Analysis
-
max time kernel
149s -
max time network
158s -
platform
ubuntu-18.04_amd64 -
resource
ubuntu1804-amd64-20240508-en -
resource tags
-
submitted
28/03/2025, 13:17
General
-
Target
resources/app/bin/index.js
-
Size
514B
-
MD5
2ffac93c1e0896cf98f1514f70fe8637
-
SHA1
22fa46c684b079fae1a9921a87b3e6c63cc6e373
-
SHA256
15cb73537b76df1b820056767dae3e8730cd91e1798bbd56e04075e8e677382b
-
SHA512
cdc66c2d890c8edc558ffac76b46a3e63bb0b8d95e254860f18bca8c03c72fec51133fbcd7e8983219ef0a707614c9f4aed02f640d8d9afa25ff7e1fea00a4f4
Malware Config
Signatures
-
Creates/modifies environment variables 1 TTPs 1 IoCs
Creating/modifying environment variables is a common persistence mechanism.
-
Enumerates running processes
Discovers information about currently running processes on the system
-
Modifies Bash startup script 2 TTPs 1 IoCs
-
Checks CPU configuration 1 TTPs 1 IoCs
Checks CPU information which indicate if the system is a virtual machine.
-
Reads CPU attributes 1 TTPs 7 IoCs
-
Command and Scripting Interpreter: JavaScript 1 TTPs 4 IoCs
Execution via JavaScript.
-
Command and Scripting Interpreter: Unix Shell 1 TTPs 1 IoCs
Execute scripts via Unix Shell.
-
Enumerates kernel/hardware configuration 1 TTPs 3 IoCs
Reads contents of /sys virtual filesystem to enumerate system information.
-
Reads runtime system information 64 IoCs
Reads data from /proc virtual filesystem.
-
System Network Configuration Discovery 1 TTPs 1 IoCs
Adversaries may gather information about the network configuration of a system.
Processes
-
/tmp/resources/app/bin/index.js/tmp/resources/app/bin/index.js1⤵
-
/usr/local/sbin/nodenode /tmp/resources/app/bin/index.js1⤵
- Command and Scripting Interpreter: JavaScript
-
/usr/local/bin/nodenode /tmp/resources/app/bin/index.js1⤵
- Command and Scripting Interpreter: JavaScript
-
/usr/sbin/nodenode /tmp/resources/app/bin/index.js1⤵
- Command and Scripting Interpreter: JavaScript
-
/usr/bin/nodenode /tmp/resources/app/bin/index.js1⤵
- Command and Scripting Interpreter: JavaScript
- Enumerates kernel/hardware configuration
-
/usr/bin/node/usr/bin/node "--max-http-header-size=80000" /tmp/resources/app/bin/lum_node.js2⤵
- Creates/modifies environment variables
- Modifies Bash startup script
- Checks CPU configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
-
/bin/sh/bin/sh -c "curl_add_ip(){ if ((\$2)); then PORT=\$2 else PORT=22999 fi ENDPOINT=\"http://127.0.0.1:\$PORT/api/add_whitelist_ip\" DATA=\"ip=\"\$1 curl \$ENDPOINT -X POST -d \$DATA --post301 -L -k }"3⤵
-
-
/bin/sh/bin/sh -c "alias lpm_whitelist_ip='curl_add_ip'"3⤵
- Command and Scripting Interpreter: Unix Shell
- System Network Configuration Discovery
-
-
/usr/local/sbin/psps awwxo "pid,comm"3⤵
-
-
/usr/local/bin/psps awwxo "pid,comm"3⤵
-
-
/usr/sbin/psps awwxo "pid,comm"3⤵
-
-
/usr/bin/psps awwxo "pid,comm"3⤵
-
-
/sbin/psps awwxo "pid,comm"3⤵
-
-
/bin/psps awwxo "pid,comm"3⤵
- Reads CPU attributes
- Reads runtime system information
-
-
/usr/local/sbin/psps awwxo "pid,args"3⤵
-
-
/usr/local/bin/psps awwxo "pid,args"3⤵
-
-
/usr/sbin/psps awwxo "pid,args"3⤵
-
-
/usr/bin/psps awwxo "pid,args"3⤵
-
-
/sbin/psps awwxo "pid,args"3⤵
-
-
/bin/psps awwxo "pid,args"3⤵
- Reads CPU attributes
- Reads runtime system information
-
-
/usr/local/sbin/psps awwxo "pid,ppid"3⤵
-
-
/usr/local/bin/psps awwxo "pid,ppid"3⤵
-
-
/usr/sbin/psps awwxo "pid,ppid"3⤵
-
-
/usr/bin/psps awwxo "pid,ppid"3⤵
-
-
/sbin/psps awwxo "pid,ppid"3⤵
-
-
/bin/psps awwxo "pid,ppid"3⤵
- Reads CPU attributes
- Reads runtime system information
-
-
/usr/local/sbin/psps awwxo "pid,uid"3⤵
-
-
/usr/local/bin/psps awwxo "pid,uid"3⤵
-
-
/usr/sbin/psps awwxo "pid,uid"3⤵
-
-
/usr/bin/psps awwxo "pid,uid"3⤵
-
-
/sbin/psps awwxo "pid,uid"3⤵
-
-
/bin/psps awwxo "pid,uid"3⤵
- Reads CPU attributes
- Reads runtime system information
-
-
/usr/local/sbin/psps awwxo "pid,%cpu"3⤵
-
-
/usr/local/bin/psps awwxo "pid,%cpu"3⤵
-
-
/usr/sbin/psps awwxo "pid,%cpu"3⤵
-
-
/usr/bin/psps awwxo "pid,%cpu"3⤵
-
-
/sbin/psps awwxo "pid,%cpu"3⤵
-
-
/bin/psps awwxo "pid,%cpu"3⤵
- Reads CPU attributes
- Reads runtime system information
-
-
/usr/local/sbin/psps awwxo "pid,%mem"3⤵
-
-
/usr/local/bin/psps awwxo "pid,%mem"3⤵
-
-
/usr/sbin/psps awwxo "pid,%mem"3⤵
-
-
/usr/bin/psps awwxo "pid,%mem"3⤵
-
-
/sbin/psps awwxo "pid,%mem"3⤵
-
-
/bin/psps awwxo "pid,%mem"3⤵
- Reads CPU attributes
- Reads runtime system information
-
-
/usr/bin/node/usr/bin/node "--max-http-header-size=80000" "--max-old-space-size=1024" "--max-http-header-size=80000" /tmp/resources/app/lib/worker.js --dir /root/proxy_manager3⤵
- Enumerates kernel/hardware configuration
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Event Triggered Execution
1Unix Shell Configuration Modification
1Hijack Execution Flow
1Path Interception by PATH Environment Variable
1Privilege Escalation
Boot or Logon Autostart Execution
1Event Triggered Execution
1Unix Shell Configuration Modification
1Hijack Execution Flow
1Path Interception by PATH Environment Variable
1Defense Evasion
Hijack Execution Flow
1Path Interception by PATH Environment Variable
1Virtualization/Sandbox Evasion
1System Checks
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2B
MD599914b932bd37a50b983c5e7c90ae93b
SHA1bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA25644136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA51227c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
-
Filesize
415B
MD578a970cd22646528b326c1fcd60a742a
SHA1c1d479ac754fb985a1204a406887c86fb7953196
SHA256cae5fbec574f4215a34aaee3d2af103daefabebf09987c65275408833035107a
SHA512e6429c74189d6996bdc24c157119df725d50cca71f2b602840d4872859f863210fd5ddf129f40e78bb7e438fe46b81431561d97cc58c00cb39e964df6ca95617
-
Filesize
36B
MD5b0452fb154dbf16d4160bfb591c623a6
SHA19d376982d1432892a65afff9461398b7f33614aa
SHA256c623df9a980051d85830c43a20219ac7e7cb1c23d04a039a2134753de1f07fba
SHA512b739c266dcf03087ca17a7036ddaf394a0bd8dad52ab75ebbe70a5807ce51793bc13c9688dbd35e30eda3b306355de449d9b00744c2d82ac5a35f53ba88ee028
-
Filesize
1KB
MD5bd2ee96c4dba0a05b4b257d8204efb9a
SHA13355dad1ed0f65ad5c8abad3a758ca9c19775070
SHA256110f43dcbe2d96ee5edcb6a367f3ab4972cd82389bd7a0a19f267193a322f702
SHA512d6313617047037b537b02d19244c071fc987eb03b4e1fe976b58abf18666efc9db1898c9dcebaee4b165568dcba9ba344fc897cbbbeea757a3151a9c5b202a89