Malware Analysis Report

2025-04-03 19:18

Sample ID 241029-sagngaxmbr
Target bash.elf
SHA256 acfaf7b28cec71707f0d85422c361621cd86580c7b90d680eaaacdb885844fdb
Tags
upx antivm discovery evasion
score
6/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V15
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
6/10

SHA256

acfaf7b28cec71707f0d85422c361621cd86580c7b90d680eaaacdb885844fdb

Threat Level: Shows suspicious behavior

The file bash.elf is UPX-packed and, once running, reads hardware identity values and hypervisor tell-tales (DMI vendor and product strings, /proc/cpuinfo, the MAC address of ens3) alongside a broad sysfs enumeration of CPU, memory and device topology. The report records no file drops, no persistence and no outbound connection attributable to the sample; the verdict is suspicious (6/10), not malicious.

Malicious Activity Summary

upx antivm discovery evasion

Checks hardware identifiers (DMI)

Reads MAC address of network interface

Reads hardware information

UPX packed file

Checks CPU configuration

Reads CPU attributes

Enumerates kernel/hardware configuration

Reads runtime system information

MITRE ATT&CK

Enterprise Matrix V15: the technique table did not survive in this copy of the report. Mapping the signature categories above to ATT&CK (the editor's mapping, not the sandbox's rendered matrix): T1027.002 Obfuscated Files or Information: Software Packing (UPX); T1497.001 Virtualization/Sandbox Evasion: System Checks (DMI vendor strings and /proc/cpuinfo); T1082 System Information Discovery (sysfs and procfs hardware enumeration); T1016 System Network Configuration Discovery (MAC address of ens3).

Analysis: static1

Detonation Overview

Reported

2024-10-29 14:55

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

The packer is identified from the file on disk, so there is no process or indicator row here; the behavioral run below shows what the unpacked program does.
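A quick static check for a stock UPX ELF, added here as an editor's example (it is not the sandbox's signature logic): it parses the ELF64 header, looks for the UPX! magic that appears in the l_info block after the program headers and again in the PackHeader at the end of the file, looks for the packer's $Info banner, and notes that UPX leaves the section table absent (e_shoff and e_shnum both zero). The two byte strings it builds are constructed stand-ins, not bash.elf; pass a real path on the command line to scan an actual file.

```python
import struct

UPX_MAGIC = b"UPX!"
UPX_INFO = b"$Info: This file is packed with the UPX executable packer"

ELF64_EHDR_FMT = "<HHIQQQIHHHHHH"          # fields after the 16-byte e_ident
ELF64_EHDR_FIELDS = ("e_type", "e_machine", "e_version", "e_entry", "e_phoff",
                     "e_shoff", "e_flags", "e_ehsize", "e_phentsize", "e_phnum",
                     "e_shentsize", "e_shnum", "e_shstrndx")


def elf64_header(data):
    """Parse a little-endian ELF64 header; enough for the checks below."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("this example handles little-endian ELF64 only")
    return dict(zip(ELF64_EHDR_FIELDS, struct.unpack_from(ELF64_EHDR_FMT, data, 16)))


def find_all(data, needle):
    """All offsets of needle in data, in order."""
    out, pos = [], data.find(needle)
    while pos != -1:
        out.append(pos)
        pos = data.find(needle, pos + 1)
    return out


def upx_indicators(data):
    """Static UPX markers: the UPX! magic (l_info near the start, PackHeader at the
    end), the packer banner, and the missing section table UPX leaves behind."""
    hdr = elf64_header(data)
    has_shdrs = hdr["e_shoff"] != 0 and hdr["e_shnum"] != 0
    magic_offsets = find_all(data, UPX_MAGIC)
    return {
        "entry": hdr["e_entry"],
        "upx_magic_offsets": magic_offsets,
        "has_info_string": UPX_INFO in data,
        "has_section_headers": has_shdrs,
        "likely_upx": bool(magic_offsets) and not has_shdrs,
    }


def _ehdr(e_shoff, e_shnum):
    # Constructed ELF64 header: ET_EXEC, x86-64, two program headers at offset 64.
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    return e_ident + struct.pack(ELF64_EHDR_FMT, 2, 0x3E, 1, 0x4011A0, 64, e_shoff, 0,
                                 64, 56, 2, 64 if e_shnum else 0, e_shnum, 0)


def build_packed_sample():
    """Constructed stand-in for a UPX-packed ELF64 (not bash.elf): no section table,
    l_info magic right after the program headers, the banner, a trailing PackHeader."""
    phdrs = b"\x00" * (56 * 2)
    body = UPX_MAGIC + b"\x00" * 8 + UPX_INFO + b"\x00" * 64 + b"\xAA" * 256
    trailer = UPX_MAGIC + b"\x00" * 28
    return _ehdr(0, 0) + phdrs + body + trailer


def build_plain_sample():
    """Constructed unpacked ELF64: section table present, no UPX markers."""
    return _ehdr(0x200, 5) + b"\x00" * 0x300


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else build_packed_sample()
    print(upx_indicators(data))
```

When all three markers are intact, `upx -d bash.elf -o bash.unpacked` restores the original binary. A sample whose magic or PackHeader has been patched makes upx refuse; in that case the process memory dump listed under Files (the image after the stub has unpacked it in place) is the practical source for the unpacked code.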

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-29 14:55

Reported

2024-10-29 14:57

Platform

ubuntu2404-amd64-20240523-en

Max time kernel

0s

Max time network

130s

Command Line

[/tmp/bash.elf]

Signatures

Checks hardware identifiers (DMI)

antivm
Description Indicator Process Target
File opened for reading /sys/devices/virtual/dmi/id/product_name /tmp/bash.elf N/A
File opened for reading /sys/devices/virtual/dmi/id/board_vendor /tmp/bash.elf N/A
File opened for reading /sys/devices/virtual/dmi/id/bios_vendor /tmp/bash.elf N/A
File opened for reading /sys/devices/virtual/dmi/id/sys_vendor /tmp/bash.elf N/A

Reads MAC address of network interface

evasion discovery
Description Indicator Process Target
File opened for reading /sys/class/net/ens3/address /tmp/bash.elf N/A

ens3 is the predictable interface name for the NIC in PCI slot 3 (0000:00:03.0, which also appears in the topology reads below). The MAC itself is a virtualization tell-tale as much as an identifier: QEMU/KVM guests default to the 52:54:00 OUI, and other hypervisors have equally well-known prefixes.

Reads hardware information

discovery
Description Indicator Process Target
File opened for reading /sys/devices/virtual/dmi/id/bios_version /tmp/bash.elf N/A
File opened for reading /sys/devices/virtual/dmi/id/bios_date /tmp/bash.elf N/A
File opened for reading /sys/devices/virtual/dmi/id/product_serial /tmp/bash.elf N/A
File opened for reading /sys/devices/virtual/dmi/id/product_uuid /tmp/bash.elf N/A
File opened for reading /sys/devices/virtual/dmi/id/board_name /tmp/bash.elf N/A
File opened for reading /sys/devices/virtual/dmi/id/chassis_vendor /tmp/bash.elf N/A
File opened for reading /sys/devices/virtual/dmi/id/chassis_type /tmp/bash.elf N/A
File opened for reading /sys/devices/virtual/dmi/id/chassis_serial /tmp/bash.elf N/A
File opened for reading /sys/devices/virtual/dmi/id/product_version /tmp/bash.elf N/A
File opened for reading /sys/devices/virtual/dmi/id/board_serial /tmp/bash.elf N/A
File opened for reading /sys/devices/virtual/dmi/id/board_asset_tag /tmp/bash.elf N/A
File opened for reading /sys/devices/virtual/dmi/id/chassis_version /tmp/bash.elf N/A
File opened for reading /sys/devices/virtual/dmi/id/board_version /tmp/bash.elf N/A
File opened for reading /sys/devices/virtual/dmi/id/chassis_asset_tag /tmp/bash.elf N/A

product_serial, product_uuid, board_serial and chassis_serial are mode 0400 (root-only) in sysfs. The table records the open attempt, not its outcome, so whether these reads succeeded depends on the privileges the sample ran with, which the report does not state.

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /tmp/bash.elf N/A
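The three antivm/evasion signatures above (DMI vendor strings, /proc/cpuinfo, the MAC address) are the inputs of a classic Linux hypervisor check. The following is an editor-added example of that check, not code recovered from the sample: it reads the same four DMI attributes the sample opened, the hypervisor flag that a VMM sets via CPUID leaf 1 (ECX bit 31) and that the kernel surfaces in /proc/cpuinfo, the CPU model string, and the MAC OUI. The vendor strings and OUIs are well-known public values; the two input sets are constructed to resemble a QEMU/KVM guest and a bare-metal laptop, and read_live() collects the real values from the host it runs on.

```python
from pathlib import Path

# sysfs attributes the sample opened (see the antivm tables above), by short name
DMI_ATTRS = ("product_name", "board_vendor", "bios_vendor", "sys_vendor")
DMI_DIR = Path("/sys/devices/virtual/dmi/id")

# Well-known hypervisor vendor/product strings and MAC OUIs (public knowledge,
# not taken from this report).
VM_STRINGS = ("qemu", "kvm", "bochs", "seabios", "ovmf", "vmware", "virtualbox",
              "innotek", "xen", "parallels", "microsoft corporation",
              "virtual machine", "google compute engine", "amazon ec2")
VM_OUIS = {"52:54:00": "QEMU/KVM", "00:0c:29": "VMware", "00:50:56": "VMware",
           "00:05:69": "VMware", "08:00:27": "VirtualBox", "00:15:5d": "Hyper-V",
           "00:16:3e": "Xen"}


def classify(dmi, cpuinfo, mac):
    """VM indicators found in DMI strings, /proc/cpuinfo text and a MAC address."""
    dmi_hits = {k: v for k, v in dmi.items() if any(s in v.lower() for s in VM_STRINGS)}
    flags, model = set(), ""
    for line in cpuinfo.splitlines():
        key, _, val = line.partition(":")
        key = key.strip()
        if key == "flags":
            flags |= set(val.split())
        elif key == "model name":
            model = val.strip()
    model_hit = any(s in model.lower() for s in VM_STRINGS)
    result = {
        "dmi_hits": dmi_hits,
        "hypervisor_flag": "hypervisor" in flags,   # CPUID.1:ECX[31], set by the VMM
        "cpu_model_hit": model_hit,
        "mac_vendor": VM_OUIS.get(mac.lower()[:8]),
    }
    result["is_vm"] = (bool(dmi_hits) or result["hypervisor_flag"] or model_hit
                       or result["mac_vendor"] is not None)
    return result


def read_live(iface="ens3"):
    """Collect the same inputs from the running host; unreadable files become ''."""
    def read(p):
        try:
            return Path(p).read_text().strip()
        except OSError:
            return ""
    dmi = {a: read(DMI_DIR / a) for a in DMI_ATTRS}
    return classify(dmi, read("/proc/cpuinfo"), read(f"/sys/class/net/{iface}/address"))


# Constructed inputs: what a QEMU/KVM guest and a bare-metal laptop typically expose.
QEMU_DMI = {"product_name": "Standard PC (i440FX + PIIX, 1996)", "board_vendor": "",
            "bios_vendor": "SeaBIOS", "sys_vendor": "QEMU"}
QEMU_CPUINFO = ("processor\t: 0\nvendor_id\t: GenuineIntel\n"
                "model name\t: QEMU Virtual CPU version 2.5+\n"
                "flags\t\t: fpu vme de pse tsc msr pae hypervisor lahf_lm\n")
QEMU_MAC = "52:54:00:12:34:56"
METAL_DMI = {"product_name": "20XK001NUS", "board_vendor": "LENOVO",
             "bios_vendor": "LENOVO", "sys_vendor": "LENOVO"}
METAL_CPUINFO = ("processor\t: 0\nvendor_id\t: GenuineIntel\n"
                 "model name\t: 11th Gen Intel(R) Core(TM) i7-1185G7 @ 3.00GHz\n"
                 "flags\t\t: fpu vme de pse tsc msr pae lahf_lm\n")
METAL_MAC = "8c:8d:28:aa:bb:cc"

if __name__ == "__main__":
    print(classify(QEMU_DMI, QEMU_CPUINFO, QEMU_MAC))
    print(classify(METAL_DMI, METAL_CPUINFO, METAL_MAC))
    print(read_live())
```

Run read_live() inside the detonation image to see exactly what the sample saw; classify() works on recorded values, so it also runs offline against sandbox output. None of these four DMI attributes, the cpuinfo read or the MAC read requires privilege, which is why they are the usual first-stage check, and why seeing them opened is not by itself proof of evasion: systemd-detect-virt, hostnamectl and topology libraries read the same files.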

Reads CPU attributes

discovery
Description Indicator Process Target
File opened for reading /sys/devices/system/cpu/online /tmp/bash.elf N/A
File opened for reading /sys/devices/system/cpu/types /tmp/bash.elf N/A
File opened for reading /sys/devices/system/cpu/possible /tmp/bash.elf N/A

Enumerates kernel/hardware configuration

discovery
Description Indicator Process Target
File opened for reading /sys/bus/cpu/devices/cpu0/cpufreq/cpuinfo_max_freq /tmp/bash.elf N/A
File opened for reading /sys/bus/node/devices/node0/hugepages /tmp/bash.elf N/A
File opened for reading /sys/class/block/sr0/size /tmp/bash.elf N/A
File opened for reading /sys/class/block/fd0/device/devtype /tmp/bash.elf N/A
File opened for reading /sys/fs/cgroup/cgroup.controllers /tmp/bash.elf N/A
File opened for reading /sys/bus/cpu/devices /tmp/bash.elf N/A
File opened for reading /sys/bus/cpu/devices/cpu0/topology/physical_package_id /tmp/bash.elf N/A
File opened for reading /sys/class/infiniband /tmp/bash.elf N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index0/size /tmp/bash.elf N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index3/physical_line_partition /tmp/bash.elf N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index9/shared_cpu_map /tmp/bash.elf N/A
File opened for reading /sys/bus/node/devices/node0/access1/initiators /tmp/bash.elf N/A
File opened for reading /sys/devices/virtual/dmi/id /tmp/bash.elf N/A
File opened for reading /sys/class/dax /tmp/bash.elf N/A
File opened for reading /sys/class/block /tmp/bash.elf N/A
File opened for reading /sys/class/net /tmp/bash.elf N/A
File opened for reading /sys/bus/pci/devices/0000:00:03.0/local_cpus /tmp/bash.elf N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index6/shared_cpu_map /tmp/bash.elf N/A
File opened for reading /sys/bus/node/devices/node0/access0/initiators/read_bandwidth /tmp/bash.elf N/A
File opened for reading /sys/bus/cpu/devices/cpu0/topology/package_cpus /tmp/bash.elf N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index3/type /tmp/bash.elf N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index3/coherency_line_size /tmp/bash.elf N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index2/coherency_line_size /tmp/bash.elf N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index3/number_of_sets /tmp/bash.elf N/A
File opened for reading /sys/bus/pci/devices/0000:00:04.0/local_cpus /tmp/bash.elf N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index1/level /tmp/bash.elf N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index7/shared_cpu_map /tmp/bash.elf N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index8/shared_cpu_map /tmp/bash.elf N/A
File opened for reading /sys/bus/dax/devices/target_node /tmp/bash.elf N/A
File opened for reading /sys/bus/node/devices/node0/access0/initiators /tmp/bash.elf N/A
File opened for reading /sys/fs/cgroup/cpuset.mems.effective /tmp/bash.elf N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index0/level /tmp/bash.elf N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index0/physical_line_partition /tmp/bash.elf N/A
File opened for reading /sys/class/block/vda/device/devtype /tmp/bash.elf N/A
File opened for reading /sys/bus/node/devices/node0/hugepages/hugepages-1048576kB/nr_hugepages /tmp/bash.elf N/A
File opened for reading /sys/bus/node/devices/node0/access0/initiators/read_latency /tmp/bash.elf N/A
File opened for reading /sys/class/block/fd0/device/local_cpus /tmp/bash.elf N/A
File opened for reading /sys/fs/cgroup/cpuset.cpus.effective /tmp/bash.elf N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index2/level /tmp/bash.elf N/A
File opened for reading /sys/bus/node/devices/node0/meminfo /tmp/bash.elf N/A
File opened for reading /sys/class/block/fd0/queue/hw_sector_size /tmp/bash.elf N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cpufreq/base_frequency /tmp/bash.elf N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index2/physical_line_partition /tmp/bash.elf N/A
File opened for reading /sys/bus/dax/target_node /tmp/bash.elf N/A
File opened for reading /sys/bus/cpu/devices/cpu0/topology/core_cpus /tmp/bash.elf N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index0/number_of_sets /tmp/bash.elf N/A
File opened for reading /sys/class/block/vda/size /tmp/bash.elf N/A
File opened for reading /sys/class/block/sr0/dev /tmp/bash.elf N/A
File opened for reading /sys/class/block/fd0/dev /tmp/bash.elf N/A
File opened for reading /sys/class/block/vda/dev /tmp/bash.elf N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index2/number_of_sets /tmp/bash.elf N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index3/size /tmp/bash.elf N/A
File opened for reading /sys/kernel/mm/hugepages/hugepages-1048576kB/nr_hugepages /tmp/bash.elf N/A
File opened for reading /sys/devices/system/cpu /tmp/bash.elf N/A
File opened for reading /sys/class/block/vda/queue/hw_sector_size /tmp/bash.elf N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index2/type /tmp/bash.elf N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index3/level /tmp/bash.elf N/A
File opened for reading /sys/bus/dax/devices /tmp/bash.elf N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index0/shared_cpu_map /tmp/bash.elf N/A
File opened for reading /sys/bus/cpu/devices/cpu0/cache/index0/type /tmp/bash.elf N/A
File opened for reading /sys/bus/pci/devices/0000:00:06.0/local_cpus /tmp/bash.elf N/A
File opened for reading /sys/devices/system/node/online /tmp/bash.elf N/A
File opened for reading /sys/bus/node/devices/node0/hugepages/hugepages-2048kB/nr_hugepages /tmp/bash.elf N/A
File opened for reading /sys/class/block/sr0/device/devtype /tmp/bash.elf N/A

The paths in this table (per-index CPU cache geometry, package and core topology, NUMA node access initiators with bandwidth and latency, 2 MB and 1 GB hugepage counts, block device sizes and devtypes, PCI local_cpus, and probes of /sys/class/dax, /sys/class/infiniband and /proc/driver/nvidia/gpus) are the walk a hardware-topology library such as hwloc performs, not a hand-written VM check; the full DMI attribute set read above is the same list such a library records as machine info. That reading is the editor's, not the sandbox's, but it matters for triage: the library is statically linked into legitimate HPC and benchmarking tools and into cryptominers alike, and it accounts for most of the reads tagged antivm and discovery. Treat the antivm tag as weak evidence until the unpacked code is shown to branch on what it read.

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/self/exe /tmp/bash.elf N/A
File opened for reading /proc/mounts /tmp/bash.elf N/A
File opened for reading /proc/self/cpuset /tmp/bash.elf N/A
File opened for reading /proc/meminfo /tmp/bash.elf N/A
File opened for reading /proc/driver/nvidia/gpus /tmp/bash.elf N/A

/proc/self/exe is what the stock UPX ELF stub opens to map its own packed payload (editor's note, a property of the packer rather than of this sample's logic); /proc/mounts and /proc/self/cpuset locate the cgroup and cpuset the process is confined to, /proc/meminfo gives total and available memory, and /proc/driver/nvidia/gpus is a GPU presence probe. None of these reads is evasive on its own.
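To make the weighting of these reads concrete, here is an editor-added triage helper (not part of the sandbox) that buckets the paths a sample opened by what they reveal: identity-bearing values (serials, UUIDs, asset tags, MAC), hypervisor tell-tales (DMI vendor and product strings, /proc/cpuinfo), topology geometry, self-inspection and runtime state, and then states whether the access pattern looks like a library topology walk or a targeted VM check. The path list is a representative subset copied from the behavioral1 tables above; the bucketing rules and the 50% threshold are the editor's.

```python
import re
from collections import Counter

# Representative subset of the paths in the behavioral1 signature tables above.
OPENED_PATHS = [
    "/sys/devices/virtual/dmi/id/product_name",
    "/sys/devices/virtual/dmi/id/sys_vendor",
    "/sys/devices/virtual/dmi/id/product_serial",
    "/sys/devices/virtual/dmi/id/product_uuid",
    "/sys/devices/virtual/dmi/id/board_serial",
    "/sys/class/net/ens3/address",
    "/proc/cpuinfo",
    "/sys/devices/system/cpu/online",
    "/sys/bus/cpu/devices/cpu0/cache/index0/size",
    "/sys/bus/cpu/devices/cpu0/cache/index3/coherency_line_size",
    "/sys/bus/cpu/devices/cpu0/topology/core_cpus",
    "/sys/bus/node/devices/node0/access0/initiators/read_latency",
    "/sys/bus/node/devices/node0/meminfo",
    "/sys/bus/node/devices/node0/hugepages/hugepages-1048576kB/nr_hugepages",
    "/sys/class/block/vda/size",
    "/sys/class/block/sr0/device/devtype",
    "/sys/bus/pci/devices/0000:00:03.0/local_cpus",
    "/sys/class/dax",
    "/sys/class/infiniband",
    "/proc/driver/nvidia/gpus",
    "/proc/self/exe",
    "/proc/mounts",
    "/proc/self/cpuset",
    "/proc/meminfo",
]

# Ordered rules: the first match wins, so identity reads under /sys/class/net and
# /sys/devices/virtual/dmi/id are claimed before the broader topology patterns.
RULES = [
    ("identity",    re.compile(r"^/sys/devices/virtual/dmi/id/\w*(serial|uuid|asset_tag)$")),
    ("identity",    re.compile(r"^/sys/class/net/[^/]+/address$")),
    ("vm_telltale", re.compile(r"^/sys/devices/virtual/dmi/id/"
                               r"(product_name|sys_vendor|board_vendor|bios_vendor|chassis_vendor)$")),
    ("vm_telltale", re.compile(r"^/proc/cpuinfo$")),
    ("topology",    re.compile(r"^/sys/(bus|devices/system)/(cpu|node)")),
    ("topology",    re.compile(r"^/sys/bus/pci/devices/[^/]+/local_cpus$")),
    ("topology",    re.compile(r"^/sys/class/(block|dax|infiniband|net)(/|$)")),
    ("topology",    re.compile(r"^/proc/driver/nvidia/gpus$")),
    ("self",        re.compile(r"^/proc/self/")),
    ("runtime",     re.compile(r"^/proc/(mounts|meminfo)$")),
]


def classify_path(path):
    """Bucket one opened path; anything unmatched is reported as 'other'."""
    for label, rx in RULES:
        if rx.search(path):
            return label
    return "other"


def triage(paths):
    """Count buckets and say whether topology enumeration or targeted checks dominate."""
    counts = Counter(classify_path(p) for p in paths)
    total = len(paths)
    topo_share = counts["topology"] / total if total else 0.0
    if topo_share >= 0.5:
        verdict = "topology walk dominates; VM and identity reads are a small subset"
    elif counts["vm_telltale"] + counts["identity"] > counts["topology"]:
        verdict = "targeted VM/identity checks dominate"
    else:
        verdict = "mixed"
    return {"counts": dict(counts), "topology_share": round(topo_share, 2), "verdict": verdict}


if __name__ == "__main__":
    print(triage(OPENED_PATHS))
```

Feed it the full path list from a report rather than this subset when triaging a new sample; a binary that reads only the four DMI vendor attributes, /proc/cpuinfo and a MAC address scores very differently from one that also walks every cache index and NUMA node.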

Processes

/tmp/bash.elf

[/tmp/bash.elf]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

224.0.0.251:5353/udp is the IPv4 mDNS multicast group. Guest operating systems generate this traffic themselves (avahi, or systemd-resolved with multicast DNS enabled), and the row carries no domain and no process attribution, so it is not evidence of command-and-control. Within the 130 s network window no unicast connection is attributed to the sample.

Files

memory/2435-1-0x0000000000400000-0x0000000000acf8b8-memory.dmp

The name encodes the process (PID 2435) and the dumped virtual address range 0x400000 to 0xacf8b8, 7,141,560 bytes (about 6.8 MiB) starting at the conventional non-PIE load address. For a UPX-packed sample this is the artifact to analyze: the stub unpacks the original program into memory before jumping to it, so the dump holds the unpacked code even when the file on disk resists upx -d. The size also indicates a large, most likely statically linked program rather than a small loader.