Overview

overview

7

Static

static

3

luminati-p...up.exe

windows7-x64

4

luminati-p...up.exe

windows10-2004-x64

6

$PLUGINSDI...er.dll

windows7-x64

3

$PLUGINSDI...er.dll

windows10-2004-x64

3

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

$PLUGINSDI...ll.dll

windows7-x64

3

$PLUGINSDI...ll.dll

windows10-2004-x64

3

LICENSES.c...m.html

windows7-x64

3

LICENSES.c...m.html

windows10-2004-x64

4

Proxy Manager.exe

windows10-2004-x64

6

d3dcompiler_47.dll

windows10-2004-x64

3

ffmpeg.dll

windows10-2004-x64

3

libEGL.dll

windows10-2004-x64

3

libGLESv2.dll

windows10-2004-x64

3

resources/...-CN.js

windows7-x64

3

resources/...-CN.js

windows10-2004-x64

3

resources/...gen.sh

ubuntu-18.04-amd64

3

resources/...gen.sh

debian-9-armhf

3

resources/...gen.sh

debian-9-mips

resources/...gen.sh

debian-9-mipsel

3

resources/...dex.js

ubuntu-18.04-amd64

6

resources/...dex.js

debian-9-armhf

6

resources/...dex.js

debian-9-mips

3

resources/...dex.js

debian-9-mipsel

3

resources/...ade.sh

ubuntu-18.04-amd64

4

resources/...ade.sh

debian-9-armhf

4

resources/...ade.sh

debian-9-mips

1

resources/...ade.sh

debian-9-mipsel

3

resources/...all.sh

ubuntu-18.04-amd64

7

resources/...all.sh

debian-9-armhf

7

resources/...all.sh

debian-9-mips

7

Analysis

  • max time kernel
    1s
  • max time network
    130s
  • platform
    ubuntu-18.04_amd64
  • resource
    ubuntu1804-amd64-20240508-en
  • resource tags

    arch:amd64arch:i386image:ubuntu1804-amd64-20240508-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
  • submitted
    28/03/2025, 12:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    resources/app/bin/lpm_downgrade.sh

  • Size

    486B

  • MD5

    c2913650e886be90c3dc3464cf257124

  • SHA1

    5f3a2794a1c3be209f5074d73a6485b48a4e98ba

  • SHA256

    c00ee8c9bf0002b7b3a5cbc7c25f3dd7d2846950826f70a79ed66ad8d180d202

  • SHA512

    e7528a5266b8a1c8fb895656bb6dfea67eb7e094a442e93ab51d3a01f4bf3c48048a729a84a8a0a12223fd021bcf773055115533fe6590850fb4ab0b5aec717d

Score
4/10
discovery

Malware Config

Signatures

  • Changes its process name 2 IoCs
  • Enumerates kernel/hardware configuration 1 TTPs 1 IoCs

    Reads contents of /sys virtual filesystem to enumerate system information.

    discovery
  • Reads runtime system information 2 IoCs

    Reads data from /proc virtual filesystem.

    discovery

Processes

  • /tmp/resources/app/bin/lpm_downgrade.sh
    /tmp/resources/app/bin/lpm_downgrade.sh
    1⤵
      PID:1518
    • /usr/local/sbin/bash
      bash /tmp/resources/app/bin/lpm_downgrade.sh
      1⤵
        PID:1518
      • /usr/local/bin/bash
        bash /tmp/resources/app/bin/lpm_downgrade.sh
        1⤵
          PID:1518
        • /usr/sbin/bash
          bash /tmp/resources/app/bin/lpm_downgrade.sh
          1⤵
            PID:1518
          • /usr/bin/bash
            bash /tmp/resources/app/bin/lpm_downgrade.sh
            1⤵
              PID:1518
            • /sbin/bash
              bash /tmp/resources/app/bin/lpm_downgrade.sh
              1⤵
                PID:1518
              • /bin/bash
                bash /tmp/resources/app/bin/lpm_downgrade.sh
                1⤵
                  PID:1518
                  • /usr/bin/dirname
                    dirname /tmp/resources/app/bin/lpm_downgrade.sh
                    2⤵
                      PID:1519
                    • /usr/bin/id
                      id -u
                      2⤵
                      • Reads runtime system information
                      PID:1521
                    • /bin/date
                      date "+%s000"
                      2⤵
                        PID:1523
                      • /bin/uname
                        uname -r
                        2⤵
                          PID:1525
                        • /usr/bin/head
                          head -1
                          2⤵
                            PID:1530
                          • /usr/bin/tr
                            tr -dc a-zA-Z0-9
                            2⤵
                              PID:1528
                            • /usr/bin/fold
                              fold -w 32
                              2⤵
                                PID:1529
                              • /usr/bin/head
                                head -80 /dev/urandom
                                2⤵
                                  PID:1527
                                • /bin/uname
                                  uname -s
                                  2⤵
                                    PID:1532
                                  • /usr/bin/npm
                                    npm root -g
                                    2⤵
                                      PID:1533
                                    • /usr/local/sbin/node
                                      node /usr/bin/npm root -g
                                      2⤵
                                        PID:1533
                                      • /usr/local/bin/node
                                        node /usr/bin/npm root -g
                                        2⤵
                                          PID:1533
                                        • /usr/sbin/node
                                          node /usr/bin/npm root -g
                                          2⤵
                                            PID:1533
                                          • /usr/bin/node
                                            node /usr/bin/npm root -g
                                            2⤵
                                            • Changes its process name
                                            • Enumerates kernel/hardware configuration
                                            • Reads runtime system information
                                            PID:1533
                                          • /bin/date
                                            date "+%s"
                                            2⤵
                                              PID:1548
                                            • /usr/bin/curl
                                              curl -s -X POST "https://perr.lum-lpm.com/client_cgi/perr/?id=lpm_cert.downgrade_no_backup" --data "{\"uuid\": \"GeD3M00maSY5wCaWZoU4BVMZZfZo4GQw\", \"timestamp\": \"1743161949\", \"ver\": \"%VER%\", \"info\": {\"platform\": \"linux\", \"c_ts\": \"1743161949\", \"c_up_ts\": \"1743161948000\", \"note\": \"\", \"lum\": 0, \"root\":1, \"os_release\":\"4.15.0-213-generic\"}}" -H "Content-Type: application/json"
                                              2⤵
                                                PID:1549

                                            Network

                                            MITRE ATT&CK Enterprise v15

                                            Replay Monitor

                                            Loading Replay Monitor...

                                            Downloads

                                            • /root/.npm/_logs/2025-03-28T11_39_08_811Z-debug-0.log
                                              Filesize

                                              1KB

                                              MD5

                                              9c3916e46b1064fdef9d53d4dca64867

                                              SHA1

                                              6e7b9caa42d7b3f1aefaf5e811e767f755ac3338

                                              SHA256

                                              f0db6a123401e634cbec778434b79abee215555a3e641ba1239664e8f173218b

                                              SHA512

                                              046a0eaa1158e82ddce757ecf48d301cedb99fba90aa7933617547eadf340225b11084774fc1ba2a40b6caea90075a166ddb3f29df2b6489d04e0087d6848040

                                              Download Submit