Analysis
-
max time kernel
148s
-
max time network
132s
-
platform
ubuntu-18.04_amd64
-
resource
ubuntu1804-amd64-20240508-en
-
resource tags
arch:amd64 arch:i386 image:ubuntu1804-amd64-20240508-en kernel:4.15.0-213-generic locale:en-us os:ubuntu-18.04-amd64 system
-
submitted
23-05-2024 11:53
Static task
static1
Behavioral task
behavioral1
Sample
getAppUnlocker.sh
Resource
ubuntu1804-amd64-20240508-en
Behavioral task
behavioral2
Sample
getAppUnlocker.sh
Resource
debian9-armhf-20240226-en
Behavioral task
behavioral3
Sample
getAppUnlocker.sh
Resource
debian9-mipsbe-20240418-en
Behavioral task
behavioral4
Sample
getAppUnlocker.sh
Resource
debian9-mipsel-20240418-en
General
-
Target
getAppUnlocker.sh
-
Size
3KB
-
MD5
22215121ea5283aac208e1b136b877c5
-
SHA1
0d4eafbf50cf8c29bca8ead594a347a90b5e026d
-
SHA256
0e775fa14394678cb3989bd9aa916230f9289b7683aaac476751a59094462887
-
SHA512
1c4d114d0671d78dbbd38d483468a7c07826ddeb343f78777533e075cca84d8c480fdfe0553bd54516b38656a77479a7caf29981fe182c588374b5d07f41a2e3
Malware Config
Signatures
-
Checks CPU configuration 1 TTPs 2 IoCs
Checks CPU information that indicates whether the system is a virtual machine.
Processes:
awk, awk
description | ioc | process
File opened for reading | /proc/cpuinfo | awk
File opened for reading | /proc/cpuinfo | awk
-
Reads CPU attributes 1 TTPs 1 IoCs
Processes:
free
description | ioc | process
File opened for reading | /sys/devices/system/cpu/online | free
-
Enumerates kernel/hardware configuration 1 TTPs 64 IoCs
Reads contents of /sys virtual filesystem to enumerate system information.
Processes:
lsblk, lsblk
description | ioc | process
File opened for reading | /sys/devices/pci0000:00/0000:00:06.0/virtio1/block/vda/vda1/removable | lsblk
File opened for reading | /sys/block/loop6/dev | lsblk
File opened for reading | /sys/devices/platform/floppy.0/block/fd0/removable | lsblk
File opened for reading | /sys/block/vda/vda1/dev | lsblk
File opened for reading | /sys/devices/pci0000:00/0000:00:06.0/virtio1/block/vda/queue/discard_granularity | lsblk
File opened for reading | /sys/devices/pci0000:00/0000:00:04.0/ata4/host3/target3:0:0/3:0:0:0/block/sr0/ro | lsblk
File opened for reading | /sys/dev/block/7:6 | lsblk
File opened for reading | /sys/devices/virtual/block/loop5/size | lsblk
File opened for reading | /sys/devices/pci0000:00/0000:00:06.0/virtio1/block/vda/vda1/slaves | lsblk
File opened for reading | /sys/dev/block/7:3 | lsblk
File opened for reading | /sys/block/loop2/dev | lsblk
File opened for reading | /sys/devices/platform/floppy.0/block/fd0/device/type | lsblk
File opened for reading | /sys/devices/virtual/block/loop0/size | lsblk
File opened for reading | /sys/devices/virtual/block/loop2/queue/discard_granularity | lsblk
File opened for reading | /sys/block/loop5/dev | lsblk
File opened for reading | /sys/block/vda/dev | lsblk
File opened for reading | /sys/devices/virtual/block/loop1/size | lsblk
File opened for reading | /sys/block | lsblk
File opened for reading | /sys/devices/pci0000:00/0000:00:06.0/virtio1/block/vda/holders | lsblk
File opened for reading | /sys/devices/pci0000:00/0000:00:06.0/virtio1/block/vda/vda1/queue/discard_granularity | lsblk
File opened for reading | /sys/devices/virtual/block/loop5/size | lsblk
File opened for reading | /sys/devices/pci0000:00/0000:00:04.0/ata4/host3/target3:0:0/3:0:0:0/block/sr0/removable | lsblk
File opened for reading | /sys/block/vda/vda1/dev | lsblk
File opened for reading | /sys/devices/virtual/block/loop4/queue/discard_granularity | lsblk
File opened for reading | /sys/devices/pci0000:00/0000:00:04.0/ata4/host3/target3:0:0/3:0:0:0/block/sr0/slaves | lsblk
File opened for reading | /sys/devices/platform/floppy.0/block/fd0/ro | lsblk
File opened for reading | /sys/devices/virtual/block/loop4/queue/discard_granularity | lsblk
File opened for reading | /sys/dev/block/252:1 | lsblk
File opened for reading | /sys/devices/virtual/block/loop4/size | lsblk
File opened for reading | /sys/devices/virtual/block/loop7/size | lsblk
File opened for reading | /sys/dev/block/7:0 | lsblk
File opened for reading | /sys/devices/pci0000:00/0000:00:06.0/virtio1/block/vda/slaves | lsblk
File opened for reading | /sys/dev/block/7:1 | lsblk
File opened for reading | /sys/devices/pci0000:00/0000:00:06.0/virtio1/block/vda/size | lsblk
File opened for reading | /sys/devices/pci0000:00/0000:00:06.0/virtio1/block/vda/ro | lsblk
File opened for reading | /sys/block/loop3/dev | lsblk
File opened for reading | /sys/dev/block/7:5 | lsblk
File opened for reading | /sys/devices/virtual/block/loop1/queue/discard_granularity | lsblk
File opened for reading | /sys/devices/pci0000:00/0000:00:04.0/ata4/host3/target3:0:0/3:0:0:0/block/sr0/size | lsblk
File opened for reading | /sys/devices/platform/floppy.0/block/fd0/size | lsblk
File opened for reading | /sys/devices/platform/floppy.0/block/fd0/device/type | lsblk
File opened for reading | /sys/devices/pci0000:00/0000:00:06.0/virtio1/block/vda/vda1/device/type | lsblk
File opened for reading | /sys/block/loop3/dev | lsblk
File opened for reading | /sys/devices/virtual/block/loop6/size | lsblk
File opened for reading | /sys/devices/virtual/block/loop2/queue/discard_granularity | lsblk
File opened for reading | /sys/block/vda/dev | lsblk
File opened for reading | /sys/devices/pci0000:00/0000:00:06.0/virtio1/block/vda/vda1/holders | lsblk
File opened for reading | /sys/devices/pci0000:00/0000:00:06.0/virtio1/block/vda/device/type | lsblk
File opened for reading | /sys/block/sr0/dev | lsblk
File opened for reading | /sys/dev/block/11:0 | lsblk
File opened for reading | /sys/devices/pci0000:00/0000:00:04.0/ata4/host3/target3:0:0/3:0:0:0/block/sr0/device/type | lsblk
File opened for reading | /sys/devices/pci0000:00/0000:00:06.0/virtio1/block/vda/vda1/device/type | lsblk
File opened for reading | /sys/dev/block/252:0 | lsblk
File opened for reading | /sys/devices/pci0000:00/0000:00:04.0/ata4/host3/target3:0:0/3:0:0:0/block/sr0/holders | lsblk
File opened for reading | /sys/dev/block/7:4 | lsblk
File opened for reading | /sys/block/sr0/dev | lsblk
File opened for reading | /sys/devices/virtual/block/loop5/queue/discard_granularity | lsblk
File opened for reading | /sys/devices/platform/floppy.0/block/fd0/slaves | lsblk
File opened for reading | /sys/devices/virtual/block/loop7/queue/discard_granularity | lsblk
File opened for reading | /sys/block/loop5/dev | lsblk
File opened for reading | /sys/block/loop0/dev | lsblk
File opened for reading | /sys/devices/pci0000:00/0000:00:06.0/virtio1/block/vda/ro | lsblk
File opened for reading | /sys/devices/platform/floppy.0/block/fd0/queue/discard_granularity | lsblk
File opened for reading | /sys/devices/virtual/block/loop0/queue/discard_granularity | lsblk
-
Reads runtime system information 20 IoCs
Reads data from /proc virtual filesystem.
Processes:
awk, lsblk, lsblk, awk, awk, free, sed, awk, sed, awk, sed, sed, awk, awk, sed
description | ioc | process
File opened for reading | /proc/self/maps | awk
File opened for reading | /proc/filesystems | lsblk
File opened for reading | /proc/self/mountinfo | lsblk
File opened for reading | /proc/self/maps | awk
File opened for reading | /proc/self/maps | awk
File opened for reading | /proc/sys/kernel/osrelease | free
File opened for reading | /proc/meminfo | free
File opened for reading | /proc/swaps | lsblk
File opened for reading | /proc/filesystems | sed
File opened for reading | /proc/self/maps | awk
File opened for reading | /proc/filesystems | sed
File opened for reading | /proc/self/mountinfo | lsblk
File opened for reading | /proc/self/maps | awk
File opened for reading | /proc/filesystems | sed
File opened for reading | /proc/filesystems | sed
File opened for reading | /proc/filesystems | lsblk
File opened for reading | /proc/swaps | lsblk
File opened for reading | /proc/self/maps | awk
File opened for reading | /proc/self/maps | awk
File opened for reading | /proc/filesystems | sed
-
Writes file to tmp directory 1 IoCs
Malware often drops required files in the /tmp directory.
Processes:
bash
description | ioc | process
File opened for modification | /tmp/AppUnlocker-Info-1513.dat | bash
Processes
-
/tmp/getAppUnlocker.sh
  command line: /tmp/getAppUnlocker.sh
-
/usr/local/sbin/bash
  command line: bash /tmp/getAppUnlocker.sh
-
/usr/local/bin/bash
  command line: bash /tmp/getAppUnlocker.sh
-
/usr/sbin/bash
  command line: bash /tmp/getAppUnlocker.sh
-
/usr/bin/bash
  command line: bash /tmp/getAppUnlocker.sh
-
/sbin/bash
  command line: bash /tmp/getAppUnlocker.sh
-
/bin/bash
  command line: bash /tmp/getAppUnlocker.sh
  - Writes file to tmp directory
  -
  /usr/bin/clear
    command line: clear
  -
  /bin/date
    command line: date "+%Y%m%d-%H%M"
  -
  /bin/rm
    command line: rm -fr "AppUnlocker-Info*.dat"
  -
  /bin/cat
    command line: cat /etc/machine-id
  -
  /bin/sed
    command line: sed "s/^[ \\t]*//;s/[ \\t]*\$//"
    - Reads runtime system information
  -
  /usr/bin/awk
    command line: awk -F: "/model name/ {name=\$2} END {print name}" /proc/cpuinfo
    - Checks CPU configuration
    - Reads runtime system information
  -
  /usr/bin/awk
    command line: awk -F: "/model name/ {core++} END {print core}" /proc/cpuinfo
    - Checks CPU configuration
    - Reads runtime system information
  -
  /usr/bin/awk
    command line: awk "/Mem/ {print \$2}"
    - Reads runtime system information
  -
  /usr/bin/free
    command line: free -g
    - Reads CPU attributes
    - Reads runtime system information
  -
  /usr/bin/awk
    command line: awk "-F[= \"]" "/PRETTY_NAME/{print \$3,\$4,\$5}" /etc/os-release
    - Reads runtime system information
  -
  /bin/uname
    command line: uname -m
  -
  /usr/bin/getconf
    command line: getconf LONG_BIT
  -
  /bin/uname
    command line: uname -r
  -
  /bin/sed
    command line: sed "s/\\s/-/g"
    - Reads runtime system information
  -
  /bin/sed
    command line: sed "s/\\s/-/g"
    - Reads runtime system information
  -
  /bin/sed
    command line: sed "s/\\s/-/g"
    - Reads runtime system information
  -
  /usr/bin/uniq
    command line: uniq
  -
  /usr/bin/sort
    command line: sort
  -
  /bin/grep
    command line: grep "^sd"
  -
  /usr/bin/awk
    command line: awk "{print \$1}"
    - Reads runtime system information
  -
  /bin/lsblk
    command line: lsblk
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
  -
  /usr/bin/uniq
    command line: uniq
  -
  /usr/bin/sort
    command line: sort
  -
  /usr/bin/awk
    command line: awk "{print \$1}"
    - Reads runtime system information
  -
  /bin/grep
    command line: grep "^nvme"
  -
  /bin/lsblk
    command line: lsblk
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
  -
  /bin/sed
    command line: sed "s/\\s/-/g"
    - Reads runtime system information
  -
  /usr/bin/md5sum
    command line: md5sum AppUnlocker-Info-1513.dat
  -
  /usr/bin/awk
    command line: awk -F / "{print \$4}"
    - Reads runtime system information
  -
  /usr/bin/curl
    command line: curl -k -s --upload-file AppUnlocker-Info-1513.dat https://tophpc.top:8443
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
/tmp/AppUnlocker-Info-1513.dat
-
Filesize
459B
-
MD5
4937370113e312b6a14ca5c1919bf809
-
SHA1
70c3f42fc556011ad1aae5d42f7b0e1c040e0c06
-
SHA256
c41ed7ccebc30cf3ebb8a0b17a6bb1d92b42b92a083a68d03b61add75f175df7
-
SHA512
5a216fd820ec808be2639a138e3469f749aee4c14826d85dfd0de44ff60b482e56b2731654743e8c4d4bd6677373eb0fa94267acf138ffc3fd42882e10789a90