Overview

overview

10

Static

static

10

spy-agent-...ux.run

linux_amd64

7

spy-agent-...ux.run

linux_mipsel

7

spy-agent-...ux.run

linux_mips

1

Resubmissions

11-06-2021 18:36

210611-dgt8yndgw6 10

06-01-2021 03:28

210106-k31d8h8dkx 10

25-11-2020 08:48

201125-mhfnf9gxta 10

24-11-2020 11:08

201124-yfsf7l7s3s 10

Analysis

  • max time kernel
    0s
  • max time network
    116s
  • platform
    linux_mipsel
  • resource
    debian9-mipsel
  • submitted
    24-11-2020 11:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    spy-agent-setup-linux.run

  • Size

    97KB

  • MD5

    213c6443b2bd78c4e0aad54ec8338214

  • SHA1

    264bd2b6d809a519b4348dbfc5791d3fc9342af8

  • SHA256

    e9bd299eec7dbee7d4f5c97ccf8ab27a7b77388eaa649f353e41df8b7b1df755

  • SHA512

    5dd067120c4371ad48123c8c2b21e679196c0fb7a4607cb3bd2c5cc35eee491164685bd566469649bc273460729073c4e4cbc24b1970fc5739f9b383291149e6

Score
7/10

Malware Config

Signatures

  • Write file to user bin folder 1 TTPs 1 IoCs
  • Reads runtime system information 13 IoCs

    Reads data from /proc virtual filesystem.

  • Writes file to tmp directory 1 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • ./spy-agent-setup-linux.run
    ./spy-agent-setup-linux.run
    1⤵
      PID:317
      • /usr/bin/id
        id -u
        2⤵
        • Reads runtime system information
        PID:319
      • /usr/bin/tty
        tty -s
        2⤵
          PID:321
        • /bin/mkdir
          mkdir -p spy-agent
          2⤵
          • Reads runtime system information
          PID:325
        • /usr/bin/basename
          basename /usr/bin/md5sum
          2⤵
            PID:338
          • /usr/bin/expr
            expr 1 + 1
            2⤵
              PID:360
            • /usr/bin/expr
              expr 12780 + 87243
              2⤵
                PID:361
              • /bin/chgrp
                chgrp -R 0 .
                2⤵
                  PID:389
                • /usr/bin/expr
                  expr 12780 + 87243
                  2⤵
                    PID:393
                  • ./setup.sh
                    ./setup.sh
                    2⤵
                      PID:394
                      • /bin/mkdir
                        mkdir -p "~/.cache/gnome-software/gnome-shell-extensions"
                        3⤵
                        • Reads runtime system information
                        PID:395
                      • /bin/cp
                        cp ./gnome-shell-ext "~/.cache/gnome-software/gnome-shell-extensions"
                        3⤵
                        • Reads runtime system information
                        PID:396
                      • /bin/cp
                        cp ./gnome-shell-ext.sh "~/.cache/gnome-software/gnome-shell-extensions"
                        3⤵
                        • Reads runtime system information
                        PID:397
                      • /bin/cp
                        cp ./rtp.dat "~/.cache/gnome-software/gnome-shell-extensions"
                        3⤵
                        • Reads runtime system information
                        PID:398
                      • /bin/chmod
                        chmod +x "~/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext"
                        3⤵
                          PID:399
                        • /bin/chmod
                          chmod +x "~/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh"
                          3⤵
                            PID:400
                          • /bin/grep
                            grep -q "0-59 * * * * ~/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh"
                            3⤵
                              PID:402
                            • /usr/bin/crontab
                              crontab -l
                              3⤵
                              • Reads runtime system information
                              PID:401
                            • /usr/bin/crontab
                              crontab -u root -l
                              3⤵
                              • Reads runtime system information
                              PID:403
                            • /usr/bin/crontab
                              crontab -u root -
                              3⤵
                              • Reads runtime system information
                              PID:405
                            • /usr/bin/nohup
                              nohup "~/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh"
                              3⤵
                                PID:409
                              • /bin/rm
                                rm -rf -- /tmp/spy-agent
                                3⤵
                                • Writes file to tmp directory
                                PID:411
                              • ~/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh
                                "~/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh"
                                3⤵
                                  PID:409
                            • /usr/bin/which
                              which md5sum
                              1⤵
                              • Write file to user bin folder
                              PID:328
                            • /usr/bin/wc
                              wc -c
                              1⤵
                                PID:333
                              • /usr/bin/tr
                                tr -d " "
                                1⤵
                                  PID:334
                                • /usr/bin/head
                                  head -n 522 ./spy-agent-setup-linux.run
                                  1⤵
                                    PID:332
                                  • /usr/bin/cut
                                    cut "-d " -f1
                                    1⤵
                                      PID:337
                                    • /usr/bin/cut
                                      cut "-d " -f1
                                      1⤵
                                        PID:341
                                      • /usr/bin/cut
                                        cut -b-32
                                        1⤵
                                          PID:345
                                        • /usr/bin/md5sum
                                          /usr/bin/md5sum
                                          1⤵
                                            PID:347
                                          • /usr/bin/expr
                                            expr 4194304 / 4
                                            1⤵
                                              PID:346
                                            • /usr/bin/expr
                                              expr 1048576 / 4
                                              1⤵
                                                PID:348
                                              • /usr/bin/expr
                                                expr 262144 / 4
                                                1⤵
                                                  PID:349
                                                • /usr/bin/expr
                                                  expr 87243 / 65536
                                                  1⤵
                                                    PID:350
                                                  • /usr/bin/expr
                                                    expr 87243 "%" 65536
                                                    1⤵
                                                      PID:351
                                                    • /bin/dd
                                                      dd "ibs=12780" "skip=1"
                                                      1⤵
                                                        PID:353
                                                      • /usr/bin/expr
                                                        expr 0 + 65536
                                                        1⤵
                                                          PID:354
                                                        • /bin/dd
                                                          dd "bs=65536" "count=1"
                                                          1⤵
                                                            PID:355
                                                          • /usr/bin/expr
                                                            expr 87243 / 100
                                                            1⤵
                                                              PID:356
                                                            • /usr/bin/expr
                                                              expr 65536 / 872
                                                              1⤵
                                                                PID:357
                                                              • /usr/bin/expr
                                                                expr 65536 + 65536
                                                                1⤵
                                                                  PID:358
                                                                • /bin/dd
                                                                  dd "bs=21707" "count=1"
                                                                  1⤵
                                                                    PID:359
                                                                  • /usr/bin/head
                                                                    head -n 522 ./spy-agent-setup-linux.run
                                                                    1⤵
                                                                      PID:363
                                                                    • /usr/bin/wc
                                                                      wc -c
                                                                      1⤵
                                                                        PID:364
                                                                      • /usr/bin/tr
                                                                        tr -d " "
                                                                        1⤵
                                                                          PID:365
                                                                        • /usr/bin/tail
                                                                          tail -1
                                                                          1⤵
                                                                            PID:369
                                                                          • /bin/df
                                                                            df -kP spy-agent
                                                                            1⤵
                                                                            • Reads runtime system information
                                                                            PID:368
                                                                          • /usr/bin/awk
                                                                            awk "{ if (\$4 ~ /%/) {print \$3} else {print \$4} }"
                                                                            1⤵
                                                                              PID:370
                                                                            • /usr/bin/expr
                                                                              expr 4194304 / 4
                                                                              1⤵
                                                                                PID:374
                                                                              • /bin/gzip
                                                                                gzip -cd
                                                                                1⤵
                                                                                  PID:375
                                                                                • /bin/tar
                                                                                  tar xpvf -
                                                                                  1⤵
                                                                                  • Reads runtime system information
                                                                                  PID:376
                                                                                • /usr/bin/expr
                                                                                  expr 1048576 / 4
                                                                                  1⤵
                                                                                    PID:377
                                                                                  • /usr/bin/expr
                                                                                    expr 262144 / 4
                                                                                    1⤵
                                                                                      PID:378
                                                                                    • /usr/bin/expr
                                                                                      expr 87243 / 65536
                                                                                      1⤵
                                                                                        PID:379
                                                                                      • /usr/bin/expr
                                                                                        expr 87243 "%" 65536
                                                                                        1⤵
                                                                                          PID:380
                                                                                        • /bin/dd
                                                                                          dd "ibs=12780" "skip=1"
                                                                                          1⤵
                                                                                            PID:382
                                                                                          • /usr/bin/expr
                                                                                            expr 0 + 65536
                                                                                            1⤵
                                                                                              PID:383
                                                                                            • /bin/dd
                                                                                              dd "bs=65536" "count=1"
                                                                                              1⤵
                                                                                                PID:384
                                                                                              • /usr/bin/expr
                                                                                                expr 87243 / 100
                                                                                                1⤵
                                                                                                  PID:385
                                                                                                • /usr/bin/expr
                                                                                                  expr 65536 / 872
                                                                                                  1⤵
                                                                                                    PID:386
                                                                                                  • /usr/bin/expr
                                                                                                    expr 65536 + 65536
                                                                                                    1⤵
                                                                                                      PID:387
                                                                                                    • /bin/dd
                                                                                                      dd "bs=21707" "count=1"
                                                                                                      1⤵
                                                                                                        PID:388
                                                                                                      • /usr/bin/id
                                                                                                        id -u
                                                                                                        1⤵
                                                                                                        • Reads runtime system information
                                                                                                        PID:390
                                                                                                      • /bin/chown
                                                                                                        chown -R 0 .
                                                                                                        1⤵
                                                                                                          PID:391
                                                                                                        • /usr/bin/id
                                                                                                          id -g
                                                                                                          1⤵
                                                                                                          • Reads runtime system information
                                                                                                          PID:392
                                                                                                        • /bin/cat
                                                                                                          cat
                                                                                                          1⤵
                                                                                                            PID:408
                                                                                                          • /usr/bin/whoami
                                                                                                            whoami
                                                                                                            1⤵
                                                                                                              PID:406
                                                                                                            • /usr/bin/whoami
                                                                                                              whoami
                                                                                                              1⤵
                                                                                                                PID:407

                                                                                                              Network

                                                                                                              MITRE ATT&CK Matrix ATT&CK v6

                                                                                                              Initial Access

                                                                                                              Execution

                                                                                                              Persistence

                                                                                                              Hijack Execution Flow

                                                                                                              1
                                                                                                              T1574

                                                                                                              Privilege Escalation

                                                                                                              Hijack Execution Flow

                                                                                                              1
                                                                                                              T1574

                                                                                                              Defense Evasion

                                                                                                              Hijack Execution Flow

                                                                                                              1
                                                                                                              T1574

                                                                                                              Credential Access

                                                                                                              Discovery

                                                                                                              Lateral Movement

                                                                                                              Collection

                                                                                                              Exfiltration

                                                                                                              Command and Control

                                                                                                              Impact

                                                                                                              Replay Monitor

                                                                                                              Loading Replay Monitor...

                                                                                                              Downloads