Overview

overview

10

Static

static

10

LKฺฺ�...ฺฺ

linux_mips

7

Test

linux_mipsel

7

Resubmissions

11-06-2021 18:36

210611-dgt8yndgw6 10

06-01-2021 03:28

210106-k31d8h8dkx 10

25-11-2020 08:48

201125-mhfnf9gxta 10

24-11-2020 11:08

201124-yfsf7l7s3s 10

Analysis

  • max time kernel
    0s
  • max time network
    219s
  • platform
    linux_mips
  • resource
    debian9-mipsbe-en-20211208
  • submitted
    25-11-2020 08:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    spy-agent-setup-linux.run

  • Size

    97KB

  • MD5

    213c6443b2bd78c4e0aad54ec8338214

  • SHA1

    264bd2b6d809a519b4348dbfc5791d3fc9342af8

  • SHA256

    e9bd299eec7dbee7d4f5c97ccf8ab27a7b77388eaa649f353e41df8b7b1df755

  • SHA512

    5dd067120c4371ad48123c8c2b21e679196c0fb7a4607cb3bd2c5cc35eee491164685bd566469649bc273460729073c4e4cbc24b1970fc5739f9b383291149e6

Score
7/10

Malware Config

Signatures

  • Write file to user bin folder 1 TTPs 1 IoCs
  • Reads runtime system information 13 IoCs

    Reads data from /proc virtual filesystem.

  • Writes file to tmp directory 1 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • ./spy-agent-setup-linux.run
    ./spy-agent-setup-linux.run
    1⤵
      PID:324
      • /usr/bin/id
        id -u
        2⤵
        • Reads runtime system information
        PID:326
      • /usr/bin/tty
        tty -s
        2⤵
          PID:327
        • /bin/mkdir
          mkdir -p spy-agent
          2⤵
          • Reads runtime system information
          PID:328
        • /usr/bin/basename
          basename /usr/bin/md5sum
          2⤵
            PID:342
          • /usr/bin/expr
            expr 1 + 1
            2⤵
              PID:364
            • /usr/bin/expr
              expr 12780 + 87243
              2⤵
                PID:365
              • /bin/chgrp
                chgrp -R 0 .
                2⤵
                  PID:393
                • /usr/bin/expr
                  expr 12780 + 87243
                  2⤵
                    PID:397
                  • ./setup.sh
                    ./setup.sh
                    2⤵
                      PID:398
                      • /bin/mkdir
                        mkdir -p "~/.cache/gnome-software/gnome-shell-extensions"
                        3⤵
                        • Reads runtime system information
                        PID:399
                      • /bin/cp
                        cp ./gnome-shell-ext "~/.cache/gnome-software/gnome-shell-extensions"
                        3⤵
                        • Reads runtime system information
                        PID:400
                      • /bin/cp
                        cp ./gnome-shell-ext.sh "~/.cache/gnome-software/gnome-shell-extensions"
                        3⤵
                        • Reads runtime system information
                        PID:401
                      • /bin/cp
                        cp ./rtp.dat "~/.cache/gnome-software/gnome-shell-extensions"
                        3⤵
                        • Reads runtime system information
                        PID:402
                      • /bin/chmod
                        chmod +x "~/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext"
                        3⤵
                          PID:403
                        • /bin/chmod
                          chmod +x "~/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh"
                          3⤵
                            PID:404
                          • /usr/bin/crontab
                            crontab -l
                            3⤵
                            • Reads runtime system information
                            PID:405
                          • /bin/grep
                            grep -q "0-59 * * * * ~/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh"
                            3⤵
                              PID:406
                            • /usr/bin/crontab
                              crontab -u root -l
                              3⤵
                              • Reads runtime system information
                              PID:407
                            • /usr/bin/crontab
                              crontab -u root -
                              3⤵
                              • Reads runtime system information
                              PID:409
                            • /usr/bin/nohup
                              nohup "~/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh"
                              3⤵
                                PID:413
                              • /bin/rm
                                rm -rf -- /tmp/spy-agent
                                3⤵
                                • Writes file to tmp directory
                                PID:415
                              • ~/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh
                                "~/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh"
                                3⤵
                                  PID:413
                            • /usr/bin/which
                              which md5sum
                              1⤵
                              • Write file to user bin folder
                              PID:332
                            • /usr/bin/head
                              head -n 522 ./spy-agent-setup-linux.run
                              1⤵
                                PID:336
                              • /usr/bin/tr
                                tr -d " "
                                1⤵
                                  PID:338
                                • /usr/bin/wc
                                  wc -c
                                  1⤵
                                    PID:337
                                  • /usr/bin/cut
                                    cut "-d " -f1
                                    1⤵
                                      PID:341
                                    • /usr/bin/cut
                                      cut "-d " -f1
                                      1⤵
                                        PID:345
                                      • /usr/bin/cut
                                        cut -b-32
                                        1⤵
                                          PID:349
                                        • /usr/bin/md5sum
                                          /usr/bin/md5sum
                                          1⤵
                                            PID:351
                                          • /usr/bin/expr
                                            expr 4194304 / 4
                                            1⤵
                                              PID:350
                                            • /usr/bin/expr
                                              expr 1048576 / 4
                                              1⤵
                                                PID:352
                                              • /usr/bin/expr
                                                expr 262144 / 4
                                                1⤵
                                                  PID:353
                                                • /usr/bin/expr
                                                  expr 87243 / 65536
                                                  1⤵
                                                    PID:354
                                                  • /usr/bin/expr
                                                    expr 87243 "%" 65536
                                                    1⤵
                                                      PID:355
                                                    • /bin/dd
                                                      dd "ibs=12780" "skip=1"
                                                      1⤵
                                                        PID:357
                                                      • /usr/bin/expr
                                                        expr 0 + 65536
                                                        1⤵
                                                          PID:358
                                                        • /bin/dd
                                                          dd "bs=65536" "count=1"
                                                          1⤵
                                                            PID:359
                                                          • /usr/bin/expr
                                                            expr 87243 / 100
                                                            1⤵
                                                              PID:360
                                                            • /usr/bin/expr
                                                              expr 65536 / 872
                                                              1⤵
                                                                PID:361
                                                              • /usr/bin/expr
                                                                expr 65536 + 65536
                                                                1⤵
                                                                  PID:362
                                                                • /bin/dd
                                                                  dd "bs=21707" "count=1"
                                                                  1⤵
                                                                    PID:363
                                                                  • /usr/bin/head
                                                                    head -n 522 ./spy-agent-setup-linux.run
                                                                    1⤵
                                                                      PID:367
                                                                    • /usr/bin/wc
                                                                      wc -c
                                                                      1⤵
                                                                        PID:368
                                                                      • /usr/bin/tr
                                                                        tr -d " "
                                                                        1⤵
                                                                          PID:369
                                                                        • /bin/df
                                                                          df -kP spy-agent
                                                                          1⤵
                                                                          • Reads runtime system information
                                                                          PID:372
                                                                        • /usr/bin/tail
                                                                          tail -1
                                                                          1⤵
                                                                            PID:373
                                                                          • /usr/bin/awk
                                                                            awk "{ if (\$4 ~ /%/) {print \$3} else {print \$4} }"
                                                                            1⤵
                                                                              PID:374
                                                                            • /usr/bin/expr
                                                                              expr 4194304 / 4
                                                                              1⤵
                                                                                PID:378
                                                                              • /bin/gzip
                                                                                gzip -cd
                                                                                1⤵
                                                                                  PID:379
                                                                                • /bin/tar
                                                                                  tar xpvf -
                                                                                  1⤵
                                                                                  • Reads runtime system information
                                                                                  PID:380
                                                                                • /usr/bin/expr
                                                                                  expr 1048576 / 4
                                                                                  1⤵
                                                                                    PID:381
                                                                                  • /usr/bin/expr
                                                                                    expr 262144 / 4
                                                                                    1⤵
                                                                                      PID:382
                                                                                    • /usr/bin/expr
                                                                                      expr 87243 / 65536
                                                                                      1⤵
                                                                                        PID:383
                                                                                      • /usr/bin/expr
                                                                                        expr 87243 "%" 65536
                                                                                        1⤵
                                                                                          PID:384
                                                                                        • /bin/dd
                                                                                          dd "ibs=12780" "skip=1"
                                                                                          1⤵
                                                                                            PID:386
                                                                                          • /usr/bin/expr
                                                                                            expr 0 + 65536
                                                                                            1⤵
                                                                                              PID:387
                                                                                            • /bin/dd
                                                                                              dd "bs=65536" "count=1"
                                                                                              1⤵
                                                                                                PID:388
                                                                                              • /usr/bin/expr
                                                                                                expr 87243 / 100
                                                                                                1⤵
                                                                                                  PID:389
                                                                                                • /usr/bin/expr
                                                                                                  expr 65536 / 872
                                                                                                  1⤵
                                                                                                    PID:390
                                                                                                  • /usr/bin/expr
                                                                                                    expr 65536 + 65536
                                                                                                    1⤵
                                                                                                      PID:391
                                                                                                    • /bin/dd
                                                                                                      dd "bs=21707" "count=1"
                                                                                                      1⤵
                                                                                                        PID:392
                                                                                                      • /usr/bin/id
                                                                                                        id -u
                                                                                                        1⤵
                                                                                                        • Reads runtime system information
                                                                                                        PID:394
                                                                                                      • /bin/chown
                                                                                                        chown -R 0 .
                                                                                                        1⤵
                                                                                                          PID:395
                                                                                                        • /usr/bin/id
                                                                                                          id -g
                                                                                                          1⤵
                                                                                                          • Reads runtime system information
                                                                                                          PID:396
                                                                                                        • /bin/cat
                                                                                                          cat
                                                                                                          1⤵
                                                                                                            PID:411
                                                                                                          • /usr/bin/whoami
                                                                                                            whoami
                                                                                                            1⤵
                                                                                                              PID:410
                                                                                                            • /usr/bin/whoami
                                                                                                              whoami
                                                                                                              1⤵
                                                                                                                PID:412

                                                                                                              Network

                                                                                                              MITRE ATT&CK Enterprise v6

                                                                                                              Replay Monitor

                                                                                                              Loading Replay Monitor...

                                                                                                              Downloads