Analysis

max time kernel: 0s
max time network: 103s
platform: linux_amd64
resource: ubuntu1804-amd64-en-20211208
resource tags: arch:amd64, arch:i386, image:ubuntu1804-amd64-en-20211208, kernel:4.15.0-161-generic, locale:en-us, os:ubuntu-18.04-amd64, system
submitted: 28-03-2023 15:37
Static task: static1

Behavioral task: behavioral1
  Sample: Network-Reinstall-System-Modify.sh
  Resource: ubuntu1804-amd64-en-20211208

Behavioral task: behavioral2
  Sample: Network-Reinstall-System-Modify.sh
  Resource: debian9-armhf-20221111-en

Behavioral task: behavioral3
  Sample: Network-Reinstall-System-Modify.sh
  Resource: debian9-mipsbe-en-20211208

Behavioral task: behavioral4
  Sample: Network-Reinstall-System-Modify.sh
  Resource: debian9-mipsel-20221111-en
General

Target: Network-Reinstall-System-Modify.sh
Size: 22KB
MD5: 9c28ccb76f59bd3db8024df3390cc43f
SHA1: 71456f36535ad65ad3d8999ff33bd8060a285bf1
SHA256: 54a8e65a111d9259425671d12dd74b18c60d4ffaf672b3e98705e662a344c1f4
SHA512: 74abcf82204ef17faf41531228a93c23c760f8ae2f494a741bbda5bcfa069cb85f82532f5663abd30ab670237e12a8f35250ca918d05dd50c08244ad3df27110
SSDEEP: 192:wkT+rj6wiacnMRw0zjpw5fI2BfxKUM/uiT9hEpaQ8fj5qraRzlko0uoHb3+gYOG/:wX6Sicw+YpVY6mLLlWP7UypKYmb
Malware Config

Signatures

Modifies hosts file (6 IoCs)
Adds to hosts file used for mapping hosts to IP addresses.
Processes:
  description   ioc           process
  /etc/hosts    /etc/hosts    http
  /etc/hosts    /etc/hosts    http
  /etc/hosts    /etc/hosts    http
  /etc/hosts    /etc/hosts    wget
  /etc/hosts    /etc/hosts    wget
  /etc/hosts    /etc/hosts    http

Writes DNS configuration (1 TTP, 6 IoCs)
Writes data to DNS resolver config file.
Processes:
  description         ioc                 process
  /etc/resolv.conf    /etc/resolv.conf    http
  /etc/resolv.conf    /etc/resolv.conf    http
  /etc/resolv.conf    /etc/resolv.conf    http
  /etc/resolv.conf    /etc/resolv.conf    http
  /etc/resolv.conf    /etc/resolv.conf    wget
  /etc/resolv.conf    /etc/resolv.conf    wget

Looks up external IP address via web service (3 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow    ioc
  19      api.myip.com
  20      api.myip.com
  21      api.myip.com

Enumerates kernel/hardware configuration (1 TTP, 10 IoCs)
Reads contents of /sys virtual filesystem to enumerate system information.
Processes:
  description                      ioc                              process
  /sys/dev/block/252:0/dm/uuid     /sys/dev/block/252:0/dm/uuid     fdisk
  /sys/block/sr0/dev               /sys/block/sr0/dev               fdisk
  /sys/dev/block/11:0              /sys/dev/block/11:0              fdisk
  /sys/dev/block/11:0/dm/uuid      /sys/dev/block/11:0/dm/uuid      fdisk
  /sys/block/fd0/dev               /sys/block/fd0/dev               fdisk
  /sys/dev/block/2:0               /sys/dev/block/2:0               fdisk
  /sys/dev/block/2:0/dm/uuid       /sys/dev/block/2:0/dm/uuid       fdisk
  /sys/block/vda/dev               /sys/block/vda/dev               fdisk
  /sys/dev/block/252:0             /sys/dev/block/252:0             fdisk
  /sys/block/vda1/dev              /sys/block/vda1/dev              fdisk

Reads runtime system information (14 IoCs)
Reads data from /proc virtual filesystem.
Processes:
  description                     ioc                             process
  /proc/filesystems               /proc/filesystems               dpkg
  /proc/filesystems               /proc/filesystems               dpkg
  /proc/602/status                /proc/602/status                apt-esm-hook
  /proc/filesystems               /proc/filesystems               dpkg
  /proc/self/status               /proc/self/status               apt-esm-hook
  /proc/592/cmdline               /proc/592/cmdline               apt-esm-hook
  /proc/sys/kernel/ngroups_max    /proc/sys/kernel/ngroups_max    apt
  /proc/self/fd                   /proc/self/fd
  /proc/self/status               /proc/self/status               apt-esm-hook
  /proc/601/cmdline               /proc/601/cmdline               apt-esm-hook
  /proc/filesystems               /proc/filesystems               dpkg
  /proc/partitions                /proc/partitions                fdisk
  /proc/593/status                /proc/593/status                apt-esm-hook
  /proc/sys/kernel/ngroups_max    /proc/sys/kernel/ngroups_max    apt-get

Writes file to tmp directory (33 IoCs)
Malware often drops required files in the /tmp directory.
Processes:
  description                                ioc                                        process
  /tmp/fileutl.message.fFoKfj                /tmp/fileutl.message.fFoKfj                apt-get
  /tmp/fileutl.message.8BJabL                /tmp/fileutl.message.8BJabL                apt-get
  /tmp/fileutl.message.UcmT2E                /tmp/fileutl.message.UcmT2E                apt-get
  /tmp/fileutl.message.B049Y6                /tmp/fileutl.message.B049Y6                apt-get
  /tmp/fileutl.message.oKBJrm                /tmp/fileutl.message.oKBJrm                apt-get
  /tmp/fileutl.message.xzIIB9                /tmp/fileutl.message.xzIIB9                apt
  /tmp/fileutl.message.ztuuOd                /tmp/fileutl.message.ztuuOd                apt
  /tmp/fileutl.message.ZjYguT                /tmp/fileutl.message.ZjYguT                apt
  /tmp/fileutl.message.bgRdlz                /tmp/fileutl.message.bgRdlz                apt
  /tmp/fileutl.message.rjthNB                /tmp/fileutl.message.rjthNB                apt-get
  /tmp/fileutl.message.7dOwVK                /tmp/fileutl.message.7dOwVK                apt
  /tmp/fileutl.message.ZBdpOX                /tmp/fileutl.message.ZBdpOX                apt
  /tmp/fileutl.message.Fl7Lw6                /tmp/fileutl.message.Fl7Lw6                apt
  /tmp/fileutl.message.fiRFAv                /tmp/fileutl.message.fiRFAv                apt-get
  /tmp/fileutl.message.I3NzkR                /tmp/fileutl.message.I3NzkR                apt-get
  /tmp/fileutl.message.braT6c                /tmp/fileutl.message.braT6c                apt-get
  /tmp/fileutl.message.p8gBID                /tmp/fileutl.message.p8gBID                apt
  /tmp/fileutl.message.4AG49f                /tmp/fileutl.message.4AG49f                apt-get
  /tmp/Network-Reinstall-System-Modify.sh    /tmp/Network-Reinstall-System-Modify.sh    Network-Reinstall-System-Modify.sh
  /tmp/fileutl.message.pYItiO                /tmp/fileutl.message.pYItiO                apt-get
  /tmp/fileutl.message.ATR3uX                /tmp/fileutl.message.ATR3uX                apt-get
  /tmp/fileutl.message.HmRKkm                /tmp/fileutl.message.HmRKkm                apt
  /tmp/fileutl.message.d5X9Dq                /tmp/fileutl.message.d5X9Dq                apt
  /tmp/fileutl.message.5JF3Yu                /tmp/fileutl.message.5JF3Yu                apt
  /tmp/fileutl.message.ZAL11H                /tmp/fileutl.message.ZAL11H                apt-get
  /tmp/fileutl.message.msmgU9                /tmp/fileutl.message.msmgU9                apt-get
  /tmp/fileutl.message.zQAGpp                /tmp/fileutl.message.zQAGpp                apt-get
  /tmp/fileutl.message.hnCSHG                /tmp/fileutl.message.hnCSHG                apt
  /tmp/fileutl.message.zQZvbP                /tmp/fileutl.message.zQZvbP                apt
  /tmp/fileutl.message.hqvZ91                /tmp/fileutl.message.hqvZ91                apt
  /tmp/fileutl.message.6KoAG3                /tmp/fileutl.message.6KoAG3                apt-get
  /tmp/fileutl.message.H6epwC                /tmp/fileutl.message.H6epwC                apt
  /tmp/fileutl.message.LBXk3h                /tmp/fileutl.message.LBXk3h                apt
Processes

/tmp/Network-Reinstall-System-Modify.sh  /tmp/Network-Reinstall-System-Modify.sh  1⤵
  - Writes file to tmp directory
/usr/bin/clear  clear  2⤵
/bin/sleep  sleep 6s  2⤵
/bin/sleep  sleep 2s  2⤵
/usr/bin/apt-get  apt-get install -y xz-utils openssl gawk file wget curl  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
/usr/bin/dpkg  /usr/bin/dpkg --print-foreign-architectures  3⤵
  - Reads runtime system information
/usr/bin/dpkg  /usr/bin/dpkg --print-foreign-architectures  3⤵
  - Reads runtime system information
/usr/lib/apt/methods/http  /usr/lib/apt/methods/http  3⤵
/usr/lib/apt/methods/http  /usr/lib/apt/methods/http  3⤵
  - Modifies hosts file
  - Writes DNS configuration
/usr/lib/apt/methods/http  /usr/lib/apt/methods/http  3⤵
  - Modifies hosts file
  - Writes DNS configuration
/usr/bin/apt  apt install -y xz-utils openssl gawk file wget curl  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
/usr/bin/dpkg  /usr/bin/dpkg --print-foreign-architectures  3⤵
  - Reads runtime system information
/usr/bin/dpkg  /usr/bin/dpkg --print-foreign-architectures  3⤵
  - Reads runtime system information
/usr/lib/apt/methods/http  /usr/lib/apt/methods/http  3⤵
/usr/lib/apt/methods/http  /usr/lib/apt/methods/http  3⤵
  - Modifies hosts file
  - Writes DNS configuration
/usr/lib/apt/methods/http  /usr/lib/apt/methods/http  3⤵
  - Modifies hosts file
  - Writes DNS configuration
/bin/sleep  sleep 3s  2⤵
/bin/sleep  sleep 1s  2⤵
/bin/uname  uname -m  2⤵
/usr/bin/wget  wget --no-check-certificate -qO /root/Core_Install.sh http://dou-dou.cc/Network-Reinstall-System-Modify-master/CoreShell/Core_Install_v5.3.sh  2⤵
  - Modifies hosts file
  - Writes DNS configuration
/bin/chmod  chmod a+x /root/Core_Install.sh  2⤵
/bin/sleep  sleep 3s  2⤵
/usr/bin/clear  clear  2⤵
/usr/bin/clear  clear  2⤵
/bin/cat  cat /etc/issue  1⤵
/bin/grep  grep Debian  1⤵
/bin/sh  sh -c "[ ! -f /usr/lib/ubuntu-advantage/apt-esm-hook ] || /usr/lib/ubuntu-advantage/apt-esm-hook pre-invoke || true"  1⤵
/usr/lib/ubuntu-advantage/apt-esm-hook  /usr/lib/ubuntu-advantage/apt-esm-hook pre-invoke  2⤵
  - Reads runtime system information
/bin/sh  sh -c "[ ! -f /usr/lib/ubuntu-advantage/apt-esm-hook ] || /usr/lib/ubuntu-advantage/apt-esm-hook pre-invoke || true"  1⤵
/usr/lib/ubuntu-advantage/apt-esm-hook  /usr/lib/ubuntu-advantage/apt-esm-hook pre-invoke  2⤵
  - Reads runtime system information
/usr/bin/head  head -1  1⤵
/sbin/fdisk  fdisk -l  1⤵
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
/bin/grep  grep -o gpt  1⤵
/bin/grep  grep "\"country\":\"China\""  1⤵
/usr/bin/wget  wget --no-check-certificate -qO- https://api.myip.com  1⤵
  - Modifies hosts file
  - Writes DNS configuration