Overview

Task | Platform | Score
--- | --- | ---
overview | - | 10
static | - | 10
329D6F9DDB...I_I386 | ubuntu-22.04-amd64 | -
329D6F9DDB...XI_X64 | ubuntu-24.04-amd64 | 8
LBB.exe | windows7-x64 | 9
LBB.exe | windows10-2004-x64 | 9
LBB_PS1.ps1 | windows7-x64 | 5
LBB_PS1.ps1 | windows10-2004-x64 | 9
LBB_PS1_ob...ed.ps1 | windows7-x64 | 3
LBB_PS1_ob...ed.ps1 | windows10-2004-x64 | 3
LBB_PS1_pass.ps1 | windows7-x64 | 10
LBB_PS1_pass.ps1 | windows10-2004-x64 | 10
LBB_Reflec...in.dll | windows7-x64 | 9
LBB_Reflec...in.dll | windows10-2004-x64 | 7
LBB_Rundll32.dll | windows7-x64 | 3
LBB_Rundll32.dll | windows10-2004-x64 | 3
LBB_Rundll32_pass.dll | windows7-x64 | 10
LBB_Rundll32_pass.dll | windows10-2004-x64 | 10
LBB_pass.exe | windows7-x64 | 10
LBB_pass.exe | windows10-2004-x64 | 10
FC8E43EC21...32.exe | windows7-x64 | 7
FC8E43EC21...32.exe | windows10-2004-x64 | 7
FC8E43EC21...64.exe | windows7-x64 | 7
FC8E43EC21...64.exe | windows10-2004-x64 | 7

Analysis

- max time kernel: 4s
- max time network: 128s
- platform: ubuntu-24.04_amd64
- resource: ubuntu2404-amd64-20240729-en
- resource tags: arch:amd64, arch:i386, image:ubuntu2404-amd64-20240729-en, kernel:6.8.0-31-generic, locale:en-us, os:ubuntu-24.04-amd64, system
- submitted: 21-12-2024 14:36
Behavioral tasks

Task | Sample | Resource
--- | --- | ---
behavioral1 | 329D6F9DDBF138D4/locker_ESXI_I386 | ubuntu2204-amd64-20240611-en
behavioral2 | 329D6F9DDBF138D4/locker_ESXI_X64 | ubuntu2404-amd64-20240729-en
behavioral3 | LBB.exe | win7-20240903-en
behavioral4 | LBB.exe | win10v2004-20241007-en
behavioral5 | LBB_PS1.ps1 | win7-20240903-en
behavioral6 | LBB_PS1.ps1 | win10v2004-20241007-en
behavioral7 | LBB_PS1_obfuscated.ps1 | win7-20240708-en
behavioral8 | LBB_PS1_obfuscated.ps1 | win10v2004-20241007-en
behavioral9 | LBB_PS1_pass.ps1 | win7-20241010-en
behavioral10 | LBB_PS1_pass.ps1 | win10v2004-20241007-en
behavioral11 | LBB_ReflectiveDll_DllMain.dll | win7-20240729-en
behavioral12 | LBB_ReflectiveDll_DllMain.dll | win10v2004-20241007-en
behavioral13 | LBB_Rundll32.dll | win7-20240903-en
behavioral14 | LBB_Rundll32.dll | win10v2004-20241007-en
behavioral15 | LBB_Rundll32_pass.dll | win7-20240903-en
behavioral16 | LBB_Rundll32_pass.dll | win10v2004-20241007-en
behavioral17 | LBB_pass.exe | win7-20241010-en
behavioral18 | LBB_pass.exe | win10v2004-20241007-en
behavioral19 | FC8E43EC21BE9047/lbg32.exe | win7-20240903-en
behavioral20 | FC8E43EC21BE9047/lbg32.exe | win10v2004-20241007-en
behavioral21 | FC8E43EC21BE9047/lbg64.exe | win7-20240903-en
behavioral22 | FC8E43EC21BE9047/lbg64.exe | win10v2004-20241007-en
General

- Target: 329D6F9DDBF138D4/locker_ESXI_X64
- Size: 93KB
- MD5: b76b092f5188ccc8a046ffb4659c3641
- SHA1: 82e19d8b7bc5379528feb9c3a335d70d79358229
- SHA256: dd1cf10faf4e638bb5a0efeeaa4bc2f1c91557c22e93d3f135e7e7c7f0e7be55
- SHA512: bf06f2d65f7eca482066da6b1cace219cba2e2ebae0034de3e3bae429a2e821ea2d35a41534d6d9d159ae992ef0b5c5a268a48a05ae1fbb0da69a2122631653f
- SSDEEP: 1536:Jv8RiloA2YObuLk8WKP/gCILnPG+atNoU+tqRAJy+p4G:1Zl/2Ym8LZOnPG+iNoDtqRaya
Malware Config

Signatures

- Traces remote process (1 IoC)
  PID 2515, process locker_ESXI_X64

- Reads AppArmor ptrace settings (1 TTP, 1 IoC)
  Discovery of allowed ptrace capabilities by AppArmor.
  File opened for reading by locker_ESXI_X64:
    /sys/kernel/security/apparmor/features/ptrace

- Enumerates running processes
  Discovers information about currently running processes on the system.

- Reads hardware information (1 TTP, 1 IoC)
  Accesses system info like serial numbers, manufacturer names etc.
  File opened for reading by locker_ESXI_X64:
    /sys/devices/virtual/dmi/id/power

- Reads network interface configuration (2 TTPs, 12 IoCs)
  Fetches information about one or more active network interfaces.
  Files opened for reading by locker_ESXI_X64:
    /sys/devices/pci0000:00/0000:00:03.0/net/ens3/queues
    /sys/devices/pci0000:00/0000:00:03.0/net/ens3/queues/tx-0/byte_queue_limits
    /sys/devices/virtual/net/lo/statistics
    /sys/devices/virtual/net/lo/power
    /sys/devices/virtual/net/lo/queues
    /sys/devices/virtual/net/lo/queues/rx-0
    /sys/devices/pci0000:00/0000:00:03.0/net/ens3/statistics
    /sys/devices/pci0000:00/0000:00:03.0/net/ens3/power
    /sys/devices/virtual/net/lo/queues/tx-0
    /sys/devices/virtual/net/lo/queues/tx-0/byte_queue_limits
    /sys/devices/pci0000:00/0000:00:03.0/net/ens3/queues/tx-0
    /sys/devices/pci0000:00/0000:00:03.0/net/ens3/queues/rx-0

- Checks CPU configuration (1 TTP, 1 IoC)
  Checks CPU information that can indicate whether the system is a virtual machine.
  File opened for reading by ps (the `ps auxf` child the locker spawned, see the process tree below), not by locker_ESXI_X64 itself:
    /proc/cpuinfo

- Reads CPU attributes (1 TTP, 16 IoCs)
  Files opened for reading by locker_ESXI_X64:
    /sys/devices/system/cpu/cpu0/cache/index3
    /sys/devices/system/cpu/cpu0/power
    /sys/devices/system/cpu/cpu0/cache
    /sys/devices/system/cpu/cpu0/cache/index1
    /sys/devices/system/cpu/smt
    /sys/devices/system/cpu/cpu0/hotplug
    /sys/devices/system/cpu/vulnerabilities
    /sys/devices/system/cpu/cpuidle
    /sys/devices/system/cpu/power
    /sys/devices/system/cpu/cpu0
    /sys/devices/system/cpu/cpu0/topology
    /sys/devices/system/cpu/cpu0/cache/index2
    /sys/devices/system/cpu/cpu0/cache/index0
    /sys/devices/system/cpu/hotplug
    /sys/devices/system/cpu/cpufreq
  File opened for reading by ps:
    /sys/devices/system/cpu/possible

- Enumerates kernel/hardware configuration (1 TTP, 64 IoCs)
  Reads contents of /sys virtual filesystem to enumerate system information.
  Files opened for reading by locker_ESXI_X64:
    /sys/kernel/debug/tracing/events/page_pool/page_pool_state_hold
    /sys/devices/pci0000:00/0000:00:06.0/power
    /sys/module/keyboard/parameters
    /sys/devices/platform/i8042/serio0
    /sys/devices/virtual/vc/vcs4
    /sys/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:1c
    /sys/kernel/tracing/events/ksm
    /sys/kernel/debug/tracing/events/ext4/ext4_mb_new_group_pa
    /sys/kernel/debug/pinctrl
    /sys/devices/virtual/tty/tty40
    /sys/bus/acpi/drivers/ec
    /sys/module/pata_acpi/drivers
    /sys/kernel/tracing/events/clk/clk_rate_request_start
    /sys/kernel/debug/tracing/events/ipi
    /sys/kernel/tracing/events/cfg80211/rdev_update_mesh_config
    /sys/devices/virtual/workqueue/scsi_tmf_7
    /sys/kernel/tracing/events/ext4/ext4_load_inode_bitmap
    /sys/class/scsi_generic
    /sys/kernel/tracing/events/syscalls/sys_enter_linkat
    /sys/kernel/tracing/events/syscalls/sys_enter_open_tree
    /sys/kernel/tracing/events/cfg80211/rdev_tdls_oper
    /sys/kernel/debug/tracing/events/btrfs/btrfs_add_unused_block_group
    /sys/kernel/slab/:A-0000016
    /sys/kernel/debug/tracing/events/power/wakeup_source_activate
    /sys/kernel/debug/block/vda/hctx0/cpu0
    /sys/devices/platform/floppy.0
    /sys/module/virtio_net
    /sys/kernel/tracing/events/syscalls/sys_exit_futex_requeue
    /sys/kernel/tracing/events/syscalls/sys_enter_fsetxattr
    /sys/kernel/debug/tracing/events/syscalls/sys_enter_munlockall
    /sys/devices/virtual/bdi
    /sys/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:04/wakeup
    /sys/kernel/tracing/events/syscalls/sys_enter_getpgrp
    /sys/devices/virtual/graphics
    /sys/kernel/debug/tracing/events/module/module_get
    /sys/kernel/debug/tracing/events/xhci-hcd/xhci_dbc_alloc_request
    /sys/kernel/debug/tracing/events/syscalls/sys_exit_readlink
    /sys/devices/virtual/workqueue/raid5wq
    /sys/kernel/tracing/events/syscalls/sys_exit_mlockall
    /sys/kernel/tracing/events/workqueue
    /sys/kernel/debug/tracing/events/cfg80211/rdev_set_pmk
    /sys/kernel/tracing/events/syscalls/sys_enter_seccomp
    /sys/kernel/tracing/events/syscalls/sys_enter_faccessat
    /sys/kernel/tracing/events/cfg80211/rdev_add_nan_func
    /sys/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:00/wakeup
    /sys/kernel/tracing/events/io_uring/io_uring_short_write
    /sys/kernel/tracing/events/gpio
    /sys/kernel/debug/tracing/events/cfg80211/rdev_mgmt_tx_cancel_wait
    /sys/kernel/tracing/events/syscalls/sys_enter_get_mempolicy
    /sys/kernel/tracing/events/nmi/nmi_handler
    /sys/kernel/tracing/events/syscalls/sys_enter_sysfs
    /sys/module/ip_tables/sections
    /sys/kernel/debug/tracing/events/syscalls/sys_exit_write
    /sys/kernel/debug/tracing/events/syscalls/sys_exit_listen
    /sys/devices/system/machinecheck/machinecheck0/power
    /sys/bus/platform/drivers/simple-framebuffer
    /sys/module/polyval_generic/holders
    /sys/kernel/tracing/events/writeback/wbc_writepage
    /sys/kernel/debug/tracing/events/hyperv/hyperv_nested_flush_guest_mapping
    /sys/kernel/debug/tracing/events/block/block_io_start
    /sys/kernel/debug/tracing/events/iommu
    /sys/kernel/tracing/events/hwmon/hwmon_attr_store
    /sys/kernel/debug/tracing/events/syscalls/sys_exit_utime
    /sys/kernel/slab/kmalloc-rnd-02-192

- Reads runtime system information (64 IoCs)
  Files opened for reading by locker_ESXI_X64:
    /proc/8/task/8
    /proc/34
    /proc/275/task/275/fd
    /proc/1976/task/2114/net/netfilter
    /proc/1136/task
    /proc/1864/task/1864/ns
    /proc/2029/task/2091/net/netfilter
    /proc/2277/task/2279/net/netfilter
    /proc/2322
    /proc/1833/task/1841/ns
    /proc/2340/task/2343/fdinfo
    /proc/2029/task/2092/net/dev_snmp6
    /proc/2233/task/2238/attr/smack
    /proc/2288/task/2290/fd
    /proc/29/task/29/net/stat
    /proc/56/attr/apparmor
    /proc/512/task/512/fdinfo
    /proc/1071/net
    /proc/1977/task/2021/fd
    /proc/2311/task/2314/net/netfilter
    /proc/2/ns
    /proc/tty
    /proc/1353/task/1359/fd
    /proc/1410/task/1412
    /proc/2055/task/2145/net/netfilter
    /proc/2362/attr/smack
    /proc/192/task/192/net
    /proc/592/task/593/net/netfilter
    /proc/1890/task/1893/fdinfo
    /proc/2322/map_files
    /proc/7/attr/apparmor
    /proc/53/task/53/attr/apparmor
    /proc/202/task/202/net
    /proc/433/task/433/net/netfilter
    /proc/1833/ns
    /proc/1911/task/1918/net/dev_snmp6
    /proc/1970/net/stat
    /proc/2007
    /proc/1054/task/1054/attr/smack
    /proc/1977/attr/apparmor
    /proc/2288/task/2290
    /proc/17/task/17/attr/apparmor
    /proc/18/attr/smack
    /proc/1353/task/1358/attr/apparmor
    /proc/1711/task/1712/attr
    /proc/13/task/13/net/stat
    /proc/190/task/190/attr
    /proc/1970/task/2052/net
    /proc/2277/map_files
    /proc/1831/task/1835/net/netfilter
    /proc/irq/4
    /proc/33/task/33/fdinfo
    /proc/1101/task/1101/net
    /proc/1410/task/1411/net
    /proc/1719/task/1726/attr/smack
    /proc/19/task/19/net/stat
    /proc/20/map_files
    /proc/45/task/45/net/stat
    /proc/2160/task/2196
  Files opened for reading by ps:
    /proc/14/stat
    /proc/11/environ
    /proc/2553/environ
    /proc/2269/status
    /proc/30/environ
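The IoC lists above arrive as one flattened run of "File opened for reading <path> <process>" records, and some of them belong to `ps`, the child the locker spawned, rather than to the locker itself. The parser below is an added example, not part of the sandbox report: it splits such a run into records and tallies them per process and per path class (AppArmor ptrace features, DMI, network interfaces, CPU, LSM attribute files under /proc, virtio module entries as a virtualization hint) so the locker's own reads can be told apart from tool noise. The class names and regexes are mine; SAMPLE_TEXT is a subset of the records copied from this report.

```python
"""Parse flattened sandbox "File opened for reading" records and summarise
them per process and path class.  Added example; the record format is the one
used in the report's Signatures section, the path classes are my own."""
import re
from collections import defaultdict

RECORD_RE = re.compile(r"File opened for reading (\S+) (\S+)")

# Checked in order, first match wins.  Names follow the report's signature
# names where one exists; "virt_hint" and "sysfs_other" are mine.
PATH_CLASSES = [
    ("apparmor_ptrace", re.compile(r"^/sys/kernel/security/apparmor/")),
    ("hardware_dmi",    re.compile(r"^/sys/devices/virtual/dmi/")),
    ("network_iface",   re.compile(r"^/sys/(devices/.+|class)/net/")),
    ("cpu",             re.compile(r"^(/sys/devices/system/cpu/|/proc/cpuinfo$)")),
    ("virt_hint",       re.compile(r"^/sys/module/virtio_|^/sys/bus/virtio/")),
    ("proc_lsm_attr",   re.compile(r"^/proc/\d+/(task/\d+/)?attr/")),
    ("proc_runtime",    re.compile(r"^/proc/")),
    ("sysfs_other",     re.compile(r"^/sys/")),
]


def parse_records(text):
    """Return [(path, process), ...] from a flattened run of records."""
    return RECORD_RE.findall(text)


def classify_path(path):
    """Map a path to the first matching class name, or "other"."""
    for name, pattern in PATH_CLASSES:
        if pattern.search(path):
            return name
    return "other"


def summarize(records):
    """Return {process: {path_class: count}}.  Splitting by process is the
    point: reads done by `ps` are tool noise, reads done by the locker are
    its own reconnaissance."""
    summary = defaultdict(lambda: defaultdict(int))
    for path, process in records:
        summary[process][classify_path(path)] += 1
    return {proc: dict(counts) for proc, counts in summary.items()}


def paths_in_class(records, path_class):
    """List the paths (any process) that fall into one class."""
    return [p for p, _ in records if classify_path(p) == path_class]


# Subset of the report's own records, copied verbatim from the lists above.
SAMPLE_TEXT = (
    "File opened for reading /sys/kernel/security/apparmor/features/ptrace locker_ESXI_X64 "
    "File opened for reading /sys/devices/virtual/dmi/id/power locker_ESXI_X64 "
    "File opened for reading /sys/devices/pci0000:00/0000:00:03.0/net/ens3/statistics locker_ESXI_X64 "
    "File opened for reading /sys/devices/virtual/net/lo/statistics locker_ESXI_X64 "
    "File opened for reading /proc/cpuinfo ps "
    "File opened for reading /sys/devices/system/cpu/possible ps "
    "File opened for reading /sys/devices/system/cpu/vulnerabilities locker_ESXI_X64 "
    "File opened for reading /sys/module/virtio_net locker_ESXI_X64 "
    "File opened for reading /sys/kernel/slab/kmalloc-rnd-02-192 locker_ESXI_X64 "
    "File opened for reading /proc/56/attr/apparmor locker_ESXI_X64 "
    "File opened for reading /proc/2233/task/2238/attr/smack locker_ESXI_X64 "
    "File opened for reading /proc/11/environ ps "
    "File opened for reading /proc/2269/status ps "
    "File opened for reading /proc/1976/task/2114/net/netfilter locker_ESXI_X64"
)

if __name__ == "__main__":
    records = parse_records(SAMPLE_TEXT)
    for process, counts in sorted(summarize(records).items()):
        print(process, dict(sorted(counts.items())))
    print("virtualization hints:", paths_in_class(records, "virt_hint"))
```

Run against the full record run from the report, the per-process split shows that every /proc/*/attr/apparmor and attr/smack read and the /sys enumeration belong to locker_ESXI_X64, while the /proc/cpuinfo, environ and status reads belong to ps.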
Processes

- /tmp/329D6F9DDBF138D4/locker_ESXI_X64 (PID 2515)
  command line: /tmp/329D6F9DDBF138D4/locker_ESXI_X64
  signatures: Traces remote process; Reads AppArmor ptrace settings; Reads hardware information; Reads network interface configuration; Reads CPU attributes; Enumerates kernel/hardware configuration; Reads runtime system information
  - /bin/sh (PID 2516): sh -c -- "vim-cmd hostsvc/hostsummary | grep cpuModel | cut -d '\"' -f2"
    - /usr/bin/grep (PID 2519): grep cpuModel
    - /usr/bin/cut (PID 2520): cut -d "\"" -f2
  - /bin/sh (PID 2521): sh -c -- "esxcli storage filesystem list | tail -n +3"
    - /usr/bin/tail (PID 2523): tail -n +3
  - /bin/sh (PID 2524): sh -c -- "lsblk -io KNAME,TYPE,SIZE,MODEL | tail -n +2"
    - /usr/bin/lsblk (PID 2525): lsblk -io "KNAME,TYPE,SIZE,MODEL"
    - /usr/bin/tail (PID 2526): tail -n +2
  - /bin/sh (PID 2527): sh -c -- "uname -a"
    - /usr/bin/uname (PID 2528): uname -a
  - /bin/sh (PID 2529): sh -c -- "vmware -v"
  - /bin/sh (PID 2551): sh -c -- "ls -alR /vmfs/"
    - /usr/bin/ls (PID 2552): ls -alR /vmfs/
  - /bin/sh (PID 2553): sh -c -- "ps auxf"
    - /usr/bin/ps (PID 2554): ps auxf
      signatures: Checks CPU configuration; Reads CPU attributes; Reads runtime system information
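The tree above is the locker's pre-encryption reconnaissance: it shells out for the host CPU model (`vim-cmd hostsvc/hostsummary | grep cpuModel`), the datastore list (`esxcli storage filesystem list`), block devices, kernel version, the hypervisor version (`vmware -v`), a recursive listing of /vmfs/ and the process list. Because the sandbox image is Ubuntu rather than ESXi, vim-cmd, esxcli and vmware do not exist there, which is why only grep, cut and tail appear as grandchildren of those shells and the `vmware -v` shell has no child at all; the ESXi-specific code paths were not exercised in this run. The detector below is an added example, not part of the report or of any vendor product: it groups child command lines by parent process and alerts when one parent covers at least two of the ESXi-specific commands, so a single esxcli call from an admin shell stays quiet. The event shape (pid, ppid, exe, cmdline) is an assumed generic process-creation record; SAMPLE_EVENTS is constructed from the report's tree, with the locker's own parent PID set to 1 because the report does not show it, plus two constructed benign events.

```python
"""Flag a parent process whose children run the ESXi reconnaissance chain seen
in the report's process tree.  Added example; input events are assumed to come
from an EDR, auditd or eBPF exec sensor as (pid, ppid, exe, cmdline)."""
import re
from collections import defaultdict

# Command patterns taken from the sh -c children in the report's process tree.
RECON_PATTERNS = {
    "host_summary":   re.compile(r"vim-cmd\s+hostsvc/hostsummary"),
    "datastore_list": re.compile(r"esxcli\s+storage\s+filesystem\s+list"),
    "vmfs_walk":      re.compile(r"\bls\s+-alR\s+/vmfs/?"),
    "vmware_version": re.compile(r"\bvmware\s+-v\b"),
    "block_devices":  re.compile(r"\blsblk\b"),
    "kernel_info":    re.compile(r"\buname\s+-a\b"),
    "process_list":   re.compile(r"\bps\s+auxf?\b"),
}
# Only these exist on ESXi; lsblk/uname/ps are ordinary admin noise anywhere.
ESXI_SPECIFIC = {"host_summary", "datastore_list", "vmfs_walk", "vmware_version"}


def classify(cmdline):
    """Return the set of technique names a single command line matches."""
    return {name for name, pat in RECON_PATTERNS.items() if pat.search(cmdline)}


def find_recon_parents(events, min_esxi_hits=2):
    """Correlate matching children per parent PID and alert on any parent whose
    children cover at least `min_esxi_hits` distinct ESXi-specific techniques."""
    exe_by_pid = {ev["pid"]: ev["exe"] for ev in events}
    hits_by_parent = defaultdict(set)
    children_by_parent = defaultdict(list)
    for ev in events:
        hits = classify(ev["cmdline"])
        if hits:
            hits_by_parent[ev["ppid"]] |= hits
            children_by_parent[ev["ppid"]].append(ev["pid"])
    alerts = []
    for ppid, hits in hits_by_parent.items():
        esxi_hits = hits & ESXI_SPECIFIC
        if len(esxi_hits) >= min_esxi_hits:
            alerts.append({
                "ppid": ppid,
                "exe": exe_by_pid.get(ppid, "<unknown>"),
                "esxi_techniques": sorted(esxi_hits),
                "other_techniques": sorted(hits - ESXI_SPECIFIC),
                "child_pids": sorted(children_by_parent[ppid]),
            })
    return sorted(alerts, key=lambda a: a["ppid"])


LOCKER = "/tmp/329D6F9DDBF138D4/locker_ESXI_X64"

# Constructed from the report's tree (PIDs and command lines as shown there).
# The locker's parent PID is not in the report and is set to 1 here.  The last
# two events are a constructed benign admin shell running one esxcli command.
SAMPLE_EVENTS = [
    {"pid": 2515, "ppid": 1,    "exe": LOCKER,           "cmdline": LOCKER},
    {"pid": 2516, "ppid": 2515, "exe": "/bin/sh",
     "cmdline": r'''sh -c -- "vim-cmd hostsvc/hostsummary | grep cpuModel | cut -d '\"' -f2"'''},
    {"pid": 2519, "ppid": 2516, "exe": "/usr/bin/grep",  "cmdline": "grep cpuModel"},
    {"pid": 2520, "ppid": 2516, "exe": "/usr/bin/cut",   "cmdline": 'cut -d "\\"" -f2'},
    {"pid": 2521, "ppid": 2515, "exe": "/bin/sh",
     "cmdline": 'sh -c -- "esxcli storage filesystem list | tail -n +3"'},
    {"pid": 2523, "ppid": 2521, "exe": "/usr/bin/tail",  "cmdline": "tail -n +3"},
    {"pid": 2524, "ppid": 2515, "exe": "/bin/sh",
     "cmdline": 'sh -c -- "lsblk -io KNAME,TYPE,SIZE,MODEL | tail -n +2"'},
    {"pid": 2525, "ppid": 2524, "exe": "/usr/bin/lsblk", "cmdline": 'lsblk -io "KNAME,TYPE,SIZE,MODEL"'},
    {"pid": 2526, "ppid": 2524, "exe": "/usr/bin/tail",  "cmdline": "tail -n +2"},
    {"pid": 2527, "ppid": 2515, "exe": "/bin/sh",        "cmdline": 'sh -c -- "uname -a"'},
    {"pid": 2528, "ppid": 2527, "exe": "/usr/bin/uname", "cmdline": "uname -a"},
    {"pid": 2529, "ppid": 2515, "exe": "/bin/sh",        "cmdline": 'sh -c -- "vmware -v"'},
    {"pid": 2551, "ppid": 2515, "exe": "/bin/sh",        "cmdline": 'sh -c -- "ls -alR /vmfs/"'},
    {"pid": 2552, "ppid": 2551, "exe": "/usr/bin/ls",    "cmdline": "ls -alR /vmfs/"},
    {"pid": 2553, "ppid": 2515, "exe": "/bin/sh",        "cmdline": 'sh -c -- "ps auxf"'},
    {"pid": 2554, "ppid": 2553, "exe": "/usr/bin/ps",    "cmdline": "ps auxf"},
    {"pid": 3000, "ppid": 2900, "exe": "/bin/sh",        "cmdline": "-sh"},
    {"pid": 3001, "ppid": 3000, "exe": "/bin/sh",        "cmdline": "esxcli storage filesystem list"},
]

if __name__ == "__main__":
    for alert in find_recon_parents(SAMPLE_EVENTS):
        print(f"PID {alert['ppid']} ({alert['exe']}) ran ESXi recon "
              f"{', '.join(alert['esxi_techniques'])} via children {alert['child_pids']}")
```

Matching is done on the `sh -c` command lines rather than on the leaf binaries: on a real ESXi host vim-cmd and esxcli would appear as grandchildren, but the parent shell's command line carries the whole pipeline whether or not the tool exists, which is what makes the rule work on this Ubuntu run as well as on the target platform. Lowering `min_esxi_hits` to 1 trades that precision for recall and also fires on the lone `ls -alR /vmfs/` and on the admin's esxcli call.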