Resubmissions
Date              ID                 Score
21-10-2024 12:12  241021-pdcl5stbje  10
21-10-2024 11:59  241021-n55xbsshjb  10
19-10-2024 11:43  241019-nvrlyswdrn  10
19-10-2024 03:15  241019-drzs2swcrr  10
19-10-2024 03:03  241019-dj7tpavhrp  10
18-10-2024 09:09  241018-k4fdhaycqc  10

Analysis
max time kernel: 1799s
max time network: 1792s
platform: ubuntu-22.04_amd64
resource: ubuntu2204-amd64-20240611-en
resource tags: arch:amd64 arch:i386 image:ubuntu2204-amd64-20240611-en kernel:5.15.0-105-generic locale:en-us os:ubuntu-22.04-amd64 system
submitted: 19-10-2024 11:43
Behavioral task behavioral1
Sample: iptable_reject
Resource: ubuntu2204-amd64-20240611-en

Behavioral task behavioral2
Sample: kermine
Resource: ubuntu2404-amd64-20240523-en
General
Target: iptable_reject
Size: 8.4MB
MD5: 7db2c9ec53c09e42724f6314401b906c
SHA1: 0b781d565d784b4d22aa9be874518b8b4c40bfcf
SHA256: f99f857e388a386f4461917ec46781c539ee1f0e9d2b5039b282fa0754c1c750
SHA512: 74dcf160137fe29a2e68d66b503f0ec2fe6c0f0900356076d528e3387cf497557157da1c95d65d9fad8c7d7d647a21c93d7655270f9df06823ffbdcf7d26a2f5
SSDEEP: 196608:hVJq0MCjhe6WB42fcpuAJr+Q1lHGJqu82NwuN4zs:hDq0MCjhe6WaycpuA51lHOvKuN4
Malware Config
Signatures
Checks hardware identifiers (DMI) (1 TTPs, 4 IoCs)
Checks DMI information which indicates whether the system is a virtual machine.
Processes: iptable_reject
description              ioc                                         process
File opened for reading  /sys/devices/virtual/dmi/id/sys_vendor      iptable_reject
File opened for reading  /sys/devices/virtual/dmi/id/product_name    iptable_reject
File opened for reading  /sys/devices/virtual/dmi/id/board_vendor    iptable_reject
File opened for reading  /sys/devices/virtual/dmi/id/bios_vendor     iptable_reject
Reads hardware information (1 TTPs, 14 IoCs)
Accesses system information such as serial numbers and manufacturer names.
Processes: iptable_reject
description              ioc                                            process
File opened for reading  /sys/devices/virtual/dmi/id/product_serial     iptable_reject
File opened for reading  /sys/devices/virtual/dmi/id/board_version      iptable_reject
File opened for reading  /sys/devices/virtual/dmi/id/bios_version       iptable_reject
File opened for reading  /sys/devices/virtual/dmi/id/product_uuid       iptable_reject
File opened for reading  /sys/devices/virtual/dmi/id/board_name         iptable_reject
File opened for reading  /sys/devices/virtual/dmi/id/chassis_asset_tag  iptable_reject
File opened for reading  /sys/devices/virtual/dmi/id/board_asset_tag    iptable_reject
File opened for reading  /sys/devices/virtual/dmi/id/chassis_vendor     iptable_reject
File opened for reading  /sys/devices/virtual/dmi/id/chassis_type       iptable_reject
File opened for reading  /sys/devices/virtual/dmi/id/chassis_version    iptable_reject
File opened for reading  /sys/devices/virtual/dmi/id/product_version    iptable_reject
File opened for reading  /sys/devices/virtual/dmi/id/board_serial       iptable_reject
File opened for reading  /sys/devices/virtual/dmi/id/chassis_serial     iptable_reject
File opened for reading  /sys/devices/virtual/dmi/id/bios_date          iptable_reject
Checks CPU configuration (1 TTPs, 1 IoCs)
Checks CPU information which indicates whether the system is a virtual machine.
Processes: iptable_reject
description              ioc            process
File opened for reading  /proc/cpuinfo  iptable_reject
Reads CPU attributes (1 TTPs, 45 IoCs)
Processes: iptable_reject
Enumerates kernel/hardware configuration (1 TTPs, 24 IoCs)
Reads contents of the /sys virtual filesystem to enumerate system information.
Processes: iptable_reject
Processes: iptable_reject
description              ioc                        process
File opened for reading  /proc/self/cpuset          iptable_reject
File opened for reading  /proc/meminfo              iptable_reject
File opened for reading  /proc/driver/nvidia/gpus   iptable_reject
File opened for reading  /proc/sys/vm/nr_hugepages  iptable_reject
File opened for reading  /proc/mounts               iptable_reject
System Network Configuration Discovery (1 TTPs, 1 IoCs)
Adversaries may gather information about the network configuration of a system.
Processes: iptable_reject
pid   process
1570  iptable_reject