Analysis
-
max time kernel
0s -
max time network
103s -
platform
linux_amd64 -
resource
ubuntu1804-amd64-en-20211208 -
submitted
04-05-2022 05:29
Behavioral task
behavioral1
Sample
cnrig
Resource
ubuntu1804-amd64-en-20211208
0 signatures
0 seconds
General
-
Target
cnrig
-
Size
7.6MB
-
MD5
0014403121eeaebaeede796e4b6e5dbe
-
SHA1
4898e80e81129ab9f75be89a3e4fc004039c257e
-
SHA256
f72babf978d8b86a75e3b34f59d4fc6464dc988720d1574a781347896c2989c7
-
SHA512
a2dcaa447880b1f015c157cb7a6d71ca4005b8944191dd656aa5078233f99dca1902d844f36d45105dff69a4e529c3c35f43597303fbb7088e2042966b26bcaf
Score
9/10
Malware Config
Signatures
-
Attempts to identify hypervisor via CPU configuration 1 TTPs 1 IoCs
Checks CPU information (from /proc/cpuinfo) for indicators that the system is a virtual machine.
description ioc Process /proc/cpuinfo /proc/cpuinfo cnrig -
Reads CPU attributes 1 TTPs 3 IoCs
description ioc Process /sys/devices/system/cpu/online /sys/devices/system/cpu/online cnrig /sys/devices/system/cpu/types /sys/devices/system/cpu/types cnrig /sys/devices/system/cpu/possible /sys/devices/system/cpu/possible cnrig -
Enumerates kernel/hardware configuration 1 TTPs 64 IoCs
Reads the contents of the /sys virtual filesystem to enumerate system information (CPU topology and cache layout, DMI/BIOS identifiers, NUMA and hugepage settings, cgroup limits).
description ioc Process /sys/bus/cpu/devices/cpu0/topology/thread_siblings /sys/bus/cpu/devices/cpu0/topology/thread_siblings cnrig /sys/bus/cpu/devices/cpu0/cache/index3/physical_line_partition /sys/bus/cpu/devices/cpu0/cache/index3/physical_line_partition cnrig /sys/bus/node/devices/node0/hugepages /sys/bus/node/devices/node0/hugepages cnrig /sys/devices/virtual/dmi/id/board_vendor /sys/devices/virtual/dmi/id/board_vendor cnrig /sys/devices/virtual/dmi/id/sys_vendor /sys/devices/virtual/dmi/id/sys_vendor cnrig /sys/bus/cpu/devices/cpu0/topology/physical_package_id /sys/bus/cpu/devices/cpu0/topology/physical_package_id cnrig /sys/bus/cpu/devices/cpu0/cache/index0/level /sys/bus/cpu/devices/cpu0/cache/index0/level cnrig /sys/bus/cpu/devices/cpu0/cache/index3/type /sys/bus/cpu/devices/cpu0/cache/index3/type cnrig /sys/bus/cpu/devices/cpu0/cache/index3/coherency_line_size /sys/bus/cpu/devices/cpu0/cache/index3/coherency_line_size cnrig /sys/bus/node/devices/node0/hugepages/hugepages-2048kB/nr_hugepages /sys/bus/node/devices/node0/hugepages/hugepages-2048kB/nr_hugepages cnrig /sys/devices/virtual/dmi/id/product_uuid /sys/devices/virtual/dmi/id/product_uuid cnrig /sys/devices/virtual/dmi/id/bios_version /sys/devices/virtual/dmi/id/bios_version cnrig /sys/bus/cpu/devices/cpu0/cache/index0/type /sys/bus/cpu/devices/cpu0/cache/index0/type cnrig /sys/bus/cpu/devices/cpu0/cache/index2/physical_line_partition /sys/bus/cpu/devices/cpu0/cache/index2/physical_line_partition cnrig /sys/bus/cpu/devices/cpu0/cache/index3/size /sys/bus/cpu/devices/cpu0/cache/index3/size cnrig /sys/bus/cpu/devices/cpu0/cache/index9/shared_cpu_map /sys/bus/cpu/devices/cpu0/cache/index9/shared_cpu_map cnrig /sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages /sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages cnrig /sys/devices/virtual/dmi/id/product_name /sys/devices/virtual/dmi/id/product_name cnrig /sys/bus/cpu/devices/cpu0/topology/die_cpus /sys/bus/cpu/devices/cpu0/topology/die_cpus cnrig 
/sys/bus/cpu/devices/cpu0/cache/index0/size /sys/bus/cpu/devices/cpu0/cache/index0/size cnrig /sys/bus/cpu/devices/cpu0/cache/index0/coherency_line_size /sys/bus/cpu/devices/cpu0/cache/index0/coherency_line_size cnrig /sys/bus/cpu/devices/cpu0/cache/index0/number_of_sets /sys/bus/cpu/devices/cpu0/cache/index0/number_of_sets cnrig /sys/bus/cpu/devices/cpu0/cache/index2/level /sys/bus/cpu/devices/cpu0/cache/index2/level cnrig /sys/bus/cpu/devices/cpu0/cache/index2/coherency_line_size /sys/bus/cpu/devices/cpu0/cache/index2/coherency_line_size cnrig /sys/bus/cpu/devices/cpu0/cache/index3/level /sys/bus/cpu/devices/cpu0/cache/index3/level cnrig /sys/bus/cpu/devices/cpu0/cpufreq/cpuinfo_max_freq /sys/bus/cpu/devices/cpu0/cpufreq/cpuinfo_max_freq cnrig /sys/devices/system/node/online /sys/devices/system/node/online cnrig /sys/bus/node/devices/node0/access1/initiators /sys/bus/node/devices/node0/access1/initiators cnrig /sys/devices/virtual/dmi/id/board_asset_tag /sys/devices/virtual/dmi/id/board_asset_tag cnrig /sys/bus/cpu/devices/cpu0/cache/index4/shared_cpu_map /sys/bus/cpu/devices/cpu0/cache/index4/shared_cpu_map cnrig /sys/bus/node/devices/node0/meminfo /sys/bus/node/devices/node0/meminfo cnrig /sys/devices/virtual/dmi/id/chassis_type /sys/devices/virtual/dmi/id/chassis_type cnrig /sys/bus/cpu/devices/cpu0/cache/index2/type /sys/bus/cpu/devices/cpu0/cache/index2/type cnrig /sys/bus/cpu/devices/cpu0/cache/index8/shared_cpu_map /sys/bus/cpu/devices/cpu0/cache/index8/shared_cpu_map cnrig /sys/kernel/mm/hugepages /sys/kernel/mm/hugepages cnrig /sys/bus/cpu/devices/cpu0/topology/core_siblings /sys/bus/cpu/devices/cpu0/topology/core_siblings cnrig /sys/bus/cpu/devices/cpu0/cache/index1/type /sys/bus/cpu/devices/cpu0/cache/index1/type cnrig /sys/bus/cpu/devices/cpu0/cache/index2/shared_cpu_map /sys/bus/cpu/devices/cpu0/cache/index2/shared_cpu_map cnrig /sys/bus/cpu/devices/cpu0/cache/index3/number_of_sets /sys/bus/cpu/devices/cpu0/cache/index3/number_of_sets cnrig 
/sys/bus/cpu/devices/cpu0/cache/index6/shared_cpu_map /sys/bus/cpu/devices/cpu0/cache/index6/shared_cpu_map cnrig /sys/devices/virtual/dmi/id/board_name /sys/devices/virtual/dmi/id/board_name cnrig /sys/fs/cgroup/cpuset//cpuset.mems /sys/fs/cgroup/cpuset//cpuset.mems cnrig /sys/bus/dax/devices/ /sys/bus/dax/devices/ cnrig /sys/devices/virtual/dmi/id/chassis_vendor /sys/devices/virtual/dmi/id/chassis_vendor cnrig /sys/bus/node/devices/node0/access0/initiators /sys/bus/node/devices/node0/access0/initiators cnrig /sys/devices/virtual/dmi/id/board_version /sys/devices/virtual/dmi/id/board_version cnrig /sys/devices/virtual/dmi/id/bios_date /sys/devices/virtual/dmi/id/bios_date cnrig /sys/bus/cpu/devices /sys/bus/cpu/devices cnrig /sys/bus/cpu/devices/cpu0/cache/index1/shared_cpu_map /sys/bus/cpu/devices/cpu0/cache/index1/shared_cpu_map cnrig /sys/bus/cpu/devices/cpu0/cache/index2/size /sys/bus/cpu/devices/cpu0/cache/index2/size cnrig /sys/bus/cpu/devices/cpu0/cache/index2/number_of_sets /sys/bus/cpu/devices/cpu0/cache/index2/number_of_sets cnrig /sys/bus/cpu/devices/cpu0/cache/index7/shared_cpu_map /sys/bus/cpu/devices/cpu0/cache/index7/shared_cpu_map cnrig /sys/bus/cpu/devices/cpu0/cpufreq/base_frequency /sys/bus/cpu/devices/cpu0/cpufreq/base_frequency cnrig /sys/devices/virtual/dmi/id/product_serial /sys/devices/virtual/dmi/id/product_serial cnrig /sys/bus/cpu/devices/cpu0/cache/index5/shared_cpu_map /sys/bus/cpu/devices/cpu0/cache/index5/shared_cpu_map cnrig /sys/devices/virtual/dmi/id /sys/devices/virtual/dmi/id cnrig /sys/devices/virtual/dmi/id/chassis_version /sys/devices/virtual/dmi/id/chassis_version cnrig /sys/devices/system/cpu /sys/devices/system/cpu cnrig /sys/bus/cpu/devices/cpu0/cache/index1/level /sys/bus/cpu/devices/cpu0/cache/index1/level cnrig /sys/bus/cpu/devices/cpu0/cache/index3/shared_cpu_map /sys/bus/cpu/devices/cpu0/cache/index3/shared_cpu_map cnrig /sys/fs/cgroup/unified/cgroup.controllers /sys/fs/cgroup/unified/cgroup.controllers cnrig 
/sys/bus/cpu/devices/cpu0/topology/core_id /sys/bus/cpu/devices/cpu0/topology/core_id cnrig /sys/devices/virtual/dmi/id/bios_vendor /sys/devices/virtual/dmi/id/bios_vendor cnrig /sys/fs/cgroup/cpuset//cpuset.cpus /sys/fs/cgroup/cpuset//cpuset.cpus cnrig -
Reads runtime system information 4 IoCs
Reads data from the /proc virtual filesystem.
description ioc Process /proc/mounts /proc/mounts cnrig /proc/self/cpuset /proc/self/cpuset cnrig /proc/meminfo /proc/meminfo cnrig /proc/driver/nvidia/gpus /proc/driver/nvidia/gpus cnrig -
Writes file to tmp directory 1 IoCs
Malware often drops the files it needs into the /tmp directory; here a single configuration file, /tmp/config.json, is written.
description ioc Process /tmp/config.json /tmp/config.json cnrig