Analysis

max time kernel: 9s
max time network: 132s
platform: ubuntu-24.04_amd64
resource: ubuntu2404-amd64-20240523-en
resource tags: arch:amd64, arch:i386, image:ubuntu2404-amd64-20240523-en, kernel:6.8.0-31-generic, locale:en-us, os:ubuntu-24.04-amd64, system
submitted: 19-12-2024 22:25
Behavioral tasks

Task         | Sample                                | Resource
behavioral1  | 329D6F9DDBF138D4/locker_ESXI_I386     | ubuntu2404-amd64-20240523-en
behavioral2  | 329D6F9DDBF138D4/locker_ESXI_X64      | ubuntu2404-amd64-20240523-en
behavioral3  | LBB.exe                               | win7-20240903-en
behavioral4  | LBB.exe                               | win10v2004-20241007-en
behavioral5  | LBB_PS1.ps1                           | win7-20241010-en
behavioral6  | LBB_PS1.ps1                           | win10v2004-20241007-en
behavioral7  | LBB_PS1_obfuscated.ps1                | win7-20241023-en
behavioral8  | LBB_PS1_obfuscated.ps1                | win10v2004-20241007-en
behavioral9  | LBB_PS1_pass.ps1                      | win7-20240903-en
behavioral10 | LBB_PS1_pass.ps1                      | win10v2004-20241007-en
behavioral11 | LBB_ReflectiveDll_DllMain.dll         | win7-20240903-en
behavioral12 | LBB_ReflectiveDll_DllMain.dll         | win10v2004-20241007-en
behavioral13 | LBB_Rundll32.dll                      | win7-20240729-en
behavioral14 | LBB_Rundll32.dll                      | win10v2004-20241007-en
behavioral15 | LBB_Rundll32_pass.dll                 | win7-20240903-en
behavioral16 | LBB_Rundll32_pass.dll                 | win10v2004-20241007-en
behavioral17 | LBB_pass.exe                          | win7-20241010-en
behavioral18 | LBB_pass.exe                          | win10v2004-20241007-en
behavioral19 | FC8E43EC21BE9047/lbg32.exe            | win7-20240903-en
behavioral20 | FC8E43EC21BE9047/lbg32.exe            | win10v2004-20241007-en
behavioral21 | FC8E43EC21BE9047/lbg64.exe            | win7-20240903-en
behavioral22 | FC8E43EC21BE9047/lbg64.exe            | win10v2004-20241007-en
behavioral23 | 1007BF65F80311D2/locker_ARM64         | ubuntu1804-amd64-20240611-en
behavioral24 | 1007BF65F80311D2/locker_ARM64         | debian9-armhf-20240611-en
behavioral25 | 1007BF65F80311D2/locker_ARM64         | debian9-mipsbe-20240418-en
behavioral26 | 1007BF65F80311D2/locker_ARM64         | debian9-mipsel-20240729-en
behavioral27 | 1007BF65F80311D2/locker_ARMV5         | debian9-armhf-20240611-en
behavioral28 | 1007BF65F80311D2/locker_ARMV7         | debian9-armhf-20240611-en
behavioral29 | 1007BF65F80311D2/locker_FREEBSD_AMD64 | ubuntu2404-amd64-20240523-en
behavioral30 | 1007BF65F80311D2/locker_LINUX_I386    | ubuntu2204-amd64-20240611-en
behavioral31 | 1007BF65F80311D2/locker_LINUX_X64     | ubuntu2204-amd64-20240729-en
General

Target: 329D6F9DDBF138D4/locker_ESXI_X64
Size: 93KB
MD5: b76b092f5188ccc8a046ffb4659c3641
SHA1: 82e19d8b7bc5379528feb9c3a335d70d79358229
SHA256: dd1cf10faf4e638bb5a0efeeaa4bc2f1c91557c22e93d3f135e7e7c7f0e7be55
SHA512: bf06f2d65f7eca482066da6b1cace219cba2e2ebae0034de3e3bae429a2e821ea2d35a41534d6d9d159ae992ef0b5c5a268a48a05ae1fbb0da69a2122631653f
SSDEEP: 1536:Jv8RiloA2YObuLk8WKP/gCILnPG+atNoU+tqRAJy+p4G:1Zl/2Ym8LZOnPG+iNoDtqRaya
Malware Config
Signatures
Traces remote process (1 IoC)
  pid 2825, process locker_ESXI_X64
Reads AppArmor ptrace settings (1 TTP, 1 IoC)
  Discovery of allowed ptrace capabilities by AppArmor.
  File opened for reading: /sys/kernel/security/apparmor/features/ptrace (process: locker_ESXI_X64)
Enumerates running processes
  Discovers information about currently running processes on the system.
Reads hardware information (1 TTP, 1 IoC)
  Accesses system info like serial numbers, manufacturer names etc.
  File opened for reading: /sys/devices/virtual/dmi/id/power (process: locker_ESXI_X64)
Reads network interface configuration (2 TTPs, 12 IoCs)
  Fetches information about one or more active network interfaces.
Checks CPU configuration (1 TTP, 1 IoC)
  Checks CPU information that indicates whether the system is a virtual machine.
  File opened for reading: /proc/cpuinfo (process: ps)
Reads CPU attributes (1 TTP, 16 IoCs)
Enumerates kernel/hardware configuration (1 TTP, 64 IoCs)
  Reads contents of the /sys virtual filesystem to enumerate system information.
Reads runtime system information
Processes (child processes are indented under their parent)

PID 2825  /tmp/329D6F9DDBF138D4/locker_ESXI_X64
          command: /tmp/329D6F9DDBF138D4/locker_ESXI_X64
          signatures: Traces remote process; Reads AppArmor ptrace settings; Reads hardware information; Reads network interface configuration; Reads CPU attributes; Enumerates kernel/hardware configuration; Reads runtime system information
  PID 2826  /bin/sh
            command: sh -c -- "vim-cmd hostsvc/hostsummary | grep cpuModel | cut -d '\"' -f2"
    PID 2828  /usr/bin/grep
              command: grep cpuModel
    PID 2829  /usr/bin/cut
              command: cut -d "\"" -f2
  PID 2830  /bin/sh
            command: sh -c -- "esxcli storage filesystem list | tail -n +3"
    PID 2832  /usr/bin/tail
              command: tail -n +3
  PID 2833  /bin/sh
            command: sh -c -- "lsblk -io KNAME,TYPE,SIZE,MODEL | tail -n +2"
    PID 2834  /usr/bin/lsblk
              command: lsblk -io "KNAME,TYPE,SIZE,MODEL"
    PID 2835  /usr/bin/tail
              command: tail -n +2
  PID 2836  /bin/sh
            command: sh -c -- "uname -a"
    PID 2837  /usr/bin/uname
              command: uname -a
  PID 2838  /bin/sh
            command: sh -c -- "vmware -v"
  PID 2839  /bin/sh
            command: sh -c -- "ls -alR /vmfs/"
    PID 2840  /usr/bin/ls
              command: ls -alR /vmfs/
  PID 2841  /bin/sh
            command: sh -c -- "ps auxf"
    PID 2842  /usr/bin/ps
              command: ps auxf
              signatures: Checks CPU configuration; Reads CPU attributes; Reads runtime system information