e9bd299eec7dbee7d4f5c97ccf8ab27a7b77388eaa649f353e41df8b7b1df755

Resubmissions

11-06-2021 18:36

210611-dgt8yndgw6 10

06-01-2021 03:28

210106-k31d8h8dkx 10

25-11-2020 08:48

201125-mhfnf9gxta 10

24-11-2020 11:08

201124-yfsf7l7s3s 10

Analysis

max time kernel
0s
max time network
124s
platform
linux_amd64
resource
ubuntu-amd64
submitted
24-11-2020 11:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

spy-agent-setup-linux.run
Size

97KB
MD5

213c6443b2bd78c4e0aad54ec8338214
SHA1

264bd2b6d809a519b4348dbfc5791d3fc9342af8
SHA256

e9bd299eec7dbee7d4f5c97ccf8ab27a7b77388eaa649f353e41df8b7b1df755
SHA512

5dd067120c4371ad48123c8c2b21e679196c0fb7a4607cb3bd2c5cc35eee491164685bd566469649bc273460729073c4e4cbc24b1970fc5739f9b383291149e6

Score

7^/10

Malware Config

Signatures

Write file to user bin folder 1 TTPs 1 IoCs

Hijack Execution Flow

T1574

description	ioc	Process
/usr/bin/which	/usr/bin/which	which

Reads runtime system information 10 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
/proc/filesystems	/proc/filesystems	id
/proc/filesystems	/proc/filesystems	cp
/proc/self/mountinfo	/proc/self/mountinfo	df
/proc/filesystems	/proc/filesystems	tar
/proc/filesystems	/proc/filesystems	id
/proc/filesystems	/proc/filesystems	mkdir
/proc/filesystems	/proc/filesystems	cp
/proc/filesystems	/proc/filesystems	cp
/proc/filesystems	/proc/filesystems	id
/proc/filesystems	/proc/filesystems	mkdir

Writes file to tmp directory 12 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
/tmp/spy-agent/~/.cache/gnome-software/gnome-shell-extensions/rtp.dat	/tmp/spy-agent/~/.cache/gnome-software/gnome-shell-extensions/rtp.dat	rm
/tmp/spy-agent/setup.sh	/tmp/spy-agent/setup.sh	rm
/tmp/spy-agent/gnome-shell-ext.sh	/tmp/spy-agent/gnome-shell-ext.sh	rm
/tmp/spy-agent/gnome-shell-ext	/tmp/spy-agent/gnome-shell-ext	rm
/tmp/spy-agent/~/.cache	/tmp/spy-agent/~/.cache	rm
/tmp/spy-agent/~/.cache/gnome-software	/tmp/spy-agent/~/.cache/gnome-software	rm
/tmp/spy-agent/~/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext	/tmp/spy-agent/~/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext	rm
/tmp/spy-agent	/tmp/spy-agent	rm
/tmp/spy-agent/rtp.dat	/tmp/spy-agent/rtp.dat	rm
/tmp/spy-agent/~	/tmp/spy-agent/~	rm
/tmp/spy-agent/~/.cache/gnome-software/gnome-shell-extensions	/tmp/spy-agent/~/.cache/gnome-software/gnome-shell-extensions	rm
/tmp/spy-agent/~/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh	/tmp/spy-agent/~/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh	rm

./spy-agent-setup-linux.run
./spy-agent-setup-linux.run
1⤵
PID:563
- /usr/bin/id
  id -u
  2⤵
  - Reads runtime system information
  PID:565
- /usr/bin/tty
  tty -s
  2⤵
  PID:566
- /bin/mkdir
  mkdir -p spy-agent
  2⤵
  - Reads runtime system information
  PID:567
- /usr/bin/basename
  basename /usr/bin/md5sum
  2⤵
  PID:578
- /usr/bin/expr
  expr 1 + 1
  2⤵
  PID:600
- /usr/bin/expr
  expr 12780 + 87243
  2⤵
  PID:601
- /bin/chgrp
  chgrp -R 0 .
  2⤵
  PID:629
- /usr/bin/expr
  expr 12780 + 87243
  2⤵
  PID:633
- ./setup.sh
  ./setup.sh
  2⤵
  PID:634
- - /bin/mkdir
    mkdir -p "~/.cache/gnome-software/gnome-shell-extensions"
    3⤵
    - Reads runtime system information
    PID:635
- - /bin/cp
    cp ./gnome-shell-ext "~/.cache/gnome-software/gnome-shell-extensions"
    3⤵
    - Reads runtime system information
    PID:636
- - /bin/cp
    cp ./gnome-shell-ext.sh "~/.cache/gnome-software/gnome-shell-extensions"
    3⤵
    - Reads runtime system information
    PID:637
- - /bin/cp
    cp ./rtp.dat "~/.cache/gnome-software/gnome-shell-extensions"
    3⤵
    - Reads runtime system information
    PID:638
- - /bin/chmod
    chmod +x "~/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext"
    3⤵
    PID:639
- - /bin/chmod
    chmod +x "~/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh"
    3⤵
    PID:640
- - /bin/grep
    grep -q "0-59 * * * * ~/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh"
    3⤵
    PID:642
- - /usr/bin/crontab
    crontab -l
    3⤵
    PID:641
- - /usr/bin/crontab
    crontab -u root -
    3⤵
    PID:645
- - /usr/bin/crontab
    crontab -u root -l
    3⤵
    PID:643
- - /bin/rm
    rm -rf -- /tmp/spy-agent
    3⤵
    - Writes file to tmp directory
    PID:651
- - /usr/bin/nohup
    nohup "~/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh"
    3⤵
    PID:649
- - ~/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh
    "~/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh"
    3⤵
    PID:649
  - - /bin/pidof
      pidof gnome-shell-ext
      4⤵
      PID:652
  - - ~/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext
      "~/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext"
      4⤵
      PID:657

/usr/bin/which
which md5sum
1⤵
- Write file to user bin folder
PID:570

/usr/bin/tr
tr -d " "
1⤵
PID:574

/usr/bin/wc
wc -c
1⤵
PID:573

/usr/bin/head
head -n 522 ./spy-agent-setup-linux.run
1⤵
PID:572

/usr/bin/cut
cut "-d " -f1
1⤵
PID:577

/usr/bin/cut
cut "-d " -f1
1⤵
PID:581

/usr/bin/cut
cut -b-32
1⤵
PID:585

/usr/bin/expr
expr 4194304 / 4
1⤵
PID:587

/usr/bin/md5sum
/usr/bin/md5sum
1⤵
PID:586

/usr/bin/expr
expr 1048576 / 4
1⤵
PID:588

/usr/bin/expr
expr 262144 / 4
1⤵
PID:589

/usr/bin/expr
expr 87243 / 65536
1⤵
PID:590

/usr/bin/expr
expr 87243 "%" 65536
1⤵
PID:591

/bin/dd
dd "ibs=12780" "skip=1"
1⤵
PID:593

/usr/bin/expr
expr 0 + 65536
1⤵
PID:594

/bin/dd
dd "bs=65536" "count=1"
1⤵
PID:595

/usr/bin/expr
expr 87243 / 100
1⤵
PID:596

/usr/bin/expr
expr 65536 / 872
1⤵
PID:597

/usr/bin/expr
expr 65536 + 65536
1⤵
PID:598

/bin/dd
dd "bs=21707" "count=1"
1⤵
PID:599

/usr/bin/tr
tr -d " "
1⤵
PID:605

/usr/bin/wc
wc -c
1⤵
PID:604

/usr/bin/head
head -n 522 ./spy-agent-setup-linux.run
1⤵
PID:603

/usr/bin/awk
awk "{ if (\$4 ~ /%/) {print \$3} else {print \$4} }"
1⤵
PID:610

/usr/bin/tail
tail -1
1⤵
PID:609

/bin/df
df -kP spy-agent
1⤵
- Reads runtime system information
PID:608

/bin/tar
tar xpvf -
1⤵
- Reads runtime system information
PID:614

/bin/gzip
gzip -cd
1⤵
PID:615

/usr/bin/expr
expr 4194304 / 4
1⤵
PID:616

/usr/bin/expr
expr 1048576 / 4
1⤵
PID:617

/usr/bin/expr
expr 262144 / 4
1⤵
PID:618

/usr/bin/expr
expr 87243 / 65536
1⤵
PID:619

/usr/bin/expr
expr 87243 "%" 65536
1⤵
PID:620

/bin/dd
dd "ibs=12780" "skip=1"
1⤵
PID:622

/usr/bin/expr
expr 0 + 65536
1⤵
PID:623

/bin/dd
dd "bs=65536" "count=1"
1⤵
PID:624

/usr/bin/expr
expr 87243 / 100
1⤵
PID:625

/usr/bin/expr
expr 65536 / 872
1⤵
PID:626

/usr/bin/expr
expr 65536 + 65536
1⤵
PID:627

/bin/dd
dd "bs=21707" "count=1"
1⤵
PID:628

/usr/bin/id
id -u
1⤵
- Reads runtime system information
PID:630

/bin/chown
chown -R 0 .
1⤵
PID:631

/usr/bin/id
id -g
1⤵
- Reads runtime system information
PID:632

/bin/cat
cat
1⤵
PID:647

/usr/bin/whoami
whoami
1⤵
PID:646

/usr/bin/whoami
whoami
1⤵
PID:648

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hijack Execution Flow

T1574

Privilege Escalation

Hijack Execution Flow

T1574

Defense Evasion

Hijack Execution Flow

T1574

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads