Analysis
-
max time kernel
0s -
max time network
134s -
platform
ubuntu-18.04_amd64 -
resource
ubuntu1804-amd64-20221111-en -
resource tags
-
submitted
28/12/2022, 23:48
General
-
Target
gog_undertale_2.0.0.1.sh
-
Size
122.5MB
-
MD5
e740df4e15974ad8c21f45ebe8426fb0
-
SHA1
71b07640d9da478858ebf67c3c84c42260bb427d
-
SHA256
dd47d4418c7c3b1b971123d2364f988f29ca78b8a7687742e8937e9ffc3bc297
-
SHA512
a5c307d81f99fd8697f1ac8bd911e3a9847f5306d75d671136e43c44ddbc4a5a4fb6e520d37a058865381940b9889424fc265655741964388ac9787bd1f05400
-
SSDEEP
3145728:Yf4gqKOqQFRZX9/jPkGw1Kd6jAfI0+Y9Yb2iQY:YggqKOqQPZt/DkGw1KdAAfICib2iQY
Score
7/10
Malware Config
Signatures
-
Write file to user bin folder 1 TTPs 1 IoCs
-
Writes file to shm directory 2 IoCs
Malware can drop malicious files in the shm directory which will run directly from RAM.
-
Reads runtime system information 5 IoCs
Reads data from /proc virtual filesystem.
-
Writes file to tmp directory 64 IoCs
Malware often drops required files in the /tmp directory.
Processes
-
/tmp/gog_undertale_2.0.0.1.sh/tmp/gog_undertale_2.0.0.1.sh1⤵
- Writes file to tmp directory
-
/usr/bin/basenamebasename /tmp/gog_undertale_2.0.0.1.sh2⤵
-
-
/bin/mkdirmkdir /tmp/selfgz6002⤵
- Reads runtime system information
-
-
/usr/bin/basenamebasename /usr/bin/md5sum2⤵
-
-
/usr/bin/exprexpr 1 + 12⤵
-
-
/usr/bin/exprexpr 12450 + 5756172⤵
-
-
/bin/chgrpchgrp -R 0 .2⤵
-
-
/usr/bin/exprexpr 12450 + 5756172⤵
-
-
./startmojo.sh./startmojo.sh2⤵
-
/bin/unameuname3⤵
-
-
/bin/grepgrep darwin3⤵
-
-
/bin/unameuname -m3⤵
-
-
/bin/grepgrep i.863⤵
-
-
/bin/grepgrep 86pc3⤵
-
-
/bin/grepgrep amd643⤵
-
-
/bin/grepgrep Power3⤵
-
-
/usr/bin/touchtouch frontendstarted3⤵
-
-
/bin/chmodchmod +x bin/linux/x86_64/mojosetup3⤵
-
-
/tmp/selfgz600/bin/linux/x86_64/mojosetup/tmp/selfgz600/bin/linux/x86_64/mojosetup3⤵
- Writes file to shm directory
- Writes file to tmp directory
-
-
-
/bin/rm/bin/rm -rf /tmp/selfgz6002⤵
- Writes file to tmp directory
-
-
/usr/bin/dirnamedirname /tmp/gog_undertale_2.0.0.1.sh1⤵
-
/usr/bin/whichwhich md5sum1⤵
- Write file to user bin folder
-
/usr/bin/headhead -n 519 /tmp/gog_undertale_2.0.0.1.sh1⤵
- Writes file to tmp directory
-
/usr/bin/trtr -d " "1⤵
-
/usr/bin/wcwc -c1⤵
-
/usr/bin/cutcut "-d " -f11⤵
-
/usr/bin/cutcut "-d " -f11⤵
-
/usr/bin/md5sum/usr/bin/md5sum1⤵
-
/usr/bin/cutcut -b-321⤵
-
/usr/bin/exprexpr 575617 / 10241⤵
-
/usr/bin/exprexpr 575617 "%" 10241⤵
-
/bin/dddd "if=/tmp/gog_undertale_2.0.0.1.sh" "ibs=12450" "skip=1" "obs=1024" "conv=sync"1⤵
-
/bin/dddd "ibs=1024" "obs=1024" "count=562"1⤵
-
/bin/dddd "ibs=1" "obs=1024" "count=129"1⤵
-
/usr/bin/headhead -n 519 /tmp/gog_undertale_2.0.0.1.sh1⤵
-
/usr/bin/wcwc -c1⤵
-
/usr/bin/trtr -d " "1⤵
-
/bin/dfdf -kP /tmp/selfgz6001⤵
- Reads runtime system information
- Writes file to tmp directory
-
/usr/bin/tailtail -11⤵
-
/usr/bin/awkawk "{ if (\$4 ~ /%/) {print \$3} else {print \$4} }"1⤵
-
/usr/bin/exprexpr 4194304 / 41⤵
-
/bin/tartar xvf -1⤵
- Reads runtime system information
-
/usr/bin/exprexpr 1048576 / 41⤵
-
/bin/gzipgzip -cd1⤵
-
/usr/bin/exprexpr 575617 / 2621441⤵
-
/usr/bin/exprexpr 575617 "%" 2621441⤵
-
/bin/dddd "bs=12450" "count=0" "skip=1"1⤵
-
/usr/bin/exprexpr 0 + 2621441⤵
-
/bin/dddd "bs=262144" "count=1"1⤵
-
/usr/bin/exprexpr 575617 / 1001⤵
-
/usr/bin/exprexpr 262144 / 57561⤵
-
/usr/bin/exprexpr 262144 + 2621441⤵
-
/bin/dddd "bs=262144" "count=1"1⤵
-
/usr/bin/exprexpr 575617 / 1001⤵
-
/usr/bin/exprexpr 524288 / 57561⤵
-
/usr/bin/exprexpr 524288 + 2621441⤵
-
/bin/dddd "bs=51329" "count=1"1⤵
-
/usr/bin/idid -u1⤵
- Reads runtime system information
-
/bin/chownchown -R 0 .1⤵
-
/usr/bin/idid -g1⤵
- Reads runtime system information
-
/usr/bin/trtr "[A-Z]" "[a-z]"1⤵
-
/bin/grepgrep fr_1⤵
-
/bin/grepgrep de_1⤵
-
/bin/grepgrep ru_1⤵