6a955c1c8cf439187b32439f76bc55ad96e9586a2cf6c251d4c8755a5672f9f6

Analysis

max time kernel
149s
max time network
130s
platform
ubuntu-24.04_amd64
resource
ubuntu2404-amd64-20240523-en
resource tags

arch:amd64arch:i386image:ubuntu2404-amd64-20240523-enkernel:6.8.0-31-genericlocale:en-usos:ubuntu-24.04-amd64system
submitted
01/09/2024, 20:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

smartsynchronize/jre/bin/rmiregistry
Size

12KB
MD5

d2fc10c84b8781856273e6879f10ffd7
SHA1

6f2d5e2b515b3cb68d68b18ca1f3903af545e5c8
SHA256

3c9b4192f11b5ef7cd6825f808f078da3bc8c1754875ac4ee2326fe47ceb90f9
SHA512

7d2b8cf150760199bcc4b9368bff5331a906c09249dad8c24795ebe5a3c7a48a07c4d45e99374cd5b4a24a6cb4e0bd71c3b7f1e68840ae4c942a8e356519ac29
SSDEEP

96:RCWT+KFq8cgBXBRFKPo7DPPll2X37u3F6qYfoi2N3kNc/up7/XEV8cgBXB/t6UAD:RjZL1dKAHPH2X3EYqs2WpTD1/6/

Score

4^/10

antivm

Malware Config

Signatures

Changes its process name 13 IoCs

description	ioc	pid
Changes the process name, possibly in an attempt to hide itself	VM Thread	2502
Changes the process name, possibly in an attempt to hide itself	Reference Handl	2503
Changes the process name, possibly in an attempt to hide itself	Finalizer	2504
Changes the process name, possibly in an attempt to hide itself	Signal Dispatch	2505
Changes the process name, possibly in an attempt to hide itself	Service Thread	2506
Changes the process name, possibly in an attempt to hide itself	Monitor Deflati	2507
Changes the process name, possibly in an attempt to hide itself	C2 CompilerThre	2508
Changes the process name, possibly in an attempt to hide itself	C1 CompilerThre	2509
Changes the process name, possibly in an attempt to hide itself	Sweeper thread	2510
Changes the process name, possibly in an attempt to hide itself	Notification Th	2514
Changes the process name, possibly in an attempt to hide itself	VM Periodic Tas	2515
Changes the process name, possibly in an attempt to hide itself	Common-Cleaner	2516
Changes the process name, possibly in an attempt to hide itself	RMI TCP Accept-	2517

Checks CPU configuration 1 TTPs 1 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
File opened for reading	/proc/cpuinfo	rmiregistry

Reads CPU attributes 1 TTPs 2 IoCs

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/possible	rmiregistry
File opened for reading	/sys/devices/system/cpu/online	rmiregistry

Reads system network configuration 1 TTPs 1 IoCs

Uses contents of /proc filesystem to enumerate network settings.

System Network Configuration Discovery

T1016

description	ioc	Process
File opened for reading	/proc/net/if_inet6	rmiregistry

Enumerates kernel/hardware configuration 1 TTPs 2 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/fs/cgroup/system.slice/agent.service/memory.max	rmiregistry
File opened for reading	/sys/fs/cgroup/system.slice/agent.service/cpu.max	rmiregistry

Reads runtime system information 7 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/sys/vm/overcommit_memory	rmiregistry
File opened for reading	/proc/2501	rmiregistry
File opened for reading	/proc/stat	rmiregistry
File opened for reading	/proc/cgroups	rmiregistry
File opened for reading	/proc/self/cgroup	rmiregistry
File opened for reading	/proc/self/mountinfo	rmiregistry
File opened for reading	/proc/self/coredump_filter	rmiregistry

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/hsperfdata_root/2499	rmiregistry

/tmp/smartsynchronize/jre/bin/rmiregistry
/tmp/smartsynchronize/jre/bin/rmiregistry
1⤵
- Checks CPU configuration
- Reads CPU attributes
- Reads system network configuration
- Enumerates kernel/hardware configuration
- Reads runtime system information
- Writes file to tmp directory
PID:2499

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/hsperfdata_root/2499

Filesize
28KB

MD5
2b55842f2d55ed3e6af74c56e109cbb7

SHA1
b5f5e545253bd8cc9ad1dd96c123e822d0029036

SHA256
492feb0d5117b61692e3618e41c5900c74e8ba1268da2564545a56b82de3b66e

SHA512
08fa77e7b333519b9b7f14afeee64ed673baab9ad1a046583878a1db9ebe78ca73ccbb05094ee455203602024e110754f271af7f6364aac82f21c9086f498522

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads