7aa119d7971e575bb3674e91f421ea2fb33f91fc26f4e945f1c1a92fa994e7c3

Analysis

max time kernel
0s
max time network
132s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240508-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240508-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
25-05-2024 11:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

net.sh
Size

3KB
MD5

ee7cbe65a1c87663a1f3171c129c3f7b
SHA1

28a488f6de0ebd2284134119d7921c39fb7297af
SHA256

7aa119d7971e575bb3674e91f421ea2fb33f91fc26f4e945f1c1a92fa994e7c3
SHA512

b28a5c45ae2de0775c4b19063812575fe1cb0abe14069870cb4455c388b222e1412f5988fa1e3687059441f0ebc5297b20c0f8c82587069da6796957496d6e9b

Score

7^/10

antivm rootkit

Malware Config

Signatures

Loads a kernel module 1 IoCs
Loads a Linux kernel module, potentially to achieve persistence
rootkit

Processes:

modprobe

ioc pid process

/lib/modules/4.15.0-213-generic/kernel/net/ipv4/tcp_bbr.ko 1511 modprobe

ioc	pid	process
/lib/modules/4.15.0-213-generic/kernel/net/ipv4/tcp_bbr.ko	1511	modprobe

Checks hardware identifiers (DMI) 1 TTPs 2 IoCs

Checks DMI information which indicate if the system is a virtual machine.

antivm

Virtualization/Sandbox Evasion

T1497

Processes:

systemd-detect-virt

description	ioc	process
File opened for reading	/sys/class/dmi/id/product_name	systemd-detect-virt
File opened for reading	/sys/class/dmi/id/sys_vendor	systemd-detect-virt

Enumerates kernel/hardware configuration 1 TTPs 1 IoCs
Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery
T1082

Processes:

modprobe

description ioc process

File opened for reading /sys/module/tcp_bbr/initstate modprobe

description	ioc	process
File opened for reading	/sys/module/tcp_bbr/initstate	modprobe

Reads runtime system information 15 IoCs

Reads data from /proc virtual filesystem.

Processes:

systemd-detect-virtmodprobesystemctlcpcp

description	ioc	process
File opened for reading	/proc/self/stat	systemd-detect-virt
File opened for reading	/proc/cmdline	modprobe
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/cmdline	systemd-detect-virt
File opened for reading	/proc/1/sched	systemctl
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	systemd-detect-virt
File opened for reading	/proc/sys/kernel/osrelease	systemd-detect-virt
File opened for reading	/proc/1/environ	systemd-detect-virt
File opened for reading	/proc/1/sched	systemd-detect-virt
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/sys/kernel/osrelease	systemctl
File opened for reading	/proc/1/environ	systemctl

/tmp/net.sh
/tmp/net.sh
1⤵
PID:1507

/bin/cp
cp /etc/sysctl.conf /etc/sysctl.conf.bak
2⤵
- Reads runtime system information
PID:1508

/bin/cp
cp /etc/security/limits.conf /etc/security/limits.conf.bak
2⤵
- Reads runtime system information
PID:1509

/usr/bin/systemd-detect-virt
systemd-detect-virt
2⤵
- Checks hardware identifiers (DMI)
- Reads runtime system information
PID:1510

/sbin/modprobe
modprobe tcp_bbr
2⤵
- Loads a kernel module
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:1511

/sbin/sysctl
sysctl -p
2⤵
PID:1513

/bin/systemctl
systemctl restart networking.service
2⤵
- Reads runtime system information
PID:1514

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads