73b06276c6ffc3658374d06065619590a1b9fd7a0c77fa1ce03e7fcb97b3ee8a

Analysis

max time kernel
149s
max time network
68s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240508-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240508-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
17-05-2024 19:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FrenniFazclaireAlpha-0.3.1-pc/lib/py3-linux-x86_64/FrenniFazclaireAlpha
Size

5KB
MD5

541e5398c07e73dd738a6924bc65df45
SHA1

4b23c3839dfaa419cab9268653c831e21a00c9eb
SHA256

590d234571b9ae42ede2a43df44b6ef530d2840c61546fc948f4f746176680c1
SHA512

fe18d47a9f22b99435c69ac0242899fb73fc90dad7ca03ac38fbcd6f4b2f81f7d4d047c767f907438c7fed3a0cc248a35a6d28e5a05d979ee2188f01043730ca
SSDEEP

96:Ru2T8eVnMBWBPUcpMR9mA0V1S0SKg4EkfclcKEY5A:RBob8pUcpG0VLSn4e

Score

4^/10

antivm

Malware Config

Signatures

Changes its process name 2 IoCs

Processes:

description	ioc	pid
Changes the process name, possibly in an attempt to hide itself	SDLHotplugALSA	1498
Changes the process name, possibly in an attempt to hide itself	SDLTimer	1500

Checks CPU configuration 1 TTPs 1 IoCs
Checks CPU information which indicate if the system is a virtual machine.
antivm

Virtualization/Sandbox Evasion
T1497

Processes:

FrenniFazclaireAlpha

description ioc process

File opened for reading /proc/cpuinfo FrenniFazclaireAlpha
Reads CPU attributes 1 TTPs 1 IoCs

System Information Discovery
T1082

Processes:

FrenniFazclaireAlpha

description ioc process

File opened for reading /sys/devices/system/cpu/online FrenniFazclaireAlpha

description	ioc	process
File opened for reading	/proc/cpuinfo	FrenniFazclaireAlpha

description	ioc	process
File opened for reading	/sys/devices/system/cpu/online	FrenniFazclaireAlpha

Enumerates kernel/hardware configuration 1 TTPs 29 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

T1082

Processes:

FrenniFazclaireAlpha

description	ioc	process
File opened for reading	/sys/devices/pci0000:00/0000:00:02.0/vendor	FrenniFazclaireAlpha
File opened for reading	/sys/devices/pci0000:00/0000:00:02.0/subsystem_device	FrenniFazclaireAlpha
File opened for reading	/sys/class	FrenniFazclaireAlpha
File opened for reading	/sys/devices/virtual/input/mice/uevent	FrenniFazclaireAlpha
File opened for reading	/sys/devices/platform/i8042/serio1/input/input3/event3/uevent	FrenniFazclaireAlpha
File opened for reading	/sys/devices/pci0000:00/0000:00:05.0/usb1/1-1/1-1:1.0/0003:0627:0001.0001/input/input4/js0/uevent	FrenniFazclaireAlpha
File opened for reading	/sys/devices/pci0000:00/0000:00:05.0/usb1/1-1/product	FrenniFazclaireAlpha
File opened for reading	/sys/devices/platform/i8042/serio1/input/input3/uevent	FrenniFazclaireAlpha
File opened for reading	/sys/devices/pci0000:00/0000:00:05.0/usb1/1-1/1-1:1.0/0003:0627:0001.0001/input/input4/mouse0/uevent	FrenniFazclaireAlpha
File opened for reading	/sys/devices/pci0000:00/0000:00:05.0/usb1/1-1/1-1:1.0/0003:0627:0001.0001/input/input4/uevent	FrenniFazclaireAlpha
File opened for reading	/sys/devices/pci0000:00/0000:00:02.0/uevent	FrenniFazclaireAlpha
File opened for reading	/sys/devices/platform/i8042/serio0/input/input1/event1/uevent	FrenniFazclaireAlpha
File opened for reading	/sys/devices/platform/i8042/serio1/input/input3/mouse1/uevent	FrenniFazclaireAlpha
File opened for reading	/sys/devices/pci0000:00/0000:00:02.0/subsystem_vendor	FrenniFazclaireAlpha
File opened for reading	/sys/class/input	FrenniFazclaireAlpha
File opened for reading	/sys/devices/LNXSYSTM:00/LNXPWRBN:00/input/input0/event0/uevent	FrenniFazclaireAlpha
File opened for reading	/sys/class/hidraw	FrenniFazclaireAlpha
File opened for reading	/sys/devices/platform/i8042/serio0/input/input1/uevent	FrenniFazclaireAlpha
File opened for reading	/sys/devices/pci0000:00/0000:00:05.0/usb1/1-1/1-1:1.0/0003:0627:0001.0001/input/input4/event2/uevent	FrenniFazclaireAlpha
File opened for reading	/sys/devices/pci0000:00/0000:00:05.0/usb1/1-1/1-1:1.0/0003:0627:0001.0001/hidraw/hidraw0/uevent	FrenniFazclaireAlpha
File opened for reading	/sys/devices/pci0000:00/0000:00:05.0/usb1/1-1/1-1:1.0/0003:0627:0001.0001/uevent	FrenniFazclaireAlpha
File opened for reading	/sys/devices/pci0000:00/0000:00:05.0/usb1/1-1/manufacturer	FrenniFazclaireAlpha
File opened for reading	/sys/devices/pci0000:00/0000:00:05.0/usb1/1-1/bcdDevice	FrenniFazclaireAlpha
File opened for reading	/sys/devices/pci0000:00/0000:00:02.0/device	FrenniFazclaireAlpha
File opened for reading	/sys/bus	FrenniFazclaireAlpha
File opened for reading	/sys/devices/pci0000:00/0000:00:05.0/usb1/1-1/1-1:1.0/uevent	FrenniFazclaireAlpha
File opened for reading	/sys/devices/pci0000:00/0000:00:05.0/usb1/1-1/uevent	FrenniFazclaireAlpha
File opened for reading	/sys/devices/LNXSYSTM:00/LNXPWRBN:00/input/input0/uevent	FrenniFazclaireAlpha
File opened for reading	/sys/devices/pci0000:00/0000:00:05.0/usb1/1-1/1-1:1.0/bInterfaceNumber	FrenniFazclaireAlpha

Reads runtime system information 2 IoCs

Reads data from /proc virtual filesystem.

Processes:

FrenniFazclaireAlpha

description	ioc	process
File opened for reading	/proc/self/fd	FrenniFazclaireAlpha
File opened for reading	/proc/sys/vm/overcommit_memory	FrenniFazclaireAlpha

Writes file to tmp directory 64 IoCs

Malware often drops required files in the /tmp directory.

Processes:

FrenniFazclaireAlpha

description	ioc	process
File opened for modification	/tmp/FrenniFazclaireAlpha-0.3.1-pc/renpy/display/__pycache__/presplash.cpython-39.pyc.140079455427296	FrenniFazclaireAlpha
File opened for modification	/tmp/FrenniFazclaireAlpha-0.3.1-pc/renpy/__pycache__/minstore.cpython-39.pyc.140079436363952	FrenniFazclaireAlpha
File opened for modification	/tmp/FrenniFazclaireAlpha-0.3.1-pc/renpy/text/__pycache__/font.cpython-39.pyc.140079448663728	FrenniFazclaireAlpha
File opened for modification	/tmp/FrenniFazclaireAlpha-0.3.1-pc/renpy/display/__pycache__/image.cpython-39.pyc.140079447208128	FrenniFazclaireAlpha
File opened for modification	/tmp/FrenniFazclaireAlpha-0.3.1-pc/renpy/display/__pycache__/controller.cpython-39.pyc.140079447767056	FrenniFazclaireAlpha
File opened for modification	/tmp/FrenniFazclaireAlpha-0.3.1-pc/renpy/__pycache__/pyanalysis.cpython-39.pyc.140079451948848	FrenniFazclaireAlpha
File opened for modification	/tmp/FrenniFazclaireAlpha-0.3.1-pc/renpy/text/__pycache__/text.cpython-39.pyc.140079448619568	FrenniFazclaireAlpha
File opened for modification	/tmp/FrenniFazclaireAlpha-0.3.1-pc/renpy/display/__pycache__/transform.cpython-39.pyc.140079447445840	FrenniFazclaireAlpha
File opened for modification	/tmp/FrenniFazclaireAlpha-0.3.1-pc/renpy/sl2/__pycache__/sldisplayables.cpython-39.pyc.140079437317008	FrenniFazclaireAlpha
File opened for modification	/tmp/FrenniFazclaireAlpha-0.3.1-pc/renpy/gl2/__pycache__/live2d.cpython-39.pyc.140079436692400	FrenniFazclaireAlpha
File opened for modification	/tmp/FrenniFazclaireAlpha-0.3.1-pc/renpy/test/__pycache__/__init__.cpython-39.pyc.140079435550768	FrenniFazclaireAlpha
File opened for modification	/tmp/FrenniFazclaireAlpha-0.3.1-pc/renpy/__pycache__/__init__.cpython-39.pyc.140079455787568	FrenniFazclaireAlpha
File opened for modification	/tmp/FrenniFazclaireAlpha-0.3.1-pc/renpy/__pycache__/atl.cpython-39.pyc.140079450987184	FrenniFazclaireAlpha
File opened for modification	/tmp/FrenniFazclaireAlpha-0.3.1-pc/renpy/__pycache__/parser.cpython-39.pyc.140079450888496	FrenniFazclaireAlpha
File opened for modification	/tmp/FrenniFazclaireAlpha-0.3.1-pc/renpy/translation/__pycache__/extract.cpython-39.pyc.140079449651936	FrenniFazclaireAlpha
File opened for modification	/tmp/FrenniFazclaireAlpha-0.3.1-pc/renpy/text/__pycache__/__init__.cpython-39.pyc.140079448686784	FrenniFazclaireAlpha
File opened for modification	/tmp/FrenniFazclaireAlpha-0.3.1-pc/renpy/display/__pycache__/model.cpython-39.pyc.140079446746432	FrenniFazclaireAlpha
File opened for modification	/tmp/FrenniFazclaireAlpha-0.3.1-pc/renpy/__pycache__/memory.cpython-39.pyc.140079437486256	FrenniFazclaireAlpha
File opened for modification	/tmp/FrenniFazclaireAlpha-0.3.1-pc/renpy/display/__pycache__/motion.cpython-39.pyc.140079447344304	FrenniFazclaireAlpha
File opened for modification	/tmp/FrenniFazclaireAlpha-0.3.1-pc/renpy/audio/__pycache__/music.cpython-39.pyc.140079446737072	FrenniFazclaireAlpha
File opened for modification	/tmp/vm9jx_su	FrenniFazclaireAlpha
File opened for modification	/tmp/FrenniFazclaireAlpha-0.3.1-pc/renpy/audio/__pycache__/__init__.cpython-39.pyc.140079446962656	FrenniFazclaireAlpha
File opened for modification	/tmp/FrenniFazclaireAlpha-0.3.1-pc/renpy/__pycache__/character.cpython-39.pyc.140079436691376	FrenniFazclaireAlpha
File opened for modification	/tmp/FrenniFazclaireAlpha-0.3.1-pc/renpy/__pycache__/revertable.cpython-39.pyc.140079451945520	FrenniFazclaireAlpha
File opened for modification	/tmp/FrenniFazclaireAlpha-0.3.1-pc/renpy/__pycache__/execution.cpython-39.pyc.140079451490864	FrenniFazclaireAlpha
File opened for modification	/tmp/FrenniFazclaireAlpha-0.3.1-pc/renpy/__pycache__/savelocation.cpython-39.pyc.140079450287248	FrenniFazclaireAlpha
File opened for modification	/tmp/FrenniFazclaireAlpha-0.3.1-pc/renpy/display/__pycache__/im.cpython-39.pyc.140079448351024	FrenniFazclaireAlpha
File opened for modification	/tmp/FrenniFazclaireAlpha-0.3.1-pc/renpy/display/__pycache__/dragdrop.cpython-39.pyc.140079446901072	FrenniFazclaireAlpha
File opened for modification	/tmp/FrenniFazclaireAlpha-0.3.1-pc/game/saves/text.txt	FrenniFazclaireAlpha
File opened for modification	/tmp/FrenniFazclaireAlpha-0.3.1-pc/game/cache/screens.rpyb	FrenniFazclaireAlpha
File opened for modification	/tmp/FrenniFazclaireAlpha-0.3.1-pc/renpy/translation/__pycache__/__init__.cpython-39.pyc.140079449782576	FrenniFazclaireAlpha
File opened for modification	/tmp/FrenniFazclaireAlpha-0.3.1-pc/renpy/display/__pycache__/core.cpython-39.pyc.140079449083024	FrenniFazclaireAlpha
File opened for modification	/tmp/FrenniFazclaireAlpha-0.3.1-pc/renpy/__pycache__/lint.cpython-39.pyc.140079447983920	FrenniFazclaireAlpha
File opened for modification	/tmp/FrenniFazclaireAlpha-0.3.1-pc/renpy/__pycache__/lexer.cpython-39.pyc.140079451241264	FrenniFazclaireAlpha
File opened for modification	/tmp/FrenniFazclaireAlpha-0.3.1-pc/renpy/styledata/__pycache__/__init__.cpython-39.pyc.140079449521728	FrenniFazclaireAlpha
File opened for modification	/tmp/FrenniFazclaireAlpha-0.3.1-pc/renpy/display/__pycache__/module.cpython-39.pyc.140079448939520	FrenniFazclaireAlpha
File opened for modification	/tmp/FrenniFazclaireAlpha-0.3.1-pc/renpy/display/__pycache__/scenelists.cpython-39.pyc.140079449252032	FrenniFazclaireAlpha
File opened for modification	/tmp/FrenniFazclaireAlpha-0.3.1-pc/renpy/test/__pycache__/testexecution.cpython-39.pyc.140079435703184	FrenniFazclaireAlpha
File opened for modification	/tmp/FrenniFazclaireAlpha-0.3.1-pc/renpy/compat/__pycache__/__init__.cpython-39.pyc.140079455587328	FrenniFazclaireAlpha
File opened for modification	/tmp/FrenniFazclaireAlpha-0.3.1-pc/renpy/__pycache__/python.cpython-39.pyc.140079451945520	FrenniFazclaireAlpha
File opened for modification	/tmp/FrenniFazclaireAlpha-0.3.1-pc/renpy/__pycache__/statements.cpython-39.pyc.140079450082096	FrenniFazclaireAlpha
File opened for modification	/tmp/FrenniFazclaireAlpha-0.3.1-pc/renpy/sl2/__pycache__/slproperties.cpython-39.pyc.140079437316720	FrenniFazclaireAlpha
File opened for modification	/tmp/FrenniFazclaireAlpha-0.3.1-pc/renpy/test/__pycache__/testkey.cpython-39.pyc.140079435552784	FrenniFazclaireAlpha
File opened for modification	/tmp/FrenniFazclaireAlpha-0.3.1-pc/renpy/test/__pycache__/testast.cpython-39.pyc.140079435553360	FrenniFazclaireAlpha
File opened for modification	/tmp/FrenniFazclaireAlpha-0.3.1-pc/renpy/__pycache__/script.cpython-39.pyc.140079450096048	FrenniFazclaireAlpha
File opened for modification	/tmp/FrenniFazclaireAlpha-0.3.1-pc/renpy/audio/__pycache__/sound.cpython-39.pyc.140079446737072	FrenniFazclaireAlpha
File opened for modification	/tmp/FrenniFazclaireAlpha-0.3.1-pc/renpy/__pycache__/defaultstore.cpython-39.pyc.140079436232720	FrenniFazclaireAlpha
File opened for modification	/tmp/FrenniFazclaireAlpha-0.3.1-pc/renpy/display/__pycache__/displayable.cpython-39.pyc.140079448990896	FrenniFazclaireAlpha
File opened for modification	/tmp/FrenniFazclaireAlpha-0.3.1-pc/renpy/__pycache__/ui.cpython-39.pyc.140079446737072	FrenniFazclaireAlpha
File opened for modification	/tmp/FrenniFazclaireAlpha-0.3.1-pc/renpy/gl/__pycache__/glfunctions.cpython-39.pyc.140079327505264	FrenniFazclaireAlpha
File opened for modification	/tmp/FrenniFazclaireAlpha-0.3.1-pc/renpy/__pycache__/substitutions.cpython-39.pyc.140079449781280	FrenniFazclaireAlpha
File opened for modification	/tmp/FrenniFazclaireAlpha-0.3.1-pc/renpy/translation/__pycache__/scanstrings.cpython-39.pyc.140079449666880	FrenniFazclaireAlpha
File opened for modification	/tmp/FrenniFazclaireAlpha-0.3.1-pc/renpy/display/__pycache__/transition.cpython-39.pyc.140079448556144	FrenniFazclaireAlpha
File opened for modification	/tmp/FrenniFazclaireAlpha-0.3.1-pc/renpy/sl2/__pycache__/slparser.cpython-39.pyc.140079437464896	FrenniFazclaireAlpha
File opened for modification	/tmp/FrenniFazclaireAlpha-0.3.1-pc/renpy/gl2/__pycache__/gl2shadercache.cpython-39.pyc.140079436449088	FrenniFazclaireAlpha
File opened for modification	/tmp/FrenniFazclaireAlpha-0.3.1-pc/renpy/display/__pycache__/screen.cpython-39.pyc.140079447777472	FrenniFazclaireAlpha
File opened for modification	/tmp/FrenniFazclaireAlpha-0.3.1-pc/renpy/test/__pycache__/testparser.cpython-39.pyc.140079435488976	FrenniFazclaireAlpha
File opened for modification	/tmp/FrenniFazclaireAlpha-0.3.1-pc/renpy/display/__pycache__/particle.cpython-39.pyc.140079447737664	FrenniFazclaireAlpha
File opened for modification	/tmp/FrenniFazclaireAlpha-0.3.1-pc/renpy/__pycache__/config.cpython-39.pyc.140079453328944	FrenniFazclaireAlpha
File opened for modification	/tmp/FrenniFazclaireAlpha-0.3.1-pc/renpy/__pycache__/parameter.cpython-39.pyc.140079451948848	FrenniFazclaireAlpha
File opened for modification	/tmp/FrenniFazclaireAlpha-0.3.1-pc/renpy/__pycache__/util.cpython-39.pyc.140079450082096	FrenniFazclaireAlpha
File opened for modification	/tmp/FrenniFazclaireAlpha-0.3.1-pc/renpy/translation/__pycache__/dialogue.cpython-39.pyc.140079449650496	FrenniFazclaireAlpha
File opened for modification	/tmp/FrenniFazclaireAlpha-0.3.1-pc/renpy/gl/__pycache__/__init__.cpython-39.pyc.140079448620208	FrenniFazclaireAlpha
File opened for modification	/tmp/FrenniFazclaireAlpha-0.3.1-pc/renpy/__pycache__/loader.cpython-39.pyc.140079452732336	FrenniFazclaireAlpha

/tmp/FrenniFazclaireAlpha-0.3.1-pc/lib/py3-linux-x86_64/FrenniFazclaireAlpha
/tmp/FrenniFazclaireAlpha-0.3.1-pc/lib/py3-linux-x86_64/FrenniFazclaireAlpha
1⤵
- Checks CPU configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
- Writes file to tmp directory
PID:1485
- /usr/local/sbin/uname
  uname -p
  2⤵
  PID:1491
- /usr/local/bin/uname
  uname -p
  2⤵
  PID:1491
- /usr/sbin/uname
  uname -p
  2⤵
  PID:1491
- /usr/bin/uname
  uname -p
  2⤵
  PID:1491
- /sbin/uname
  uname -p
  2⤵
  PID:1491
- /bin/uname
  uname -p
  2⤵
  PID:1491
- /usr/bin/dbus-launch
  dbus-launch --autolaunch 11c67417355f45d397f6be11f62e85a6 --binary-syntax --close-stderr
  2⤵
  PID:1494

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/root/.renpy/FrenniFazclaire-1683369202/text.txt

Filesize
5B

MD5
f4020e91252aafd4b18d8acd17f883db

SHA1
748d77dbb8bdb0dd330c099e7fde82da053fb1ff

SHA256
314ad142957febe390cc7223b4deb1d1b21c187f84f6e7257a23fe46c27fcae3

SHA512
301ddd0e34cbd842dae99a2cc4ccbfeb6ee8b3def39c214a719fa9edc26d7142749bbe6e992d26353dc167febbab0dbc05476b68a86ad93cab5f299f0aaf916d

Download Submit
/root/.renpy/tokens/security_keys.txt

Filesize
302B

MD5
a2bb9f111f66e41670450d766643b8d2

SHA1
108c2ec50de6f1334b6023e5d145771a813ee4aa

SHA256
82cb1252fa1466b51bc090c687e05689cb1dfb15408157acc8c255f1cc0ccbc0

SHA512
a864b46f0ce8b9eb314f956765fc343f640ce017d07cb1f70909aceb851e5d917f76817630dca1ff392a656b738c533c8ce3d9ad673fa38d57b6233603c3f62c

Download Submit
/root/.renpy/tokens/upgraded.txt

Filesize
27B

MD5
bfde9e02eec23c1dc00bd76e4e8a8355

SHA1
933760b994ed5d327e89633bd55a7989c7d63636

SHA256
bf5945fe4e5b1a2786b7791eacc28f583121bf76fffd1bc9ce22e3241bc6e356

SHA512
2ce7ea1bf09c82155f6cff6f617d0514970cb9c59c6966a46eed766797d8e8d5e086e3319c498e9c19cfb6470b2bcb659436e90dbdd4dbdd66d199ae1a50ff77

Download Submit
/tmp/FrenniFazclaireAlpha-0.3.1-pc/log.txt

Filesize
2KB

MD5
dab8291eb56153cf2f58121b6c977155

SHA1
7452b337f81ef4eb1b01c301754bce23f7c7792a

SHA256
6f7244af11f266715b9153325cf8532110ba644b1ea9171f0dc43057b87f102f

SHA512
e128f8858d23cf8246e53cfe66566bd1ab57c7ff6bbff630cbe44c4607c02ee7e9ee1dc8292c21ba6b643de8f1f945a67c96e49d9cfd7fb841f9d9cbbc3b89fb

Download Submit
/tmp/vm9jx_su

Filesize
4B

MD5
3f1d1d8d87177d3d8d897d7e421f84d6

SHA1
dd082d742a5cb751290f1db2bd519c286aa86d95

SHA256
f02285fb90ed8c81531fe78cf4e2abb68a62be73ee7d317623e2c3e3aefdfff2

SHA512
2ae2b3936f31756332ca7a4b877d18f3fcc50e41e9472b5cd45a70bea82e29a0fa956ee6a9ee0e02f23d9db56b41d19cb51d88aac06e9c923a820a21023752a9

Download Submit