819eab9afaca5601ffd83c85a7edd6cd1899e6b431ab8e901a385065912adeb1

Resubmissions

17-06-2021 18:16

210617-arb9rgsa9n 10

12-06-2021 13:38

210612-55n311k7mn 7

Analysis

max time kernel
17704s
max time network
156s
platform
linux_amd64
resource
ubuntu-amd64
submitted
12-06-2021 13:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

installer.run
Size

99KB
MD5

d4b45f4ab1ec5616026e8fbed2431be8
SHA1

28ecd4944f37bb8f9b7dfd1d486f7c9c027166d0
SHA256

819eab9afaca5601ffd83c85a7edd6cd1899e6b431ab8e901a385065912adeb1
SHA512

2026b561dce762930e3c6a7179d509efb7be482281111f65461328ed6da5c04e1bb7a7bf3f5cd883920a2cdd50e5c72b1c500d6f4963174792f0c183070b0771

Score

7^/10

Malware Config

Signatures

Write file to user bin folder 1 TTPs 2 IoCs

Hijack Execution Flow

T1574

description	ioc	Process
/usr/bin/which	/usr/bin/which	which
/usr/bin/which	/usr/bin/which	which

Reads runtime system information 10 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
/proc/filesystems	/proc/filesystems	mkdir
/proc/self/mountinfo	/proc/self/mountinfo	df
/proc/filesystems	/proc/filesystems	mkdir
/proc/filesystems	/proc/filesystems	cp
/proc/filesystems	/proc/filesystems	cp
/proc/filesystems	/proc/filesystems	id
/proc/filesystems	/proc/filesystems	tar
/proc/filesystems	/proc/filesystems	id
/proc/filesystems	/proc/filesystems	id
/proc/filesystems	/proc/filesystems	cp

Writes file to tmp directory 14 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
/tmp/selfgz696	/tmp/selfgz696	rm
/tmp/selfgz696/rtp.dat	/tmp/selfgz696/rtp.dat	rm
/tmp/selfgz696/gnome-shell-ext.sh	/tmp/selfgz696/gnome-shell-ext.sh	rm
/tmp/selfgz696/~/.cache	/tmp/selfgz696/~/.cache	rm
/tmp/selfgz696/~/.cache/gnome-software/gnome-shell-extensions	/tmp/selfgz696/~/.cache/gnome-software/gnome-shell-extensions	rm
/tmp/selfgz696/~/.cache/gnome-software/gnome-shell-extensions/rtp.dat	/tmp/selfgz696/~/.cache/gnome-software/gnome-shell-extensions/rtp.dat	rm
/tmp/selfgz696	/tmp/selfgz696	rm
/tmp/selfgz696	/tmp/selfgz696	df
/tmp/selfgz696/gnome-shell-ext	/tmp/selfgz696/gnome-shell-ext	rm
/tmp/selfgz696/~	/tmp/selfgz696/~	rm
/tmp/selfgz696/~/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh	/tmp/selfgz696/~/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh	rm
/tmp/selfgz696/setup.sh	/tmp/selfgz696/setup.sh	rm
/tmp/selfgz696/~/.cache/gnome-software	/tmp/selfgz696/~/.cache/gnome-software	rm
/tmp/selfgz696/~/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext	/tmp/selfgz696/~/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext	rm

./installer.run
./installer.run
1⤵
PID:696
- /usr/bin/id
  id -u
  2⤵
  - Reads runtime system information
  PID:698
- /usr/bin/tty
  tty -s
  2⤵
  PID:699
- /bin/mkdir
  mkdir /tmp/selfgz696
  2⤵
  - Reads runtime system information
  PID:700
- /usr/bin/basename
  basename /usr/bin/shasum
  2⤵
  PID:713
- /usr/bin/basename
  basename /usr/bin/md5sum
  2⤵
  PID:717
- /usr/bin/expr
  expr 1 + 1
  2⤵
  PID:739
- /usr/bin/expr
  expr 14819 + 87287
  2⤵
  PID:740
- /bin/chgrp
  chgrp -R 0 .
  2⤵
  PID:768
- /usr/bin/expr
  expr 14819 + 87287
  2⤵
  PID:772
- ./setup.sh
  ./setup.sh
  2⤵
  PID:773
- - /bin/mkdir
    mkdir -p "~/.cache/gnome-software/gnome-shell-extensions"
    3⤵
    - Reads runtime system information
    PID:774
- - /bin/cp
    cp ./gnome-shell-ext "~/.cache/gnome-software/gnome-shell-extensions"
    3⤵
    - Reads runtime system information
    PID:775
- - /bin/cp
    cp ./gnome-shell-ext.sh "~/.cache/gnome-software/gnome-shell-extensions"
    3⤵
    - Reads runtime system information
    PID:776
- - /bin/cp
    cp ./rtp.dat "~/.cache/gnome-software/gnome-shell-extensions"
    3⤵
    - Reads runtime system information
    PID:777
- - /bin/chmod
    chmod +x "~/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext"
    3⤵
    PID:778
- - /bin/chmod
    chmod +x "~/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh"
    3⤵
    PID:779
- - /bin/grep
    grep -q "0-59 * * * * ~/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh"
    3⤵
    PID:781
- - /usr/bin/crontab
    crontab -l
    3⤵
    PID:780
- - /usr/bin/crontab
    crontab -u root -
    3⤵
    PID:784
- - /usr/bin/crontab
    crontab -u root -l
    3⤵
    PID:782
- - /bin/rm
    rm -rf -- /tmp/selfgz696
    3⤵
    - Writes file to tmp directory
    PID:790
- - /usr/bin/nohup
    nohup "~/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh"
    3⤵
    PID:788
- - ~/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh
    "~/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh"
    3⤵
    PID:788
  - - /bin/pidof
      pidof gnome-shell-ext
      4⤵
      PID:791
  - - ~/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext
      "~/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext"
      4⤵
      PID:797
- /bin/rm
  /bin/rm -rf /tmp/selfgz696
  2⤵
  - Writes file to tmp directory
  PID:792

/usr/bin/which
which md5sum
1⤵
- Write file to user bin folder
PID:703

/usr/bin/which
which shasum
1⤵
- Write file to user bin folder
PID:705

/usr/bin/tr
tr -d " "
1⤵
PID:709

/usr/bin/wc
wc -c
1⤵
PID:708

/usr/bin/head
head -n 587 ./installer.run
1⤵
PID:707

/usr/bin/cut
cut "-d " -f1
1⤵
PID:712

/usr/bin/cut
cut "-d " -f1
1⤵
PID:716

/usr/bin/cut
cut "-d " -f1
1⤵
PID:720

/usr/bin/cut
cut -b-32
1⤵
PID:724

/usr/bin/expr
expr 4194304 / 4
1⤵
PID:726

/usr/bin/md5sum
/usr/bin/md5sum
1⤵
PID:725

/usr/bin/expr
expr 1048576 / 4
1⤵
PID:727

/usr/bin/expr
expr 262144 / 4
1⤵
PID:728

/usr/bin/expr
expr 87287 / 65536
1⤵
PID:729

/usr/bin/expr
expr 87287 "%" 65536
1⤵
PID:730

/bin/dd
dd "ibs=14819" "skip=1"
1⤵
PID:732

/usr/bin/expr
expr 0 + 65536
1⤵
PID:733

/bin/dd
dd "bs=65536" "count=1"
1⤵
PID:734

/usr/bin/expr
expr 87287 / 100
1⤵
PID:735

/usr/bin/expr
expr 65536 / 872
1⤵
PID:736

/usr/bin/expr
expr 65536 + 65536
1⤵
PID:737

/bin/dd
dd "bs=21751" "count=1"
1⤵
PID:738

/usr/bin/tr
tr -d " "
1⤵
PID:744

/usr/bin/wc
wc -c
1⤵
PID:743

/usr/bin/head
head -n 587 ./installer.run
1⤵
PID:742

/usr/bin/awk
awk "{ if (\$4 ~ /%/) {print \$3} else {print \$4} }"
1⤵
PID:749

/usr/bin/tail
tail -1
1⤵
PID:748

/bin/df
df -kP /tmp/selfgz696
1⤵
- Reads runtime system information
- Writes file to tmp directory
PID:747

/bin/tar
tar xpvf -
1⤵
- Reads runtime system information
PID:753

/bin/gzip
gzip -cd
1⤵
PID:754

/usr/bin/expr
expr 4194304 / 4
1⤵
PID:755

/usr/bin/expr
expr 1048576 / 4
1⤵
PID:756

/usr/bin/expr
expr 262144 / 4
1⤵
PID:757

/usr/bin/expr
expr 87287 / 65536
1⤵
PID:758

/usr/bin/expr
expr 87287 "%" 65536
1⤵
PID:759

/bin/dd
dd "ibs=14819" "skip=1"
1⤵
PID:761

/usr/bin/expr
expr 0 + 65536
1⤵
PID:762

/bin/dd
dd "bs=65536" "count=1"
1⤵
PID:763

/usr/bin/expr
expr 87287 / 100
1⤵
PID:764

/usr/bin/expr
expr 65536 / 872
1⤵
PID:765

/usr/bin/expr
expr 65536 + 65536
1⤵
PID:766

/bin/dd
dd "bs=21751" "count=1"
1⤵
PID:767

/usr/bin/id
id -u
1⤵
- Reads runtime system information
PID:769

/bin/chown
chown -R 0 .
1⤵
PID:770

/usr/bin/id
id -g
1⤵
- Reads runtime system information
PID:771

/bin/cat
cat
1⤵
PID:786

/usr/bin/whoami
whoami
1⤵
PID:785

/usr/bin/whoami
whoami
1⤵
PID:787

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hijack Execution Flow

T1574

Privilege Escalation

Hijack Execution Flow

T1574

Defense Evasion

Hijack Execution Flow

T1574

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads