Overview

overview

3

Static

static

1

setup-lin.sh

ubuntu-18.04-amd64

3

setup-lin.sh

debian-9-armhf

3

setup-lin.sh

debian-9-mips

3

setup-lin.sh

debian-9-mipsel

3

Analysis

  • max time kernel
    76s
  • max time network
    124s
  • platform
    debian-9_mips
  • resource
    debian9-mipsbe-20221125-en
  • resource tags

    arch:mipsimage:debian9-mipsbe-20221125-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem
  • submitted
    31/05/2023, 19:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    setup-lin.sh

  • Size

    661B

  • MD5

    d6e05568eb09e1a3c5a1bf7927f29356

  • SHA1

    96c8beddd7326f09e606babd610d1931c44a38df

  • SHA256

    9e2e1fc764629f265a64e874d63ed4b3ea6e44e4a205b09b116ab1baad850d34

  • SHA512

    3924427ea4d1b143f9b0ea3b981fc3cfb1d67f87da6ee190bb243490681a66fabd29b7c5ea3b05b595baf22dd0a78ed261bb0f5f94793a5ea9c6e5390eeb7ea0

Score
3/10

Malware Config

Signatures

  • Reads runtime system information 32 IoCs

    Reads data from /proc virtual filesystem.

  • Writes file to tmp directory 14 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/setup-lin.sh
    /tmp/setup-lin.sh
    1⤵
      PID:327
    • /usr/local/sbin/bash
      bash /tmp/setup-lin.sh
      1⤵
        PID:327
      • /usr/local/bin/bash
        bash /tmp/setup-lin.sh
        1⤵
          PID:327
        • /usr/sbin/bash
          bash /tmp/setup-lin.sh
          1⤵
            PID:327
          • /usr/bin/bash
            bash /tmp/setup-lin.sh
            1⤵
              PID:327
            • /sbin/bash
              bash /tmp/setup-lin.sh
              1⤵
                PID:327
              • /bin/bash
                bash /tmp/setup-lin.sh
                1⤵
                  PID:327
                  • /bin/rm
                    rm /var/lib/dpkg/lock
                    2⤵
                      PID:330
                    • /bin/rm
                      rm /var/cache/apt/archives/lock
                      2⤵
                        PID:334
                      • /bin/rm
                        rm /var/lib/apt/lists/lock
                        2⤵
                          PID:335
                        • /usr/bin/sudo
                          sudo dpkg --add-architecture i386
                          2⤵
                          • Reads runtime system information
                          PID:336
                          • /usr/bin/dpkg
                            dpkg --add-architecture i386
                            3⤵
                            • Reads runtime system information
                            PID:337
                        • /usr/bin/sudo
                          sudo apt-get update
                          2⤵
                          • Reads runtime system information
                          PID:338
                          • /usr/bin/apt-get
                            apt-get update
                            3⤵
                            • Reads runtime system information
                            • Writes file to tmp directory
                            PID:339
                            • /usr/bin/dpkg
                              /usr/bin/dpkg --print-foreign-architectures
                              4⤵
                              • Reads runtime system information
                              PID:340
                            • /usr/lib/apt/methods/http
                              /usr/lib/apt/methods/http
                              4⤵
                                PID:341
                              • /usr/lib/apt/methods/http
                                /usr/lib/apt/methods/http
                                4⤵
                                  PID:342
                                • /usr/lib/apt/methods/http
                                  /usr/lib/apt/methods/http
                                  4⤵
                                    PID:343
                                  • /usr/bin/dpkg
                                    /usr/bin/dpkg --print-foreign-architectures
                                    4⤵
                                    • Reads runtime system information
                                    PID:344
                                  • /usr/bin/dpkg
                                    /usr/bin/dpkg --print-foreign-architectures
                                    4⤵
                                    • Reads runtime system information
                                    PID:345
                              • /usr/bin/sudo
                                sudo apt-get install python3.9 -y
                                2⤵
                                • Reads runtime system information
                                PID:346
                                • /usr/bin/apt-get
                                  apt-get install python3.9 -y
                                  3⤵
                                  • Reads runtime system information
                                  • Writes file to tmp directory
                                  PID:347
                                  • /usr/bin/dpkg
                                    /usr/bin/dpkg --print-foreign-architectures
                                    4⤵
                                    • Reads runtime system information
                                    PID:348
                                  • /usr/bin/dpkg
                                    /usr/bin/dpkg --print-foreign-architectures
                                    4⤵
                                    • Reads runtime system information
                                    PID:349
                                  • /usr/lib/apt/methods/http
                                    /usr/lib/apt/methods/http
                                    4⤵
                                      PID:353
                                    • /usr/lib/apt/methods/http
                                      /usr/lib/apt/methods/http
                                      4⤵
                                        PID:354
                                  • /usr/bin/sudo
                                    sudo apt-get install -y wine
                                    2⤵
                                    • Reads runtime system information
                                    PID:355
                                    • /usr/bin/apt-get
                                      apt-get install -y wine
                                      3⤵
                                      • Writes file to tmp directory
                                      PID:356
                                      • /usr/bin/dpkg
                                        /usr/bin/dpkg --print-foreign-architectures
                                        4⤵
                                        • Reads runtime system information
                                        PID:357
                                      • /usr/bin/dpkg
                                        /usr/bin/dpkg --print-foreign-architectures
                                        4⤵
                                        • Reads runtime system information
                                        PID:358
                                  • /usr/bin/sudo
                                    sudo wget https://www.python.org/ftp/python/3.8.9/python-3.8.9.exe
                                    2⤵
                                    • Reads runtime system information
                                    PID:359
                                    • /usr/bin/wget
                                      wget https://www.python.org/ftp/python/3.8.9/python-3.8.9.exe
                                      3⤵
                                        PID:360
                                    • /usr/bin/sudo
                                      sudo wine cmd /c python-3.8.9.exe /quiet "InstallAllUsers=0"
                                      2⤵
                                      • Reads runtime system information
                                      PID:361
                                    • /usr/bin/sudo
                                      sudo wine "/root/.wine/drive_c/users/root/Local Settings/Application Data/Programs/Python/Python38-32/python.exe" -m pip install "pyinstaller==4.2" "cryptography==36.0.1" discord_webhook pycryptodome pypiwin32 "cryptography==36.0.1"
                                      2⤵
                                      • Reads runtime system information
                                      PID:362

                                  Network

                                  MITRE ATT&CK Matrix

                                  Replay Monitor

                                  Loading Replay Monitor...

                                  Downloads

                                  • /var/cache/apt/archives/partial/sgml-base_1.29_all.deb
                                    Filesize

                                    14KB

                                    MD5

                                    fee8870aaf64a1c58a01ce7d0173e9bf

                                    SHA1

                                    af9ac661eda82cc2227a023f3f98762e60a74296

                                    SHA256

                                    bca9413f03c61702820c8d577d1ca2e059b08f9c00ca0ea2d9e64632533dc6a0

                                    SHA512

                                    4890acf2670ee315ac7450ee9620b032951c7e562b47eeac30c6914a934ce39af9f5428699f22c36b538338b7431f7e9ec434d632910106c121695e0080f69d0

                                    Download Submit

                                  • /var/cache/apt/archives/partial/ssl-cert_1.0.39_all.deb
                                    Filesize

                                    20KB

                                    MD5

                                    3a8da7f47c33423162f1f6e86e6b1f83

                                    SHA1

                                    912b077399b9b6b2fc70f15b46a7054f809b4900

                                    SHA256

                                    57e66b30d0d7db7a70518b34fa1787e10f8210b327e2a39f147ee3dbf41ace85

                                    SHA512

                                    4d78a8a63289872205611af919d48938e0d825325cfca069dc875691e0e0ac62949b476f3e9a54001bebd327b98e44c4dc4ba96442299d2c65fdf2c3643e2c48

                                    Download Submit

                                  • /var/lib/dpkg/arch-new
                                    Filesize

                                    10B

                                    MD5

                                    c1f7a4dce333974804e75e0793de82e1

                                    SHA1

                                    b6ce19bacc8cec4793a868bb48edc32056f5ad67

                                    SHA256

                                    95786dc5af231fb65f5edca3e0e0466a507848c6c31654b5c02eb0868c467148

                                    SHA512

                                    a8bc50cfcdba5abe281222c9effa2d02cb8fd64a615fdac1cefda3af5933e216baa80683e8cfd7bed968cfd091ec8d4cb5853d5514820365370d82575d565a66

                                    Download Submit