Malware Analysis Report

2025-01-23 15:01

Sample ID 240830-h2q14ssapa
Target acc.rust
SHA256 1232b8d5f116421803d267d6195e37a7198883d71b76ce3cdcb91730f86c9b79
Tags
antivm evasion
score
6/10

Analysis Overview

Score 6/10

SHA256 1232b8d5f116421803d267d6195e37a7198883d71b76ce3cdcb91730f86c9b79

Threat Level: Shows suspicious behavior

The file acc.rust was found to be: Shows suspicious behavior.

Malicious Activity Summary

antivm evasion

Checks mountinfo of local process

Reads hardware information

Reads list of loaded kernel modules

Checks CPU configuration

Reads runtime system information

Writes file to shm directory

Enumerates kernel/hardware configuration

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-08-30 07:14

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-08-30 07:14
Reported 2024-08-30 07:16
Platform ubuntu1804-amd64-20240611-en
Max time kernel 147s
Max time network 149s

Command Line

[/tmp/acc.rust]

Signatures

Checks mountinfo of local process

antivm
Description Indicator Process Target
File opened for reading /proc/1/mountinfo /tmp/acc.rust N/A

Reads hardware information

Description Indicator Process Target
File opened for reading /sys/class/dmi/id/product_uuid /tmp/acc.rust N/A

Reads list of loaded kernel modules

evasion
Description Indicator Process Target
File opened for reading /proc/modules /tmp/acc.rust N/A

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /tmp/acc.rust N/A

Enumerates kernel/hardware configuration

Description Indicator Process Target
File opened for reading /sys/kernel/mm/transparent_hugepage/hpage_pmd_size /tmp/acc.rust N/A

Reads runtime system information

Description Indicator Process Target
File opened for reading /proc/self/cgroup /tmp/acc.rust N/A
File opened for reading /proc/filesystems /tmp/acc.rust N/A
File opened for reading /proc/1/stat /tmp/acc.rust N/A
File opened for reading /proc/self/maps /tmp/acc.rust N/A
File opened for reading /proc/self/status /tmp/acc.rust N/A
File opened for reading /proc/1/environ /tmp/acc.rust N/A
File opened for reading /proc/stat /tmp/acc.rust N/A
File opened for reading /proc/bus/pci/devices /tmp/acc.rust N/A
File opened for reading /proc/1/comm /tmp/acc.rust N/A

Writes file to shm directory

Description Indicator Process Target
File opened for modification /dev/shm/.shmeu23hq /tmp/acc.rust N/A

Processes

/tmp/acc.rust

[/tmp/acc.rust]

Network

Country Destination Domain Proto
GB 185.125.188.61:443 tcp
GB 185.125.188.61:443 tcp
US 151.101.65.91:443 tcp
US 151.101.65.91:443 tcp
N/A 224.0.0.251:5353 udp
GB 89.187.167.7:443 tcp
CN 123.56.109.160:81 tcp
CN 123.57.6.3:81 tcp
CN 39.107.67.131:81 tcp
CN 101.200.156.217:81 tcp
CN 182.92.155.149:81 tcp
CN 123.57.218.176:81 tcp
CN 123.56.109.160:81 tcp
CN 123.57.6.3:81 tcp
CN 39.107.67.131:81 tcp
CN 101.200.156.217:81 tcp
CN 182.92.155.149:81 tcp
CN 123.57.218.176:81 tcp
CN 123.56.109.160:81 tcp
CN 123.57.6.3:81 tcp
CN 39.107.67.131:81 tcp

Files

/dev/shm/.shmeu23hq

MD5 43ce320e49782adecfd70d4c0050c178
SHA1 72ea1ca71b2b95d869b51660477527010cfd574f
SHA256 aa0d8c7d92a0aac4c19d35b49b26ab430425ebc794a35775679624df4367c851
SHA512 61a24aa7bca6215c35538f99844d6dca0d9aa29127dc20b749d3d260020f469d97494cb62afa5ce88bd0ea0e8ba91eeb94840579523fdaa19f747838c0fbcc73

Analysis: behavioral2

Detonation Overview

Submitted 2024-08-30 07:14
Reported 2024-08-30 07:17
Platform ubuntu2004-amd64-20240508-en
Max time kernel 147s
Max time network 150s

Command Line

[/tmp/acc.rust]

Signatures

Checks mountinfo of local process

antivm
Description Indicator Process Target
File opened for reading /proc/1/mountinfo /tmp/acc.rust N/A

Reads hardware information

Description Indicator Process Target
File opened for reading /sys/class/dmi/id/product_uuid /tmp/acc.rust N/A

Reads list of loaded kernel modules

evasion
Description Indicator Process Target
File opened for reading /proc/modules /tmp/acc.rust N/A

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /tmp/acc.rust N/A

Enumerates kernel/hardware configuration

Description Indicator Process Target
File opened for reading /sys/kernel/mm/transparent_hugepage/hpage_pmd_size /tmp/acc.rust N/A

Reads runtime system information

Description Indicator Process Target
File opened for reading /proc/self/maps /tmp/acc.rust N/A
File opened for reading /proc/bus/pci/devices /tmp/acc.rust N/A
File opened for reading /proc/self/cgroup /tmp/acc.rust N/A
File opened for reading /proc/stat /tmp/acc.rust N/A
File opened for reading /proc/self/status /tmp/acc.rust N/A
File opened for reading /proc/1/environ /tmp/acc.rust N/A
File opened for reading /proc/filesystems /tmp/acc.rust N/A
File opened for reading /proc/1/stat /tmp/acc.rust N/A
File opened for reading /proc/1/comm /tmp/acc.rust N/A

Writes file to shm directory

Description Indicator Process Target
File opened for modification /dev/shm/.shmbIZ212 /tmp/acc.rust N/A

Processes

/tmp/acc.rust

[/tmp/acc.rust]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 connectivity-check.ubuntu.com udp
CN 123.56.109.160:81 tcp
CN 123.57.6.3:81 tcp
CN 39.107.67.131:81 tcp
CN 101.200.156.217:81 tcp
CN 182.92.155.149:81 tcp
CN 123.57.218.176:81 tcp
CN 123.56.109.160:81 tcp
CN 123.57.6.3:81 tcp
CN 39.107.67.131:81 tcp
CN 101.200.156.217:81 tcp
CN 182.92.155.149:81 tcp
CN 123.57.218.176:81 tcp
CN 123.56.109.160:81 tcp
US 1.1.1.1:53 connectivity-check.ubuntu.com udp
CN 123.57.6.3:81 tcp
CN 39.107.67.131:81 tcp

Files

/dev/shm/.shmbIZ212

MD5 43ce320e49782adecfd70d4c0050c178
SHA1 72ea1ca71b2b95d869b51660477527010cfd574f
SHA256 aa0d8c7d92a0aac4c19d35b49b26ab430425ebc794a35775679624df4367c851
SHA512 61a24aa7bca6215c35538f99844d6dca0d9aa29127dc20b749d3d260020f469d97494cb62afa5ce88bd0ea0e8ba91eeb94840579523fdaa19f747838c0fbcc73

Analysis: behavioral3

Detonation Overview

Submitted 2024-08-30 07:14
Reported 2024-08-30 07:17
Platform ubuntu2204-amd64-20240611-en
Max time kernel 147s
Max time network 154s

Command Line

[/tmp/acc.rust]

Signatures

Checks mountinfo of local process

antivm
Description Indicator Process Target
File opened for reading /proc/1/mountinfo /tmp/acc.rust N/A

Reads hardware information

Description Indicator Process Target
File opened for reading /sys/class/dmi/id/product_uuid /tmp/acc.rust N/A

Reads list of loaded kernel modules

evasion
Description Indicator Process Target
File opened for reading /proc/modules /tmp/acc.rust N/A

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /tmp/acc.rust N/A

Enumerates kernel/hardware configuration

Description Indicator Process Target
File opened for reading /sys/kernel/mm/transparent_hugepage/hpage_pmd_size /tmp/acc.rust N/A

Reads runtime system information

Description Indicator Process Target
File opened for reading /proc/1/stat /tmp/acc.rust N/A
File opened for reading /proc/1/comm /tmp/acc.rust N/A
File opened for reading /proc/stat /tmp/acc.rust N/A
File opened for reading /proc/bus/pci/devices /tmp/acc.rust N/A
File opened for reading /proc/self/status /tmp/acc.rust N/A
File opened for reading /proc/filesystems /tmp/acc.rust N/A
File opened for reading /proc/self/maps /tmp/acc.rust N/A
File opened for reading /proc/1/environ /tmp/acc.rust N/A
File opened for reading /proc/self/cgroup /tmp/acc.rust N/A

Writes file to shm directory

Description Indicator Process Target
File opened for modification /dev/shm/.shma3f0cV /tmp/acc.rust N/A

Processes

/tmp/acc.rust

[/tmp/acc.rust]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
CN 123.56.109.160:81 tcp
CN 123.57.6.3:81 tcp
CN 39.107.67.131:81 tcp
CN 101.200.156.217:81 tcp
CN 182.92.155.149:81 tcp
CN 123.57.218.176:81 tcp
CN 123.56.109.160:81 tcp
CN 123.57.6.3:81 tcp
CN 39.107.67.131:81 tcp
CN 101.200.156.217:81 tcp
CN 182.92.155.149:81 tcp
CN 123.57.218.176:81 tcp
CN 123.56.109.160:81 tcp
CN 123.57.6.3:81 tcp
CN 39.107.67.131:81 tcp

Files

/dev/shm/.shma3f0cV

MD5 43ce320e49782adecfd70d4c0050c178
SHA1 72ea1ca71b2b95d869b51660477527010cfd574f
SHA256 aa0d8c7d92a0aac4c19d35b49b26ab430425ebc794a35775679624df4367c851
SHA512 61a24aa7bca6215c35538f99844d6dca0d9aa29127dc20b749d3d260020f469d97494cb62afa5ce88bd0ea0e8ba91eeb94840579523fdaa19f747838c0fbcc73

Analysis: behavioral4

Detonation Overview

Submitted 2024-08-30 07:14
Reported 2024-08-30 07:16
Platform ubuntu2404-amd64-20240523-en
Max time kernel 147s
Max time network 150s

Command Line

[/tmp/acc.rust]

Signatures

Checks mountinfo of local process

antivm
Description Indicator Process Target
File opened for reading /proc/1/mountinfo /tmp/acc.rust N/A

Reads hardware information

Description Indicator Process Target
File opened for reading /sys/class/dmi/id/product_uuid /tmp/acc.rust N/A

Reads list of loaded kernel modules

evasion
Description Indicator Process Target
File opened for reading /proc/modules /tmp/acc.rust N/A

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /tmp/acc.rust N/A

Enumerates kernel/hardware configuration

Description Indicator Process Target
File opened for reading /sys/kernel/mm/transparent_hugepage/hpage_pmd_size /tmp/acc.rust N/A

Reads runtime system information

Description Indicator Process Target
File opened for reading /proc/bus/pci/devices /tmp/acc.rust N/A
File opened for reading /proc/self/status /tmp/acc.rust N/A
File opened for reading /proc/1/environ /tmp/acc.rust N/A
File opened for reading /proc/filesystems /tmp/acc.rust N/A
File opened for reading /proc/1/stat /tmp/acc.rust N/A
File opened for reading /proc/1/comm /tmp/acc.rust N/A
File opened for reading /proc/self/maps /tmp/acc.rust N/A
File opened for reading /proc/stat /tmp/acc.rust N/A
File opened for reading /proc/self/cgroup /tmp/acc.rust N/A

Writes file to shm directory

Description Indicator Process Target
File opened for modification /dev/shm/.shmBn3CSl /tmp/acc.rust N/A

Processes

/tmp/acc.rust

[/tmp/acc.rust]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
CN 123.56.109.160:81 tcp
CN 123.57.6.3:81 tcp
CN 39.107.67.131:81 tcp
CN 101.200.156.217:81 tcp
CN 182.92.155.149:81 tcp
CN 123.57.218.176:81 tcp
CN 123.56.109.160:81 tcp
CN 123.57.6.3:81 tcp
CN 39.107.67.131:81 tcp
CN 101.200.156.217:81 tcp
CN 182.92.155.149:81 tcp
CN 123.57.218.176:81 tcp
CN 123.56.109.160:81 tcp
CN 123.57.6.3:81 tcp
CN 39.107.67.131:81 tcp

Files

/dev/shm/.shmBn3CSl

MD5 43ce320e49782adecfd70d4c0050c178
SHA1 72ea1ca71b2b95d869b51660477527010cfd574f
SHA256 aa0d8c7d92a0aac4c19d35b49b26ab430425ebc794a35775679624df4367c851
SHA512 61a24aa7bca6215c35538f99844d6dca0d9aa29127dc20b749d3d260020f469d97494cb62afa5ce88bd0ea0e8ba91eeb94840579523fdaa19f747838c0fbcc73