Overview

Score  Sample                Platform
10     Static                -
10     shell-bot/22          ubuntu-18.04-amd64
7      shell-bot/a.out       ubuntu-18.04-amd64
1      shell-bot/cfs         ubuntu-18.04-amd64
7      shell-bot/cfs         debian-9-armhf
7      shell-bot/cfs         debian-9-mips
7      shell-bot/cfs         debian-9-mipsel
1      shell-bot/...SE.vbs   windows7-x64
1      shell-bot/...SE.vbs   windows10-2004-x64
1      shell-bot/...rt.vbs   windows7-x64
1      shell-bot/...rt.vbs   windows10-2004-x64
1      shell-bot/...es.vbs   windows7-x64
1      shell-bot/...es.vbs   windows10-2004-x64
1      shell-bot/...Config   ubuntu-18.04-amd64
3      shell-bot/...Config   debian-9-armhf
1      shell-bot/...Config   debian-9-mips
3      shell-bot/...Config   debian-9-mipsel
3      shell-bot/...t.so:.   ubuntu-18.04-amd64
1      shell-bot/...gen.sh   ubuntu-18.04-amd64
1      shell-bot/...gen.sh   debian-9-armhf
1      shell-bot/...gen.sh   debian-9-mips
1      shell-bot/...gen.sh   debian-9-mipsel
1      shell-bot/...ig.vbs   windows7-x64
1      shell-bot/...ig.vbs   windows10-2004-x64
1      shell-bot/...re.vbs   windows7-x64
1      shell-bot/...re.vbs   windows10-2004-x64
1      shell-bot/...ngelog   ubuntu-18.04-amd64
3      shell-bot/...ngelog   debian-9-armhf
1      shell-bot/...ngelog   debian-9-mips
-      shell-bot/...ngelog   debian-9-mipsel
1      shell-bot/...nstall   ubuntu-18.04-amd64
1      shell-bot/...nstall   debian-9-armhf
1      shell-bot/...nstall   debian-9-mips
Analysis

max time kernel: 8s
max time network: 134s
platform: ubuntu-18.04_amd64
resource: ubuntu1804-amd64-20231026-en
resource tags: arch:amd64, arch:i386, image:ubuntu1804-amd64-20231026-en, kernel:4.15.0-213-generic, locale:en-us, os:ubuntu-18.04-amd64, system
submitted: 14/11/2023, 07:28
Behavioral tasks

Task          Sample                                                       Resource
behavioral1   shell-bot/22                                                 ubuntu1804-amd64-20231026-en
behavioral2   shell-bot/a.out                                              ubuntu1804-amd64-20231026-en
behavioral3   shell-bot/cfs                                                ubuntu1804-amd64-20231026-en
behavioral4   shell-bot/cfs                                                debian9-armhf-20231026-en
behavioral5   shell-bot/cfs                                                debian9-mipsbe-20231026-en
behavioral6   shell-bot/cfs                                                debian9-mipsel-20231026-en
behavioral7   shell-bot/ftp-server/Unreal3.2.10.2/.RELEASE.vbs             win7-20231020-en
behavioral8   shell-bot/ftp-server/Unreal3.2.10.2/.RELEASE.vbs             win10v2004-20231023-en
behavioral9   shell-bot/ftp-server/Unreal3.2.10.2/.bugreport.vbs           win7-20231020-en
behavioral10  shell-bot/ftp-server/Unreal3.2.10.2/.bugreport.vbs           win10v2004-20231023-en
behavioral11  shell-bot/ftp-server/Unreal3.2.10.2/Changes.vbs              win7-20231025-en
behavioral12  shell-bot/ftp-server/Unreal3.2.10.2/Changes.vbs              win10v2004-20231020-en
behavioral13  shell-bot/ftp-server/Unreal3.2.10.2/Config                   ubuntu1804-amd64-20231026-en
behavioral14  shell-bot/ftp-server/Unreal3.2.10.2/Config                   debian9-armhf-20231026-en
behavioral15  shell-bot/ftp-server/Unreal3.2.10.2/Config                   debian9-mipsbe-20231026-en
behavioral16  shell-bot/ftp-server/Unreal3.2.10.2/Config                   debian9-mipsel-20231026-en
behavioral17  shell-bot/ftp-server/Unreal3.2.10.2/GCONV_PATH=./pwnkit.so:. ubuntu1804-amd64-20231026-en
behavioral18  shell-bot/ftp-server/Unreal3.2.10.2/autogen.sh               ubuntu1804-amd64-20231026-en
behavioral19  shell-bot/ftp-server/Unreal3.2.10.2/autogen.sh               debian9-armhf-20231026-en
behavioral20  shell-bot/ftp-server/Unreal3.2.10.2/autogen.sh               debian9-mipsbe-20231026-en
behavioral21  shell-bot/ftp-server/Unreal3.2.10.2/autogen.sh               debian9-mipsel-20231026-en
behavioral22  shell-bot/ftp-server/Unreal3.2.10.2/config.vbs               win7-20231020-en
behavioral23  shell-bot/ftp-server/Unreal3.2.10.2/config.vbs               win10v2004-20231023-en
behavioral24  shell-bot/ftp-server/Unreal3.2.10.2/configure.vbs            win7-20231020-en
behavioral25  shell-bot/ftp-server/Unreal3.2.10.2/configure.vbs            win10v2004-20231020-en
behavioral26  shell-bot/ftp-server/Unreal3.2.10.2/createchangelog          ubuntu1804-amd64-20231026-en
behavioral27  shell-bot/ftp-server/Unreal3.2.10.2/createchangelog          debian9-armhf-20231026-en
behavioral28  shell-bot/ftp-server/Unreal3.2.10.2/createchangelog          debian9-mipsbe-20231026-en
behavioral29  shell-bot/ftp-server/Unreal3.2.10.2/createchangelog          debian9-mipsel-20231026-en
behavioral30  shell-bot/ftp-server/Unreal3.2.10.2/curlinstall              ubuntu1804-amd64-20231026-en
behavioral31  shell-bot/ftp-server/Unreal3.2.10.2/curlinstall              debian9-armhf-20231026-en
behavioral32  shell-bot/ftp-server/Unreal3.2.10.2/curlinstall              debian9-mipsbe-20231026-en
General

Target: shell-bot/22
Size: 21KB
MD5: 7e4c409f8f570a3ea7546be22566de2e
SHA1: 0dbef070c9cee7e1288286ff75077ddfa8535389
SHA256: e58192b38de0def86eb3acc508120ef0041678bfb9fa5601cf6f7ceed7f71db0
SHA512: 760f1758ac9ab23b3df23365767185bf3d92d6aea766adfd08ac288bfc8fb5c96eb5938704262b0cc3558db2adc250c184cb5b7f3cd73fa015ffddca240f9606
SSDEEP: 192:RnxzjwsWskaDanX6JENuZYhz0h+fcfLBj4Yj+2FAm2McYBNWYnCVme+x7HQS:BWskamFsqGhR9j1pFp2McYBBnCVmfx
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  ioc: /tmp/filed1qwVL  pid: 1560  Process: filed1qwVL

Creates/modifies Cron job (1 TTP, 1 IoC)
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
  description: File opened for modification  ioc: /etc/cron.hourly/0  Process: 22

Uses Polkit to run commands (1 IoC)
Uses Polkit pkexec as a proxy to execute commands, possibly to bypass security restrictions.
  pid: 1560  Process: pkexec

Writes file to system bin folder (1 TTP, 1 IoC)
  description: File opened for modification  ioc: /bin/ls  Process: 22

Reads runtime system information (2 IoCs)
Reads data from /proc virtual filesystem.
  description: File opened for reading  ioc: /proc/self/exe  Process: 22
  description: File opened for reading  ioc: /proc/filesystems  Process: pkexec

Writes file to tmp directory (14 IoCs)
Malware often drops required files in the /tmp directory.
  description: File opened for modification  ioc: /tmp/ccVMMHCM.s  Process: gcc
  description: File opened for modification  ioc: /tmp/ccRUuenk.o  Process: as
  description: File opened for modification  ioc: /tmp/ccV80D4n.o  Process: collect2
  description: File opened for modification  ioc: /tmp/shell-bot/lol/gconv-modules  Process: filed1qwVL
  description: File opened for modification  ioc: /tmp/filed1qwVL  Process: 22
  description: File opened for modification  ioc: /tmp/ccohLdLt.le  Process: collect2
  description: File opened for modification  ioc: /tmp/cchmPNbS.res  Process: gcc
  description: File opened for modification  ioc: /tmp/shell-bot/payload.so  Process: ld
  description: File opened for modification  ioc: /tmp/shell-bot/payload.c  Process: filed1qwVL
  description: File opened for modification  ioc: /tmp/ccRUuenk.o  Process: gcc
  description: File opened for modification  ioc: /tmp/ccFhTEeQ.c  Process: collect2
  description: File opened for modification  ioc: /tmp/ccUYGPUV.ld  Process: collect2
  description: File opened for modification  ioc: /tmp/shell-bot/GCONV_PATH=./lol  Process: filed1qwVL
  description: File opened for modification  ioc: /tmp/ccVMMHCM.s  Process: cc1
Processes

/tmp/shell-bot/22
  cmd: /tmp/shell-bot/22
  - Creates/modifies Cron job
  - Writes file to system bin folder
  - Reads runtime system information
  - Writes file to tmp directory
  PID:1555

  /tmp/filed1qwVL
    cmd: /tmp/shell-bot/22
    - Executes dropped EXE
    - Writes file to tmp directory
    PID:1560

    /bin/sh
      cmd: sh -c "gcc -o payload.so -shared -fPIC payload.c"
      PID:1561

      /usr/bin/gcc
        cmd: gcc -o payload.so -shared -fPIC payload.c
        - Writes file to tmp directory
        PID:1562

        /usr/lib/gcc/x86_64-linux-gnu/7/cc1
          cmd: /usr/lib/gcc/x86_64-linux-gnu/7/cc1 -quiet -imultiarch x86_64-linux-gnu payload.c -quiet -dumpbase payload.c "-mtune=generic" "-march=x86-64" -auxbase payload -fPIC -fstack-protector-strong -Wformat -Wformat-security -o /tmp/ccVMMHCM.s
          - Writes file to tmp directory
          PID:1563

        /usr/local/sbin/as
          cmd: as --64 -o /tmp/ccRUuenk.o /tmp/ccVMMHCM.s
          PID:1564

        /usr/local/bin/as
          cmd: as --64 -o /tmp/ccRUuenk.o /tmp/ccVMMHCM.s
          PID:1564

        /usr/sbin/as
          cmd: as --64 -o /tmp/ccRUuenk.o /tmp/ccVMMHCM.s
          PID:1564

        /usr/bin/as
          cmd: as --64 -o /tmp/ccRUuenk.o /tmp/ccVMMHCM.s
          - Writes file to tmp directory
          PID:1564

        /usr/lib/gcc/x86_64-linux-gnu/7/collect2
          cmd: /usr/lib/gcc/x86_64-linux-gnu/7/collect2 -plugin /usr/lib/gcc/x86_64-linux-gnu/7/liblto_plugin.so "-plugin-opt=/usr/lib/gcc/x86_64-linux-gnu/7/lto-wrapper" "-plugin-opt=-fresolution=/tmp/cchmPNbS.res" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" "-plugin-opt=-pass-through=-lc" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" --build-id --eh-frame-hdr -m elf_x86_64 "--hash-style=gnu" --as-needed -shared -z relro -o payload.so /usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/crti.o /usr/lib/gcc/x86_64-linux-gnu/7/crtbeginS.o -L/usr/lib/gcc/x86_64-linux-gnu/7 -L/usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu -L/usr/lib/gcc/x86_64-linux-gnu/7/../../../../lib -L/lib/x86_64-linux-gnu -L/lib/../lib -L/usr/lib/x86_64-linux-gnu -L/usr/lib/../lib -L/usr/lib/gcc/x86_64-linux-gnu/7/../../.. /tmp/ccRUuenk.o -lgcc --push-state --as-needed -lgcc_s --pop-state -lc -lgcc --push-state --as-needed -lgcc_s --pop-state /usr/lib/gcc/x86_64-linux-gnu/7/crtendS.o /usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/crtn.o
          - Writes file to tmp directory
          PID:1565

          /usr/bin/ld
            cmd: /usr/bin/ld -plugin /usr/lib/gcc/x86_64-linux-gnu/7/liblto_plugin.so "-plugin-opt=/usr/lib/gcc/x86_64-linux-gnu/7/lto-wrapper" "-plugin-opt=-fresolution=/tmp/cchmPNbS.res" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" "-plugin-opt=-pass-through=-lc" "-plugin-opt=-pass-through=-lgcc" "-plugin-opt=-pass-through=-lgcc_s" --build-id --eh-frame-hdr -m elf_x86_64 "--hash-style=gnu" --as-needed -shared -z relro -o payload.so /usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/crti.o /usr/lib/gcc/x86_64-linux-gnu/7/crtbeginS.o -L/usr/lib/gcc/x86_64-linux-gnu/7 -L/usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu -L/usr/lib/gcc/x86_64-linux-gnu/7/../../../../lib -L/lib/x86_64-linux-gnu -L/lib/../lib -L/usr/lib/x86_64-linux-gnu -L/usr/lib/../lib -L/usr/lib/gcc/x86_64-linux-gnu/7/../../.. /tmp/ccRUuenk.o -lgcc --push-state --as-needed -lgcc_s --pop-state -lc -lgcc --push-state --as-needed -lgcc_s --pop-state /usr/lib/gcc/x86_64-linux-gnu/7/crtendS.o /usr/lib/gcc/x86_64-linux-gnu/7/../../../x86_64-linux-gnu/crtn.o
            - Writes file to tmp directory
            PID:1566

  /usr/bin/pkexec
    - Uses Polkit to run commands
    - Reads runtime system information
    PID:1560
Network
MITRE ATT&CK Enterprise v15
Downloads