819eab9afaca5601ffd83c85a7edd6cd1899e6b431ab8e901a385065912adeb1 | Triage

Resubmissions

28-02-2022 15:41

220228-s4qs8seeg3 10

12-06-2021 09:55

210612-f7rmdwaays 10

12-06-2021 09:51

210612-kcegep1ef2 7

Analysis

max time kernel
17690s
max time network
259s
platform
linux_amd64
resource
ubuntu-amd64
submitted
12-06-2021 09:55

Sharing

Reason

Machine shutdown

Report Analysis Logs

General

Target

installer.run
Size

99KB
MD5

d4b45f4ab1ec5616026e8fbed2431be8
SHA1

28ecd4944f37bb8f9b7dfd1d486f7c9c027166d0
SHA256

819eab9afaca5601ffd83c85a7edd6cd1899e6b431ab8e901a385065912adeb1
SHA512

2026b561dce762930e3c6a7179d509efb7be482281111f65461328ed6da5c04e1bb7a7bf3f5cd883920a2cdd50e5c72b1c500d6f4963174792f0c183070b0771

Score

7^/10

Malware Config

Signatures

Write file to user bin folder 1 TTPs 2 IoCs

Hijack Execution Flow

description	ioc	Process
/usr/bin/which	/usr/bin/which	which
/usr/bin/which	/usr/bin/which	which

Reads runtime system information 10 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
/proc/filesystems	/proc/filesystems	cp
/proc/filesystems	/proc/filesystems	cp
/proc/filesystems	/proc/filesystems	tar
/proc/filesystems	/proc/filesystems	id
/proc/filesystems	/proc/filesystems	id
/proc/filesystems	/proc/filesystems	cp
/proc/filesystems	/proc/filesystems	id
/proc/filesystems	/proc/filesystems	mkdir
/proc/self/mountinfo	/proc/self/mountinfo	df
/proc/filesystems	/proc/filesystems	mkdir

Writes file to tmp directory 14 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
/tmp/selfgz689/setup.sh	/tmp/selfgz689/setup.sh	rm
/tmp/selfgz689	/tmp/selfgz689	rm
/tmp/selfgz689/rtp.dat	/tmp/selfgz689/rtp.dat	rm
/tmp/selfgz689/gnome-shell-ext	/tmp/selfgz689/gnome-shell-ext	rm
/tmp/selfgz689/~/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh	/tmp/selfgz689/~/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh	rm
/tmp/selfgz689/~/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext	/tmp/selfgz689/~/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext	rm
/tmp/selfgz689	/tmp/selfgz689	rm
/tmp/selfgz689	/tmp/selfgz689	df
/tmp/selfgz689/~/.cache	/tmp/selfgz689/~/.cache	rm
/tmp/selfgz689/gnome-shell-ext.sh	/tmp/selfgz689/gnome-shell-ext.sh	rm
/tmp/selfgz689/~	/tmp/selfgz689/~	rm
/tmp/selfgz689/~/.cache/gnome-software	/tmp/selfgz689/~/.cache/gnome-software	rm
/tmp/selfgz689/~/.cache/gnome-software/gnome-shell-extensions	/tmp/selfgz689/~/.cache/gnome-software/gnome-shell-extensions	rm
/tmp/selfgz689/~/.cache/gnome-software/gnome-shell-extensions/rtp.dat	/tmp/selfgz689/~/.cache/gnome-software/gnome-shell-extensions/rtp.dat	rm

./installer.run
./installer.run
1⤵
PID:689
- /usr/bin/id
  id -u
  2⤵
  - Reads runtime system information
  PID:691
- /usr/bin/tty
  tty -s
  2⤵
  PID:692
- /bin/mkdir
  mkdir /tmp/selfgz689
  2⤵
  - Reads runtime system information
  PID:693
- /usr/bin/basename
  basename /usr/bin/shasum
  2⤵
  PID:706
- /usr/bin/basename
  basename /usr/bin/md5sum
  2⤵
  PID:710
- /usr/bin/expr
  expr 1 + 1
  2⤵
  PID:732
- /usr/bin/expr
  expr 14819 + 87287
  2⤵
  PID:733
- /bin/chgrp
  chgrp -R 0 .
  2⤵
  PID:761
- /usr/bin/expr
  expr 14819 + 87287
  2⤵
  PID:765
- ./setup.sh
  ./setup.sh
  2⤵
  PID:766
- - /bin/mkdir
    mkdir -p "~/.cache/gnome-software/gnome-shell-extensions"
    3⤵
    - Reads runtime system information
    PID:767
- - /bin/cp
    cp ./gnome-shell-ext "~/.cache/gnome-software/gnome-shell-extensions"
    3⤵
    - Reads runtime system information
    PID:768
- - /bin/cp
    cp ./gnome-shell-ext.sh "~/.cache/gnome-software/gnome-shell-extensions"
    3⤵
    - Reads runtime system information
    PID:769
- - /bin/cp
    cp ./rtp.dat "~/.cache/gnome-software/gnome-shell-extensions"
    3⤵
    - Reads runtime system information
    PID:770
- - /bin/chmod
    chmod +x "~/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext"
    3⤵
    PID:771
- - /bin/chmod
    chmod +x "~/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh"
    3⤵
    PID:772
- - /bin/grep
    grep -q "0-59 * * * * ~/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh"
    3⤵
    PID:774
- - /usr/bin/crontab
    crontab -l
    3⤵
    PID:773
- - /usr/bin/crontab
    crontab -u root -
    3⤵
    PID:777
- - /usr/bin/crontab
    crontab -u root -l
    3⤵
    PID:775
- - /bin/rm
    rm -rf -- /tmp/selfgz689
    3⤵
    - Writes file to tmp directory
    PID:783
- - /usr/bin/nohup
    nohup "~/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh"
    3⤵
    PID:781
- - ~/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh
    "~/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh"
    3⤵
    PID:781
  - - /bin/pidof
      pidof gnome-shell-ext
      4⤵
      PID:784
  - - ~/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext
      "~/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext"
      4⤵
      PID:790
- /bin/rm
  /bin/rm -rf /tmp/selfgz689
  2⤵
  - Writes file to tmp directory
  PID:785

/usr/bin/which
which md5sum
1⤵
- Write file to user bin folder
PID:696

/usr/bin/which
which shasum
1⤵
- Write file to user bin folder
PID:698

/usr/bin/tr
tr -d " "
1⤵
PID:702

/usr/bin/wc
wc -c
1⤵
PID:701

/usr/bin/head
head -n 587 ./installer.run
1⤵
PID:700

/usr/bin/cut
cut "-d " -f1
1⤵
PID:705

/usr/bin/cut
cut "-d " -f1
1⤵
PID:709

/usr/bin/cut
cut "-d " -f1
1⤵
PID:713

/usr/bin/cut
cut -b-32
1⤵
PID:717

/usr/bin/expr
expr 4194304 / 4
1⤵
PID:719

/usr/bin/md5sum
/usr/bin/md5sum
1⤵
PID:718

/usr/bin/expr
expr 1048576 / 4
1⤵
PID:720

/usr/bin/expr
expr 262144 / 4
1⤵
PID:721

/usr/bin/expr
expr 87287 / 65536
1⤵
PID:722

/usr/bin/expr
expr 87287 "%" 65536
1⤵
PID:723

/bin/dd
dd "ibs=14819" "skip=1"
1⤵
PID:725

/usr/bin/expr
expr 0 + 65536
1⤵
PID:726

/bin/dd
dd "bs=65536" "count=1"
1⤵
PID:727

/usr/bin/expr
expr 87287 / 100
1⤵
PID:728

/usr/bin/expr
expr 65536 / 872
1⤵
PID:729

/usr/bin/expr
expr 65536 + 65536
1⤵
PID:730

/bin/dd
dd "bs=21751" "count=1"
1⤵
PID:731

/usr/bin/tr
tr -d " "
1⤵
PID:737

/usr/bin/wc
wc -c
1⤵
PID:736

/usr/bin/head
head -n 587 ./installer.run
1⤵
PID:735

/usr/bin/awk
awk "{ if (\$4 ~ /%/) {print \$3} else {print \$4} }"
1⤵
PID:742

/usr/bin/tail
tail -1
1⤵
PID:741

/bin/df
df -kP /tmp/selfgz689
1⤵
- Reads runtime system information
- Writes file to tmp directory
PID:740

/bin/tar
tar xpvf -
1⤵
- Reads runtime system information
PID:746

/bin/gzip
gzip -cd
1⤵
PID:747

/usr/bin/expr
expr 4194304 / 4
1⤵
PID:748

/usr/bin/expr
expr 1048576 / 4
1⤵
PID:749

/usr/bin/expr
expr 262144 / 4
1⤵
PID:750

/usr/bin/expr
expr 87287 / 65536
1⤵
PID:751

/usr/bin/expr
expr 87287 "%" 65536
1⤵
PID:752

/bin/dd
dd "ibs=14819" "skip=1"
1⤵
PID:754

/usr/bin/expr
expr 0 + 65536
1⤵
PID:755

/bin/dd
dd "bs=65536" "count=1"
1⤵
PID:756

/usr/bin/expr
expr 87287 / 100
1⤵
PID:757

/usr/bin/expr
expr 65536 / 872
1⤵
PID:758

/usr/bin/expr
expr 65536 + 65536
1⤵
PID:759

/bin/dd
dd "bs=21751" "count=1"
1⤵
PID:760

/usr/bin/id
id -u
1⤵
- Reads runtime system information
PID:762

/bin/chown
chown -R 0 .
1⤵
PID:763

/usr/bin/id
id -g
1⤵
- Reads runtime system information
PID:764

/bin/cat
cat
1⤵
PID:779

/usr/bin/whoami
whoami
1⤵
PID:778

/usr/bin/whoami
whoami
1⤵
PID:780

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hijack Execution Flow

Privilege Escalation

Hijack Execution Flow

Defense Evasion

Hijack Execution Flow

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads