Analysis
max time kernel: 12s
max time network: 10s
platform: debian-9_mips
resource: debian9-mipsbe-20231215-en
resource tags: arch:mips, image:debian9-mipsbe-20231215-en, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mips, system
submitted: 20/12/2023, 05:14
Static task: static1
Behavioral task behavioral1: sample ai.sh, resource ubuntu1804-amd64-20231215-en
Behavioral task behavioral2: sample ai.sh, resource debian9-armhf-20231215-en
Behavioral task behavioral3: sample ai.sh, resource debian9-mipsbe-20231215-en
Behavioral task behavioral4: sample ai.sh, resource debian9-mipsel-20231215-en
General
Target: ai.sh
Size: 831B
MD5: b1a64a7afeda8fc66076eae49bdb6267
SHA1: 0d840e800c0dac1d51f8a243056e94ed385c3a98
SHA256: 9d5036d204e6598fd4c4ac93688c9acdec3d6a1e4d14018ec16db955f3ee8b24
SHA512: 619c55b6f6d222c8a831a441205b75359976d9d80ba01734640d81b96a32e2b263448e16be8d3dad9afb1c78ebcd717cbc8dbefe134fc593f079a931140c67fa
Malware Config
Signatures
Detects Kaiten/Tsunami Payload (1 IoC)
    yara_rule family_kaiten2 matched resource behavioral3/files/fstream-6.dat
Detects Kaiten/Tsunami payload (1 IoC)
    yara_rule family_kaiten matched resource behavioral3/files/fstream-6.dat
XMRig Miner payload (2 IoCs)
    yara_rule family_xmrig matched resource behavioral3/files/fstream-10.dat
    yara_rule xmrig matched resource behavioral3/files/fstream-10.dat
Executes dropped EXE (4 IoCs)
    /var/tmp/.22/start (PID 745, process start)
    /var/tmp/.22/hide (PID 747, process hide)
    /var/tmp/.22/create (PID 749, process create)
    /var/tmp/.22/auto (PID 757, process auto)
Creates/modifies Cron job (1 TTP, 1 IoC)
    Cron allows running tasks on a schedule, and is commonly used for malware persistence.
    File opened for modification: /var/spool/cron/crontabs/tmp.VWLgsm (process crontab)
Reads runtime system information (4 IoCs)
    Reads data from /proc virtual filesystem.
    File opened for reading: /proc/filesystems (process mkdir)
    File opened for reading: /proc/filesystems (process tar)
    File opened for reading: /proc/filesystems (process crontab)
    File opened for reading: /proc/filesystems (process crontab)
Writes file to tmp directory (1 IoC)
    Malware often drops required files in the /tmp directory.
    File opened for modification: /tmp/sh-thd.y2EVHf (process ai.sh)
Processes (process tree; children are indented under their parent)
/tmp/ai.sh: /tmp/ai.sh (PID 711) - Writes file to tmp directory
    /bin/grep: grep EST (PID 723)
    /bin/grep: grep 94.241.140.177 (PID 724)
    /bin/grep: grep 80 (PID 725)
    /bin/mkdir: mkdir -p /var/tmp/.22 (PID 729) - Reads runtime system information
    /bin/tar: tar -xf xm.jpg (PID 739) - Reads runtime system information
        /usr/local/sbin/gzip: gzip -d (PID 740)
        /usr/local/bin/gzip: gzip -d (PID 740)
        /usr/sbin/gzip: gzip -d (PID 740)
        /usr/bin/gzip: gzip -d (PID 740)
        /sbin/gzip: gzip -d (PID 740)
        /bin/gzip: gzip -d (PID 740)
    /bin/chmod: chmod +x start (PID 744)
    /var/tmp/.22/start: ./start (PID 745) - Executes dropped EXE
        /bin/uname: uname -m (PID 746)
        /var/tmp/.22/hide: ./hide (PID 747) - Executes dropped EXE
        /var/tmp/.22/create: ./create (PID 749) - Executes dropped EXE
            /bin/cat: cat auto (PID 751)
            /usr/bin/crontab: crontab cronjobs (PID 752) - Creates/modifies Cron job; Reads runtime system information
            /bin/rm: rm -f cronjobs (PID 753)
            /usr/bin/crontab: crontab -l (PID 754) - Reads runtime system information
            /bin/chmod: chmod u+x auto init.d (PID 755)
            /bin/sh: sh -c "./auto > /dev/null 2>&1 &" (PID 756)
            /bin/rm: rm -f aarch64 x86_64 hide.c init.c start create (PID 758)
/usr/bin/base64: base64 -d (PID 720)
/bin/cat: cat (PID 736)
/var/tmp/.22/auto: ./auto (PID 757) - Executes dropped EXE
    /var/tmp/.22/init.d: /var/tmp/.22/init.d (PID 759)
Network
MITRE ATT&CK Enterprise v15
Downloads