106db86e650ecabf95158ff04e0cb22e89682d792e31490e33828a74cff53104

Analysis

max time kernel
17676s
max time network
103s
platform
linux_amd64
resource
ubuntu1804-amd64-en-20211208
submitted
01-07-2022 05:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

106db86e650ecabf95158ff04e0cb22e89682d792e31490e33828a74cff53104
Size

8.2MB
MD5

af7bee72c11cf18c92b171ff8494c652
SHA1

e3316f59eb7de8a140b09a7a49d14e8a7ebfe0ac
SHA256

106db86e650ecabf95158ff04e0cb22e89682d792e31490e33828a74cff53104
SHA512

0f5c50f643c801186a71df6ff4114e666476c996f6211cd7f992e6116a1df8671d08c103468f5311b5be343f7ee8475b63ed0606d779b8413ff9ae2801c620a6

Score

9^/10

antivm

Malware Config

Signatures

Attempts to identify hypervisor via CPU configuration 1 TTPs 2 IoCs
Checks CPU information for indicators that the system is a virtual machine.
antivm

Virtualization/Sandbox Evasion
T1497

Processes:

catcat

description ioc process

/proc/cpuinfo /proc/cpuinfo cat
/proc/cpuinfo /proc/cpuinfo cat
Modifies hosts file 1 IoCs
Adds to hosts file used for mapping hosts to IP addresses.

Processes:

description ioc

/etc/hosts /etc/hosts
Writes DNS configuration 1 TTPs 1 IoCs
Writes data to DNS resolver config file.

Dynamic Resolution
T1568

Processes:

description ioc

/etc/resolv.conf /etc/resolv.conf

description	ioc	process
/proc/cpuinfo	/proc/cpuinfo	cat
/proc/cpuinfo	/proc/cpuinfo	cat

description	ioc
/etc/hosts	/etc/hosts

description	ioc
/etc/resolv.conf	/etc/resolv.conf

Reads runtime system information 4 IoCs

Reads data from /proc virtual filesystem.

Processes:

106db86e650ecabf95158ff04e0cb22e89682d792e31490e33828a74cff53104cat106db86e650ecabf95158ff04e0cb22e89682d792e31490e33828a74cff53104cat

description	ioc	process
/proc/sys/net/core/somaxconn	/proc/sys/net/core/somaxconn	106db86e650ecabf95158ff04e0cb22e89682d792e31490e33828a74cff53104
/proc/version	/proc/version	cat
/proc/sys/net/core/somaxconn	/proc/sys/net/core/somaxconn	106db86e650ecabf95158ff04e0cb22e89682d792e31490e33828a74cff53104
/proc/version	/proc/version	cat

Writes file to tmp directory 4 IoCs

Malware often drops required files in the /tmp directory.

Processes:

crontab

description	ioc
/tmp/.pid	/tmp/.pid
/tmp/nip9iNeiph5chee	/tmp/nip9iNeiph5chee
/tmp/nip9iNeiph5chee	/tmp/nip9iNeiph5chee	crontab
/tmp/[stealth].pid	/tmp/[stealth].pid

./106db86e650ecabf95158ff04e0cb22e89682d792e31490e33828a74cff53104
./106db86e650ecabf95158ff04e0cb22e89682d792e31490e33828a74cff53104
1⤵
- Reads runtime system information
PID:593

/bin/cat
cat /proc/version
2⤵
- Reads runtime system information
PID:597

/bin/cat
cat /proc/cpuinfo
1⤵
- Attempts to identify hypervisor via CPU configuration
PID:599

/bin/uname
uname -a
1⤵
PID:600

/usr/bin/getconf
getconf LONG_BIT
1⤵
PID:605

/tmp/106db86e650ecabf95158ff04e0cb22e89682d792e31490e33828a74cff53104
"[stealth]"
1⤵
- Reads runtime system information
PID:606

/bin/cat
cat /proc/version
2⤵
- Reads runtime system information
PID:610

/bin/cat
cat /proc/cpuinfo
1⤵
- Attempts to identify hypervisor via CPU configuration
PID:611

/bin/uname
uname -a
1⤵
PID:612

/usr/bin/getconf
getconf LONG_BIT
1⤵
PID:613

/usr/bin/crontab
/usr/bin/crontab /tmp/nip9iNeiph5chee
1⤵
- Writes file to tmp directory
PID:615

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Exfiltration

Command and Control

Dynamic Resolution

T1568

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads