Analysis

  • max time kernel
    91s
  • max time network
    133s
  • platform
    linux_mipsel
  • resource
    debian9-mipsel-en-20211208
  • resource tags
    arch:mipsel
    image:debian9-mipsel-en-20211208
    kernel:4.9.0-13-4kc-malta
    locale:en-us
    os:debian-9-mipsel
    system
  • submitted
    31-05-2023 19:04

General

  • Target

    setup-lin.sh

  • Size

    661B

  • MD5

    d6e05568eb09e1a3c5a1bf7927f29356

  • SHA1

    96c8beddd7326f09e606babd610d1931c44a38df

  • SHA256

    9e2e1fc764629f265a64e874d63ed4b3ea6e44e4a205b09b116ab1baad850d34

  • SHA512

    3924427ea4d1b143f9b0ea3b981fc3cfb1d67f87da6ee190bb243490681a66fabd29b7c5ea3b05b595baf22dd0a78ed261bb0f5f94793a5ea9c6e5390eeb7ea0

Score
3/10

Malware Config

Signatures

  • Reads runtime system information 32 IoCs

    Reads data from /proc virtual filesystem.

  • Writes file to tmp directory 14 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/setup-lin.sh
    /tmp/setup-lin.sh
    1⤵
    PID:335
  • /usr/local/sbin/bash
    bash /tmp/setup-lin.sh
    1⤵
    PID:335
  • /usr/local/bin/bash
    bash /tmp/setup-lin.sh
    1⤵
    PID:335
  • /usr/sbin/bash
    bash /tmp/setup-lin.sh
    1⤵
    PID:335
  • /usr/bin/bash
    bash /tmp/setup-lin.sh
    1⤵
    PID:335
  • /sbin/bash
    bash /tmp/setup-lin.sh
    1⤵
    PID:335
  • /bin/bash
    bash /tmp/setup-lin.sh
    1⤵
    PID:335
    • /bin/rm
      rm /var/lib/dpkg/lock
      2⤵
      PID:337
    • /bin/rm
      rm /var/cache/apt/archives/lock
      2⤵
      PID:339
    • /bin/rm
      rm /var/lib/apt/lists/lock
      2⤵
      PID:343
    • /usr/bin/sudo
      sudo dpkg --add-architecture i386
      2⤵
      • Reads runtime system information
      PID:344
      • /usr/bin/dpkg
        dpkg --add-architecture i386
        3⤵
        • Reads runtime system information
        PID:345
    • /usr/bin/sudo
      sudo apt-get update
      2⤵
      • Reads runtime system information
      PID:346
      • /usr/bin/apt-get
        apt-get update
        3⤵
        • Reads runtime system information
        • Writes file to tmp directory
        PID:347
        • /usr/bin/dpkg
          /usr/bin/dpkg --print-foreign-architectures
          4⤵
          • Reads runtime system information
          PID:348
        • /usr/lib/apt/methods/http
          /usr/lib/apt/methods/http
          4⤵
          PID:349
        • /usr/lib/apt/methods/http
          /usr/lib/apt/methods/http
          4⤵
          PID:350
        • /usr/lib/apt/methods/http
          /usr/lib/apt/methods/http
          4⤵
          PID:351
        • /usr/bin/dpkg
          /usr/bin/dpkg --print-foreign-architectures
          4⤵
          • Reads runtime system information
          PID:352
        • /usr/bin/dpkg
          /usr/bin/dpkg --print-foreign-architectures
          4⤵
          • Reads runtime system information
          PID:356
    • /usr/bin/sudo
      sudo apt-get install python3.9 -y
      2⤵
      • Reads runtime system information
      PID:357
      • /usr/bin/apt-get
        apt-get install python3.9 -y
        3⤵
        • Reads runtime system information
        • Writes file to tmp directory
        PID:358
        • /usr/bin/dpkg
          /usr/bin/dpkg --print-foreign-architectures
          4⤵
          • Reads runtime system information
          PID:359
        • /usr/bin/dpkg
          /usr/bin/dpkg --print-foreign-architectures
          4⤵
          • Reads runtime system information
          PID:360
        • /usr/lib/apt/methods/http
          /usr/lib/apt/methods/http
          4⤵
          PID:361
        • /usr/lib/apt/methods/http
          /usr/lib/apt/methods/http
          4⤵
          PID:362
    • /usr/bin/sudo
      sudo apt-get install -y wine
      2⤵
      • Reads runtime system information
      PID:363
      • /usr/bin/apt-get
        apt-get install -y wine
        3⤵
        • Writes file to tmp directory
        PID:364
        • /usr/bin/dpkg
          /usr/bin/dpkg --print-foreign-architectures
          4⤵
          • Reads runtime system information
          PID:365
        • /usr/bin/dpkg
          /usr/bin/dpkg --print-foreign-architectures
          4⤵
          • Reads runtime system information
          PID:366
    • /usr/bin/sudo
      sudo wget https://www.python.org/ftp/python/3.8.9/python-3.8.9.exe
      2⤵
      • Reads runtime system information
      PID:367
      • /usr/bin/wget
        wget https://www.python.org/ftp/python/3.8.9/python-3.8.9.exe
        3⤵
        PID:368
    • /usr/bin/sudo
      sudo wine cmd /c python-3.8.9.exe /quiet "InstallAllUsers=0"
      2⤵
      • Reads runtime system information
      PID:369
    • /usr/bin/sudo
      sudo wine "/root/.wine/drive_c/users/root/Local Settings/Application Data/Programs/Python/Python38-32/python.exe" -m pip install "pyinstaller==4.2" "cryptography==36.0.1" discord_webhook pycryptodome pypiwin32 "cryptography==36.0.1"
      2⤵
      • Reads runtime system information
      PID:370
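The process tree above records what setup-lin.sh does in order: it deletes the dpkg and apt lock files, adds the i386 architecture, runs apt-get update and installs python3.9 and wine, fetches a Windows Python 3.8.9 installer with wget, runs that installer under wine, and then uses the Windows pip to install pyinstaller, cryptography, discord_webhook, pycryptodome and pypiwin32. The script below is an added triage example, not part of this report and not code from the analysed script: it takes the level-1 and level-2 command lines from the tree (re-typed here as constructed sample data) and surfaces the behaviours an analyst would want flagged. The rule names, the lock-file list and the pip package watchlist are assumptions chosen for the example; the curl URL in the usage note is constructed and never fetched.

```python
import shlex
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: (pid, command line) re-typed from the report's process tree.
SAMPLE_PROCESSES = [
    (335, "bash /tmp/setup-lin.sh"),
    (337, "rm /var/lib/dpkg/lock"),
    (339, "rm /var/cache/apt/archives/lock"),
    (343, "rm /var/lib/apt/lists/lock"),
    (344, "sudo dpkg --add-architecture i386"),
    (346, "sudo apt-get update"),
    (357, "sudo apt-get install python3.9 -y"),
    (363, "sudo apt-get install -y wine"),
    (367, "sudo wget https://www.python.org/ftp/python/3.8.9/python-3.8.9.exe"),
    (369, 'sudo wine cmd /c python-3.8.9.exe /quiet "InstallAllUsers=0"'),
    (370, 'sudo wine "/root/.wine/drive_c/users/root/Local Settings/Application Data'
          '/Programs/Python/Python38-32/python.exe" -m pip install "pyinstaller==4.2" '
          '"cryptography==36.0.1" discord_webhook pycryptodome pypiwin32 "cryptography==36.0.1"'),
]

# Assumed list of package-manager lock files; deleting them hides a running
# apt/dpkg from other processes and is not something a normal installer does.
PACKAGE_LOCKS = {
    "/var/lib/dpkg/lock",
    "/var/lib/dpkg/lock-frontend",
    "/var/cache/apt/archives/lock",
    "/var/lib/apt/lists/lock",
}
# Assumed watchlist: packaging, crypto and outbound-messaging libraries that,
# installed together by a setup script, merit a closer look.
PACKAGES_OF_INTEREST = {"pyinstaller", "discord_webhook", "pycryptodome", "cryptography", "pypiwin32"}
EXE_SUFFIXES = (".exe", ".msi", ".dll", ".scr")


@dataclass
class Finding:
    pid: int
    rule: str
    detail: str


def strip_sudo(argv):
    """Return (used_sudo, argv with the sudo prefix removed)."""
    if argv and argv[0].rsplit("/", 1)[-1] == "sudo":
        return True, argv[1:]
    return False, argv


def pip_packages(argv):
    """Package names from '... pip install ...' with flags and version pins dropped."""
    names = [a.rsplit("/", 1)[-1] for a in argv]
    pip_at = next((i for i, n in enumerate(names) if n in ("pip", "pip3", "pip.exe")), None)
    if pip_at is None or "install" not in argv[pip_at + 1:]:
        return []
    start = argv.index("install", pip_at + 1) + 1
    pkgs = []
    for arg in argv[start:]:
        if arg.startswith("-"):
            continue
        pkgs.append(arg.split("==")[0].split(">=")[0].split("<")[0].lower())
    return pkgs


def analyze(pid, cmdline):
    """Apply the rules to one command line and return the findings for it."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:
        return [Finding(pid, "unparseable", cmdline)]
    used_sudo, argv = strip_sudo(argv)
    if not argv:
        return []
    findings = []
    prog = argv[0].rsplit("/", 1)[-1]
    if used_sudo:
        findings.append(Finding(pid, "sudo_invocation", f"sudo {prog}"))
    if prog == "rm":
        for path in argv[1:]:
            if path in PACKAGE_LOCKS:
                findings.append(Finding(pid, "package_lock_removed", path))
    if prog in ("wget", "curl"):
        for arg in argv[1:]:
            url = urlparse(arg)
            if url.scheme in ("http", "https") and url.path.lower().endswith(EXE_SUFFIXES):
                findings.append(Finding(pid, "remote_executable_download", arg))
    if prog in ("wine", "wine64"):
        target = next((a for a in argv[1:] if a.lower().endswith(".exe")), None)
        if target:
            findings.append(Finding(pid, "wine_exec", target))
    hits = sorted(set(pip_packages(argv)) & PACKAGES_OF_INTEREST)
    if hits:
        findings.append(Finding(pid, "pip_install_watchlist", ",".join(hits)))
    return findings


def triage(processes):
    """Run analyze() over (pid, cmdline) pairs in tree order."""
    findings = []
    for pid, cmdline in processes:
        findings.extend(analyze(pid, cmdline))
    return findings


def summarize(findings):
    """Count findings per rule, e.g. {'package_lock_removed': 3, ...}."""
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_PROCESSES)
    for f in results:
        print(f"pid {f.pid:<4} {f.rule:<28} {f.detail}")
    print(summarize(results))
```

Run against the sample, the three lock-file deletions, the single remote .exe download, both wine executions and the watchlisted pip install each produce a finding; the seven sudo invocations are reported separately so the summary shows at a glance that every privileged step came through sudo. Command lines that shlex cannot parse (an unterminated quote) are reported as "unparseable" rather than silently dropped.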

Network

MITRE ATT&CK Matrix

Downloads

  • /var/cache/apt/archives/partial/sgml-base_1.29_all.deb

    Filesize

    14KB

    MD5

    fee8870aaf64a1c58a01ce7d0173e9bf

    SHA1

    af9ac661eda82cc2227a023f3f98762e60a74296

    SHA256

    bca9413f03c61702820c8d577d1ca2e059b08f9c00ca0ea2d9e64632533dc6a0

    SHA512

    4890acf2670ee315ac7450ee9620b032951c7e562b47eeac30c6914a934ce39af9f5428699f22c36b538338b7431f7e9ec434d632910106c121695e0080f69d0

  • /var/cache/apt/archives/partial/ssl-cert_1.0.39_all.deb

    Filesize

    20KB

    MD5

    3a8da7f47c33423162f1f6e86e6b1f83

    SHA1

    912b077399b9b6b2fc70f15b46a7054f809b4900

    SHA256

    57e66b30d0d7db7a70518b34fa1787e10f8210b327e2a39f147ee3dbf41ace85

    SHA512

    4d78a8a63289872205611af919d48938e0d825325cfca069dc875691e0e0ac62949b476f3e9a54001bebd327b98e44c4dc4ba96442299d2c65fdf2c3643e2c48

  • /var/lib/dpkg/arch-new

    Filesize

    12B

    MD5

    77a63c084c0aaef3ae6795eb98f75ab7

    SHA1

    24b11cacb3d1116a98777dfd09c2499548a14d73

    SHA256

    14a7fbb88303776e397b5bdf386a386d4097ca898527203b65425ec17077b82e

    SHA512

    4f2394ea36d2b4aa3040cfd40773f6cf60a6a615199df91c20e7b5e7dc8202fb26506a72a08949884234cbd0d3901876608cfab6cce354a0bf33d8848d9c1b04