Malware Analysis Report

2025-01-23 15:02

Sample ID 240831-tfl1tasemc
Target chickernel-stable-2.zip
SHA256 dc6e78892709124cc4e8bcf9da1ef934c20b1711f28fa7ea5530258e626b6454
Tags
discovery antivm
score
4/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
4/10

SHA256

dc6e78892709124cc4e8bcf9da1ef934c20b1711f28fa7ea5530258e626b6454

Threat Level: Likely benign

The file chickernel-stable-2.zip was found to be: Likely benign.

Malicious Activity Summary

discovery antivm

Checks CPU configuration

Reads runtime system information

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-31 16:00

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-31 16:00

Reported

2024-08-31 16:00

Platform

debian9-armhf-20240418-en

Max time kernel

0s

Command Line

[/tmp/META-INF/com/google/android/update-binary]

Signatures

N/A

Processes

/tmp/META-INF/com/google/android/update-binary

[/tmp/META-INF/com/google/android/update-binary]

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-08-31 16:00

Reported

2024-08-31 16:02

Platform

win7-20240708-en

Max time kernel

102s

Max time network

17s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\anykernel.sh

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\sh_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\sh_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\sh_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\sh_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\sh_auto_file C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\.sh C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\.sh\ = "sh_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\sh_auto_file\shell C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\anykernel.sh

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\anykernel.sh

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\anykernel.sh"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 89ce5c943374fd3176922820517b04b2
SHA1 be68529ade1cd5954e40cca6c5a6f99c51fc8df6
SHA256 c04945285e68c73556d0c28b4f7e6bdebe0ef7034b8d1d24728d60480d5fa257
SHA512 21bbfeb6dba58b7495f9fff35c574b07d3d3376e8cb460ba29676ec2567ff74d359974264bcbf4d0e5b5905adb91b8241042b1621a86112c771ef65b160ec43e

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-31 16:00

Reported

2024-08-31 16:00

Platform

ubuntu1804-amd64-20240729-en

Max time kernel

0s

Max time network

1s

Command Line

[/tmp/META-INF/com/google/android/update-binary]

Signatures

N/A

Processes

/tmp/META-INF/com/google/android/update-binary

[/tmp/META-INF/com/google/android/update-binary]

Network

Country Destination Domain Proto
GB 185.125.188.62:443 tcp
GB 185.125.188.62:443 tcp
US 151.101.65.91:443 tcp
US 151.101.65.91:443 tcp
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-08-31 16:00

Reported

2024-08-31 16:03

Platform

debian9-armhf-20240729-en

Max time kernel

0s

Command Line

[/tmp/tools/busybox]

Signatures

Reads runtime system information

Description Indicator Process Target
File opened for reading /proc/stat /tmp/tools/busybox N/A

Processes

/tmp/tools/busybox

[/tmp/tools/busybox]

Network

N/A

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-08-31 16:00

Reported

2024-08-31 16:03

Platform

debian12-armhf-20240221-en

Max time kernel

0s

Max time network

178s

Command Line

[/tmp/tools/snapshotupdater_static]

Signatures

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /tmp/tools/snapshotupdater_static N/A

Processes

/tmp/tools/snapshotupdater_static

[/tmp/tools/snapshotupdater_static]

Network

Country Destination Domain Proto
US 1.1.1.1:53 debian12-armhf-20240221-en-0 udp
US 1.1.1.1:53 debian12-armhf-20240221-en-0 udp
US 1.1.1.1:53 debian12-armhf-20240221-en-0 udp
US 1.1.1.1:53 debian12-armhf-20240221-en-0 udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-08-31 16:00

Reported

2024-08-31 16:02

Platform

win7-20240708-en

Max time kernel

121s

Max time network

124s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\tools\ak3-core.sh

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\sh_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\sh_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\sh_auto_file C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\.sh C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\.sh\ = "sh_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\sh_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\sh_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\sh_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\tools\ak3-core.sh

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\tools\ak3-core.sh

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\tools\ak3-core.sh"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 cf0e0d9cf91f647f7a16ddcb2218a602
SHA1 49b5bf232b897daee22156c1b81208162cc25332
SHA256 ee4cff0acd93a0eafd4bdd34b593be1b31b071d4e439b64a949dcbedcdeb6d75
SHA512 156bfa93fa77b6c08cde191ece595136ed5638bb05ceddafa0b1b239eae4276099f04bf71eb27ef764aba4383b2f282c6b9ffcd91747dff79bdb56150982bdeb

Analysis: behavioral4

Detonation Overview

Submitted

2024-08-31 16:00

Reported

2024-08-31 16:01

Platform

debian9-mipsel-20240226-en

Max time kernel

0s

Command Line

[/tmp/META-INF/com/google/android/update-binary]

Signatures

N/A

Processes

/tmp/META-INF/com/google/android/update-binary

[/tmp/META-INF/com/google/android/update-binary]

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-08-31 16:00

Reported

2024-08-31 16:03

Platform

win10v2004-20240802-en

Max time kernel

136s

Max time network

144s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\tools\ak3-core.sh

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\tools\ak3-core.sh

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-08-31 16:00

Reported

2024-08-31 16:00

Platform

debian12-armhf-20240418-en

Max time kernel

0s

Max time network

4s

Command Line

[/tmp/tools/fec]

Signatures

N/A

Processes

/tmp/tools/fec

[/tmp/tools/fec]

Network

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-08-31 16:00

Reported

2024-08-31 16:03

Platform

debian12-armhf-20240221-en

Max time kernel

0s

Max time network

158s

Command Line

[/tmp/tools/httools_static]

Signatures

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /tmp/tools/httools_static N/A

Processes

/tmp/tools/httools_static

[/tmp/tools/httools_static]

Network

Country Destination Domain Proto
US 1.1.1.1:53 debian12-armhf-20240221-en-5 udp
US 1.1.1.1:53 debian12-armhf-20240221-en-5 udp
US 1.1.1.1:53 debian12-armhf-20240221-en-5 udp
US 1.1.1.1:53 debian12-armhf-20240221-en-5 udp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-08-31 16:00

Reported

2024-08-31 16:03

Platform

debian12-armhf-20240221-en

Max time kernel

0s

Max time network

146s

Command Line

[/tmp/tools/lptools_static]

Signatures

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /tmp/tools/lptools_static N/A

Processes

/tmp/tools/lptools_static

[/tmp/tools/lptools_static]

Network

Country Destination Domain Proto
US 1.1.1.1:53 debian12-armhf-20240221-en-3 udp
US 1.1.1.1:53 debian12-armhf-20240221-en-3 udp
US 1.1.1.1:53 debian12-armhf-20240221-en-3 udp
US 1.1.1.1:53 debian12-armhf-20240221-en-3 udp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-08-31 16:00

Reported

2024-08-31 16:03

Platform

debian12-armhf-20240221-en

Max time kernel

0s

Max time network

180s

Command Line

[/tmp/tools/magiskboot]

Signatures

N/A

Processes

/tmp/tools/magiskboot

[/tmp/tools/magiskboot]

Network

Country Destination Domain Proto
US 1.1.1.1:53 debian12-armhf-20240221-en-4 udp
US 1.1.1.1:53 debian12-armhf-20240221-en-4 udp
US 1.1.1.1:53 debian12-armhf-20240221-en-4 udp
US 1.1.1.1:53 debian12-armhf-20240221-en-4 udp

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-08-31 16:00

Reported

2024-08-31 16:01

Platform

debian12-armhf-20240221-en

Max time kernel

0s

Max time network

45s

Command Line

[/tmp/tools/magiskpolicy]

Signatures

N/A

Processes

/tmp/tools/magiskpolicy

[/tmp/tools/magiskpolicy]

Network

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-08-31 16:00

Reported

2024-08-31 16:01

Platform

debian9-mipsbe-20240611-en

Max time kernel

0s

Command Line

[/tmp/META-INF/com/google/android/update-binary]

Signatures

N/A

Processes

/tmp/META-INF/com/google/android/update-binary

[/tmp/META-INF/com/google/android/update-binary]

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-08-31 16:00

Reported

2024-08-31 16:03

Platform

win10v2004-20240802-en

Max time kernel

134s

Max time network

157s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\anykernel.sh

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\anykernel.sh

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

N/A