e9bd299eec7dbee7d4f5c97ccf8ab27a7b77388eaa649f353e41df8b7b1df755

General

Target

spy-agent-setup-linux.run
Size

97KB
MD5

213c6443b2bd78c4e0aad54ec8338214
SHA1

264bd2b6d809a519b4348dbfc5791d3fc9342af8
SHA256

e9bd299eec7dbee7d4f5c97ccf8ab27a7b77388eaa649f353e41df8b7b1df755
SHA512

5dd067120c4371ad48123c8c2b21e679196c0fb7a4607cb3bd2c5cc35eee491164685bd566469649bc273460729073c4e4cbc24b1970fc5739f9b383291149e6

Score

7^/10

Malware Config

Signatures

Write file to user bin folder 1 TTPs 1 IoCs

Hijack Execution Flow
T1574

Processes:

which

description ioc process

/usr/bin/which /usr/bin/which which

description	ioc	process
/usr/bin/which	/usr/bin/which	which

Reads runtime system information 10 IoCs

Reads data from /proc virtual filesystem.

Processes:

idcpdftaridmkdircpcpidmkdir

description	ioc	process
/proc/filesystems	/proc/filesystems	id
/proc/filesystems	/proc/filesystems	cp
/proc/self/mountinfo	/proc/self/mountinfo	df
/proc/filesystems	/proc/filesystems	tar
/proc/filesystems	/proc/filesystems	id
/proc/filesystems	/proc/filesystems	mkdir
/proc/filesystems	/proc/filesystems	cp
/proc/filesystems	/proc/filesystems	cp
/proc/filesystems	/proc/filesystems	id
/proc/filesystems	/proc/filesystems	mkdir

Writes file to tmp directory 12 IoCs

Malware often drops required files in the /tmp directory.

Processes:

rm

description	ioc	process
/tmp/spy-agent/~/.cache/gnome-software/gnome-shell-extensions/rtp.dat	/tmp/spy-agent/~/.cache/gnome-software/gnome-shell-extensions/rtp.dat	rm
/tmp/spy-agent/setup.sh	/tmp/spy-agent/setup.sh	rm
/tmp/spy-agent/gnome-shell-ext.sh	/tmp/spy-agent/gnome-shell-ext.sh	rm
/tmp/spy-agent/gnome-shell-ext	/tmp/spy-agent/gnome-shell-ext	rm
/tmp/spy-agent/~/.cache	/tmp/spy-agent/~/.cache	rm
/tmp/spy-agent/~/.cache/gnome-software	/tmp/spy-agent/~/.cache/gnome-software	rm
/tmp/spy-agent/~/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext	/tmp/spy-agent/~/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext	rm
/tmp/spy-agent	/tmp/spy-agent	rm
/tmp/spy-agent/rtp.dat	/tmp/spy-agent/rtp.dat	rm
/tmp/spy-agent/~	/tmp/spy-agent/~	rm
/tmp/spy-agent/~/.cache/gnome-software/gnome-shell-extensions	/tmp/spy-agent/~/.cache/gnome-software/gnome-shell-extensions	rm
/tmp/spy-agent/~/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh	/tmp/spy-agent/~/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh	rm

./spy-agent-setup-linux.run
./spy-agent-setup-linux.run
1⤵
PID:563

/usr/bin/id
id -u
2⤵
- Reads runtime system information
PID:565

/usr/bin/tty
tty -s
2⤵
PID:566

/bin/mkdir
mkdir -p spy-agent
2⤵
- Reads runtime system information
PID:567

/usr/bin/basename
basename /usr/bin/md5sum
2⤵
PID:578

/usr/bin/expr
expr 1 + 1
2⤵
PID:600

/usr/bin/expr
expr 12780 + 87243
2⤵
PID:601

/bin/chgrp
chgrp -R 0 .
2⤵
PID:629

/usr/bin/expr
expr 12780 + 87243
2⤵
PID:633

./setup.sh
./setup.sh
2⤵
PID:634

/bin/mkdir
mkdir -p "~/.cache/gnome-software/gnome-shell-extensions"
3⤵
- Reads runtime system information
PID:635

/bin/cp
cp ./gnome-shell-ext "~/.cache/gnome-software/gnome-shell-extensions"
3⤵
- Reads runtime system information
PID:636

/bin/cp
cp ./gnome-shell-ext.sh "~/.cache/gnome-software/gnome-shell-extensions"
3⤵
- Reads runtime system information
PID:637

/bin/cp
cp ./rtp.dat "~/.cache/gnome-software/gnome-shell-extensions"
3⤵
- Reads runtime system information
PID:638

/bin/chmod
chmod +x "~/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext"
3⤵
PID:639

/bin/chmod
chmod +x "~/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh"
3⤵
PID:640

/bin/grep
grep -q "0-59 * * * * ~/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh"
3⤵
PID:642

/usr/bin/crontab
crontab -l
3⤵
PID:641

/usr/bin/crontab
crontab -u root -
3⤵
PID:645

/usr/bin/crontab
crontab -u root -l
3⤵
PID:643

/bin/rm
rm -rf -- /tmp/spy-agent
3⤵
- Writes file to tmp directory
PID:651

/usr/bin/nohup
nohup "~/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh"
3⤵
PID:649

~/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh
"~/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh"
3⤵
PID:649

/bin/pidof
pidof gnome-shell-ext
4⤵
PID:652

~/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext
"~/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext"
4⤵
PID:657

/usr/bin/which
which md5sum
1⤵
- Write file to user bin folder
PID:570

/usr/bin/tr
tr -d " "
1⤵
PID:574

/usr/bin/wc
wc -c
1⤵
PID:573

/usr/bin/head
head -n 522 ./spy-agent-setup-linux.run
1⤵
PID:572

/usr/bin/cut
cut "-d " -f1
1⤵
PID:577

/usr/bin/cut
cut "-d " -f1
1⤵
PID:581

/usr/bin/cut
cut -b-32
1⤵
PID:585

/usr/bin/expr
expr 4194304 / 4
1⤵
PID:587

/usr/bin/md5sum
/usr/bin/md5sum
1⤵
PID:586

/usr/bin/expr
expr 1048576 / 4
1⤵
PID:588

/usr/bin/expr
expr 262144 / 4
1⤵
PID:589

/usr/bin/expr
expr 87243 / 65536
1⤵
PID:590

/usr/bin/expr
expr 87243 "%" 65536
1⤵
PID:591

/bin/dd
dd "ibs=12780" "skip=1"
1⤵
PID:593

/usr/bin/expr
expr 0 + 65536
1⤵
PID:594

/bin/dd
dd "bs=65536" "count=1"
1⤵
PID:595

/usr/bin/expr
expr 87243 / 100
1⤵
PID:596

/usr/bin/expr
expr 65536 / 872
1⤵
PID:597

/usr/bin/expr
expr 65536 + 65536
1⤵
PID:598

/bin/dd
dd "bs=21707" "count=1"
1⤵
PID:599

/usr/bin/tr
tr -d " "
1⤵
PID:605

/usr/bin/wc
wc -c
1⤵
PID:604

/usr/bin/head
head -n 522 ./spy-agent-setup-linux.run
1⤵
PID:603

/usr/bin/awk
awk "{ if (\$4 ~ /%/) {print \$3} else {print \$4} }"
1⤵
PID:610

/usr/bin/tail
tail -1
1⤵
PID:609

/bin/df
df -kP spy-agent
1⤵
- Reads runtime system information
PID:608

/bin/tar
tar xpvf -
1⤵
- Reads runtime system information
PID:614

/bin/gzip
gzip -cd
1⤵
PID:615

/usr/bin/expr
expr 4194304 / 4
1⤵
PID:616

/usr/bin/expr
expr 1048576 / 4
1⤵
PID:617

/usr/bin/expr
expr 262144 / 4
1⤵
PID:618

/usr/bin/expr
expr 87243 / 65536
1⤵
PID:619

/usr/bin/expr
expr 87243 "%" 65536
1⤵
PID:620

/bin/dd
dd "ibs=12780" "skip=1"
1⤵
PID:622

/usr/bin/expr
expr 0 + 65536
1⤵
PID:623

/bin/dd
dd "bs=65536" "count=1"
1⤵
PID:624

/usr/bin/expr
expr 87243 / 100
1⤵
PID:625

/usr/bin/expr
expr 65536 / 872
1⤵
PID:626

/usr/bin/expr
expr 65536 + 65536
1⤵
PID:627

/bin/dd
dd "bs=21707" "count=1"
1⤵
PID:628

/usr/bin/id
id -u
1⤵
- Reads runtime system information
PID:630

/bin/chown
chown -R 0 .
1⤵
PID:631

/usr/bin/id
id -g
1⤵
- Reads runtime system information
PID:632

/bin/cat
cat
1⤵
PID:647

/usr/bin/whoami
whoami
1⤵
PID:646

/usr/bin/whoami
whoami
1⤵
PID:648

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hijack Execution Flow

1

T1574

Privilege Escalation

Hijack Execution Flow

1

T1574

Defense Evasion

Hijack Execution Flow

1

T1574

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads