Analysis
-
max time kernel
149s -
max time network
292s -
platform
debian-9_armhf -
resource
debian9-armhf-20240611-en -
resource tags
-
submitted
28/03/2025, 13:17
General
-
Target
resources/app/bin/index.js
-
Size
514B
-
MD5
2ffac93c1e0896cf98f1514f70fe8637
-
SHA1
22fa46c684b079fae1a9921a87b3e6c63cc6e373
-
SHA256
15cb73537b76df1b820056767dae3e8730cd91e1798bbd56e04075e8e677382b
-
SHA512
cdc66c2d890c8edc558ffac76b46a3e63bb0b8d95e254860f18bca8c03c72fec51133fbcd7e8983219ef0a707614c9f4aed02f640d8d9afa25ff7e1fea00a4f4
Malware Config
Signatures
-
Creates/modifies environment variables 1 TTPs 1 IoCs
Creating/modifying environment variables is a common persistence mechanism.
-
Enumerates running processes
Discovers information about currently running processes on the system
-
Modifies Bash startup script 2 TTPs 1 IoCs
-
Checks CPU configuration 1 TTPs 3 IoCs
Checks CPU information which indicate if the system is a virtual machine.
-
Reads CPU attributes 1 TTPs 10 IoCs
-
Command and Scripting Interpreter: JavaScript 1 TTPs 4 IoCs
Execution via JavaScript.
-
Command and Scripting Interpreter: Unix Shell 1 TTPs 1 IoCs
Execute scripts via Unix Shell.
-
Enumerates kernel/hardware configuration 1 TTPs 3 IoCs
Reads contents of /sys virtual filesystem to enumerate system information.
-
Reads runtime system information 64 IoCs
Reads data from /proc virtual filesystem.
-
System Network Configuration Discovery 1 TTPs 1 IoCs
Adversaries may gather information about the network configuration of a system.
Processes
-
/tmp/resources/app/bin/index.js/tmp/resources/app/bin/index.js1⤵
-
/usr/local/sbin/nodenode /tmp/resources/app/bin/index.js1⤵
- Command and Scripting Interpreter: JavaScript
-
/usr/local/bin/nodenode /tmp/resources/app/bin/index.js1⤵
- Command and Scripting Interpreter: JavaScript
-
/usr/sbin/nodenode /tmp/resources/app/bin/index.js1⤵
- Command and Scripting Interpreter: JavaScript
-
/usr/bin/nodenode /tmp/resources/app/bin/index.js1⤵
- Checks CPU configuration
- Reads CPU attributes
- Command and Scripting Interpreter: JavaScript
- Enumerates kernel/hardware configuration
-
/usr/bin/node/usr/bin/node "--max-http-header-size=80000" /tmp/resources/app/bin/lum_node.js2⤵
- Creates/modifies environment variables
- Modifies Bash startup script
- Checks CPU configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
-
/bin/sh/bin/sh -c "curl_add_ip(){ if ((\$2)); then PORT=\$2 else PORT=22999 fi ENDPOINT=\"http://127.0.0.1:\$PORT/api/add_whitelist_ip\" DATA=\"ip=\"\$1 curl \$ENDPOINT -X POST -d \$DATA --post301 -L -k }"3⤵
-
-
/bin/sh/bin/sh -c "alias lpm_whitelist_ip='curl_add_ip'"3⤵
- Command and Scripting Interpreter: Unix Shell
- System Network Configuration Discovery
-
-
/usr/local/sbin/psps awwxo "pid,comm"3⤵
-
-
/usr/local/bin/psps awwxo "pid,comm"3⤵
-
-
/usr/sbin/psps awwxo "pid,comm"3⤵
-
-
/usr/bin/psps awwxo "pid,comm"3⤵
-
-
/sbin/psps awwxo "pid,comm"3⤵
-
-
/bin/psps awwxo "pid,comm"3⤵
- Reads CPU attributes
- Reads runtime system information
-
-
/usr/local/sbin/psps awwxo "pid,args"3⤵
-
-
/usr/local/bin/psps awwxo "pid,args"3⤵
-
-
/usr/sbin/psps awwxo "pid,args"3⤵
-
-
/usr/bin/psps awwxo "pid,args"3⤵
-
-
/sbin/psps awwxo "pid,args"3⤵
-
-
/bin/psps awwxo "pid,args"3⤵
- Reads CPU attributes
- Reads runtime system information
-
-
/usr/local/sbin/psps awwxo "pid,ppid"3⤵
-
-
/usr/local/bin/psps awwxo "pid,ppid"3⤵
-
-
/usr/sbin/psps awwxo "pid,ppid"3⤵
-
-
/usr/bin/psps awwxo "pid,ppid"3⤵
-
-
/sbin/psps awwxo "pid,ppid"3⤵
-
-
/bin/psps awwxo "pid,ppid"3⤵
- Reads CPU attributes
- Reads runtime system information
-
-
/usr/local/sbin/psps awwxo "pid,uid"3⤵
-
-
/usr/local/bin/psps awwxo "pid,uid"3⤵
-
-
/usr/sbin/psps awwxo "pid,uid"3⤵
-
-
/usr/bin/psps awwxo "pid,uid"3⤵
-
-
/sbin/psps awwxo "pid,uid"3⤵
-
-
/bin/psps awwxo "pid,uid"3⤵
- Reads CPU attributes
- Reads runtime system information
-
-
/usr/local/sbin/psps awwxo "pid,%cpu"3⤵
-
-
/usr/local/bin/psps awwxo "pid,%cpu"3⤵
-
-
/usr/sbin/psps awwxo "pid,%cpu"3⤵
-
-
/usr/bin/psps awwxo "pid,%cpu"3⤵
-
-
/sbin/psps awwxo "pid,%cpu"3⤵
-
-
/bin/psps awwxo "pid,%cpu"3⤵
- Reads CPU attributes
- Reads runtime system information
-
-
/usr/local/sbin/psps awwxo "pid,%mem"3⤵
-
-
/usr/local/bin/psps awwxo "pid,%mem"3⤵
-
-
/usr/sbin/psps awwxo "pid,%mem"3⤵
-
-
/usr/bin/psps awwxo "pid,%mem"3⤵
-
-
/sbin/psps awwxo "pid,%mem"3⤵
-
-
/bin/psps awwxo "pid,%mem"3⤵
- Reads CPU attributes
- Reads runtime system information
-
-
/usr/bin/node/usr/bin/node "--max-http-header-size=80000" "--max-old-space-size=1024" "--max-http-header-size=80000" /tmp/resources/app/lib/worker.js --dir /root/proxy_manager3⤵
- Checks CPU configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Event Triggered Execution
1Unix Shell Configuration Modification
1Hijack Execution Flow
1Path Interception by PATH Environment Variable
1Privilege Escalation
Boot or Logon Autostart Execution
1Event Triggered Execution
1Unix Shell Configuration Modification
1Hijack Execution Flow
1Path Interception by PATH Environment Variable
1Defense Evasion
Hijack Execution Flow
1Path Interception by PATH Environment Variable
1Virtualization/Sandbox Evasion
1System Checks
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2B
MD599914b932bd37a50b983c5e7c90ae93b
SHA1bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA25644136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA51227c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
-
Filesize
415B
MD5f2efefe906bcb1c767e5744ff916ae13
SHA12e4fc7b8c6a6ff1a0081517589b3b42314d76e55
SHA25671a86f203ceff8524588f4eafd3283b7c77eb5e341f6f624e8db6adfc54ab665
SHA512fd053d2a69b20361fd49482ee8d6ac64d4cae92515874435270c62141a11ed871c233bda8e528ba39166e2c3fc091f339bdde5016509f171770dd7714cafb987
-
Filesize
36B
MD50bb60bce9609b70c5e02dca122073794
SHA149ed0adc8fe3dd138f1f8e218c38fde5aa08b094
SHA256894e491a42287764653e93f24203541272dfd150524465732c34f2c667030d5e
SHA512a339863831cf5e881d86330d7e59613c50cba00007db5f6156f34dddc9bb82bba38db6b0a5e4011e08df617125a4ec2824aa469fc363a08f68b19352212a9e84
-
Filesize
7KB
MD51c7b4bc5e90f9d34d9010c875cde2eea
SHA1fd3af175f4e48fe104bdd58485a3db98b95237ac
SHA25603d7b98ad4b28769d0d5f70bc2911057cd5d8df3680de2c3149ceed557607dc9
SHA5128a172b42d8b487d85e2ed2c076e03628032c78e8c24c1e127ac9c5cf71e20ef97d31d621846ce160be87374382e0c472a21af5bbd35c542f87ceab278ccb1ed6
-
Filesize
2KB
MD5bf0f61a9892e44ebe77fcac4329d4e1a
SHA1f643ece4b787519ad01d8ffef7770c45beae6584
SHA25683a6745c0efea47387b9ac7a4a6fc9afa33b5b882cdca5563d0a9cc56de24ece
SHA51293376e2a4619bb610beb472f0402a42eac7418af0323b6881c103b11d7fbe4830c508a0d439c1537c7f643eb853571f509b1cd2997d308e4d2f02d557e8182f0
-
Filesize
2.9MB
MD57d527ded0181af6413a4a5350a99b3cf
SHA1e51e467fda74901730c7c1cba6cfa8846b212662
SHA25673a1059a8db4cc0b05a6c7e980aca23e159ba224939fb6e82070767785233fe2
SHA512d81762d6257f4b74b8f96eda6967f1165e1b6fa41aabd04ab42c3ec40c9c9314faba0659a32243740825590776b3c9ee54eeada2378d603b71a71eb643b95b15