Analysis
-
max time kernel
0s -
max time network
103s -
platform
linux_amd64 -
resource
ubuntu1804-amd64-en-20211208 -
resource tags
-
submitted
28-03-2023 15:37
General
-
Target
Network-Reinstall-System-Modify.sh
-
Size
22KB
-
MD5
9c28ccb76f59bd3db8024df3390cc43f
-
SHA1
71456f36535ad65ad3d8999ff33bd8060a285bf1
-
SHA256
54a8e65a111d9259425671d12dd74b18c60d4ffaf672b3e98705e662a344c1f4
-
SHA512
74abcf82204ef17faf41531228a93c23c760f8ae2f494a741bbda5bcfa069cb85f82532f5663abd30ab670237e12a8f35250ca918d05dd50c08244ad3df27110
-
SSDEEP
192:wkT+rj6wiacnMRw0zjpw5fI2BfxKUM/uiT9hEpaQ8fj5qraRzlko0uoHb3+gYOG/:wX6Sicw+YpVY6mLLlWP7UypKYmb
Score
8/10
Malware Config
Signatures
-
Modifies hosts file 6 IoCs
Adds to hosts file used for mapping hosts to IP addresses.
-
Writes DNS configuration 1 TTPs 6 IoCs
Writes data to DNS resolver config file.
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates kernel/hardware configuration 1 TTPs 10 IoCs
Reads contents of /sys virtual filesystem to enumerate system information.
-
Reads runtime system information 14 IoCs
Reads data from /proc virtual filesystem.
-
Writes file to tmp directory 33 IoCs
Malware often drops required files in the /tmp directory.
Processes
-
/tmp/Network-Reinstall-System-Modify.sh/tmp/Network-Reinstall-System-Modify.sh1⤵
- Writes file to tmp directory
-
/usr/bin/clearclear2⤵
-
/bin/sleepsleep 6s2⤵
-
/bin/sleepsleep 2s2⤵
-
/usr/bin/apt-getapt-get install -y xz-utils openssl gawk file wget curl2⤵
- Reads runtime system information
- Writes file to tmp directory
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures3⤵
- Reads runtime system information
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures3⤵
- Reads runtime system information
-
/usr/lib/apt/methods/http/usr/lib/apt/methods/http3⤵
-
/usr/lib/apt/methods/http/usr/lib/apt/methods/http3⤵
- Modifies hosts file
- Writes DNS configuration
-
/usr/lib/apt/methods/http/usr/lib/apt/methods/http3⤵
- Modifies hosts file
- Writes DNS configuration
-
/usr/bin/aptapt install -y xz-utils openssl gawk file wget curl2⤵
- Reads runtime system information
- Writes file to tmp directory
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures3⤵
- Reads runtime system information
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures3⤵
- Reads runtime system information
-
/usr/lib/apt/methods/http/usr/lib/apt/methods/http3⤵
-
/usr/lib/apt/methods/http/usr/lib/apt/methods/http3⤵
- Modifies hosts file
- Writes DNS configuration
-
/usr/lib/apt/methods/http/usr/lib/apt/methods/http3⤵
- Modifies hosts file
- Writes DNS configuration
-
/bin/sleepsleep 3s2⤵
-
/bin/sleepsleep 1s2⤵
-
/bin/unameuname -m2⤵
-
/usr/bin/wgetwget --no-check-certificate -qO /root/Core_Install.sh http://dou-dou.cc/Network-Reinstall-System-Modify-master/CoreShell/Core_Install_v5.3.sh2⤵
- Modifies hosts file
- Writes DNS configuration
-
/bin/chmodchmod a+x /root/Core_Install.sh2⤵
-
/bin/sleepsleep 3s2⤵
-
/usr/bin/clearclear2⤵
-
/usr/bin/clearclear2⤵
-
/bin/catcat /etc/issue1⤵
-
/bin/grepgrep Debian1⤵
-
/bin/shsh -c "[ ! -f /usr/lib/ubuntu-advantage/apt-esm-hook ] || /usr/lib/ubuntu-advantage/apt-esm-hook pre-invoke || true"1⤵
-
/usr/lib/ubuntu-advantage/apt-esm-hook/usr/lib/ubuntu-advantage/apt-esm-hook pre-invoke2⤵
- Reads runtime system information
-
/bin/shsh -c "[ ! -f /usr/lib/ubuntu-advantage/apt-esm-hook ] || /usr/lib/ubuntu-advantage/apt-esm-hook pre-invoke || true"1⤵
-
/usr/lib/ubuntu-advantage/apt-esm-hook/usr/lib/ubuntu-advantage/apt-esm-hook pre-invoke2⤵
- Reads runtime system information
-
/usr/bin/headhead -11⤵
-
/sbin/fdiskfdisk -l1⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
-
/bin/grepgrep -o gpt1⤵
-
/bin/grepgrep "\"country\":\"China\""1⤵
-
/usr/bin/wgetwget --no-check-certificate -qO- https://api.myip.com1⤵
- Modifies hosts file
- Writes DNS configuration