Malware Analysis Report

2024-12-07 13:54

Sample ID 241119-wn2scatqhk
Target c2-3.4.0.zip
SHA256 da46e5b2a4a7fb855ec7ca2d53247ab30f87c4cae8b284f2e793c0f716848fe4
Tags
discovery rootkit
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

da46e5b2a4a7fb855ec7ca2d53247ab30f87c4cae8b284f2e793c0f716848fe4

Threat Level: Shows suspicious behavior

The file c2-3.4.0.zip was found to be: Shows suspicious behavior.

Malicious Activity Summary

discovery rootkit

Renames itself

Loads a kernel module

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates kernel/hardware configuration

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-19 18:05

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-11-19 18:04

Reported

2024-11-19 18:09

Platform

debian12-armhf-20240221-en

Max time kernel

2s

Max time network

197s

Command Line

[/tmp/c2-3.4.0_armv6_linux]

Signatures

Renames itself

Description Indicator Process Target
N/A N/A /tmp/c2-3.4.0_armv6_linux N/A
N/A N/A /tmp/c2-3.4.0_armv6_linux N/A

Enumerates kernel/hardware configuration

discovery
Description Indicator Process Target
File opened for reading /sys/kernel/mm/transparent_hugepage/hpage_pmd_size /tmp/c2-3.4.0_armv6_linux N/A
File opened for reading /sys/kernel/mm/transparent_hugepage/hpage_pmd_size /tmp/c2-3.4.0_armv6_linux N/A

Processes

/tmp/c2-3.4.0_armv6_linux

[/tmp/c2-3.4.0_armv6_linux]

/tmp/c2-3.4.0_armv6_linux

[/tmp/c2-3.4.0_armv6_linux]

Network

Country Destination Domain Proto
US 1.1.1.1:53 debian12-armhf-20240221-en-4 udp
US 1.1.1.1:53 debian12-armhf-20240221-en-4 udp
US 1.1.1.1:53 debian12-armhf-20240221-en-4 udp
US 1.1.1.1:53 debian12-armhf-20240221-en-4 udp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-11-19 18:04

Reported

2024-11-19 18:09

Platform

debian12-armhf-20240221-en

Max time kernel

1s

Max time network

226s

Command Line

[/tmp/c2-3.4.0_armv7_linux]

Signatures

Renames itself

Description Indicator Process Target
N/A N/A /tmp/c2-3.4.0_armv7_linux N/A
N/A N/A /tmp/c2-3.4.0_armv7_linux N/A

Enumerates kernel/hardware configuration

discovery
Description Indicator Process Target
File opened for reading /sys/kernel/mm/transparent_hugepage/hpage_pmd_size /tmp/c2-3.4.0_armv7_linux N/A
File opened for reading /sys/kernel/mm/transparent_hugepage/hpage_pmd_size /tmp/c2-3.4.0_armv7_linux N/A

Processes

/tmp/c2-3.4.0_armv7_linux

[/tmp/c2-3.4.0_armv7_linux]

/tmp/c2-3.4.0_armv7_linux

[/tmp/c2-3.4.0_armv7_linux]

Network

Country Destination Domain Proto
US 1.1.1.1:53 debian12-armhf-20240221-en-4 udp
US 1.1.1.1:53 debian12-armhf-20240221-en-4 udp
US 1.1.1.1:53 debian12-armhf-20240221-en-4 udp
US 1.1.1.1:53 debian12-armhf-20240221-en-4 udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-11-19 18:04

Reported

2024-11-19 18:05

Platform

ubuntu1804-amd64-20240611-en

Max time kernel

0s

Max time network

2s

Command Line

[/tmp/c2-3.4.0_armv8_linux]

Signatures

N/A

Processes

/tmp/c2-3.4.0_armv8_linux

[/tmp/c2-3.4.0_armv8_linux]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 151.101.1.91:443 tcp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-19 18:04

Reported

2024-11-19 18:08

Platform

macos-20241106-en

Max time kernel

69s

Max time network

128s

Command Line

[sh -c sudo /bin/zsh -c "/Users/run/c2-3.4.0_amd64_darwin"]

Signatures

N/A

Processes

/bin/sh

[sh -c sudo /bin/zsh -c "/Users/run/c2-3.4.0_amd64_darwin"]

/bin/bash

[sh -c sudo /bin/zsh -c "/Users/run/c2-3.4.0_amd64_darwin"]

/usr/bin/sudo

[sudo /bin/zsh -c /Users/run/c2-3.4.0_amd64_darwin]

/bin/zsh

[/bin/zsh -c /Users/run/c2-3.4.0_amd64_darwin]

/Users/run/c2-3.4.0_amd64_darwin

[/Users/run/c2-3.4.0_amd64_darwin]

/Users/run/c2-3.4.0_amd64_darwin

[/Users/run/c2-3.4.0_amd64_darwin]

Network

Country Destination Domain Proto
US 8.8.8.8:53 lb._dns-sd._udp.0.0.127.10.in-addr.arpa udp

Files

/Users/run/c2-3.4.0_amd64_darwin

MD5 191cce9f1f9ba0f36c58ca139f3cba79
SHA1 267ed388d89f7a3d717967852b0a125fdaf9f26b
SHA256 752b696841027c3767aa5d6582c03111e7fe0ab05f63905313ae7ce089e8e584
SHA512 a082f0cb0c565fcc54a01d47189daa1121f62d0797a67cd5aee2f85c899fd2930dca44bbb30200db4fd87acbcebfb873a4833fb19a9cb197d74bf810835c7471

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-19 18:04

Reported

2024-11-19 18:08

Platform

ubuntu2404-amd64-20240523-en

Max time kernel

0s

Max time network

129s

Command Line

[/tmp/c2-3.4.0_amd64_linux]

Signatures

Renames itself

Description Indicator Process Target
N/A N/A /tmp/c2-3.4.0_amd64_linux N/A
N/A N/A /tmp/c2-3.4.0_amd64_linux N/A

Enumerates kernel/hardware configuration

discovery
Description Indicator Process Target
File opened for reading /sys/kernel/mm/transparent_hugepage/hpage_pmd_size /tmp/c2-3.4.0_amd64_linux N/A
File opened for reading /sys/kernel/mm/transparent_hugepage/hpage_pmd_size /tmp/c2-3.4.0_amd64_linux N/A

Processes

/tmp/c2-3.4.0_amd64_linux

[/tmp/c2-3.4.0_amd64_linux]

/tmp/c2-3.4.0_amd64_linux

[/tmp/c2-3.4.0_amd64_linux]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 _http._tcp.security.ubuntu.com udp
US 8.8.8.8:53 _http._tcp.se.archive.ubuntu.com udp
US 8.8.8.8:53 security.ubuntu.com udp
US 8.8.8.8:53 security.ubuntu.com udp
US 8.8.8.8:53 se.archive.ubuntu.com udp
US 8.8.8.8:53 se.archive.ubuntu.com udp
US 91.189.91.82:80 security.ubuntu.com tcp
SE 194.71.11.163:80 se.archive.ubuntu.com tcp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-11-19 18:04

Reported

2024-11-19 18:08

Platform

macos-20241101-en

Max time kernel

44s

Max time network

127s

Command Line

[sh -c sudo /bin/zsh -c "/Users/run/c2-3.4.0_arm64_darwin"]

Signatures

N/A

Processes

/bin/sh

[sh -c sudo /bin/zsh -c "/Users/run/c2-3.4.0_arm64_darwin"]

/bin/bash

[sh -c sudo /bin/zsh -c "/Users/run/c2-3.4.0_arm64_darwin"]

/usr/bin/sudo

[sudo /bin/zsh -c /Users/run/c2-3.4.0_arm64_darwin]

/bin/zsh

[/bin/zsh -c /Users/run/c2-3.4.0_arm64_darwin]

/Users/run/c2-3.4.0_arm64_darwin

[/Users/run/c2-3.4.0_arm64_darwin]

/usr/libexec/xpcproxy

[xpcproxy com.apple.sysmond]

/usr/libexec/sysmond

[/usr/libexec/sysmond]

Network

Country Destination Domain Proto
US 8.8.8.8:53 lb._dns-sd._udp.0.0.127.10.in-addr.arpa udp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-11-19 18:04

Reported

2024-11-19 18:06

Platform

debian9-mipsbe-20240611-en

Max time kernel

3s

Command Line

[/tmp/c2-3.4.0_armv8_linux]

Signatures

N/A

Processes

/tmp/c2-3.4.0_armv8_linux

[/tmp/c2-3.4.0_armv8_linux]

Network

N/A

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-11-19 18:04

Reported

2024-11-19 18:06

Platform

debian9-mipsel-20240611-en

Max time kernel

1s

Command Line

[/tmp/c2-3.4.0_armv8_linux]

Signatures

N/A

Processes

/tmp/c2-3.4.0_armv8_linux

[/tmp/c2-3.4.0_armv8_linux]

Network

N/A

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-11-19 18:04

Reported

2024-11-19 18:08

Platform

ubuntu2404-amd64-20240523-en

Max time kernel

0s

Max time network

130s

Command Line

[/tmp/c2-3.4.0_i386_linux]

Signatures

Loads a kernel module

rootkit
Description Indicator Process Target
N/A N/A /tmp/c2-3.4.0_i386_linux N/A
N/A N/A /tmp/c2-3.4.0_i386_linux N/A
N/A N/A /tmp/c2-3.4.0_i386_linux N/A
N/A N/A /tmp/c2-3.4.0_i386_linux N/A
N/A N/A /tmp/c2-3.4.0_i386_linux N/A
N/A N/A /tmp/c2-3.4.0_i386_linux N/A
N/A N/A /tmp/c2-3.4.0_i386_linux N/A
N/A N/A /tmp/c2-3.4.0_i386_linux N/A
N/A N/A /tmp/c2-3.4.0_i386_linux N/A
N/A N/A /tmp/c2-3.4.0_i386_linux N/A
N/A N/A /tmp/c2-3.4.0_i386_linux N/A
N/A N/A /tmp/c2-3.4.0_i386_linux N/A
N/A N/A /tmp/c2-3.4.0_i386_linux N/A
N/A N/A /tmp/c2-3.4.0_i386_linux N/A
N/A N/A /tmp/c2-3.4.0_i386_linux N/A
N/A N/A /tmp/c2-3.4.0_i386_linux N/A
N/A N/A /tmp/c2-3.4.0_i386_linux N/A
N/A N/A /tmp/c2-3.4.0_i386_linux N/A
N/A N/A /tmp/c2-3.4.0_i386_linux N/A
N/A N/A /tmp/c2-3.4.0_i386_linux N/A
N/A N/A /tmp/c2-3.4.0_i386_linux N/A
N/A N/A /tmp/c2-3.4.0_i386_linux N/A
N/A N/A /tmp/c2-3.4.0_i386_linux N/A
N/A N/A /tmp/c2-3.4.0_i386_linux N/A
N/A N/A /tmp/c2-3.4.0_i386_linux N/A
N/A N/A /tmp/c2-3.4.0_i386_linux N/A
N/A N/A /tmp/c2-3.4.0_i386_linux N/A
N/A N/A /tmp/c2-3.4.0_i386_linux N/A
N/A N/A /tmp/c2-3.4.0_i386_linux N/A
N/A N/A /tmp/c2-3.4.0_i386_linux N/A
N/A N/A /tmp/c2-3.4.0_i386_linux N/A
N/A N/A /tmp/c2-3.4.0_i386_linux N/A
N/A N/A /tmp/c2-3.4.0_i386_linux N/A
N/A N/A /tmp/c2-3.4.0_i386_linux N/A
N/A N/A /tmp/c2-3.4.0_i386_linux N/A
N/A N/A /tmp/c2-3.4.0_i386_linux N/A
N/A N/A /tmp/c2-3.4.0_i386_linux N/A
N/A N/A /tmp/c2-3.4.0_i386_linux N/A
N/A N/A /tmp/c2-3.4.0_i386_linux N/A
N/A N/A /tmp/c2-3.4.0_i386_linux N/A
N/A N/A /tmp/c2-3.4.0_i386_linux N/A
N/A N/A /tmp/c2-3.4.0_i386_linux N/A
N/A N/A /tmp/c2-3.4.0_i386_linux N/A
N/A N/A /tmp/c2-3.4.0_i386_linux N/A
N/A N/A /tmp/c2-3.4.0_i386_linux N/A
N/A N/A /tmp/c2-3.4.0_i386_linux N/A
N/A N/A /tmp/c2-3.4.0_i386_linux N/A
N/A N/A /tmp/c2-3.4.0_i386_linux N/A
N/A N/A /tmp/c2-3.4.0_i386_linux N/A
N/A N/A /tmp/c2-3.4.0_i386_linux N/A
N/A N/A /tmp/c2-3.4.0_i386_linux N/A
N/A N/A /tmp/c2-3.4.0_i386_linux N/A
N/A N/A /tmp/c2-3.4.0_i386_linux N/A
N/A N/A /tmp/c2-3.4.0_i386_linux N/A
N/A N/A /tmp/c2-3.4.0_i386_linux N/A
N/A N/A /tmp/c2-3.4.0_i386_linux N/A
N/A N/A /tmp/c2-3.4.0_i386_linux N/A
N/A N/A /tmp/c2-3.4.0_i386_linux N/A
N/A N/A /tmp/c2-3.4.0_i386_linux N/A
N/A N/A /tmp/c2-3.4.0_i386_linux N/A
N/A N/A /tmp/c2-3.4.0_i386_linux N/A
N/A N/A /tmp/c2-3.4.0_i386_linux N/A
N/A N/A /tmp/c2-3.4.0_i386_linux N/A
N/A N/A /tmp/c2-3.4.0_i386_linux N/A

Processes

/tmp/c2-3.4.0_i386_linux

[/tmp/c2-3.4.0_i386_linux]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-11-19 18:04

Reported

2024-11-19 18:08

Platform

win10v2004-20241007-en

Max time kernel

92s

Max time network

159s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c2-3.4.0_i386_windows.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c2-3.4.0_i386_windows.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c2-3.4.0_i386_windows.exe

"C:\Users\Admin\AppData\Local\Temp\c2-3.4.0_i386_windows.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-19 18:04

Reported

2024-11-19 18:08

Platform

win7-20241010-en

Max time kernel

120s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c2-3.4.0_amd64_windows.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c2-3.4.0_amd64_windows.exe

"C:\Users\Admin\AppData\Local\Temp\c2-3.4.0_amd64_windows.exe"

Network

N/A

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-11-19 18:04

Reported

2024-11-19 18:06

Platform

debian9-armhf-20240729-en

Max time kernel

0s

Command Line

[/tmp/c2-3.4.0_armv8_linux]

Signatures

N/A

Processes

/tmp/c2-3.4.0_armv8_linux

[/tmp/c2-3.4.0_armv8_linux]

Network

N/A

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-11-19 18:04

Reported

2024-11-19 18:08

Platform

win7-20240903-en

Max time kernel

119s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c2-3.4.0_i386_windows.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c2-3.4.0_i386_windows.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c2-3.4.0_i386_windows.exe

"C:\Users\Admin\AppData\Local\Temp\c2-3.4.0_i386_windows.exe"

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-19 18:04

Reported

2024-11-19 18:08

Platform

win10v2004-20241007-en

Max time kernel

92s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c2-3.4.0_amd64_windows.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c2-3.4.0_amd64_windows.exe

"C:\Users\Admin\AppData\Local\Temp\c2-3.4.0_amd64_windows.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-11-19 18:04

Reported

2024-11-19 18:08

Platform

debian9-armhf-20240418-en

Max time kernel

1s

Command Line

[/tmp/c2-3.4.0_armv5_linux]

Signatures

Renames itself

Description Indicator Process Target
N/A N/A /tmp/c2-3.4.0_armv5_linux N/A
N/A N/A /tmp/c2-3.4.0_armv5_linux N/A

Enumerates kernel/hardware configuration

discovery
Description Indicator Process Target
File opened for reading /sys/kernel/mm/transparent_hugepage/hpage_pmd_size /tmp/c2-3.4.0_armv5_linux N/A
File opened for reading /sys/kernel/mm/transparent_hugepage/hpage_pmd_size /tmp/c2-3.4.0_armv5_linux N/A

Processes

/tmp/c2-3.4.0_armv5_linux

[/tmp/c2-3.4.0_armv5_linux]

/tmp/c2-3.4.0_armv5_linux

[/tmp/c2-3.4.0_armv5_linux]

Network

N/A

Files

N/A