Overview

overview

10

Static

static

10

spy-agent-...ux.run

linux_mipsel

7

spy-agent-...ux.run

linux_amd64

7

Resubmissions

11-06-2021 18:36

210611-dgt8yndgw6 10

06-01-2021 03:28

210106-k31d8h8dkx 10

25-11-2020 08:48

201125-mhfnf9gxta 10

24-11-2020 11:08

201124-yfsf7l7s3s 10

Analysis

  • max time kernel
    0s
  • max time network
    25s
  • platform
    linux_mipsel
  • resource
    debian9-mipsel
  • submitted
    11-06-2021 18:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    spy-agent-setup-linux.run

  • Size

    97KB

  • MD5

    213c6443b2bd78c4e0aad54ec8338214

  • SHA1

    264bd2b6d809a519b4348dbfc5791d3fc9342af8

  • SHA256

    e9bd299eec7dbee7d4f5c97ccf8ab27a7b77388eaa649f353e41df8b7b1df755

  • SHA512

    5dd067120c4371ad48123c8c2b21e679196c0fb7a4607cb3bd2c5cc35eee491164685bd566469649bc273460729073c4e4cbc24b1970fc5739f9b383291149e6

Score
7/10

Malware Config

Signatures

  • Write file to user bin folder 1 TTPs 1 IoCs
  • Reads runtime system information 13 IoCs

    Reads data from /proc virtual filesystem.

  • Writes file to tmp directory 1 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • ./spy-agent-setup-linux.run
    ./spy-agent-setup-linux.run
    1⤵
      PID:343
      • /usr/bin/id
        id -u
        2⤵
        • Reads runtime system information
        PID:346
      • /usr/bin/tty
        tty -s
        2⤵
          PID:347
        • /bin/mkdir
          mkdir -p spy-agent
          2⤵
          • Reads runtime system information
          PID:349
        • /usr/bin/basename
          basename /usr/bin/md5sum
          2⤵
            PID:363
          • /usr/bin/expr
            expr 1 + 1
            2⤵
              PID:389
            • /usr/bin/expr
              expr 12780 + 87243
              2⤵
                PID:390
              • /bin/chgrp
                chgrp -R 0 .
                2⤵
                  PID:419
                • /usr/bin/expr
                  expr 12780 + 87243
                  2⤵
                    PID:423
                  • ./setup.sh
                    ./setup.sh
                    2⤵
                      PID:424
                      • /bin/mkdir
                        mkdir -p "~/.cache/gnome-software/gnome-shell-extensions"
                        3⤵
                        • Reads runtime system information
                        PID:425
                      • /bin/cp
                        cp ./gnome-shell-ext "~/.cache/gnome-software/gnome-shell-extensions"
                        3⤵
                        • Reads runtime system information
                        PID:426
                      • /bin/cp
                        cp ./gnome-shell-ext.sh "~/.cache/gnome-software/gnome-shell-extensions"
                        3⤵
                        • Reads runtime system information
                        PID:427
                      • /bin/cp
                        cp ./rtp.dat "~/.cache/gnome-software/gnome-shell-extensions"
                        3⤵
                        • Reads runtime system information
                        PID:428
                      • /bin/chmod
                        chmod +x "~/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext"
                        3⤵
                          PID:429
                        • /bin/chmod
                          chmod +x "~/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh"
                          3⤵
                            PID:430
                          • /bin/grep
                            grep -q "0-59 * * * * ~/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh"
                            3⤵
                              PID:432
                            • /usr/bin/crontab
                              crontab -l
                              3⤵
                              • Reads runtime system information
                              PID:431
                            • /usr/bin/crontab
                              crontab -u root -l
                              3⤵
                              • Reads runtime system information
                              PID:433
                            • /usr/bin/crontab
                              crontab -u root -
                              3⤵
                              • Reads runtime system information
                              PID:435
                            • /usr/bin/nohup
                              nohup "~/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh"
                              3⤵
                                PID:439
                              • /bin/rm
                                rm -rf -- /tmp/spy-agent
                                3⤵
                                • Writes file to tmp directory
                                PID:441
                              • ~/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh
                                "~/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh"
                                3⤵
                                  PID:439
                            • /usr/bin/which
                              which md5sum
                              1⤵
                              • Write file to user bin folder
                              PID:353
                            • /usr/bin/head
                              head -n 522 ./spy-agent-setup-linux.run
                              1⤵
                                PID:357
                              • /usr/bin/tr
                                tr -d " "
                                1⤵
                                  PID:359
                                • /usr/bin/wc
                                  wc -c
                                  1⤵
                                    PID:358
                                  • /usr/bin/cut
                                    cut "-d " -f1
                                    1⤵
                                      PID:362
                                    • /usr/bin/cut
                                      cut "-d " -f1
                                      1⤵
                                        PID:366
                                      • /usr/bin/cut
                                        cut -b-32
                                        1⤵
                                          PID:370
                                        • /usr/bin/md5sum
                                          /usr/bin/md5sum
                                          1⤵
                                            PID:372
                                          • /usr/bin/expr
                                            expr 4194304 / 4
                                            1⤵
                                              PID:371
                                            • /usr/bin/expr
                                              expr 1048576 / 4
                                              1⤵
                                                PID:374
                                              • /usr/bin/expr
                                                expr 262144 / 4
                                                1⤵
                                                  PID:375
                                                • /usr/bin/expr
                                                  expr 87243 / 65536
                                                  1⤵
                                                    PID:376
                                                  • /usr/bin/expr
                                                    expr 87243 "%" 65536
                                                    1⤵
                                                      PID:378
                                                    • /bin/dd
                                                      dd "ibs=12780" "skip=1"
                                                      1⤵
                                                        PID:381
                                                      • /usr/bin/expr
                                                        expr 0 + 65536
                                                        1⤵
                                                          PID:382
                                                        • /bin/dd
                                                          dd "bs=65536" "count=1"
                                                          1⤵
                                                            PID:383
                                                          • /usr/bin/expr
                                                            expr 87243 / 100
                                                            1⤵
                                                              PID:384
                                                            • /usr/bin/expr
                                                              expr 65536 / 872
                                                              1⤵
                                                                PID:386
                                                              • /usr/bin/expr
                                                                expr 65536 + 65536
                                                                1⤵
                                                                  PID:387
                                                                • /bin/dd
                                                                  dd "bs=21707" "count=1"
                                                                  1⤵
                                                                    PID:388
                                                                  • /usr/bin/head
                                                                    head -n 522 ./spy-agent-setup-linux.run
                                                                    1⤵
                                                                      PID:392
                                                                    • /usr/bin/wc
                                                                      wc -c
                                                                      1⤵
                                                                        PID:393
                                                                      • /usr/bin/tr
                                                                        tr -d " "
                                                                        1⤵
                                                                          PID:394
                                                                        • /bin/df
                                                                          df -kP spy-agent
                                                                          1⤵
                                                                          • Reads runtime system information
                                                                          PID:397
                                                                        • /usr/bin/tail
                                                                          tail -1
                                                                          1⤵
                                                                            PID:398
                                                                          • /usr/bin/awk
                                                                            awk "{ if (\$4 ~ /%/) {print \$3} else {print \$4} }"
                                                                            1⤵
                                                                              PID:399
                                                                            • /usr/bin/expr
                                                                              expr 4194304 / 4
                                                                              1⤵
                                                                                PID:403
                                                                              • /bin/gzip
                                                                                gzip -cd
                                                                                1⤵
                                                                                  PID:404
                                                                                • /bin/tar
                                                                                  tar xpvf -
                                                                                  1⤵
                                                                                  • Reads runtime system information
                                                                                  PID:405
                                                                                • /usr/bin/expr
                                                                                  expr 1048576 / 4
                                                                                  1⤵
                                                                                    PID:406
                                                                                  • /usr/bin/expr
                                                                                    expr 262144 / 4
                                                                                    1⤵
                                                                                      PID:408
                                                                                    • /usr/bin/expr
                                                                                      expr 87243 / 65536
                                                                                      1⤵
                                                                                        PID:409
                                                                                      • /usr/bin/expr
                                                                                        expr 87243 "%" 65536
                                                                                        1⤵
                                                                                          PID:410
                                                                                        • /bin/dd
                                                                                          dd "ibs=12780" "skip=1"
                                                                                          1⤵
                                                                                            PID:412
                                                                                          • /usr/bin/expr
                                                                                            expr 0 + 65536
                                                                                            1⤵
                                                                                              PID:413
                                                                                            • /bin/dd
                                                                                              dd "bs=65536" "count=1"
                                                                                              1⤵
                                                                                                PID:414
                                                                                              • /usr/bin/expr
                                                                                                expr 87243 / 100
                                                                                                1⤵
                                                                                                  PID:415
                                                                                                • /usr/bin/expr
                                                                                                  expr 65536 / 872
                                                                                                  1⤵
                                                                                                    PID:416
                                                                                                  • /usr/bin/expr
                                                                                                    expr 65536 + 65536
                                                                                                    1⤵
                                                                                                      PID:417
                                                                                                    • /bin/dd
                                                                                                      dd "bs=21707" "count=1"
                                                                                                      1⤵
                                                                                                        PID:418
                                                                                                      • /usr/bin/id
                                                                                                        id -u
                                                                                                        1⤵
                                                                                                        • Reads runtime system information
                                                                                                        PID:420
                                                                                                      • /bin/chown
                                                                                                        chown -R 0 .
                                                                                                        1⤵
                                                                                                          PID:421
                                                                                                        • /usr/bin/id
                                                                                                          id -g
                                                                                                          1⤵
                                                                                                          • Reads runtime system information
                                                                                                          PID:422
                                                                                                        • /bin/cat
                                                                                                          cat
                                                                                                          1⤵
                                                                                                            PID:438
                                                                                                          • /usr/bin/whoami
                                                                                                            whoami
                                                                                                            1⤵
                                                                                                              PID:436
                                                                                                            • /usr/bin/whoami
                                                                                                              whoami
                                                                                                              1⤵
                                                                                                                PID:437

                                                                                                              Network

                                                                                                              MITRE ATT&CK Enterprise v6

                                                                                                              Replay Monitor

                                                                                                              Loading Replay Monitor...

                                                                                                              Downloads