Malware Analysis Report

2024-10-24 21:27

Sample ID  240830-wjcyesxaqb
Target     update
SHA256     90adac72b6038472083e3e2ff8ab8a41eb624c5dc5b0dce58653d94d6c8b4da9
Tags       antivm, evasion
Score      6/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral3
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral4
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score   6/10
SHA256  90adac72b6038472083e3e2ff8ab8a41eb624c5dc5b0dce58653d94d6c8b4da9

Threat Level: Shows suspicious behavior

The file "update" was found to show suspicious behavior.

Malicious Activity Summary

Tags: antivm, evasion

Checks mountinfo of local process
Reads hardware information
Reads list of loaded kernel modules
Checks CPU configuration
Enumerates kernel/hardware configuration
Reads runtime system information
Writes file to shm directory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported  2024-08-30 17:56

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted         2024-08-30 17:56
Reported          2024-08-30 17:59
Platform          ubuntu1804-amd64-20240611-en
Max time kernel   141s
Max time network  152s

Command Line

[/tmp/update]

Signatures

Checks mountinfo of local process  [antivm]

Description              Indicator          Process      Target
File opened for reading  /proc/1/mountinfo  /tmp/update  N/A

Reads hardware information

Description              Indicator                       Process      Target
File opened for reading  /sys/class/dmi/id/product_uuid  /tmp/update  N/A

Reads list of loaded kernel modules  [evasion]

Description              Indicator      Process      Target
File opened for reading  /proc/modules  /tmp/update  N/A

Checks CPU configuration  [antivm]

Description              Indicator      Process      Target
File opened for reading  /proc/cpuinfo  /tmp/update  N/A

Enumerates kernel/hardware configuration

Description              Indicator                                           Process      Target
File opened for reading  /sys/kernel/mm/transparent_hugepage/hpage_pmd_size  /tmp/update  N/A

Reads runtime system information

Description              Indicator              Process      Target
File opened for reading  /proc/self/maps        /tmp/update  N/A
File opened for reading  /proc/self/cgroup      /tmp/update  N/A
File opened for reading  /proc/filesystems      /tmp/update  N/A
File opened for reading  /proc/1/stat           /tmp/update  N/A
File opened for reading  /proc/1/comm           /tmp/update  N/A
File opened for reading  /proc/stat             /tmp/update  N/A
File opened for reading  /proc/bus/pci/devices  /tmp/update  N/A
File opened for reading  /proc/self/status      /tmp/update  N/A
File opened for reading  /proc/1/environ        /tmp/update  N/A

Writes file to shm directory

Description                   Indicator            Process      Target
File opened for modification  /dev/shm/.shmRYDjAr  /tmp/update  N/A

Processes

/tmp/update

[/tmp/update]

Network

Country  Destination         Domain                         Proto
N/A      224.0.0.251:5353                                   udp
GB       185.125.188.62:443                                 tcp
GB       185.125.188.62:443                                 tcp
US       151.101.65.91:443                                  tcp
US       151.101.65.91:443                                  tcp
GB       89.187.167.9:443                                   tcp
CN       123.56.45.175:443                                  tcp
CN       123.56.45.175:443                                  tcp
US       1.1.1.1:53          130.0.127.10.in-addr.arpa      udp
US       1.1.1.1:53          175.45.56.123.in-addr.arpa     udp
CN       123.57.223.22:443                                  tcp
CN       123.57.223.22:443                                  tcp
CN       39.107.75.91:443                                   tcp
CN       39.107.75.91:443                                   tcp
CN       182.92.101.4:443                                   tcp
CN       182.92.101.4:443                                   tcp

Files

/dev/shm/.shmRYDjAr

MD5     0cc445a80a3a1156192fc079d575428f
SHA1    8a403a154a5835296cf812cdbbab50c445e9758d
SHA256  20f09959706797b81b2a4de627c01d0c0d890d142954d455a0e50f7811bdc951
SHA512  1eb6cce112630cc62379bacad791c41b383fa318a90ffeef40419d1029d444fa1a7763908926e909b1fc1c52822511ba155ff3ab23c9f362bdb68670fbf3c4d0

Analysis: behavioral2

Detonation Overview

Submitted         2024-08-30 17:56
Reported          2024-08-30 17:59
Platform          ubuntu2004-amd64-20240611-en
Max time kernel   141s
Max time network  141s

Command Line

[/tmp/update]

Signatures

Checks mountinfo of local process  [antivm]

Description              Indicator          Process      Target
File opened for reading  /proc/1/mountinfo  /tmp/update  N/A

Reads hardware information

Description              Indicator                       Process      Target
File opened for reading  /sys/class/dmi/id/product_uuid  /tmp/update  N/A

Reads list of loaded kernel modules  [evasion]

Description              Indicator      Process      Target
File opened for reading  /proc/modules  /tmp/update  N/A

Checks CPU configuration  [antivm]

Description              Indicator      Process      Target
File opened for reading  /proc/cpuinfo  /tmp/update  N/A

Enumerates kernel/hardware configuration

Description              Indicator                                           Process      Target
File opened for reading  /sys/kernel/mm/transparent_hugepage/hpage_pmd_size  /tmp/update  N/A

Reads runtime system information

Description              Indicator              Process      Target
File opened for reading  /proc/self/maps        /tmp/update  N/A
File opened for reading  /proc/filesystems      /tmp/update  N/A
File opened for reading  /proc/1/stat           /tmp/update  N/A
File opened for reading  /proc/1/comm           /tmp/update  N/A
File opened for reading  /proc/self/cgroup      /tmp/update  N/A
File opened for reading  /proc/stat             /tmp/update  N/A
File opened for reading  /proc/bus/pci/devices  /tmp/update  N/A
File opened for reading  /proc/self/status      /tmp/update  N/A
File opened for reading  /proc/1/environ        /tmp/update  N/A

Writes file to shm directory

Description                   Indicator            Process      Target
File opened for modification  /dev/shm/.shmTojAvR  /tmp/update  N/A

Processes

/tmp/update

[/tmp/update]

Network

Country  Destination         Domain                         Proto
N/A      224.0.0.251:5353                                   udp
US       1.1.1.1:53          connectivity-check.ubuntu.com  udp
CN       123.56.45.175:443                                  tcp
CN       123.56.45.175:443                                  tcp
CN       123.57.223.22:443                                  tcp
CN       123.57.223.22:443                                  tcp
CN       39.107.75.91:443                                   tcp
CN       39.107.75.91:443                                   tcp
CN       182.92.101.4:443                                   tcp
US       1.1.1.1:53          connectivity-check.ubuntu.com  udp
CN       182.92.101.4:443                                   tcp

Files

/dev/shm/.shmTojAvR

MD5     0cc445a80a3a1156192fc079d575428f
SHA1    8a403a154a5835296cf812cdbbab50c445e9758d
SHA256  20f09959706797b81b2a4de627c01d0c0d890d142954d455a0e50f7811bdc951
SHA512  1eb6cce112630cc62379bacad791c41b383fa318a90ffeef40419d1029d444fa1a7763908926e909b1fc1c52822511ba155ff3ab23c9f362bdb68670fbf3c4d0

Analysis: behavioral3

Detonation Overview

Submitted         2024-08-30 17:56
Reported          2024-08-30 17:59
Platform          ubuntu2204-amd64-20240729-en
Max time kernel   113s
Max time network  131s

Command Line

[/tmp/update]

Signatures

Checks mountinfo of local process  [antivm]

Description              Indicator          Process      Target
File opened for reading  /proc/1/mountinfo  /tmp/update  N/A

Reads hardware information

Description              Indicator                       Process      Target
File opened for reading  /sys/class/dmi/id/product_uuid  /tmp/update  N/A

Reads list of loaded kernel modules  [evasion]

Description              Indicator      Process      Target
File opened for reading  /proc/modules  /tmp/update  N/A

Checks CPU configuration  [antivm]

Description              Indicator      Process      Target
File opened for reading  /proc/cpuinfo  /tmp/update  N/A

Enumerates kernel/hardware configuration

Description              Indicator                                           Process      Target
File opened for reading  /sys/kernel/mm/transparent_hugepage/hpage_pmd_size  /tmp/update  N/A

Reads runtime system information

Description              Indicator              Process      Target
File opened for reading  /proc/self/maps        /tmp/update  N/A
File opened for reading  /proc/bus/pci/devices  /tmp/update  N/A
File opened for reading  /proc/1/comm           /tmp/update  N/A
File opened for reading  /proc/filesystems      /tmp/update  N/A
File opened for reading  /proc/1/stat           /tmp/update  N/A
File opened for reading  /proc/stat             /tmp/update  N/A
File opened for reading  /proc/self/status      /tmp/update  N/A
File opened for reading  /proc/1/environ        /tmp/update  N/A
File opened for reading  /proc/self/cgroup      /tmp/update  N/A

Writes file to shm directory

Description                   Indicator            Process      Target
File opened for modification  /dev/shm/.shm2z9QBZ  /tmp/update  N/A

Processes

/tmp/update

[/tmp/update]

Network

Country  Destination        Domain  Proto
N/A      224.0.0.251:5353           udp
CN       123.56.45.175:443          tcp
CN       123.56.45.175:443          tcp
CN       123.57.223.22:443          tcp
CN       123.57.223.22:443          tcp
CN       39.107.75.91:443           tcp
CN       39.107.75.91:443           tcp

Files

/dev/shm/.shm2z9QBZ

MD5     0cc445a80a3a1156192fc079d575428f
SHA1    8a403a154a5835296cf812cdbbab50c445e9758d
SHA256  20f09959706797b81b2a4de627c01d0c0d890d142954d455a0e50f7811bdc951
SHA512  1eb6cce112630cc62379bacad791c41b383fa318a90ffeef40419d1029d444fa1a7763908926e909b1fc1c52822511ba155ff3ab23c9f362bdb68670fbf3c4d0

Analysis: behavioral4

Detonation Overview

Submitted         2024-08-30 17:56
Reported          2024-08-30 17:59
Platform          ubuntu2404-amd64-20240523-en
Max time kernel   141s
Max time network  152s

Command Line

[/tmp/update]

Signatures

Checks mountinfo of local process  [antivm]

Description              Indicator          Process      Target
File opened for reading  /proc/1/mountinfo  /tmp/update  N/A

Reads hardware information

Description              Indicator                       Process      Target
File opened for reading  /sys/class/dmi/id/product_uuid  /tmp/update  N/A

Reads list of loaded kernel modules  [evasion]

Description              Indicator      Process      Target
File opened for reading  /proc/modules  /tmp/update  N/A

Checks CPU configuration  [antivm]

Description              Indicator      Process      Target
File opened for reading  /proc/cpuinfo  /tmp/update  N/A

Enumerates kernel/hardware configuration

Description              Indicator                                           Process      Target
File opened for reading  /sys/kernel/mm/transparent_hugepage/hpage_pmd_size  /tmp/update  N/A

Reads runtime system information

Description              Indicator              Process      Target
File opened for reading  /proc/bus/pci/devices  /tmp/update  N/A
File opened for reading  /proc/filesystems      /tmp/update  N/A
File opened for reading  /proc/1/stat           /tmp/update  N/A
File opened for reading  /proc/1/comm           /tmp/update  N/A
File opened for reading  /proc/self/maps        /tmp/update  N/A
File opened for reading  /proc/stat             /tmp/update  N/A
File opened for reading  /proc/self/status      /tmp/update  N/A
File opened for reading  /proc/1/environ        /tmp/update  N/A
File opened for reading  /proc/self/cgroup      /tmp/update  N/A

Writes file to shm directory

Description                   Indicator            Process      Target
File opened for modification  /dev/shm/.shm7DLlM8  /tmp/update  N/A

Processes

/tmp/update

[/tmp/update]

Network

Country  Destination        Domain  Proto
N/A      224.0.0.251:5353           udp
CN       123.56.45.175:443          tcp
CN       123.56.45.175:443          tcp
CN       123.57.223.22:443          tcp
CN       123.57.223.22:443          tcp
CN       39.107.75.91:443           tcp
CN       39.107.75.91:443           tcp
CN       182.92.101.4:443           tcp
CN       182.92.101.4:443           tcp

Files

/dev/shm/.shm7DLlM8

MD5     0cc445a80a3a1156192fc079d575428f
SHA1    8a403a154a5835296cf812cdbbab50c445e9758d
SHA256  20f09959706797b81b2a4de627c01d0c0d890d142954d455a0e50f7811bdc951
SHA512  1eb6cce112630cc62379bacad791c41b383fa318a90ffeef40419d1029d444fa1a7763908926e909b1fc1c52822511ba155ff3ab23c9f362bdb68670fbf3c4d0