Overview

7  Static
1  getroot/full-nelson  ubuntu-18.04-amd64
   getroot/go.sh  windows7-x64
3  getroot/go.sh  windows10-2004-x64
3  getroot/ho...endmsg  ubuntu-18.04-amd64
   getroot/ip...d_data  ubuntu-18.04-amd64
   getroot/k-rad3  ubuntu-18.04-amd64
1  getroot/linux-gate  ubuntu-18.04-amd64
   getroot/mc...filter  ubuntu-18.04-amd64
   getroot/pr...redump  ubuntu-18.04-amd64
   getroot/prctlpute  ubuntu-18.04-amd64
   getroot/pt...keuser  ubuntu-18.04-amd64
7  getroot/rds-privesc  ubuntu-18.04-amd64
   getroot/udev-141  ubuntu-18.04-amd64
   getroot/vmsplice  ubuntu-18.04-amd64
   getroot/vmsplice2  ubuntu-18.04-amd64
1  getroot/vmsplice3  ubuntu-18.04-amd64
Analysis
  max time kernel: 122s
  max time network: 131s
  platform: windows7_x64
  resource: win7-20231215-en
  resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  submitted: 22-12-2023 12:26
Static task
  static1

Behavioral tasks
  behavioral1   Sample: getroot/full-nelson         Resource: ubuntu1804-amd64-20231215-en
  behavioral2   Sample: getroot/go.sh               Resource: win7-20231215-en
  behavioral3   Sample: getroot/go.sh               Resource: win10v2004-20231215-en
  behavioral4   Sample: getroot/hoagie_udpsendmsg   Resource: ubuntu1804-amd64-20231215-en
  behavioral5   Sample: getroot/ip_append_data      Resource: ubuntu1804-amd64-20231222-en
  behavioral6   Sample: getroot/k-rad3              Resource: ubuntu1804-amd64-20231215-en
  behavioral7   Sample: getroot/linux-gate          Resource: ubuntu1804-amd64-20231215-en
  behavioral8   Sample: getroot/mcast_msfilter      Resource: ubuntu1804-amd64-20231215-en
  behavioral9   Sample: getroot/prctl_coredump      Resource: ubuntu1804-amd64-20231222-en
  behavioral10  Sample: getroot/prctlpute           Resource: ubuntu1804-amd64-20231215-en
  behavioral11  Sample: getroot/ptrace_pokeuser     Resource: ubuntu1804-amd64-20231215-en
  behavioral12  Sample: getroot/rds-privesc         Resource: ubuntu1804-amd64-20231215-en
  behavioral13  Sample: getroot/udev-141            Resource: ubuntu1804-amd64-20231222-en
  behavioral14  Sample: getroot/vmsplice            Resource: ubuntu1804-amd64-20231215-en
  behavioral15  Sample: getroot/vmsplice2           Resource: ubuntu1804-amd64-20231215-en
  behavioral16  Sample: getroot/vmsplice3           Resource: ubuntu1804-amd64-20231222-en
General
  Target: getroot/go.sh
  Size: 209B
  MD5: b1714d537de6ee274a91cb36a7e05474
  SHA1: 6015ca3fcfbe74eecb9013bce63a63ae62ea5100
  SHA256: 70ed5f76524f6217435299f7e07e0305f6a5cdc8850a5bade4d42411fc6c7472
  SHA512: 07d92aa35f3b5553907639d3dc7d588ecdb9ff63a7d09da06d8fdc23a781190782f6fd1bdf191493c966a62603a5fd8a45b9ceb487c898348317873f61c99d58
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- Modifies registry class (9 IoCs)
  Processes: rundll32.exe
  description  /  ioc  /  process
  Key created      \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000_Classes\Local Settings  rundll32.exe
  Key created      \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000_CLASSES\sh_auto_file\shell\Read\command  rundll32.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000_CLASSES\sh_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""  rundll32.exe
  Key created      \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000_CLASSES\sh_auto_file  rundll32.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000_CLASSES\sh_auto_file\  rundll32.exe
  Key created      \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000_CLASSES\.sh  rundll32.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000_CLASSES\.sh\ = "sh_auto_file"  rundll32.exe
  Key created      \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000_CLASSES\sh_auto_file\shell\Read  rundll32.exe
  Key created      \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000_CLASSES\sh_auto_file\shell  rundll32.exe

- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: AcroRd32.exe
  pid  /  process
  2700  AcroRd32.exe

- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: AcroRd32.exe
  pid  /  process
  2700  AcroRd32.exe
  2700  AcroRd32.exe

- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes: cmd.exe, rundll32.exe
  description  /  pid  /  process  /  target process
  PID 2300 wrote to memory of 2108  2300  cmd.exe       rundll32.exe
  PID 2300 wrote to memory of 2108  2300  cmd.exe       rundll32.exe
  PID 2300 wrote to memory of 2108  2300  cmd.exe       rundll32.exe
  PID 2108 wrote to memory of 2700  2108  rundll32.exe  AcroRd32.exe
  PID 2108 wrote to memory of 2700  2108  rundll32.exe  AcroRd32.exe
  PID 2108 wrote to memory of 2700  2108  rundll32.exe  AcroRd32.exe
  PID 2108 wrote to memory of 2700  2108  rundll32.exe  AcroRd32.exe
Processes
- C:\Windows\system32\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\getroot\go.sh
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\getroot\go.sh
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
      "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\getroot\go.sh"
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
  Filesize: 3KB
  MD5: 524dea27282de062c749891a13c3f04e
  SHA1: 6aeae9c5ed3e6daab8c18bda8028dd57017b43c4
  SHA256: 8455096fd1367efef7b6bd66b83a5d3c5f31eb143e7e520377543b6a5b316076
  SHA512: 3913e9d30639d745d32e4f9b9e93f4f9c508f8a3836922063b62b0734a7602758564c7f75f49adcda60f134fa6850b684de8f9b42b62138c4095b6d0f0fe3cee