ea1872b2835128e3cb49a0bc27e4727ca33c4e6eba1e80422db19b505f965bc4

General

Target

revil.bin
Size

102KB
MD5

395249d3e6dae1caff6b5b2e1f75bacd
SHA1

29f16c046a344e0d0adfea80d5d7958d6b6b8cfa
SHA256

ea1872b2835128e3cb49a0bc27e4727ca33c4e6eba1e80422db19b505f965bc4
SHA512

54bf867c030f708eb0975825d7c8e4c1b3bca49451bc08ebc3bb9fbd10e9ffdce82332ca200ee960b8ce7dfee1247e52c4ca11041cd976aa7cee6d4957144714

Score

6^/10

Malware Config

Signatures

Reads CPU attributes 1 TTPs 1 IoCs

System Information Discovery
T1082

Processes:

pkill

description ioc process

/sys/devices/system/cpu/online /sys/devices/system/cpu/online pkill

description	ioc	process
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	pkill

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

Processes:

pkill

description	ioc	process
/proc/22/cmdline	/proc/22/cmdline	pkill
/proc/158/cmdline	/proc/158/cmdline	pkill
/proc/166/cmdline	/proc/166/cmdline	pkill
/proc/285/status	/proc/285/status	pkill
/proc/581/status	/proc/581/status	pkill
/proc/12/cmdline	/proc/12/cmdline	pkill
/proc/18/cmdline	/proc/18/cmdline	pkill
/proc/80/cmdline	/proc/80/cmdline	pkill
/proc/379/cmdline	/proc/379/cmdline	pkill
/proc/4/status	/proc/4/status	pkill
/proc/89/status	/proc/89/status	pkill
/proc/115/status	/proc/115/status	pkill
/proc/115/cmdline	/proc/115/cmdline	pkill
/proc/358/cmdline	/proc/358/cmdline	pkill
/proc/379/status	/proc/379/status	pkill
/proc/29/cmdline	/proc/29/cmdline	pkill
/proc/31/cmdline	/proc/31/cmdline	pkill
/proc/32/cmdline	/proc/32/cmdline	pkill
/proc/78/status	/proc/78/status	pkill
/proc/425/status	/proc/425/status	pkill
/proc/451/cmdline	/proc/451/cmdline	pkill
/proc/19/status	/proc/19/status	pkill
/proc/162/status	/proc/162/status	pkill
/proc/169/status	/proc/169/status	pkill
/proc/345/cmdline	/proc/345/cmdline	pkill
/proc/360/status	/proc/360/status	pkill
/proc/364/cmdline	/proc/364/cmdline	pkill
/proc/285/cmdline	/proc/285/cmdline	pkill
/proc/372/cmdline	/proc/372/cmdline	pkill
/proc/2/status	/proc/2/status	pkill
/proc/11/status	/proc/11/status	pkill
/proc/12/status	/proc/12/status	pkill
/proc/20/cmdline	/proc/20/cmdline	pkill
/proc/158/status	/proc/158/status	pkill
/proc/169/cmdline	/proc/169/cmdline	pkill
/proc/1/status	/proc/1/status	pkill
/proc/15/cmdline	/proc/15/cmdline	pkill
/proc/34/cmdline	/proc/34/cmdline	pkill
/proc/89/cmdline	/proc/89/cmdline	pkill
/proc/165/status	/proc/165/status	pkill
/proc/79/cmdline	/proc/79/cmdline	pkill
/proc/163/cmdline	/proc/163/cmdline	pkill
/proc/579/status	/proc/579/status	pkill
/proc/155/status	/proc/155/status	pkill
/proc/159/status	/proc/159/status	pkill
/proc/160/status	/proc/160/status	pkill
/proc/168/cmdline	/proc/168/cmdline	pkill
/proc/170/cmdline	/proc/170/cmdline	pkill
/proc/14/cmdline	/proc/14/cmdline	pkill
/proc/80/status	/proc/80/status	pkill
/proc/81/cmdline	/proc/81/cmdline	pkill
/proc/130/status	/proc/130/status	pkill
/proc/155/cmdline	/proc/155/cmdline	pkill
/proc/161/cmdline	/proc/161/cmdline	pkill
/proc/6/status	/proc/6/status	pkill
/proc/10/cmdline	/proc/10/cmdline	pkill
/proc/27/status	/proc/27/status	pkill
/proc/36/status	/proc/36/status	pkill
/proc/83/cmdline	/proc/83/cmdline	pkill
/proc/2/cmdline	/proc/2/cmdline	pkill
/proc/11/cmdline	/proc/11/cmdline	pkill
/proc/21/cmdline	/proc/21/cmdline	pkill
/proc/26/cmdline	/proc/26/cmdline	pkill
/proc/165/cmdline	/proc/165/cmdline	pkill

./revil.bin
./revil.bin
1⤵
PID:581

/bin/sh
sh -c "uname -a && echo \" | \" && hostname"
2⤵
PID:582

/bin/uname
uname -a
3⤵
PID:583

/bin/hostname
hostname
3⤵
PID:584

/bin/sh
sh -c "uname -a && echo \" | \" && hostname"
2⤵
PID:585

/bin/uname
uname -a
3⤵
PID:586

/bin/hostname
hostname
3⤵
PID:587

/bin/sh
sh -c "pkill -9 vmx-*"
2⤵
PID:588

/usr/bin/pkill
pkill -9 "vmx-*"
3⤵
- Reads CPU attributes
- Reads runtime system information
PID:589

/bin/sh
sh -c "esxcli --formatter=csv --format-param=fields==\"WorldID,DisplayName\" vm process list | awk -F \"\\\"*,\\\"*\" '{system(\"esxcli vm process kill --type=force --world-id=\" \$1)}'"
2⤵
PID:590

/usr/bin/awk
awk -F "\"*,\"*" "{system(\"esxcli vm process kill --type=force --world-id=\" \$1)}"
3⤵
PID:592

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads