Overview

Tasks listed in the report sidebar (sample, environment):
Static
META-INF/c...binary, ubuntu-18.04-amd64
META-INF/c...binary, debian-9-armhf
META-INF/c...binary, debian-9-mips
META-INF/c...binary, debian-9-mipsel
anykernel.sh, windows7-x64
anykernel.sh, windows10-2004-x64
tools/ak3-core.sh, windows7-x64
tools/ak3-core.sh, windows10-2004-x64
tools/busybox, debian-12-armhf
tools/fec, debian-12-armhf
tools/httools_static, debian-12-armhf
tools/lptools_static, debian-12-armhf
tools/magiskboot, debian-12-armhf
tools/magiskpolicy, debian-12-armhf
tools/snap...static, debian-12-armhf
Analysis

Max time kernel: 118s
Max time network: 121s
Platform: windows7_x64
Resource: win7-20240704-en
Resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
Submitted: 31-08-2024 16:00
Static task: static1

Behavioral tasks (task, sample, resource):
behavioral1    META-INF/com/google/android/update-binary    ubuntu1804-amd64-20240729-en
behavioral2    META-INF/com/google/android/update-binary    debian9-armhf-20240611-en
behavioral3    META-INF/com/google/android/update-binary    debian9-mipsbe-20240418-en
behavioral4    META-INF/com/google/android/update-binary    debian9-mipsel-20240729-en
behavioral5    anykernel.sh                                 win7-20240708-en
behavioral6    anykernel.sh                                 win10v2004-20240802-en
behavioral7    tools/ak3-core.sh                            win7-20240704-en   (the task shown in this report)
behavioral8    tools/ak3-core.sh                            win10v2004-20240802-en
behavioral9    tools/busybox                                debian12-armhf-20240221-en
behavioral10   tools/fec                                    debian12-armhf-20240221-en
behavioral11   tools/httools_static                         debian12-armhf-20240221-en
behavioral12   tools/lptools_static                         debian12-armhf-20240729-en
behavioral13   tools/magiskboot                             debian12-armhf-20240418-en
behavioral14   tools/magiskpolicy                           debian12-armhf-20240221-en
behavioral15   tools/snapshotupdater_static                 debian12-armhf-20240221-en
General

Target: tools/ak3-core.sh
Size: 32KB
MD5: 273e5ec7fcf39c7b5141c70258aa3506
SHA1: 7baa42a0c313b9eb71424267595cadb08e909e51
SHA256: 1537bb4c91d3c0d3983bec077f9306daf1959caeae685b0937a37cbdfbafcc57
SHA512: 11d04760fcfb947c1d59edfb50e6db2cb0fcd4975a40961210a1df275feeac40cb243aa6d7a6573aa6f12b5b682d36a15ef89d3ce60da190c43a18403c92d480
SSDEEP: 768:8dDlySKKreeJIzYv78vn5vK4HO9Ex0xe53E3QG027ZLMI0kGD1IzpcLZg:/aeeJIzfD1Izv
Signatures

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description   ioc                                                           Process
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   AcroRd32.exe

Modifies registry class (9 IoCs)
description       ioc                                                                                                    Process
Key created       \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\.sh                              rundll32.exe
Set value (str)   \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\.sh\ = "sh_auto_file"             rundll32.exe
Key created       \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\sh_auto_file\shell\Read\command   rundll32.exe
Key created       \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\sh_auto_file                      rundll32.exe
Set value (str)   \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\sh_auto_file\                     rundll32.exe
Key created       \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\sh_auto_file\shell                rundll32.exe
Set value (str)   \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\sh_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""   rundll32.exe
Key created       \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_Classes\Local Settings                    rundll32.exe
Key created       \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\sh_auto_file\shell\Read           rundll32.exe

All nine writes come from rundll32.exe, and the process tree below shows that rundll32.exe instance running shell32.dll,OpenAs_RunDLL (the Open With dialog) against ak3-core.sh. Together they register a per-user association, .sh → sh_auto_file, with a Read verb whose command is AcroRd32.exe "%1", which is how the script ended up open in Adobe Reader. That is the shell choosing a handler for an extension it has no handler for, not the sample tampering with file associations. The file names in the archive (anykernel.sh, tools/ak3-core.sh, tools/magiskboot, META-INF/com/google/android/update-binary) are the layout of an AnyKernel3 flashable zip, and ak3-core.sh is a POSIX shell script; nothing in this Windows task executed its contents, so the language-discovery, GetForegroundWindow and SetWindowsHookEx hits are all Reader's own behaviour (PID 2808). The Linux tasks (behavioral1 to behavioral4 and behavioral9 to behavioral15) are where the archive's binaries actually run.

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid    Process
2808   AcroRd32.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
pid    Process
2808   AcroRd32.exe
2808   AcroRd32.exe

Suspicious use of WriteProcessMemory (7 IoCs)
description                         pid    Process        procid_target
PID 2268 wrote to memory of 2984    2268   cmd.exe        31
PID 2268 wrote to memory of 2984    2268   cmd.exe        31
PID 2268 wrote to memory of 2984    2268   cmd.exe        31
PID 2984 wrote to memory of 2808    2984   rundll32.exe   32
PID 2984 wrote to memory of 2808    2984   rundll32.exe   32
PID 2984 wrote to memory of 2808    2984   rundll32.exe   32
PID 2984 wrote to memory of 2808    2984   rundll32.exe   32
Processes (indentation shows parent → child)

C:\Windows\system32\cmd.exe (PID 2268)
  cmd /c C:\Users\Admin\AppData\Local\Temp\tools\ak3-core.sh
  Signatures: Suspicious use of WriteProcessMemory

  C:\Windows\system32\rundll32.exe (PID 2984)
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\tools\ak3-core.sh
    Signatures: Modifies registry class; Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe (PID 2808)
      "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\tools\ak3-core.sh"
      Signatures: System Location Discovery: System Language Discovery; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx
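The following is an added example, not part of this report or of the sandbox's own tooling. It takes the flattened "Suspicious use of WriteProcessMemory" and "Modifies registry class" rows and the command lines from the Processes section exactly as they appear on this page (embedded below as constructed input), rebuilds the parent/child tree, extracts the file association the registry writes create, and applies a heuristic of my own: when the only registry writer is a rundll32.exe running shell32.dll,OpenAs_RunDLL and the child it spawns is the handler it just registered for the file's extension, the association was written by the Open With dialog rather than by the sample. The row grammar and the "extension = text after the last dot of the command line" shortcut are assumptions that fit this report's rows, not a general parser for the sandbox's output.

```python
"""Rebuild the process tree and file-association writes from the flattened IoC
rows in this report and check whether the "Modifies registry class" hits come
from the Windows Open With dialog rather than from the sample.
Added example, not the sandbox's code: rows copied from the page, heuristic mine."""
import re
from collections import defaultdict

CLASSES = r"\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES"

# "Suspicious use of WriteProcessMemory" rows, copied from the page (3 + 4 rows).
WRITE_IOCS = ["PID 2268 wrote to memory of 2984 2268 cmd.exe 31"] * 3 + \
             ["PID 2984 wrote to memory of 2808 2984 rundll32.exe 32"] * 4

# Command lines from the Processes section, keyed by PID.
PROCESSES = {
    2268: r"cmd /c C:\Users\Admin\AppData\Local\Temp\tools\ak3-core.sh",
    2984: r'"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\tools\ak3-core.sh',
    2808: r'"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\tools\ak3-core.sh"',
}

# "Modifies registry class" rows, copied from the page (process image is the last token).
REG_IOCS = [
    "Key created " + CLASSES + r"\.sh rundll32.exe",
    "Set value (str) " + CLASSES + r'\.sh\ = "sh_auto_file" rundll32.exe',
    "Key created " + CLASSES + r"\sh_auto_file\shell\Read\command rundll32.exe",
    "Key created " + CLASSES + r"\sh_auto_file rundll32.exe",
    "Set value (str) " + CLASSES + r"\sh_auto_file\ rundll32.exe",
    "Key created " + CLASSES + r"\sh_auto_file\shell rundll32.exe",
    "Set value (str) " + CLASSES + r'\sh_auto_file\shell\Read\command\ = '
    r'"\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" rundll32.exe',
    r"Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_Classes\Local Settings rundll32.exe",
    "Key created " + CLASSES + r"\sh_auto_file\shell\Read rundll32.exe",
]

def parse_process_tree(rows):
    """'PID P wrote to memory of C P image T' rows -> {parent_pid: {child_pids}}."""
    pat = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) \d+")
    edges = defaultdict(set)
    for row in rows:
        m = pat.fullmatch(row)
        if not m:
            raise ValueError("unrecognised row: " + row)
        edges[int(m.group(1))].add(int(m.group(2)))
    return edges

def parse_registry_rows(rows):
    """'Key created K proc' / 'Set value (type) K [= "v"] proc' -> (op, key, value, proc)."""
    ops = []
    for row in rows:
        body, proc = row.rsplit(" ", 1)
        if body.startswith("Key created "):
            ops.append(("create", body[len("Key created "):], None, proc))
            continue
        m = re.fullmatch(r'Set value \((\w+)\) (.+?)(?: = "(.*)")?', body)
        if not m:
            raise ValueError("unrecognised row: " + row)
        value = m.group(3)
        if value is not None:                      # undo the report's \" and \\ escaping
            value = re.sub(r"\\(.)", r"\1", value)
        ops.append(("set", m.group(2), value, proc))
    return ops

def file_associations(ops):
    """Map each extension key written under *_CLASSES to (progid, verb, command)."""
    values = {key.rstrip("\\"): v for op, key, v, _ in ops if op == "set"}
    assoc = {}
    for key, progid in values.items():
        base, _, leaf = key.rpartition("\\")
        if not leaf.startswith(".") or not progid:
            continue
        prefix = base + "\\" + progid + "\\shell\\"   # progid\shell\<verb>\command
        for k2, cmd in values.items():
            if k2.startswith(prefix) and k2.endswith("\\command") and cmd:
                assoc[leaf] = (progid, k2[len(prefix):-len("\\command")], cmd)
    return assoc

def open_with_verdict(edges, processes, assoc, ops):
    """Heuristic (mine): rundll32 running shell32.dll,OpenAs_RunDLL is the Open With
    dialog; if it is the only registry writer and its child is the handler it just
    registered for the file's extension, the shell wrote the association, not the sample."""
    writers = {proc for _, _, _, proc in ops}
    for parent, children in edges.items():
        cmdline = processes.get(parent, "")
        if "shell32.dll,OpenAs_RunDLL" not in cmdline:
            continue
        ext = "." + cmdline.rsplit(".", 1)[-1]      # assumed: file is the last argument
        if ext not in assoc or writers != {"rundll32.exe"}:
            return None
        progid, verb, handler_cmd = assoc[ext]
        handler_exe = handler_cmd.split('"')[1]    # first quoted token of the command
        for child in children:
            if processes.get(child, "").split('"')[1:2] == [handler_exe]:
                return {"dialog_pid": parent, "handler_pid": child, "extension": ext,
                        "progid": progid, "verb": verb, "handler": handler_exe}
    return None

if __name__ == "__main__":
    tree = parse_process_tree(WRITE_IOCS)
    reg_ops = parse_registry_rows(REG_IOCS)
    print(dict(tree))
    print(open_with_verdict(tree, PROCESSES, file_associations(reg_ops), reg_ops))
```

A non-None verdict names the dialog process (2984), the handler it launched (2808) and the association it wrote; a None verdict means the registry writes need to be looked at on their own merits.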
TTP mapping: MITRE ATT&CK Enterprise v15
Downloads

Filesize: 3KB
MD5: 566c3f84361ecb41f89fb51b5ba2f782
SHA1: d51958265a40096b16f797907afa25c60429faf4
SHA256: b4f71fe2a309266979debe1e78ee68a68dcc99cc27051e3a5a32353e9576e723
SHA512: cf9f72064993fd26290aedfb93fd6d1323bf6b7b5f7a8bce54136bd38bf0aebeec5c4f97ef97be1d579b17932a56d25964f822fb7e7b51e7ca27d75cba81238f