Resubmissions
28-02-2022 15:41
220228-s4qs8seeg3 1012-06-2021 09:55
210612-f7rmdwaays 1012-06-2021 09:51
210612-kcegep1ef2 7Analysis
-
max time kernel
17690s -
max time network
156s -
platform
linux_amd64 -
resource
ubuntu-amd64 -
submitted
12-06-2021 09:51
Static task
static1
Behavioral task
behavioral1
Sample
installer.run
Resource
ubuntu-amd64
linux_amd64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
installer.run
Resource
debian9-mipsel
linux_mipsel
0 signatures
0 seconds
Behavioral task
behavioral3
Sample
installer.run
Resource
debian9-mipsbe
linux_mips
0 signatures
0 seconds
General
-
Target
installer.run
-
Size
99KB
-
MD5
d4b45f4ab1ec5616026e8fbed2431be8
-
SHA1
28ecd4944f37bb8f9b7dfd1d486f7c9c027166d0
-
SHA256
819eab9afaca5601ffd83c85a7edd6cd1899e6b431ab8e901a385065912adeb1
-
SHA512
2026b561dce762930e3c6a7179d509efb7be482281111f65461328ed6da5c04e1bb7a7bf3f5cd883920a2cdd50e5c72b1c500d6f4963174792f0c183070b0771
Score
7/10
Reviewer note: the score is derived only from the three generic signatures listed below, and none of them captures the most security-relevant behaviour visible in the process tree. setup.sh (PID 768) lists the current crontab, greps it for an every-minute entry (`0-59 * * * * ~/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh`) and then installs a new crontab for root via `crontab -u root -` (PIDs 775-779), which is consistent with cron-based persistence as root; it also starts `gnome-shell-ext.sh` under nohup, which runs `pidof gnome-shell-ext` before launching the `gnome-shell-ext` binary (PIDs 783-792), a launcher/watchdog pattern. The installer also checks `id -u` and runs `chown -R 0 .` / `chgrp -R 0 .` on the extracted files (PIDs 764-767), so it appears intended to run with root privileges. Treat the numeric score as a lower bound and review the persistence behaviour separately.
Malware Config
Signatures
-
Write file to user bin folder 1 TTPs 2 IoCs
Note: both IoCs are the /usr/bin/which binary itself, invoked as `which md5sum` and `which shasum` (PIDs 698 and 700) by the self-extracting stub to locate checksum tools; no write to /usr/bin is visible anywhere in the process tree, so this signature is most likely a misattribution of a read/exec of a system binary rather than evidence that /usr/bin was modified.
description ioc Process /usr/bin/which /usr/bin/which which /usr/bin/which /usr/bin/which which -
Reads runtime system information 10 IoCs
Reads data from /proc virtual filesystem. The reads recorded here (/proc/filesystems, /proc/self/mountinfo) are attributed to stock coreutils invoked by the installer (id, cp, mkdir, df, tar) and are normal for those tools; on their own they are not an indicator of sandbox evasion or reconnaissance.
description ioc Process /proc/filesystems /proc/filesystems id /proc/filesystems /proc/filesystems id /proc/filesystems /proc/filesystems cp /proc/filesystems /proc/filesystems cp /proc/filesystems /proc/filesystems cp /proc/filesystems /proc/filesystems mkdir /proc/self/mountinfo /proc/self/mountinfo df /proc/filesystems /proc/filesystems tar /proc/filesystems /proc/filesystems id /proc/filesystems /proc/filesystems mkdir -
Writes file to tmp directory 14 IoCs
Malware often drops required files in the /tmp directory. Here /tmp/selfgz691 (the suffix is the installer's own PID, 691) is the extraction staging directory of what looks like a makeself-style self-extracting archive: the stub runs `head -n 587 ./installer.run`, md5sum verification, `dd ibs=14819 skip=1` and `gzip -cd | tar xpvf -` (PIDs 702-749), then runs ./setup.sh and finally `rm -rf -- /tmp/selfgz691` (PIDs 785/787), so the deletions tagged here are cleanup rather than new writes. Note that every dropped path contains a literal `~` component (`/tmp/selfgz691/~/.cache/gnome-software/gnome-shell-extensions/...`): setup.sh double-quotes `"~/.cache/..."` in its mkdir/cp/chmod calls, so the shell does not perform tilde expansion and the payload (gnome-shell-ext, gnome-shell-ext.sh, rtp.dat) lands inside the staging directory instead of a home directory. In this run those files are therefore removed together with the staging directory, and a crontab entry that references `~/.cache/...` would likely point at a location where nothing was copied; only the processes already started under nohup (PIDs 783/792) would outlive the cleanup. Whether the same happens on a real target depends on the shell and cron environment and should be confirmed.
description ioc Process /tmp/selfgz691/gnome-shell-ext.sh /tmp/selfgz691/gnome-shell-ext.sh rm /tmp/selfgz691/~/.cache/gnome-software/gnome-shell-extensions/rtp.dat /tmp/selfgz691/~/.cache/gnome-software/gnome-shell-extensions/rtp.dat rm /tmp/selfgz691 /tmp/selfgz691 df /tmp/selfgz691/setup.sh /tmp/selfgz691/setup.sh rm /tmp/selfgz691/~/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh /tmp/selfgz691/~/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh rm /tmp/selfgz691 /tmp/selfgz691 rm /tmp/selfgz691 /tmp/selfgz691 rm /tmp/selfgz691/rtp.dat /tmp/selfgz691/rtp.dat rm /tmp/selfgz691/gnome-shell-ext /tmp/selfgz691/gnome-shell-ext rm /tmp/selfgz691/~ /tmp/selfgz691/~ rm /tmp/selfgz691/~/.cache /tmp/selfgz691/~/.cache rm /tmp/selfgz691/~/.cache/gnome-software /tmp/selfgz691/~/.cache/gnome-software rm /tmp/selfgz691/~/.cache/gnome-software/gnome-shell-extensions /tmp/selfgz691/~/.cache/gnome-software/gnome-shell-extensions rm /tmp/selfgz691/~/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext /tmp/selfgz691/~/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext rm
Processes
-
./installer.run./installer.run1⤵PID:691
-
/usr/bin/idid -u2⤵
- Reads runtime system information
PID:693
-
-
/usr/bin/ttytty -s2⤵PID:694
-
-
/bin/mkdirmkdir /tmp/selfgz6912⤵
- Reads runtime system information
PID:695
-
-
/usr/bin/basenamebasename /usr/bin/shasum2⤵PID:708
-
-
/usr/bin/basenamebasename /usr/bin/md5sum2⤵PID:712
-
-
/usr/bin/exprexpr 1 + 12⤵PID:734
-
-
/usr/bin/exprexpr 14819 + 872872⤵PID:735
-
-
/bin/chgrpchgrp -R 0 .2⤵PID:763
-
-
/usr/bin/exprexpr 14819 + 872872⤵PID:767
-
-
./setup.sh./setup.sh2⤵PID:768
-
/bin/mkdirmkdir -p "~/.cache/gnome-software/gnome-shell-extensions"3⤵
- Reads runtime system information
PID:769
-
-
/bin/cpcp ./gnome-shell-ext "~/.cache/gnome-software/gnome-shell-extensions"3⤵
- Reads runtime system information
PID:770
-
-
/bin/cpcp ./gnome-shell-ext.sh "~/.cache/gnome-software/gnome-shell-extensions"3⤵
- Reads runtime system information
PID:771
-
-
/bin/cpcp ./rtp.dat "~/.cache/gnome-software/gnome-shell-extensions"3⤵
- Reads runtime system information
PID:772
-
-
/bin/chmodchmod +x "~/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext"3⤵PID:773
-
-
/bin/chmodchmod +x "~/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh"3⤵PID:774
-
-
/bin/grepgrep -q "0-59 * * * * ~/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh"3⤵PID:776
-
-
/usr/bin/crontabcrontab -l3⤵PID:775
-
-
/usr/bin/crontabcrontab -u root -3⤵PID:779
-
-
/usr/bin/crontabcrontab -u root -l3⤵PID:777
-
-
/bin/rmrm -rf -- /tmp/selfgz6913⤵
- Writes file to tmp directory
PID:785
-
-
/usr/bin/nohupnohup "~/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh"3⤵PID:783
-
-
~/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh"~/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh"3⤵PID:783
-
/bin/pidofpidof gnome-shell-ext4⤵PID:786
-
-
~/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext"~/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext"4⤵PID:792
-
-
-
-
/bin/rm/bin/rm -rf /tmp/selfgz6912⤵
- Writes file to tmp directory
PID:787
-
-
/usr/bin/whichwhich md5sum1⤵
- Write file to user bin folder
PID:698
-
/usr/bin/whichwhich shasum1⤵
- Write file to user bin folder
PID:700
-
/usr/bin/trtr -d " "1⤵PID:704
-
/usr/bin/wcwc -c1⤵PID:703
-
/usr/bin/headhead -n 587 ./installer.run1⤵PID:702
-
/usr/bin/cutcut "-d " -f11⤵PID:707
-
/usr/bin/cutcut "-d " -f11⤵PID:711
-
/usr/bin/cutcut "-d " -f11⤵PID:715
-
/usr/bin/cutcut -b-321⤵PID:719
-
/usr/bin/exprexpr 4194304 / 41⤵PID:721
-
/usr/bin/md5sum/usr/bin/md5sum1⤵PID:720
-
/usr/bin/exprexpr 1048576 / 41⤵PID:722
-
/usr/bin/exprexpr 262144 / 41⤵PID:723
-
/usr/bin/exprexpr 87287 / 655361⤵PID:724
-
/usr/bin/exprexpr 87287 "%" 655361⤵PID:725
-
/bin/dddd "ibs=14819" "skip=1"1⤵PID:727
-
/usr/bin/exprexpr 0 + 655361⤵PID:728
-
/bin/dddd "bs=65536" "count=1"1⤵PID:729
-
/usr/bin/exprexpr 87287 / 1001⤵PID:730
-
/usr/bin/exprexpr 65536 / 8721⤵PID:731
-
/usr/bin/exprexpr 65536 + 655361⤵PID:732
-
/bin/dddd "bs=21751" "count=1"1⤵PID:733
-
/usr/bin/trtr -d " "1⤵PID:739
-
/usr/bin/wcwc -c1⤵PID:738
-
/usr/bin/headhead -n 587 ./installer.run1⤵PID:737
-
/usr/bin/awkawk "{ if (\$4 ~ /%/) {print \$3} else {print \$4} }"1⤵PID:744
-
/usr/bin/tailtail -11⤵PID:743
-
/bin/dfdf -kP /tmp/selfgz6911⤵
- Reads runtime system information
- Writes file to tmp directory
PID:742
-
/bin/tartar xpvf -1⤵
- Reads runtime system information
PID:748
-
/bin/gzipgzip -cd1⤵PID:749
-
/usr/bin/exprexpr 4194304 / 41⤵PID:750
-
/usr/bin/exprexpr 1048576 / 41⤵PID:751
-
/usr/bin/exprexpr 262144 / 41⤵PID:752
-
/usr/bin/exprexpr 87287 / 655361⤵PID:753
-
/usr/bin/exprexpr 87287 "%" 655361⤵PID:754
-
/bin/dddd "ibs=14819" "skip=1"1⤵PID:756
-
/usr/bin/exprexpr 0 + 655361⤵PID:757
-
/bin/dddd "bs=65536" "count=1"1⤵PID:758
-
/usr/bin/exprexpr 87287 / 1001⤵PID:759
-
/usr/bin/exprexpr 65536 / 8721⤵PID:760
-
/usr/bin/exprexpr 65536 + 655361⤵PID:761
-
/bin/dddd "bs=21751" "count=1"1⤵PID:762
-
/usr/bin/idid -u1⤵
- Reads runtime system information
PID:764
-
/bin/chownchown -R 0 .1⤵PID:765
-
/usr/bin/idid -g1⤵
- Reads runtime system information
PID:766
-
/bin/catcat1⤵PID:781
-
/usr/bin/whoamiwhoami1⤵PID:780
-
/usr/bin/whoamiwhoami1⤵PID:782