c7
/sys/bus/cpu/devices/cpu0/topology/core_id	/sys/bus/cpu/devices/cpu0/topology/core_id	f72babf978d8b86a75e3b34f59d4fc6464dc988720d1574a781347896c2989c7
/sys/bus/cpu/devices/cpu0/cache/index2/physical_line_partition	/sys/bus/cpu/devices/cpu0/cache/index2/physical_line_partition	f72babf978d8b86a75e3b34f59d4fc6464dc988720d1574a781347896c2989c7
/sys/bus/cpu/devices/cpu0/cache/index3/shared_cpu_map	/sys/bus/cpu/devices/cpu0/cache/index3/shared_cpu_map	f72babf978d8b86a75e3b34f59d4fc6464dc988720d1574a781347896c2989c7
/sys/bus/node/devices/node0/hugepages	/sys/bus/node/devices/node0/hugepages	f72babf978d8b86a75e3b34f59d4fc6464dc988720d1574a781347896c2989c7
/sys/bus/node/devices/node0/access0/initiators/read_bandwidth	/sys/bus/node/devices/node0/access0/initiators/read_bandwidth	f72babf978d8b86a75e3b34f59d4fc6464dc988720d1574a781347896c2989c7
/sys/devices/virtual/dmi/id/product_version	/sys/devices/virtual/dmi/id/product_version	f72babf978d8b86a75e3b34f59d4fc6464dc988720d1574a781347896c2989c7
/sys/devices/virtual/dmi/id/product_uuid	/sys/devices/virtual/dmi/id/product_uuid	f72babf978d8b86a75e3b34f59d4fc6464dc988720d1574a781347896c2989c7
/sys/devices/virtual/dmi/id/board_version	/sys/devices/virtual/dmi/id/board_version	f72babf978d8b86a75e3b34f59d4fc6464dc988720d1574a781347896c2989c7
/sys/bus/cpu/devices/cpu0/cache/index0/level	/sys/bus/cpu/devices/cpu0/cache/index0/level	f72babf978d8b86a75e3b34f59d4fc6464dc988720d1574a781347896c2989c7
/sys/bus/cpu/devices/cpu0/cache/index2/number_of_sets	/sys/bus/cpu/devices/cpu0/cache/index2/number_of_sets	f72babf978d8b86a75e3b34f59d4fc6464dc988720d1574a781347896c2989c7
/sys/bus/cpu/devices/cpu0/cache/index6/shared_cpu_map	/sys/bus/cpu/devices/cpu0/cache/index6/shared_cpu_map	f72babf978d8b86a75e3b34f59d4fc6464dc988720d1574a781347896c2989c7
/sys/devices/virtual/dmi/id/bios_vendor	/sys/devices/virtual/dmi/id/bios_vendor	f72babf978d8b86a75e3b34f59d4fc6464dc988720d1574a781347896c2989c7
/sys/bus/cpu/devices/cpu0/cache/index2/level	/sys/bus/cpu/devices/cpu0/cache/index2/level	f72babf978d8b86a75e3b34f59d4fc6464dc988720d1574a781347896c2989c7
/sys/bus/cpu/devices/cpu0/cache/index3/type	/sys/bus/cpu/devices/cpu0/cache/index3/type	f72babf978d8b86a75e3b34f59d4fc6464dc988720d1574a781347896c2989c7
/sys/kernel/mm/hugepages	/sys/kernel/mm/hugepages	f72babf978d8b86a75e3b34f59d4fc6464dc988720d1574a781347896c2989c7
/sys/bus/cpu/devices/cpu0/topology/physical_package_id	/sys/bus/cpu/devices/cpu0/topology/physical_package_id	f72babf978d8b86a75e3b34f59d4fc6464dc988720d1574a781347896c2989c7
/sys/bus/cpu/devices/cpu0/cache/index2/coherency_line_size	/sys/bus/cpu/devices/cpu0/cache/index2/coherency_line_size	f72babf978d8b86a75e3b34f59d4fc6464dc988720d1574a781347896c2989c7
/sys/devices/virtual/dmi/id/product_name	/sys/devices/virtual/dmi/id/product_name	f72babf978d8b86a75e3b34f59d4fc6464dc988720d1574a781347896c2989c7
/sys/bus/cpu/devices/cpu0/cache/index1/shared_cpu_map	/sys/bus/cpu/devices/cpu0/cache/index1/shared_cpu_map	f72babf978d8b86a75e3b34f59d4fc6464dc988720d1574a781347896c2989c7
/sys/bus/cpu/devices/cpu0/cache/index2/size	/sys/bus/cpu/devices/cpu0/cache/index2/size	f72babf978d8b86a75e3b34f59d4fc6464dc988720d1574a781347896c2989c7
/sys/devices/virtual/dmi/id/sys_vendor	/sys/devices/virtual/dmi/id/sys_vendor	f72babf978d8b86a75e3b34f59d4fc6464dc988720d1574a781347896c2989c7
/sys/fs/cgroup/cpuset//cpuset.cpus	/sys/fs/cgroup/cpuset//cpuset.cpus	f72babf978d8b86a75e3b34f59d4fc6464dc988720d1574a781347896c2989c7
/sys/bus/cpu/devices/cpu0/cache/index0/shared_cpu_map	/sys/bus/cpu/devices/cpu0/cache/index0/shared_cpu_map	f72babf978d8b86a75e3b34f59d4fc6464dc988720d1574a781347896c2989c7
/sys/bus/cpu/devices/cpu0/cache/index3/level	/sys/bus/cpu/devices/cpu0/cache/index3/level	f72babf978d8b86a75e3b34f59d4fc6464dc988720d1574a781347896c2989c7

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads