General

  • Target

    Network-Reinstall-System-Modify.sh

  • Size

    22KB

  • Sample

    230328-s2g4badd8y

  • MD5

    9c28ccb76f59bd3db8024df3390cc43f

  • SHA1

    71456f36535ad65ad3d8999ff33bd8060a285bf1

  • SHA256

    54a8e65a111d9259425671d12dd74b18c60d4ffaf672b3e98705e662a344c1f4

  • SHA512

    74abcf82204ef17faf41531228a93c23c760f8ae2f494a741bbda5bcfa069cb85f82532f5663abd30ab670237e12a8f35250ca918d05dd50c08244ad3df27110

  • SSDEEP

    192:wkT+rj6wiacnMRw0zjpw5fI2BfxKUM/uiT9hEpaQ8fj5qraRzlko0uoHb3+gYOG/:wX6Sicw+YpVY6mLLlWP7UypKYmb

Score
9/10

Targets
    • Deletes system logs

    • Modifies hosts file

      Adds to hosts file used for mapping hosts to IP addresses.

    • Writes DNS configuration

      Writes data to DNS resolver config file.

    • Writes file to user bin folder

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Enumerates kernel/hardware configuration

      Reads contents of /sys virtual filesystem to enumerate system information.

    • Reads runtime system information

      Reads data from /proc virtual filesystem.

    • Writes file to tmp directory

      Malware often drops required files in the /tmp directory.

MITRE ATT&CK Matrix (ATT&CK v6)

    • Persistence: Hijack Execution Flow, T1574 (1)

    • Privilege Escalation: Hijack Execution Flow, T1574 (1)

    • Defense Evasion: Indicator Removal on Host, T1070 (1); Hijack Execution Flow, T1574 (1)

    • Discovery: System Information Discovery, T1082 (1)

    • Command and Control: Dynamic Resolution, T1568 (1)
