e9bd299eec7dbee7d4f5c97ccf8ab27a7b77388eaa649f353e41df8b7b1df755

Resubmissions

11/06/2021, 18:36

210611-dgt8yndgw6 10

06/01/2021, 03:28

210106-k31d8h8dkx 10

25/11/2020, 08:48

201125-mhfnf9gxta 10

24/11/2020, 11:08

201124-yfsf7l7s3s 10

Analysis

max time kernel
0s
max time network
116s
platform
linux_mipsel
resource
debian9-mipsel
submitted
24/11/2020, 11:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

spy-agent-setup-linux.run
Size

97KB
MD5

213c6443b2bd78c4e0aad54ec8338214
SHA1

264bd2b6d809a519b4348dbfc5791d3fc9342af8
SHA256

e9bd299eec7dbee7d4f5c97ccf8ab27a7b77388eaa649f353e41df8b7b1df755
SHA512

5dd067120c4371ad48123c8c2b21e679196c0fb7a4607cb3bd2c5cc35eee491164685bd566469649bc273460729073c4e4cbc24b1970fc5739f9b383291149e6

Score

7^/10

Malware Config

Signatures

Write file to user bin folder 1 TTPs 1 IoCs

Hijack Execution Flow

T1574

description	ioc	Process
/usr/bin/which	/usr/bin/which	which

Reads runtime system information 13 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
/proc/filesystems	/proc/filesystems	cp
/proc/filesystems	/proc/filesystems	crontab
/proc/filesystems	/proc/filesystems	crontab
/proc/filesystems	/proc/filesystems	tar
/proc/filesystems	/proc/filesystems	id
/proc/filesystems	/proc/filesystems	mkdir
/proc/filesystems	/proc/filesystems	cp
/proc/filesystems	/proc/filesystems	cp
/proc/filesystems	/proc/filesystems	crontab
/proc/filesystems	/proc/filesystems	id
/proc/filesystems	/proc/filesystems	mkdir
/proc/self/mountinfo	/proc/self/mountinfo	df
/proc/filesystems	/proc/filesystems	id

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
/tmp/spy-agent	/tmp/spy-agent	rm

./spy-agent-setup-linux.run
./spy-agent-setup-linux.run
1⤵
PID:317
- /usr/bin/id
  id -u
  2⤵
  - Reads runtime system information
  PID:319
- /usr/bin/tty
  tty -s
  2⤵
  PID:321
- /bin/mkdir
  mkdir -p spy-agent
  2⤵
  - Reads runtime system information
  PID:325
- /usr/bin/basename
  basename /usr/bin/md5sum
  2⤵
  PID:338
- /usr/bin/expr
  expr 1 + 1
  2⤵
  PID:360
- /usr/bin/expr
  expr 12780 + 87243
  2⤵
  PID:361
- /bin/chgrp
  chgrp -R 0 .
  2⤵
  PID:389
- /usr/bin/expr
  expr 12780 + 87243
  2⤵
  PID:393
- ./setup.sh
  ./setup.sh
  2⤵
  PID:394
- - /bin/mkdir
    mkdir -p "~/.cache/gnome-software/gnome-shell-extensions"
    3⤵
    - Reads runtime system information
    PID:395
- - /bin/cp
    cp ./gnome-shell-ext "~/.cache/gnome-software/gnome-shell-extensions"
    3⤵
    - Reads runtime system information
    PID:396
- - /bin/cp
    cp ./gnome-shell-ext.sh "~/.cache/gnome-software/gnome-shell-extensions"
    3⤵
    - Reads runtime system information
    PID:397
- - /bin/cp
    cp ./rtp.dat "~/.cache/gnome-software/gnome-shell-extensions"
    3⤵
    - Reads runtime system information
    PID:398
- - /bin/chmod
    chmod +x "~/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext"
    3⤵
    PID:399
- - /bin/chmod
    chmod +x "~/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh"
    3⤵
    PID:400
- - /bin/grep
    grep -q "0-59 * * * * ~/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh"
    3⤵
    PID:402
- - /usr/bin/crontab
    crontab -l
    3⤵
    - Reads runtime system information
    PID:401
- - /usr/bin/crontab
    crontab -u root -l
    3⤵
    - Reads runtime system information
    PID:403
- - /usr/bin/crontab
    crontab -u root -
    3⤵
    - Reads runtime system information
    PID:405
- - /usr/bin/nohup
    nohup "~/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh"
    3⤵
    PID:409
- - /bin/rm
    rm -rf -- /tmp/spy-agent
    3⤵
    - Writes file to tmp directory
    PID:411
- - ~/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh
    "~/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh"
    3⤵
    PID:409

/usr/bin/which
which md5sum
1⤵
- Write file to user bin folder
PID:328

/usr/bin/wc
wc -c
1⤵
PID:333

/usr/bin/tr
tr -d " "
1⤵
PID:334

/usr/bin/head
head -n 522 ./spy-agent-setup-linux.run
1⤵
PID:332

/usr/bin/cut
cut "-d " -f1
1⤵
PID:337

/usr/bin/cut
cut "-d " -f1
1⤵
PID:341

/usr/bin/cut
cut -b-32
1⤵
PID:345

/usr/bin/md5sum
/usr/bin/md5sum
1⤵
PID:347

/usr/bin/expr
expr 4194304 / 4
1⤵
PID:346

/usr/bin/expr
expr 1048576 / 4
1⤵
PID:348

/usr/bin/expr
expr 262144 / 4
1⤵
PID:349

/usr/bin/expr
expr 87243 / 65536
1⤵
PID:350

/usr/bin/expr
expr 87243 "%" 65536
1⤵
PID:351

/bin/dd
dd "ibs=12780" "skip=1"
1⤵
PID:353

/usr/bin/expr
expr 0 + 65536
1⤵
PID:354

/bin/dd
dd "bs=65536" "count=1"
1⤵
PID:355

/usr/bin/expr
expr 87243 / 100
1⤵
PID:356

/usr/bin/expr
expr 65536 / 872
1⤵
PID:357

/usr/bin/expr
expr 65536 + 65536
1⤵
PID:358

/bin/dd
dd "bs=21707" "count=1"
1⤵
PID:359

/usr/bin/head
head -n 522 ./spy-agent-setup-linux.run
1⤵
PID:363

/usr/bin/wc
wc -c
1⤵
PID:364

/usr/bin/tr
tr -d " "
1⤵
PID:365

/usr/bin/tail
tail -1
1⤵
PID:369

/bin/df
df -kP spy-agent
1⤵
- Reads runtime system information
PID:368

/usr/bin/awk
awk "{ if (\$4 ~ /%/) {print \$3} else {print \$4} }"
1⤵
PID:370

/usr/bin/expr
expr 4194304 / 4
1⤵
PID:374

/bin/gzip
gzip -cd
1⤵
PID:375

/bin/tar
tar xpvf -
1⤵
- Reads runtime system information
PID:376

/usr/bin/expr
expr 1048576 / 4
1⤵
PID:377

/usr/bin/expr
expr 262144 / 4
1⤵
PID:378

/usr/bin/expr
expr 87243 / 65536
1⤵
PID:379

/usr/bin/expr
expr 87243 "%" 65536
1⤵
PID:380

/bin/dd
dd "ibs=12780" "skip=1"
1⤵
PID:382

/usr/bin/expr
expr 0 + 65536
1⤵
PID:383

/bin/dd
dd "bs=65536" "count=1"
1⤵
PID:384

/usr/bin/expr
expr 87243 / 100
1⤵
PID:385

/usr/bin/expr
expr 65536 / 872
1⤵
PID:386

/usr/bin/expr
expr 65536 + 65536
1⤵
PID:387

/bin/dd
dd "bs=21707" "count=1"
1⤵
PID:388

/usr/bin/id
id -u
1⤵
- Reads runtime system information
PID:390

/bin/chown
chown -R 0 .
1⤵
PID:391

/usr/bin/id
id -g
1⤵
- Reads runtime system information
PID:392

/bin/cat
cat
1⤵
PID:408

/usr/bin/whoami
whoami
1⤵
PID:406

/usr/bin/whoami
whoami
1⤵
PID:407

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hijack Execution Flow

T1574

Privilege Escalation

Hijack Execution Flow

T1574

Defense Evasion

Hijack Execution Flow

T1574

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads