Overview

overview

6

Static

static

3

B_W_luminati-cn.exe

windows7-x64

5

B_W_luminati-cn.exe

windows10-2004-x64

6

$PLUGINSDI...er.dll

windows7-x64

3

$PLUGINSDI...er.dll

windows10-2004-x64

3

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

$PLUGINSDI...ll.dll

windows7-x64

3

$PLUGINSDI...ll.dll

windows10-2004-x64

3

LICENSES.c...m.html

windows7-x64

3

LICENSES.c...m.html

windows10-2004-x64

4

Proxy Manager.exe

windows7-x64

5

Proxy Manager.exe

windows10-2004-x64

5

d3dcompiler_47.dll

windows10-2004-x64

3

ffmpeg.dll

windows7-x64

3

ffmpeg.dll

windows10-2004-x64

3

libEGL.dll

windows7-x64

3

libEGL.dll

windows10-2004-x64

3

libGLESv2.dll

windows7-x64

3

libGLESv2.dll

windows10-2004-x64

3

resources/...-CN.js

windows7-x64

3

resources/...-CN.js

windows10-2004-x64

3

resources/...gen.sh

ubuntu-18.04-amd64

3

resources/...gen.sh

debian-9-armhf

3

resources/...gen.sh

debian-9-mips

3

resources/...gen.sh

debian-9-mipsel

3

resources/...dex.js

ubuntu-18.04-amd64

6

resources/...dex.js

debian-9-armhf

6

resources/...dex.js

debian-9-mips

3

resources/...dex.js

debian-9-mipsel

3

resources/...ade.sh

ubuntu-18.04-amd64

4

resources/...ade.sh

debian-9-armhf

4

resources/...ade.sh

debian-9-mips

3

Analysis

  • max time kernel
    1s
  • max time network
    130s
  • platform
    ubuntu-18.04_amd64
  • resource
    ubuntu1804-amd64-20240611-en
  • resource tags

    arch:amd64arch:i386image:ubuntu1804-amd64-20240611-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
  • submitted
    28/03/2025, 13:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    resources/app/bin/lpm_downgrade.sh

  • Size

    486B

  • MD5

    c2913650e886be90c3dc3464cf257124

  • SHA1

    5f3a2794a1c3be209f5074d73a6485b48a4e98ba

  • SHA256

    c00ee8c9bf0002b7b3a5cbc7c25f3dd7d2846950826f70a79ed66ad8d180d202

  • SHA512

    e7528a5266b8a1c8fb895656bb6dfea67eb7e094a442e93ab51d3a01f4bf3c48048a729a84a8a0a12223fd021bcf773055115533fe6590850fb4ab0b5aec717d

Score
4/10
discovery

Malware Config

Signatures

  • Changes its process name 2 IoCs
  • Enumerates kernel/hardware configuration 1 TTPs 1 IoCs

    Reads contents of /sys virtual filesystem to enumerate system information.

    discovery
  • Reads runtime system information 2 IoCs

    Reads data from /proc virtual filesystem.

    discovery

Processes

  • /tmp/resources/app/bin/lpm_downgrade.sh
    /tmp/resources/app/bin/lpm_downgrade.sh
    1⤵
      PID:1501
    • /usr/local/sbin/bash
      bash /tmp/resources/app/bin/lpm_downgrade.sh
      1⤵
        PID:1501
      • /usr/local/bin/bash
        bash /tmp/resources/app/bin/lpm_downgrade.sh
        1⤵
          PID:1501
        • /usr/sbin/bash
          bash /tmp/resources/app/bin/lpm_downgrade.sh
          1⤵
            PID:1501
          • /usr/bin/bash
            bash /tmp/resources/app/bin/lpm_downgrade.sh
            1⤵
              PID:1501
            • /sbin/bash
              bash /tmp/resources/app/bin/lpm_downgrade.sh
              1⤵
                PID:1501
              • /bin/bash
                bash /tmp/resources/app/bin/lpm_downgrade.sh
                1⤵
                  PID:1501
                  • /usr/bin/dirname
                    dirname /tmp/resources/app/bin/lpm_downgrade.sh
                    2⤵
                      PID:1502
                    • /usr/bin/id
                      id -u
                      2⤵
                      • Reads runtime system information
                      PID:1504
                    • /bin/date
                      date "+%s000"
                      2⤵
                        PID:1506
                      • /bin/uname
                        uname -r
                        2⤵
                          PID:1508
                        • /usr/bin/head
                          head -1
                          2⤵
                            PID:1513
                          • /usr/bin/fold
                            fold -w 32
                            2⤵
                              PID:1512
                            • /usr/bin/tr
                              tr -dc a-zA-Z0-9
                              2⤵
                                PID:1511
                              • /usr/bin/head
                                head -80 /dev/urandom
                                2⤵
                                  PID:1510
                                • /bin/uname
                                  uname -s
                                  2⤵
                                    PID:1515
                                  • /usr/bin/npm
                                    npm root -g
                                    2⤵
                                      PID:1516
                                    • /usr/local/sbin/node
                                      node /usr/bin/npm root -g
                                      2⤵
                                        PID:1516
                                      • /usr/local/bin/node
                                        node /usr/bin/npm root -g
                                        2⤵
                                          PID:1516
                                        • /usr/sbin/node
                                          node /usr/bin/npm root -g
                                          2⤵
                                            PID:1516
                                          • /usr/bin/node
                                            node /usr/bin/npm root -g
                                            2⤵
                                            • Changes its process name
                                            • Enumerates kernel/hardware configuration
                                            • Reads runtime system information
                                            PID:1516
                                          • /bin/date
                                            date "+%s"
                                            2⤵
                                              PID:1530
                                            • /usr/bin/curl
                                              curl -s -X POST "https://perr.lum-lpm.com/client_cgi/perr/?id=lpm_cert.downgrade_no_backup" --data "{\"uuid\": \"t6mTKDsrauztKa4H4cCV2fEW6lICWKHl\", \"timestamp\": \"1743164435\", \"ver\": \"%VER%\", \"info\": {\"platform\": \"linux\", \"c_ts\": \"1743164435\", \"c_up_ts\": \"1743164435000\", \"note\": \"\", \"lum\": 0, \"root\":1, \"os_release\":\"4.15.0-213-generic\"}}" -H "Content-Type: application/json"
                                              2⤵
                                                PID:1531

                                            Network

                                            MITRE ATT&CK Enterprise v15

                                            Replay Monitor

                                            Loading Replay Monitor...

                                            Downloads

                                            • /root/.npm/_logs/2025-03-28T12_20_35_557Z-debug-0.log
                                              Filesize

                                              1KB

                                              MD5

                                              22afb1def2dbe5a566a6abf060a3a808

                                              SHA1

                                              67b55cac159fd767fbfe6fe3840cac87b9762d79

                                              SHA256

                                              0b8fc3ff5bf492b6f5d0246e615a45bd80876249d849fcbf4f92f042bafe1663

                                              SHA512

                                              dd4b84efbffc1b0568ab1e5235574148d3ee01c2a9034d94edead6d913e612ef841cb7ecbc07257d6a96a23c7707e34f1723429b4d2fc83bc7fd1aed0099f0ef

                                              Download Submit