Analysis

  • max time kernel
    0s
  • max time network
    127s
  • platform
    debian-9_armhf
  • resource
    debian9-armhf-20221111-en
  • resource tags

    arch:armhf, image:debian9-armhf-20221111-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
  • submitted
    28-12-2022 14:33

General

  • Target

    ChrisTitusTech_debloatWin10_elQueAnda/cttscript/HyperV Tools/arch.sh

  • Size

    3KB

  • MD5

    61f97d46bef37eafc2f53a6c7a342605

  • SHA1

    a0566c2a1b9bc4d45cb940f48681fdab1f794d77

  • SHA256

    7aacd932ed5093cd0a43bdb20908ad3415725fbb6c46ffce6e4c35f10766198e

  • SHA512

    2684529e311f2b67f060fbb65ba9bf7c9515bdf50ebef3ebd25114040a687f889b770ed3e7d9686560802aedac59b57a3aacb4ddf6c48c8069bef7c775dcd338

Score
8/10

Malware Config

Signatures

  • Modifies hosts file 1 IoCs

    Adds to hosts file used for mapping hosts to IP addresses.

  • Writes DNS configuration 1 TTPs 1 IoCs

    Writes data to DNS resolver config file.

  • Enumerates kernel/hardware configuration 1 TTPs 2 IoCs

    Reads contents of /sys virtual filesystem to enumerate system information.

  • Reads runtime system information 17 IoCs

    Reads data from /proc virtual filesystem.

  • Writes file to tmp directory 3 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/ChrisTitusTech_debloatWin10_elQueAnda/cttscript/HyperV Tools/arch.sh
    "/tmp/ChrisTitusTech_debloatWin10_elQueAnda/cttscript/HyperV Tools/arch.sh"
    1⤵
    • Writes file to tmp directory
    PID:367
    • /usr/bin/id
      id -u
      2⤵
      • Reads runtime system information
      PID:369
    • /usr/bin/sudo
      sudo pacman -Syu --needed --noconfirm base base-devel git
      2⤵
      • Modifies hosts file
      • Writes DNS configuration
      • Reads runtime system information
      PID:375
    • /bin/mktemp
      mktemp -d
      2⤵
      PID:376
    • /bin/rm
      rm -rf /tmp/tmp.2kuMr3vbtU
      2⤵
      • Writes file to tmp directory
      PID:381
    • /bin/systemctl
      systemctl enable xrdp
      2⤵
      • Enumerates kernel/hardware configuration
      • Reads runtime system information
      PID:382
    • /bin/systemctl
      systemctl enable xrdp-sesman
      2⤵
      • Enumerates kernel/hardware configuration
      • Reads runtime system information
      PID:383
    • /bin/sed
      sed -i_orig -e "s/port=3389/port=vsock:\\/\\/-1:3389/g" /etc/xrdp/xrdp.ini
      2⤵
      • Reads runtime system information
      PID:384
    • /bin/sed
      sed -i_orig -e "s/security_layer=negotiate/security_layer=rdp/g" /etc/xrdp/xrdp.ini
      2⤵
      • Reads runtime system information
      PID:385
    • /bin/sed
      sed -i_orig -e "s/crypt_level=high/crypt_level=none/g" /etc/xrdp/xrdp.ini
      2⤵
      • Reads runtime system information
      PID:386
    • /bin/sed
      sed -i_orig -e "s/bitmap_compression=true/bitmap_compression=false/g" /etc/xrdp/xrdp.ini
      2⤵
      • Reads runtime system information
      PID:387
    • /bin/sed
      sed -i_orig -e "s/FuseMountName=thinclient_drives/FuseMountName=shared-drives/g" /etc/xrdp/sesman.ini
      2⤵
      • Reads runtime system information
      PID:388
    • /bin/cat
      cat
      2⤵
      PID:390
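The five sed invocations in the process tree above rewrite /etc/xrdp/xrdp.ini and /etc/xrdp/sesman.ini for Hyper-V enhanced-session mode: the xrdp listener is moved from TCP 3389 to the hypervisor socket (port=vsock://-1:3389), TLS negotiation is switched off (security_layer=rdp), RDP-level encryption is disabled (crypt_level=none) and bitmap compression is turned off. None of the sandbox signatures fires on this, although it is the most security-relevant change the script makes. Note also that the script installs packages with pacman (Arch Linux) while the sandbox platform is Debian 9 armhf, so that step cannot have completed as intended on this image. The following is an added audit helper, not code from arch.sh or from the ChrisTitusTech repository: it reads the [Globals] keys of a constructed sample xrdp.ini with a small awk-based ini_get and reports the weakened values. The function names and the two sample configs are this example's own.

```shell
#!/bin/sh
# Added example, not part of arch.sh: audit an xrdp.ini for the settings the
# script's sed commands write into it. Sample configs below are constructed.

# Print the value of KEY inside [SECTION] of an ini file (first match only).
# Usage: ini_get FILE SECTION KEY
ini_get() {
    awk -v sect="[$2]" -v key="$3" '
        $0 == sect                       { insec = 1; next }
        /^\[/                            { insec = 0 }
        insec && index($0, key "=") == 1 { sub(/^[^=]*=/, ""); print; exit }
    ' "$1"
}

# Return 0 if the [Globals] transport settings are the stock xrdp defaults,
# 1 if they match the weakened values the script applies (details on stdout).
audit_xrdp_ini() {
    file="$1"
    bad=0
    port=$(ini_get "$file" Globals port)
    layer=$(ini_get "$file" Globals security_layer)
    crypt=$(ini_get "$file" Globals crypt_level)
    case "$port" in
        vsock:*) echo "port=$port: listener moved to the Hyper-V vsock transport"; bad=1 ;;
    esac
    if [ "$layer" = "rdp" ]; then
        echo "security_layer=$layer: TLS negotiation disabled"; bad=1
    fi
    if [ "$crypt" = "none" ] || [ "$crypt" = "low" ]; then
        echo "crypt_level=$crypt: RDP-level encryption weakened"; bad=1
    fi
    return "$bad"
}

# Write two constructed sample configs into DIR: the stock defaults and the
# values left behind by the script's sed -i edits.
write_samples() {
    printf '[Globals]\nport=3389\nsecurity_layer=negotiate\ncrypt_level=high\nbitmap_compression=true\n' \
        > "$1/default.ini"
    printf '[Globals]\nport=vsock://-1:3389\nsecurity_layer=rdp\ncrypt_level=none\nbitmap_compression=false\n' \
        > "$1/weakened.ini"
}

# Usage: run the audit over both samples.
dir=$(mktemp -d)
write_samples "$dir"
for f in "$dir/default.ini" "$dir/weakened.ini"; do
    if audit_xrdp_ini "$f"; then
        echo "$f: stock settings"
    else
        echo "$f: WEAKENED"
    fi
done
rm -rf "$dir"
```

With vsock as the transport the missing TLS and encryption matter less, since only the Hyper-V host can reach that socket. The check is there for the case where port is later pointed back at a TCP listener while security_layer=rdp and crypt_level=none are left in place, which puts credentials and screen contents on the network in the clear.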

Network

MITRE ATT&CK Enterprise v6
