Resubmissions
28-02-2022 15:41
220228-s4qs8seeg3 10
12-06-2021 09:55
210612-f7rmdwaays 10
12-06-2021 09:51
210612-kcegep1ef2 7
Analysis
-
max time kernel
0s -
max time network
121s -
platform
linux_mipsel -
resource
debian9-mipsel -
submitted
12-06-2021 09:51
Static task
static1
Behavioral task
behavioral1
Sample
installer.run
Resource
ubuntu-amd64
linux_amd64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
installer.run
Resource
debian9-mipsel
linux_mipsel
0 signatures
0 seconds
Behavioral task
behavioral3
Sample
installer.run
Resource
debian9-mipsbe
linux_mips
0 signatures
0 seconds
General
-
Target
installer.run
-
Size
99KB
-
MD5
d4b45f4ab1ec5616026e8fbed2431be8
-
SHA1
28ecd4944f37bb8f9b7dfd1d486f7c9c027166d0
-
SHA256
819eab9afaca5601ffd83c85a7edd6cd1899e6b431ab8e901a385065912adeb1
-
SHA512
2026b561dce762930e3c6a7179d509efb7be482281111f65461328ed6da5c04e1bb7a7bf3f5cd883920a2cdd50e5c72b1c500d6f4963174792f0c183070b0771
Score
7/10
Malware Config
Signatures
-
Write file to user bin folder 1 TTPs 3 IoCs
description ioc Process
/usr/bin/which /usr/bin/which which
/usr/bin/which /usr/bin/which which
/usr/bin/which /usr/bin/which which
-
Reads runtime system information 13 IoCs
Reads data from the /proc virtual filesystem.
description ioc Process
/proc/filesystems /proc/filesystems id
/proc/filesystems /proc/filesystems cp
/proc/filesystems /proc/filesystems cp
/proc/filesystems /proc/filesystems crontab
/proc/filesystems /proc/filesystems id
/proc/filesystems /proc/filesystems tar
/proc/filesystems /proc/filesystems id
/proc/filesystems /proc/filesystems mkdir
/proc/filesystems /proc/filesystems cp
/proc/filesystems /proc/filesystems crontab
/proc/filesystems /proc/filesystems crontab
/proc/filesystems /proc/filesystems mkdir
/proc/self/mountinfo /proc/self/mountinfo df
-
Writes file to tmp directory 3 IoCs
Malware often drops required files in the /tmp directory.
description ioc Process
/tmp/selfgz341 /tmp/selfgz341 rm
/tmp/selfgz341 /tmp/selfgz341 rm
/tmp/selfgz341 /tmp/selfgz341 df
Processes
-
./installer.run./installer.run1⤵PID:341
-
/usr/bin/idid -u2⤵
- Reads runtime system information
PID:344
-
-
/usr/bin/ttytty -s2⤵PID:347
-
-
/bin/mkdirmkdir /tmp/selfgz3412⤵
- Reads runtime system information
PID:348
-
-
/usr/bin/basenamebasename /usr/bin/sha256sum2⤵PID:365
-
-
/usr/bin/basenamebasename /usr/bin/md5sum2⤵PID:370
-
-
/usr/bin/exprexpr 1 + 12⤵PID:395
-
-
/usr/bin/exprexpr 14819 + 872872⤵PID:397
-
-
/bin/chgrpchgrp -R 0 .2⤵PID:425
-
-
/usr/bin/exprexpr 14819 + 872872⤵PID:429
-
-
./setup.sh./setup.sh2⤵PID:430
-
/bin/mkdirmkdir -p "~/.cache/gnome-software/gnome-shell-extensions"3⤵
- Reads runtime system information
PID:431
-
-
/bin/cpcp ./gnome-shell-ext "~/.cache/gnome-software/gnome-shell-extensions"3⤵
- Reads runtime system information
PID:432
-
-
/bin/cpcp ./gnome-shell-ext.sh "~/.cache/gnome-software/gnome-shell-extensions"3⤵
- Reads runtime system information
PID:433
-
-
/bin/cpcp ./rtp.dat "~/.cache/gnome-software/gnome-shell-extensions"3⤵
- Reads runtime system information
PID:434
-
-
/bin/chmodchmod +x "~/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext"3⤵PID:435
-
-
/bin/chmodchmod +x "~/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh"3⤵PID:436
-
-
/bin/grepgrep -q "0-59 * * * * ~/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh"3⤵PID:438
-
-
/usr/bin/crontabcrontab -l3⤵
- Reads runtime system information
PID:437
-
-
/usr/bin/crontabcrontab -u root -3⤵
- Reads runtime system information
PID:441
-
-
/usr/bin/crontabcrontab -u root -l3⤵
- Reads runtime system information
PID:439
-
-
/usr/bin/nohupnohup "~/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh"3⤵PID:445
-
-
/bin/rmrm -rf -- /tmp/selfgz3413⤵
- Writes file to tmp directory
PID:447
-
-
~/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh"~/.cache/gnome-software/gnome-shell-extensions/gnome-shell-ext.sh"3⤵PID:445
-
-
-
/bin/rm/bin/rm -rf /tmp/selfgz3412⤵
- Writes file to tmp directory
PID:448
-
-
/usr/bin/whichwhich md5sum1⤵
- Write file to user bin folder
PID:353
-
/usr/bin/whichwhich shasum1⤵
- Write file to user bin folder
PID:355
-
/usr/bin/whichwhich sha256sum1⤵
- Write file to user bin folder
PID:357
-
/usr/bin/wcwc -c1⤵PID:360
-
/usr/bin/trtr -d " "1⤵PID:361
-
/usr/bin/headhead -n 587 ./installer.run1⤵PID:359
-
/usr/bin/cutcut "-d " -f11⤵PID:364
-
/usr/bin/cutcut "-d " -f11⤵PID:369
-
/usr/bin/cutcut "-d " -f11⤵PID:374
-
/usr/bin/cutcut -b-321⤵PID:378
-
/usr/bin/exprexpr 4194304 / 41⤵PID:380
-
/usr/bin/md5sum/usr/bin/md5sum1⤵PID:381
-
/usr/bin/exprexpr 1048576 / 41⤵PID:382
-
/usr/bin/exprexpr 262144 / 41⤵PID:383
-
/usr/bin/exprexpr 87287 / 655361⤵PID:384
-
/usr/bin/exprexpr 87287 "%" 655361⤵PID:385
-
/bin/dddd "ibs=14819" "skip=1"1⤵PID:388
-
/usr/bin/exprexpr 0 + 655361⤵PID:389
-
/bin/dddd "bs=65536" "count=1"1⤵PID:390
-
/usr/bin/exprexpr 87287 / 1001⤵PID:391
-
/usr/bin/exprexpr 65536 / 8721⤵PID:392
-
/usr/bin/exprexpr 65536 + 655361⤵PID:393
-
/bin/dddd "bs=21751" "count=1"1⤵PID:394
-
/usr/bin/headhead -n 587 ./installer.run1⤵PID:399
-
/usr/bin/trtr -d " "1⤵PID:401
-
/usr/bin/wcwc -c1⤵PID:400
-
/usr/bin/tailtail -11⤵PID:405
-
/bin/dfdf -kP /tmp/selfgz3411⤵
- Reads runtime system information
- Writes file to tmp directory
PID:404
-
/usr/bin/awkawk "{ if (\$4 ~ /%/) {print \$3} else {print \$4} }"1⤵PID:406
-
/usr/bin/exprexpr 4194304 / 41⤵PID:410
-
/bin/gzipgzip -cd1⤵PID:411
-
/bin/tartar xpvf -1⤵
- Reads runtime system information
PID:412
-
/usr/bin/exprexpr 1048576 / 41⤵PID:413
-
/usr/bin/exprexpr 262144 / 41⤵PID:414
-
/usr/bin/exprexpr 87287 / 655361⤵PID:415
-
/usr/bin/exprexpr 87287 "%" 655361⤵PID:416
-
/bin/dddd "ibs=14819" "skip=1"1⤵PID:418
-
/usr/bin/exprexpr 0 + 655361⤵PID:419
-
/bin/dddd "bs=65536" "count=1"1⤵PID:420
-
/usr/bin/exprexpr 87287 / 1001⤵PID:421
-
/usr/bin/exprexpr 65536 / 8721⤵PID:422
-
/usr/bin/exprexpr 65536 + 655361⤵PID:423
-
/bin/dddd "bs=21751" "count=1"1⤵PID:424
-
/usr/bin/idid -u1⤵
- Reads runtime system information
PID:426
-
/bin/chownchown -R 0 .1⤵PID:427
-
/usr/bin/idid -g1⤵
- Reads runtime system information
PID:428
-
/bin/catcat1⤵PID:444
-
/usr/bin/whoamiwhoami1⤵PID:443
-
/usr/bin/whoamiwhoami1⤵PID:442