Analysis
-
max time kernel
148s -
max time network
281s -
platform
debian-9_armhf -
resource
debian9-armhf-20240611-en -
resource tags
-
submitted
28/03/2025, 12:35
General
-
Target
resources/app/bin/index.js
-
Size
514B
-
MD5
2ffac93c1e0896cf98f1514f70fe8637
-
SHA1
22fa46c684b079fae1a9921a87b3e6c63cc6e373
-
SHA256
15cb73537b76df1b820056767dae3e8730cd91e1798bbd56e04075e8e677382b
-
SHA512
cdc66c2d890c8edc558ffac76b46a3e63bb0b8d95e254860f18bca8c03c72fec51133fbcd7e8983219ef0a707614c9f4aed02f640d8d9afa25ff7e1fea00a4f4
Malware Config
Signatures
-
Creates/modifies environment variables 1 TTPs 1 IoCs
Creating/modifying environment variables is a common persistence mechanism.
-
Enumerates running processes
Discovers information about currently running processes on the system
-
Modifies Bash startup script 2 TTPs 1 IoCs
-
Checks CPU configuration 1 TTPs 3 IoCs
Checks CPU information which indicate if the system is a virtual machine.
-
Reads CPU attributes 1 TTPs 10 IoCs
-
Command and Scripting Interpreter: JavaScript 1 TTPs 4 IoCs
Execution via JavaScript.
-
Command and Scripting Interpreter: Unix Shell 1 TTPs 1 IoCs
Execute scripts via Unix Shell.
-
Enumerates kernel/hardware configuration 1 TTPs 3 IoCs
Reads contents of /sys virtual filesystem to enumerate system information.
-
Reads runtime system information 64 IoCs
Reads data from /proc virtual filesystem.
-
System Network Configuration Discovery 1 TTPs 1 IoCs
Adversaries may gather information about the network configuration of a system.
Processes
-
/tmp/resources/app/bin/index.js/tmp/resources/app/bin/index.js1⤵
-
/usr/local/sbin/nodenode /tmp/resources/app/bin/index.js1⤵
- Command and Scripting Interpreter: JavaScript
-
/usr/local/bin/nodenode /tmp/resources/app/bin/index.js1⤵
- Command and Scripting Interpreter: JavaScript
-
/usr/sbin/nodenode /tmp/resources/app/bin/index.js1⤵
- Command and Scripting Interpreter: JavaScript
-
/usr/bin/nodenode /tmp/resources/app/bin/index.js1⤵
- Checks CPU configuration
- Reads CPU attributes
- Command and Scripting Interpreter: JavaScript
- Enumerates kernel/hardware configuration
-
/usr/bin/node/usr/bin/node "--max-http-header-size=80000" /tmp/resources/app/bin/lum_node.js2⤵
- Creates/modifies environment variables
- Modifies Bash startup script
- Checks CPU configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
-
/bin/sh/bin/sh -c "curl_add_ip(){ if ((\$2)); then PORT=\$2 else PORT=22999 fi ENDPOINT=\"http://127.0.0.1:\$PORT/api/add_whitelist_ip\" DATA=\"ip=\"\$1 curl \$ENDPOINT -X POST -d \$DATA --post301 -L -k }"3⤵
-
-
/bin/sh/bin/sh -c "alias lpm_whitelist_ip='curl_add_ip'"3⤵
- Command and Scripting Interpreter: Unix Shell
- System Network Configuration Discovery
-
-
/usr/local/sbin/psps awwxo "pid,comm"3⤵
-
-
/usr/local/bin/psps awwxo "pid,comm"3⤵
-
-
/usr/sbin/psps awwxo "pid,comm"3⤵
-
-
/usr/bin/psps awwxo "pid,comm"3⤵
-
-
/sbin/psps awwxo "pid,comm"3⤵
-
-
/bin/psps awwxo "pid,comm"3⤵
- Reads CPU attributes
- Reads runtime system information
-
-
/usr/local/sbin/psps awwxo "pid,args"3⤵
-
-
/usr/local/bin/psps awwxo "pid,args"3⤵
-
-
/usr/sbin/psps awwxo "pid,args"3⤵
-
-
/usr/bin/psps awwxo "pid,args"3⤵
-
-
/sbin/psps awwxo "pid,args"3⤵
-
-
/bin/psps awwxo "pid,args"3⤵
- Reads CPU attributes
- Reads runtime system information
-
-
/usr/local/sbin/psps awwxo "pid,ppid"3⤵
-
-
/usr/local/bin/psps awwxo "pid,ppid"3⤵
-
-
/usr/sbin/psps awwxo "pid,ppid"3⤵
-
-
/usr/bin/psps awwxo "pid,ppid"3⤵
-
-
/sbin/psps awwxo "pid,ppid"3⤵
-
-
/bin/psps awwxo "pid,ppid"3⤵
- Reads CPU attributes
- Reads runtime system information
-
-
/usr/local/sbin/psps awwxo "pid,uid"3⤵
-
-
/usr/local/bin/psps awwxo "pid,uid"3⤵
-
-
/usr/sbin/psps awwxo "pid,uid"3⤵
-
-
/usr/bin/psps awwxo "pid,uid"3⤵
-
-
/sbin/psps awwxo "pid,uid"3⤵
-
-
/bin/psps awwxo "pid,uid"3⤵
- Reads CPU attributes
- Reads runtime system information
-
-
/usr/local/sbin/psps awwxo "pid,%cpu"3⤵
-
-
/usr/local/bin/psps awwxo "pid,%cpu"3⤵
-
-
/usr/sbin/psps awwxo "pid,%cpu"3⤵
-
-
/usr/bin/psps awwxo "pid,%cpu"3⤵
-
-
/sbin/psps awwxo "pid,%cpu"3⤵
-
-
/bin/psps awwxo "pid,%cpu"3⤵
- Reads CPU attributes
- Reads runtime system information
-
-
/usr/local/sbin/psps awwxo "pid,%mem"3⤵
-
-
/usr/local/bin/psps awwxo "pid,%mem"3⤵
-
-
/usr/sbin/psps awwxo "pid,%mem"3⤵
-
-
/usr/bin/psps awwxo "pid,%mem"3⤵
-
-
/sbin/psps awwxo "pid,%mem"3⤵
-
-
/bin/psps awwxo "pid,%mem"3⤵
- Reads CPU attributes
- Reads runtime system information
-
-
/usr/bin/node/usr/bin/node "--max-http-header-size=80000" "--max-old-space-size=1024" "--max-http-header-size=80000" /tmp/resources/app/lib/worker.js --dir /root/proxy_manager3⤵
- Checks CPU configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Event Triggered Execution
1Unix Shell Configuration Modification
1Hijack Execution Flow
1Path Interception by PATH Environment Variable
1Privilege Escalation
Boot or Logon Autostart Execution
1Event Triggered Execution
1Unix Shell Configuration Modification
1Hijack Execution Flow
1Path Interception by PATH Environment Variable
1Defense Evasion
Hijack Execution Flow
1Path Interception by PATH Environment Variable
1Virtualization/Sandbox Evasion
1System Checks
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
415B
MD5214093e5b3f6b62b375a3d25b7fd5c81
SHA18e923057ec93af40113c65e5dd1b2dd6a4aee0af
SHA2567a03ae13f2b31daf01ee5ead7202fed3b105fae3a218ea5b15d6d12735711d09
SHA51216036ae1f543516448ceaef5d4fcd8dfea671c2abc0caec71702b2a0aedcb853ceb4edcbb4c86c612d689afc72b3302a5f8cc44c39cff8fd8c36d8533bb47d46
-
Filesize
36B
MD5c883df830b62c021eb1fd421d44e6037
SHA13dc3dab54c9645ad26a363375bfcc5ed688c529d
SHA256731cf8df624fe863294c1741c1af970ecc2c3602be718d701810b49c404dd29a
SHA512b59a0fc9e67767af0ef74ad6ef509fee1741e63c6f0ca166c8f53b7a95a461e86ae45529776f1b1fd19397f23d79298518d65725c29a16111319c86462e3292e
-
Filesize
7KB
MD51c7b4bc5e90f9d34d9010c875cde2eea
SHA1fd3af175f4e48fe104bdd58485a3db98b95237ac
SHA25603d7b98ad4b28769d0d5f70bc2911057cd5d8df3680de2c3149ceed557607dc9
SHA5128a172b42d8b487d85e2ed2c076e03628032c78e8c24c1e127ac9c5cf71e20ef97d31d621846ce160be87374382e0c472a21af5bbd35c542f87ceab278ccb1ed6
-
Filesize
2KB
MD5306d0f06cf985c504165e6e15c00c90f
SHA13390cbe446b4e9169b8be2f3acd0dc45c501a335
SHA256ae511709194337bd29b5b5b58ccbc6e2201893af67d6fa707c067653b4448859
SHA5121d2b0ac986a3c968c932a1efc55fb8fb84d1d1e6f57e75b716a3ca191b0452e40639d562cf8289d286fb823fa63234daf4065aa63725aeae105448c614a9fd27
-
Filesize
2.9MB
MD57d527ded0181af6413a4a5350a99b3cf
SHA1e51e467fda74901730c7c1cba6cfa8846b212662
SHA25673a1059a8db4cc0b05a6c7e980aca23e159ba224939fb6e82070767785233fe2
SHA512d81762d6257f4b74b8f96eda6967f1165e1b6fa41aabd04ab42c3ec40c9c9314faba0659a32243740825590776b3c9ee54eeada2378d603b71a71eb643b95b15