Malware Analysis Report

2024-10-16 05:32

Sample ID: 240714-rceq8atbqm
Target: lscpu.sh
SHA256: ccd6ff0b8b062a9eacd7c4cb1e1e0601aecab965a6652210962676aa25ccef9f
Tags: antivm
Score: 6/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 6/10

SHA256: ccd6ff0b8b062a9eacd7c4cb1e1e0601aecab965a6652210962676aa25ccef9f

Threat level: Shows suspicious behavior. The file lscpu.sh was found to show suspicious behavior (score 6/10).

Every indicator in this report was raised by /usr/bin/lscpu, which the script launches (see Processes). The paths are the /proc and /sys hardware nodes lscpu reads on any host to build its output, and lscpu itself performs hypervisor detection to fill its "Hypervisor vendor" and "Virtualization type" fields, which is why it also probes platform-specific nodes such as /proc/sysinfo (s390x) and /proc/device-tree/compatible (PowerPC) on an amd64 guest. The antivm tag reflects that VM-detection code reads the same nodes; the report records no file writes, no further processes, and no network activity attributed to the sample.

Malicious Activity Summary

antivm: Checks system information (zLinux)
antivm: Checks CPU configuration
Reads CPU attributes
Enumerates kernel/hardware configuration
Reads runtime system information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-07-14 14:02

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-07-14 14:02
Reported: 2024-07-14 14:04
Platform: ubuntu2404-amd64-20240523-en
Max time kernel: 0s
Max time network: 5s

Command Line

[/tmp/lscpu.sh]

Signatures

Checks system information (zLinux)
Tag: antivm

Description | Indicator | Process | Target
--- | --- | --- | ---
File opened for reading | /proc/sysinfo | /usr/bin/lscpu | N/A

/proc/sysinfo exists only on s390x; lscpu probes it for z/VM detection regardless of architecture, so on this amd64 guest the indicator records an attempted open, not data being read.

Checks CPU configuration
Tag: antivm

Description | Indicator | Process | Target
--- | --- | --- | ---
File opened for reading | /proc/cpuinfo | /usr/bin/lscpu | N/A

Reads CPU attributes

Description | Indicator | Process | Target
--- | --- | --- | ---
File opened for reading | /sys/devices/system/cpu/cpu0/cache/index0/ways_of_associativity | /usr/bin/lscpu | N/A
File opened for reading | /sys/devices/system/cpu/cpu0/cache/index3/write_policy | /usr/bin/lscpu | N/A
File opened for reading | /sys/devices/system/cpu/vulnerabilities/l1tf | /usr/bin/lscpu | N/A
File opened for reading | /sys/devices/system/cpu/cpu0/topology/core_id | /usr/bin/lscpu | N/A
File opened for reading | /sys/devices/system/cpu/cpu0/cache/index1/physical_line_partition | /usr/bin/lscpu | N/A
File opened for reading | /sys/devices/system/cpu/cpu0/cache/index3/allocation_policy | /usr/bin/lscpu | N/A
File opened for reading | /sys/devices/system/cpu/vulnerabilities/tsx_async_abort | /usr/bin/lscpu | N/A
File opened for reading | /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq | /usr/bin/lscpu | N/A
File opened for reading | /sys/devices/system/cpu/cpu0/cache/index1/shared_cpu_map | /usr/bin/lscpu | N/A
File opened for reading | /sys/devices/system/cpu/cpu0/cache/index2/level | /usr/bin/lscpu | N/A
File opened for reading | /sys/devices/system/cpu/cpu0/cache/index2/type | /usr/bin/lscpu | N/A
File opened for reading | /sys/devices/system/cpu/cpu0/cache/index2/size | /usr/bin/lscpu | N/A
File opened for reading | /sys/devices/system/cpu/cpu0/cache/index3/shared_cpu_map | /usr/bin/lscpu | N/A
File opened for reading | /sys/devices/system/cpu/cpu0/topology/thread_siblings | /usr/bin/lscpu | N/A
File opened for reading | /sys/devices/system/cpu/cpu0/topology/book_siblings | /usr/bin/lscpu | N/A
File opened for reading | /sys/devices/system/cpu/cpu0/topology/book_id | /usr/bin/lscpu | N/A
File opened for reading | /sys/devices/system/cpu/cpu0/cache/index1/write_policy | /usr/bin/lscpu | N/A
File opened for reading | /sys/devices/system/cpu/vulnerabilities/spectre_v1 | /usr/bin/lscpu | N/A
File opened for reading | /sys/devices/system/cpu/cpu0/topology/drawer_siblings | /usr/bin/lscpu | N/A
File opened for reading | /sys/devices/system/cpu/cpu0/cache/index0/write_policy | /usr/bin/lscpu | N/A
File opened for reading | /sys/devices/system/cpu/cpu0/cache/index2/physical_line_partition | /usr/bin/lscpu | N/A
File opened for reading | /sys/devices/system/cpu/vulnerabilities/reg_file_data_sampling | /usr/bin/lscpu | N/A
File opened for reading | /sys/devices/system/cpu/cpu0/cache/index0/shared_cpu_map | /usr/bin/lscpu | N/A
File opened for reading | /sys/devices/system/cpu/cpu0/cache/index2/ways_of_associativity | /usr/bin/lscpu | N/A
File opened for reading | /sys/devices/system/cpu/cpu0/cache/index2/coherency_line_size | /usr/bin/lscpu | N/A
File opened for reading | /sys/devices/system/cpu/cpu0/cache/index3/type | /usr/bin/lscpu | N/A
File opened for reading | /sys/devices/system/cpu/cpu0/topology/physical_package_id | /usr/bin/lscpu | N/A
File opened for reading | /sys/devices/system/cpu/cpu0/cache/index0/coherency_line_size | /usr/bin/lscpu | N/A
File opened for reading | /sys/devices/system/cpu/cpu0/cache/index1/id | /usr/bin/lscpu | N/A
File opened for reading | /sys/devices/system/cpu/online | /usr/bin/lscpu | N/A
File opened for reading | /sys/devices/system/cpu/vulnerabilities/mmio_stale_data | /usr/bin/lscpu | N/A
File opened for reading | /sys/devices/system/cpu/cpu0/cache/index0/type | /usr/bin/lscpu | N/A
File opened for reading | /sys/devices/system/cpu/cpu0/cache/index1/level | /usr/bin/lscpu | N/A
File opened for reading | /sys/devices/system/cpu/cpu0/cache/index2/shared_cpu_map | /usr/bin/lscpu | N/A
File opened for reading | /sys/devices/system/cpu/cpu0/cache/index3/size | /usr/bin/lscpu | N/A
File opened for reading | /sys/devices/system/cpu/vulnerabilities | /usr/bin/lscpu | N/A
File opened for reading | /sys/devices/system/cpu/vulnerabilities/spectre_v2 | /usr/bin/lscpu | N/A
File opened for reading | /sys/devices/system/cpu/cpu0/topology/core_siblings | /usr/bin/lscpu | N/A
File opened for reading | /sys/devices/system/cpu/cpu0/cache/index0/level | /usr/bin/lscpu | N/A
File opened for reading | /sys/devices/system/cpu/cpu0/cache/index1/ways_of_associativity | /usr/bin/lscpu | N/A
File opened for reading | /sys/devices/system/cpu/cpu0/cache/index3/ways_of_associativity | /usr/bin/lscpu | N/A
File opened for reading | /sys/devices/system/cpu/cpu0/cache/index3/physical_line_partition | /usr/bin/lscpu | N/A
File opened for reading | /sys/devices/system/cpu/cpu0/cache/index3/number_of_sets | /usr/bin/lscpu | N/A
File opened for reading | /sys/devices/system/cpu/present | /usr/bin/lscpu | N/A
File opened for reading | /sys/devices/system/cpu/cpu0/cache/index3/coherency_line_size | /usr/bin/lscpu | N/A
File opened for reading | /sys/devices/system/cpu/vulnerabilities/mds | /usr/bin/lscpu | N/A
File opened for reading | /sys/devices/system/cpu/vulnerabilities/retbleed | /usr/bin/lscpu | N/A
File opened for reading | /sys/devices/system/cpu/cpu0/cache/index0/physical_line_partition | /usr/bin/lscpu | N/A
File opened for reading | /sys/devices/system/cpu/cpu0/cache/index1/type | /usr/bin/lscpu | N/A
File opened for reading | /sys/devices/system/cpu/dispatching | /usr/bin/lscpu | N/A
File opened for reading | /sys/devices/system/cpu/cpu0/cpufreq/scaling_cur_freq | /usr/bin/lscpu | N/A
File opened for reading | /sys/devices/system/cpu/cpu0/cache/index1/coherency_line_size | /usr/bin/lscpu | N/A
File opened for reading | /sys/devices/system/cpu/cpu0/cache/index3/level | /usr/bin/lscpu | N/A
File opened for reading | /sys/devices/system/cpu/vulnerabilities/spec_rstack_overflow | /usr/bin/lscpu | N/A
File opened for reading | /sys/devices/system/cpu/vulnerabilities/spec_store_bypass | /usr/bin/lscpu | N/A
File opened for reading | /sys/devices/system/cpu/cpu0/topology/drawer_id | /usr/bin/lscpu | N/A
File opened for reading | /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_min_freq | /usr/bin/lscpu | N/A
File opened for reading | /sys/devices/system/cpu/cpu0/cache/index0/number_of_sets | /usr/bin/lscpu | N/A
File opened for reading | /sys/devices/system/cpu/cpu0/cache/index1/number_of_sets | /usr/bin/lscpu | N/A
File opened for reading | /sys/devices/system/cpu/vulnerabilities/itlb_multihit | /usr/bin/lscpu | N/A
File opened for reading | /sys/devices/system/cpu/vulnerabilities/meltdown | /usr/bin/lscpu | N/A
File opened for reading | /sys/devices/system/cpu/cpu0/cache/index0/allocation_policy | /usr/bin/lscpu | N/A
File opened for reading | /sys/devices/system/cpu/cpu0/cache/index1/allocation_policy | /usr/bin/lscpu | N/A
File opened for reading | /sys/devices/system/cpu/vulnerabilities/gather_data_sampling | /usr/bin/lscpu | N/A

Enumerates kernel/hardware configuration

Description | Indicator | Process | Target
--- | --- | --- | ---
File opened for reading | /sys/devices/system/cpu | /usr/bin/lscpu | N/A
File opened for reading | /sys/devices/system/node | /usr/bin/lscpu | N/A
File opened for reading | /sys/devices/system/node/node0/cpumap | /usr/bin/lscpu | N/A
File opened for reading | /sys/firmware/dmi/tables/DMI | /usr/bin/lscpu | N/A
File opened for reading | /sys/kernel/cpu_byteorder | /usr/bin/lscpu | N/A

Reads runtime system information

Description | Indicator | Process | Target
--- | --- | --- | ---
File opened for reading | /proc/sys/kernel/osrelease | /usr/bin/lscpu | N/A
File opened for reading | /proc/device-tree/compatible | /usr/bin/lscpu | N/A
File opened for reading | /proc/bus/pci/devices | /usr/bin/lscpu | N/A
File opened for reading | /proc/self/status | /usr/bin/lscpu | N/A
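
The five signature groups above are nothing more than a bucketing of the paths lscpu opened. The POSIX shell helper below is an added triage example, not part of this report and not the sandbox's own rules: it rebuilds the same buckets from an strace log, so an analyst can re-run the sample, or a clean /usr/bin/lscpu, and compare the footprint with the indicator list. The bucket boundaries are my reading of how the report groups the paths; the embedded strace excerpt is constructed to mirror indicators from the report (plus one open lscpu never performs) and is not output from this detonation. It assumes only sed, grep, sort and uniq as found on any Linux host.

```shell
#!/bin/sh
# Added triage helper (not part of the report or the sample): rebuild the
# report's "File opened for reading" signature buckets from an strace log,
# so a local run of the sample or of a clean /usr/bin/lscpu can be compared
# with the sandbox's indicator list.
#
# Live use (not executed here):
#   strace -f -e trace=open,openat -o trace.txt /tmp/lscpu.sh >/dev/null
#   bucket_counts < trace.txt
#   unclassified_paths < trace.txt

# Map one opened path to the signature name the report uses. Order matters:
# the bare /sys/devices/system/cpu directory belongs to "Enumerates
# kernel/hardware configuration", anything beneath it to "Reads CPU attributes".
classify_path() {
    case "$1" in
        /proc/sysinfo)             echo "Checks system information (zLinux)" ;;
        /proc/cpuinfo)             echo "Checks CPU configuration" ;;
        /sys/devices/system/cpu/*) echo "Reads CPU attributes" ;;
        /sys/devices/system/cpu|/sys/devices/system/node*|/sys/firmware/dmi/*|/sys/kernel/*)
                                   echo "Enumerates kernel/hardware configuration" ;;
        /proc/*)                   echo "Reads runtime system information" ;;
        *)                         echo "Unclassified" ;;
    esac
}

# Print the path argument of every open()/openat() line on stdin, one per
# line. The return value is deliberately ignored: like the sandbox, this
# counts attempted opens, so a probe for a node that does not exist on the
# host (e.g. /proc/sysinfo on amd64) is still recorded.
extract_paths() {
    sed -n 's/^[^"]*open[a-z]*([^"]*"\([^"]*\)".*/\1/p'
}

# Bucket every opened path and print "<count> <bucket>", busiest bucket first.
bucket_counts() {
    extract_paths | while IFS= read -r p; do classify_path "$p"; done \
        | sort | uniq -c | sort -rn
}

# Number of opens on stdin that fall into the named bucket (prints 0 when none).
count_in_bucket() {
    extract_paths | while IFS= read -r p; do classify_path "$p"; done \
        | grep -c -x -F -- "$1" || true
}

# Paths that match none of the report's signatures. After discounting the
# loader and locale files any dynamically linked binary opens, this is where
# a script that does more than run lscpu would show up.
unclassified_paths() {
    extract_paths | while IFS= read -r p; do
        [ "$(classify_path "$p")" = "Unclassified" ] && echo "$p"
    done
    return 0
}

# Constructed strace excerpt for demonstration. It mirrors indicator paths
# from the report plus one open that lscpu never performs (/etc/passwd); it
# is not output from the sandbox detonation.
SAMPLE_TRACE='execve("/tmp/lscpu.sh", ["/tmp/lscpu.sh"], 0x7ffd1a2b3c40 /* 12 vars */) = 0
[pid  1201] execve("/usr/bin/lscpu", ["lscpu"], 0x55d0e8a1c2f0 /* 12 vars */) = 0
[pid  1201] openat(AT_FDCWD, "/proc/sysinfo", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
[pid  1201] openat(AT_FDCWD, "/proc/cpuinfo", O_RDONLY|O_CLOEXEC) = 3
[pid  1201] openat(AT_FDCWD, "/sys/devices/system/cpu", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4
[pid  1201] openat(AT_FDCWD, "/sys/devices/system/cpu/online", O_RDONLY|O_CLOEXEC) = 5
[pid  1201] openat(AT_FDCWD, "/sys/devices/system/cpu/vulnerabilities/spectre_v2", O_RDONLY|O_CLOEXEC) = 5
[pid  1201] openat(AT_FDCWD, "/sys/firmware/dmi/tables/DMI", O_RDONLY|O_CLOEXEC) = 5
[pid  1201] openat(AT_FDCWD, "/proc/sys/kernel/osrelease", O_RDONLY|O_CLOEXEC) = 5
[pid  1201] openat(AT_FDCWD, "/etc/passwd", O_RDONLY|O_CLOEXEC) = 5
[pid  1201] +++ exited with 0 +++'

printf '%s\n' "$SAMPLE_TRACE" | bucket_counts
echo "Outside the report's signatures:"
printf '%s\n' "$SAMPLE_TRACE" | unclassified_paths
```

Two points of design: the extractor keeps failed opens on purpose, because the sandbox evidently does the same (its /proc/sysinfo indicator on an amd64 guest can only be an attempt), and the interesting output for an analyst is not the bucket totals but the Unclassified list, since a wrapper script whose only real action is running lscpu should leave that list empty apart from the loader, libc and locale files.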

Processes

Process | Command line
--- | ---
/tmp/lscpu.sh | [/tmp/lscpu.sh]
/usr/bin/lscpu | [lscpu]

Network

Country | Destination | Domain | Proto
--- | --- | --- | ---
N/A | 224.0.0.251:5353 | | udp

224.0.0.251:5353/udp is the mDNS multicast group. The report attributes this traffic to no process, which is consistent with the guest's own service discovery rather than activity of the sample.

Files

N/A