Resubmissions

28-02-2022 15:41

220228-s4qs8seeg3 10

12-06-2021 09:55

210612-f7rmdwaays 10

12-06-2021 09:51

210612-kcegep1ef2 7

Analysis

  • max time kernel
    17690s
  • max time network
    156s
  • platform
    linux_amd64
  • resource
    ubuntu-amd64
  • submitted
    12-06-2021 09:51

General

  • Target

    installer.run

  • Size

    99KB

  • MD5

    d4b45f4ab1ec5616026e8fbed2431be8

  • SHA1

    28ecd4944f37bb8f9b7dfd1d486f7c9c027166d0

  • SHA256

    819eab9afaca5601ffd83c85a7edd6cd1899e6b431ab8e901a385065912adeb1

  • SHA512

    2026b561dce762930e3c6a7179d509efb7be482281111f65461328ed6da5c04e1bb7a7bf3f5cd883920a2cdd50e5c72b1c500d6f4963174792f0c183070b0771

Score
7/10

Malware Config

Signatures

  • Write file to user bin folder 1 TTPs 2 IoCs
  • Reads runtime system information 10 IoCs

    Reads data from /proc virtual filesystem.

  • Writes file to tmp directory 14 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • ./installer.run
    ./installer.run
    1⤵
    PID:691
      • /usr/bin/id
        id -u
        2⤵
        • Reads runtime system information
        PID:693
      • /usr/bin/tty
        tty -s
        2⤵
        PID:694
      • /bin/mkdir
        mkdir /tmp/selfgz691
        2⤵
        • Reads runtime system information
        PID:695
      • /usr/bin/basename
        basename /usr/bin/shasum
        2⤵
        PID:708
      • /usr/bin/basename
        basename /usr/bin/md5sum
        2⤵
        PID:712
      • /usr/bin/expr
        expr 1 + 1
        2⤵
        PID:734
      • /usr/bin/expr
        expr 14819 + 87287
        2⤵
        PID:735
      • /bin/chgrp
        chgrp -R 0 .
        2⤵
        PID:763
      • /usr/bin/expr
        expr 14819 + 87287
        2⤵
        PID:767
      • ./setup.sh
        ./setup.sh
        2⤵
        PID:768
          • /bin/mkdir
            mkdir -p "~/.cache/gnome-software/gnome-shell-extensions"
            3⤵
            • Reads runtime system information
            PID:769
          • /bin/cp
            cp ./gnome-shell-ext "~/.cache/gnome-software/gnome-shell-extensions"
            3⤵
            • Reads runtime system information
            PID:770
          • /bin/cp
            cp ./gnome-shell-ext.sh "~/.cache/gnome-software/gnome-shell-extensions"
            3⤵
            • Reads runtime system information
            PID:771
          • /bin/cp
            cp ./rtp.dat "~/.cache/gnome-software/gnome-shell-extensions"
            3⤵
            • Reads runtime system information
            PID:772
          • /bin/chmod
            chmod +x "~/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext"
            3⤵
            PID:773
          • /bin/chmod
            chmod +x "~/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh"
            3⤵
            PID:774
          • /bin/grep
            grep -q "0-59 * * * * ~/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh"
            3⤵
            PID:776
          • /usr/bin/crontab
            crontab -l
            3⤵
            PID:775
          • /usr/bin/crontab
            crontab -u root -
            3⤵
            PID:779
          • /usr/bin/crontab
            crontab -u root -l
            3⤵
            PID:777
          • /bin/rm
            rm -rf -- /tmp/selfgz691
            3⤵
            • Writes file to tmp directory
            PID:785
          • /usr/bin/nohup
            nohup "~/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh"
            3⤵
            PID:783
          • ~/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh
            "~/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh"
            3⤵
            PID:783
              • /bin/pidof
                pidof gnome-shell-ext
                4⤵
                PID:786
              • ~/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext
                "~/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext"
                4⤵
                PID:792
      • /bin/rm
        /bin/rm -rf /tmp/selfgz691
        2⤵
        • Writes file to tmp directory
        PID:787
  • /usr/bin/which
    which md5sum
    1⤵
    • Write file to user bin folder
    PID:698
  • /usr/bin/which
    which shasum
    1⤵
    • Write file to user bin folder
    PID:700
  • /usr/bin/tr
    tr -d " "
    1⤵
    PID:704
  • /usr/bin/wc
    wc -c
    1⤵
    PID:703
  • /usr/bin/head
    head -n 587 ./installer.run
    1⤵
    PID:702
  • /usr/bin/cut
    cut "-d " -f1
    1⤵
    PID:707
  • /usr/bin/cut
    cut "-d " -f1
    1⤵
    PID:711
  • /usr/bin/cut
    cut "-d " -f1
    1⤵
    PID:715
  • /usr/bin/cut
    cut -b-32
    1⤵
    PID:719
  • /usr/bin/expr
    expr 4194304 / 4
    1⤵
    PID:721
  • /usr/bin/md5sum
    /usr/bin/md5sum
    1⤵
    PID:720
  • /usr/bin/expr
    expr 1048576 / 4
    1⤵
    PID:722
  • /usr/bin/expr
    expr 262144 / 4
    1⤵
    PID:723
  • /usr/bin/expr
    expr 87287 / 65536
    1⤵
    PID:724
  • /usr/bin/expr
    expr 87287 "%" 65536
    1⤵
    PID:725
  • /bin/dd
    dd "ibs=14819" "skip=1"
    1⤵
    PID:727
  • /usr/bin/expr
    expr 0 + 65536
    1⤵
    PID:728
  • /bin/dd
    dd "bs=65536" "count=1"
    1⤵
    PID:729
  • /usr/bin/expr
    expr 87287 / 100
    1⤵
    PID:730
  • /usr/bin/expr
    expr 65536 / 872
    1⤵
    PID:731
  • /usr/bin/expr
    expr 65536 + 65536
    1⤵
    PID:732
  • /bin/dd
    dd "bs=21751" "count=1"
    1⤵
    PID:733
  • /usr/bin/tr
    tr -d " "
    1⤵
    PID:739
  • /usr/bin/wc
    wc -c
    1⤵
    PID:738
  • /usr/bin/head
    head -n 587 ./installer.run
    1⤵
    PID:737
  • /usr/bin/awk
    awk "{ if (\$4 ~ /%/) {print \$3} else {print \$4} }"
    1⤵
    PID:744
  • /usr/bin/tail
    tail -1
    1⤵
    PID:743
  • /bin/df
    df -kP /tmp/selfgz691
    1⤵
    • Reads runtime system information
    • Writes file to tmp directory
    PID:742
  • /bin/tar
    tar xpvf -
    1⤵
    • Reads runtime system information
    PID:748
  • /bin/gzip
    gzip -cd
    1⤵
    PID:749
  • /usr/bin/expr
    expr 4194304 / 4
    1⤵
    PID:750
  • /usr/bin/expr
    expr 1048576 / 4
    1⤵
    PID:751
  • /usr/bin/expr
    expr 262144 / 4
    1⤵
    PID:752
  • /usr/bin/expr
    expr 87287 / 65536
    1⤵
    PID:753
  • /usr/bin/expr
    expr 87287 "%" 65536
    1⤵
    PID:754
  • /bin/dd
    dd "ibs=14819" "skip=1"
    1⤵
    PID:756
  • /usr/bin/expr
    expr 0 + 65536
    1⤵
    PID:757
  • /bin/dd
    dd "bs=65536" "count=1"
    1⤵
    PID:758
  • /usr/bin/expr
    expr 87287 / 100
    1⤵
    PID:759
  • /usr/bin/expr
    expr 65536 / 872
    1⤵
    PID:760
  • /usr/bin/expr
    expr 65536 + 65536
    1⤵
    PID:761
  • /bin/dd
    dd "bs=21751" "count=1"
    1⤵
    PID:762
  • /usr/bin/id
    id -u
    1⤵
    • Reads runtime system information
    PID:764
  • /bin/chown
    chown -R 0 .
    1⤵
    PID:765
  • /usr/bin/id
    id -g
    1⤵
    • Reads runtime system information
    PID:766
  • /bin/cat
    cat
    1⤵
    PID:781
  • /usr/bin/whoami
    whoami
    1⤵
    PID:780
  • /usr/bin/whoami
    whoami
    1⤵
    PID:782

Network

MITRE ATT&CK Enterprise v6

Downloads