Malware Analysis Report

2024-10-24 21:45

Sample ID 240522-nsv7csdc2v
Target wireguard-install.sh
SHA256 ed76a56e70e67195e15d8d08554631d387518bf8594182b94c9200fc96c6f64b
Tags
antivm
score
6/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
6/10

SHA256

ed76a56e70e67195e15d8d08554631d387518bf8594182b94c9200fc96c6f64b

Threat Level: Shows suspicious behavior

The file wireguard-install.sh was found to be: Shows suspicious behavior.

Malicious Activity Summary

antivm

Checks hardware identifiers (DMI)

Reads runtime system information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-22 11:40

Signatures

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-22 11:40

Reported

2024-05-22 11:40

Platform

debian9-mipsbe-20240226-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-22 11:40

Reported

2024-05-22 11:40

Platform

debian9-mipsel-20240418-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-22 11:40

Reported

2024-05-22 11:42

Platform

ubuntu1804-amd64-20240508-en

Max time kernel

149s

Max time network

129s

Command Line

[/tmp/wireguard-install.sh]

Signatures

Checks hardware identifiers (DMI)

antivm
Description Indicator Process Target
File opened for reading /sys/class/dmi/id/product_name /usr/bin/systemd-detect-virt N/A
File opened for reading /sys/class/dmi/id/sys_vendor /usr/bin/systemd-detect-virt N/A
File opened for reading /sys/class/dmi/id/product_name /usr/bin/systemd-detect-virt N/A
File opened for reading /sys/class/dmi/id/sys_vendor /usr/bin/systemd-detect-virt N/A

Reads runtime system information

Description Indicator Process Target
File opened for reading /proc/1/sched /usr/bin/systemd-detect-virt N/A
File opened for reading /proc/filesystems /usr/bin/systemd-detect-virt N/A
File opened for reading /proc/sys/kernel/osrelease /usr/bin/systemd-detect-virt N/A
File opened for reading /proc/1/sched /usr/bin/systemd-detect-virt N/A
File opened for reading /proc/cmdline /usr/bin/systemd-detect-virt N/A
File opened for reading /proc/self/stat /usr/bin/systemd-detect-virt N/A
File opened for reading /proc/cmdline /usr/bin/systemd-detect-virt N/A
File opened for reading /proc/filesystems /usr/bin/systemd-detect-virt N/A
File opened for reading /proc/1/environ /usr/bin/systemd-detect-virt N/A
File opened for reading /proc/1/environ /usr/bin/systemd-detect-virt N/A
File opened for reading /proc/filesystems /bin/sed N/A
File opened for reading /proc/sys/kernel/osrelease /usr/bin/systemd-detect-virt N/A
File opened for reading /proc/self/stat /usr/bin/systemd-detect-virt N/A
File opened for reading /proc/filesystems /bin/sed N/A

Processes

/tmp/wireguard-install.sh

[/tmp/wireguard-install.sh]

/usr/bin/systemd-detect-virt

[systemd-detect-virt]

/usr/bin/systemd-detect-virt

[systemd-detect-virt]

/usr/bin/head

[head -1]

/bin/sed

[sed -ne s|^.* inet \([^/]*\)/.* scope global.*$|\1|p]

/sbin/ip

[ip -4 addr]

/usr/bin/head

[head -1]

/bin/sed

[sed -ne s|^.* inet6 \([^/]*\)/.* scope global.*$|\1|p]

/sbin/ip

[ip -6 addr]

/usr/bin/head

[head -1]

/bin/grep

[grep -Po (?<=dev )(\S+)]

/bin/grep

[grep default]

/sbin/ip

[ip -4 route ls]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 151.101.193.91:443 tcp
GB 185.125.188.62:443 tcp
GB 185.125.188.61:443 tcp
US 151.101.193.91:443 tcp
GB 195.181.164.14:443 tcp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-22 11:40

Reported

2024-05-22 11:42

Platform

debian9-armhf-20240226-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A