Malware Analysis Report

2025-05-06 04:16

Sample ID 241024-sgjreawapn
Target node-linux
SHA256 0801b24d2708b3f6195c8156d3661c027d678f5be064906db4fefe74e1a74b17
Tags
antivm credential_access defense_evasion discovery execution persistence privilege_escalation
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

0801b24d2708b3f6195c8156d3661c027d678f5be064906db4fefe74e1a74b17

Threat Level: Shows suspicious behavior

The file node-linux was found to show suspicious behavior.

Malicious Activity Summary

antivm credential_access defense_evasion discovery execution persistence privilege_escalation

File and Directory Permissions Modification

OS Credential Dumping

Abuse Elevation Control Mechanism: Sudo and Sudo Caching

Checks CPU configuration

Creates .desktop file

Reads runtime system information

Command and Scripting Interpreter: Unix Shell

Enumerates kernel/hardware configuration

Peripheral Device Discovery

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-24 15:06

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-24 15:05

Reported

2024-10-24 15:08

Platform

ubuntu2204-amd64-20240611-en

Max time kernel

146s

Max time network

149s

Command Line

[/tmp/node-linux]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/sh N/A
N/A N/A /usr/bin/chmod N/A
N/A N/A /bin/sh N/A
N/A N/A /usr/bin/chmod N/A

OS Credential Dumping

credential_access
Description Indicator Process Target
File opened for reading /etc/shadow /usr/bin/sudo N/A
File opened for reading /etc/shadow /usr/bin/sudo N/A
File opened for reading /etc/shadow /usr/bin/sudo N/A
File opened for reading /etc/shadow /usr/bin/sudo N/A

Abuse Elevation Control Mechanism: Sudo and Sudo Caching

privilege_escalation defense_evasion
Description Indicator Process Target
N/A N/A /bin/sh N/A
N/A N/A /usr/bin/sudo N/A
N/A N/A /usr/bin/sudo N/A
N/A N/A /usr/bin/sudo N/A

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /tmp/node-linux N/A

Creates .desktop file

persistence execution
Description Indicator Process Target
File opened for modification /root/.config/autostart/startup-script.desktop /tmp/node-linux N/A

Command and Scripting Interpreter: Unix Shell

execution
Description Indicator Process Target
N/A N/A /bin/sh N/A

Enumerates kernel/hardware configuration

discovery
Description Indicator Process Target
File opened for reading /sys/bus/pci/devices/0000:00:05.0/config /usr/bin/lspci N/A
File opened for reading /sys/bus/pci/devices/0000:00:05.0/vendor /usr/bin/lspci N/A
File opened for reading /sys/bus/pci/devices/0000:00:05.0/device /usr/bin/lspci N/A
File opened for reading /sys/bus/pci/devices/0000:00:02.0/config /usr/bin/lspci N/A
File opened for reading /sys/bus/pci/devices/0000:00:06.0/config /usr/bin/lspci N/A
File opened for reading /sys/bus/pci/devices/0000:00:06.0/class /usr/bin/lspci N/A
File opened for reading /sys/bus/pci/devices/0000:00:01.3/config /usr/bin/lspci N/A
File opened for reading /sys/bus/pci/devices/0000:00:04.0/device /usr/bin/lspci N/A
File opened for reading /sys/bus/pci/devices/0000:00:01.0/config /usr/bin/lspci N/A
File opened for reading /sys/bus/pci/devices/0000:00:01.0/vendor /usr/bin/lspci N/A
File opened for reading /sys/bus/pci/devices/0000:00:05.0/class /usr/bin/lspci N/A
File opened for reading /sys/bus/pci/devices/0000:00:01.1/config /usr/bin/lspci N/A
File opened for reading /sys/bus/pci/devices/0000:00:04.0/class /usr/bin/lspci N/A
File opened for reading /sys/bus/pci/devices/0000:00:01.0/device /usr/bin/lspci N/A
File opened for reading /sys/fs/cgroup/memory/memory.limit_in_bytes /tmp/node-linux N/A
File opened for reading /sys/bus/pci/devices/0000:00:01.1/vendor /usr/bin/lspci N/A
File opened for reading /sys/bus/pci/devices/0000:00:02.0/device /usr/bin/lspci N/A
File opened for reading /sys/bus/pci/devices/0000:00:06.0/device /usr/bin/lspci N/A
File opened for reading /sys/bus/pci/devices/0000:00:01.3/class /usr/bin/lspci N/A
File opened for reading /sys/bus/pci/devices/0000:00:04.0/config /usr/bin/lspci N/A
File opened for reading /sys/bus/pci/devices/0000:00:01.0/class /usr/bin/lspci N/A
File opened for reading /sys/bus/pci/devices/0000:00:01.1/class /usr/bin/lspci N/A
File opened for reading /sys/bus/pci/devices/0000:00:03.0/class /usr/bin/lspci N/A
File opened for reading /sys/bus/pci/devices/0000:00:00.0/device /usr/bin/lspci N/A
File opened for reading /sys/bus/pci/devices/0000:00:01.1/device /usr/bin/lspci N/A
File opened for reading /sys/bus/pci/devices/0000:00:03.0/config /usr/bin/lspci N/A
File opened for reading /sys/bus/pci/devices/0000:00:04.0/vendor /usr/bin/lspci N/A
File opened for reading /sys/bus/pci/devices /usr/bin/lspci N/A
File opened for reading /sys/bus/pci/devices/0000:00:02.0/vendor /usr/bin/lspci N/A
File opened for reading /sys/bus/pci/devices/0000:00:02.0/class /usr/bin/lspci N/A
File opened for reading /sys/bus/pci/devices/0000:00:06.0/vendor /usr/bin/lspci N/A
File opened for reading /sys/bus/pci/devices/0000:00:03.0/device /usr/bin/lspci N/A
File opened for reading /sys/bus/pci/devices/0000:00:01.3/vendor /usr/bin/lspci N/A
File opened for reading /sys/bus/pci/devices/0000:00:00.0/vendor /usr/bin/lspci N/A
File opened for reading /sys/bus/pci/devices/0000:00:00.0/class /usr/bin/lspci N/A
File opened for reading /sys/bus/pci/devices/0000:00:03.0/vendor /usr/bin/lspci N/A
File opened for reading /sys/bus/pci/devices/0000:00:01.3/device /usr/bin/lspci N/A
File opened for reading /sys/bus/pci/devices/0000:00:00.0/config /usr/bin/lspci N/A

Peripheral Device Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/lspci N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/sys/kernel/ngroups_max /usr/bin/sudo N/A
File opened for reading /proc/self/stat /usr/bin/sudo N/A
File opened for reading /proc/sys/kernel/ngroups_max /usr/bin/sudo N/A
File opened for reading /proc/self/stat /usr/bin/sudo N/A
File opened for reading /proc/sys/kernel/ngroups_max /usr/bin/sudo N/A
File opened for reading /proc/filesystems /usr/bin/sudo N/A
File opened for reading /proc/1/limits /usr/bin/sudo N/A
File opened for reading /proc/filesystems /usr/bin/cp N/A
File opened for reading /proc/meminfo /tmp/node-linux N/A
File opened for reading /proc/self/maps /tmp/node-linux N/A
File opened for reading /proc/filesystems /usr/bin/sudo N/A
File opened for reading /proc/sys/kernel/ngroups_max /usr/bin/sudo N/A
File opened for reading /proc/self/stat /usr/bin/sudo N/A
File opened for reading /proc/filesystems /usr/bin/sudo N/A
File opened for reading /proc/filesystems /usr/bin/sudo N/A
File opened for reading /proc/self/stat /usr/bin/sudo N/A
File opened for reading /proc/1/limits /usr/bin/sudo N/A
File opened for reading /proc/stat /tmp/node-linux N/A
File opened for reading /proc/self/maps /usr/bin/grep N/A
File opened for reading /proc/1/limits /usr/bin/sudo N/A
File opened for reading /proc/1/limits /usr/bin/sudo N/A
File opened for reading /proc/filesystems /usr/bin/mkdir N/A

Processes

/tmp/node-linux

[/tmp/node-linux]

/bin/sh

[/bin/sh -c sudo -n true]

/usr/bin/sudo

[sudo -n true]

/usr/bin/true

[true]

/bin/sh

[/bin/sh -c sudo mkdir -p "/opt" && sudo cp "/tmp/node-linux" "/opt/node-linux" && sudo chmod +x "/opt/node-linux"]

/usr/bin/sudo

[sudo mkdir -p /opt]

/usr/bin/mkdir

[mkdir -p /opt]

/usr/bin/sudo

[sudo cp /tmp/node-linux /opt/node-linux]

/usr/bin/cp

[cp /tmp/node-linux /opt/node-linux]

/usr/bin/sudo

/usr/bin/chmod

[chmod +x /opt/node-linux]

/bin/sh

[/bin/sh -c chmod +x /root/.config/autostart/startup-script.desktop]

/usr/bin/chmod

[chmod +x /root/.config/autostart/startup-script.desktop]

/bin/sh

[/bin/sh -c lspci | grep VGA]

/usr/bin/grep

[grep VGA]

/usr/bin/lspci

[lspci]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 api.etherscan.io udp
US 8.8.8.8:53 api.etherscan.io udp
US 8.8.8.8:53 eth-mainnet.alchemyapi.io udp
US 8.8.8.8:53 eth-mainnet.alchemyapi.io udp
US 217.79.240.58:443 api.etherscan.io tcp
US 8.8.8.8:53 ethereum-mainnet.core.chainstack.com udp
US 8.8.8.8:53 ethereum-mainnet.core.chainstack.com udp
US 8.8.8.8:53 cloudflare-eth.com udp
US 8.8.8.8:53 cloudflare-eth.com udp
US 104.16.33.243:443 eth-mainnet.alchemyapi.io tcp
US 8.8.8.8:53 mainnet.infura.io udp
US 8.8.8.8:53 mainnet.infura.io udp
US 104.18.4.35:443 ethereum-mainnet.core.chainstack.com tcp
US 8.8.8.8:53 ethers.quiknode.pro udp
US 8.8.8.8:53 ethers.quiknode.pro udp
US 104.18.11.112:443 cloudflare-eth.com tcp
US 8.8.8.8:53 monorepo-production-edge-alb-985829473.us-east-1.elb.amazonaws.com udp
GB 141.147.104.155:443 ethers.quiknode.pro tcp
US 18.214.115.73:443 mainnet.infura.io tcp
US 8.8.8.8:53 monorepo-production-edge-alb-985829473.us-east-1.elb.amazonaws.com udp
US 104.18.11.112:443 cloudflare-eth.com tcp
US 67.202.55.58:443 mainnet.infura.io tcp
US 8.8.8.8:53 ethers.quiknode.pro udp
US 104.18.4.35:443 ethereum-mainnet.core.chainstack.com tcp
GB 141.147.104.155:443 ethers.quiknode.pro tcp
EE 193.233.201.21:3001 193.233.201.21 tcp (30 identical connection entries)

Files

/opt/node-linux

MD5 532091f563565f41017aee62ebb321ef
SHA1 88971cc3b72775b230a67f51c534059db97c1f2a
SHA256 66db1c560a489b5df573009823bc2462e1bd827d2d12c64a372bd9b6bba59c47
SHA512 0432ed954f69c0741b29675f9390e3089bae25c22d1bf192cfb01a51575bbbc4b870ec65b11bfa40696e8750a29d943e3811566e46d6a0ed72be3acfdff1da0b

/root/.config/autostart/startup-script.desktop

MD5 d5fa1fdabc16eac09c0af61aa8f614d8
SHA1 df01c4c06f80a6acf53e8806f1a82b32c2094311
SHA256 2d33b970ef01e6e893305bcacd823b4c37754ce64a826c65945461a4aec48de1
SHA512 0e05b494fb3fcf1cf06394076308577e5c1fea6fb465697af83158c71b1baf6f549d37dc71d6b85a7a09e0838635221689decb8dd237240dfb3269adb83eba0e