3968a850f5bc70d954bb5609d929f181a6f05a117fa3be4531cbd96cedfde5d6

Resubmissions

02/01/2025, 21:27

250102-1arsfawnat 10

21/12/2024, 14:36

241221-ryt32a1mhx 10

Analysis

max time kernel
5s
max time network
128s
platform
ubuntu-24.04_amd64
resource
ubuntu2404-amd64-20240523-en
resource tags

arch:amd64arch:i386image:ubuntu2404-amd64-20240523-enkernel:6.8.0-31-genericlocale:en-usos:ubuntu-24.04-amd64system
submitted
02/01/2025, 21:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

329D6F9DDBF138D4/locker_ESXI_X64
Size

93KB
MD5

b76b092f5188ccc8a046ffb4659c3641
SHA1

82e19d8b7bc5379528feb9c3a335d70d79358229
SHA256

dd1cf10faf4e638bb5a0efeeaa4bc2f1c91557c22e93d3f135e7e7c7f0e7be55
SHA512

bf06f2d65f7eca482066da6b1cace219cba2e2ebae0034de3e3bae429a2e821ea2d35a41534d6d9d159ae992ef0b5c5a268a48a05ae1fbb0da69a2122631653f
SSDEEP

1536:Jv8RiloA2YObuLk8WKP/gCILnPG+atNoU+tqRAJy+p4G:1Zl/2Ym8LZOnPG+iNoDtqRaya

Score

8^/10

antivm discovery

Malware Config

Signatures

Traces remote process 1 IoCs

pid	Process
2472	locker_ESXI_X64

Reads AppArmor ptrace settings 1 TTPs 1 IoCs

Discovery of allowed ptrace capabilities by AppArmor.

discovery

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/kernel/security/apparmor/features/ptrace	locker_ESXI_X64

Enumerates running processes
Discovers information about currently running processes on the system

Reads hardware information 1 TTPs 1 IoCs

Accesses system info like serial numbers, manufacturer names etc.

discovery

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/virtual/dmi/id/power	locker_ESXI_X64

Reads network interface configuration 2 TTPs 12 IoCs

Fetches information about one or more active network interfaces.

discovery

System Network Configuration Discovery

T1016

System Network Connections Discovery

T1049

description	ioc	Process
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/queues/tx-0/byte_queue_limits	locker_ESXI_X64
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/queues/rx-0	locker_ESXI_X64
File opened for reading	/sys/devices/virtual/net/lo/statistics	locker_ESXI_X64
File opened for reading	/sys/devices/virtual/net/lo/queues	locker_ESXI_X64
File opened for reading	/sys/devices/virtual/net/lo/queues/tx-0/byte_queue_limits	locker_ESXI_X64
File opened for reading	/sys/devices/virtual/net/lo/queues/rx-0	locker_ESXI_X64
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/statistics	locker_ESXI_X64
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/power	locker_ESXI_X64
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/queues	locker_ESXI_X64
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/queues/tx-0	locker_ESXI_X64
File opened for reading	/sys/devices/virtual/net/lo/power	locker_ESXI_X64
File opened for reading	/sys/devices/virtual/net/lo/queues/tx-0	locker_ESXI_X64

Checks CPU configuration 1 TTPs 1 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

description	ioc	Process
File opened for reading	/proc/cpuinfo	ps

Reads CPU attributes 1 TTPs 16 IoCs

discovery

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/vulnerabilities	locker_ESXI_X64
File opened for reading	/sys/devices/system/cpu/cpu0	locker_ESXI_X64
File opened for reading	/sys/devices/system/cpu/cpu0/power	locker_ESXI_X64
File opened for reading	/sys/devices/system/cpu/cpu0/cache	locker_ESXI_X64
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2	locker_ESXI_X64
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0	locker_ESXI_X64
File opened for reading	/sys/devices/system/cpu/cpuidle	locker_ESXI_X64
File opened for reading	/sys/devices/system/cpu/smt	locker_ESXI_X64
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index1	locker_ESXI_X64
File opened for reading	/sys/devices/system/cpu/possible	ps
File opened for reading	/sys/devices/system/cpu/cpu0/hotplug	locker_ESXI_X64
File opened for reading	/sys/devices/system/cpu/cpufreq	locker_ESXI_X64
File opened for reading	/sys/devices/system/cpu/cpu0/topology	locker_ESXI_X64
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3	locker_ESXI_X64
File opened for reading	/sys/devices/system/cpu/hotplug	locker_ESXI_X64
File opened for reading	/sys/devices/system/cpu/power	locker_ESXI_X64

Enumerates kernel/hardware configuration 1 TTPs 64 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

discovery

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/kernel/debug/pinctrl	locker_ESXI_X64
File opened for reading	/sys/devices/pci0000:00/0000:00:04.0/ata4/host3/target3:0:0/3:0:0:0/block/sr0	locker_ESXI_X64
File opened for reading	/sys/kernel/slab/kmalloc-rnd-12-256	locker_ESXI_X64
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_enter_splice	locker_ESXI_X64
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_enter_lsm_list_modules	locker_ESXI_X64
File opened for reading	/sys/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:20	locker_ESXI_X64
File opened for reading	/sys/kernel/tracing/events/syscalls/sys_exit_rt_sigpending	locker_ESXI_X64
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_enter_newuname	locker_ESXI_X64
File opened for reading	/sys/kernel/tracing/events/oom/compact_retry	locker_ESXI_X64
File opened for reading	/sys/kernel/debug/tracing/events/btrfs/alloc_extent_state	locker_ESXI_X64
File opened for reading	/sys/devices/platform/serial8250/serial8250:0/serial8250:0.8/tty/ttyS8	locker_ESXI_X64
File opened for reading	/sys/devices/pci0000:00/0000:00:05.0/usb1/1-0:1.0/usb1-port3	locker_ESXI_X64
File opened for reading	/sys/kernel/tracing/events/context_tracking/user_enter	locker_ESXI_X64
File opened for reading	/sys/kernel/slab/dma-kmalloc-64	locker_ESXI_X64
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_enter_getpid	locker_ESXI_X64
File opened for reading	/sys/kernel/tracing/events/syscalls/sys_exit_sched_rr_get_interval	locker_ESXI_X64
File opened for reading	/sys/kernel/tracing/events/syscalls/sys_exit_nanosleep	locker_ESXI_X64
File opened for reading	/sys/kernel/debug/tracing/events/iommu	locker_ESXI_X64
File opened for reading	/sys/kernel/tracing/events/syscalls/sys_exit_pidfd_send_signal	locker_ESXI_X64
File opened for reading	/sys/kernel/tracing/events/xhci-hcd/xhci_get_port_status	locker_ESXI_X64
File opened for reading	/sys/kernel/tracing/events/udp/udp_fail_queue_rcv_skb	locker_ESXI_X64
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_enter_newfstat	locker_ESXI_X64
File opened for reading	/sys/kernel/debug/tracing/events/sock/inet_sk_error_report	locker_ESXI_X64
File opened for reading	/sys/fs/cgroup/user.slice/user-0.slice/[email protected]/init.scope	locker_ESXI_X64
File opened for reading	/sys/bus/edac	locker_ESXI_X64
File opened for reading	/sys/kernel/tracing/events/syscalls/sys_exit_write	locker_ESXI_X64
File opened for reading	/sys/kernel/tracing/events/ext4/ext4_fallocate_exit	locker_ESXI_X64
File opened for reading	/sys/kernel/debug/tracing/events/irq/softirq_exit	locker_ESXI_X64
File opened for reading	/sys/kernel/debug/tracing/events/mdio/mdio_access	locker_ESXI_X64
File opened for reading	/sys/devices/pnp0/00:04/00:04:0	locker_ESXI_X64
File opened for reading	/sys/devices/pci0000:00/0000:00:01.1	locker_ESXI_X64
File opened for reading	/sys/bus/acpi/drivers	locker_ESXI_X64
File opened for reading	/sys/kernel/tracing/events/syscalls/sys_enter_fremovexattr	locker_ESXI_X64
File opened for reading	/sys/devices/platform/serial8250/serial8250:0/serial8250:0.22/tty/ttyS22	locker_ESXI_X64
File opened for reading	/sys/kernel/tracing/events/ext4/ext4_mb_discard_preallocations	locker_ESXI_X64
File opened for reading	/sys/kernel/debug/tracing/events/cfg80211/rdev_add_link_station	locker_ESXI_X64
File opened for reading	/sys/firmware/acpi/hotplug/processor	locker_ESXI_X64
File opened for reading	/sys/kernel/tracing/events/power/dev_pm_qos_remove_request	locker_ESXI_X64
File opened for reading	/sys/kernel/tracing/events/cfg80211/cfg80211_cac_event	locker_ESXI_X64
File opened for reading	/sys/kernel/slab/kmalloc-rnd-11-512	locker_ESXI_X64
File opened for reading	/sys/kernel/tracing/events/irq_vectors/vector_teardown	locker_ESXI_X64
File opened for reading	/sys/kernel/tracing/events/handshake	locker_ESXI_X64
File opened for reading	/sys/kernel/debug/tracing/events/hyperv	locker_ESXI_X64
File opened for reading	/sys/kernel/debug/bdi/7:0	locker_ESXI_X64
File opened for reading	/sys/module/intel_rapl_common/holders	locker_ESXI_X64
File opened for reading	/sys/kernel/slab/sock_inode_cache	locker_ESXI_X64
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_exit_preadv	locker_ESXI_X64
File opened for reading	/sys/kernel/debug/tracing/events/ext4/ext4_es_shrink_count	locker_ESXI_X64
File opened for reading	/sys/kernel/tracing/events/ext4/ext4_mb_new_inode_pa	locker_ESXI_X64
File opened for reading	/sys/kernel/tracing/events/cfg80211/cfg80211_tdls_oper_request	locker_ESXI_X64
File opened for reading	/sys/kernel/slab/kmalloc-rnd-12-192	locker_ESXI_X64
File opened for reading	/sys/kernel/debug/tracing/events/csd/csd_queue_cpu	locker_ESXI_X64
File opened for reading	/sys/bus/platform/drivers/bxt_whiskey_cove_pmic	locker_ESXI_X64
File opened for reading	/sys/kernel/tracing/events/handshake/handshake_submit	locker_ESXI_X64
File opened for reading	/sys/kernel/tracing/events/fs_dax/dax_insert_mapping	locker_ESXI_X64
File opened for reading	/sys/kernel/debug	locker_ESXI_X64
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_exit_sched_getattr	locker_ESXI_X64
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_enter_mount	locker_ESXI_X64
File opened for reading	/sys/devices/platform/serial8250/serial8250:0/serial8250:0.24/tty/ttyS24/power	locker_ESXI_X64
File opened for reading	/sys/module/kgdb_nmi/parameters	locker_ESXI_X64
File opened for reading	/sys/kernel/tracing/events/syscalls/sys_exit_getresuid	locker_ESXI_X64
File opened for reading	/sys/kernel/slab/proc_dir_entry	locker_ESXI_X64
File opened for reading	/sys/kernel/debug/tracing/events/ext4/ext4_es_find_extent_range_exit	locker_ESXI_X64
File opened for reading	/sys/kernel/debug/tracing/events/btrfs/btrfs_qgroup_account_extent	locker_ESXI_X64

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/5/task/5/net	locker_ESXI_X64
File opened for reading	/proc/779/task/795/attr/apparmor	locker_ESXI_X64
File opened for reading	/proc/821/task/854/attr/apparmor	locker_ESXI_X64
File opened for reading	/proc/828/attr	locker_ESXI_X64
File opened for reading	/proc/34/environ	ps
File opened for reading	/proc/irq/29/ahci[0000:00:04.0]	locker_ESXI_X64
File opened for reading	/proc/self/stat	ps
File opened for reading	/proc/1877/stat	ps
File opened for reading	/proc/2199/status	ps
File opened for reading	/proc/17/net	locker_ESXI_X64
File opened for reading	/proc/389/task/406/ns	locker_ESXI_X64
File opened for reading	/proc/1801/task/1801/attr/smack	locker_ESXI_X64
File opened for reading	/proc/1949/task/2019/net	locker_ESXI_X64
File opened for reading	/proc/2294/task/2297/fd	locker_ESXI_X64
File opened for reading	/proc/1909/task/1920/ns	locker_ESXI_X64
File opened for reading	/proc/1990/task/1990/attr/apparmor	locker_ESXI_X64
File opened for reading	/proc/47/status	ps
File opened for reading	/proc/14/net/netfilter	locker_ESXI_X64
File opened for reading	/proc/1126	locker_ESXI_X64
File opened for reading	/proc/1917/task/1952/attr/smack	locker_ESXI_X64
File opened for reading	/proc/2178/attr/apparmor	locker_ESXI_X64
File opened for reading	/proc/2267	locker_ESXI_X64
File opened for reading	/proc/2142/task/2142/attr/smack	locker_ESXI_X64
File opened for reading	/proc/385/task/385/attr/smack	locker_ESXI_X64
File opened for reading	/proc/791/task/820/net/netfilter	locker_ESXI_X64
File opened for reading	/proc/2222/task/2224/attr/apparmor	locker_ESXI_X64
File opened for reading	/proc/1068/stat	ps
File opened for reading	/proc/1667/task/1670/ns	locker_ESXI_X64
File opened for reading	/proc/1687/task/1688/ns	locker_ESXI_X64
File opened for reading	/proc/182/attr/apparmor	locker_ESXI_X64
File opened for reading	/proc/729/stat	ps
File opened for reading	/proc/783/task/783/ns	locker_ESXI_X64
File opened for reading	/proc/1909/task/1926/fdinfo	locker_ESXI_X64
File opened for reading	/proc/1997/task/2123/ns	locker_ESXI_X64
File opened for reading	/proc/2120/task/2120/ns	locker_ESXI_X64
File opened for reading	/proc/2126/task/2126	locker_ESXI_X64
File opened for reading	/proc/33/task/33/net/dev_snmp6	locker_ESXI_X64
File opened for reading	/proc/585/task/585/fdinfo	locker_ESXI_X64
File opened for reading	/proc/2145/task/2170/net/dev_snmp6	locker_ESXI_X64
File opened for reading	/proc/11/fd	locker_ESXI_X64
File opened for reading	/proc/417/task/417/net/netfilter	locker_ESXI_X64
File opened for reading	/proc/752/task/790/net/dev_snmp6	locker_ESXI_X64
File opened for reading	/proc/1091/task/1095/net	locker_ESXI_X64
File opened for reading	/proc/1801/task/1813/fdinfo	locker_ESXI_X64
File opened for reading	/proc/11/attr/smack	locker_ESXI_X64
File opened for reading	/proc/1126/net	locker_ESXI_X64
File opened for reading	/proc/1921/task/1933/net/stat	locker_ESXI_X64
File opened for reading	/proc/2206/environ	ps
File opened for reading	/proc/511/status	ps
File opened for reading	/proc/69/task/69/attr/apparmor	locker_ESXI_X64
File opened for reading	/proc/80/ns	locker_ESXI_X64
File opened for reading	/proc/192/task/192/net	locker_ESXI_X64
File opened for reading	/proc/1801/task/1811/net/stat	locker_ESXI_X64
File opened for reading	/proc/1909/task/1911	locker_ESXI_X64
File opened for reading	/proc/1858/status	ps
File opened for reading	/proc/1891/status	ps
File opened for reading	/proc/self/maps	grep
File opened for reading	/proc/47/net/dev_snmp6	locker_ESXI_X64
File opened for reading	/proc/191/task/191/net/stat	locker_ESXI_X64
File opened for reading	/proc/1917/task/1964/fdinfo	locker_ESXI_X64
File opened for reading	/proc/2129/task/2176	locker_ESXI_X64
File opened for reading	/proc/510/task/510/ns	locker_ESXI_X64
File opened for reading	/proc/1855/net/netfilter	locker_ESXI_X64
File opened for reading	/proc/2213/status	ps

/tmp/329D6F9DDBF138D4/locker_ESXI_X64
/tmp/329D6F9DDBF138D4/locker_ESXI_X64
1⤵
- Traces remote process
- Reads AppArmor ptrace settings
- Reads hardware information
- Reads network interface configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:2472
- /bin/sh
  sh -c -- "vim-cmd hostsvc/hostsummary | grep cpuModel | cut -d '\"' -f2"
  2⤵
  PID:2473
- - /usr/bin/grep
    grep cpuModel
    3⤵
    - Reads runtime system information
    PID:2475
- - /usr/bin/cut
    cut -d "\"" -f2
    3⤵
    PID:2477
- /bin/sh
  sh -c -- "esxcli storage filesystem list | tail -n +3"
  2⤵
  PID:2478
- - /usr/bin/tail
    tail -n +3
    3⤵
    PID:2480
- /bin/sh
  sh -c -- "lsblk -io KNAME,TYPE,SIZE,MODEL | tail -n +2"
  2⤵
  PID:2481
- - /usr/bin/lsblk
    lsblk -io "KNAME,TYPE,SIZE,MODEL"
    3⤵
    PID:2482
- - /usr/bin/tail
    tail -n +2
    3⤵
    PID:2483
- /bin/sh
  sh -c -- "uname -a"
  2⤵
  PID:2484
- - /usr/bin/uname
    uname -a
    3⤵
    PID:2485
- /bin/sh
  sh -c -- "vmware -v"
  2⤵
  PID:2486
- /bin/sh
  sh -c -- "ls -alR /vmfs/"
  2⤵
  PID:2507
- - /usr/bin/ls
    ls -alR /vmfs/
    3⤵
    PID:2508
- /bin/sh
  sh -c -- "ps auxf"
  2⤵
  PID:2509
- - /usr/bin/ps
    ps auxf
    3⤵
    - Checks CPU configuration
    - Reads CPU attributes
    - Reads runtime system information
    PID:2510

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

System Information Discovery

T1082

System Network Configuration Discovery

T1016

System Network Connections Discovery

T1049

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads