c81d4770e812ddc883ead8ff41fd2e5a7d5bc8056521219ccf8784219d1bd819

General

Target

h4
Size

5.7MB
MD5

9741b569c88166bbc9bbdc2dea6797b9
SHA1

66b9dfae6a32b9b024b351b675275be7efcffff6
SHA256

c81d4770e812ddc883ead8ff41fd2e5a7d5bc8056521219ccf8784219d1bd819
SHA512

9b76fea5e2f40258a75d819613db03d33dc2eb47f62a5f5d9284a966ae43dc9c8e9459d83f083e080798505310f4d229dd2a935c8dc94419697ca9eaf6b7be8c

Score

9^/10

antivm

Malware Config

Signatures

Attempts to identify hypervisor via CPU configuration 1 TTPs 1 IoCs
Checks CPU information for indicators that the system is a virtual machine.
antivm

Virtualization/Sandbox Evasion
T1497

Processes:

h4

description ioc process

/proc/cpuinfo /proc/cpuinfo h4
Modifies hosts file 1 IoCs
Adds to hosts file used for mapping hosts to IP addresses.

Processes:

description ioc

/etc/hosts /etc/hosts
Writes DNS configuration 1 TTPs 1 IoCs
Writes data to DNS resolver config file.

Dynamic Resolution
T1568

Processes:

description ioc

/etc/resolv.conf /etc/resolv.conf

description	ioc	process
/proc/cpuinfo	/proc/cpuinfo	h4

description	ioc
/etc/hosts	/etc/hosts

description	ioc
/etc/resolv.conf	/etc/resolv.conf

Reads CPU attributes 1 TTPs 3 IoCs

System Information Discovery

T1082

Processes:

h4

description	ioc	process
/sys/devices/system/cpu/online	/sys/devices/system/cpu/online	h4
/sys/devices/system/cpu/types	/sys/devices/system/cpu/types	h4
/sys/devices/system/cpu/possible	/sys/devices/system/cpu/possible	h4

Enumerates kernel/hardware configuration 1 TTPs 64 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

T1082

Processes:

h4

Reads runtime system information 5 IoCs

Reads data from /proc virtual filesystem.

Processes:

h4

description	ioc	process
/proc/mounts	/proc/mounts	h4
/proc/self/cpuset	/proc/self/cpuset	h4
/proc/meminfo	/proc/meminfo	h4
/proc/driver/nvidia/gpus	/proc/driver/nvidia/gpus	h4
/proc/meminfo	/proc/meminfo

Writes file to tmp directory 1 IoCs
Malware often drops required files in the /tmp directory.

Processes:

h4

description ioc process

/tmp/config.json /tmp/config.json h4

description	ioc	process
/tmp/config.json	/tmp/config.json	h4

/tmp/h4
/tmp/h4
1⤵
- Attempts to identify hypervisor via CPU configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
- Writes file to tmp directory
PID:571

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Virtualization/Sandbox Evasion

1

T1497

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Dynamic Resolution

1

T1568

Impact

description	ioc	process
/sys/bus/cpu/devices/cpu0/cache/index0/type	/sys/bus/cpu/devices/cpu0/cache/index0/type	h4
/sys/bus/node/devices/node0/access1/initiators	/sys/bus/node/devices/node0/access1/initiators	h4
/sys/bus/node/devices/node0/hugepages/hugepages-2048kB/nr_hugepages	/sys/bus/node/devices/node0/hugepages/hugepages-2048kB/nr_hugepages	h4
/sys/bus/cpu/devices/cpu0/topology/thread_siblings	/sys/bus/cpu/devices/cpu0/topology/thread_siblings	h4
/sys/bus/cpu/devices/cpu0/cache/index2/coherency_line_size	/sys/bus/cpu/devices/cpu0/cache/index2/coherency_line_size	h4
/sys/bus/cpu/devices/cpu0/cache/index2/physical_line_partition	/sys/bus/cpu/devices/cpu0/cache/index2/physical_line_partition	h4
/sys/bus/cpu/devices/cpu0/cache/index3/number_of_sets	/sys/bus/cpu/devices/cpu0/cache/index3/number_of_sets	h4
/sys/bus/node/devices/node0/access0/initiators	/sys/bus/node/devices/node0/access0/initiators	h4
/sys/devices/virtual/dmi/id/product_name	/sys/devices/virtual/dmi/id/product_name	h4
/sys/devices/virtual/dmi/id/chassis_vendor	/sys/devices/virtual/dmi/id/chassis_vendor	h4
/sys/bus/cpu/devices/cpu0/cache/index3/size	/sys/bus/cpu/devices/cpu0/cache/index3/size	h4
/sys/bus/cpu/devices/cpu0/cache/index4/shared_cpu_map	/sys/bus/cpu/devices/cpu0/cache/index4/shared_cpu_map	h4
/sys/bus/node/devices/node0/access0/initiators/read_latency	/sys/bus/node/devices/node0/access0/initiators/read_latency	h4
/sys/devices/virtual/dmi/id/board_name	/sys/devices/virtual/dmi/id/board_name	h4
/sys/devices/virtual/dmi/id/chassis_type	/sys/devices/virtual/dmi/id/chassis_type	h4
/sys/bus/cpu/devices/cpu0/cache/index1/shared_cpu_map	/sys/bus/cpu/devices/cpu0/cache/index1/shared_cpu_map	h4
/sys/bus/cpu/devices/cpu0/cache/index2/level	/sys/bus/cpu/devices/cpu0/cache/index2/level	h4
/sys/bus/cpu/devices/cpu0/cache/index3/type	/sys/bus/cpu/devices/cpu0/cache/index3/type	h4
/sys/devices/virtual/dmi/id/chassis_serial	/sys/devices/virtual/dmi/id/chassis_serial	h4
/sys/devices/virtual/dmi/id/chassis_asset_tag	/sys/devices/virtual/dmi/id/chassis_asset_tag	h4
/sys/bus/node/devices/node0/meminfo	/sys/bus/node/devices/node0/meminfo	h4
/sys/bus/dax/devices/	/sys/bus/dax/devices/	h4
/sys/bus/cpu/devices/cpu0/topology/core_siblings	/sys/bus/cpu/devices/cpu0/topology/core_siblings	h4
/sys/bus/cpu/devices/cpu0/topology/physical_package_id	/sys/bus/cpu/devices/cpu0/topology/physical_package_id	h4
/sys/bus/cpu/devices/cpu0/cache/index3/shared_cpu_map	/sys/bus/cpu/devices/cpu0/cache/index3/shared_cpu_map	h4
/sys/bus/cpu/devices/cpu0/cpufreq/base_frequency	/sys/bus/cpu/devices/cpu0/cpufreq/base_frequency	h4
/sys/bus/cpu/devices/cpu0/cache/index0/shared_cpu_map	/sys/bus/cpu/devices/cpu0/cache/index0/shared_cpu_map	h4
/sys/bus/cpu/devices/cpu0/cache/index2/number_of_sets	/sys/bus/cpu/devices/cpu0/cache/index2/number_of_sets	h4
/sys/bus/cpu/devices/cpu0/topology/die_cpus	/sys/bus/cpu/devices/cpu0/topology/die_cpus	h4
/sys/devices/virtual/dmi/id/chassis_version	/sys/devices/virtual/dmi/id/chassis_version	h4
/sys/devices/virtual/dmi/id	/sys/devices/virtual/dmi/id	h4
/sys/devices/virtual/dmi/id/sys_vendor	/sys/devices/virtual/dmi/id/sys_vendor	h4
/sys/bus/cpu/devices/cpu0/cache/index7/shared_cpu_map	/sys/bus/cpu/devices/cpu0/cache/index7/shared_cpu_map	h4
/sys/bus/cpu/devices/cpu0/cache/index9/shared_cpu_map	/sys/bus/cpu/devices/cpu0/cache/index9/shared_cpu_map	h4
/sys/bus/node/devices/node0/access0/initiators/read_bandwidth	/sys/bus/node/devices/node0/access0/initiators/read_bandwidth	h4
/sys/devices/system/node/online	/sys/devices/system/node/online	h4
/sys/bus/node/devices/node0/cpumap	/sys/bus/node/devices/node0/cpumap	h4
/sys/bus/cpu/devices/cpu0/cache/index0/size	/sys/bus/cpu/devices/cpu0/cache/index0/size	h4
/sys/bus/cpu/devices/cpu0/cache/index0/coherency_line_size	/sys/bus/cpu/devices/cpu0/cache/index0/coherency_line_size	h4
/sys/bus/cpu/devices/cpu0/cache/index3/physical_line_partition	/sys/bus/cpu/devices/cpu0/cache/index3/physical_line_partition	h4
/sys/devices/virtual/dmi/id/board_vendor	/sys/devices/virtual/dmi/id/board_vendor	h4
/sys/fs/cgroup/cpuset//cpuset.mems	/sys/fs/cgroup/cpuset//cpuset.mems	h4
/sys/devices/virtual/dmi/id/product_serial	/sys/devices/virtual/dmi/id/product_serial	h4
/sys/devices/virtual/dmi/id/product_uuid	/sys/devices/virtual/dmi/id/product_uuid	h4
/sys/bus/cpu/devices/cpu0/cache/index2/type	/sys/bus/cpu/devices/cpu0/cache/index2/type	h4
/sys/bus/cpu/devices/cpu0/cache/index3/coherency_line_size	/sys/bus/cpu/devices/cpu0/cache/index3/coherency_line_size	h4
/sys/devices/virtual/dmi/id/bios_date	/sys/devices/virtual/dmi/id/bios_date	h4
/sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages	/sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages	h4
/sys/devices/virtual/dmi/id/product_version	/sys/devices/virtual/dmi/id/product_version	h4
/sys/devices/virtual/dmi/id/board_asset_tag	/sys/devices/virtual/dmi/id/board_asset_tag	h4
/sys/devices/virtual/dmi/id/bios_vendor	/sys/devices/virtual/dmi/id/bios_vendor	h4
/sys/bus/cpu/devices/cpu0/cache/index0/number_of_sets	/sys/bus/cpu/devices/cpu0/cache/index0/number_of_sets	h4
/sys/bus/cpu/devices/cpu0/cache/index0/physical_line_partition	/sys/bus/cpu/devices/cpu0/cache/index0/physical_line_partition	h4
/sys/bus/cpu/devices/cpu0/cache/index8/shared_cpu_map	/sys/bus/cpu/devices/cpu0/cache/index8/shared_cpu_map	h4
/sys/devices/virtual/dmi/id/board_version	/sys/devices/virtual/dmi/id/board_version	h4
/sys/bus/cpu/devices	/sys/bus/cpu/devices	h4
/sys/bus/cpu/devices/cpu0/cache/index3/level	/sys/bus/cpu/devices/cpu0/cache/index3/level	h4
/sys/kernel/mm/hugepages	/sys/kernel/mm/hugepages	h4
/sys/bus/cpu/devices/cpu0/cache/index2/shared_cpu_map	/sys/bus/cpu/devices/cpu0/cache/index2/shared_cpu_map	h4
/sys/bus/cpu/devices/cpu0/cache/index2/size	/sys/bus/cpu/devices/cpu0/cache/index2/size	h4
/sys/bus/node/devices/node0/hugepages	/sys/bus/node/devices/node0/hugepages	h4
/sys/devices/virtual/dmi/id/board_serial	/sys/devices/virtual/dmi/id/board_serial	h4
/sys/fs/cgroup/unified/cgroup.controllers	/sys/fs/cgroup/unified/cgroup.controllers	h4
/sys/fs/cgroup/cpuset//cpuset.cpus	/sys/fs/cgroup/cpuset//cpuset.cpus	h4

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads