d9a1fe765cd55f7244e67df1bbaa5c70d0bd7cd074d5f6d35a94841d24c8322b | Triage

Analysis

max time kernel
4s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20230621-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20230621-enkernel:4.15.0-161-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
16/07/2023, 21:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

MCsniperPY-main/upload.sh
Size

1KB
MD5

fa746c7d2de09ca127e01f5ec1f25794
SHA1

636886f4ca6d8d1d0c7a9d976ff2218ed4a3c676
SHA256

513aad2de999de6e8c7fe7b037abbb71af02be824d3097c3a2572aded89ceea6
SHA512

b7ae300bd55213e2bb4d6cc7ded0dabb127449b8a78c05be8ef7ac20f3819556abe91aaae540b7453e6290f80ad0e02ce48b9ddd910110d51ba8b05220612eca

Score

3^/10

Malware Config

Signatures

Reads runtime system information 6 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/self/fd	Process not Found
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/self/status	apt-esm-hook
File opened for reading	/proc/613/status	apt-esm-hook
File opened for reading	/proc/612/cmdline	apt-esm-hook

Writes file to tmp directory 16 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/fileutl.message.CsfIRf	apt
File opened for modification	/tmp/fileutl.message.6G14ra	apt
File opened for modification	/tmp/fileutl.message.2rioo2	apt
File opened for modification	/tmp/fileutl.message.cKuV2n	apt
File opened for modification	/tmp/fileutl.message.52cuAi	apt
File opened for modification	/tmp/fileutl.message.4V2lIR	apt
File opened for modification	/tmp/fileutl.message.c46E44	apt
File opened for modification	/tmp/fileutl.message.kXyK2W	apt
File opened for modification	/tmp/fileutl.message.f9adL7	apt
File opened for modification	/tmp/fileutl.message.ja5apM	apt
File opened for modification	/tmp/fileutl.message.H3hK9c	apt
File opened for modification	/tmp/fileutl.message.x4IpIZ	apt
File opened for modification	/tmp/fileutl.message.5amonU	apt
File opened for modification	/tmp/fileutl.message.xidC3O	apt
File opened for modification	/tmp/fileutl.message.Oc1kNq	apt
File opened for modification	/tmp/fileutl.message.Xdlyjl	apt

/tmp/MCsniperPY-main/upload.sh
/tmp/MCsniperPY-main/upload.sh
1⤵
PID:603
- /usr/bin/apt
  apt install twine
  2⤵
  - Writes file to tmp directory
  PID:605
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:606
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:607
- - /usr/lib/apt/methods/http
    /usr/lib/apt/methods/http
    3⤵
    PID:615
- /bin/rm
  rm "dist/*"
  2⤵
  PID:616
- /usr/bin/python3
  python3 setup.py sdist bdist_wheel
  2⤵
  PID:617

/bin/sh
sh -c "[ ! -f /usr/lib/ubuntu-advantage/apt-esm-hook ] || /usr/lib/ubuntu-advantage/apt-esm-hook pre-invoke || true"
1⤵
PID:613
- /usr/lib/ubuntu-advantage/apt-esm-hook
  /usr/lib/ubuntu-advantage/apt-esm-hook pre-invoke
  2⤵
  - Reads runtime system information
  PID:614

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/fileutl.message.Oc1kNq

Filesize
235KB

MD5
373fe2f2ef99005d2550a482f09a3e51

SHA1
68e6572b55b1e77f7d171ebac7b2579b7a6bd51d

SHA256
7552d5ab0c3879756a860aaab8e7c2f8ffb9409ea9ff9e65fc046ba5c519ebe5

SHA512
def9e854b824d2fddc6a15f898be73cfb679ac38563f5af854546f49c9d5d2316a40176dc41d6b360bda7b65de53863a53e4eedadf6336000b031b77a113607b

Download Submit