Analysis Overview
SHA256
dc6e78892709124cc4e8bcf9da1ef934c20b1711f28fa7ea5530258e626b6454
Threat Level: Likely benign
The file chickernel-stable-2.zip was found to be: Likely benign.
Malicious Activity Summary
Checks CPU configuration
Reads runtime system information
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Modifies registry class
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
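A "Likely benign" verdict on a flashable kernel zip is only as good as the assumption that the archive really is the AnyKernel3 package the detonations below suggest: a shell-script update-binary under META-INF/com/google/android/, an anykernel.sh, and static helper binaries under tools/ (busybox, magiskboot, magiskpolicy, httools_static, lptools_static, snapshotupdater_static, fec). The Python below is an added example for this report, not code from the sandbox or from the AnyKernel3 project. It builds two constructed archives in memory (one mirroring those entry names, one deliberately off-layout), hashes each, and flags entries that escape the archive root, sit outside the expected prefixes, replace the script update-binary with a native binary, or are Windows PE files; the expected-prefix list is an assumption drawn from the process paths shown in this report.

```python
"""Structural check of an AnyKernel3-style flashable zip.

Added example for this report, not the sandbox's or AnyKernel3's own code.
The archives are constructed in memory from the entry names the detonations
show; real use would read the zip from disk and compare the SHA256 with the
one reported above.
"""
import hashlib
import io
import zipfile

UPDATE_BINARY = "META-INF/com/google/android/update-binary"
# Prefixes a stock AnyKernel3 package is expected to contain (assumption taken
# from the process paths in the detonations: META-INF/, tools/, anykernel.sh).
EXPECTED_PREFIXES = ("META-INF/", "tools/", "anykernel.sh")


def _zip_from(entries):
    """Build an in-memory zip from {name: bytes|str} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_constructed_zip():
    """A minimal archive shaped like the one analysed in this report."""
    return _zip_from({
        UPDATE_BINARY: "#!/sbin/sh\n# AnyKernel3 installer stub (constructed)\n",
        "META-INF/com/google/android/updater-script": "#MAGIC\n",
        "anykernel.sh": "#!/sbin/sh\nkernel.string=chickernel (constructed)\n",
        "tools/ak3-core.sh": "#!/sbin/sh\n",
        "tools/busybox": b"\x7fELF" + b"\x00" * 12,
        "tools/magiskboot": b"\x7fELF" + b"\x00" * 12,
    })


def build_tampered_zip():
    """Same layout with three things that should not pass: a native ELF in
    place of the script update-binary, a zip-slip entry name, and a PE file."""
    return _zip_from({
        UPDATE_BINARY: b"\x7fELF" + b"\x00" * 12,
        "anykernel.sh": "#!/sbin/sh\n",
        "../payload.sh": "#!/bin/sh\n",
        "tools/helper.exe": b"MZ\x90\x00" + b"\x00" * 12,
    })


def audit_zip(data):
    """Return the archive hash, its entry list and a list of (finding, entry)."""
    report = {"sha256": hashlib.sha256(data).hexdigest(), "entries": [], "findings": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            report["entries"].append(name)
            parts = name.replace("\\", "/").split("/")
            # Absolute or parent-relative names can escape the extraction root.
            if name.startswith(("/", "\\")) or ".." in parts:
                report["findings"].append(("unsafe_path", name))
                continue
            if not name.startswith(EXPECTED_PREFIXES):
                report["findings"].append(("unexpected_entry", name))
            if info.is_dir():
                continue
            head = zf.read(name)[:4]
            # AnyKernel3 ships update-binary as a shell script; an ELF here means
            # a different, native installer would run on the device.
            if name == UPDATE_BINARY and not head.startswith(b"#!"):
                report["findings"].append(("non_script_update_binary", name))
            # A Windows executable has no role in an Android flash zip.
            if head.startswith(b"MZ"):
                report["findings"].append(("windows_pe_in_archive", name))
    return report


def verdict(report):
    """Collapse the findings into the decision an analyst would act on."""
    return "layout consistent with AnyKernel3" if not report["findings"] else "needs manual review"


if __name__ == "__main__":
    for builder in (build_constructed_zip, build_tampered_zip):
        rep = audit_zip(builder())
        print(builder.__name__, rep["sha256"][:16], verdict(rep), rep["findings"])
```

The check deliberately inspects entry names and magic bytes without extracting anything, so a hostile archive cannot write outside the working directory during triage; the hash is computed over the raw bytes so it can be compared directly with the SHA256 at the top of this report.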
Analysis: static1
Detonation Overview
Reported
2024-08-31 16:00
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-31 16:00
Reported
2024-08-31 16:00
Platform
debian9-armhf-20240418-en
Max time kernel
0s
Command Line
Signatures
Processes
/tmp/META-INF/com/google/android/update-binary
[/tmp/META-INF/com/google/android/update-binary]
Network
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-08-31 16:00
Reported
2024-08-31 16:02
Platform
win7-20240708-en
Max time kernel
102s
Max time network
17s
Command Line
Signatures
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\sh_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\sh_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\sh_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\sh_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\sh_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\.sh | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\.sh\ = "sh_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\sh_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1400 wrote to memory of 2836 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1400 wrote to memory of 2836 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1400 wrote to memory of 2836 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2836 wrote to memory of 2100 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2836 wrote to memory of 2100 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2836 wrote to memory of 2100 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2836 wrote to memory of 2100 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\anykernel.sh
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\anykernel.sh
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\anykernel.sh"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | 89ce5c943374fd3176922820517b04b2 |
| SHA1 | be68529ade1cd5954e40cca6c5a6f99c51fc8df6 |
| SHA256 | c04945285e68c73556d0c28b4f7e6bdebe0ef7034b8d1d24728d60480d5fa257 |
| SHA512 | 21bbfeb6dba58b7495f9fff35c574b07d3d3376e8cb460ba29676ec2567ff74d359974264bcbf4d0e5b5905adb91b8241042b1621a86112c771ef65b160ec43e |
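The signatures in this Windows detonation describe the sandbox's handling of a shell script rather than anything the sample does: cmd.exe was asked to run anykernel.sh, Windows has no handler for .sh, so it launched the Open With dialog (rundll32.exe shell32.dll,OpenAs_RunDLL), Adobe Reader 9 was registered as the handler (the .sh and sh_auto_file keys written by rundll32.exe) and then launched with the script, and each "wrote to memory of" row is a parent writing into the child it had just created. The Python below is an added example, not the sandbox's own code, that replays the rows shown above and checks them against that explanation; the parent PIDs are an assumption inferred from the command lines, since the report does not list them.

```python
"""Replay of the Windows detonation chain reported above (behavioral5).

Added example for this report, not the sandbox's own tooling. It takes the
process list, the WriteProcessMemory rows and the registry rows as shown on
the page and checks whether they match what Windows does when a file with an
unregistered extension is launched: cmd.exe -> rundll32.exe
shell32.dll,OpenAs_RunDLL -> the handler chosen in the Open With dialog.
Parent PIDs are an assumption inferred from the command lines.
"""
import json
import os
import re

SID = "S-1-5-21-940600906-3464502421-4240639183-1000"
HKU_CLASSES = "\\REGISTRY\\USER\\" + SID + "_CLASSES\\"

# Process list from the report; "parent" links are assumed, not reported.
PROCESSES = {
    1400: {"image": r"C:\Windows\system32\cmd.exe", "parent": None,
           "cmdline": r"cmd /c C:\Users\Admin\AppData\Local\Temp\anykernel.sh"},
    2836: {"image": r"C:\Windows\system32\rundll32.exe", "parent": 1400,
           "cmdline": r'"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\anykernel.sh'},
    2100: {"image": r"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe", "parent": 2836,
           "cmdline": r'"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\anykernel.sh"'},
}

# "Suspicious use of WriteProcessMemory" rows: (writer pid, target pid).
WPM_EVENTS = [(1400, 2836)] * 3 + [(2836, 2100)] * 4

# "Modifies registry class" rows: (operation, key, value literal or None, writing image).
RUNDLL32 = PROCESSES[2836]["image"]
HANDLER_VALUE = r'"\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""'
REG_EVENTS = [
    ("Set value (str)", HKU_CLASSES + "sh_auto_file\\", None, RUNDLL32),
    ("Key created", HKU_CLASSES + "sh_auto_file\\shell\\Read", None, RUNDLL32),
    ("Key created", HKU_CLASSES + "sh_auto_file\\shell\\Read\\command", None, RUNDLL32),
    ("Set value (str)", HKU_CLASSES + "sh_auto_file\\shell\\Read\\command\\", HANDLER_VALUE, RUNDLL32),
    ("Key created", "\\REGISTRY\\USER\\" + SID + "_Classes\\Local Settings", None, RUNDLL32),
    ("Key created", HKU_CLASSES + "sh_auto_file", None, RUNDLL32),
    ("Key created", HKU_CLASSES + ".sh", None, RUNDLL32),
    ("Set value (str)", HKU_CLASSES + ".sh\\", '"sh_auto_file"', RUNDLL32),
    ("Key created", HKU_CLASSES + "sh_auto_file\\shell", None, RUNDLL32),
]

OPEN_WITH_RE = re.compile(r"shell32\.dll,OpenAs_RunDLL\s+(.+?)\s*$", re.I)


def classify_wpm(events, procs):
    """Label each WriteProcessMemory row. A parent writing into a child it has
    just created is what CreateProcess does before the child's first thread
    runs (it copies the process parameters into the new address space);
    anything else is a cross-process write that deserves a closer look."""
    labelled = []
    for writer, target in events:
        parent = procs.get(target, {}).get("parent")
        labelled.append((writer, target, "parent_to_child" if parent == writer else "cross_process"))
    return labelled


def open_with_images(procs):
    """Map image path -> file extension for every rundll32 OpenAs_RunDLL instance."""
    found = {}
    for proc in procs.values():
        m = OPEN_WITH_RE.search(proc["cmdline"])
        if m:
            found[proc["image"]] = os.path.splitext(m.group(1))[1].lower()
    return found


def association_key_re(ext):
    """Keys the Open With dialog writes under HKU\\<sid>_Classes for <ext>:
    .<ext>, <ext>_auto_file\\... (ProgID and shell verb) and the shell's
    per-user Local Settings cache."""
    stem = re.escape(ext.lstrip("."))
    return re.compile(r"_classes\\(" + re.escape(ext) + r"\\?$|" + stem
                      + r"_auto_file(\\|$)|local settings$)", re.I)


def explain_registry(reg_events, procs):
    """Split class-registry writes into those the Open With dialog accounts
    for and those it does not (the latter would need manual review)."""
    dialogs = open_with_images(procs)
    explained, unexplained = [], []
    for op, key, value, image in reg_events:
        ext = dialogs.get(image)
        if ext and association_key_re(ext).search(key):
            explained.append((op, key))
        else:
            unexplained.append((op, key, image))
    return explained, unexplained


def handler_from_command_value(value_literal):
    """The report stores REG_SZ data as a JSON-escaped literal; decode it and
    return the executable path from the leading quoted token."""
    command = json.loads(value_literal)
    m = re.match(r'"([^"]+)"', command)
    return m.group(1) if m else command.split()[0]


def triage(procs=PROCESSES, wpm=WPM_EVENTS, reg=REG_EVENTS):
    """Summarise whether the whole chain is explained by the Open With flow."""
    labels = classify_wpm(wpm, procs)
    explained, unexplained = explain_registry(reg, procs)
    handler = None
    for op, key, value, _ in reg:
        if value and key.lower().rstrip("\\").endswith("\\command"):
            handler = handler_from_command_value(value)
    return {
        "cross_process_writes": sum(1 for _, _, kind in labels if kind == "cross_process"),
        "unexplained_registry": len(unexplained),
        "handler": handler,
        "handler_launched": any(p["image"] == handler for p in procs.values()),
    }


if __name__ == "__main__":
    print(triage())
```

A result with no cross-process writes, no unexplained class-registry writes, and a handler that matches the process launched next means the chain is the shell's file-association flow end to end; the same logic applies to the Windows 10 detonations, where OpenWith.exe -Embedding replaces the rundll32 dialog. A cross_process label or a class write from a process that is not the Open With dialog is the point at which an analyst should stop trusting the verdict and read the events by hand.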
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-31 16:00
Reported
2024-08-31 16:00
Platform
ubuntu1804-amd64-20240729-en
Max time kernel
0s
Max time network
1s
Command Line
Signatures
Processes
/tmp/META-INF/com/google/android/update-binary
[/tmp/META-INF/com/google/android/update-binary]
Network
| Country | Destination | Domain | Proto |
| GB | 185.125.188.62:443 | | tcp |
| GB | 185.125.188.62:443 | | tcp |
| US | 151.101.65.91:443 | | tcp |
| US | 151.101.65.91:443 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-08-31 16:00
Reported
2024-08-31 16:03
Platform
debian9-armhf-20240729-en
Max time kernel
0s
Command Line
Signatures
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/stat | /tmp/tools/busybox | N/A |
Processes
/tmp/tools/busybox
[/tmp/tools/busybox]
Network
Files
Analysis: behavioral15
Detonation Overview
Submitted
2024-08-31 16:00
Reported
2024-08-31 16:03
Platform
debian12-armhf-20240221-en
Max time kernel
0s
Max time network
178s
Command Line
Signatures
Checks CPU configuration
| Description | Indicator | Process | Target |
| File opened for reading | /proc/cpuinfo | /tmp/tools/snapshotupdater_static | N/A |
Processes
/tmp/tools/snapshotupdater_static
[/tmp/tools/snapshotupdater_static]
Network
| Country | Destination | Domain | Proto |
| US | 1.1.1.1:53 | debian12-armhf-20240221-en-0 | udp |
| US | 1.1.1.1:53 | debian12-armhf-20240221-en-0 | udp |
| US | 1.1.1.1:53 | debian12-armhf-20240221-en-0 | udp |
| US | 1.1.1.1:53 | debian12-armhf-20240221-en-0 | udp |
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-08-31 16:00
Reported
2024-08-31 16:02
Platform
win7-20240708-en
Max time kernel
121s
Max time network
124s
Command Line
Signatures
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\sh_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\sh_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\sh_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\.sh | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\.sh\ = "sh_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\sh_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\sh_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\sh_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2672 wrote to memory of 2820 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2672 wrote to memory of 2820 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2672 wrote to memory of 2820 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2820 wrote to memory of 2532 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2820 wrote to memory of 2532 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2820 wrote to memory of 2532 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2820 wrote to memory of 2532 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\tools\ak3-core.sh
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\tools\ak3-core.sh
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\tools\ak3-core.sh"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | cf0e0d9cf91f647f7a16ddcb2218a602 |
| SHA1 | 49b5bf232b897daee22156c1b81208162cc25332 |
| SHA256 | ee4cff0acd93a0eafd4bdd34b593be1b31b071d4e439b64a949dcbedcdeb6d75 |
| SHA512 | 156bfa93fa77b6c08cde191ece595136ed5638bb05ceddafa0b1b239eae4276099f04bf71eb27ef764aba4383b2f282c6b9ffcd91747dff79bdb56150982bdeb |
Analysis: behavioral4
Detonation Overview
Submitted
2024-08-31 16:00
Reported
2024-08-31 16:01
Platform
debian9-mipsel-20240226-en
Max time kernel
0s
Command Line
Signatures
Processes
/tmp/META-INF/com/google/android/update-binary
[/tmp/META-INF/com/google/android/update-binary]
Network
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-08-31 16:00
Reported
2024-08-31 16:03
Platform
win10v2004-20240802-en
Max time kernel
136s
Max time network
144s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\tools\ak3-core.sh
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-08-31 16:00
Reported
2024-08-31 16:00
Platform
debian12-armhf-20240418-en
Max time kernel
0s
Max time network
4s
Command Line
Signatures
Processes
/tmp/tools/fec
[/tmp/tools/fec]
Network
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-08-31 16:00
Reported
2024-08-31 16:03
Platform
debian12-armhf-20240221-en
Max time kernel
0s
Max time network
158s
Command Line
Signatures
Checks CPU configuration
| Description | Indicator | Process | Target |
| File opened for reading | /proc/cpuinfo | /tmp/tools/httools_static | N/A |
Processes
/tmp/tools/httools_static
[/tmp/tools/httools_static]
Network
| Country | Destination | Domain | Proto |
| US | 1.1.1.1:53 | debian12-armhf-20240221-en-5 | udp |
| US | 1.1.1.1:53 | debian12-armhf-20240221-en-5 | udp |
| US | 1.1.1.1:53 | debian12-armhf-20240221-en-5 | udp |
| US | 1.1.1.1:53 | debian12-armhf-20240221-en-5 | udp |
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-08-31 16:00
Reported
2024-08-31 16:03
Platform
debian12-armhf-20240221-en
Max time kernel
0s
Max time network
146s
Command Line
Signatures
Checks CPU configuration
| Description | Indicator | Process | Target |
| File opened for reading | /proc/cpuinfo | /tmp/tools/lptools_static | N/A |
Processes
/tmp/tools/lptools_static
[/tmp/tools/lptools_static]
Network
| Country | Destination | Domain | Proto |
| US | 1.1.1.1:53 | debian12-armhf-20240221-en-3 | udp |
| US | 1.1.1.1:53 | debian12-armhf-20240221-en-3 | udp |
| US | 1.1.1.1:53 | debian12-armhf-20240221-en-3 | udp |
| US | 1.1.1.1:53 | debian12-armhf-20240221-en-3 | udp |
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-08-31 16:00
Reported
2024-08-31 16:03
Platform
debian12-armhf-20240221-en
Max time kernel
0s
Max time network
180s
Command Line
Signatures
Processes
/tmp/tools/magiskboot
[/tmp/tools/magiskboot]
Network
| Country | Destination | Domain | Proto |
| US | 1.1.1.1:53 | debian12-armhf-20240221-en-4 | udp |
| US | 1.1.1.1:53 | debian12-armhf-20240221-en-4 | udp |
| US | 1.1.1.1:53 | debian12-armhf-20240221-en-4 | udp |
| US | 1.1.1.1:53 | debian12-armhf-20240221-en-4 | udp |
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-08-31 16:00
Reported
2024-08-31 16:01
Platform
debian12-armhf-20240221-en
Max time kernel
0s
Max time network
45s
Command Line
Signatures
Processes
/tmp/tools/magiskpolicy
[/tmp/tools/magiskpolicy]
Network
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-08-31 16:00
Reported
2024-08-31 16:01
Platform
debian9-mipsbe-20240611-en
Max time kernel
0s
Command Line
Signatures
Processes
/tmp/META-INF/com/google/android/update-binary
[/tmp/META-INF/com/google/android/update-binary]
Network
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-08-31 16:00
Reported
2024-08-31 16:03
Platform
win10v2004-20240802-en
Max time kernel
134s
Max time network
157s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\anykernel.sh
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |