54189c71781c412ef7103f17df89a1bbf6e1b608b4f16479374191e3262d32ed

Analysis

max time kernel
2s
platform
debian-9_armhf
resource
debian9-armhf-20240418-en
resource tags

arch:armhfimage:debian9-armhf-20240418-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
03-12-2024 16:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

zapret-win-bundle-master/blockcheck/zapret/blockcheck.sh
Size

51KB
MD5

9ddbecaf77d9c20696b679d3bda5bd95
SHA1

188bb0b81445b9cdcfd470a9e594fbc97e2cbbc2
SHA256

c8ca0e27212487656edce27cc26e5cdf25c2237c717ef9d90722ff54ac4ebcee
SHA512

d4accbe38147545186bbf67936ac131dd6e879fc59a502dafd55385180babb8541797da5b250745affa22e5ea6f0325c6277a74f8e45fefed979c9bd1328b854
SSDEEP

1536:nQ3Ds3LsiRjSpercIfjur6BdrfrtwWLlQLMnxXi1vIbIksApwmjx:VRjljurEdbrjjx

Score

6^/10

discovery

Malware Config

Signatures

Enumerates running processes
Discovers information about currently running processes on the system

Reads CPU attributes 1 TTPs 2 IoCs

discovery

System Information Discovery

T1082

Processes:

pgreppgrep

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

pgreppgrepsedid

description	ioc	Process
File opened for reading	/proc/16/status	pgrep
File opened for reading	/proc/21/cmdline	pgrep
File opened for reading	/proc/105/status	pgrep
File opened for reading	/proc/137/status	pgrep
File opened for reading	/proc/17/cmdline	pgrep
File opened for reading	/proc/105/cmdline	pgrep
File opened for reading	/proc/297/cmdline	pgrep
File opened for reading	/proc/107/cmdline	pgrep
File opened for reading	/proc/132/status	pgrep
File opened for reading	/proc/592/status	pgrep
File opened for reading	/proc/19/cmdline	pgrep
File opened for reading	/proc/596/cmdline	pgrep
File opened for reading	/proc/20/cmdline	pgrep
File opened for reading	/proc/600/status	pgrep
File opened for reading	/proc/708/status	pgrep
File opened for reading	/proc/2/status	pgrep
File opened for reading	/proc/76/status	pgrep
File opened for reading	/proc/306/status	pgrep
File opened for reading	/proc/29/status	pgrep
File opened for reading	/proc/208/status	pgrep
File opened for reading	/proc/28/status	pgrep
File opened for reading	/proc/97/cmdline	pgrep
File opened for reading	/proc/208/cmdline	pgrep
File opened for reading	/proc/6/status	pgrep
File opened for reading	/proc/8/status	pgrep
File opened for reading	/proc/704/status	pgrep
File opened for reading	/proc/7/cmdline	pgrep
File opened for reading	/proc/169/cmdline	pgrep
File opened for reading	/proc/599/status	pgrep
File opened for reading	/proc/24/cmdline	pgrep
File opened for reading	/proc/149/status	pgrep
File opened for reading	/proc/272/status	pgrep
File opened for reading	/proc/698/cmdline	pgrep
File opened for reading	/proc/699/cmdline	pgrep
File opened for reading	/proc/42/cmdline	pgrep
File opened for reading	/proc/271/status	pgrep
File opened for reading	/proc/1/cmdline	pgrep
File opened for reading	/proc/734/status	pgrep
File opened for reading	/proc/25/cmdline	pgrep
File opened for reading	/proc/105/cmdline	pgrep
File opened for reading	/proc/9/status	pgrep
File opened for reading	/proc/107/status	pgrep
File opened for reading	/proc/600/cmdline	pgrep
File opened for reading	/proc/22/status	pgrep
File opened for reading	/proc/23/cmdline	pgrep
File opened for reading	/proc/271/status	pgrep
File opened for reading	/proc/1/cmdline	sed
File opened for reading	/proc/filesystems	pgrep
File opened for reading	/proc/132/status	pgrep
File opened for reading	/proc/579/cmdline	pgrep
File opened for reading	/proc/715/status	pgrep
File opened for reading	/proc/6/cmdline	pgrep
File opened for reading	/proc/599/cmdline	pgrep
File opened for reading	/proc/42/status	pgrep
File opened for reading	/proc/272/cmdline	pgrep
File opened for reading	/proc/579/status	pgrep
File opened for reading	/proc/259/cmdline	pgrep
File opened for reading	/proc/275/cmdline	pgrep
File opened for reading	/proc/329/cmdline	pgrep
File opened for reading	/proc/735/cmdline	pgrep
File opened for reading	/proc/filesystems	id
File opened for reading	/proc/filesystems	pgrep
File opened for reading	/proc/27/status	pgrep
File opened for reading	/proc/76/cmdline	pgrep

/tmp/zapret-win-bundle-master/blockcheck/zapret/blockcheck.sh
/tmp/zapret-win-bundle-master/blockcheck/zapret/blockcheck.sh
1⤵
PID:704
- /usr/bin/dirname
  dirname /tmp/zapret-win-bundle-master/blockcheck/zapret/blockcheck.sh
  2⤵
  PID:705
- /bin/sleep
  sleep 0.001
  2⤵
  PID:709
- /bin/grep
  grep -Fxq /usr/sbin
  2⤵
  PID:714
- /bin/grep
  grep -Fxq /sbin
  2⤵
  PID:717
- /bin/uname
  uname
  2⤵
  PID:720
- /bin/sed
  sed "s/\\x0/\\n/g" /proc/1/cmdline
  2⤵
  - Reads runtime system information
  PID:723
- /usr/bin/head
  head -n 1
  2⤵
  PID:724
- /bin/readlink
  readlink /sbin/init
  2⤵
  PID:725
- /usr/bin/basename
  basename /lib/systemd/systemd
  2⤵
  PID:727
- /bin/sed
  sed -nre "s/^Linux version ([0-9]+)\\.[0-9]+.*\$/\\1/p" /proc/version
  2⤵
  PID:729
- /bin/sed
  sed -nre "s/^Linux version [0-9]+\\.([0-9]+).*\$/\\1/p" /proc/version
  2⤵
  PID:730
- /usr/bin/pgrep
  pgrep "^nfqws\$"
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:732
- /usr/bin/pgrep
  pgrep "^tpws\$"
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:734
- /usr/bin/id
  id -u
  2⤵
  - Reads runtime system information
  PID:736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads