Analysis Overview
SHA256
da46e5b2a4a7fb855ec7ca2d53247ab30f87c4cae8b284f2e793c0f716848fe4
Threat Level: Shows suspicious behavior
The file c2-3.4.0.zip was found to show suspicious behavior.
Malicious Activity Summary
Renames itself
Loads a kernel module
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates kernel/hardware configuration
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-19 18:05
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral7
Detonation Overview
Submitted
2024-11-19 18:04
Reported
2024-11-19 18:09
Platform
debian12-armhf-20240221-en
Max time kernel
2s
Max time network
197s
Command Line
Signatures
Renames itself
| Description | Indicator | Process | Target |
| N/A | N/A | /tmp/c2-3.4.0_armv6_linux | N/A |
| N/A | N/A | /tmp/c2-3.4.0_armv6_linux | N/A |
Enumerates kernel/hardware configuration
| Description | Indicator | Process | Target |
| File opened for reading | /sys/kernel/mm/transparent_hugepage/hpage_pmd_size | /tmp/c2-3.4.0_armv6_linux | N/A |
| File opened for reading | /sys/kernel/mm/transparent_hugepage/hpage_pmd_size | /tmp/c2-3.4.0_armv6_linux | N/A |
Processes
/tmp/c2-3.4.0_armv6_linux
[/tmp/c2-3.4.0_armv6_linux]
/tmp/c2-3.4.0_armv6_linux
[/tmp/c2-3.4.0_armv6_linux]
Network
| Country | Destination | Domain | Proto |
| US | 1.1.1.1:53 | debian12-armhf-20240221-en-4 | udp |
| US | 1.1.1.1:53 | debian12-armhf-20240221-en-4 | udp |
| US | 1.1.1.1:53 | debian12-armhf-20240221-en-4 | udp |
| US | 1.1.1.1:53 | debian12-armhf-20240221-en-4 | udp |
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-11-19 18:04
Reported
2024-11-19 18:09
Platform
debian12-armhf-20240221-en
Max time kernel
1s
Max time network
226s
Command Line
Signatures
Renames itself
| Description | Indicator | Process | Target |
| N/A | N/A | /tmp/c2-3.4.0_armv7_linux | N/A |
| N/A | N/A | /tmp/c2-3.4.0_armv7_linux | N/A |
Enumerates kernel/hardware configuration
| Description | Indicator | Process | Target |
| File opened for reading | /sys/kernel/mm/transparent_hugepage/hpage_pmd_size | /tmp/c2-3.4.0_armv7_linux | N/A |
| File opened for reading | /sys/kernel/mm/transparent_hugepage/hpage_pmd_size | /tmp/c2-3.4.0_armv7_linux | N/A |
Processes
/tmp/c2-3.4.0_armv7_linux
[/tmp/c2-3.4.0_armv7_linux]
/tmp/c2-3.4.0_armv7_linux
[/tmp/c2-3.4.0_armv7_linux]
Network
| Country | Destination | Domain | Proto |
| US | 1.1.1.1:53 | debian12-armhf-20240221-en-4 | udp |
| US | 1.1.1.1:53 | debian12-armhf-20240221-en-4 | udp |
| US | 1.1.1.1:53 | debian12-armhf-20240221-en-4 | udp |
| US | 1.1.1.1:53 | debian12-armhf-20240221-en-4 | udp |
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-11-19 18:04
Reported
2024-11-19 18:05
Platform
ubuntu1804-amd64-20240611-en
Max time kernel
0s
Max time network
2s
Command Line
Signatures
Processes
/tmp/c2-3.4.0_armv8_linux
[/tmp/c2-3.4.0_armv8_linux]
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 151.101.1.91:443 | N/A | tcp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-19 18:04
Reported
2024-11-19 18:08
Platform
macos-20241106-en
Max time kernel
69s
Max time network
128s
Command Line
Signatures
Processes
/bin/sh
[sh -c sudo /bin/zsh -c "/Users/run/c2-3.4.0_amd64_darwin"]
/bin/bash
[sh -c sudo /bin/zsh -c "/Users/run/c2-3.4.0_amd64_darwin"]
/usr/bin/sudo
[sudo /bin/zsh -c /Users/run/c2-3.4.0_amd64_darwin]
/bin/zsh
[/bin/zsh -c /Users/run/c2-3.4.0_amd64_darwin]
/Users/run/c2-3.4.0_amd64_darwin
[/Users/run/c2-3.4.0_amd64_darwin]
/Users/run/c2-3.4.0_amd64_darwin
[/Users/run/c2-3.4.0_amd64_darwin]
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lb._dns-sd._udp.0.0.127.10.in-addr.arpa | udp |
Files
/Users/run/c2-3.4.0_amd64_darwin
| MD5 | 191cce9f1f9ba0f36c58ca139f3cba79 |
| SHA1 | 267ed388d89f7a3d717967852b0a125fdaf9f26b |
| SHA256 | 752b696841027c3767aa5d6582c03111e7fe0ab05f63905313ae7ce089e8e584 |
| SHA512 | a082f0cb0c565fcc54a01d47189daa1121f62d0797a67cd5aee2f85c899fd2930dca44bbb30200db4fd87acbcebfb873a4833fb19a9cb197d74bf810835c7471 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-19 18:04
Reported
2024-11-19 18:08
Platform
ubuntu2404-amd64-20240523-en
Max time kernel
0s
Max time network
129s
Command Line
Signatures
Renames itself
| Description | Indicator | Process | Target |
| N/A | N/A | /tmp/c2-3.4.0_amd64_linux | N/A |
| N/A | N/A | /tmp/c2-3.4.0_amd64_linux | N/A |
Enumerates kernel/hardware configuration
| Description | Indicator | Process | Target |
| File opened for reading | /sys/kernel/mm/transparent_hugepage/hpage_pmd_size | /tmp/c2-3.4.0_amd64_linux | N/A |
| File opened for reading | /sys/kernel/mm/transparent_hugepage/hpage_pmd_size | /tmp/c2-3.4.0_amd64_linux | N/A |
Processes
/tmp/c2-3.4.0_amd64_linux
[/tmp/c2-3.4.0_amd64_linux]
/tmp/c2-3.4.0_amd64_linux
[/tmp/c2-3.4.0_amd64_linux]
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 8.8.8.8:53 | _http._tcp.security.ubuntu.com | udp |
| US | 8.8.8.8:53 | _http._tcp.se.archive.ubuntu.com | udp |
| US | 8.8.8.8:53 | security.ubuntu.com | udp |
| US | 8.8.8.8:53 | security.ubuntu.com | udp |
| US | 8.8.8.8:53 | se.archive.ubuntu.com | udp |
| US | 8.8.8.8:53 | se.archive.ubuntu.com | udp |
| US | 91.189.91.82:80 | security.ubuntu.com | tcp |
| SE | 194.71.11.163:80 | se.archive.ubuntu.com | tcp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-11-19 18:04
Reported
2024-11-19 18:08
Platform
macos-20241101-en
Max time kernel
44s
Max time network
127s
Command Line
Signatures
Processes
/bin/sh
[sh -c sudo /bin/zsh -c "/Users/run/c2-3.4.0_arm64_darwin"]
/bin/bash
[sh -c sudo /bin/zsh -c "/Users/run/c2-3.4.0_arm64_darwin"]
/usr/bin/sudo
[sudo /bin/zsh -c /Users/run/c2-3.4.0_arm64_darwin]
/bin/zsh
[/bin/zsh -c /Users/run/c2-3.4.0_arm64_darwin]
/Users/run/c2-3.4.0_arm64_darwin
[/Users/run/c2-3.4.0_arm64_darwin]
/usr/libexec/xpcproxy
[xpcproxy com.apple.sysmond]
/usr/libexec/sysmond
[/usr/libexec/sysmond]
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lb._dns-sd._udp.0.0.127.10.in-addr.arpa | udp |
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-11-19 18:04
Reported
2024-11-19 18:06
Platform
debian9-mipsbe-20240611-en
Max time kernel
3s
Command Line
Signatures
Processes
/tmp/c2-3.4.0_armv8_linux
[/tmp/c2-3.4.0_armv8_linux]
Network
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-11-19 18:04
Reported
2024-11-19 18:06
Platform
debian9-mipsel-20240611-en
Max time kernel
1s
Command Line
Signatures
Processes
/tmp/c2-3.4.0_armv8_linux
[/tmp/c2-3.4.0_armv8_linux]
Network
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-11-19 18:04
Reported
2024-11-19 18:08
Platform
ubuntu2404-amd64-20240523-en
Max time kernel
0s
Max time network
130s
Command Line
Signatures
Loads a kernel module
Processes
/tmp/c2-3.4.0_i386_linux
[/tmp/c2-3.4.0_i386_linux]
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | N/A | udp |
Files
Analysis: behavioral15
Detonation Overview
Submitted
2024-11-19 18:04
Reported
2024-11-19 18:08
Platform
win10v2004-20241007-en
Max time kernel
92s
Max time network
159s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c2-3.4.0_i386_windows.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\c2-3.4.0_i386_windows.exe
"C:\Users\Admin\AppData\Local\Temp\c2-3.4.0_i386_windows.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-11-19 18:04
Reported
2024-11-19 18:08
Platform
win7-20241010-en
Max time kernel
120s
Max time network
125s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\c2-3.4.0_amd64_windows.exe
"C:\Users\Admin\AppData\Local\Temp\c2-3.4.0_amd64_windows.exe"
Network
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-11-19 18:04
Reported
2024-11-19 18:06
Platform
debian9-armhf-20240729-en
Max time kernel
0s
Command Line
Signatures
Processes
/tmp/c2-3.4.0_armv8_linux
[/tmp/c2-3.4.0_armv8_linux]
Network
Files
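The runs behavioral9, behavioral11, behavioral12 and behavioral10 above all detonate c2-3.4.0_armv8_linux, the ARMv8 build, on amd64, mipsbe, mipsel and armhf (32-bit ARM) platforms. Each shows 0 to 3 s of kernel time, no signatures and at most the guest's own background traffic, which is what a binary the kernel cannot execute looks like, not evidence that the build is harmless; the amd64 and MIPS guests in particular cannot run an ARM ELF at all. The following Python is added here as an example and is not part of the sandbox report or of the sample: it reads e_machine and the byte order from an ELF header and checks them against the platform label before a run like these is trusted. The PLATFORM_MACHINES mapping, the platform_arch parsing of the report's platform strings and the fake_elf_header helper are this example's own assumptions; the header bytes it tests with are constructed, not taken from the sample.

```python
import struct

# e_machine values from the ELF specification (elf.h).
EM_386, EM_MIPS, EM_ARM, EM_X86_64, EM_AARCH64 = 3, 8, 40, 62, 183
MACHINE_NAMES = {EM_386: "i386", EM_MIPS: "mips", EM_ARM: "arm (32-bit)",
                 EM_X86_64: "amd64", EM_AARCH64: "aarch64"}

# Sandbox platform label (middle token of the report's platform strings)
# -> e_machine values that guest kernel can execute natively. Assumed mapping
# for this example; an amd64 kernel normally also runs i386 binaries.
PLATFORM_MACHINES = {
    "amd64": {EM_X86_64, EM_386},
    "armhf": {EM_ARM},
    "mipsbe": {EM_MIPS},
    "mipsel": {EM_MIPS},
}


def elf_machine(data: bytes):
    """Return (e_machine, is_big_endian) from an ELF header, or None if the
    bytes are not an ELF file. Only e_ident[EI_DATA] and e_machine are read."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        return None
    ei_data = data[5]                      # 1 = little-endian, 2 = big-endian
    if ei_data not in (1, 2):
        return None
    fmt = ">H" if ei_data == 2 else "<H"
    (e_machine,) = struct.unpack_from(fmt, data, 18)   # e_machine is at offset 18
    return e_machine, ei_data == 2


def platform_arch(platform: str) -> str:
    """'debian9-mipsel-20240611-en' -> 'mipsel' (assumed report naming)."""
    return platform.split("-")[1]


def can_run_natively(data: bytes, platform: str) -> bool:
    """True if the ELF could be executed by the named sandbox platform."""
    info = elf_machine(data)
    if info is None:
        return False
    machine, big_endian = info
    arch = platform_arch(platform)
    if machine not in PLATFORM_MACHINES.get(arch, set()):
        return False
    if arch == "mipsbe":
        return big_endian
    if arch == "mipsel":
        return not big_endian
    return True


def fake_elf_header(machine: int, big_endian: bool = False) -> bytes:
    """Constructed 64-byte ELF64 header carrying only the fields checked above.
    Test input for this example, not bytes from the sample."""
    e_ident = (b"\x7fELF" + bytes([2, 2 if big_endian else 1, 1])).ljust(16, b"\x00")
    fmt = ">HHI" if big_endian else "<HHI"          # e_type, e_machine, e_version
    return (e_ident + struct.pack(fmt, 2, machine, 1)).ljust(64, b"\x00")


def check_runs(runs):
    """runs: list of (run name, platform, header bytes). Returns the names of
    runs whose binary could not execute on the platform it was detonated on."""
    return [name for name, platform, hdr in runs if not can_run_natively(hdr, platform)]


if __name__ == "__main__":
    aarch64 = fake_elf_header(EM_AARCH64)
    runs = [
        ("behavioral9",  "ubuntu1804-amd64-20240611-en", aarch64),
        ("behavioral10", "debian9-armhf-20240729-en",    aarch64),
        ("behavioral11", "debian9-mipsbe-20240611-en",   aarch64),
        ("behavioral12", "debian9-mipsel-20240611-en",   aarch64),
        ("behavioral2",  "ubuntu2404-amd64-20240523-en", fake_elf_header(EM_X86_64)),
    ]
    for name in check_runs(runs):
        print(name, "detonated an ELF its platform cannot execute; treat the empty result as no-run, not benign")
```

A run that fails this check should be re-submitted on a matching platform (an arm64 guest for the armv8 build) rather than counted as a clean detonation.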
Analysis: behavioral14
Detonation Overview
Submitted
2024-11-19 18:04
Reported
2024-11-19 18:08
Platform
win7-20240903-en
Max time kernel
119s
Max time network
128s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c2-3.4.0_i386_windows.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\c2-3.4.0_i386_windows.exe
"C:\Users\Admin\AppData\Local\Temp\c2-3.4.0_i386_windows.exe"
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-11-19 18:04
Reported
2024-11-19 18:08
Platform
win10v2004-20241007-en
Max time kernel
92s
Max time network
158s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\c2-3.4.0_amd64_windows.exe
"C:\Users\Admin\AppData\Local\Temp\c2-3.4.0_amd64_windows.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
Files
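The Network tables above are mostly guest-OS background traffic: multicast DNS to 224.0.0.251:5353, reverse (PTR) lookups of in-addr.arpa names through 8.8.8.8 in the Windows runs, Bonjour/DNS-SD browsing (lb._dns-sd._udp...) in the macOS runs, the Ubuntu package-mirror traffic in behavioral2, and the Debian guest resolving its own hostname (debian12-armhf-20240221-en-4). The one row with no resolved name, 151.101.1.91:443 in behavioral9, is the only connection the report gives no context for, and behavioral9 is itself a run whose binary could not execute, so it needs review rather than a verdict. The Linux signature "Enumerates kernel/hardware configuration" rests on a single indicator, /sys/kernel/mm/transparent_hugepage/hpage_pmd_size, a sysfs file the Go runtime reads on every Linux start-up (runtime.getHugePageSize); the report does not say what the sample is written in, so that hit is consistent with a language runtime and is not by itself reconnaissance. The following Python is an added example, not part of the sandbox report or of the sample: it parses rows in the report's own table layout and separates guest noise from rows worth an analyst's time. The RESOLVERS set, the SANDBOX_HOST_RE pattern, the DISTRO_SUFFIXES list and the RUNTIME_STARTUP_INDICATORS set are this example's assumptions; SAMPLE_ROWS is copied from the tables above and is the only input.

```python
import ipaddress
import re

# Sandbox resolvers seen in this report's Network tables (assumed list).
RESOLVERS = {ipaddress.ip_address("8.8.8.8"), ipaddress.ip_address("1.1.1.1")}
# Hostnames of the sandbox VMs themselves, e.g. debian12-armhf-20240221-en-4 (assumed pattern).
SANDBOX_HOST_RE = re.compile(r"^(debian|ubuntu|win|macos)[\w-]*-\d{8}-en(-\d+)?$")
# Package-mirror traffic of the guest OS (assumed list).
DISTRO_SUFFIXES = (".ubuntu.com", ".debian.org")
# Files a language runtime reads at start-up; the Go runtime reads this one in
# runtime.getHugePageSize. Labelled "runtime-startup", not "benign".
RUNTIME_STARTUP_INDICATORS = {"/sys/kernel/mm/transparent_hugepage/hpage_pmd_size"}

# Rows copied from the Network tables of behavioral9, behavioral2, behavioral4,
# behavioral7 and behavioral1 above, in the report's own layout.
SAMPLE_ROWS = """
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 151.101.1.91:443 | N/A | tcp |
| US | 8.8.8.8:53 | _http._tcp.security.ubuntu.com | udp |
| US | 8.8.8.8:53 | security.ubuntu.com | udp |
| US | 91.189.91.82:80 | security.ubuntu.com | tcp |
| SE | 194.71.11.163:80 | se.archive.ubuntu.com | tcp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 1.1.1.1:53 | debian12-armhf-20240221-en-4 | udp |
| US | 8.8.8.8:53 | lb._dns-sd._udp.0.0.127.10.in-addr.arpa | udp |
"""


def parse_rows(text):
    """Parse pipe-delimited report rows into dicts; the header row is skipped."""
    rows = []
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        country, dest, domain, proto = cells
        host, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": ipaddress.ip_address(host),
                     "port": int(port), "domain": domain, "proto": proto})
    return rows


def classify(row):
    """Label one network row as guest noise or as something to review."""
    ip, port, domain = row["ip"], row["port"], row["domain"]
    if ip.is_multicast:
        return "noise/mdns" if port == 5353 else "noise/multicast"
    if port == 53 and ip in RESOLVERS:
        if "_dns-sd._udp" in domain:                  # Bonjour browse-domain query
            return "noise/dns-sd"
        if domain.endswith((".in-addr.arpa", ".ip6.arpa")):
            return "noise/ptr-lookup"                 # reverse lookup, not a new destination
        if SANDBOX_HOST_RE.match(domain):
            return "noise/sandbox-hostname"
        if domain.endswith(DISTRO_SUFFIXES):
            return "noise/distro-mirror-dns"
        return "review/dns-query"
    if domain.endswith(DISTRO_SUFFIXES):
        return "noise/distro-mirror"
    if domain == "N/A":
        return "review/direct-ip"                     # connection with no name resolved first
    return "review/connection"


def classify_signature(name, indicator):
    """Label a signature hit by the indicator it fired on."""
    if indicator in RUNTIME_STARTUP_INDICATORS:
        return "noise/runtime-startup"
    return "review/" + name.lower().replace(" ", "-")


def summarize(text):
    """Return (label counts, rows needing review) for a block of report rows."""
    counts, review = {}, []
    for row in parse_rows(text):
        label = classify(row)
        counts[label] = counts.get(label, 0) + 1
        if label.startswith("review/"):
            review.append((label, f"{row['ip']}:{row['port']}", row["domain"], row["proto"]))
    return counts, review


if __name__ == "__main__":
    counts, review = summarize(SAMPLE_ROWS)
    for label, n in sorted(counts.items()):
        print(f"{n:3d}  {label}")
    for item in review:
        print("REVIEW", *item)
    print(classify_signature("Enumerates kernel/hardware configuration",
                             "/sys/kernel/mm/transparent_hugepage/hpage_pmd_size"))
```

The "review" labels are deliberately not "malicious": a direct connection to an IP with no preceding DNS query is the one row in this report that the filter cannot explain from the guest OS, and that is all it says.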
Analysis: behavioral6
Detonation Overview
Submitted
2024-11-19 18:04
Reported
2024-11-19 18:08
Platform
debian9-armhf-20240418-en
Max time kernel
1s
Command Line
Signatures
Renames itself
| Description | Indicator | Process | Target |
| N/A | N/A | /tmp/c2-3.4.0_armv5_linux | N/A |
| N/A | N/A | /tmp/c2-3.4.0_armv5_linux | N/A |
Enumerates kernel/hardware configuration
| Description | Indicator | Process | Target |
| File opened for reading | /sys/kernel/mm/transparent_hugepage/hpage_pmd_size | /tmp/c2-3.4.0_armv5_linux | N/A |
| File opened for reading | /sys/kernel/mm/transparent_hugepage/hpage_pmd_size | /tmp/c2-3.4.0_armv5_linux | N/A |
Processes
/tmp/c2-3.4.0_armv5_linux
[/tmp/c2-3.4.0_armv5_linux]
/tmp/c2-3.4.0_armv5_linux
[/tmp/c2-3.4.0_armv5_linux]