3968a850f5bc70d954bb5609d929f181a6f05a117fa3be4531cbd96cedfde5d6

Resubmissions

02-01-2025 21:27

250102-1arsfawnat 10

21-12-2024 14:36

241221-ryt32a1mhx 10

Analysis

max time kernel
3s
max time network
131s
platform
ubuntu-22.04_amd64
resource
ubuntu2204-amd64-20240522.1-en
resource tags

arch:amd64arch:i386image:ubuntu2204-amd64-20240522.1-enkernel:5.15.0-105-genericlocale:en-usos:ubuntu-22.04-amd64system
submitted
02-01-2025 21:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

329D6F9DDBF138D4/locker_ESXI_X64
Size

93KB
MD5

b76b092f5188ccc8a046ffb4659c3641
SHA1

82e19d8b7bc5379528feb9c3a335d70d79358229
SHA256

dd1cf10faf4e638bb5a0efeeaa4bc2f1c91557c22e93d3f135e7e7c7f0e7be55
SHA512

bf06f2d65f7eca482066da6b1cace219cba2e2ebae0034de3e3bae429a2e821ea2d35a41534d6d9d159ae992ef0b5c5a268a48a05ae1fbb0da69a2122631653f
SSDEEP

1536:Jv8RiloA2YObuLk8WKP/gCILnPG+atNoU+tqRAJy+p4G:1Zl/2Ym8LZOnPG+iNoDtqRaya

Score

8^/10

discovery

Malware Config

Signatures

Traces remote process 1 IoCs

pid	Process
1566	locker_ESXI_X64

Reads AppArmor ptrace settings 1 TTPs 1 IoCs

Discovery of allowed ptrace capabilities by AppArmor.

discovery

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/kernel/security/apparmor/features/ptrace	locker_ESXI_X64

Enumerates running processes
Discovers information about currently running processes on the system

Reads hardware information 1 TTPs 1 IoCs

Accesses system info like serial numbers, manufacturer names etc.

discovery

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/virtual/dmi/id/power	locker_ESXI_X64

Reads network interface configuration 2 TTPs 12 IoCs

Fetches information about one or more active network interfaces.

discovery

System Network Configuration Discovery

T1016

System Network Connections Discovery

T1049

description	ioc	Process
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/queues/rx-0	locker_ESXI_X64
File opened for reading	/sys/devices/virtual/net/lo/queues/tx-0	locker_ESXI_X64
File opened for reading	/sys/devices/virtual/net/lo/queues/rx-0	locker_ESXI_X64
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/power	locker_ESXI_X64
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/queues	locker_ESXI_X64
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/queues/tx-0	locker_ESXI_X64
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/queues/tx-0/byte_queue_limits	locker_ESXI_X64
File opened for reading	/sys/devices/virtual/net/lo/statistics	locker_ESXI_X64
File opened for reading	/sys/devices/virtual/net/lo/power	locker_ESXI_X64
File opened for reading	/sys/devices/virtual/net/lo/queues	locker_ESXI_X64
File opened for reading	/sys/devices/virtual/net/lo/queues/tx-0/byte_queue_limits	locker_ESXI_X64
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/statistics	locker_ESXI_X64

Reads CPU attributes 1 TTPs 16 IoCs

discovery

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index1	locker_ESXI_X64
File opened for reading	/sys/devices/system/cpu/cpuidle	locker_ESXI_X64
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0	locker_ESXI_X64
File opened for reading	/sys/devices/system/cpu/cpu0/topology	locker_ESXI_X64
File opened for reading	/sys/devices/system/cpu/cpufreq	locker_ESXI_X64
File opened for reading	/sys/devices/system/cpu/cpu0	locker_ESXI_X64
File opened for reading	/sys/devices/system/cpu/cpu0/power	locker_ESXI_X64
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2	locker_ESXI_X64
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/power	locker_ESXI_X64
File opened for reading	/sys/devices/system/cpu/cpu0/hotplug	locker_ESXI_X64
File opened for reading	/sys/devices/system/cpu/vulnerabilities	locker_ESXI_X64
File opened for reading	/sys/devices/system/cpu/cpu0/cache	locker_ESXI_X64
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3	locker_ESXI_X64
File opened for reading	/sys/devices/system/cpu/hotplug	locker_ESXI_X64
File opened for reading	/sys/devices/system/cpu/smt	locker_ESXI_X64

Enumerates kernel/hardware configuration 1 TTPs 64 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

discovery

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/fs/cgroup/system.slice/systemd-journald.service	locker_ESXI_X64
File opened for reading	/sys/bus/mmc	locker_ESXI_X64
File opened for reading	/sys/module/scsi_dh_alua/holders	locker_ESXI_X64
File opened for reading	/sys/kernel/debug/tracing/events/ext4/ext4_evict_inode	locker_ESXI_X64
File opened for reading	/sys/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:06/wakeup/wakeup5	locker_ESXI_X64
File opened for reading	/sys/devices/platform/serial8250/tty/ttyS5/power	locker_ESXI_X64
File opened for reading	/sys/devices/pci0000:00/0000:00:01.1/power	locker_ESXI_X64
File opened for reading	/sys/devices/virtual/block/loop3/mq/0/cpu0	locker_ESXI_X64
File opened for reading	/sys/module/libahci/holders	locker_ESXI_X64
File opened for reading	/sys/kernel/tracing/events/cgroup	locker_ESXI_X64
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_enter_time	locker_ESXI_X64
File opened for reading	/sys/devices/system	locker_ESXI_X64
File opened for reading	/sys/module/syscopyarea	locker_ESXI_X64
File opened for reading	/sys/kernel/tracing/events/hwmon/hwmon_attr_show	locker_ESXI_X64
File opened for reading	/sys/kernel/tracing/events/syscalls/sys_exit_signalfd4	locker_ESXI_X64
File opened for reading	/sys/kernel/slab/:0000040	locker_ESXI_X64
File opened for reading	/sys/module/virtio_dma_buf/holders	locker_ESXI_X64
File opened for reading	/sys/devices/breakpoint/power	locker_ESXI_X64
File opened for reading	/sys/bus/rapidio/drivers	locker_ESXI_X64
File opened for reading	/sys/kernel/debug/tracing/events/net/netif_receive_skb_entry	locker_ESXI_X64
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_exit_msync	locker_ESXI_X64
File opened for reading	/sys/kernel/tracing/events/syscalls/sys_enter_socketpair	locker_ESXI_X64
File opened for reading	/sys/kernel/tracing/events/syscalls/sys_enter_quotactl_fd	locker_ESXI_X64
File opened for reading	/sys/kernel/debug/regulator/reg-dummy-regulator-dummy	locker_ESXI_X64
File opened for reading	/sys/module/srcutree/parameters	locker_ESXI_X64
File opened for reading	/sys/kernel/tracing/events/filemap/mm_filemap_add_to_page_cache	locker_ESXI_X64
File opened for reading	/sys/kernel/tracing/events/timer/hrtimer_cancel	locker_ESXI_X64
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_exit_getpgrp	locker_ESXI_X64
File opened for reading	/sys/kernel/debug/block/sr0/rqos	locker_ESXI_X64
File opened for reading	/sys/kernel/debug/tracing/events/writeback/writeback_queue	locker_ESXI_X64
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_exit_lgetxattr	locker_ESXI_X64
File opened for reading	/sys/kernel/tracing/events/ext4/ext4_fc_track_unlink	locker_ESXI_X64
File opened for reading	/sys/kernel/tracing/events/syscalls/sys_enter_memfd_secret	locker_ESXI_X64
File opened for reading	/sys/kernel/slab/request_sock_TCP	locker_ESXI_X64
File opened for reading	/sys/kernel/debug/tracing/events/irq_vectors/spurious_apic_entry	locker_ESXI_X64
File opened for reading	/sys/block/loop6/dev	lsblk
File opened for reading	/sys/kernel/tracing/events/gpio/gpio_value	locker_ESXI_X64
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_enter_unshare	locker_ESXI_X64
File opened for reading	/sys/module/drm_kms_helper/parameters	locker_ESXI_X64
File opened for reading	/sys/kernel/tracing/events/filelock/locks_remove_posix	locker_ESXI_X64
File opened for reading	/sys/kernel/slab/:0000048	locker_ESXI_X64
File opened for reading	/sys/kernel/tracing/events/syscalls/sys_enter_vhangup	locker_ESXI_X64
File opened for reading	/sys/kernel/tracing/events/syscalls/sys_enter_setreuid	locker_ESXI_X64
File opened for reading	/sys/kernel/slab/names_cache	locker_ESXI_X64
File opened for reading	/sys/kernel/debug/tracing/events/mdio/mdio_access	locker_ESXI_X64
File opened for reading	/sys/kernel/debug/tracing/events/ext4/ext4_request_blocks	locker_ESXI_X64
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_exit_sigaltstack	locker_ESXI_X64
File opened for reading	/sys/kernel/tracing/events/x86_fpu/x86_fpu_regs_activated	locker_ESXI_X64
File opened for reading	/sys/kernel/tracing/events/syscalls/sys_exit_newfstat	locker_ESXI_X64
File opened for reading	/sys/devices/pci0000:00/0000:00:04.0/ata6/host5/power	locker_ESXI_X64
File opened for reading	/sys/module/gpiolib_acpi/parameters	locker_ESXI_X64
File opened for reading	/sys/module/floppy	locker_ESXI_X64
File opened for reading	/sys/module/kdb	locker_ESXI_X64
File opened for reading	/sys/devices/pci0000:00/0000:00:04.0/ata8/ata_port	locker_ESXI_X64
File opened for reading	/sys/devices/pci0000:00/0000:00:04.0/ata8/ata_port/ata8	locker_ESXI_X64
File opened for reading	/sys/kernel/tracing/events/bpf_trace/bpf_trace_printk	locker_ESXI_X64
File opened for reading	/sys/kernel/slab/:a-0000104	locker_ESXI_X64
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_enter_clock_adjtime	locker_ESXI_X64
File opened for reading	/sys/fs/cgroup/system.slice/gdm.service	locker_ESXI_X64
File opened for reading	/sys/module/acpi_cpufreq/parameters	locker_ESXI_X64
File opened for reading	/sys/kernel/tracing/events/spi	locker_ESXI_X64
File opened for reading	/sys/kernel/tracing/events/ext4/ext4_begin_ordered_truncate	locker_ESXI_X64
File opened for reading	/sys/fs/cgroup/system.slice/power-profiles-daemon.service	locker_ESXI_X64
File opened for reading	/sys/kernel/debug/tracing/events/filemap/filemap_set_wb_err	locker_ESXI_X64

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/1382/task/1384/net	locker_ESXI_X64
File opened for reading	/proc/585/attr/apparmor	locker_ESXI_X64
File opened for reading	/proc/1259/task/1269/attr/smack	locker_ESXI_X64
File opened for reading	/proc/1289/fdinfo	locker_ESXI_X64
File opened for reading	/proc/1352/task/1356/fdinfo	locker_ESXI_X64
File opened for reading	/proc/97/net/stat	locker_ESXI_X64
File opened for reading	/proc/218/attr/apparmor	locker_ESXI_X64
File opened for reading	/proc/1382/task/1382/net/dev_snmp6	locker_ESXI_X64
File opened for reading	/proc/1164/task	locker_ESXI_X64
File opened for reading	/proc/416/task/419/net	locker_ESXI_X64
File opened for reading	/proc/416/task/424/net/stat	locker_ESXI_X64
File opened for reading	/proc/1100/task/1100/net/netfilter	locker_ESXI_X64
File opened for reading	/proc/1100/task/1102/net/dev_snmp6	locker_ESXI_X64
File opened for reading	/proc/10/task/10/net/netfilter	locker_ESXI_X64
File opened for reading	/proc/638/task/665/attr/smack	locker_ESXI_X64
File opened for reading	/proc/24/net	locker_ESXI_X64
File opened for reading	/proc/415/ns	locker_ESXI_X64
File opened for reading	/proc/1042/task/1043/fdinfo	locker_ESXI_X64
File opened for reading	/proc/1066/task/1105/net	locker_ESXI_X64
File opened for reading	/proc/20/net	locker_ESXI_X64
File opened for reading	/proc/23/task/23/net/netfilter	locker_ESXI_X64
File opened for reading	/proc/82/map_files	locker_ESXI_X64
File opened for reading	/proc/1255/task/1271	locker_ESXI_X64
File opened for reading	/proc/426/task/426/attr/apparmor	locker_ESXI_X64
File opened for reading	/proc/irq/29/ahci[0000:00:04.0]	locker_ESXI_X64
File opened for reading	/proc/1048/cmdline	ps
File opened for reading	/proc/7/attr/apparmor	locker_ESXI_X64
File opened for reading	/proc/197/net	locker_ESXI_X64
File opened for reading	/proc/208/attr	locker_ESXI_X64
File opened for reading	/proc/1168/task/1194/attr/apparmor	locker_ESXI_X64
File opened for reading	/proc/588/status	ps
File opened for reading	/proc/8/task/8/attr/apparmor	locker_ESXI_X64
File opened for reading	/proc/515/task/515/net/stat	locker_ESXI_X64
File opened for reading	/proc/783/fd	locker_ESXI_X64
File opened for reading	/proc/1162/task/1211/net/dev_snmp6	locker_ESXI_X64
File opened for reading	/proc/742/task/742/ns	locker_ESXI_X64
File opened for reading	/proc/1149/net/netfilter	locker_ESXI_X64
File opened for reading	/proc/10/cmdline	ps
File opened for reading	/proc/315/status	ps
File opened for reading	/proc/25/fdinfo	locker_ESXI_X64
File opened for reading	/proc/98/attr/smack	locker_ESXI_X64
File opened for reading	/proc/204/task/204/ns	locker_ESXI_X64
File opened for reading	/proc/585/attr/smack	locker_ESXI_X64
File opened for reading	/proc/18/fdinfo	locker_ESXI_X64
File opened for reading	/proc/1098/task/1119/net/netfilter	locker_ESXI_X64
File opened for reading	/proc/1239/task/1390/net/dev_snmp6	locker_ESXI_X64
File opened for reading	/proc/634/task/654/attr	locker_ESXI_X64
File opened for reading	/proc/775/task/775/ns	locker_ESXI_X64
File opened for reading	/proc/94/task/94/net/stat	locker_ESXI_X64
File opened for reading	/proc/1096/task/1096/fd	locker_ESXI_X64
File opened for reading	/proc/724/status	ps
File opened for reading	/proc/1487/task/1487/attr/apparmor	locker_ESXI_X64
File opened for reading	/proc/89/task/89/attr/smack	locker_ESXI_X64
File opened for reading	/proc/749/task/749/attr	locker_ESXI_X64
File opened for reading	/proc/1100/attr/apparmor	locker_ESXI_X64
File opened for reading	/proc/1166/task/1214/net/stat	locker_ESXI_X64
File opened for reading	/proc/992/task/998	locker_ESXI_X64
File opened for reading	/proc/1166/task/1213/net/stat	locker_ESXI_X64
File opened for reading	/proc/1255/attr/smack	locker_ESXI_X64
File opened for reading	/proc/6/task/6/net/dev_snmp6	locker_ESXI_X64
File opened for reading	/proc/12/task/12/net/stat	locker_ESXI_X64
File opened for reading	/proc/23/task/23/attr/smack	locker_ESXI_X64
File opened for reading	/proc/113/task/113/fd	locker_ESXI_X64
File opened for reading	/proc/1098/net/dev_snmp6	locker_ESXI_X64

/tmp/329D6F9DDBF138D4/locker_ESXI_X64
/tmp/329D6F9DDBF138D4/locker_ESXI_X64
1⤵
- Traces remote process
- Reads AppArmor ptrace settings
- Reads hardware information
- Reads network interface configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:1566
- /bin/sh
  sh -c "vim-cmd hostsvc/hostsummary | grep cpuModel | cut -d '\"' -f2"
  2⤵
  PID:1567
- - /usr/bin/cut
    cut -d "\"" -f2
    3⤵
    PID:1570
- - /usr/bin/grep
    grep cpuModel
    3⤵
    PID:1569
- /bin/sh
  sh -c "esxcli storage filesystem list | tail -n +3"
  2⤵
  PID:1571
- - /usr/bin/tail
    tail -n +3
    3⤵
    PID:1573
- /bin/sh
  sh -c "lsblk -io KNAME,TYPE,SIZE,MODEL | tail -n +2"
  2⤵
  PID:1574
- - /usr/bin/tail
    tail -n +2
    3⤵
    PID:1576
- - /usr/bin/lsblk
    lsblk -io "KNAME,TYPE,SIZE,MODEL"
    3⤵
    - Enumerates kernel/hardware configuration
    PID:1575
- /bin/sh
  sh -c "uname -a"
  2⤵
  PID:1577
- - /usr/bin/uname
    uname -a
    3⤵
    PID:1578
- /bin/sh
  sh -c "vmware -v"
  2⤵
  PID:1579
- /bin/sh
  sh -c "ls -alR /vmfs/"
  2⤵
  PID:1589
- - /usr/bin/ls
    ls -alR /vmfs/
    3⤵
    PID:1590
- /bin/sh
  sh -c "ps auxf"
  2⤵
  PID:1591
- - /usr/bin/ps
    ps auxf
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Network Configuration Discovery

T1016

System Network Connections Discovery

T1049

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads