Overview

Static (sample file: analysis resource)
- META-INF/c...binary: ubuntu-18.04-amd64
- META-INF/c...binary: debian-9-armhf
- META-INF/c...binary: debian-9-mips
- META-INF/c...binary: debian-9-mipsel
- anykernel.sh: windows7-x64
- anykernel.sh: windows10-2004-x64
- tools/ak3-core.sh: windows7-x64
- tools/ak3-core.sh: windows10-2004-x64
- tools/busybox: debian-12-armhf
- tools/fec: debian-12-armhf
- tools/httools_static: debian-12-armhf
- tools/lptools_static: debian-12-armhf
- tools/magiskboot: debian-12-armhf
- tools/magiskpolicy: debian-12-armhf
- tools/snap...static: debian-12-armhf
Analysis
- max time kernel: 120s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 31-08-2024 16:00
Tasks (task: sample, resource)
- Static task static1
- Behavioral task behavioral1: META-INF/com/google/android/update-binary, ubuntu1804-amd64-20240729-en
- Behavioral task behavioral2: META-INF/com/google/android/update-binary, debian9-armhf-20240611-en
- Behavioral task behavioral3: META-INF/com/google/android/update-binary, debian9-mipsbe-20240418-en
- Behavioral task behavioral4: META-INF/com/google/android/update-binary, debian9-mipsel-20240729-en
- Behavioral task behavioral5: anykernel.sh, win7-20240708-en
- Behavioral task behavioral6: anykernel.sh, win10v2004-20240802-en
- Behavioral task behavioral7: tools/ak3-core.sh, win7-20240704-en
- Behavioral task behavioral8: tools/ak3-core.sh, win10v2004-20240802-en
- Behavioral task behavioral9: tools/busybox, debian12-armhf-20240221-en
- Behavioral task behavioral10: tools/fec, debian12-armhf-20240221-en
- Behavioral task behavioral11: tools/httools_static, debian12-armhf-20240221-en
- Behavioral task behavioral12: tools/lptools_static, debian12-armhf-20240729-en
- Behavioral task behavioral13: tools/magiskboot, debian12-armhf-20240418-en
- Behavioral task behavioral14: tools/magiskpolicy, debian12-armhf-20240221-en
- Behavioral task behavioral15: tools/snapshotupdater_static, debian12-armhf-20240221-en
General
- Target: anykernel.sh
- Size: 2KB
- MD5: ed25066be2a371fde5f04c7987e381d4
- SHA1: 2fb8674b548f733a0b89b4e94c0ef8076411d771
- SHA256: b329867225a723df3d8b78011f0532db2db2a1d2bc27de509b12db348a1e29b1
- SHA512: 217068f3611ac5f21bad75ec11a3c0d910f99c50787f3c381b41d7fbfb68d2b7d66233ab67ee82ea5e4165435ebbef5e5acc4d9a0e4702e1e72ce4473a141612
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | AcroRd32.exe
- Modifies registry class (9 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\.sh | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\.sh\ = "sh_auto_file" | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\sh_auto_file\ | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\sh_auto_file | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\sh_auto_file\shell\Read | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\sh_auto_file\shell | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\sh_auto_file\shell\Read\command | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\sh_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_Classes\Local Settings | rundll32.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid | Process
  2556 | AcroRd32.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  2556 | AcroRd32.exe
  2556 | AcroRd32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  description | pid | Process | procid_target
  PID 2748 wrote to memory of 2764 | 2748 | cmd.exe | 31
  PID 2748 wrote to memory of 2764 | 2748 | cmd.exe | 31
  PID 2748 wrote to memory of 2764 | 2748 | cmd.exe | 31
  PID 2764 wrote to memory of 2556 | 2764 | rundll32.exe | 32
  PID 2764 wrote to memory of 2556 | 2764 | rundll32.exe | 32
  PID 2764 wrote to memory of 2556 | 2764 | rundll32.exe | 32
  PID 2764 wrote to memory of 2556 | 2764 | rundll32.exe | 32
Processes (process tree, children indented under their parent)
- C:\Windows\system32\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\anykernel.sh
  - Suspicious use of WriteProcessMemory
  PID: 2748
  - C:\Windows\system32\rundll32.exe
    Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\anykernel.sh
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 2764
    - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
      Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\anykernel.sh"
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      PID: 2556
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3KB
  MD5: bff61c3b699a92a66688a255e97b56b9
  SHA1: 58d1f3f49e58cfe16f9f39bbd9d6fd946d7da1d7
  SHA256: 0a69f44203496ec0cec9f9a29b0c3f47114fc191782ab24b63e323d1a0710b8c
  SHA512: 1ff9f92938d4c325f2679eb84b765712631f243f0dc3a7f33d568617691522af7577ac7ceba8babfc674141c390f8e3d709df1a4cd4c57252194aa12b3ce699c