f9b34255399925fcae10f34e78275446f9a90263afd3b825e889d5e631a74d0e

Resubmissions

28/03/2025, 06:04

250328-gsw1bsswcx 8

27/12/2024, 01:42

241227-b4yqeaylan 8

Analysis

max time kernel
6s
max time network
131s
platform
ubuntu-22.04_amd64
resource
ubuntu2204-amd64-20240611-en
resource tags

arch:amd64arch:i386image:ubuntu2204-amd64-20240611-enkernel:5.15.0-105-genericlocale:en-usos:ubuntu-22.04-amd64system
submitted
27/12/2024, 01:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
Size

89KB
MD5

3589e9b7abdf6e89063977847351173b
SHA1

a95652971f89587cf5f717c99c894ca2122101a0
SHA256

f9b34255399925fcae10f34e78275446f9a90263afd3b825e889d5e631a74d0e
SHA512

90550b2e8e9ddabbccf5d35907d40282db65876da1efb6e0e864ec8e8e8e1a92f2da0082b64d286f8c05087f417caa2470da1bc89f8ad55e8bd168305c7e2155
SSDEEP

1536:h23bmHSlAhb6eo1xrac08UGNnPnEsT9VxU+tqRAsemhgYBzvI:4rmHSlAhbx+K8UUnPEsBVxDtqR19gAI

Score

8^/10

antivm discovery

Malware Config

Signatures

Traces remote process 1 IoCs

pid	Process
1596	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit

Reads AppArmor ptrace settings 1 TTPs 1 IoCs

Discovery of allowed ptrace capabilities by AppArmor.

discovery

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/kernel/security/apparmor/features/ptrace	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit

Checks system information (zLinux) 1 TTPs 1 IoCs

Check system information on IBM zSystems which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

description	ioc	Process
File opened for reading	/proc/sysinfo	lscpu

Enumerates running processes
Discovers information about currently running processes on the system

Reads hardware information 1 TTPs 1 IoCs

Accesses system info like serial numbers, manufacturer names etc.

discovery

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/virtual/dmi/id/power	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit

Reads network interface configuration 2 TTPs 12 IoCs

Fetches information about one or more active network interfaces.

discovery

System Network Configuration Discovery

T1016

System Network Connections Discovery

T1049

description	ioc	Process
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/queues/tx-0/byte_queue_limits	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/queues/rx-0	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/devices/virtual/net/lo/power	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/devices/virtual/net/lo/queues/rx-0	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/statistics	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/queues/tx-0	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/devices/virtual/net/lo/statistics	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/devices/virtual/net/lo/queues	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/devices/virtual/net/lo/queues/tx-0	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/devices/virtual/net/lo/queues/tx-0/byte_queue_limits	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/power	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/queues	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit

Checks CPU configuration 1 TTPs 1 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

description	ioc	Process
File opened for reading	/proc/cpuinfo	lscpu

Reads CPU attributes 1 TTPs 64 IoCs

discovery

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/vulnerabilities/spectre_v2	lscpu
File opened for reading	/sys/devices/system/cpu/vulnerabilities/spec_rstack_overflow	lscpu
File opened for reading	/sys/devices/system/cpu/cpu0/topology/drawer_siblings	lscpu
File opened for reading	/sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq	lscpu
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index1/id	lscpu
File opened for reading	/sys/devices/system/cpu/online	lscpu
File opened for reading	/sys/devices/system/cpu/dispatching	lscpu
File opened for reading	/sys/devices/system/cpu/vulnerabilities	lscpu
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index1/type	lscpu
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/write_policy	lscpu
File opened for reading	/sys/devices/system/cpu/cpu0/cache	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/id	lscpu
File opened for reading	/sys/devices/system/cpu/power	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/devices/system/cpu/vulnerabilities/spec_store_bypass	lscpu
File opened for reading	/sys/devices/system/cpu/cpu0/topology/core_id	lscpu
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/write_policy	lscpu
File opened for reading	/sys/devices/system/cpu/cpuidle	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/devices/system/cpu/kernel_max	lscpu
File opened for reading	/sys/devices/system/cpu/cpu0/topology/book_id	lscpu
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/size	lscpu
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/type	lscpu
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/physical_line_partition	lscpu
File opened for reading	/sys/devices/system/cpu/cpufreq/boost	lscpu
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/coherency_line_size	lscpu
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/shared_cpu_map	lscpu
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index1/write_policy	lscpu
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/ways_of_associativity	lscpu
File opened for reading	/sys/devices/system/cpu/cpu0/topology	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/devices/system/cpu/possible	lscpu
File opened for reading	/sys/devices/system/cpu/vulnerabilities/itlb_multihit	lscpu
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/write_policy	lscpu
File opened for reading	/sys/devices/system/cpu/cpu0/power	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/devices/system/cpu/cpu0/topology/core_siblings	lscpu
File opened for reading	/sys/devices/system/cpu/cpu0/topology/drawer_id	lscpu
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/size	lscpu
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index1/number_of_sets	lscpu
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index1/shared_cpu_map	lscpu
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/allocation_policy	lscpu
File opened for reading	/sys/devices/system/cpu/present	lscpu
File opened for reading	/sys/devices/system/cpu/vulnerabilities/retbleed	lscpu
File opened for reading	/sys/devices/system/cpu/cpu0/topology/physical_package_id	lscpu
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index1/physical_line_partition	lscpu
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_min_freq	lscpu
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/number_of_sets	lscpu
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/size	lscpu
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/physical_line_partition	lscpu
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/level	lscpu
File opened for reading	/sys/devices/system/cpu/hotplug	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/devices/system/cpu/vulnerabilities/spectre_v1	lscpu
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/ways_of_associativity	lscpu
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index1/coherency_line_size	lscpu
File opened for reading	/sys/devices/system/cpu/vulnerabilities/tsx_async_abort	lscpu
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/id	lscpu
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/ways_of_associativity	lscpu
File opened for reading	/sys/devices/system/cpu/cpufreq	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/level	lscpu
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/level	lscpu
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/coherency_line_size	lscpu
File opened for reading	/sys/devices/system/cpu/cpu0/topology/thread_siblings	lscpu
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/type	lscpu

Enumerates kernel/hardware configuration 1 TTPs 64 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

discovery

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/kernel/tracing/events/ftrace/branch	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/kernel/debug/tracing/events/writeback/writeback_dirty_inode_enqueue	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_exit_recvfrom	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/fs/ext4/features	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/kernel/software_nodes	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/kernel/tracing/events/bpf_test_run/bpf_test_finish	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/kernel/tracing/events/i2c/i2c_reply	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/kernel/tracing/events/xhci-hcd/xhci_handle_cmd_set_deq_ep	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/kernel/debug/tracing/events/mce	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/bus/clockevents/drivers	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/module/md_mod	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/module/serio_raw/holders	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/kernel/tracing/events/syscalls/sys_exit_faccessat2	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/kernel/debug/tracing/events/osnoise/softirq_noise	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/class/hwmon	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/module/libahci/holders	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_exit_rt_sigqueueinfo	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/devices/virtual/tty/ptmx/power	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/devices/virtual/block/dm-0/integrity	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/kernel/debug/tracing/events/sock/inet_sk_error_report	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/kernel/debug/tracing/events/kmem/kmalloc	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/kernel/debug/tracing/events/xdp/xdp_cpumap_kthread	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_enter_sync_file_range	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_enter_epoll_pwait2	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/devices/pci0000:00/0000:00:04.0/ata6/link6/ata_link/link6	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/kernel/tracing/events/mptcp/ack_update_msk	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/kernel/tracing/events/bridge/br_fdb_update	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/kernel/tracing/events/syscalls/sys_exit_sendmsg	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/kernel/debug/tracing/events/module/module_get	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/kernel/tracing/events/mmap	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/kernel/debug/tracing/events/jbd2/jbd2_drop_transaction	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/devices/virtual/tty/tty63/power	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/kernel/tracing/events/xhci-hcd/xhci_setup_addressable_virt_device	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/kernel/tracing/events/clk/clk_disable_complete	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/kernel/tracing/events/ext4/ext4_da_reserve_space	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/devices/uprobe	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/kernel/debug/block/loop3/hctx0/cpu0	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/kernel/tracing/events/syscalls/sys_exit_eventfd2	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/kernel/tracing/events/syscalls/sys_enter_close_range	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/kernel/debug/tracing/events/block/block_dirty_buffer	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_exit_mq_open	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/kernel/tracing/events/syscalls/sys_exit_pwrite64	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/kernel/debug/tracing/events/ext4/ext4_fc_track_create	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/kernel/debug/tracing/events/ftrace/timerlat	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/class/dax	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/kernel/debug/tracing/events/intel_iommu/qi_submit	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/kernel/debug/tracing/events/module/module_load	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/devices/platform/i8042/serio0/input/input1/power	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:1f/power	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/block/loop2/dev	lsblk
File opened for reading	/sys/kernel/tracing/events/syscalls/sys_enter_sched_getattr	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/kernel/debug/tracing/events/net/net_dev_xmit_timeout	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/kernel/debug/tracing/events/xhci-hcd/xhci_handle_event	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/module/ghash_clmulni_intel/holders	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/kernel/tracing/events/btrfs/btrfs_find_cluster	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/kernel/tracing/events/syscalls/sys_exit_io_pgetevents	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/devices/virtual/tty/tty34	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/devices/LNXSYSTM:00/LNXSYBUS:00/power	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/fs/cgroup/system.slice/rtkit-daemon.service	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/module/i8042/parameters	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/kernel/tracing/events/syscalls/sys_exit_fcntl	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/kernel/debug/tracing/events/ftrace/funcgraph_exit	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/devices/virtual/tty/tty27	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:05/power	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/92/task/92/net/netfilter	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/proc/98/attr/smack	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/proc/748/task/748/net/netfilter	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/proc/1162/map_files	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/proc/1182/task/1182/attr	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/proc/1294/task/1300/net/stat	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/proc/1345/task/1351/attr/apparmor	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/proc/1162/cmdline	ps
File opened for reading	/proc/956/task/960/attr/apparmor	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/proc/983/task/986/net	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/proc/1090/task/1097/fdinfo	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/proc/1158/task/1158/ns	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/proc/1197/task	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/proc/1/task/1/fd	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/proc/1162/task/1214/attr	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/proc/1617/task/1617/ns	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/proc/1581/cmdline	ps
File opened for reading	/proc/1134/task/1134/ns	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/proc/1063/task/1081/net	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/proc/1469/status	ps
File opened for reading	/proc/79/task	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/proc/425/task/425/ns	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/proc/991/map_files	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/proc/1185/task/1185/fdinfo	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/proc/211/attr/apparmor	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/proc/971/task/971/fdinfo	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/proc/1177/attr/apparmor	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/proc/1431/task/1436/fd	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/proc/90/fd	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/proc/757/net/dev_snmp6	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/proc/991/task/1619/attr	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/proc/603/task/608/net	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/proc/780/task/780/attr/apparmor	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/proc/841/task/841/net	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/proc/1202/task/1223/ns	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/proc/1617/task/1622/attr/apparmor	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/proc/73/task/73/net/stat	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/proc/1114/net	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/proc/1419/task/1419	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/proc/1040/task/1043/net/dev_snmp6	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/proc/409/task/409/net/netfilter	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/proc/585/net/netfilter	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/proc/1596/attr/apparmor	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/proc/18/stat	ps
File opened for reading	/proc/9/net/netfilter	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/proc/24/task/24/fd	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/proc/983/task/986	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/proc/1085/task/1091/fdinfo	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/proc/1294/task/1298/net/dev_snmp6	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/proc/93/attr	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/proc/224/ns	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/proc/629/task/646	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/proc/1105/task/1108	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/proc/1302/task/1362	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/proc/1614/task/1616/attr/apparmor	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/proc/212/net/dev_snmp6	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/proc/1176/attr/apparmor	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/proc/1320/task/1350/net/stat	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/proc/1345/task/1351/net/stat	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/proc/1419/task/1441/attr/smack	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/proc/1585/cmdline	ps
File opened for reading	/proc/75/net/dev_snmp6	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/proc/91/fd	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/proc/1046/task/1050	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit

/tmp/2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
/tmp/2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
1⤵
- Traces remote process
- Reads AppArmor ptrace settings
- Reads hardware information
- Reads network interface configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:1596
- /bin/sh
  sh -c "vim-cmd hostsvc/hostsummary | grep cpuModel | cut -d '\"' -f2"
  2⤵
  PID:1597
- - /usr/bin/cut
    cut -d "\"" -f2
    3⤵
    PID:1600
- - /usr/bin/grep
    grep cpuModel
    3⤵
    PID:1599
- /bin/sh
  sh -c "lscpu | grep \"Model name\" | cut -d ':' -f2"
  2⤵
  PID:1601
- - /usr/bin/cut
    cut -d : -f2
    3⤵
    PID:1604
- - /usr/bin/grep
    grep "Model name"
    3⤵
    PID:1603
- - /usr/bin/lscpu
    lscpu
    3⤵
    - Checks system information (zLinux)
    - Checks CPU configuration
    - Reads CPU attributes
    PID:1602
- /bin/sh
  sh -c "esxcli storage filesystem list | tail -n +3"
  2⤵
  PID:1605
- - /usr/bin/tail
    tail -n +3
    3⤵
    PID:1607
- /bin/sh
  sh -c "lsblk -io KNAME,TYPE,SIZE,MODEL | tail -n +2"
  2⤵
  PID:1608
- - /usr/bin/tail
    tail -n +2
    3⤵
    PID:1610
- - /usr/bin/lsblk
    lsblk -io "KNAME,TYPE,SIZE,MODEL"
    3⤵
    - Enumerates kernel/hardware configuration
    PID:1609
- /bin/sh
  sh -c "uname -a"
  2⤵
  PID:1611
- - /usr/bin/uname
    uname -a
    3⤵
    PID:1612
- /bin/sh
  sh -c "vmware -v"
  2⤵
  PID:1613
- /bin/sh
  sh -c "ls -alR /vmfs/"
  2⤵
  PID:1633
- - /usr/bin/ls
    ls -alR /vmfs/
    3⤵
    PID:1634
- /bin/sh
  sh -c "ps auxf"
  2⤵
  PID:1635
- - /usr/bin/ps
    ps auxf
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

System Information Discovery

T1082

System Network Configuration Discovery

T1016

System Network Connections Discovery

T1049

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads