Overview

overview

9

Static

static

1

encrypt.sh

ubuntu-18.04-amd64

9

encrypt.sh

debian-9-armhf

9

encrypt.sh

debian-9-mips

9

encrypt.sh

debian-9-mipsel

9

Resubmissions

12/05/2023, 14:01

230512-rbhrgsdc97 6

12/02/2023, 18:04

230212-wnlq5afa3w 9

Analysis

  • max time kernel
    0s
  • max time network
    156s
  • platform
    debian-9_mipsel
  • resource
    debian9-mipsel-20221111-en
  • resource tags

    arch:mipselimage:debian9-mipsel-20221111-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem
  • submitted
    12/02/2023, 18:04

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    encrypt.sh

  • Size

    3KB

  • MD5

    cf5762eea336cf74a0323d715f72b8b9

  • SHA1

    b40e39adadc5ae4d98fd3900837414797562b1bc

  • SHA256

    ae4b7284a9538c66432f02097c3de14e2253d16b6602c4694753468bc14d7d28

  • SHA512

    35822aafe30d8a14a1ac48d25f6a5eff90c55e18c44df6432bcec962370b6ff1fe06559510090691abb5e4b50594b7067b48f3e582944b07af1c3669fe739c77

Score
9/10

Malware Config

Signatures

  • Writes file to system bin folder 1 TTPs 1 IoCs
  • Reads CPU attributes 1 TTPs 2 IoCs
  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

  • Writes file to tmp directory 8 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/encrypt.sh
    /tmp/encrypt.sh
    1⤵
    • Writes file to tmp directory
    PID:322
    • /bin/chmod
      chmod +x /tmp//encrypt
      2⤵
        PID:337
      • /usr/bin/find
        find /usr/lib/vmware -type f -name index.html
        2⤵
          PID:342
        • /bin/mv
          mv /etc/motd /etc/motd1
          2⤵
          • Reads runtime system information
          PID:343
        • /bin/cp
          cp /tmp//motd /etc/motd
          2⤵
            PID:344
          • /bin/find
            /bin/find / -name "*.log" -exec /bin/rm -rf "{}" ";"
            2⤵
              PID:345
            • /bin/rm
              /bin/rm -f /store/packages/vmtools.py
              2⤵
                PID:355
              • /bin/touch
                /bin/touch -r /etc/vmware/rhttpproxy/config.xml /etc/vmware/rhttpproxy/endpoints.conf
                2⤵
                  PID:356
                • /bin/touch
                  /bin/touch -r /etc/vmware/rhttpproxy/config.xml /bin/hostd-probe.sh
                  2⤵
                    PID:357
                  • /bin/touch
                    /bin/touch -r /etc/vmware/rhttpproxy/config.xml /etc/rc.local.d/local.sh
                    2⤵
                      PID:358
                    • /bin/rm
                      /bin/rm -f /tmp/encrypt /tmp/nohup.out /tmp/index.html /tmp/motd /tmp/public.pem /tmp/archieve.zip
                      2⤵
                      • Writes file to tmp directory
                      PID:359
                    • /bin/sh
                      /bin/sh /bin/auto-backup.sh
                      2⤵
                      • Writes file to system bin folder
                      PID:360
                    • /bin/rm
                      /bin/rm -- /tmp/encrypt.sh
                      2⤵
                      • Writes file to tmp directory
                      PID:361
                    • /etc/init.d/SSH
                      /etc/init.d/SSH start
                      2⤵
                        PID:362
                    • /bin/grep
                      grep "Config File"
                      1⤵
                        PID:331
                      • /usr/bin/awk
                        awk "{print \$3}"
                        1⤵
                          PID:332
                        • /bin/grep
                          grep vmx
                          1⤵
                            PID:335
                          • /bin/ps
                            ps
                            1⤵
                            • Reads CPU attributes
                            • Reads runtime system information
                            PID:334
                          • /usr/bin/awk
                            awk "{print \$2}"
                            1⤵
                              PID:336
                            • /bin/grep
                              grep /vmfs/volumes/
                              1⤵
                                PID:340
                              • /usr/bin/awk
                                awk "-F " "{print \$2}"
                                1⤵
                                  PID:341
                                • /bin/grep
                                  /bin/grep encrypt
                                  1⤵
                                    PID:348
                                  • /bin/ps
                                    /bin/ps
                                    1⤵
                                    • Reads CPU attributes
                                    • Reads runtime system information
                                    PID:347
                                  • /bin/grep
                                    /bin/grep -v grep
                                    1⤵
                                      PID:349
                                    • /bin/wc
                                      /bin/wc -l
                                      1⤵
                                        PID:350
                                      • /bin/vmware
                                        /bin/vmware -l
                                        1⤵
                                          PID:352
                                        • /bin/wc
                                          /bin/wc -l
                                          1⤵
                                            PID:354
                                          • /bin/grep
                                            /bin/grep " 7."
                                            1⤵
                                              PID:353

                                            Network

                                                  MITRE ATT&CK Enterprise v6

                                                  Replay Monitor

                                                  Loading Replay Monitor...

                                                  Downloads