Overview

6  Static
1  .runner/boner  ubuntu-20.04-amd64
1  .runner/cosynus  ubuntu-20.04-amd64
1  .runner/main  ubuntu-20.04-amd64
1  .runner/pscan2  ubuntu-18.04-amd64
1  .runner/run  ubuntu-18.04-amd64
6  .runner/run  debian-9-armhf
6  .runner/run  debian-9-mips
6  .runner/run  debian-9-mipsel
6  .runner/send_vuln.py  windows7-x64
3  .runner/send_vuln.py  windows10-2004-x64
3  Analysis
- max time kernel: 150s
- platform: debian-9_mips
- resource: debian9-mipsbe-20240226-en
- resource tags: arch:mips, image:debian9-mipsbe-20240226-en, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mips, system
- submitted: 03-04-2024 01:36
- Static task: static1
- Behavioral task behavioral1: sample .runner/boner, resource ubuntu2004-amd64-20240221-en
- Behavioral task behavioral2: sample .runner/cosynus, resource ubuntu2004-amd64-20240221-en
- Behavioral task behavioral3: sample .runner/main, resource ubuntu2004-amd64-20240221-en
- Behavioral task behavioral4: sample .runner/pscan2, resource ubuntu1804-amd64-20240226-en
- Behavioral task behavioral5: sample .runner/run, resource ubuntu1804-amd64-20240226-en
- Behavioral task behavioral6: sample .runner/run, resource debian9-armhf-20240226-en
- Behavioral task behavioral7: sample .runner/run, resource debian9-mipsbe-20240226-en
- Behavioral task behavioral8: sample .runner/run, resource debian9-mipsel-20240226-en
- Behavioral task behavioral9: sample .runner/send_vuln.py, resource win7-20240221-en
- Behavioral task behavioral10: sample .runner/send_vuln.py, resource win10v2004-20240226-en
General
- Target: .runner/run
- Size: 204B
- MD5: 05a280cfc91192143b3bc3ea958e5eee
- SHA1: 516f1ba2d9bc0090717cfe280ebbb7ea7c6ff21e
- SHA256: 3c0aee19ccba5a0080b20b198c2c00cc5432cad8bb9875462170bd58419259cf
- SHA512: bf8d36c071fdc401d89d0a5a3eae5f5e713df3256295d95eb4a9a5b6b304b175f6eb712ca2c372bff1cf4fcf75c5c2d51e5c81a3c22ade07e7efcd3b0d62a987
Malware Config
Signatures
- Enumerates running processes
  Discovers information about currently running processes on the system.
- Reads CPU attributes (1 TTPs, 4 IoCs)
  description | ioc | Process
  File opened for reading | /sys/devices/system/cpu/online | ps
  File opened for reading | /sys/devices/system/cpu/online | ps
  File opened for reading | /sys/devices/system/cpu/online | ps
  File opened for reading | /sys/devices/system/cpu/online | ps
- Reads runtime system information (64 IoCs)
  Reads data from /proc virtual filesystem.
  description: File opened for reading; Process: ps (all 64 entries)
  ioc: /proc/13/status, /proc/21/status, /proc/594/stat, /proc/4/stat, /proc/373/stat, /proc/1/status, /proc/114/stat, /proc/11/stat, /proc/79/stat, /proc/166/stat, /proc/70/status, /proc/10/status, /proc/2/status, /proc/7/stat, /proc/16/stat, /proc/404/status, /proc/7/status, /proc/330/status, /proc/10/status, /proc/114/status, /proc/679/stat, /proc/382/status, /proc/404/stat, /proc/558/stat, /proc/340/stat, /proc/17/stat, /proc/114/status, /proc/8/stat, /proc/73/stat, /proc/12/stat, /proc/74/status, /proc/16/stat, /proc/728/stat, /proc/69/stat, /proc/700/stat, /proc/543/status, /proc/105/status, /proc/166/status, /proc/558/stat, /proc/330/stat, /proc/166/stat, /proc/339/stat, /proc/713/stat, /proc/17/stat, /proc/17/status, /proc/19/status, /proc/81/stat, /proc/148/stat, /proc/21/status, /proc/734/stat, /proc/7/stat, /proc/77/status, /proc/20/stat, /proc/242/status, /proc/334/status, /proc/698/status, /proc/708/stat, /proc/373/status, /proc/self/stat, /proc/17/status, /proc/700/status, /proc/382/stat, /proc/19/status, /proc/728/status
- Writes file to tmp directory (1 IoCs)
  Malware often drops required files in the /tmp directory.
  description | ioc | Process
  File opened for modification | /tmp/.runner/nohup.out | nohup
Processes
- /tmp/.runner/run (command line: /tmp/.runner/run), PID 706
  - /tmp/.runner/a (command line: ./a), PID 737
  - /usr/bin/nohup (command line: nohup python3 send_vuln.py), PID 736
    Signatures: Writes file to tmp directory
- /bin/grep (command line: grep pscan2), PID 713
- /bin/ps (command line: ps), PID 712
  Signatures: Reads CPU attributes; Reads runtime system information
- /bin/ps (command line: ps), PID 721
  Signatures: Reads CPU attributes; Reads runtime system information
- /bin/grep (command line: grep main), PID 722
- /bin/ps (command line: ps), PID 728
  Signatures: Reads CPU attributes; Reads runtime system information
- /bin/grep (command line: grep cosynus), PID 729
- /bin/ps (command line: ps), PID 733
  Signatures: Reads CPU attributes; Reads runtime system information
- /bin/grep (command line: grep boner), PID 734
- /usr/local/sbin/python3 (command line: python3 send_vuln.py), PID 736
- /usr/local/bin/python3 (command line: python3 send_vuln.py), PID 736
- /usr/sbin/python3 (command line: python3 send_vuln.py), PID 736
- /usr/bin/python3 (command line: python3 send_vuln.py), PID 736