d82f76ab1d5ce45980e6190eb3603d73f8dff7e71b0f2f321c5a4a8578a80647

Analysis

max time kernel
6s
max time network
132s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20231215-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20231215-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
20/12/2023, 09:26 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

scripts/install.sh
Size

3KB
MD5

4f86ad982a9cdf710d297f30a1c35d3e
SHA1

32eb21a4fd2a0ae3ead868dd550d30b64409a883
SHA256

ff7b76ed04b0ca7e42b380fd3426b4ea14dd1e6fd39154fcd32ef9e11907478f
SHA512

99a8eacfe80870912a334804ccfcdba1f13a0a5a78f6e4325d124aaf0a1b0352f47fb0144f68003670acb4565ea694f550608fc7343668a2a3d819c03e3e1802

Score

3^/10

Malware Config

Signatures

Reads runtime system information 21 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed

Writes file to tmp directory 34 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/vmoptions/goland.vmoptions	install.sh
File opened for modification	/tmp/vmoptions/sedvcyjAD	sed
File opened for modification	/tmp/vmoptions/datagrip.vmoptions	install.sh
File opened for modification	/tmp/vmoptions/dataspell.vmoptions	install.sh
File opened for modification	/tmp/vmoptions/studio.vmoptions	install.sh
File opened for modification	/tmp/vmoptions/webstorm.vmoptions	install.sh
File opened for modification	/tmp/vmoptions/sedniyOfD	sed
File opened for modification	/tmp/vmoptions/sed52nheM	sed
File opened for modification	/tmp/vmoptions/sedAMwAuP	sed
File opened for modification	/tmp/vmoptions/jetbrains_client.vmoptions	install.sh
File opened for modification	/tmp/vmoptions/sedjJkPrR	sed
File opened for modification	/tmp/vmoptions/sedGbogNy	sed
File opened for modification	/tmp/vmoptions/sedqLDvME	sed
File opened for modification	/tmp/vmoptions/rubymine.vmoptions	install.sh
File opened for modification	/tmp/vmoptions/sedCn1sdO	sed
File opened for modification	/tmp/vmoptions/jetbrainsclient.vmoptions	install.sh
File opened for modification	/tmp/vmoptions/sedb9vVfV	sed
File opened for modification	/tmp/vmoptions/sed1mrJny	sed
File opened for modification	/tmp/vmoptions/sedGnEKzA	sed
File opened for modification	/tmp/vmoptions/webide.vmoptions	install.sh
File opened for modification	/tmp/vmoptions/sedUqczeK	sed
File opened for modification	/tmp/vmoptions/gateway.vmoptions	install.sh
File opened for modification	/tmp/vmoptions/clion.vmoptions	install.sh
File opened for modification	/tmp/vmoptions/phpstorm.vmoptions	install.sh
File opened for modification	/tmp/vmoptions/sed0aylPA	sed
File opened for modification	/tmp/vmoptions/appcode.vmoptions	install.sh
File opened for modification	/tmp/vmoptions/devecostudio.vmoptions	install.sh
File opened for modification	/tmp/vmoptions/sedJ2KCDz	sed
File opened for modification	/tmp/vmoptions/idea.vmoptions	install.sh
File opened for modification	/tmp/vmoptions/sedAeJJrF	sed
File opened for modification	/tmp/vmoptions/rider.vmoptions	install.sh
File opened for modification	/tmp/vmoptions/sedIHOcFH	sed
File opened for modification	/tmp/vmoptions/sedF91ZRB	sed
File opened for modification	/tmp/vmoptions/pycharm.vmoptions	install.sh

/tmp/scripts/install.sh
/tmp/scripts/install.sh
1⤵
- Writes file to tmp directory
PID:1536
- /bin/uname
  uname -s
  2⤵
  PID:1537
- /usr/bin/dirname
  dirname /tmp/scripts
  2⤵
  PID:1538
- /bin/mkdir
  mkdir -p /.config/plasma-workspace/env
  2⤵
  - Reads runtime system information
  PID:1541
- /usr/bin/touch
  touch /.profile
  2⤵
  PID:1542
- /usr/bin/touch
  touch /.bashrc
  2⤵
  PID:1543
- /usr/bin/touch
  touch /.zshrc
  2⤵
  PID:1544
- /bin/sed
  sed -i "/^\\-javaagent:.*[\\/\\\\]ja\\-netfilter\\.jar.*/d" /tmp/vmoptions/idea.vmoptions
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:1545
- /bin/sed
  sed -i "/^\\-javaagent:.*[\\/\\\\]ja\\-netfilter\\.jar.*/d" /tmp/vmoptions/clion.vmoptions
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:1549
- /bin/sed
  sed -i "/^\\-javaagent:.*[\\/\\\\]ja\\-netfilter\\.jar.*/d" /tmp/vmoptions/phpstorm.vmoptions
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:1553
- /bin/sed
  sed -i "/^\\-javaagent:.*[\\/\\\\]ja\\-netfilter\\.jar.*/d" /tmp/vmoptions/goland.vmoptions
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:1557
- /bin/sed
  sed -i "/^\\-javaagent:.*[\\/\\\\]ja\\-netfilter\\.jar.*/d" /tmp/vmoptions/pycharm.vmoptions
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:1561
- /bin/sed
  sed -i "/^\\-javaagent:.*[\\/\\\\]ja\\-netfilter\\.jar.*/d" /tmp/vmoptions/webstorm.vmoptions
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:1565
- /bin/sed
  sed -i "/^\\-javaagent:.*[\\/\\\\]ja\\-netfilter\\.jar.*/d" /tmp/vmoptions/webide.vmoptions
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:1569
- /bin/sed
  sed -i "/^\\-javaagent:.*[\\/\\\\]ja\\-netfilter\\.jar.*/d" /tmp/vmoptions/rider.vmoptions
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:1573
- /bin/sed
  sed -i "/^\\-javaagent:.*[\\/\\\\]ja\\-netfilter\\.jar.*/d" /tmp/vmoptions/datagrip.vmoptions
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:1580
- /bin/sed
  sed -i "/^\\-javaagent:.*[\\/\\\\]ja\\-netfilter\\.jar.*/d" /tmp/vmoptions/rubymine.vmoptions
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:1584
- /bin/sed
  sed -i "/^\\-javaagent:.*[\\/\\\\]ja\\-netfilter\\.jar.*/d" /tmp/vmoptions/appcode.vmoptions
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:1588
- /bin/sed
  sed -i "/^\\-javaagent:.*[\\/\\\\]ja\\-netfilter\\.jar.*/d" /tmp/vmoptions/dataspell.vmoptions
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:1592
- /bin/sed
  sed -i "/^\\-javaagent:.*[\\/\\\\]ja\\-netfilter\\.jar.*/d" /tmp/vmoptions/gateway.vmoptions
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:1596
- /bin/sed
  sed -i "/^\\-javaagent:.*[\\/\\\\]ja\\-netfilter\\.jar.*/d" /tmp/vmoptions/jetbrains_client.vmoptions
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:1600
- /bin/sed
  sed -i "/^\\-javaagent:.*[\\/\\\\]ja\\-netfilter\\.jar.*/d" /tmp/vmoptions/jetbrainsclient.vmoptions
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:1604
- /bin/sed
  sed -i "/^\\-javaagent:.*[\\/\\\\]ja\\-netfilter\\.jar.*/d" /tmp/vmoptions/studio.vmoptions
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:1608
- /bin/sed
  sed -i "/^\\-javaagent:.*[\\/\\\\]ja\\-netfilter\\.jar.*/d" /tmp/vmoptions/devecostudio.vmoptions
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:1612
- /bin/sed
  sed -i "/___MY_VMOPTIONS_SHELL_FILE=\"\${HOME}\\/\\.jetbrains\\.vmoptions\\.sh\"; if /d" /.profile
  2⤵
  - Reads runtime system information
  PID:1616
- /bin/sed
  sed -i "/___MY_VMOPTIONS_SHELL_FILE=\"\${HOME}\\/\\.jetbrains\\.vmoptions\\.sh\"; if /d" /.bashrc
  2⤵
  - Reads runtime system information
  PID:1617
- /bin/sed
  sed -i "/___MY_VMOPTIONS_SHELL_FILE=\"\${HOME}\\/\\.jetbrains\\.vmoptions\\.sh\"; if /d" /.zshrc
  2⤵
  - Reads runtime system information
  PID:1618
- /bin/ln
  ln -sf /.jetbrains.vmoptions.sh /.config/plasma-workspace/env/jetbrains.vmoptions.sh
  2⤵
  PID:1619

/usr/bin/dirname
dirname /tmp/scripts/install.sh
1⤵
PID:1540

/usr/bin/tr
tr "[a-z]" "[A-Z]"
1⤵
PID:1548

/usr/bin/tr
tr "[a-z]" "[A-Z]"
1⤵
PID:1552

/usr/bin/tr
tr "[a-z]" "[A-Z]"
1⤵
PID:1556

/usr/bin/tr
tr "[a-z]" "[A-Z]"
1⤵
PID:1560

/usr/bin/tr
tr "[a-z]" "[A-Z]"
1⤵
PID:1564

/usr/bin/tr
tr "[a-z]" "[A-Z]"
1⤵
PID:1568

/usr/bin/tr
tr "[a-z]" "[A-Z]"
1⤵
PID:1572

/usr/bin/tr
tr "[a-z]" "[A-Z]"
1⤵
PID:1579

/usr/bin/tr
tr "[a-z]" "[A-Z]"
1⤵
PID:1583

/usr/bin/tr
tr "[a-z]" "[A-Z]"
1⤵
PID:1587

/usr/bin/tr
tr "[a-z]" "[A-Z]"
1⤵
PID:1591

/usr/bin/tr
tr "[a-z]" "[A-Z]"
1⤵
PID:1595

/usr/bin/tr
tr "[a-z]" "[A-Z]"
1⤵
PID:1599

/usr/bin/tr
tr "[a-z]" "[A-Z]"
1⤵
PID:1603

/usr/bin/tr
tr "[a-z]" "[A-Z]"
1⤵
PID:1607

/usr/bin/tr
tr "[a-z]" "[A-Z]"
1⤵
PID:1611

/usr/bin/tr
tr "[a-z]" "[A-Z]"
1⤵
PID:1615

Network

DNS

cdn.fwupd.org

Remote address:

1.1.1.1:53

Request

cdn.fwupd.org

IN A

Response

cdn.fwupd.org

IN CNAME

dualstack.p2.shared.global.fastly.net

dualstack.p2.shared.global.fastly.net

IN A

151.101.2.49

dualstack.p2.shared.global.fastly.net

IN A

151.101.66.49

dualstack.p2.shared.global.fastly.net

IN A

151.101.130.49

dualstack.p2.shared.global.fastly.net

IN A

151.101.194.49
DNS

cdn.fwupd.org

Remote address:

1.1.1.1:53

Request

cdn.fwupd.org

IN AAAA

Response

cdn.fwupd.org

IN CNAME

dualstack.p2.shared.global.fastly.net

dualstack.p2.shared.global.fastly.net

IN AAAA

2a04:4e42::561

dualstack.p2.shared.global.fastly.net

IN AAAA

2a04:4e42:200::561

dualstack.p2.shared.global.fastly.net

IN AAAA

2a04:4e42:400::561

dualstack.p2.shared.global.fastly.net

IN AAAA

2a04:4e42:600::561
DNS

1527653184.rsc.cdn77.org

Remote address:

1.1.1.1:53

Request

1527653184.rsc.cdn77.org

IN A

Response

1527653184.rsc.cdn77.org

IN A

195.181.164.17

1527653184.rsc.cdn77.org

IN A

89.187.167.6
DNS

1527653184.rsc.cdn77.org

Remote address:

1.1.1.1:53

Request

1527653184.rsc.cdn77.org

IN AAAA

Response

1527653184.rsc.cdn77.org

IN AAAA

2a02:6ea0:ca00::4

1527653184.rsc.cdn77.org

IN AAAA

2a02:6ea0:ca00::3

151.101.194.49:443

tls

127 B
40 B
2
1
151.101.129.91:443

tls

127 B
40 B
2
1
195.181.164.14:443

tls

851 B
11
151.101.194.49:443

cdn.fwupd.org

tls

8.2kB
1.1MB
132
802
185.125.188.62:443

tls

135 B
2
185.125.188.62:443

tls

135 B
2
151.101.129.91:443

extensions.gnome.org

tls

3.9kB
223.2kB
65
174
195.181.164.17:443

odrs.gnome.org

tls

18.1kB
1.6MB
285
1168

224.0.0.251:5353

146 B
2
1.1.1.1:53

cdn.fwupd.org

dns

70 B
185 B
1
1

DNS Request

cdn.fwupd.org

DNS Response

151.101.2.49

151.101.66.49

151.101.130.49

151.101.194.49
1.1.1.1:53

cdn.fwupd.org

dns

70 B
233 B
1
1

DNS Request

cdn.fwupd.org

DNS Response

2a04:4e42::561

2a04:4e42:200::561

2a04:4e42:400::561

2a04:4e42:600::561
1.1.1.1:53

1527653184.rsc.cdn77.org

dns

81 B
113 B
1
1

DNS Request

1527653184.rsc.cdn77.org

DNS Response

195.181.164.17

89.187.167.6
1.1.1.1:53

1527653184.rsc.cdn77.org

dns

81 B
137 B
1
1

DNS Request

1527653184.rsc.cdn77.org

DNS Response

2a02:6ea0:ca00::4

2a02:6ea0:ca00::3

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/.jetbrains.vmoptions.sh

Filesize
185B

MD5
c08ab06b32d96dc65c082b639ae4d467

SHA1
1fdde29652a4aea63c22b5c4d16b64258c13964e

SHA256
b68f22dd54acb66418b4332c5703286122ddc6c7bd257720e37363510991535c

SHA512
19a42319c55579405c2151577ad6d1af334ff8c9ce75648b3bbd1420a90284db84cf2bf477d06607017883574f118c3c1582257d77bc9cbfc4fbe98ade2833bf

Download Submit
/.jetbrains.vmoptions.sh

Filesize
244B

MD5
3342b3246910bdbe1f399104ea7316da

SHA1
c506673896507bc85db81ac242b4dfe833c6ebfd

SHA256
488bb2c04b0f32ca2f3065b311f64d57225923ef29332c7da26e1f9c1186d870

SHA512
c4953238cf15b3464d9120988667c98f67241874c8a81632282f403d1ec4a0e5272368849f9a75419b001351eae35bbde0b1744c412658adb4b1e9e7eda69e78

Download Submit
/.jetbrains.vmoptions.sh

Filesize
1KB

MD5
e9e99bb4399e8e72ee41f0ceb14afcf6

SHA1
b5c8c8555431462fb444c4067e1707d9dfbd0bd1

SHA256
4992433ba790ea49821639102dea0cab520e352164285a0596ccda8c73bc7a67

SHA512
ba3c1edd8ffa67cffb2cc5315d0de37b4fbe51d94a46eb9fbf91849447bacd7b7fb245649095bce038a556f411fe28616a3bc379e69f17be4548af09789b0da8

Download Submit
/.jetbrains.vmoptions.sh

Filesize
10B

MD5
3e2b31c72181b87149ff995e7202c0e3

SHA1
bd971bec88149956458a10fc9c5ecb3eb99dd452

SHA256
a8076d3d28d21e02012b20eaf7dbf75409a6277134439025f282e368e3305abf

SHA512
543f39af1ae7a2382ed869cbd1ee1ac598a88eb4e213cd64487c54b5c37722c6207ee6db4fa7e2ed53064259a44115c6da7bbc8c068378bb52a25e7088eeebd6

Download Submit
/.jetbrains.vmoptions.sh

Filesize
65B

MD5
d05e07f777d5a7262f27f009c709b6da

SHA1
d53ee0777afdc033a363017608f5d2137d3d4baf

SHA256
89cbe08b266f593d6db523a0207804ff6671fc77da7f955f8f9319f0be94cb05

SHA512
6fcf6e710c95726c196d825b34f5c34945270e124ef652b70faa4d74453d3a1a4703d169a81ef7c7791927a097958960c425c25c8e6bb184429a992d6d13aa40

Download Submit
/.jetbrains.vmoptions.sh

Filesize
122B

MD5
db429228e4713acf5bf4fbb18a8834a4

SHA1
dcfa6be754dbca2dca6d9b7d795b6eaedaedeb3c

SHA256
081d1c848695cbba6ab8453152f6d0561e4548c02da626c0c108416408b48d64

SHA512
5a23734d0a7e12abce44f74ff148ce8cb7b6bd60a2ca0e7c05be9041e8ca59e98ae7eca43caefc816cf1cf97de620e77619e10f51d792961adf81b2544803963

Download Submit
/.profile

Filesize
148B

MD5
d0cfbf4ab229cb0b8e351a1ccafc99ea

SHA1
c07864fefc64efa750b8f67f39f5d2e9443881f3

SHA256
f190a66f4f0d95e59170e1eb3a1f95352163d28ead4cc855ef06b3b112758e72

SHA512
ea741be9782d108e42716c7887b83d90689de76895d647d2602362d7ff4313c5c2643ecd81e9e7ac241ca58e49c77297669caa2b7389e1c4941caffa4e1d90df

Download Submit
/tmp/vmoptions/sedJ2KCDz

Filesize
720B

MD5
324aa84f1968b5e0f893c08d1a569079

SHA1
503adc5895a6b4426f9f25a2d7641304cbe85243

SHA256
06151881492c7d8ed6b6a27ed8a3b4c94fe24cf63c24735664827ac472631502

SHA512
31368609ca6064bf07fa12408860d273a33effba328baae66b730fcf9ebd766b1344367182ef96d3b07b2888bab5d3c0555d87280c8f581a0e4615885965c893

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.