Overview
  overview

Tasks (score, sample, platform):
  10  Static                   static
  10  329D6F9DDB...I_I386      ubuntu-24.04-amd64
      329D6F9DDB...XI_X64      ubuntu-24.04-amd64
   8  LBB.exe                  windows7-x64
   9  LBB.exe                  windows10-2004-x64
   9  LBB_PS1.ps1              windows7-x64
   5  LBB_PS1.ps1              windows10-2004-x64
   9  LBB_PS1_ob...ed.ps1      windows7-x64
   3  LBB_PS1_ob...ed.ps1      windows10-2004-x64
   3  LBB_PS1_pass.ps1         windows7-x64
  10  LBB_PS1_pass.ps1         windows10-2004-x64
  10  LBB_Reflec...in.dll      windows7-x64
   9  LBB_Reflec...in.dll      windows10-2004-x64
   7  LBB_Rundll32.dll         windows7-x64
   3  LBB_Rundll32.dll         windows10-2004-x64
   3  LBB_Rundll32_pass.dll    windows7-x64
  10  LBB_Rundll32_pass.dll    windows10-2004-x64
  10  LBB_pass.exe             windows7-x64
  10  LBB_pass.exe             windows10-2004-x64
  10  FC8E43EC21...32.exe      windows7-x64
   7  FC8E43EC21...32.exe      windows10-2004-x64
   7  FC8E43EC21...64.exe      windows7-x64
   7  FC8E43EC21...64.exe      windows10-2004-x64
   7  1007BF65F8..._ARM64      ubuntu-18.04-amd64
      1007BF65F8..._ARM64      debian-9-armhf
      1007BF65F8..._ARM64      debian-9-mips
      1007BF65F8..._ARM64      debian-9-mipsel
      1007BF65F8..._ARMV5      debian-9-armhf
   8  1007BF65F8..._ARMV7      debian-9-armhf
   8  1007BF65F8..._AMD64      ubuntu-24.04-amd64
      1007BF65F8...X_I386      ubuntu-22.04-amd64
      1007BF65F8...UX_X64      ubuntu-22.04-amd64
   8  1007BF65F8...r_MIPS      debian-9-mips
Analysis (score 8)
  max time kernel: 2s
  platform: debian-9_armhf
  resource: debian9-armhf-20240611-en
  resource tags: arch:armhf, image:debian9-armhf-20240611-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
  submitted: 19-12-2024 22:25
Behavioral tasks (task, sample, resource):
  behavioral1   329D6F9DDBF138D4/locker_ESXI_I386      ubuntu2404-amd64-20240523-en
  behavioral2   329D6F9DDBF138D4/locker_ESXI_X64       ubuntu2404-amd64-20240523-en
  behavioral3   LBB.exe                                win7-20240903-en
  behavioral4   LBB.exe                                win10v2004-20241007-en
  behavioral5   LBB_PS1.ps1                            win7-20241010-en
  behavioral6   LBB_PS1.ps1                            win10v2004-20241007-en
  behavioral7   LBB_PS1_obfuscated.ps1                 win7-20241023-en
  behavioral8   LBB_PS1_obfuscated.ps1                 win10v2004-20241007-en
  behavioral9   LBB_PS1_pass.ps1                       win7-20240903-en
  behavioral10  LBB_PS1_pass.ps1                       win10v2004-20241007-en
  behavioral11  LBB_ReflectiveDll_DllMain.dll          win7-20240903-en
  behavioral12  LBB_ReflectiveDll_DllMain.dll          win10v2004-20241007-en
  behavioral13  LBB_Rundll32.dll                       win7-20240729-en
  behavioral14  LBB_Rundll32.dll                       win10v2004-20241007-en
  behavioral15  LBB_Rundll32_pass.dll                  win7-20240903-en
  behavioral16  LBB_Rundll32_pass.dll                  win10v2004-20241007-en
  behavioral17  LBB_pass.exe                           win7-20241010-en
  behavioral18  LBB_pass.exe                           win10v2004-20241007-en
  behavioral19  FC8E43EC21BE9047/lbg32.exe             win7-20240903-en
  behavioral20  FC8E43EC21BE9047/lbg32.exe             win10v2004-20241007-en
  behavioral21  FC8E43EC21BE9047/lbg64.exe             win7-20240903-en
  behavioral22  FC8E43EC21BE9047/lbg64.exe             win10v2004-20241007-en
  behavioral23  1007BF65F80311D2/locker_ARM64          ubuntu1804-amd64-20240611-en
  behavioral24  1007BF65F80311D2/locker_ARM64          debian9-armhf-20240611-en
  behavioral25  1007BF65F80311D2/locker_ARM64          debian9-mipsbe-20240418-en
  behavioral26  1007BF65F80311D2/locker_ARM64          debian9-mipsel-20240729-en
  behavioral27  1007BF65F80311D2/locker_ARMV5          debian9-armhf-20240611-en
  behavioral28  1007BF65F80311D2/locker_ARMV7          debian9-armhf-20240611-en
  behavioral29  1007BF65F80311D2/locker_FREEBSD_AMD64  ubuntu2404-amd64-20240523-en
  behavioral30  1007BF65F80311D2/locker_LINUX_I386     ubuntu2204-amd64-20240611-en
  behavioral31  1007BF65F80311D2/locker_LINUX_X64      ubuntu2204-amd64-20240729-en
General
  Target: 1007BF65F80311D2/locker_ARMV7
  Size: 87KB
  MD5: 89d3236f0129595a919cc70728b9316e
  SHA1: 107f6e9ab0cb01247f2c5d65388dad8fb67d4804
  SHA256: cfc9ba36d03736d01a6208e0c9cc3cd7db29c1f8e531f53ae7dce812f19c08bb
  SHA512: ca23b1285131eacc437f44961e8bb71c52932f399a3aee35069ee2e490fc1cf8e53c0656701e938afb8930640447b0b8ecdb6885fe908a312a11ed29c8eb4466
  SSDEEP: 1536:BcwSL24h5CJB/bfDZv3v+AToZTZ7rnCWz6J6nqPfBoU+Vq+Eauk2rVSx731fHBze:KFLr5CJBwHZTZaWuJt5oDVq+Eauk2rVN
Malware Config

Signatures

Traces remote process (1 IoCs)
  pid  Process
  655  locker_ARMV7

Checks system information (zLinux) (1 TTPs, 1 IoCs)
  Check system information on IBM zSystems which indicate if the system is a virtual machine.
  description              ioc            Process
  File opened for reading  /proc/sysinfo  lscpu

Reads network interface configuration (2 TTPs, 6 IoCs)
  Fetches information about one or more active network interfaces.
  description              ioc                                                       Process
  File opened for reading  /sys/devices/virtual/net/lo/queues/rx-0                   locker_ARMV7
  File opened for reading  /sys/devices/virtual/net/lo/statistics                    locker_ARMV7
  File opened for reading  /sys/devices/virtual/net/lo/power                         locker_ARMV7
  File opened for reading  /sys/devices/virtual/net/lo/queues                        locker_ARMV7
  File opened for reading  /sys/devices/virtual/net/lo/queues/tx-0                   locker_ARMV7
  File opened for reading  /sys/devices/virtual/net/lo/queues/tx-0/byte_queue_limits locker_ARMV7

Checks CPU configuration (1 TTPs, 1 IoCs)
  Checks CPU information which indicate if the system is a virtual machine.
  description              ioc            Process
  File opened for reading  /proc/cpuinfo  lscpu

Reads CPU attributes (1 TTPs, 15 IoCs)
  description              ioc                                                       Process
  File opened for reading  /sys/devices/system/cpu/cpu0/topology/thread_siblings     lscpu
  File opened for reading  /sys/devices/system/cpu/cpufreq                           locker_ARMV7
  File opened for reading  /sys/devices/system/cpu/kernel_max                        lscpu
  File opened for reading  /sys/devices/system/cpu/cpu0/topology/physical_package_id lscpu
  File opened for reading  /sys/devices/system/cpu/cpu0/power                        locker_ARMV7
  File opened for reading  /sys/devices/system/cpu/cpu0/topology                     locker_ARMV7
  File opened for reading  /sys/devices/system/cpu/possible                          lscpu
  File opened for reading  /sys/devices/system/cpu/present                           lscpu
  File opened for reading  /sys/devices/system/cpu/online                            lscpu
  File opened for reading  /sys/devices/system/cpu/power                             locker_ARMV7
  File opened for reading  /sys/devices/system/cpu/hotplug                           locker_ARMV7
  File opened for reading  /sys/devices/system/cpu/cpu0/hotplug                      locker_ARMV7
  File opened for reading  /sys/devices/system/cpu/cpu0/topology/core_siblings       lscpu
  File opened for reading  /sys/devices/system/cpu/cpu0/topology/core_id             lscpu
  File opened for reading  /sys/devices/system/cpu/cpu0                              locker_ARMV7

Enumerates kernel/hardware configuration (1 TTPs, 64 IoCs)
  Reads contents of /sys virtual filesystem to enumerate system information.
  description              ioc                                                                          Process
  File opened for reading  /sys/kernel/debug/tracing/events/syscalls/sys_enter_mq_unlink                locker_ARMV7
  File opened for reading  /sys/kernel/debug/tracing/events/syscalls/sys_enter_timer_delete             locker_ARMV7
  File opened for reading  /sys/devices/platform/a000e00.virtio_mmio/power                              locker_ARMV7
  File opened for reading  /sys/kernel/debug/tracing/events/spi/spi_message_start                       locker_ARMV7
  File opened for reading  /sys/kernel/debug/tracing/events/timer/itimer_state                          locker_ARMV7
  File opened for reading  /sys/fs/cgroup/blkio/init.scope                                              locker_ARMV7
  File opened for reading  /sys/kernel/debug/tracing/events/syscalls/sys_enter_statfs                   locker_ARMV7
  File opened for reading  /sys/kernel/debug/tracing/events/syscalls/sys_exit_restart_syscall           locker_ARMV7
  File opened for reading  /sys/kernel/debug/tracing/events/syscalls/sys_exit_setdomainname             locker_ARMV7
  File opened for reading  /sys/kernel/debug/tracing/events/ipi                                         locker_ARMV7
  File opened for reading  /sys/fs/cgroup/systemd/system.slice/rsyslog.service                          locker_ARMV7
  File opened for reading  /sys/kernel/irq/54                                                           locker_ARMV7
  File opened for reading  /sys/kernel/debug/tracing/events/syscalls/sys_exit_adjtimex                  locker_ARMV7
  File opened for reading  /sys/bus/platform/drivers/pwmss                                              locker_ARMV7
  File opened for reading  /sys/module/tpm/parameters                                                   locker_ARMV7
  File opened for reading  /sys/kernel/debug/tracing/events/syscalls/sys_enter_sendto                   locker_ARMV7
  File opened for reading  /sys/devices/virtual/misc/cpu_dma_latency/power                              locker_ARMV7
  File opened for reading  /sys/kernel/debug/tracing/events/syscalls/sys_enter_symlinkat                locker_ARMV7
  File opened for reading  /sys/devices/virtual/misc/network_throughput/power                           locker_ARMV7
  File opened for reading  /sys/devices/virtual/tty/tty1                                                locker_ARMV7
  File opened for reading  /sys/devices/virtual/vc/vcsa1/power                                          locker_ARMV7
  File opened for reading  /sys/kernel/debug/tracing/events/regulator/regulator_enable_delay            locker_ARMV7
  File opened for reading  /sys/kernel/debug/tracing/events/syscalls/sys_enter_fsetxattr                locker_ARMV7
  File opened for reading  /sys/kernel/debug/tracing/events/compaction/mm_compaction_kcompactd_sleep    locker_ARMV7
  File opened for reading  /sys/kernel/debug/tracing/events/syscalls/sys_enter_prctl                    locker_ARMV7
  File opened for reading  /sys/firmware/devicetree/base/fw-cfg@9020000                                 locker_ARMV7
  File opened for reading  /sys/bus/clockevents                                                         locker_ARMV7
  File opened for reading  /sys/kernel/debug/tracing/events/ext4/ext4_fallocate_exit                    locker_ARMV7
  File opened for reading  /sys/kernel/debug/tracing/events/clk/clk_set_phase_complete                  locker_ARMV7
  File opened for reading  /sys/kernel/debug/tracing/events/syscalls/sys_enter_llseek                   locker_ARMV7
  File opened for reading  /sys/devices/virtual/misc/psaux                                              locker_ARMV7
  File opened for reading  /sys/fs/cgroup/systemd/system.slice/systemd-journald.service                 locker_ARMV7
  File opened for reading  /sys/module/stahp/sections                                                   locker_ARMV7
  File opened for reading  /sys/kernel/debug/tracing/events/rcu/rcu_utilization                         locker_ARMV7
  File opened for reading  /sys/kernel/debug/tracing/events/syscalls/sys_enter_shmdt                    locker_ARMV7
  File opened for reading  /sys/bus/spi/devices                                                         locker_ARMV7
  File opened for reading  /sys/module/crc32c_generic/notes                                             locker_ARMV7
  File opened for reading  /sys/module/ip_tables/notes                                                  locker_ARMV7
  File opened for reading  /sys/kernel/debug/tracing/events/syscalls/sys_exit_fcntl64                   locker_ARMV7
  File opened for reading  /sys/bus/platform/drivers/bcm2835-dma                                        locker_ARMV7
  File opened for reading  /sys/kernel/debug/tracing/events/syscalls/sys_exit_getegid16                 locker_ARMV7
  File opened for reading  /sys/module/virtio_mmio                                                      locker_ARMV7
  File opened for reading  /sys/module/ip_tables/holders                                                locker_ARMV7
  File opened for reading  /sys/kernel/debug/tracing/events/ext4/ext4_nfs_commit_metadata              locker_ARMV7
  File opened for reading  /sys/kernel/debug/tracing/events/syscalls/sys_exit_sync                      locker_ARMV7
  File opened for reading  /sys/kernel/debug/tracing/events/syscalls/sys_enter_init_module              locker_ARMV7
  File opened for reading  /sys/devices/virtual/tty/tty33                                               locker_ARMV7
  File opened for reading  /sys/module/mmcblk                                                           locker_ARMV7
  File opened for reading  /sys/kernel/debug/tracing/events/net/netif_rx_entry                          locker_ARMV7
  File opened for reading  /sys/kernel/debug/tracing/events/sched/sched_kthread_stop_ret                locker_ARMV7
  File opened for reading  /sys/kernel/debug/tracing/events/vb2/vb2_dqbuf                               locker_ARMV7
  File opened for reading  /sys/module/mousedev/parameters                                              locker_ARMV7
  File opened for reading  /sys/devices/platform/a001e00.virtio_mmio                                    locker_ARMV7
  File opened for reading  /sys/kernel/debug/tracing/events/syscalls/sys_enter_read                     locker_ARMV7
  File opened for reading  /sys/kernel/debug/tracing/events/syscalls/sys_enter_munlockall               locker_ARMV7
  File opened for reading  /sys/kernel/debug/tracing/events/raw_syscalls                                locker_ARMV7
  File opened for reading  /sys/class/pci_bus                                                           locker_ARMV7
  File opened for reading  /sys/class/input                                                             locker_ARMV7
  File opened for reading  /sys/fs/cgroup/devices/system.slice/-.mount                                  locker_ARMV7
  File opened for reading  /sys/bus/amba/drivers/uart-pl010                                             locker_ARMV7
  File opened for reading  /sys/module/mt20xx                                                           locker_ARMV7
  File opened for reading  /sys/kernel/debug/tracing/events/ext4/ext4_ext_load_extent                   locker_ARMV7
  File opened for reading  /sys/kernel/debug/tracing/events/writeback/sb_mark_inode_writeback           locker_ARMV7
  File opened for reading  /sys/devices/virtual/tty/tty62                                               locker_ARMV7

  description              ioc                            Process
  File opened for reading  /proc/irq/53                   locker_ARMV7
  File opened for reading  /proc/filesystems              lsblk
  File opened for reading  /proc/fs/ext4                  locker_ARMV7
  File opened for reading  /proc/irq/50/virtio0           locker_ARMV7
  File opened for reading  /proc/irq/54/uart-pl011        locker_ARMV7
  File opened for reading  /proc/irq/58                   locker_ARMV7
  File opened for reading  /proc/bus/pci/devices          lscpu
  File opened for reading  /proc/fs                       locker_ARMV7
  File opened for reading  /proc/fs/jbd2                  locker_ARMV7
  File opened for reading  /proc/fs/nfsd                  locker_ARMV7
  File opened for reading  /proc/bus                      locker_ARMV7
  File opened for reading  /proc/irq/18                   locker_ARMV7
  File opened for reading  /proc/irq/58/GPIO Key Poweroff locker_ARMV7
  File opened for reading  /proc/sys/dev                  locker_ARMV7
  File opened for reading  /proc/device-tree/compatible   lscpu
  File opened for reading  /proc/self/status              lscpu
  File opened for reading  /proc/sys/fs/binfmt_misc       locker_ARMV7
  File opened for reading  /proc/irq/53/rtc-pl031         locker_ARMV7
  File opened for reading  /proc/sys/fs                   locker_ARMV7
  File opened for reading  /proc/fs/ext4/vda1             locker_ARMV7
  File opened for reading  /proc/fs/jbd2/vda1-8           locker_ARMV7
  File opened for reading  /proc/sys                      locker_ARMV7
  File opened for reading  /proc/sys/debug                locker_ARMV7
  File opened for reading  /proc/bus/input                locker_ARMV7
  File opened for reading  /proc/irq/51/virtio1           locker_ARMV7
  File opened for reading  /proc/irq/50                   locker_ARMV7
  File opened for reading  /proc/bus/pci                  locker_ARMV7
  File opened for reading  /proc/irq/17                   locker_ARMV7
  File opened for reading  /proc/irq/51                   locker_ARMV7
  File opened for reading  /proc/sys/dev/tty              locker_ARMV7
  File opened for reading  /proc/sys/kernel/osrelease     lscpu
  File opened for reading  /proc/irq/19                   locker_ARMV7
  File opened for reading  /proc/irq                      locker_ARMV7
  File opened for reading  /proc/irq/16                   locker_ARMV7
  File opened for reading  /proc/irq/54                   locker_ARMV7
  File opened for reading  /proc/efi/systab               lscpu
  File opened for reading  /proc/cpu                      locker_ARMV7
Processes (depth, image path, command line, PID; signatures listed under the process that triggered them)

1  /tmp/1007BF65F80311D2/locker_ARMV7  /tmp/1007BF65F80311D2/locker_ARMV7  PID:655
     - Traces remote process
     - Reads network interface configuration
     - Reads CPU attributes
     - Enumerates kernel/hardware configuration
     - Reads runtime system information
  2  /bin/sh  sh -c "vim-cmd hostsvc/hostsummary | grep cpuModel | cut -d '\"' -f2"  PID:657
    3  /bin/grep  grep cpuModel  PID:660
    3  /usr/bin/cut  cut -d "\"" -f2  PID:661
  2  /bin/sh  sh -c "lscpu | grep \"Model name\" | cut -d ':' -f2"  PID:663
    3  /usr/bin/lscpu  lscpu  PID:666
         - Checks system information (zLinux)
         - Checks CPU configuration
         - Reads CPU attributes
         - Reads runtime system information
    3  /bin/grep  grep "Model name"  PID:667
    3  /usr/bin/cut  cut -d : -f2  PID:668
  2  /bin/sh  sh -c "esxcli storage filesystem list | tail -n +3"  PID:670
    3  /usr/bin/tail  tail -n +3  PID:674
  2  /bin/sh  sh -c "lsblk -io KNAME,TYPE,SIZE,MODEL | tail -n +2"  PID:676
    3  /bin/lsblk  lsblk -io "KNAME,TYPE,SIZE,MODEL"  PID:678
         - Reads runtime system information
    3  /usr/bin/tail  tail -n +2  PID:679
  2  /bin/sh  sh -c "uname -a"  PID:682
    3  /bin/uname  uname -a  PID:683
  2  /bin/sh  sh -c "vmware -v"  PID:684