Analysis
- max time kernel: 121s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 31-08-2024 16:00
Static task
- static1

Behavioral tasks (sample / resource)
- behavioral1: META-INF/com/google/android/update-binary / ubuntu1804-amd64-20240729-en
- behavioral2: META-INF/com/google/android/update-binary / debian9-armhf-20240418-en
- behavioral3: META-INF/com/google/android/update-binary / debian9-mipsbe-20240611-en
- behavioral4: META-INF/com/google/android/update-binary / debian9-mipsel-20240226-en
- behavioral5: anykernel.sh / win7-20240708-en
- behavioral6: anykernel.sh / win10v2004-20240802-en
- behavioral7: tools/ak3-core.sh / win7-20240708-en
- behavioral8: tools/ak3-core.sh / win10v2004-20240802-en
- behavioral9: tools/busybox / debian9-armhf-20240729-en
- behavioral10: tools/fec / debian12-armhf-20240418-en
- behavioral11: tools/httools_static / debian12-armhf-20240221-en
- behavioral12: tools/lptools_static / debian12-armhf-20240221-en
- behavioral13: tools/magiskboot / debian12-armhf-20240221-en
- behavioral14: tools/magiskpolicy / debian12-armhf-20240221-en
- behavioral15: tools/snapshotupdater_static / debian12-armhf-20240221-en
General
- Target: tools/ak3-core.sh
- Size: 33KB
- MD5: be2c5b2dcd28a976558199ebba4a949d
- SHA1: 774baecf91987fa9ab648861e628a92594e65516
- SHA256: 7c2ff4571d56a2969295966b3c90a1b3bd2126df3557982e01881f6c4dae3932
- SHA512: 927481c54d5821a6322ab1e198a09c978c6d861725a11042ebe1d77aa95381a7dc080696826849ec29e46ff71436ddeeffe5df56cd06226bd629e308e8b35f2e
- SSDEEP: 768:6dDod1osreJJIzGdTadB5vqcKbOEEx0xe53k3wGy2+AJGf1IzpcLJc:lPeJJIz4+N1Iz3
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | AcroRd32.exe
- Modifies registry class (9 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\sh_auto_file\shell\Read\command | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\sh_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\sh_auto_file | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\.sh | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\.sh\ = "sh_auto_file" | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\sh_auto_file\shell | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_Classes\Local Settings | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\sh_auto_file\ | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\sh_auto_file\shell\Read | rundll32.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid | Process
  2532 | AcroRd32.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  2532 | AcroRd32.exe
  2532 | AcroRd32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  description | pid | Process | procid_target
  PID 2672 wrote to memory of 2820 | 2672 | cmd.exe | 32
  PID 2672 wrote to memory of 2820 | 2672 | cmd.exe | 32
  PID 2672 wrote to memory of 2820 | 2672 | cmd.exe | 32
  PID 2820 wrote to memory of 2532 | 2820 | rundll32.exe | 33
  PID 2820 wrote to memory of 2532 | 2820 | rundll32.exe | 33
  PID 2820 wrote to memory of 2532 | 2820 | rundll32.exe | 33
  PID 2820 wrote to memory of 2532 | 2820 | rundll32.exe | 33
Processes
1. C:\Windows\system32\cmd.exe (PID: 2672)
   Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\tools\ak3-core.sh
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\rundll32.exe (PID: 2820)
      Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\tools\ak3-core.sh
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      3. C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe (PID: 2532)
         Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\tools\ak3-core.sh"
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: GetForegroundWindowSpam
         - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3KB
  MD5: cf0e0d9cf91f647f7a16ddcb2218a602
  SHA1: 49b5bf232b897daee22156c1b81208162cc25332
  SHA256: ee4cff0acd93a0eafd4bdd34b593be1b31b071d4e439b64a949dcbedcdeb6d75
  SHA512: 156bfa93fa77b6c08cde191ece595136ed5638bb05ceddafa0b1b239eae4276099f04bf71eb27ef764aba4383b2f282c6b9ffcd91747dff79bdb56150982bdeb