de959af4e13c5a0b9799ffecbbee43a30f21763f784262addc650a41ca12f2bb

General

Target

de959af4e13c5a0b9799ffecbbee43a30f21763f784262addc650a41ca12f2bb
Size

358KB
MD5

639fc83ecdf903c5565b0328d4375e12
SHA1

7cbfed277c84d45641fc19852fd27193de2cffc8
SHA256

de959af4e13c5a0b9799ffecbbee43a30f21763f784262addc650a41ca12f2bb
SHA512

3d2b151d71f72dc80db66697a834df6bba4e7a3bfeb048c992ad564dce5b432658b10f50c351b69e6563e75c502440d0d4720ca769d99ae4dd15e45ee7ff1cec

Score

9^/10

Attempts to identify hypervisor via CPU configuration 1 TTPs 2 IoCs
Checks CPU information for indicators that the system is a virtual machine.
antivm

Virtualization/Sandbox Evasion
T1497

Processes:

de959af4e13c5a0b9799ffecbbee43a30f21763f784262addc650a41ca12f2bb

description ioc process

/proc/cpuinfo /proc/cpuinfo de959af4e13c5a0b9799ffecbbee43a30f21763f784262addc650a41ca12f2bb
/proc/cpuinfo /proc/cpuinfo
Modifies hosts file 1 IoCs
Adds to hosts file used for mapping hosts to IP addresses.

Processes:

description ioc

/etc/hosts /etc/hosts
Writes DNS configuration 1 TTPs 1 IoCs
Writes data to DNS resolver config file.

Dynamic Resolution
T1568

Processes:

description ioc

/etc/resolv.conf /etc/resolv.conf
Modifies init.d 1 TTPs 1 IoCs
Adds/modifies system service, likely for persistence.
persistence

Boot or Logon Autostart Execution
T1547

Processes:

sed

description ioc process

/etc/init.d/boot.local /etc/init.d/boot.local sed
Modifies rc script 1 TTPs 4 IoCs
Adding/modifying system rc scripts is a common persistence mechanism.
persistence

Boot or Logon Autostart Execution
T1547

Processes:

sedsedsedsed

description ioc process

/etc/rc.local /etc/rc.local sed
/etc/rc.local /etc/rc.local sed
/etc/rc.local /etc/rc.local sed
/etc/rc.d/rc.local /etc/rc.d/rc.local sed

description	ioc	process
/proc/cpuinfo	/proc/cpuinfo	de959af4e13c5a0b9799ffecbbee43a30f21763f784262addc650a41ca12f2bb
/proc/cpuinfo	/proc/cpuinfo

description	ioc
/etc/hosts	/etc/hosts

description	ioc
/etc/resolv.conf	/etc/resolv.conf

description	ioc	process
/etc/init.d/boot.local	/etc/init.d/boot.local	sed

Reads runtime system information 8 IoCs

Reads data from /proc virtual filesystem.

Processes:

sedsedsedsedsedmvsed

./de959af4e13c5a0b9799ffecbbee43a30f21763f784262addc650a41ca12f2bb
./de959af4e13c5a0b9799ffecbbee43a30f21763f784262addc650a41ca12f2bb
1⤵
- Attempts to identify hypervisor via CPU configuration
PID:331

/bin/sh
/bin/sh -c "mv /tmp/de959af4e13c5a0b9799ffecbbee43a30f21763f784262addc650a41ca12f2bb /etc/de959af4e13c5a0b9799ffecbbee43a30f21763f784262addc650a41ca12f2bb"
2⤵
PID:334

/bin/mv
mv /tmp/de959af4e13c5a0b9799ffecbbee43a30f21763f784262addc650a41ca12f2bb /etc/de959af4e13c5a0b9799ffecbbee43a30f21763f784262addc650a41ca12f2bb
3⤵
- Reads runtime system information
PID:336

/bin/sh
/bin/sh -c "cd /etc;chmod 777 de959af4e13c5a0b9799ffecbbee43a30f21763f784262addc650a41ca12f2bb"
2⤵
PID:340

/bin/chmod
chmod 777 de959af4e13c5a0b9799ffecbbee43a30f21763f784262addc650a41ca12f2bb
3⤵
PID:341

/bin/sed
sed -i -e "/^ | | \$/d" /etc/rc.local
3⤵
- Reads runtime system information
PID:345

/bin/sh
/bin/sh -c "sed -i -e '/de959af4e13c5a0b9799ffecbbee43a30f21763f784262addc650a41ca12f2bb/d' /etc/rc.local"
2⤵
PID:346

/bin/sh
/bin/sh -c "sed -i -e '2 i/etc/de959af4e13c5a0b9799ffecbbee43a30f21763f784262addc650a41ca12f2bb reboot' /etc/rc.local"
2⤵
PID:348

/bin/sh
/bin/sh -c "sed -i -e '2 i/etc/de959af4e13c5a0b9799ffecbbee43a30f21763f784262addc650a41ca12f2bb start' /etc/rc.d/rc.local"
2⤵
PID:350

/bin/sh
/bin/sh -c "sed -i -e '2 i/etc/de959af4e13c5a0b9799ffecbbee43a30f21763f784262addc650a41ca12f2bb start' /etc/init.d/boot.local"
2⤵
PID:352