Analysis
- max time kernel: 2s
- platform: debian-9_armhf
- resource: debian9-armhf-20240611-en
- resource tags: arch:armhf, image:debian9-armhf-20240611-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
- submitted: 19-12-2024 22:25
Behavioral tasks

Task          Sample                                   Resource
behavioral1   329D6F9DDBF138D4/locker_ESXI_I386        ubuntu2404-amd64-20240523-en
behavioral2   329D6F9DDBF138D4/locker_ESXI_X64         ubuntu2404-amd64-20240523-en
behavioral3   LBB.exe                                  win7-20240903-en
behavioral4   LBB.exe                                  win10v2004-20241007-en
behavioral5   LBB_PS1.ps1                              win7-20241010-en
behavioral6   LBB_PS1.ps1                              win10v2004-20241007-en
behavioral7   LBB_PS1_obfuscated.ps1                   win7-20241023-en
behavioral8   LBB_PS1_obfuscated.ps1                   win10v2004-20241007-en
behavioral9   LBB_PS1_pass.ps1                         win7-20240903-en
behavioral10  LBB_PS1_pass.ps1                         win10v2004-20241007-en
behavioral11  LBB_ReflectiveDll_DllMain.dll            win7-20240903-en
behavioral12  LBB_ReflectiveDll_DllMain.dll            win10v2004-20241007-en
behavioral13  LBB_Rundll32.dll                         win7-20240729-en
behavioral14  LBB_Rundll32.dll                         win10v2004-20241007-en
behavioral15  LBB_Rundll32_pass.dll                    win7-20240903-en
behavioral16  LBB_Rundll32_pass.dll                    win10v2004-20241007-en
behavioral17  LBB_pass.exe                             win7-20241010-en
behavioral18  LBB_pass.exe                             win10v2004-20241007-en
behavioral19  FC8E43EC21BE9047/lbg32.exe               win7-20240903-en
behavioral20  FC8E43EC21BE9047/lbg32.exe               win10v2004-20241007-en
behavioral21  FC8E43EC21BE9047/lbg64.exe               win7-20240903-en
behavioral22  FC8E43EC21BE9047/lbg64.exe               win10v2004-20241007-en
behavioral23  1007BF65F80311D2/locker_ARM64            ubuntu1804-amd64-20240611-en
behavioral24  1007BF65F80311D2/locker_ARM64            debian9-armhf-20240611-en
behavioral25  1007BF65F80311D2/locker_ARM64            debian9-mipsbe-20240418-en
behavioral26  1007BF65F80311D2/locker_ARM64            debian9-mipsel-20240729-en
behavioral27  1007BF65F80311D2/locker_ARMV5            debian9-armhf-20240611-en
behavioral28  1007BF65F80311D2/locker_ARMV7            debian9-armhf-20240611-en
behavioral29  1007BF65F80311D2/locker_FREEBSD_AMD64    ubuntu2404-amd64-20240523-en
behavioral30  1007BF65F80311D2/locker_LINUX_I386       ubuntu2204-amd64-20240611-en
behavioral31  1007BF65F80311D2/locker_LINUX_X64        ubuntu2204-amd64-20240729-en
General
- Target: 1007BF65F80311D2/locker_ARMV5
- Size: 103KB
- MD5: 516b79a3c994df308172aa67d353ff2f
- SHA1: e312f14bc1544e20af0cd41a3571a2cbe1ebe582
- SHA256: a60acd0adeccbe29ff8402db0e974eba25c9acf98a3af98940e518d465fb1bbe
- SHA512: b7a1a3e7ee64f8d0f538fdba5cc693134c475c4ce760cc4b314c26d1298794ff350eafd28a772f9da98332accb7a92674791d361bac0a17feb63e27bd4c84462
- SSDEEP: 3072:0zmoAp+UN6YmA4pLCQJ91ToDVqNrPOzng:0zmbkUpmA4pFJ918DVqNrOzg
Malware Config
Signatures
Traces remote process (1 IoC)
- PID 655: locker_ARMV5
Checks system information (zLinux) (1 TTP, 1 IoC)
Reads system information on IBM zSystems that indicates whether the system is a virtual machine.
- File opened for reading: /proc/sysinfo (process: lscpu)
Reads network interface configuration (2 TTPs, 6 IoCs)
Fetches information about one or more active network interfaces.
- File opened for reading: /sys/devices/virtual/net/lo/statistics (process: locker_ARMV5)
- File opened for reading: /sys/devices/virtual/net/lo/power (process: locker_ARMV5)
- File opened for reading: /sys/devices/virtual/net/lo/queues (process: locker_ARMV5)
- File opened for reading: /sys/devices/virtual/net/lo/queues/tx-0 (process: locker_ARMV5)
- File opened for reading: /sys/devices/virtual/net/lo/queues/tx-0/byte_queue_limits (process: locker_ARMV5)
- File opened for reading: /sys/devices/virtual/net/lo/queues/rx-0 (process: locker_ARMV5)
Checks CPU configuration (1 TTP, 1 IoC)
Reads CPU information that indicates whether the system is a virtual machine.
- File opened for reading: /proc/cpuinfo (process: lscpu)
Reads CPU attributes (1 TTP, 15 IoCs)
Reads /sys/devices/system/cpu entries (topology, hotplug, cpufreq, kernel_max, possible/present/online) from the lscpu and locker_ARMV5 processes.
Enumerates kernel/hardware configuration (1 TTP, 64 IoCs)
Reads contents of the /sys virtual filesystem to enumerate system information.
Processes

- /tmp/1007BF65F80311D2/locker_ARMV5 (PID 655)
  Command line: /tmp/1007BF65F80311D2/locker_ARMV5
  Signatures: Traces remote process; Reads network interface configuration; Reads CPU attributes; Enumerates kernel/hardware configuration; Reads runtime system information
  - /bin/sh (PID 658): sh -c "vim-cmd hostsvc/hostsummary | grep cpuModel | cut -d '\"' -f2"
    - /bin/grep (PID 660): grep cpuModel
    - /usr/bin/cut (PID 661): cut -d "\"" -f2
  - /bin/sh (PID 664): sh -c "lscpu | grep \"Model name\" | cut -d ':' -f2"
    - /usr/bin/lscpu (PID 666): lscpu
      Signatures: Checks system information (zLinux); Checks CPU configuration; Reads CPU attributes; Reads runtime system information
    - /bin/grep (PID 667): grep "Model name"
    - /usr/bin/cut (PID 668): cut -d : -f2
  - /bin/sh (PID 671): sh -c "esxcli storage filesystem list | tail -n +3"
    - /usr/bin/tail (PID 674): tail -n +3
  - /bin/sh (PID 677): sh -c "lsblk -io KNAME,TYPE,SIZE,MODEL | tail -n +2"
    - /bin/lsblk (PID 679): lsblk -io "KNAME,TYPE,SIZE,MODEL"
      Signatures: Reads runtime system information
    - /usr/bin/tail (PID 680): tail -n +2
  - /bin/sh (PID 683): sh -c "uname -a"
    - /bin/uname (PID 684): uname -a
  - /bin/sh (PID 685): sh -c "vmware -v"