Resubmissions
submitted | task id | score
11-06-2021 18:36 | 210611-dgt8yndgw6 | 10
06-01-2021 03:28 | 210106-k31d8h8dkx | 10
25-11-2020 08:48 | 201125-mhfnf9gxta | 10
24-11-2020 11:08 | 201124-yfsf7l7s3s | 10
Analysis
max time kernel: 0s
max time network: 116s
platform: linux_mipsel
resource: debian9-mipsel
submitted: 24-11-2020 11:08
Static task
static1
Behavioral task
behavioral1
Sample
spy-agent-setup-linux.run
Resource
ubuntu-amd64
Behavioral task
behavioral2
Sample
spy-agent-setup-linux.run
Resource
debian9-mipsel
Behavioral task
behavioral3
Sample
spy-agent-setup-linux.run
Resource
debian9-mipsbe
General
Target: spy-agent-setup-linux.run
Size: 97KB
MD5: 213c6443b2bd78c4e0aad54ec8338214
SHA1: 264bd2b6d809a519b4348dbfc5791d3fc9342af8
SHA256: e9bd299eec7dbee7d4f5c97ccf8ab27a7b77388eaa649f353e41df8b7b1df755
SHA512: 5dd067120c4371ad48123c8c2b21e679196c0fb7a4607cb3bd2c5cc35eee491164685bd566469649bc273460729073c4e4cbc24b1970fc5739f9b383291149e6
Note: these hashes identify the self-extracting installer only. The report does not list hashes for the files it drops (gnome-shell-ext, gnome-shell-ext.sh, rtp.dat — see the process tree), so those must be extracted from the archive if per-file IoCs are needed.
Malware Config
Signatures
Write file to user bin folder — 1 TTPs, 1 IoCs
Processes:
description | ioc | process
/usr/bin/which | /usr/bin/which | which
Analyst note: the only process behind this hit is `which md5sum` (run by the extractor stub to locate md5sum, see process tree), and the IoC is the path of the `which` binary itself. That is a PATH lookup, not a write to /usr/bin; treat this signature as a likely false positive unless the file-system events show an actual create/modify under /usr/bin.
Reads runtime system information — 13 IoCs
Reads data from /proc virtual filesystem.
Processes:
description | ioc | process
/proc/filesystems | /proc/filesystems | cp
/proc/filesystems | /proc/filesystems | crontab
/proc/filesystems | /proc/filesystems | crontab
/proc/filesystems | /proc/filesystems | tar
/proc/filesystems | /proc/filesystems | id
/proc/filesystems | /proc/filesystems | mkdir
/proc/filesystems | /proc/filesystems | cp
/proc/filesystems | /proc/filesystems | cp
/proc/filesystems | /proc/filesystems | crontab
/proc/filesystems | /proc/filesystems | id
/proc/filesystems | /proc/filesystems | mkdir
/proc/self/mountinfo | /proc/self/mountinfo | df
/proc/filesystems | /proc/filesystems | id
Analyst note: every hit here is a read of /proc/filesystems or /proc/self/mountinfo by a stock utility (cp, crontab, tar, id, mkdir, df) that the installer invokes; such reads appear to be part of those tools' ordinary start-up and are low-signal on their own. What matters is why those tools ran (the crontab and cp rows in the process tree), not the /proc access itself.
Writes file to tmp directory — 1 IoCs
Malware often drops required files in the /tmp directory.
Processes:
description | ioc | process
/tmp/spy-agent | /tmp/spy-agent | rm
Analyst note: the recorded process is `rm -rf -- /tmp/spy-agent`, i.e. setup.sh deleting the extraction directory after copying its files elsewhere. /tmp is only the staging area; the persistent artefacts are gnome-shell-ext, gnome-shell-ext.sh and rtp.dat under ~/.cache/gnome-software/gnome-shell-extensions/ (see process tree). Because the staging directory is removed, recover the dropped files from the original .run archive or from the ~/.cache path rather than from /tmp.
Processes
depth | image | command line | signatures
1 | ./spy-agent-setup-linux.run | ./spy-agent-setup-linux.run |
2 | /usr/bin/id | id -u | Reads runtime system information
2 | /usr/bin/tty | tty -s |
2 | /bin/mkdir | mkdir -p spy-agent | Reads runtime system information
2 | /usr/bin/basename | basename /usr/bin/md5sum |
2 | /usr/bin/expr | expr 1 + 1 |
2 | /usr/bin/expr | expr 12780 + 87243 |
2 | /bin/chgrp | chgrp -R 0 . |
2 | /usr/bin/expr | expr 12780 + 87243 |
2 | ./setup.sh | ./setup.sh |
3 | /bin/mkdir | mkdir -p "~/.cache/gnome-software/gnome-shell-extensions" | Reads runtime system information
3 | /bin/cp | cp ./gnome-shell-ext "~/.cache/gnome-software/gnome-shell-extensions" | Reads runtime system information
3 | /bin/cp | cp ./gnome-shell-ext.sh "~/.cache/gnome-software/gnome-shell-extensions" | Reads runtime system information
3 | /bin/cp | cp ./rtp.dat "~/.cache/gnome-software/gnome-shell-extensions" | Reads runtime system information
3 | /bin/chmod | chmod +x "~/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext" |
3 | /bin/chmod | chmod +x "~/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh" |
3 | /bin/grep | grep -q "0-59 * * * * ~/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh" |
3 | /usr/bin/crontab | crontab -l | Reads runtime system information
3 | /usr/bin/crontab | crontab -u root -l | Reads runtime system information
3 | /usr/bin/crontab | crontab -u root - | Reads runtime system information
3 | /usr/bin/nohup | nohup "~/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh" |
3 | /bin/rm | rm -rf -- /tmp/spy-agent | Writes file to tmp directory
3 | ~/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh | "~/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh" |

Analyst notes (setup.sh stage):
- Persistence is via cron. setup.sh first greps for the line `0-59 * * * * ~/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh` (presumably to avoid installing it twice), then reads root's crontab (`crontab -u root -l`) and replaces it from stdin (`crontab -u root -`). The schedule fires every minute. Hunt for the string `gnome-shell-ext.sh` in root's and users' crontab spool files (e.g. /var/spool/cron/crontabs/root; the path varies by distribution).
- The dropped files are staged under a GNOME-themed path to blend in. GNOME Shell loads user extensions from ~/.local/share/gnome-shell/extensions, not from ~/.cache/gnome-software, so an executable in this directory is anomalous.
- Note the literal `~` in every argv and in the final image path. If setup.sh quoted the tilde, the shell did not expand it and the files landed in a directory literally named `~` under the extraction directory /tmp/spy-agent (which is deleted immediately afterwards), whereas the cron entry — an unquoted tilde, expanded by `sh -c` when cron runs it — would point at $HOME/.cache. Confirm from the file-system events which location was actually written before relying on either path as an IoC.
- `crontab -u root` only succeeds for root; together with the `id -u` checks and `chown -R 0 .` / `chgrp -R 0 .`, this suggests the sandbox executed the installer as root. Behaviour under an unprivileged user (the `crontab -l` fallback path) may differ.
- No child process of gnome-shell-ext.sh is recorded, so the behaviour of the gnome-shell-ext payload itself was not observed in this debian9-mipsel run (an architecture mismatch is one possible reason). Compare with the ubuntu-amd64 and debian9-mipsbe tasks before drawing conclusions about network or C2 activity.
1 | /usr/bin/which | which md5sum | Write file to user bin folder
1 | /usr/bin/wc | wc -c |
1 | /usr/bin/tr | tr -d " " |
1 | /usr/bin/head | head -n 522 ./spy-agent-setup-linux.run |
1 | /usr/bin/cut | cut "-d " -f1 |
1 | /usr/bin/cut | cut "-d " -f1 |
1 | /usr/bin/cut | cut -b-32 |
1 | /usr/bin/md5sum | /usr/bin/md5sum |
1 | /usr/bin/expr | expr 4194304 / 4 |
1 | /usr/bin/expr | expr 1048576 / 4 |
1 | /usr/bin/expr | expr 262144 / 4 |
1 | /usr/bin/expr | expr 87243 / 65536 |
1 | /usr/bin/expr | expr 87243 "%" 65536 |
1 | /bin/dd | dd "ibs=12780" "skip=1" |
1 | /usr/bin/expr | expr 0 + 65536 |
1 | /bin/dd | dd "bs=65536" "count=1" |
1 | /usr/bin/expr | expr 87243 / 100 |
1 | /usr/bin/expr | expr 65536 / 872 |
1 | /usr/bin/expr | expr 65536 + 65536 |
1 | /bin/dd | dd "bs=21707" "count=1" |
1 | /usr/bin/head | head -n 522 ./spy-agent-setup-linux.run |
1 | /usr/bin/wc | wc -c |
1 | /usr/bin/tr | tr -d " " |
1 | /usr/bin/tail | tail -1 |
1 | /bin/df | df -kP spy-agent | Reads runtime system information
1 | /usr/bin/awk | awk "{ if (\$4 ~ /%/) {print \$3} else {print \$4} }" |
1 | /usr/bin/expr | expr 4194304 / 4 |
1 | /bin/gzip | gzip -cd |
1 | /bin/tar | tar xpvf - | Reads runtime system information
1 | /usr/bin/expr | expr 1048576 / 4 |
1 | /usr/bin/expr | expr 262144 / 4 |
1 | /usr/bin/expr | expr 87243 / 65536 |
1 | /usr/bin/expr | expr 87243 "%" 65536 |
1 | /bin/dd | dd "ibs=12780" "skip=1" |
1 | /usr/bin/expr | expr 0 + 65536 |
1 | /bin/dd | dd "bs=65536" "count=1" |
1 | /usr/bin/expr | expr 87243 / 100 |
1 | /usr/bin/expr | expr 65536 / 872 |
1 | /usr/bin/expr | expr 65536 + 65536 |
1 | /bin/dd | dd "bs=21707" "count=1" |
1 | /usr/bin/id | id -u | Reads runtime system information
1 | /bin/chown | chown -R 0 . |
1 | /usr/bin/id | id -g | Reads runtime system information
1 | /bin/cat | cat |
1 | /usr/bin/whoami | whoami |
1 | /usr/bin/whoami | whoami |

Analyst note (extractor stage): the depth-1 helpers — `head -n 522`, `wc -c`, `cut -b-32`, `md5sum`, `dd ibs=12780 skip=1`, `dd bs=65536 count=1`, `dd bs=21707 count=1`, `gzip -cd | tar xpvf -`, `df -kP`, the awk free-space filter — are consistent with the stub of a makeself-style self-extracting archive: a 522-line / 12780-byte shell header followed by an 87243-byte (65536 + 21707) gzip-compressed tar payload (12780 + 87243 ≈ 97 KB, matching the reported size), MD5-checked and then unpacked into ./spy-agent before setup.sh runs. The embedded MD5 is an integrity check on the payload, not a signature, so it does not authenticate the archive. If the offsets are as computed here, the payload can be carved and inspected offline without executing the installer (skip the first 12780 bytes, then gunzip and list the tar), which is the safer way to obtain gnome-shell-ext, gnome-shell-ext.sh and rtp.dat for hashing and static analysis.