1fe108997a73ffb91d6f85bb9e87bcb0f74224474182d0c66c032a87e7385688

Analysis

max time kernel
12s
max time network
133s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20231026-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20231026-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
13/11/2023, 02:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

22294
Size

8.2MB
MD5

386b838f8e6c4a5cfbe29fc8bc674103
SHA1

00c7f79c669994a22468e9687a1be0c682845519
SHA256

1fe108997a73ffb91d6f85bb9e87bcb0f74224474182d0c66c032a87e7385688
SHA512

4dd0cdabb15a6a6e0b04d8dc19d15c9715c0b57b74dbdafe7c415956b6ae01a739812e1f5fe3655ac33a03ebd481da612996b13830eceeb4b9303309dd928075
SSDEEP

49152:3SWRptLrnjPs9tvKeD7UOWvNEyOmf6etrlJ9oaZWuMzjbo0g5dUrASKkLR/GIWAF:iqLPU91db1u4jVZL9Gz0n4uVdjCNE

Score

6^/10

Malware Config

Signatures

Enumerates running processes
Discovers information about currently running processes on the system

Reads CPU attributes 1 TTPs 22 IoCs

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3	22294
File opened for reading	/sys/devices/system/cpu/cpu0/hotplug	22294
File opened for reading	/sys/devices/system/cpu/cpu0/topology	22294
File opened for reading	/sys/devices/system/cpu/hotplug	22294
File opened for reading	/sys/devices/system/cpu/smt	22294
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/power	22294
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index1/power	22294
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/power	22294
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/power	22294
File opened for reading	/sys/devices/system/cpu/cpu0/microcode	22294
File opened for reading	/sys/devices/system/cpu/cpu0/cache	22294
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0	22294
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2	22294
File opened for reading	/sys/devices/system/cpu/cpuidle	22294
File opened for reading	/sys/devices/system/cpu/vulnerabilities	22294
File opened for reading	/sys/devices/system/cpu/cpu0	22294
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index1	22294
File opened for reading	/sys/devices/system/cpu/cpu0/cache/power	22294
File opened for reading	/sys/devices/system/cpu/cpu0/power	22294
File opened for reading	/sys/devices/system/cpu/cpufreq	22294
File opened for reading	/sys/devices/system/cpu/microcode	22294
File opened for reading	/sys/devices/system/cpu/power	22294

Reads hardware information 1 TTPs 1 IoCs

Accesses system info like serial numbers, manufacturer names etc.

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/virtual/dmi/id/power	22294

Reads network interface configuration 2 TTPs 12 IoCs

Fetches information about one or more active network interfaces.

System Network Configuration Discovery

T1016

System Network Connections Discovery

T1049

description	ioc	Process
File opened for reading	/sys/devices/virtual/net/lo/queues/tx-0	22294
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/queues/tx-0	22294
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/queues/tx-0/byte_queue_limits	22294
File opened for reading	/sys/devices/virtual/net/lo/queues	22294
File opened for reading	/sys/devices/virtual/net/lo/queues/rx-0	22294
File opened for reading	/sys/devices/virtual/net/lo/power	22294
File opened for reading	/sys/devices/virtual/net/lo/queues/tx-0/byte_queue_limits	22294
File opened for reading	/sys/devices/virtual/net/lo/statistics	22294
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/power	22294
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/queues	22294
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/queues/rx-0	22294
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/statistics	22294

Enumerates kernel/hardware configuration 1 TTPs 64 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/bus/i2c/drivers/twl6040	22294
File opened for reading	/sys/class/ata_link	22294
File opened for reading	/sys/class/phy	22294
File opened for reading	/sys/kernel/debug/tracing/events/clk/clk_prepare	22294
File opened for reading	/sys/module/ata_piix/drivers	22294
File opened for reading	/sys/devices/platform/serial8250/tty/ttyS7/power	22294
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_enter_sched_setattr	22294
File opened for reading	/sys/module/autofs4/notes	22294
File opened for reading	/sys/devices/pci0000:00/0000:00:01.1/ata2/link2/dev2.1/ata_device/dev2.1/power	22294
File opened for reading	/sys/fs/cgroup/systemd/system.slice/unattended-upgrades.service	22294
File opened for reading	/sys/kernel/debug/tracing/events/irq_matrix/irq_matrix_free	22294
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_exit_bpf	22294
File opened for reading	/sys/kernel/debug/tracing/events/timer/hrtimer_init	22294
File opened for reading	/sys/fs/cgroup/unified/system.slice/cups.service	22294
File opened for reading	/sys/fs/cgroup/unified/user.slice/user-0.slice/[email protected]/gvfs-goa-volume-monitor.service	22294
File opened for reading	/sys/kernel/debug/tracing/events/ext4/ext4_collapse_range	22294
File opened for reading	/sys/devices/virtual/net/lo	22294
File opened for reading	/sys/devices/virtual/tty/tty25	22294
File opened for reading	/sys/devices/virtual/tty/tty40/power	22294
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_exit_clock_adjtime	22294
File opened for reading	/sys/kernel/debug/tracing/events/xhci-hcd/xhci_inc_deq	22294
File opened for reading	/sys/class/mem	22294
File opened for reading	/sys/devices/pci0000:00/0000:00:01.1/ata2/ata_port/ata2/power	22294
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_enter_copy_file_range	22294
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_exit_getpeername	22294
File opened for reading	/sys/devices/platform/i8042/serio0/input/input1/input1::capslock	22294
File opened for reading	/sys/fs/cgroup/pids/system.slice/NetworkManager.service	22294
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_exit_mq_open	22294
File opened for reading	/sys/kernel/slab/kmem_cache	22294
File opened for reading	/sys/kernel/slab/proc_inode_cache/cgroup	22294
File opened for reading	/sys/module/psmouse/notes	22294
File opened for reading	/sys/devices/pci0000:00/0000:00:04.0/ata3/link3/dev3.0/ata_device/dev3.0/power	22294
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_enter_acct	22294
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_enter_getrandom	22294
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_exit_shutdown	22294
File opened for reading	/sys/kernel/debug/tracing/events/xhci-hcd/xhci_dbg_context_change	22294
File opened for reading	/sys/fs/cgroup/pids/system.slice/sys-fs-fuse-connections.mount	22294
File opened for reading	/sys/kernel/debug/tracing/events/irq_vectors/vector_activate	22294
File opened for reading	/sys/bus/mdio_bus/drivers	22294
File opened for reading	/sys/kernel/debug/tracing/events/xen/xen_mc_batch	22294
File opened for reading	/sys/bus/i2c/drivers/da9063	22294
File opened for reading	/sys/devices/platform/i8042/serio1/power	22294
File opened for reading	/sys/devices/virtual/vc/vcs/power	22294
File opened for reading	/sys/kernel/debug/tracing/events/ftrace/branch	22294
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_enter_capset	22294
File opened for reading	/sys/devices/platform/serial8250/tty/ttyS23/power	22294
File opened for reading	/sys/kernel/debug/tracing/events/power/clock_disable	22294
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_enter_getpeername	22294
File opened for reading	/sys/kernel/slab/:0000208	22294
File opened for reading	/sys/devices/virtual/tty/tty37	22294
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_enter_rt_sigprocmask	22294
File opened for reading	/sys/kernel/debug/tracing/events/timer	22294
File opened for reading	/sys/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0C0F:04/power	22294
File opened for reading	/sys/devices/virtual/misc/memory_bandwidth	22294
File opened for reading	/sys/devices/virtual/tty/tty4	22294
File opened for reading	/sys/kernel/debug/tracing/events/ext4/ext4_ext_convert_to_initialized_enter	22294
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_enter_mlockall	22294
File opened for reading	/sys/kernel/security/apparmor	22294
File opened for reading	/sys/module/8250/parameters	22294
File opened for reading	/sys/devices/pci0000:00/0000:00:06.0/msi_irqs	22294
File opened for reading	/sys/devices/virtual/bdi/7:6/power	22294
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_enter_epoll_ctl	22294
File opened for reading	/sys/kernel/debug/tracing/events/vmscan/mm_vmscan_kswapd_wake	22294
File opened for reading	/sys/module/stahp/parameters	22294

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/1061/task/1062/fdinfo	22294
File opened for reading	/proc/477/task/477/fdinfo	22294
File opened for reading	/proc/544/net	22294
File opened for reading	/proc/1162/task/1163	22294
File opened for reading	/proc/1348/task	22294
File opened for reading	/proc/82/task/82/net/stat	22294
File opened for reading	/proc/irq/0	22294
File opened for reading	/proc/1348/task/1351/net/netfilter	22294
File opened for reading	/proc/477/attr/apparmor	22294
File opened for reading	/proc/530/task/546/fd	22294
File opened for reading	/proc/1357/task/1358/fd	22294
File opened for reading	/proc/465/task/465/fdinfo	22294
File opened for reading	/proc/1323/attr/apparmor	22294
File opened for reading	/proc/27/net/netfilter	22294
File opened for reading	/proc/530/task/548/net/stat	22294
File opened for reading	/proc/1026/task/1027	22294
File opened for reading	/proc/1166/task/1198/net/stat	22294
File opened for reading	/proc/1307/task/1317/attr/apparmor	22294
File opened for reading	/proc/1479/attr/apparmor	22294
File opened for reading	/proc/501/net/netfilter	22294
File opened for reading	/proc/1190/task/1190	22294
File opened for reading	/proc/1397/task/1406/attr/apparmor	22294
File opened for reading	/proc/1479/fdinfo	22294
File opened for reading	/proc/178/task/178/attr/selinux	22294
File opened for reading	/proc/85/fdinfo	22294
File opened for reading	/proc/968/map_files	22294
File opened for reading	/proc/971/net	22294
File opened for reading	/proc/1117/task/1117/net/dev_snmp6	22294
File opened for reading	/proc/1206/task/1244/net/stat	22294
File opened for reading	/proc/1026/ns	22294
File opened for reading	/proc/1310/task/1314/net/netfilter	22294
File opened for reading	/proc/180/net/dev_snmp6	22294
File opened for reading	/proc/530/task/530/fdinfo	22294
File opened for reading	/proc/208/task/208/net/dev_snmp6	22294
File opened for reading	/proc/733/fd	22294
File opened for reading	/proc/884/task/884/net/stat	22294
File opened for reading	/proc/1272/task/1293/fd	22294
File opened for reading	/proc/1545/task/1547/ns	22294
File opened for reading	/proc/1/attr/apparmor	22294
File opened for reading	/proc/1456/task/1458	22294
File opened for reading	/proc/25/attr/smack	22294
File opened for reading	/proc/487/net/dev_snmp6	22294
File opened for reading	/proc/531/task/534/net/netfilter	22294
File opened for reading	/proc/1086/task/1098	22294
File opened for reading	/proc/1201/task/1246/fdinfo	22294
File opened for reading	/proc/1273/attr/selinux	22294
File opened for reading	/proc/1055/task/1057/attr	22294
File opened for reading	/proc/8/task/8	22294
File opened for reading	/proc/89/task/89	22294
File opened for reading	/proc/1061/task/1063/net/netfilter	22294
File opened for reading	/proc/11/attr/apparmor	22294
File opened for reading	/proc/1479/ns	22294
File opened for reading	/proc/176/map_files	22294
File opened for reading	/proc/432/task	22294
File opened for reading	/proc/489/attr/smack	22294
File opened for reading	/proc/1524/task/1524/attr/selinux	22294
File opened for reading	/proc/1541	22294
File opened for reading	/proc/175/task/175/net/dev_snmp6	22294
File opened for reading	/proc/505/task/505/net	22294
File opened for reading	/proc/1310/task/1313/fdinfo	22294
File opened for reading	/proc/493/attr/smack	22294
File opened for reading	/proc/1149/task/1151/attr	22294
File opened for reading	/proc/1170/attr/smack	22294
File opened for reading	/proc/1310/map_files	22294

/tmp/22294
/tmp/22294
1⤵
- Reads CPU attributes
- Reads hardware information
- Reads network interface configuration
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:1545

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Network Configuration Discovery

T1016

System Network Connections Discovery

T1049

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads