5fce9897236be18457fb98979087b0c1ef3f65064e6c647810838614bff85288

General

Target

getInfo.sh
Size

3KB
MD5

b3ca7bbcd6b3e3324dd6fc243c22ded6
SHA1

e43e9173c15dd66476c9d00ae8282879d8b5b9bd
SHA256

5fce9897236be18457fb98979087b0c1ef3f65064e6c647810838614bff85288
SHA512

859528b9387d2d792c9098f9373824a4b9875baba9cee06abc2b8607c177ad5665bd2a150c7f99f9a34b3690501505edaae24ac96eac14e2debd0e30d31e583d

Score

4^/10

antivm

Malware Config

Signatures

Checks CPU configuration 1 TTPs 2 IoCs
Checks CPU information which indicate if the system is a virtual machine.
antivm

Virtualization/Sandbox Evasion
T1497

Processes:

awkawk

description ioc process

File opened for reading /proc/cpuinfo awk
File opened for reading /proc/cpuinfo awk
Reads CPU attributes 1 TTPs 1 IoCs

System Information Discovery
T1082

Processes:

free

description ioc process

File opened for reading /sys/devices/system/cpu/online free

description	ioc	process
File opened for reading	/proc/cpuinfo	awk
File opened for reading	/proc/cpuinfo	awk

description	ioc	process
File opened for reading	/sys/devices/system/cpu/online	free

Enumerates kernel/hardware configuration 1 TTPs 64 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

T1082

Processes:

lsblklsblk

description	ioc	process
File opened for reading	/sys/devices/pci0000:00/0000:00:06.0/virtio1/block/vda/vda1/slaves	lsblk
File opened for reading	/sys/devices/pci0000:00/0000:00:06.0/virtio1/block/vda/vda1/ro	lsblk
File opened for reading	/sys/devices/virtual/block/loop1/queue/discard_granularity	lsblk
File opened for reading	/sys/devices/platform/floppy.0/block/fd0/ro	lsblk
File opened for reading	/sys/devices/pci0000:00/0000:00:06.0/virtio1/block/vda/vda1/ro	lsblk
File opened for reading	/sys/devices/virtual/block/loop0/queue/discard_granularity	lsblk
File opened for reading	/sys/dev/block/7:7	lsblk
File opened for reading	/sys/devices/pci0000:00/0000:00:06.0/virtio1/block/vda/size	lsblk
File opened for reading	/sys/devices/virtual/block/loop6/queue/discard_granularity	lsblk
File opened for reading	/sys/block/loop4/dev	lsblk
File opened for reading	/sys/block/loop3/dev	lsblk
File opened for reading	/sys/devices/pci0000:00/0000:00:04.0/ata4/host3/target3:0:0/3:0:0:0/block/sr0/holders	lsblk
File opened for reading	/sys/block/loop2/dev	lsblk
File opened for reading	/sys/dev/block/7:2	lsblk
File opened for reading	/sys/devices/platform/floppy.0/block/fd0/queue/discard_granularity	lsblk
File opened for reading	/sys/block	lsblk
File opened for reading	/sys/devices/virtual/block/loop4/size	lsblk
File opened for reading	/sys/dev/block/7:0	lsblk
File opened for reading	/sys/devices/virtual/block/loop6/size	lsblk
File opened for reading	/sys/devices/pci0000:00/0000:00:04.0/ata4/host3/target3:0:0/3:0:0:0/block/sr0/slaves	lsblk
File opened for reading	/sys/block/vda/vda1/dev	lsblk
File opened for reading	/sys/devices/virtual/block/loop5/queue/discard_granularity	lsblk
File opened for reading	/sys/dev/block/252:0	lsblk
File opened for reading	/sys/block/loop3/dev	lsblk
File opened for reading	/sys/devices/virtual/block/loop1/size	lsblk
File opened for reading	/sys/devices/virtual/block/loop2/queue/discard_granularity	lsblk
File opened for reading	/sys/dev/block/7:1	lsblk
File opened for reading	/sys/block/fd0/dev	lsblk
File opened for reading	/sys/block/loop6/dev	lsblk
File opened for reading	/sys/devices/pci0000:00/0000:00:04.0/ata4/host3/target3:0:0/3:0:0:0/block/sr0/removable	lsblk
File opened for reading	/sys/dev/block/7:2	lsblk
File opened for reading	/sys/dev/block/2:0	lsblk
File opened for reading	/sys/devices/pci0000:00/0000:00:06.0/virtio1/block/vda/vda1/size	lsblk
File opened for reading	/sys/block/sr0/dev	lsblk
File opened for reading	/sys/dev/block/7:6	lsblk
File opened for reading	/sys/devices/platform/floppy.0/block/fd0/size	lsblk
File opened for reading	/sys/block/loop2/dev	lsblk
File opened for reading	/sys/devices/platform/floppy.0/block/fd0/holders	lsblk
File opened for reading	/sys/devices/virtual/block/loop5/queue/discard_granularity	lsblk
File opened for reading	/sys/devices/pci0000:00/0000:00:06.0/virtio1/block/vda/size	lsblk
File opened for reading	/sys/devices/virtual/block/loop1/size	lsblk
File opened for reading	/sys/dev/block/7:6	lsblk
File opened for reading	/sys/block/loop7/dev	lsblk
File opened for reading	/sys/devices/pci0000:00/0000:00:06.0/virtio1/block/vda/holders	lsblk
File opened for reading	/sys/devices/pci0000:00/0000:00:06.0/virtio1/block/vda/queue/discard_granularity	lsblk
File opened for reading	/sys/devices/pci0000:00/0000:00:04.0/ata4/host3/target3:0:0/3:0:0:0/block/sr0/queue/discard_granularity	lsblk
File opened for reading	/sys/devices/pci0000:00/0000:00:04.0/ata4/host3/target3:0:0/3:0:0:0/block/sr0/ro	lsblk
File opened for reading	/sys/devices/pci0000:00/0000:00:06.0/virtio1/block/vda/device/type	lsblk
File opened for reading	/sys/devices/virtual/block/loop6/queue/discard_granularity	lsblk
File opened for reading	/sys/devices/pci0000:00/0000:00:06.0/virtio1/block/vda/slaves	lsblk
File opened for reading	/sys/devices/pci0000:00/0000:00:06.0/virtio1/block/vda/vda1/slaves	lsblk
File opened for reading	/sys/block/loop1/dev	lsblk
File opened for reading	/sys/block/loop6/dev	lsblk
File opened for reading	/sys/dev/block/7:1	lsblk
File opened for reading	/sys/devices/pci0000:00/0000:00:04.0/ata4/host3/target3:0:0/3:0:0:0/block/sr0/ro	lsblk
File opened for reading	/sys/devices/platform/floppy.0/block/fd0/device/type	lsblk
File opened for reading	/sys/devices/virtual/block/loop7/size	lsblk
File opened for reading	/sys/devices/pci0000:00/0000:00:06.0/virtio1/block/vda/vda1/queue/discard_granularity	lsblk
File opened for reading	/sys/dev/block/252:0	lsblk
File opened for reading	/sys/devices/platform/floppy.0/block/fd0/removable	lsblk
File opened for reading	/sys/devices/pci0000:00/0000:00:06.0/virtio1/block/vda/device/type	lsblk
File opened for reading	/sys/devices/virtual/block/loop3/size	lsblk
File opened for reading	/sys/dev/block/7:0	lsblk
File opened for reading	/sys/devices/virtual/block/loop5/size	lsblk

Reads runtime system information 20 IoCs

Reads data from /proc virtual filesystem.

Processes:

awkfreeawksedawklsblksedawksedlsblkawkawksedawksed

description	ioc	process
File opened for reading	/proc/self/maps	awk
File opened for reading	/proc/sys/kernel/osrelease	free
File opened for reading	/proc/self/maps	awk
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/self/maps	awk
File opened for reading	/proc/self/mountinfo	lsblk
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/self/maps	awk
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	lsblk
File opened for reading	/proc/self/maps	awk
File opened for reading	/proc/filesystems	lsblk
File opened for reading	/proc/self/maps	awk
File opened for reading	/proc/swaps	lsblk
File opened for reading	/proc/swaps	lsblk
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/self/maps	awk
File opened for reading	/proc/meminfo	free
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/self/mountinfo	lsblk

Writes file to tmp directory 1 IoCs
Malware often drops required files in the /tmp directory.

Processes:

bash

description ioc process

File opened for modification /tmp/hardware1512.dat bash

description	ioc	process
File opened for modification	/tmp/hardware1512.dat	bash

/tmp/getInfo.sh
/tmp/getInfo.sh
1⤵
PID:1512

/usr/local/sbin/bash
bash /tmp/getInfo.sh
1⤵
PID:1512

/usr/local/bin/bash
bash /tmp/getInfo.sh
1⤵
PID:1512

/usr/sbin/bash
bash /tmp/getInfo.sh
1⤵
PID:1512

/usr/bin/bash
bash /tmp/getInfo.sh
1⤵
PID:1512

/sbin/bash
bash /tmp/getInfo.sh
1⤵
PID:1512

/bin/bash
bash /tmp/getInfo.sh
1⤵
- Writes file to tmp directory
PID:1512

/usr/bin/clear
clear
2⤵
PID:1513

/bin/date
date "+%Y%m%d-%H%M"
2⤵
PID:1514

/bin/rm
rm -fr hardware1512.dat
2⤵
PID:1515

/bin/cat
cat /etc/machine-id
2⤵
PID:1516

/bin/sed
sed "s/^[ \\t]*//;s/[ \\t]*\$//"
2⤵
- Reads runtime system information
PID:1519

/usr/bin/awk
awk -F: "/model name/ {name=\$2} END {print name}" /proc/cpuinfo
2⤵
- Checks CPU configuration
- Reads runtime system information
PID:1518

/usr/bin/awk
awk -F: "/model name/ {core++} END {print core}" /proc/cpuinfo
2⤵
- Checks CPU configuration
- Reads runtime system information
PID:1520

/usr/bin/awk
awk "/Mem/ {print \$2}"
2⤵
- Reads runtime system information
PID:1523

/usr/bin/free
free -g
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:1522

/usr/bin/awk
awk "-F[= \"]" "/PRETTY_NAME/{print \$3,\$4,\$5}" /etc/os-release
2⤵
- Reads runtime system information
PID:1525

/bin/uname
uname -m
2⤵
PID:1526

/usr/bin/getconf
getconf LONG_BIT
2⤵
PID:1527

/bin/uname
uname -r
2⤵
PID:1528

/bin/sed
sed "s/\\s/-/g"
2⤵
- Reads runtime system information
PID:1530

/bin/sed
sed "s/\\s/-/g"
2⤵
- Reads runtime system information
PID:1532

/bin/sed
sed "s/\\s/-/g"
2⤵
- Reads runtime system information
PID:1534

/usr/bin/uniq
uniq
2⤵
PID:1537

/usr/bin/sort
sort
2⤵
PID:1536

/usr/bin/awk
awk "{print \$1}"
2⤵
- Reads runtime system information
PID:1541

/bin/grep
grep "^sd"
2⤵
PID:1540

/bin/lsblk
lsblk
2⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:1539

/usr/bin/uniq
uniq
2⤵
PID:1544

/usr/bin/sort
sort
2⤵
PID:1543

/usr/bin/awk
awk "{print \$1}"
2⤵
- Reads runtime system information
PID:1548

/bin/grep
grep "^nvme"
2⤵
PID:1547

/bin/lsblk
lsblk
2⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:1546

/bin/sed
sed "s/\\s/-/g"
2⤵
- Reads runtime system information
PID:1550

/usr/bin/md5sum
md5sum hardware1512.dat
2⤵
PID:1551

/usr/bin/awk
awk -F / "{print \$4}"
2⤵
- Reads runtime system information
PID:1554

/usr/bin/curl
curl -k -s --upload-file hardware1512.dat https://tophpc.top:8443
2⤵
PID:1553

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Virtualization/Sandbox Evasion

1

T1497

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/hardware1512.dat
Filesize
459B

MD5
4937370113e312b6a14ca5c1919bf809

SHA1
70c3f42fc556011ad1aae5d42f7b0e1c040e0c06

SHA256
c41ed7ccebc30cf3ebb8a0b17a6bb1d92b42b92a083a68d03b61add75f175df7

SHA512
5a216fd820ec808be2639a138e3469f749aee4c14826d85dfd0de44ff60b482e56b2731654743e8c4d4bd6677373eb0fa94267acf138ffc3fd42882e10789a90

Download Submit

Analysis

Sharing