Analysis
max time kernel: 102s
max time network: 17s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 31-08-2024 16:00
Static task
static1

Behavioral tasks
Task          Sample                                      Resource
behavioral1   META-INF/com/google/android/update-binary   ubuntu1804-amd64-20240729-en
behavioral2   META-INF/com/google/android/update-binary   debian9-armhf-20240418-en
behavioral3   META-INF/com/google/android/update-binary   debian9-mipsbe-20240611-en
behavioral4   META-INF/com/google/android/update-binary   debian9-mipsel-20240226-en
behavioral5   anykernel.sh                                win7-20240708-en
behavioral6   anykernel.sh                                win10v2004-20240802-en
behavioral7   tools/ak3-core.sh                           win7-20240708-en
behavioral8   tools/ak3-core.sh                           win10v2004-20240802-en
behavioral9   tools/busybox                               debian9-armhf-20240729-en
behavioral10  tools/fec                                   debian12-armhf-20240418-en
behavioral11  tools/httools_static                        debian12-armhf-20240221-en
behavioral12  tools/lptools_static                        debian12-armhf-20240221-en
behavioral13  tools/magiskboot                            debian12-armhf-20240221-en
behavioral14  tools/magiskpolicy                          debian12-armhf-20240221-en
behavioral15  tools/snapshotupdater_static                debian12-armhf-20240221-en
General
Target: anykernel.sh
Size: 2KB
MD5: 2a9c25f4619959223d62f93f9307e61f
SHA1: 0e9d3f1cad26ce05ee697548268a98d716d27846
SHA256: 878140b0809a138f2781205982376bf5fb9b49a55b1935ed20bf4f007234b96e
SHA512: 714c2f20574a64e8461f954ccf3a33125837cb2824df68f47eeb9b447464ad00533f980c480b6d605b6362e1d5bc270106e2019114e9ac1abb97565692100ddd
Malware Config
(none)

Signatures

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | AcroRd32.exe

Modifies registry class (9 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\sh_auto_file\ | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\sh_auto_file\shell\Read | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\sh_auto_file\shell\Read\command | rundll32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\sh_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_Classes\Local Settings | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\sh_auto_file | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\.sh | rundll32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\.sh\ = "sh_auto_file" | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\sh_auto_file\shell | rundll32.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | Process
2100 | AcroRd32.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
2100 | AcroRd32.exe
2100 | AcroRd32.exe

Suspicious use of WriteProcessMemory (7 IoCs)
description | pid | Process | procid_target
PID 1400 wrote to memory of 2836 | 1400 | cmd.exe | 31
PID 1400 wrote to memory of 2836 | 1400 | cmd.exe | 31
PID 1400 wrote to memory of 2836 | 1400 | cmd.exe | 31
PID 2836 wrote to memory of 2100 | 2836 | rundll32.exe | 32
PID 2836 wrote to memory of 2100 | 2836 | rundll32.exe | 32
PID 2836 wrote to memory of 2100 | 2836 | rundll32.exe | 32
PID 2836 wrote to memory of 2100 | 2836 | rundll32.exe | 32
Processes
1. C:\Windows\system32\cmd.exe
   Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\anykernel.sh
   PID: 1400
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\rundll32.exe
      Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\anykernel.sh
      PID: 2836
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      3. C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
         Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\anykernel.sh"
         PID: 2100
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: GetForegroundWindowSpam
         - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 3KB
MD5: 89ce5c943374fd3176922820517b04b2
SHA1: be68529ade1cd5954e40cca6c5a6f99c51fc8df6
SHA256: c04945285e68c73556d0c28b4f7e6bdebe0ef7034b8d1d24728d60480d5fa257
SHA512: 21bbfeb6dba58b7495f9fff35c574b07d3d3376e8cb460ba29676ec2567ff74d359974264bcbf4d0e5b5905adb91b8241042b1621a86112c771ef65b160ec43e