Overview
Static (6)
Score  Sample               Platform
1      .runner/boner        ubuntu-20.04-amd64
1      .runner/cosynus      ubuntu-20.04-amd64
1      .runner/main         ubuntu-20.04-amd64
1      .runner/pscan2       ubuntu-18.04-amd64
1      .runner/run          ubuntu-18.04-amd64
6      .runner/run          debian-9-armhf
6      .runner/run          debian-9-mips
6      .runner/run          debian-9-mipsel
6      .runner/send_vuln.py windows7-x64
3      .runner/send_vuln.py windows10-2004-x64
Analysis (3)
max time kernel: 149s
max time network: 129s
platform: ubuntu-18.04_amd64
resource: ubuntu1804-amd64-20240226-en
resource tags: arch:amd64, arch:i386, image:ubuntu1804-amd64-20240226-en, kernel:4.15.0-213-generic, locale:en-us, os:ubuntu-18.04-amd64, system
submitted: 03-04-2024 01:36
Static task: static1

Behavioral tasks
Task          Sample               Resource
behavioral1   .runner/boner        ubuntu2004-amd64-20240221-en
behavioral2   .runner/cosynus      ubuntu2004-amd64-20240221-en
behavioral3   .runner/main         ubuntu2004-amd64-20240221-en
behavioral4   .runner/pscan2       ubuntu1804-amd64-20240226-en
behavioral5   .runner/run          ubuntu1804-amd64-20240226-en
behavioral6   .runner/run          debian9-armhf-20240226-en
behavioral7   .runner/run          debian9-mipsbe-20240226-en
behavioral8   .runner/run          debian9-mipsel-20240226-en
behavioral9   .runner/send_vuln.py win7-20240221-en
behavioral10  .runner/send_vuln.py win10v2004-20240226-en
General
Target: .runner/run
Size: 204B
MD5: 05a280cfc91192143b3bc3ea958e5eee
SHA1: 516f1ba2d9bc0090717cfe280ebbb7ea7c6ff21e
SHA256: 3c0aee19ccba5a0080b20b198c2c00cc5432cad8bb9875462170bd58419259cf
SHA512: bf8d36c071fdc401d89d0a5a3eae5f5e713df3256295d95eb4a9a5b6b304b175f6eb712ca2c372bff1cf4fcf75c5c2d51e5c81a3c22ade07e7efcd3b0d62a987
Malware Config
Signatures
- Enumerates running processes
  Discovers information about currently running processes on the system
- Reads CPU attributes (1 TTPs, 4 IoCs)
  Description              IoC                             Process
  File opened for reading  /sys/devices/system/cpu/online  ps
  File opened for reading  /sys/devices/system/cpu/online  ps
  File opened for reading  /sys/devices/system/cpu/online  ps
  File opened for reading  /sys/devices/system/cpu/online  ps
- Reads runtime system information (64 IoCs)
  Reads data from the /proc virtual filesystem.
- Writes file to tmp directory (1 IoCs)
  Malware often drops required files in the /tmp directory.
  Description                   IoC                      Process
  File opened for modification  /tmp/.runner/nohup.out   nohup
Processes
- /tmp/.runner/run (command line: /tmp/.runner/run) PID:1561
  - /tmp/.runner/a (command line: ./a) PID:1575
- /bin/grep (command line: grep pscan2) PID:1564
- /bin/ps (command line: ps) PID:1563
  Signatures: Reads CPU attributes; Reads runtime system information
- /bin/grep (command line: grep main) PID:1567
- /bin/ps (command line: ps) PID:1566
  Signatures: Reads CPU attributes; Reads runtime system information
- /bin/grep (command line: grep cosynus) PID:1570
- /bin/ps (command line: ps) PID:1569
  Signatures: Reads CPU attributes; Reads runtime system information
- /bin/grep (command line: grep boner) PID:1573
- /bin/ps (command line: ps) PID:1572
  Signatures: Reads CPU attributes; Reads runtime system information
- /usr/bin/nohup (command line: nohup python3 send_vuln.py) PID:1574
  Signatures: Writes file to tmp directory
- /usr/local/sbin/python3 (command line: python3 send_vuln.py) PID:1574
- /usr/local/bin/python3 (command line: python3 send_vuln.py) PID:1574
- /usr/sbin/python3 (command line: python3 send_vuln.py) PID:1574
- /usr/bin/python3 (command line: python3 send_vuln.py) PID:1574