Overview

Static

Sample                 Platform
.runner/boner          ubuntu-20.04-amd64
.runner/cosynus        ubuntu-20.04-amd64
.runner/main           ubuntu-20.04-amd64
.runner/pscan2         ubuntu-18.04-amd64
.runner/run            ubuntu-18.04-amd64
.runner/run            debian-9-armhf
.runner/run            debian-9-mips
.runner/run            debian-9-mipsel
.runner/send_vuln.py   windows7-x64
.runner/send_vuln.py   windows10-2004-x64
Analysis

- max time kernel: 150s
- platform: debian-9_mipsel
- resource: debian9-mipsel-20240226-en
- resource tags: arch:mipsel image:debian9-mipsel-20240226-en kernel:4.9.0-13-4kc-malta locale:en-us os:debian-9-mipsel system
- submitted: 03-04-2024 01:36
Static task: static1

Behavioral tasks

Task           Sample                 Resource
behavioral1    .runner/boner          ubuntu2004-amd64-20240221-en
behavioral2    .runner/cosynus        ubuntu2004-amd64-20240221-en
behavioral3    .runner/main           ubuntu2004-amd64-20240221-en
behavioral4    .runner/pscan2         ubuntu1804-amd64-20240226-en
behavioral5    .runner/run            ubuntu1804-amd64-20240226-en
behavioral6    .runner/run            debian9-armhf-20240226-en
behavioral7    .runner/run            debian9-mipsbe-20240226-en
behavioral8    .runner/run            debian9-mipsel-20240226-en
behavioral9    .runner/send_vuln.py   win7-20240221-en
behavioral10   .runner/send_vuln.py   win10v2004-20240226-en
General

- Target: .runner/run
- Size: 204B
- MD5: 05a280cfc91192143b3bc3ea958e5eee
- SHA1: 516f1ba2d9bc0090717cfe280ebbb7ea7c6ff21e
- SHA256: 3c0aee19ccba5a0080b20b198c2c00cc5432cad8bb9875462170bd58419259cf
- SHA512: bf8d36c071fdc401d89d0a5a3eae5f5e713df3256295d95eb4a9a5b6b304b175f6eb712ca2c372bff1cf4fcf75c5c2d51e5c81a3c22ade07e7efcd3b0d62a987
Malware Config
Signatures

- Enumerates running processes
  Discovers information about currently running processes on the system.

- Reads CPU attributes (1 TTP, 4 IoCs)
  description               ioc                              process
  File opened for reading   /sys/devices/system/cpu/online   ps
  File opened for reading   /sys/devices/system/cpu/online   ps
  File opened for reading   /sys/devices/system/cpu/online   ps
  File opened for reading   /sys/devices/system/cpu/online   ps
- Reads runtime system information (64 IoCs)
  Reads data from the /proc virtual filesystem.
- Writes file to tmp directory (1 IoC)
  Malware often drops required files in the /tmp directory.
  description                    ioc                      process
  File opened for modification   /tmp/.runner/nohup.out   nohup
Processes

- /tmp/.runner/run (command: /tmp/.runner/run), PID: 693
  - /tmp/.runner/a (command: ./a), PID: 724
  - /usr/bin/nohup (command: nohup python3 send_vuln.py), PID: 723
    - Writes file to tmp directory
- /bin/grep (command: grep pscan2), PID: 699
- /bin/ps (command: ps), PID: 698
  - Reads CPU attributes
  - Reads runtime system information
- /bin/ps (command: ps), PID: 708
  - Reads CPU attributes
  - Reads runtime system information
- /bin/grep (command: grep main), PID: 709
- /bin/ps (command: ps), PID: 715
  - Reads CPU attributes
  - Reads runtime system information
- /bin/grep (command: grep cosynus), PID: 716
- /bin/ps (command: ps), PID: 721
  - Reads CPU attributes
  - Reads runtime system information
- /bin/grep (command: grep boner), PID: 722
- /usr/local/sbin/python3 (command: python3 send_vuln.py), PID: 723
- /usr/local/bin/python3 (command: python3 send_vuln.py), PID: 723
- /usr/sbin/python3 (command: python3 send_vuln.py), PID: 723
- /usr/bin/python3 (command: python3 send_vuln.py), PID: 723