Analysis

  • max time kernel
    149s
  • max time network
    130s
  • platform
    ubuntu-22.04_amd64
  • resource
    ubuntu2204-amd64-20240729-en
  • resource tags

    arch:amd64arch:i386image:ubuntu2204-amd64-20240729-enkernel:5.15.0-105-genericlocale:en-usos:ubuntu-22.04-amd64system
  • submitted
    19-12-2024 22:25

General

  • Target

    1007BF65F80311D2/locker_LINUX_X64

  • Size

    89KB

  • MD5

    194a218bb7c8593df0621789488f6907

  • SHA1

    89a60bc4e8b7c8188b8f3e96e799f2e455791f87

  • SHA256

    6c5252c6653d82e1ff9f57cc0dc98e6d6c7a8c3405ffc418c5b94cc7e47cf057

  • SHA512

    c9f32b7cdf3692a62a6e727148577bbdd753bac8df09f7c97075c50fd564ae780079ec3478e136c198027523b60767ab0d298ca01476361d299dc4eea9c0435b

  • SSDEEP

    1536:h23bmHSlAhb6eo1xrac08UGNnPnEsT9VxU+tqRAsemhgYBzvI:4rmHSlAhbx+K8UUnPEsBVxDtqR19gAI

Score
8/10

Malware Config

Signatures

  • Traces remote process 1 IoCs
  • Reads AppArmor ptrace settings 1 TTPs 1 IoCs

    Discovery of allowed ptrace capabilities by AppArmor.

  • Checks system information (zLinux) 1 TTPs 1 IoCs

    Check system information on IBM zSystems which indicate if the system is a virtual machine.

  • Enumerates running processes

    Discovers information about currently running processes on the system

  • Reads hardware information 1 TTPs 1 IoCs

    Accesses system info like serial numbers, manufacturer names etc.

  • Reads network interface configuration 2 TTPs 12 IoCs

    Fetches information about one or more active network interfaces.

  • Checks CPU configuration 1 TTPs 1 IoCs

    Checks CPU information which indicate if the system is a virtual machine.

  • Reads CPU attributes 1 TTPs 64 IoCs
  • Enumerates kernel/hardware configuration 1 TTPs 64 IoCs

    Reads contents of /sys virtual filesystem to enumerate system information.

  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

  • Writes file to shm directory 1 IoCs

    Malware can drop malicious files in the shm directory which will run directly from RAM.

  • Writes file to tmp directory 2 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/1007BF65F80311D2/locker_LINUX_X64
    /tmp/1007BF65F80311D2/locker_LINUX_X64
    1⤵
    • Traces remote process
    • Reads AppArmor ptrace settings
    • Reads hardware information
    • Reads network interface configuration
    • Reads CPU attributes
    • Enumerates kernel/hardware configuration
    • Reads runtime system information
    • Writes file to shm directory
    • Writes file to tmp directory
    PID:1567
    • /bin/sh
      sh -c "vim-cmd hostsvc/hostsummary | grep cpuModel | cut -d '\"' -f2"
      2⤵
        PID:1568
        • /usr/bin/cut
          cut -d "\"" -f2
          3⤵
            PID:1571
          • /usr/bin/grep
            grep cpuModel
            3⤵
              PID:1570
          • /bin/sh
            sh -c "lscpu | grep \"Model name\" | cut -d ':' -f2"
            2⤵
              PID:1572
              • /usr/bin/cut
                cut -d : -f2
                3⤵
                  PID:1575
                • /usr/bin/grep
                  grep "Model name"
                  3⤵
                    PID:1574
                  • /usr/bin/lscpu
                    lscpu
                    3⤵
                    • Checks system information (zLinux)
                    • Checks CPU configuration
                    • Reads CPU attributes
                    PID:1573
                • /bin/sh
                  sh -c "esxcli storage filesystem list | tail -n +3"
                  2⤵
                    PID:1576
                    • /usr/bin/tail
                      tail -n +3
                      3⤵
                        PID:1578
                    • /bin/sh
                      sh -c "lsblk -io KNAME,TYPE,SIZE,MODEL | tail -n +2"
                      2⤵
                        PID:1579
                        • /usr/bin/tail
                          tail -n +2
                          3⤵
                            PID:1581
                          • /usr/bin/lsblk
                            lsblk -io "KNAME,TYPE,SIZE,MODEL"
                            3⤵
                              PID:1580
                          • /bin/sh
                            sh -c "uname -a"
                            2⤵
                              PID:1587
                              • /usr/bin/uname
                                uname -a
                                3⤵
                                  PID:1589
                              • /bin/sh
                                sh -c "vmware -v"
                                2⤵
                                  PID:1590
                                • /bin/sh
                                  sh -c "ls -alR /vmfs/"
                                  2⤵
                                    PID:1594
                                    • /usr/bin/ls
                                      ls -alR /vmfs/
                                      3⤵
                                        PID:1595
                                    • /bin/sh
                                      sh -c "ps auxf"
                                      2⤵
                                        PID:1596
                                        • /usr/bin/ps
                                          ps auxf
                                          3⤵
                                          • Reads CPU attributes
                                          • Reads runtime system information
                                          PID:1597
                                      • /bin/sh
                                        sh -c "df -h"
                                        2⤵
                                          PID:1598
                                          • /usr/bin/df
                                            df -h
                                            3⤵
                                              PID:1599

                                        Network

                                        MITRE ATT&CK Enterprise v15

                                        Replay Monitor

                                        Loading Replay Monitor...

                                        Downloads

                                        • /dev/shm/file93L7SH

                                          Filesize

                                          982.0MB

                                          MD5

                                          b93ada4d395684f6c56ce4043f7896cd

                                          SHA1

                                          a5582603cc3e1c7e83a230e8fdf9b6bf5d429981

                                          SHA256

                                          428a7be92fd3968c482d1892787083250b314c300556286367960718c4601b2d

                                          SHA512

                                          607507db929a5eccd05b015723199bbae5ee59037455bd6f479f8fb16b9225baae0579562559586cb55cb312622ccc508a772fadb166c9a8f59c770341a56d8d

                                        • /run/filemzXFy1

                                          Filesize

                                          195.1MB

                                          MD5

                                          e913c3f0000059bf0e0a16c7de883c1f

                                          SHA1

                                          907bb08debfb4318a6c0605c719cbe93f09ddcee

                                          SHA256

                                          e71b6f3d055f3af24851b4958307577e35fbd7df1f9420c16192f322022451f6

                                          SHA512

                                          c3229bc858e81f53ea24c34267c9f4bc1edb4e3ee5a46249735f11c46729d591d05202eaee29f05825104042add15d4e6e09d90fc7a176c64ffc4cc48e98057a

                                        • /run/lock/fileo9ZB9a

                                          Filesize

                                          5.0MB

                                          MD5

                                          5f363e0e58a95f06cbe9bbc662c5dfb6

                                          SHA1

                                          2e95d7582c53583fa8afb54e0fe7a2597c92cbba

                                          SHA256

                                          c036cbb7553a909f8b8877d4461924307f27ecb66cff928eeeafd569c3887e29

                                          SHA512

                                          f1e554807f6e927530f7461e2ed5e8e3509c0245e082b2db5c88763a3764d1278b88d0d220f8b7050a71b2677e463fb7a3ad1d5b0fe6588c6ff18fddf977864c

                                        • /run/user/0/fileyC8RNv

                                          Filesize

                                          196.2MB

                                          MD5

                                          7f2177279877f038d9a3d563ce547beb

                                          SHA1

                                          c9a0a684b93fc486a40878ffe9ca2e940fed2183

                                          SHA256

                                          8cfacede3d9d1fcd38090020aa51f70f2e67df931bd3ab12293bef771f3e9656

                                          SHA512

                                          5d221ef7ede3f7ab1fd3a4b981240c43a4d1ee5c477b10e555896b16f5b24385aa163ec0cec2941bf5e8feabb0a331b9a02df27bc5d5a35684026c7a229dc2a0

                                        • /tmp/filecgHKJL

                                          Filesize

                                          499.8MB

                                          MD5

                                          9385aaf5ee1c19b95599271a2b30007f

                                          SHA1

                                          25ee50fc5aa6f533c435436533b0cf1dc0b6fff4

                                          SHA256

                                          6200aaf23f7f00ea8b441d5a88f422519ec97e4a91cb2c1b5aeaa12a323826f6

                                          SHA512

                                          60c65a64e3c22e8074af39b3dfebc4876db9c18b5b3a5fc6d56b53ad143c101ef10188467514830054c110aa85e53f8453d21624f07da244034d07fb5b0ad6ab

                                        • /tmp/filexv79OA

                                          Filesize

                                          500.4MB

                                          MD5

                                          1b2de90ae958041699c550e457b02e6d

                                          SHA1

                                          915e92833b424ffb50fa7d63f87921869d8032cf

                                          SHA256

                                          0db6ed529ea411053639ed2cf3ebd069dd08c715839b825a0f5481e8c590baa7

                                          SHA512

                                          66d7fb5b9ea92865c9c215ea7f34e6c63ab0601065bc78dcabb8011aec0f83019868484b06ae63f306f3a55052215ceef6c8b82b1eff84513e9bfffa7ca2c732