Malware Analysis Report

2025-01-23 15:02

Sample ID 240831-tfnveasepj
Target LosKsu.zip
SHA256 298b54366fe0f86bf2e7713ebb6dd3ee9c4fff260c59768f8a913687aeffcdc7
Tags
antivm discovery
score
4/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
4/10

SHA256

298b54366fe0f86bf2e7713ebb6dd3ee9c4fff260c59768f8a913687aeffcdc7

Threat Level: Likely benign

The file LosKsu.zip was found to be: Likely benign.

Malicious Activity Summary

antivm discovery

Checks CPU configuration

Enumerates physical storage devices

Reads runtime system information

System Location Discovery: System Language Discovery

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-31 16:00

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-31 16:00

Reported

2024-08-31 16:01

Platform

debian9-armhf-20240611-en

Max time kernel

0s

Command Line

[/tmp/META-INF/com/google/android/update-binary]

Signatures

N/A

Processes

/tmp/META-INF/com/google/android/update-binary

[/tmp/META-INF/com/google/android/update-binary]

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-08-31 16:00

Reported

2024-08-31 16:03

Platform

win10v2004-20240802-en

Max time kernel

135s

Max time network

151s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\anykernel.sh

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\anykernel.sh

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-08-31 16:00

Reported

2024-08-31 16:03

Platform

win10v2004-20240802-en

Max time kernel

139s

Max time network

136s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\tools\ak3-core.sh

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\tools\ak3-core.sh

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-08-31 16:00

Reported

2024-08-31 16:04

Platform

debian12-armhf-20240221-en

Max time kernel

0s

Max time network

153s

Command Line

[/tmp/tools/snapshotupdater_static]

Signatures

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /tmp/tools/snapshotupdater_static N/A

Processes

/tmp/tools/snapshotupdater_static

[/tmp/tools/snapshotupdater_static]

Network

Country Destination Domain Proto
US 1.1.1.1:53 debian12-armhf-20240221-en-13 udp
US 1.1.1.1:53 debian12-armhf-20240221-en-13 udp
US 1.1.1.1:53 debian12-armhf-20240221-en-13 udp
US 1.1.1.1:53 debian12-armhf-20240221-en-13 udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-08-31 16:00

Reported

2024-08-31 16:04

Platform

debian12-armhf-20240221-en

Max time kernel

0s

Max time network

167s

Command Line

[/tmp/tools/busybox]

Signatures

Reads runtime system information

Description Indicator Process Target
File opened for reading /proc/stat /tmp/tools/busybox N/A

Processes

/tmp/tools/busybox

[/tmp/tools/busybox]

Network

Country Destination Domain Proto
US 1.1.1.1:53 debian12-armhf-20240221-en-7 udp
US 1.1.1.1:53 debian12-armhf-20240221-en-7 udp
US 1.1.1.1:53 debian12-armhf-20240221-en-7 udp
US 1.1.1.1:53 debian12-armhf-20240221-en-7 udp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-08-31 16:00

Reported

2024-08-31 16:03

Platform

debian12-armhf-20240418-en

Max time kernel

0s

Max time network

162s

Command Line

[/tmp/tools/magiskboot]

Signatures

N/A

Processes

/tmp/tools/magiskboot

[/tmp/tools/magiskboot]

Network

Country Destination Domain Proto
US 1.1.1.1:53 debian12-armhf-20240418-en-2 udp
US 1.1.1.1:53 debian12-armhf-20240418-en-2 udp
US 1.1.1.1:53 debian12-armhf-20240418-en-2 udp
US 1.1.1.1:53 debian12-armhf-20240418-en-2 udp

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-08-31 16:00

Reported

2024-08-31 16:01

Platform

debian12-armhf-20240221-en

Max time kernel

0s

Max time network

11s

Command Line

[/tmp/tools/magiskpolicy]

Signatures

N/A

Processes

/tmp/tools/magiskpolicy

[/tmp/tools/magiskpolicy]

Network

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-31 16:00

Reported

2024-08-31 16:01

Platform

ubuntu1804-amd64-20240729-en

Max time kernel

0s

Max time network

0s

Command Line

[/tmp/META-INF/com/google/android/update-binary]

Signatures

N/A

Processes

/tmp/META-INF/com/google/android/update-binary

[/tmp/META-INF/com/google/android/update-binary]

Network

Country Destination Domain Proto
GB 185.125.188.62:443 tcp
GB 185.125.188.62:443 tcp
US 151.101.65.91:443 tcp
US 151.101.65.91:443 tcp
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-08-31 16:00

Reported

2024-08-31 16:01

Platform

debian9-mipsel-20240729-en

Max time kernel

0s

Command Line

[/tmp/META-INF/com/google/android/update-binary]

Signatures

N/A

Processes

/tmp/META-INF/com/google/android/update-binary

[/tmp/META-INF/com/google/android/update-binary]

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-08-31 16:00

Reported

2024-08-31 16:03

Platform

win7-20240708-en

Max time kernel

120s

Max time network

123s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\anykernel.sh

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\.sh C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\.sh\ = "sh_auto_file" C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\sh_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\sh_auto_file C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\sh_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\sh_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\sh_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\sh_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\anykernel.sh

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\anykernel.sh

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\anykernel.sh"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 bff61c3b699a92a66688a255e97b56b9
SHA1 58d1f3f49e58cfe16f9f39bbd9d6fd946d7da1d7
SHA256 0a69f44203496ec0cec9f9a29b0c3f47114fc191782ab24b63e323d1a0710b8c
SHA512 1ff9f92938d4c325f2679eb84b765712631f243f0dc3a7f33d568617691522af7577ac7ceba8babfc674141c390f8e3d709df1a4cd4c57252194aa12b3ce699c

Analysis: behavioral3

Detonation Overview

Submitted

2024-08-31 16:00

Reported

2024-08-31 16:01

Platform

debian9-mipsbe-20240418-en

Max time kernel

0s

Command Line

[/tmp/META-INF/com/google/android/update-binary]

Signatures

N/A

Processes

/tmp/META-INF/com/google/android/update-binary

[/tmp/META-INF/com/google/android/update-binary]

Network

N/A

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-08-31 16:00

Reported

2024-08-31 16:03

Platform

win7-20240704-en

Max time kernel

118s

Max time network

121s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\tools\ak3-core.sh

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\.sh C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\.sh\ = "sh_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\sh_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\sh_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\sh_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\sh_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\sh_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\sh_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\tools\ak3-core.sh

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\tools\ak3-core.sh

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\tools\ak3-core.sh"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 566c3f84361ecb41f89fb51b5ba2f782
SHA1 d51958265a40096b16f797907afa25c60429faf4
SHA256 b4f71fe2a309266979debe1e78ee68a68dcc99cc27051e3a5a32353e9576e723
SHA512 cf9f72064993fd26290aedfb93fd6d1323bf6b7b5f7a8bce54136bd38bf0aebeec5c4f97ef97be1d579b17932a56d25964f822fb7e7b51e7ca27d75cba81238f

Analysis: behavioral10

Detonation Overview

Submitted

2024-08-31 16:00

Reported

2024-08-31 16:02

Platform

debian12-armhf-20240221-en

Max time kernel

0s

Max time network

34s

Command Line

[/tmp/tools/fec]

Signatures

N/A

Processes

/tmp/tools/fec

[/tmp/tools/fec]

Network

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-08-31 16:00

Reported

2024-08-31 16:04

Platform

debian12-armhf-20240221-en

Max time kernel

1s

Max time network

182s

Command Line

[/tmp/tools/httools_static]

Signatures

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /tmp/tools/httools_static N/A

Processes

/tmp/tools/httools_static

[/tmp/tools/httools_static]

Network

Country Destination Domain Proto
US 1.1.1.1:53 debian12-armhf-20240221-en-0 udp
US 1.1.1.1:53 debian12-armhf-20240221-en-0 udp
US 1.1.1.1:53 debian12-armhf-20240221-en-0 udp
US 1.1.1.1:53 debian12-armhf-20240221-en-0 udp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-08-31 16:00

Reported

2024-08-31 16:03

Platform

debian12-armhf-20240729-en

Max time kernel

0s

Max time network

155s

Command Line

[/tmp/tools/lptools_static]

Signatures

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /tmp/tools/lptools_static N/A

Processes

/tmp/tools/lptools_static

[/tmp/tools/lptools_static]

Network

Country Destination Domain Proto
US 1.1.1.1:53 debian12-armhf-20240729-en-13 udp
US 1.1.1.1:53 debian12-armhf-20240729-en-13 udp
US 1.1.1.1:53 debian12-armhf-20240729-en-13 udp
US 1.1.1.1:53 debian12-armhf-20240729-en-13 udp

Files

N/A