f9b34255399925fcae10f34e78275446f9a90263afd3b825e889d5e631a74d0e

Resubmissions

28/03/2025, 06:04

250328-gsw1bsswcx 8

27/12/2024, 01:42

241227-b4yqeaylan 8

Analysis

max time kernel
3s
max time network
128s
platform
ubuntu-22.04_amd64
resource
ubuntu2204-amd64-20250307-en
resource tags

arch:amd64arch:i386image:ubuntu2204-amd64-20250307-enkernel:5.15.0-105-genericlocale:en-usos:ubuntu-22.04-amd64system
submitted
28/03/2025, 06:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
Size

89KB
MD5

3589e9b7abdf6e89063977847351173b
SHA1

a95652971f89587cf5f717c99c894ca2122101a0
SHA256

f9b34255399925fcae10f34e78275446f9a90263afd3b825e889d5e631a74d0e
SHA512

90550b2e8e9ddabbccf5d35907d40282db65876da1efb6e0e864ec8e8e8e1a92f2da0082b64d286f8c05087f417caa2470da1bc89f8ad55e8bd168305c7e2155
SSDEEP

1536:h23bmHSlAhb6eo1xrac08UGNnPnEsT9VxU+tqRAsemhgYBzvI:4rmHSlAhbx+K8UUnPEsBVxDtqR19gAI

Score

8^/10

antivm credential_access discovery spyware stealer

Malware Config

Signatures

Traces remote process 1 IoCs

pid	Process
1572	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit

Reads user data of web browsers 3 TTPs 28 IoCs

Reads stored browser data which can include saved credentials.

spyware stealer credential_access discovery

Data from Local System

T1005

Credentials from Web Browsers

T1555.003

Browser Information Discovery

T1217

description	ioc	Process
File opened for reading	/root/.mozilla/firefox/8ze1o738.default-release/storage/permanent/chrome/idb/1451318868ntouromlalnodry--epcr.files	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/root/.mozilla/firefox/8ze1o738.default-release/storage/permanent/chrome/idb/3561288849sdhlie.files	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/root/.mozilla/firefox/8ze1o738.default-release/minidumps	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/root/.mozilla/firefox/8ze1o738.default-release/security_state	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/root/.mozilla/firefox/8ze1o738.default-release/datareporting	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/root/.mozilla/firefox/8ze1o738.default-release/datareporting/glean/events	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/root/.mozilla/firefox/8ze1o738.default-release/crashes	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/root/.mozilla/firefox/8ze1o738.default-release/storage/permanent/chrome/idb/2823318777ntouromlalnodry--naod.files	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/root/.mozilla/firefox/8ze1o738.default-release/storage/permanent/chrome/idb/3870112724rsegmnoittet-es.files	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/root/.mozilla/firefox/8ze1o738.default-release/extension-store	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/root/.mozilla/firefox/8ze1o738.default-release/bookmarkbackups	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/root/.mozilla/firefox/8ze1o738.default-release/storage	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/root/.mozilla/firefox/8ze1o738.default-release/storage/permanent/chrome/idb/1657114595AmcateirvtiSty.files	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/root/.mozilla/firefox/Pending Pings	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/root/.mozilla/firefox/3ctuzfky.default	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/root/.mozilla/firefox/Crash Reports	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/root/.mozilla/firefox/8ze1o738.default-release	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/root/.mozilla/firefox/8ze1o738.default-release/extension-store-menus	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/root/.mozilla/firefox/8ze1o738.default-release/datareporting/glean	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/root/.mozilla/firefox/8ze1o738.default-release/datareporting/glean/pending_pings	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/root/.mozilla/firefox/8ze1o738.default-release/datareporting/glean/tmp	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/root/.mozilla/firefox/8ze1o738.default-release/datareporting/glean/db	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/root/.mozilla/firefox/8ze1o738.default-release/crashes/events	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/root/.mozilla/firefox/Crash Reports/events	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/root/.mozilla/firefox/8ze1o738.default-release/storage/permanent	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/root/.mozilla/firefox/8ze1o738.default-release/storage/permanent/chrome	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/root/.mozilla/firefox/8ze1o738.default-release/storage/permanent/chrome/idb	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/root/.mozilla/firefox/8ze1o738.default-release/storage/permanent/chrome/idb/2918063365piupsah.files	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit

Reads AppArmor ptrace settings 1 TTPs 1 IoCs

Discovery of allowed ptrace capabilities by AppArmor.

discovery

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/kernel/security/apparmor/features/ptrace	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit

Checks system information (zLinux) 1 TTPs 1 IoCs

Check system information on IBM zSystems which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

description	ioc	Process
File opened for reading	/proc/sysinfo	lscpu

Enumerates running processes
Discovers information about currently running processes on the system

Reads hardware information 1 TTPs 1 IoCs

Accesses system info like serial numbers, manufacturer names etc.

discovery

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/virtual/dmi/id/power	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit

Reads network interface configuration 2 TTPs 12 IoCs

Fetches information about one or more active network interfaces.

discovery

System Network Configuration Discovery

T1016

System Network Connections Discovery

T1049

description	ioc	Process
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/queues/tx-0	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/queues/rx-0	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/devices/virtual/net/lo/statistics	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/devices/virtual/net/lo/power	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/devices/virtual/net/lo/queues	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/devices/virtual/net/lo/queues/tx-0	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/statistics	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/power	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/queues	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/queues/tx-0/byte_queue_limits	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/devices/virtual/net/lo/queues/tx-0/byte_queue_limits	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/devices/virtual/net/lo/queues/rx-0	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit

Checks CPU configuration 1 TTPs 1 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

description	ioc	Process
File opened for reading	/proc/cpuinfo	lscpu

Reads CPU attributes 1 TTPs 64 IoCs

discovery

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/level	lscpu
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/physical_line_partition	lscpu
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/shared_cpu_map	lscpu
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/ways_of_associativity	lscpu
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index1/id	lscpu
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/coherency_line_size	lscpu
File opened for reading	/sys/devices/system/cpu/cpuidle	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/devices/system/cpu/cpu0/topology/drawer_siblings	lscpu
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/ways_of_associativity	lscpu
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index1/write_policy	lscpu
File opened for reading	/sys/devices/system/cpu/vulnerabilities	lscpu
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/type	lscpu
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/allocation_policy	lscpu
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index1/size	lscpu
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/size	lscpu
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/size	lscpu
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/devices/system/cpu/dispatching	lscpu
File opened for reading	/sys/devices/system/cpu/cpu0/topology/thread_siblings	lscpu
File opened for reading	/sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq	lscpu
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index1/coherency_line_size	lscpu
File opened for reading	/sys/devices/system/cpu/cpu0/cache	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/devices/system/cpu/possible	lscpu
File opened for reading	/sys/devices/system/cpu/present	lscpu
File opened for reading	/sys/devices/system/cpu/vulnerabilities/mds	lscpu
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/size	lscpu
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index1/ways_of_associativity	lscpu
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/write_policy	lscpu
File opened for reading	/sys/devices/system/cpu/cpu0/topology	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/devices/system/cpu/vulnerabilities/spectre_v2	lscpu
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/allocation_policy	lscpu
File opened for reading	/sys/devices/system/cpu/cpu0	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index1	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/devices/system/cpu/vulnerabilities/itlb_multihit	lscpu
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index1/level	lscpu
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/coherency_line_size	lscpu
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/physical_line_partition	lscpu
File opened for reading	/sys/devices/system/cpu/vulnerabilities/srbds	lscpu
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/shared_cpu_map	lscpu
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index1/number_of_sets	lscpu
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/shared_cpu_map	lscpu
File opened for reading	/sys/devices/system/cpu/power	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/devices/system/cpu/vulnerabilities	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/devices/system/cpu/online	lscpu
File opened for reading	/sys/devices/system/cpu/vulnerabilities/spectre_v1	lscpu
File opened for reading	/sys/devices/system/cpu/cpu0/topology/core_id	lscpu
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/allocation_policy	lscpu
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/level	lscpu
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/id	lscpu
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/level	lscpu
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/write_policy	lscpu
File opened for reading	/sys/devices/system/cpu/cpufreq	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/devices/system/cpu/cpu0/power	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/devices/system/cpu/vulnerabilities/gather_data_sampling	lscpu
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/physical_line_partition	lscpu
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/coherency_line_size	lscpu
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index1/type	lscpu
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/type	lscpu
File opened for reading	/sys/devices/system/cpu/kernel_max	lscpu
File opened for reading	/sys/devices/system/cpu/vulnerabilities/retbleed	lscpu
File opened for reading	/sys/devices/system/cpu/cpu0/topology/book_id	lscpu
File opened for reading	/sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_min_freq	lscpu

Enumerates kernel/hardware configuration 1 TTPs 64 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

discovery

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_exit_inotify_rm_watch	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/kernel/tracing/events/ext4/ext4_insert_range	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/kernel/tracing/events/ext4/ext4_getfsmap_mapping	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/kernel/tracing/events/syscalls/sys_exit_splice	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/kernel/tracing/events/syscalls/sys_exit_setfsuid	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/kernel/tracing/events/xen/xen_mc_flush	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/kernel/debug/tracing/events/xhci-hcd/xhci_address_ctrl_ctx	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/devices/pci0000:00/0000:00:05.0/usb1/1-0:1.0/usb1-port2	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0C0F:00/power	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/kernel/tracing/events/cpuhp	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/kernel/tracing/events/resctrl/pseudo_lock_l2	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/kernel/tracing/events/syscalls/sys_enter_quotactl_fd	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/kernel/tracing/events/syscalls/sys_enter_mount	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/kernel/tracing/events/syscalls/sys_enter_mknod	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/kernel/slab/:A-0000320	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/kernel/debug/tracing/events/xen/xen_mc_entry	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/kernel/debug/block/fd0/hctx0	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/kernel/tracing/events/rtc/rtc_timer_dequeue	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/kernel/tracing/events/syscalls/sys_exit_mq_unlink	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/kernel/debug/tracing/events/xhci-hcd/xhci_stop_device	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/devices/pci0000:00/0000:00:04.0/ata3/host2/scsi_host	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/kernel/tracing/events/jbd2/jbd2_write_superblock	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/kernel/tracing/events/ext4/ext4_prefetch_bitmaps	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/kernel/slab/dma-kmalloc-512	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/kernel/slab/:0000256	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/kernel/debug/tracing/events/filelock/time_out_leases	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/kernel/debug/tracing/events/fs_dax	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/devices/virtual/tty/tty4	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/bus/platform/drivers/intel_pmc_core	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/kernel/tracing/events/ext4/ext4_ext_rm_idx	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/kernel/tracing/events/irq_matrix/irq_matrix_reserve	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/kernel/debug/tracing/events/xhci-hcd/xhci_inc_deq	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/kernel/debug/tracing/events/irq_vectors/deferred_error_apic_exit	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/devices/pci0000:00/0000:00:01.0	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/devices/pci0000:00/0000:00:04.0/ata6/ata_port	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/devices/virtual/tty/tty24/power	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/module/mac_hid/holders	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/kernel/tracing/events/clk/clk_set_parent	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/kernel/tracing/events/syscalls/sys_exit_sync	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/kernel/tracing/events/syscalls/sys_enter_open_tree	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_exit_pkey_free	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/devices/platform/serial8250/tty/ttyS1	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0C0F:01	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/module/raid10/notes	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/module/floppy/notes	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/devices/pci0000:00/0000:00:05.0/usb1/1-1/1-1:1.0	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/devices/virtual/vc/vcsa3	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/bus/i2c/drivers/max8998	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/module/drm_kms_helper/sections	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/kernel/tracing/events/syscalls/sys_exit_utimensat	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/kernel/tracing/events/xen/xen_mmu_pgd_pin	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/kernel/debug/tracing/events/btrfs/add_delayed_ref_head	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_enter_mbind	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/devices/pci0000:00/0000:00:01.1/ata1/link1/dev1.0/ata_device/dev1.0	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/devices/virtual/block/dm-0/holders	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/kernel/tracing/events/io_uring	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/kernel/tracing/events/syscalls/sys_exit_mkdir	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/kernel/slab/kmalloc-rcl-1k	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/kernel/debug/tracing/events/xhci-hcd/xhci_add_endpoint	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/kernel/debug/tracing/events/timer/hrtimer_cancel	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_exit_listxattr	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_enter_readlinkat	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/module/sysimgblt/holders	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/sys/kernel/tracing/events/jbd2/jbd2_update_log_tail	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/913/task/919/net/stat	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/proc/1010/task/1046/attr/smack	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/proc/1127/task/1175/net/dev_snmp6	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/proc/1440/task	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/proc/92/task/92	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/proc/224/net/dev_snmp6	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/proc/781/task/912/attr	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/proc/946	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/proc/1095/task/1095/attr	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/proc/1111/fdinfo	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/proc/1183/task/1199/attr/smack	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/proc/1311/task/1315/attr/apparmor	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/proc/159/cmdline	ps
File opened for reading	/proc/90/status	ps
File opened for reading	/proc/1180/stat	ps
File opened for reading	/proc/76/fdinfo	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/proc/417/map_files	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/proc/788/task/788/fd	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/proc/1127/cmdline	ps
File opened for reading	/proc/428/task/428/net	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/proc/772/task/772/ns	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/proc/928/task/931/attr/apparmor	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/proc/1095/task/1095/fd	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/proc/1098/map_files	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/proc/1411/task/1411/net	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/proc/160/task/160/net/dev_snmp6	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/proc/407/task/407	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/proc/640/task/724/ns	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/proc/1179/fd	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/proc/1198/net/dev_snmp6	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/proc/3/status	ps
File opened for reading	/proc/irq/26	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/proc/21/fdinfo	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/proc/1058/net	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/proc/1091/task/1166/net	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/proc/1218/status	ps
File opened for reading	/proc/594/attr/apparmor	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/proc/613/task/618/fd	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/proc/24/net/stat	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/proc/966/task/969/ns	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/proc/1097/net	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/proc/92/stat	ps
File opened for reading	/proc/26	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/proc/225/fd	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/proc/86	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/proc/977/task/978/attr/apparmor	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/proc/644/task/644/attr/smack	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/proc/644/attr/apparmor	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/proc/928/net/dev_snmp6	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/proc/1095/ns	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/proc/1179/fdinfo	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/proc/913/stat	ps
File opened for reading	/proc/irq/29/ahci[0000:00:04.0]	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/proc/25/fdinfo	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/proc/983/attr	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/proc/1091/fd	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/proc/1096/task/1165/attr/smack	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/proc/1398/net/netfilter	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/proc/119/task/119/net/netfilter	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/proc/1031/task/1033/attr/apparmor	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/proc/99/stat	ps
File opened for reading	/proc/1560/stat	ps
File opened for reading	/proc/634/task/666/attr	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
File opened for reading	/proc/1024/task/1030/fd	2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit

/tmp/2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
/tmp/2024-12-27_3589e9b7abdf6e89063977847351173b_lockbit
1⤵
- Traces remote process
- Reads user data of web browsers
- Reads AppArmor ptrace settings
- Reads hardware information
- Reads network interface configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:1572
- /bin/sh
  sh -c "vim-cmd hostsvc/hostsummary | grep cpuModel | cut -d '\"' -f2"
  2⤵
  PID:1573
- - /usr/bin/grep
    grep cpuModel
    3⤵
    PID:1575
- - /usr/bin/cut
    cut -d "\"" -f2
    3⤵
    PID:1576
- /bin/sh
  sh -c "lscpu | grep \"Model name\" | cut -d ':' -f2"
  2⤵
  PID:1577
- - /usr/bin/cut
    cut -d : -f2
    3⤵
    PID:1580
- - /usr/bin/grep
    grep "Model name"
    3⤵
    PID:1579
- - /usr/bin/lscpu
    lscpu
    3⤵
    - Checks system information (zLinux)
    - Checks CPU configuration
    - Reads CPU attributes
    PID:1578
- /bin/sh
  sh -c "esxcli storage filesystem list | tail -n +3"
  2⤵
  PID:1581
- - /usr/bin/tail
    tail -n +3
    3⤵
    PID:1583
- /bin/sh
  sh -c "lsblk -io KNAME,TYPE,SIZE,MODEL | tail -n +2"
  2⤵
  PID:1584
- - /usr/bin/tail
    tail -n +2
    3⤵
    PID:1586
- - /usr/bin/lsblk
    lsblk -io "KNAME,TYPE,SIZE,MODEL"
    3⤵
    PID:1585
- /bin/sh
  sh -c "uname -a"
  2⤵
  PID:1587
- - /usr/bin/uname
    uname -a
    3⤵
    PID:1588
- /bin/sh
  sh -c "vmware -v"
  2⤵
  PID:1589
- /bin/sh
  sh -c "ls -alR /vmfs/"
  2⤵
  PID:1593
- - /usr/bin/ls
    ls -alR /vmfs/
    3⤵
    PID:1594
- /bin/sh
  sh -c "ps auxf"
  2⤵
  PID:1595
- - /usr/bin/ps
    ps auxf
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1596