Analysis

  • max time kernel
    2s
  • platform
    debian-9_armhf
  • resource
    debian9-armhf-20240611-en
  • resource tags

    arch:armhf, image:debian9-armhf-20240611-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
  • submitted
    19-12-2024 22:25

General

  • Target

    1007BF65F80311D2/locker_ARMV7

  • Size

    87KB

  • MD5

    89d3236f0129595a919cc70728b9316e

  • SHA1

    107f6e9ab0cb01247f2c5d65388dad8fb67d4804

  • SHA256

    cfc9ba36d03736d01a6208e0c9cc3cd7db29c1f8e531f53ae7dce812f19c08bb

  • SHA512

    ca23b1285131eacc437f44961e8bb71c52932f399a3aee35069ee2e490fc1cf8e53c0656701e938afb8930640447b0b8ecdb6885fe908a312a11ed29c8eb4466

  • SSDEEP

    1536:BcwSL24h5CJB/bfDZv3v+AToZTZ7rnCWz6J6nqPfBoU+Vq+Eauk2rVSx731fHBze:KFLr5CJBwHZTZaWuJt5oDVq+Eauk2rVN

Score
8/10

Malware Config

Signatures

  • Traces remote process 1 IoCs
  • Checks system information (zLinux) 1 TTPs 1 IoCs

    Check system information on IBM zSystems which indicate if the system is a virtual machine.

  • Reads network interface configuration 2 TTPs 6 IoCs

    Fetches information about one or more active network interfaces.

  • Checks CPU configuration 1 TTPs 1 IoCs

    Checks CPU information which indicate if the system is a virtual machine.

  • Reads CPU attributes 1 TTPs 15 IoCs
  • Enumerates kernel/hardware configuration 1 TTPs 64 IoCs

    Reads contents of /sys virtual filesystem to enumerate system information.

  • Reads runtime system information 37 IoCs

    Reads data from /proc virtual filesystem.

Processes

  • /tmp/1007BF65F80311D2/locker_ARMV7
    /tmp/1007BF65F80311D2/locker_ARMV7
    1⤵
    • Traces remote process
    • Reads network interface configuration
    • Reads CPU attributes
    • Enumerates kernel/hardware configuration
    • Reads runtime system information
    PID:655
    • /bin/sh
      sh -c "vim-cmd hostsvc/hostsummary | grep cpuModel | cut -d '\"' -f2"
      2⤵
      PID:657
      • /bin/grep
        grep cpuModel
        3⤵
        PID:660
      • /usr/bin/cut
        cut -d "\"" -f2
        3⤵
        PID:661
    • /bin/sh
      sh -c "lscpu | grep \"Model name\" | cut -d ':' -f2"
      2⤵
      PID:663
      • /usr/bin/lscpu
        lscpu
        3⤵
        • Checks system information (zLinux)
        • Checks CPU configuration
        • Reads CPU attributes
        • Reads runtime system information
        PID:666
      • /bin/grep
        grep "Model name"
        3⤵
        PID:667
      • /usr/bin/cut
        cut -d : -f2
        3⤵
        PID:668
    • /bin/sh
      sh -c "esxcli storage filesystem list | tail -n +3"
      2⤵
      PID:670
      • /usr/bin/tail
        tail -n +3
        3⤵
        PID:674
    • /bin/sh
      sh -c "lsblk -io KNAME,TYPE,SIZE,MODEL | tail -n +2"
      2⤵
      PID:676
      • /bin/lsblk
        lsblk -io "KNAME,TYPE,SIZE,MODEL"
        3⤵
        • Reads runtime system information
        PID:678
      • /usr/bin/tail
        tail -n +2
        3⤵
        PID:679
    • /bin/sh
      sh -c "uname -a"
      2⤵
      PID:682
      • /bin/uname
        uname -a
        3⤵
        PID:683
    • /bin/sh
      sh -c "vmware -v"
      2⤵
      PID:684

Network

MITRE ATT&CK Enterprise v15