Analysis Overview
score
6/10
SHA256
ccd6ff0b8b062a9eacd7c4cb1e1e0601aecab965a6652210962676aa25ccef9f
Threat Level: Shows suspicious behavior
The file lscpu.sh was found to show suspicious behavior.
Malicious Activity Summary
Checks system information (zLinux)
Checks CPU configuration
Reads CPU attributes
Enumerates kernel/hardware configuration
Reads runtime system information
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-14 14:02
Signatures
N/A
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-14 14:02
Reported
2024-07-14 14:04
Platform
ubuntu2404-amd64-20240523-en
Max time kernel
0s
Max time network
5s
Command Line
[/tmp/lscpu.sh]
Signatures
Checks system information (zLinux)
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for reading | /proc/sysinfo | /usr/bin/lscpu | N/A |
Checks CPU configuration
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for reading | /proc/cpuinfo | /usr/bin/lscpu | N/A |
Reads CPU attributes
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for reading | /sys/devices/system/cpu/cpu0/cache/index0/ways_of_associativity | /usr/bin/lscpu | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cache/index3/write_policy | /usr/bin/lscpu | N/A |
| File opened for reading | /sys/devices/system/cpu/vulnerabilities/l1tf | /usr/bin/lscpu | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/topology/core_id | /usr/bin/lscpu | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cache/index1/physical_line_partition | /usr/bin/lscpu | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cache/index3/allocation_policy | /usr/bin/lscpu | N/A |
| File opened for reading | /sys/devices/system/cpu/vulnerabilities/tsx_async_abort | /usr/bin/lscpu | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq | /usr/bin/lscpu | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cache/index1/shared_cpu_map | /usr/bin/lscpu | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cache/index2/level | /usr/bin/lscpu | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cache/index2/type | /usr/bin/lscpu | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cache/index2/size | /usr/bin/lscpu | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cache/index3/shared_cpu_map | /usr/bin/lscpu | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/topology/thread_siblings | /usr/bin/lscpu | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/topology/book_siblings | /usr/bin/lscpu | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/topology/book_id | /usr/bin/lscpu | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cache/index1/write_policy | /usr/bin/lscpu | N/A |
| File opened for reading | /sys/devices/system/cpu/vulnerabilities/spectre_v1 | /usr/bin/lscpu | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/topology/drawer_siblings | /usr/bin/lscpu | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cache/index0/write_policy | /usr/bin/lscpu | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cache/index2/physical_line_partition | /usr/bin/lscpu | N/A |
| File opened for reading | /sys/devices/system/cpu/vulnerabilities/reg_file_data_sampling | /usr/bin/lscpu | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cache/index0/shared_cpu_map | /usr/bin/lscpu | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cache/index2/ways_of_associativity | /usr/bin/lscpu | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cache/index2/coherency_line_size | /usr/bin/lscpu | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cache/index3/type | /usr/bin/lscpu | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/topology/physical_package_id | /usr/bin/lscpu | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cache/index0/coherency_line_size | /usr/bin/lscpu | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cache/index1/id | /usr/bin/lscpu | N/A |
| File opened for reading | /sys/devices/system/cpu/online | /usr/bin/lscpu | N/A |
| File opened for reading | /sys/devices/system/cpu/vulnerabilities/mmio_stale_data | /usr/bin/lscpu | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cache/index0/type | /usr/bin/lscpu | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cache/index1/level | /usr/bin/lscpu | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cache/index2/shared_cpu_map | /usr/bin/lscpu | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cache/index3/size | /usr/bin/lscpu | N/A |
| File opened for reading | /sys/devices/system/cpu/vulnerabilities | /usr/bin/lscpu | N/A |
| File opened for reading | /sys/devices/system/cpu/vulnerabilities/spectre_v2 | /usr/bin/lscpu | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/topology/core_siblings | /usr/bin/lscpu | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cache/index0/level | /usr/bin/lscpu | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cache/index1/ways_of_associativity | /usr/bin/lscpu | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cache/index3/ways_of_associativity | /usr/bin/lscpu | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cache/index3/physical_line_partition | /usr/bin/lscpu | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cache/index3/number_of_sets | /usr/bin/lscpu | N/A |
| File opened for reading | /sys/devices/system/cpu/present | /usr/bin/lscpu | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cache/index3/coherency_line_size | /usr/bin/lscpu | N/A |
| File opened for reading | /sys/devices/system/cpu/vulnerabilities/mds | /usr/bin/lscpu | N/A |
| File opened for reading | /sys/devices/system/cpu/vulnerabilities/retbleed | /usr/bin/lscpu | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cache/index0/physical_line_partition | /usr/bin/lscpu | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cache/index1/type | /usr/bin/lscpu | N/A |
| File opened for reading | /sys/devices/system/cpu/dispatching | /usr/bin/lscpu | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cpufreq/scaling_cur_freq | /usr/bin/lscpu | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cache/index1/coherency_line_size | /usr/bin/lscpu | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cache/index3/level | /usr/bin/lscpu | N/A |
| File opened for reading | /sys/devices/system/cpu/vulnerabilities/spec_rstack_overflow | /usr/bin/lscpu | N/A |
| File opened for reading | /sys/devices/system/cpu/vulnerabilities/spec_store_bypass | /usr/bin/lscpu | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/topology/drawer_id | /usr/bin/lscpu | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_min_freq | /usr/bin/lscpu | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cache/index0/number_of_sets | /usr/bin/lscpu | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cache/index1/number_of_sets | /usr/bin/lscpu | N/A |
| File opened for reading | /sys/devices/system/cpu/vulnerabilities/itlb_multihit | /usr/bin/lscpu | N/A |
| File opened for reading | /sys/devices/system/cpu/vulnerabilities/meltdown | /usr/bin/lscpu | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cache/index0/allocation_policy | /usr/bin/lscpu | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cache/index1/allocation_policy | /usr/bin/lscpu | N/A |
| File opened for reading | /sys/devices/system/cpu/vulnerabilities/gather_data_sampling | /usr/bin/lscpu | N/A |
Enumerates kernel/hardware configuration
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for reading | /sys/devices/system/cpu | /usr/bin/lscpu | N/A |
| File opened for reading | /sys/devices/system/node | /usr/bin/lscpu | N/A |
| File opened for reading | /sys/devices/system/node/node0/cpumap | /usr/bin/lscpu | N/A |
| File opened for reading | /sys/firmware/dmi/tables/DMI | /usr/bin/lscpu | N/A |
| File opened for reading | /sys/kernel/cpu_byteorder | /usr/bin/lscpu | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for reading | /proc/sys/kernel/osrelease | /usr/bin/lscpu | N/A |
| File opened for reading | /proc/device-tree/compatible | /usr/bin/lscpu | N/A |
| File opened for reading | /proc/bus/pci/devices | /usr/bin/lscpu | N/A |
| File opened for reading | /proc/self/status | /usr/bin/lscpu | N/A |
Processes
/tmp/lscpu.sh
[/tmp/lscpu.sh]
/usr/bin/lscpu
[lscpu]
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | N/A | udp |
Files
N/A