963b06d98c115aa44fff216ee477e49d66072df33838be1bb1f141dedf6c4d02

Analysis

max time kernel
6s
max time network
122s
platform
debian-9_armhf
resource
debian9-armhf-20240729-en
resource tags

arch:armhfimage:debian9-armhf-20240729-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
28/03/2025, 12:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

resources/app/bin/lpm_downgrade.sh
Size

486B
MD5

c2913650e886be90c3dc3464cf257124
SHA1

5f3a2794a1c3be209f5074d73a6485b48a4e98ba
SHA256

c00ee8c9bf0002b7b3a5cbc7c25f3dd7d2846950826f70a79ed66ad8d180d202
SHA512

e7528a5266b8a1c8fb895656bb6dfea67eb7e094a442e93ab51d3a01f4bf3c48048a729a84a8a0a12223fd021bcf773055115533fe6590850fb4ab0b5aec717d

Score

4^/10

antivm discovery

Malware Config

Signatures

Changes its process name 2 IoCs

description	ioc	pid	Process
Changes the process name, possibly in an attempt to hide itself	npm	798	node
Changes the process name, possibly in an attempt to hide itself	npm root	798	node

Checks CPU configuration 1 TTPs 2 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

description	ioc	Process
File opened for reading	/proc/cpuinfo	node
File opened for reading	/proc/cpuinfo	curl

Reads CPU attributes 1 TTPs 1 IoCs

discovery

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	node

Enumerates kernel/hardware configuration 1 TTPs 1 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

discovery

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/fs/cgroup/memory/memory.limit_in_bytes	node

Reads runtime system information 5 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/filesystems	id
File opened for reading	/proc/meminfo	node
File opened for reading	/proc/sys/vm/overcommit_memory	node
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl

/tmp/resources/app/bin/lpm_downgrade.sh
/tmp/resources/app/bin/lpm_downgrade.sh
1⤵
PID:779

/usr/local/sbin/bash
bash /tmp/resources/app/bin/lpm_downgrade.sh
1⤵
PID:779

/usr/local/bin/bash
bash /tmp/resources/app/bin/lpm_downgrade.sh
1⤵
PID:779

/usr/sbin/bash
bash /tmp/resources/app/bin/lpm_downgrade.sh
1⤵
PID:779

/usr/bin/bash
bash /tmp/resources/app/bin/lpm_downgrade.sh
1⤵
PID:779

/sbin/bash
bash /tmp/resources/app/bin/lpm_downgrade.sh
1⤵
PID:779

/bin/bash
bash /tmp/resources/app/bin/lpm_downgrade.sh
1⤵
PID:779
- /usr/bin/dirname
  dirname /tmp/resources/app/bin/lpm_downgrade.sh
  2⤵
  PID:780
- /usr/bin/id
  id -u
  2⤵
  - Reads runtime system information
  PID:782
- /bin/date
  date "+%s000"
  2⤵
  PID:784
- /bin/uname
  uname -r
  2⤵
  PID:788
- /usr/bin/tr
  tr -dc a-zA-Z0-9
  2⤵
  PID:793
- /usr/bin/head
  head -1
  2⤵
  PID:795
- /usr/bin/head
  head -80 /dev/urandom
  2⤵
  PID:792
- /usr/bin/fold
  fold -w 32
  2⤵
  PID:794
- /bin/uname
  uname -s
  2⤵
  PID:797
- /usr/bin/npm
  npm root -g
  2⤵
  PID:798
- /usr/local/sbin/node
  node /usr/bin/npm root -g
  2⤵
  PID:798
- /usr/local/bin/node
  node /usr/bin/npm root -g
  2⤵
  PID:798
- /usr/sbin/node
  node /usr/bin/npm root -g
  2⤵
  PID:798
- /usr/bin/node
  node /usr/bin/npm root -g
  2⤵
  - Changes its process name
  - Checks CPU configuration
  - Reads CPU attributes
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:798
- /bin/date
  date "+%s"
  2⤵
  PID:810
- /usr/bin/curl
  curl -s -X POST "https://perr.lum-lpm.com/client_cgi/perr/?id=lpm_cert.downgrade_no_backup" --data "{\"uuid\": \"MAMVpthgtPoYv2QjBttOS6K0Q6vFznQ5\", \"timestamp\": \"1743162076\", \"ver\": \"%VER%\", \"info\": {\"platform\": \"linux\", \"c_ts\": \"1743162076\", \"c_up_ts\": \"1743162070000\", \"note\": \"\", \"lum\": 0, \"root\":1, \"os_release\":\"4.9.0-13-armmp-lpae\"}}" -H "Content-Type: application/json"
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  PID:811

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/root/.npm/_logs/2025-03-28T11_41_15_477Z-debug-0.log

Filesize
1KB

MD5
3f740d552d9e46e16392c437998d946f

SHA1
822f9b506de8f3c6830af4dffe29002e1e73c197

SHA256
ebcdd0e6ad7c9dde2d7bcf48805ec79b24b77b50a6aeed5ae1fbf0b8c1e42038

SHA512
e35a65778e6ab0dc0c9b0719835156cabfa5a5bcfadbcbc4c81b202469e768a1d148d20d9f7ab75361ba1b5901113c9cc6bb6f5b3a49127f9f0024e9ff1ac2d0

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads