9d5036d204e6598fd4c4ac93688c9acdec3d6a1e4d14018ec16db955f3ee8b24

description	ioc	Process
File opened for reading	/proc/cpuinfo	mine

Checks hardware identifiers (DMI) 1 TTPs 4 IoCs

Checks DMI information which indicate if the system is a virtual machine.

antivm

Virtualization/Sandbox Evasion

description	ioc	Process
File opened for reading	/sys/devices/virtual/dmi/id/product_name	mine
File opened for reading	/sys/devices/virtual/dmi/id/board_vendor	mine
File opened for reading	/sys/devices/virtual/dmi/id/bios_vendor	mine
File opened for reading	/sys/devices/virtual/dmi/id/sys_vendor	mine

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

persistence

Scheduled Task/Job

description	ioc	Process
File opened for modification	/var/spool/cron/crontabs/tmp.bKSM6j	crontab

Enumerates running processes
Discovers information about currently running processes on the system

Reads CPU attributes 1 TTPs 47 IoCs

System Information Discovery

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/possible	mine
File opened for reading	/sys/devices/system/cpu/cpu0/topology/cluster_cpus	mine
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/coherency_line_size	mine
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/number_of_sets	mine
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index6/shared_cpu_map	mine
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/id	mine
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index5/shared_cpu_map	mine
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/shared_cpu_map	mine
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/level	mine
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/type	mine
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/physical_line_partition	mine
File opened for reading	/sys/devices/system/cpu/cpu0/cpu_capacity	mine
File opened for reading	/sys/devices/system/cpu/cpu0/topology/core_id	mine
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/id	mine
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index1/id	mine
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/shared_cpu_map	mine
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/size	mine
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/coherency_line_size	mine
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/number_of_sets	mine
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index4/shared_cpu_map	mine
File opened for reading	/sys/devices/system/cpu/online	mine
File opened for reading	/sys/devices/system/cpu/cpu0/topology/core_siblings	mine
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/type	mine
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/id	mine
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index8/shared_cpu_map	mine
File opened for reading	/sys/devices/system/cpu/cpu0/cpufreq/base_frequency	mine
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/size	mine
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/level	mine
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/type	mine
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/size	mine
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index1/shared_cpu_map	mine
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index1/type	mine
File opened for reading	/sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq	mine
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/cpu0/topology/thread_siblings	mine
File opened for reading	/sys/devices/system/cpu/cpu0/topology/die_cpus	mine
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index1/level	mine
File opened for reading	/sys/devices/system/cpu/cpu0/topology/physical_package_id	mine
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/shared_cpu_map	mine
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/level	mine
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index7/shared_cpu_map	mine
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index9/shared_cpu_map	mine
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/coherency_line_size	mine
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/number_of_sets	mine
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/physical_line_partition	mine
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/physical_line_partition	mine

Reads hardware information 1 TTPs 14 IoCs

Accesses system info like serial numbers, manufacturer names etc.

System Information Discovery

description	ioc	Process
File opened for reading	/sys/devices/virtual/dmi/id/product_version	mine
File opened for reading	/sys/devices/virtual/dmi/id/board_version	mine
File opened for reading	/sys/devices/virtual/dmi/id/bios_date	mine
File opened for reading	/sys/devices/virtual/dmi/id/board_name	mine
File opened for reading	/sys/devices/virtual/dmi/id/chassis_asset_tag	mine
File opened for reading	/sys/devices/virtual/dmi/id/product_serial	mine
File opened for reading	/sys/devices/virtual/dmi/id/chassis_vendor	mine
File opened for reading	/sys/devices/virtual/dmi/id/chassis_serial	mine
File opened for reading	/sys/devices/virtual/dmi/id/product_uuid	mine
File opened for reading	/sys/devices/virtual/dmi/id/board_serial	mine
File opened for reading	/sys/devices/virtual/dmi/id/board_asset_tag	mine
File opened for reading	/sys/devices/virtual/dmi/id/chassis_type	mine
File opened for reading	/sys/devices/virtual/dmi/id/chassis_version	mine
File opened for reading	/sys/devices/virtual/dmi/id/bios_version	mine

Enumerates kernel/hardware configuration 1 TTPs 21 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

description	ioc	Process
File opened for reading	/sys/kernel/mm/hugepages	mine
File opened for reading	/sys/devices/system/node/online	mine
File opened for reading	/sys/devices/system/node/node0/cpumap	mine
File opened for reading	/sys/devices/system/node/node0/access1/initiators	mine
File opened for reading	/sys/devices/system/node/node0/hugepages/hugepages-2048kB/nr_hugepages	mine
File opened for reading	/sys/devices/system/node/node0/access0/initiators/write_latency	mine
File opened for reading	/sys/firmware/dmi/tables/smbios_entry_point	Process not Found
File opened for reading	/sys/fs/cgroup/cpuset/cpuset.mems	mine
File opened for reading	/sys/devices/system/cpu	mine
File opened for reading	/sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages	mine
File opened for reading	/sys/devices/system/node/node0/hugepages	mine
File opened for reading	/sys/fs/cgroup/unified/cgroup.controllers	mine
File opened for reading	/sys/devices/system/node/node0/access0/initiators/read_bandwidth	mine
File opened for reading	/sys/devices/virtual/dmi/id	mine
File opened for reading	/sys/firmware/dmi/tables/DMI	Process not Found
File opened for reading	/sys/devices/system/node/node0/access0/initiators/write_bandwidth	mine
File opened for reading	/sys/devices/system/node/node0/access0/initiators/read_latency	mine
File opened for reading	/sys/fs/cgroup/cpuset/cpuset.cpus	mine
File opened for reading	/sys/devices/system/node/node0/meminfo	mine
File opened for reading	/sys/bus/dax/devices	mine
File opened for reading	/sys/devices/system/node/node0/access0/initiators	mine

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/461/cmdline	pkill
File opened for reading	/proc/1150/status	ps
File opened for reading	/proc/1557/stat	ps
File opened for reading	/proc/1157/cmdline	pkill
File opened for reading	/proc/158/status	ps
File opened for reading	/proc/171/cmdline	ps
File opened for reading	/proc/587/cmdline	ps
File opened for reading	/proc/8/cmdline	pkill
File opened for reading	/proc/16/status	pkill
File opened for reading	/proc/32/cmdline	pkill
File opened for reading	/proc/6/status	pkill
File opened for reading	/proc/16/status	ps
File opened for reading	/proc/1556/stat	ps
File opened for reading	/proc/961/cmdline	ps
File opened for reading	/proc/1181/stat	ps
File opened for reading	/proc/28/status	pkill
File opened for reading	/proc/315/status	pkill
File opened for reading	/proc/115/status	ps
File opened for reading	/proc/961/status	pkill
File opened for reading	/proc/460/status	ps
File opened for reading	/proc/1299/status	ps
File opened for reading	/proc/159/status	ps
File opened for reading	/proc/1068/status	ps
File opened for reading	/proc/25/status	pkill
File opened for reading	/proc/5/cmdline	ps
File opened for reading	/proc/20/status	ps
File opened for reading	/proc/315/cmdline	pkill
File opened for reading	/proc/508/stat	ps
File opened for reading	/proc/588/cmdline	ps
File opened for reading	/proc/1160/status	pkill
File opened for reading	/proc/22/cmdline	ps
File opened for reading	/proc/315/cmdline	ps
File opened for reading	/proc/1149/cmdline	ps
File opened for reading	/proc/11/cmdline	pkill
File opened for reading	/proc/29/cmdline	pkill
File opened for reading	/proc/23/cmdline	ps
File opened for reading	/proc/36/cmdline	ps
File opened for reading	/proc/89/stat	ps
File opened for reading	/proc/310/cmdline	ps
File opened for reading	/proc/1068/cmdline	pkill
File opened for reading	/proc/1556/cmdline	pkill
File opened for reading	/proc/23/status	ps
File opened for reading	/proc/427/status	pkill
File opened for reading	/proc/1187/cmdline	ps
File opened for reading	/proc/21/cmdline	ps
File opened for reading	/proc/160/cmdline	pkill
File opened for reading	/proc/162/cmdline	pkill
File opened for reading	/proc/160/status	ps
File opened for reading	/proc/458/status	ps
File opened for reading	/proc/1063/stat	ps
File opened for reading	/proc/1605/status	ps
File opened for reading	/proc/20/status	pkill
File opened for reading	/proc/196/status	pkill
File opened for reading	/proc/508/status	pkill
File opened for reading	/proc/82/stat	ps
File opened for reading	/proc/1285/cmdline	ps
File opened for reading	/proc/6/cmdline	pkill
File opened for reading	/proc/702/cmdline	pkill
File opened for reading	/proc/1005/status	pkill
File opened for reading	/proc/437/cmdline	pkill
File opened for reading	/proc/542/cmdline	pkill
File opened for reading	/proc/1603/cmdline	ps
File opened for reading	/proc/171/status	ps
File opened for reading	/proc/430/stat	ps

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/sh-thd.SbPsNX	ai.sh

/tmp/ai.sh
/tmp/ai.sh
1⤵
- Writes file to tmp directory
PID:1562
- /bin/grep
  grep EST
  2⤵
  PID:1567
- /bin/grep
  grep 94.241.140.177
  2⤵
  PID:1568
- /bin/grep
  grep 80
  2⤵
  PID:1569
- /bin/mkdir
  mkdir -p /var/tmp/.22
  2⤵
  PID:1570
- /bin/tar
  tar -xf xm.jpg
  2⤵
  PID:1576
- - /usr/local/sbin/gzip
    gzip -d
    3⤵
    PID:1577
- - /usr/local/bin/gzip
    gzip -d
    3⤵
    PID:1577
- - /usr/sbin/gzip
    gzip -d
    3⤵
    PID:1577
- - /usr/bin/gzip
    gzip -d
    3⤵
    PID:1577
- - /sbin/gzip
    gzip -d
    3⤵
    PID:1577
- - /bin/gzip
    gzip -d
    3⤵
    PID:1577
- /bin/chmod
  chmod +x start
  2⤵
  PID:1578
- /var/tmp/.22/start
  ./start
  2⤵
  - Executes dropped EXE
  PID:1579
- - /bin/uname
    uname -m
    3⤵
    PID:1580
- - /bin/cp
    cp x86_64 mine
    3⤵
    PID:1581
- - /var/tmp/.22/hide
    ./hide
    3⤵
    - Executes dropped EXE
    PID:1582

/usr/bin/base64
base64 -d
1⤵
PID:1565

/bin/cat
cat
1⤵
PID:1575

/var/tmp/.22/create
./create
1⤵
- Executes dropped EXE
PID:1583
- /bin/cat
  cat auto
  2⤵
  PID:1584
- /usr/bin/crontab
  crontab cronjobs
  2⤵
  - Creates/modifies Cron job
  PID:1585
- /bin/rm
  rm -f cronjobs
  2⤵
  PID:1586
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1587
- /bin/chmod
  chmod u+x auto init.d
  2⤵
  PID:1588
- /bin/sh
  sh -c "./auto > /dev/null 2>&1 &"
  2⤵
  PID:1589
- /bin/rm
  rm -f aarch64 x86_64 hide.c init.c start create
  2⤵
  PID:1591

/var/tmp/.22/auto
./auto
1⤵
- Executes dropped EXE
PID:1590
- /var/tmp/.22/init.d
  /var/tmp/.22/init.d
  2⤵
  PID:1592
- /bin/chmod
  chmod 755 auto hide init init.d logs mine mining mkcfg xm.jpg
  2⤵
  PID:1594
- /usr/bin/pkill
  pkill -9 init
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1596

/var/tmp/.22/init
./init
1⤵
- Executes dropped EXE
PID:1593

/var/tmp/.22/mining
./mining
1⤵
- Executes dropped EXE
PID:1597
- /var/tmp/.22/init
  /var/tmp/.22/init
  2⤵
  - Executes dropped EXE
  PID:1599
- /bin/uname
  uname -m
  2⤵
  PID:1601
- /var/tmp/.22/hide
  ./hide -s "sendmail: accepting connections" ./mine
  2⤵
  - Executes dropped EXE
  PID:1602
- /var/tmp/.22/mine
  "sendmail: accepting connections"
  2⤵
  - Executes dropped EXE
  - Checks CPU configuration
  - Checks hardware identifiers (DMI)
  - Reads CPU attributes
  - Reads hardware information
  - Enumerates kernel/hardware configuration
  PID:1602
- /bin/ps
  ps -ef
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1603
- /bin/grep
  grep "sendmail: accepting connections"
  2⤵
  PID:1604
- /bin/grep
  grep -v grep
  2⤵
  PID:1605
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1606
- /usr/bin/head
  head -1
  2⤵
  PID:1608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

System Information Discovery

Virtualization/Sandbox Evasion