General

Target: script_malware.zip
Size: 4.4MB
Sample: 240225-rtjrhaee9z
MD5: cabc07f288cc71b7447d6098ce3bb245
SHA1: 2ff090c33470e3c8c2c10888ba0de5539c5126d1
SHA256: 78276bd481a04c29109fbbd8313701e5b814165fa4b48515ec4489ccfda93107
SHA512: 7aef8936dd1f734d20a9ab251ab46c22bcaa4c2a012387b7e9fce48e9d870926981c22cf3fac87c2b3bd0ae6f6efe084aaefd15fe229cd1bf085a55e0322dd80
SSDEEP: 98304:OUCcwlITgiAybrbTWITgJbyvVqUCcwlITgiAybrbTWITgJbyvVvM:pCcCEgiAsTHsyPCcCEgiAsTHsyhM
Tasks

- static1 (static task)
- behavioral1: script_malware/063ccf736c2c19ca5db70b8d8a7cf00377899c16023c63fee836bdefadd336c1.sh, resource ubuntu2004-amd64-20240221-en
- behavioral2: script_malware/1.sh, resource ubuntu2004-amd64-20240221-en
- behavioral3: script_malware/10c3b6b03a9bf105d264a8e7f30dcab0a6c59a414529b0af0a6bd9f1d2984459.sh, resource ubuntu2004-amd64-20240221-en
- behavioral4: script_malware/164f8295_linux.elf, resource ubuntu2004-amd64-20240221-en
- behavioral5: script_malware/21162bbd796ad2bf9954265276bfebea8741596e8fe9d86070245d9b5f9db6da.elf, resource ubuntu2004-amd64-20240221-en
- behavioral6: script_malware/23.sh, resource ubuntu2004-amd64-20240221-en
- behavioral7: script_malware/404, resource ubuntu2004-amd64-20240221-en
- behavioral8: script_malware/864d7bcd96f8cf35b9e372b6508bc6ef1a704eaaa03c34bd79577b057aebec5b.py, resource ubuntu2004-amd64-20240221-en
- behavioral9: script_malware/8e27b76b3903312cc5e93f250d7cf90b7b999592d70dcf2922bb450023014006.sh, resource ubuntu2004-amd64-20240221-en
- behavioral10: script_malware/SnOoPy.sh, resource ubuntu2004-amd64-20240221-en
- behavioral11: script_malware/a423a2a11c1904e42dc8630064e252ac4568220417a9ae072a557131e9386617.sh, resource ubuntu2004-amd64-20240221-en
- behavioral12: script_malware/a58fa03638110727f4a4a227f6ec2c0dceaeb39ccee89d12a4d727bb50d29dc0.sh, resource ubuntu2004-amd64-20240221-en
- behavioral13: script_malware/aa5a487db37ce176e17c7abbb2b1d460ba926344e46737f2f64b65bf5a4a3e58.sh, resource ubuntu2004-amd64-20240221-en
- behavioral14: script_malware/ae4b7284a9538c66432f02097c3de14e2253d16b6602c4694753468bc14d7d28.sh, resource ubuntu2004-amd64-20240221-en
- behavioral15: script_malware/redtail.sh, resource ubuntu2004-amd64-20240221-en
- behavioral16: script_malware/rs.sh, resource ubuntu2004-amd64-20240221-en
- behavioral17: script_malware/setup.sh, resource ubuntu2004-amd64-20240221-en
- behavioral18: script_malware/shell.elf, resource ubuntu2004-amd64-20240221-en
- behavioral19: script_malware/ta.sh, resource ubuntu2004-amd64-20240221-en
Malware Config

Extracted family: xorddos
C2 / download locations:
- www.imagetw0.com:889
- www.myserv012.com:889
- http://qq.com/lib.asp
- http://aa.hostasa.org/config.rar
- www.enoan2107.com:443
- www.gzcfr5axf6.com:443
crc_polynomial: CDB88320
Targets

Target: script_malware/063ccf736c2c19ca5db70b8d8a7cf00377899c16023c63fee836bdefadd336c1.sh
Size: 11KB
MD5: 07b7746b922cf7d7fa821123a226ed36
SHA1: bf2df8f2813ef4e2cf61ea193e091b808aa854c7
SHA256: 063ccf736c2c19ca5db70b8d8a7cf00377899c16023c63fee836bdefadd336c1
SHA512: ad29993a88c996f96fdc5c01fda89400b1e27228c58445d181dc6af974a171ee36e014d90aa8e09de6d83e4bfd12d167eb361bd52b6d194af6f249a6812019cb
SSDEEP: 192:Xws08k5tkd5DFPSV3n7/e867jNKvSbRXA8kWmk4lkCIkvUgoaES8DSWOlA+1esP:XQwL4/e867USbRXA8kWT4yCtvUgDjdWi
Score: 9/10
Signatures:
- Modifies the dynamic linker configuration file: Malware can modify the configuration file of the dynamic linker to preload malicious libraries into every executed process.
- Flushes firewall rules: Flushes or disables firewall rules inside the Linux kernel.
- Reads EFI boot settings: Reads EFI boot settings from the efivars filesystem, which may contain security secrets or sensitive data.
- Attempts to change immutable files: Modifies inode attributes on the filesystem to allow changing of immutable files.
- Creates/modifies Cron job: Cron allows running tasks on a schedule and is commonly used for malware persistence.
- Enumerates running processes: Discovers information about currently running processes on the system.
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Reads CPU attributes
Target: script_malware/1.sh
Size: 35KB
MD5: 2550990d2d52581b213e7c9305c392d3
SHA1: f7f069915c9b97550dc1fb6cf631f6222416dcf5
SHA256: 8e27b76b3903312cc5e93f250d7cf90b7b999592d70dcf2922bb450023014006
SHA512: a30d4a39203e6a98937e8670b7b3caaa63d2141fdf404bb28ca240d95cb7420bdfb8c695db81cc9c799e8818266600c137b8b0df2dfc69d7566bae64eee2ad50
SSDEEP: 768:X87XzQ5VFNcDAFLcIwgnoYq0xFB6ytguz:X3VF+D6cIwgos/z
Signatures:
- XMRig Miner payload
- Deletes system logs: Deletes the log file that contains global system messages. Adversaries may delete system logs to minimize their footprint.
- Executes dropped EXE
- Flushes firewall rules: Flushes or disables firewall rules inside the Linux kernel.
- Reads EFI boot settings: Reads EFI boot settings from the efivars filesystem, which may contain security secrets or sensitive data.
- Attempts to change immutable files: Modifies inode attributes on the filesystem to allow changing of immutable files.
- Checks CPU configuration: Checks CPU information that indicates whether the system is a virtual machine.
- Checks hardware identifiers (DMI): Checks DMI information that indicates whether the system is a virtual machine.
- Creates/modifies Cron job: Cron allows running tasks on a schedule and is commonly used for malware persistence.
- Enumerates running processes: Discovers information about currently running processes on the system.
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Reads CPU attributes
- Reads hardware information: Accesses system information such as serial numbers and manufacturer names.
- Reads list of loaded kernel modules: Reads the list of currently loaded kernel modules, possibly to detect virtual environments.
Target: script_malware/10c3b6b03a9bf105d264a8e7f30dcab0a6c59a414529b0af0a6bd9f1d2984459.sh
Size: 3KB
MD5: d0d36f169f1458806053aae482af5010
SHA1: e603944aceb5c0885a8627de12f36b159bbf2f05
SHA256: 10c3b6b03a9bf105d264a8e7f30dcab0a6c59a414529b0af0a6bd9f1d2984459
SHA512: 982abe39731d8cc852c25650740ff73975c10d19027eccf610401260e2f508334f1de656f8dd332fa698dccc9f7d3bda610c8b9e84d276036a6e9408d826229a
Score: 7/10
Signatures:
- Deletes log files: Deletes log files on the system.
- Enumerates running processes: Discovers information about currently running processes on the system.
- Reads CPU attributes
- Reads hardware information: Accesses system information such as serial numbers and manufacturer names.
- Reads network interface configuration: Fetches information about one or more active network interfaces.
Target: script_malware/164f8295_linux.elf
Size: 5.1MB
MD5: c850f6816459e3364b2a54239642101b
SHA1: 30c60f18279ed5fd36e3ac2d3ba5ddbdc5d1f624
SHA256: 21162bbd796ad2bf9954265276bfebea8741596e8fe9d86070245d9b5f9db6da
SHA512: be7eaec0e4847a422ab7b52af7f0493e2390973077500f4faab38cb0dafd9d651346aee13bb9e5a4fb936e3cc3f83c7db598121df37be9ff6cda2dadf59ccb2f
SSDEEP: 98304:nxygRxtJ8tcZe32l/+jMSXYTU4BcoPfa8/X:Stc0kbSXWJ
Score: 1/10
Target: script_malware/21162bbd796ad2bf9954265276bfebea8741596e8fe9d86070245d9b5f9db6da.elf
Size: 5.1MB
MD5: c850f6816459e3364b2a54239642101b
SHA1: 30c60f18279ed5fd36e3ac2d3ba5ddbdc5d1f624
SHA256: 21162bbd796ad2bf9954265276bfebea8741596e8fe9d86070245d9b5f9db6da
SHA512: be7eaec0e4847a422ab7b52af7f0493e2390973077500f4faab38cb0dafd9d651346aee13bb9e5a4fb936e3cc3f83c7db598121df37be9ff6cda2dadf59ccb2f
SSDEEP: 98304:nxygRxtJ8tcZe32l/+jMSXYTU4BcoPfa8/X:Stc0kbSXWJ
Score: 1/10
Target: script_malware/23.sh
Size: 287B
MD5: aa0772cff70daa00d44a201b28ef6b08
SHA1: d129e51acd50ed4ff87672dca4975ed313ae9ad9
SHA256: a55e9eb1cb4dc2cb8d1a697d329b3a76e18b949308e16ef50aafca1e08123939
SHA512: 9d2654a7c7634909117d65b0d60bee51e2b9f2de320c2dfc7a30b36f182e2a44b21be91c3dd73fabd4d0cbff7fbc6c18a712cfd41fdcf51cf06ef4a39fe846b1
Signatures:
- XorDDoS: Botnet and downloader malware targeting Linux-based operating systems and IoT devices.
- XorDDoS payload
- Deletes itself
- Executes dropped EXE
- Reads EFI boot settings: Reads EFI boot settings from the efivars filesystem, which may contain security secrets or sensitive data.
- Checks CPU configuration: Checks CPU information that indicates whether the system is a virtual machine.
- Creates/modifies Cron job: Cron allows running tasks on a schedule and is commonly used for malware persistence.
- Writes file to user bin folder
Target: script_malware/404
Size: 26KB
MD5: e53cf00cf16d5e645103a266959ce5b7
SHA1: d145edc39d2b5ab2392a989734ef28af77f74f7e
SHA256: 0fb9eb96a08f9ad3400f89749d32f3e44362346ec7fca9bd5e9ba85022e5ebc1
SHA512: 30b31e6b89f8f1eb92de62a2ba90ab299e060e11a91ef069927f045506dc73d0a276adf3966b4525164488bc8779b4a1a48f005513d9ba9f92916d04ec26f50a
SSDEEP: 192:phe97oGORlRQ4CR1ydi5DAomxCdsjnbP19+9Uc3gHNgWW1kSNPWW0wnENfICSo4M:iWBLZCRwdkzzsjT1TtE1dIfICSoTx9k2
Score: 1/10
Target: script_malware/864d7bcd96f8cf35b9e372b6508bc6ef1a704eaaa03c34bd79577b057aebec5b.py
Size: 38KB
MD5: 02e98c71545c8345d28920fbc4f99c28
SHA1: a09e2b273c4cb323d4ea424ae456d9dbc9fc43f0
SHA256: 864d7bcd96f8cf35b9e372b6508bc6ef1a704eaaa03c34bd79577b057aebec5b
SHA512: 62ca71f1028be36e9afa5d26c8f11471d6679658b8b3db7b2db696f093a2a9d5e616a7b3c336a18c143c5c73908259eb4ca2f4af66d3ee56a5dc4ee358d2f530
SSDEEP: 768:Jkcso0KfNBqjxvcG4DRINIUBqKENI1gJkOpvUBL6GYJ5jHQES8Z80foQy2aCrhX:ueNB40xbUBqKEix2vLzwES8Z80foQ9X
Score: 1/10
Target: script_malware/8e27b76b3903312cc5e93f250d7cf90b7b999592d70dcf2922bb450023014006.sh
Size: 35KB
MD5: 2550990d2d52581b213e7c9305c392d3
SHA1: f7f069915c9b97550dc1fb6cf631f6222416dcf5
SHA256: 8e27b76b3903312cc5e93f250d7cf90b7b999592d70dcf2922bb450023014006
SHA512: a30d4a39203e6a98937e8670b7b3caaa63d2141fdf404bb28ca240d95cb7420bdfb8c695db81cc9c799e8818266600c137b8b0df2dfc69d7566bae64eee2ad50
SSDEEP: 768:X87XzQ5VFNcDAFLcIwgnoYq0xFB6ytguz:X3VF+D6cIwgos/z
Signatures:
- Kinsing payload
- XMRig Miner payload
- Changes its process name
- Deletes system logs: Deletes the log file that contains global system messages. Adversaries may delete system logs to minimize their footprint.
- Executes dropped EXE
- Flushes firewall rules: Flushes or disables firewall rules inside the Linux kernel.
- Reads EFI boot settings: Reads EFI boot settings from the efivars filesystem, which may contain security secrets or sensitive data.
- Attempts to change immutable files: Modifies inode attributes on the filesystem to allow changing of immutable files.
- Checks CPU configuration: Checks CPU information that indicates whether the system is a virtual machine.
- Checks hardware identifiers (DMI): Checks DMI information that indicates whether the system is a virtual machine.
- Creates/modifies Cron job: Cron allows running tasks on a schedule and is commonly used for malware persistence.
- Disables AppArmor: Disables the AppArmor security module.
- Disables SELinux: Disables the SELinux security module.
- Enumerates running processes: Discovers information about currently running processes on the system.
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Reads CPU attributes
- Reads hardware information: Accesses system information such as serial numbers and manufacturer names.
- Reads list of loaded kernel modules: Reads the list of currently loaded kernel modules, possibly to detect virtual environments.
Target: script_malware/SnOoPy.sh
Size: 2KB
MD5: f0664749e65d26335de79a90c7074d00
SHA1: 0deb03914ba232314b5214803dd97b94c1c9d9e5
SHA256: 57ad07730428c1412ba43f4470c2074f4f0ef4e6eb5fcd24c9e19e49028e455a
SHA512: b605e84c23dad423a5e585c49957b0ade5f8764681f010fc1d192c81f677e4a849872db8afedd262e740f648aca18649a89420a54a02f1f1bd594c2125c2b6ff
Score: 1/10
Target: script_malware/a423a2a11c1904e42dc8630064e252ac4568220417a9ae072a557131e9386617.sh
Size: 677B
MD5: 0d60923ea49eff0f3624cd2fa2eb4b47
SHA1: 96c5fb1d27bc80c19e3d5804fa32ec4879280f4d
SHA256: a423a2a11c1904e42dc8630064e252ac4568220417a9ae072a557131e9386617
SHA512: 3426d42801fedec6c2a2da166098079006fc2b527d9c93c053aa29d635231e246203039de27d7cb7cd0450518ecb40ab9c6b6506295cd096075fab9021055eb3
Score: 1/10
Target: script_malware/a58fa03638110727f4a4a227f6ec2c0dceaeb39ccee89d12a4d727bb50d29dc0.sh
Size: 11KB
MD5: 22a189e0266e0ad722b7e58923eafab5
SHA1: 04d01163b1a8ce62aabbc8636aeeb201a3ff28cc
SHA256: a58fa03638110727f4a4a227f6ec2c0dceaeb39ccee89d12a4d727bb50d29dc0
SHA512: 12c98beec2d8d7449b79bd42c61f8a8c1c2bffb786ba0c0badeca69df46b10b535491ea6d9f938d7f47476a79a9021d0852ffefd31fcbfa8346e3c794ff55518
SSDEEP: 192:Xws08k5tkQPSV3n7/e867jNKvSbRXA8kWmk4lkCIkvUgoaES8DSWOlA+1esH:XQl4/e867USbRXA8kWT4yCtvUgDjdWO7
Score: 9/10
Signatures:
- Modifies the dynamic linker configuration file: Malware can modify the configuration file of the dynamic linker to preload malicious libraries into every executed process.
- Executes dropped EXE
- Flushes firewall rules: Flushes or disables firewall rules inside the Linux kernel.
- Reads EFI boot settings: Reads EFI boot settings from the efivars filesystem, which may contain security secrets or sensitive data.
- Attempts to change immutable files: Modifies inode attributes on the filesystem to allow changing of immutable files.
- Creates/modifies Cron job: Cron allows running tasks on a schedule and is commonly used for malware persistence.
- Enumerates running processes: Discovers information about currently running processes on the system.
- Legitimate hosting services abused for malware hosting/C2
- Reads CPU attributes
Target: script_malware/aa5a487db37ce176e17c7abbb2b1d460ba926344e46737f2f64b65bf5a4a3e58.sh
Size: 4KB
MD5: 34de9725e232ba82275bb0dcf9282e16
SHA1: b17403e7dcb992ba8d2b56dd843406264d3910e5
SHA256: aa5a487db37ce176e17c7abbb2b1d460ba926344e46737f2f64b65bf5a4a3e58
SHA512: 1e63fe08153e6b3c1b3593fcc070d297a1d0e67ffc3b7f3fc58b71b4b39487f1fe738b863ea5e23c21159b248bc2149a69009ee5372ff17d386effc4f2111fd7
Score: 7/10
Signatures:
- Deletes log files: Deletes log files on the system.
- Enumerates running processes: Discovers information about currently running processes on the system.
- Reads CPU attributes
- Reads hardware information: Accesses system information such as serial numbers and manufacturer names.
- Reads network interface configuration: Fetches information about one or more active network interfaces.
Target: script_malware/ae4b7284a9538c66432f02097c3de14e2253d16b6602c4694753468bc14d7d28.sh
Size: 3KB
MD5: cf5762eea336cf74a0323d715f72b8b9
SHA1: b40e39adadc5ae4d98fd3900837414797562b1bc
SHA256: ae4b7284a9538c66432f02097c3de14e2253d16b6602c4694753468bc14d7d28
SHA512: 35822aafe30d8a14a1ac48d25f6a5eff90c55e18c44df6432bcec962370b6ff1fe06559510090691abb5e4b50594b7067b48f3e582944b07af1c3669fe739c77
Score: 7/10
Signatures:
- Deletes log files: Deletes log files on the system.
- Enumerates running processes: Discovers information about currently running processes on the system.
- Reads CPU attributes
- Reads hardware information: Accesses system information such as serial numbers and manufacturer names.
- Reads network interface configuration: Fetches information about one or more active network interfaces.
Target: script_malware/redtail.sh
Size: 551B
MD5: 9ec39c70dc24d8b1052ea5bf288cbb08
SHA1: 4ba674f003cb45986a88df222db6ad42e5102313
SHA256: ef0195a0befc456ced03bdba95223c27dd106fcc2c5bc5617c31512f4b65eaff
SHA512: b736e7740b3e3b533c97c275b47c1022efd1a281ee17ece61e515b2d3a4ed13ab3480e4378484b0abbbb2aa542d99436ea25aef6f2917af185e7989b9f7ff93b
Score: N/A
Target: script_malware/rs.sh
Size: 4KB
MD5: 1b3a715d9ee7524d75010c628255b7e5
SHA1: e8fcd0dda56bf98f345974089a96f6391964a972
SHA256: edc64c943e577f7a80cd893d045d0b8984ebd3ef5df59d6ef4c497adb877fa9b
SHA512: 351213285db6d1d0f12bd82755f521bc57882b69e1af81baa51dc366c94aaac3a180c2a230d582e052a53560f82e0ea0489efb1fd8bbb8476312fa418a425e1c
SSDEEP: 96:mhiSGbe3mp35gBzIX0bd0NNFGcrcBc3gjXuc2k:mhiSmeWpJgi0bONNFGzJus
Score: 6/10
Signatures:
- Disables SELinux: Disables the SELinux security module.
- Enumerates running processes: Discovers information about currently running processes on the system.
- Reads CPU attributes
Target: script_malware/setup.sh
Size: 1KB
MD5: 37d7c910159cf1d62dbcf5b7bff399ea
SHA1: 90a783bc89f7fbfb52da193849d5d849b9a3a1e6
SHA256: 29acfdc8b457d7b56d5eb443fe6d22f8169db3786605e37be0bdac9bfb1503fb
SHA512: dc78fbcfd58d8383842de7eb18b3f9f72b7255db8f670e93230916e98b8f6dbf77f8ba28cd93f9d3f740243adec500e9f245e4ebbb440aa882eff7907e9fe0c0
Score: 7/10
Signatures:
- Executes dropped EXE
Target: script_malware/shell.elf
Size: 207B
MD5: 8427bcae96bac624c94ebf3e2f605984
SHA1: 45ac1af64f2118702f92b27cb62a2ada4277a16e
SHA256: 8841199eadcc4529587ddce865c3ee84de7495ed59b90ec64acfdbb4568562b9
SHA512: 6fddb09394661f542eab2566aedabdcf1432d414303fef7af24799f47a6bca8b6a930fa68a4c2d374483f083ab351c484581df66f91a187c34b01951a065307a
Score: 1/10
Target: script_malware/ta.sh
Size: 9KB
MD5: 83821e27601305f76432759042d2c2a2
SHA1: ad255cce6b52d77b8791d2539667ebcefb5113d1
SHA256: 03f1490eb936b54330934b4e677a12b11c3acf2b0e4ca97c6c21ee3dc5a381fb
SHA512: 0570993f37ce4a0405f837e7e732f428e783e732c97a8c565bc73475542375bc30c6e2b7791d77566de104b426994571c5e1ae9818655e656aa4ebc62cc61864
SSDEEP: 192:R9FFa1GIJz8c104etI1Dd7mf85tunuFc8kIvTKxP4CUqQv2a44rKmmcDK9K7omhA:RjEAem4TNruwrCUqQua44rnm+2v47vGT
Score: 10/10
Signatures:
- Executes dropped EXE
- Reads EFI boot settings: Reads EFI boot settings from the efivars filesystem, which may contain security secrets or sensitive data.
- Checks CPU configuration: Checks CPU information that indicates whether the system is a virtual machine.
- Checks hardware identifiers (DMI): Checks DMI information that indicates whether the system is a virtual machine.
- Enumerates running processes: Discovers information about currently running processes on the system.
- Reads CPU attributes
- Reads hardware information: Accesses system information such as serial numbers and manufacturer names.
MITRE ATT&CK Enterprise v15

Persistence: Boot or Logon Autostart Execution (2), Hijack Execution Flow (2), Scheduled Task/Job (1)
Privilege Escalation: Boot or Logon Autostart Execution (2), Hijack Execution Flow (2), Scheduled Task/Job (1)
Defense Evasion: Hijack Execution Flow (2), Indicator Removal (3), Virtualization/Sandbox Evasion (3)