d82f76ab1d5ce45980e6190eb3603d73f8dff7e71b0f2f321c5a4a8578a80647

Analysis

max time kernel
6s
max time network
132s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20231215-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20231215-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
20/12/2023, 09:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

scripts/install.sh
Size

3KB
MD5

4f86ad982a9cdf710d297f30a1c35d3e
SHA1

32eb21a4fd2a0ae3ead868dd550d30b64409a883
SHA256

ff7b76ed04b0ca7e42b380fd3426b4ea14dd1e6fd39154fcd32ef9e11907478f
SHA512

99a8eacfe80870912a334804ccfcdba1f13a0a5a78f6e4325d124aaf0a1b0352f47fb0144f68003670acb4565ea694f550608fc7343668a2a3d819c03e3e1802

Score

3^/10

Malware Config

Signatures

Reads runtime system information 21 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed

Writes file to tmp directory 34 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/vmoptions/goland.vmoptions	install.sh
File opened for modification	/tmp/vmoptions/sedvcyjAD	sed
File opened for modification	/tmp/vmoptions/datagrip.vmoptions	install.sh
File opened for modification	/tmp/vmoptions/dataspell.vmoptions	install.sh
File opened for modification	/tmp/vmoptions/studio.vmoptions	install.sh
File opened for modification	/tmp/vmoptions/webstorm.vmoptions	install.sh
File opened for modification	/tmp/vmoptions/sedniyOfD	sed
File opened for modification	/tmp/vmoptions/sed52nheM	sed
File opened for modification	/tmp/vmoptions/sedAMwAuP	sed
File opened for modification	/tmp/vmoptions/jetbrains_client.vmoptions	install.sh
File opened for modification	/tmp/vmoptions/sedjJkPrR	sed
File opened for modification	/tmp/vmoptions/sedGbogNy	sed
File opened for modification	/tmp/vmoptions/sedqLDvME	sed
File opened for modification	/tmp/vmoptions/rubymine.vmoptions	install.sh
File opened for modification	/tmp/vmoptions/sedCn1sdO	sed
File opened for modification	/tmp/vmoptions/jetbrainsclient.vmoptions	install.sh
File opened for modification	/tmp/vmoptions/sedb9vVfV	sed
File opened for modification	/tmp/vmoptions/sed1mrJny	sed
File opened for modification	/tmp/vmoptions/sedGnEKzA	sed
File opened for modification	/tmp/vmoptions/webide.vmoptions	install.sh
File opened for modification	/tmp/vmoptions/sedUqczeK	sed
File opened for modification	/tmp/vmoptions/gateway.vmoptions	install.sh
File opened for modification	/tmp/vmoptions/clion.vmoptions	install.sh
File opened for modification	/tmp/vmoptions/phpstorm.vmoptions	install.sh
File opened for modification	/tmp/vmoptions/sed0aylPA	sed
File opened for modification	/tmp/vmoptions/appcode.vmoptions	install.sh
File opened for modification	/tmp/vmoptions/devecostudio.vmoptions	install.sh
File opened for modification	/tmp/vmoptions/sedJ2KCDz	sed
File opened for modification	/tmp/vmoptions/idea.vmoptions	install.sh
File opened for modification	/tmp/vmoptions/sedAeJJrF	sed
File opened for modification	/tmp/vmoptions/rider.vmoptions	install.sh
File opened for modification	/tmp/vmoptions/sedIHOcFH	sed
File opened for modification	/tmp/vmoptions/sedF91ZRB	sed
File opened for modification	/tmp/vmoptions/pycharm.vmoptions	install.sh

/tmp/scripts/install.sh
/tmp/scripts/install.sh
1⤵
- Writes file to tmp directory
PID:1536
- /bin/uname
  uname -s
  2⤵
  PID:1537
- /usr/bin/dirname
  dirname /tmp/scripts
  2⤵
  PID:1538
- /bin/mkdir
  mkdir -p /.config/plasma-workspace/env
  2⤵
  - Reads runtime system information
  PID:1541
- /usr/bin/touch
  touch /.profile
  2⤵
  PID:1542
- /usr/bin/touch
  touch /.bashrc
  2⤵
  PID:1543
- /usr/bin/touch
  touch /.zshrc
  2⤵
  PID:1544
- /bin/sed
  sed -i "/^\\-javaagent:.*[\\/\\\\]ja\\-netfilter\\.jar.*/d" /tmp/vmoptions/idea.vmoptions
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:1545
- /bin/sed
  sed -i "/^\\-javaagent:.*[\\/\\\\]ja\\-netfilter\\.jar.*/d" /tmp/vmoptions/clion.vmoptions
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:1549
- /bin/sed
  sed -i "/^\\-javaagent:.*[\\/\\\\]ja\\-netfilter\\.jar.*/d" /tmp/vmoptions/phpstorm.vmoptions
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:1553
- /bin/sed
  sed -i "/^\\-javaagent:.*[\\/\\\\]ja\\-netfilter\\.jar.*/d" /tmp/vmoptions/goland.vmoptions
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:1557
- /bin/sed
  sed -i "/^\\-javaagent:.*[\\/\\\\]ja\\-netfilter\\.jar.*/d" /tmp/vmoptions/pycharm.vmoptions
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:1561
- /bin/sed
  sed -i "/^\\-javaagent:.*[\\/\\\\]ja\\-netfilter\\.jar.*/d" /tmp/vmoptions/webstorm.vmoptions
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:1565
- /bin/sed
  sed -i "/^\\-javaagent:.*[\\/\\\\]ja\\-netfilter\\.jar.*/d" /tmp/vmoptions/webide.vmoptions
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:1569
- /bin/sed
  sed -i "/^\\-javaagent:.*[\\/\\\\]ja\\-netfilter\\.jar.*/d" /tmp/vmoptions/rider.vmoptions
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:1573
- /bin/sed
  sed -i "/^\\-javaagent:.*[\\/\\\\]ja\\-netfilter\\.jar.*/d" /tmp/vmoptions/datagrip.vmoptions
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:1580
- /bin/sed
  sed -i "/^\\-javaagent:.*[\\/\\\\]ja\\-netfilter\\.jar.*/d" /tmp/vmoptions/rubymine.vmoptions
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:1584
- /bin/sed
  sed -i "/^\\-javaagent:.*[\\/\\\\]ja\\-netfilter\\.jar.*/d" /tmp/vmoptions/appcode.vmoptions
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:1588
- /bin/sed
  sed -i "/^\\-javaagent:.*[\\/\\\\]ja\\-netfilter\\.jar.*/d" /tmp/vmoptions/dataspell.vmoptions
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:1592
- /bin/sed
  sed -i "/^\\-javaagent:.*[\\/\\\\]ja\\-netfilter\\.jar.*/d" /tmp/vmoptions/gateway.vmoptions
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:1596
- /bin/sed
  sed -i "/^\\-javaagent:.*[\\/\\\\]ja\\-netfilter\\.jar.*/d" /tmp/vmoptions/jetbrains_client.vmoptions
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:1600
- /bin/sed
  sed -i "/^\\-javaagent:.*[\\/\\\\]ja\\-netfilter\\.jar.*/d" /tmp/vmoptions/jetbrainsclient.vmoptions
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:1604
- /bin/sed
  sed -i "/^\\-javaagent:.*[\\/\\\\]ja\\-netfilter\\.jar.*/d" /tmp/vmoptions/studio.vmoptions
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:1608
- /bin/sed
  sed -i "/^\\-javaagent:.*[\\/\\\\]ja\\-netfilter\\.jar.*/d" /tmp/vmoptions/devecostudio.vmoptions
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:1612
- /bin/sed
  sed -i "/___MY_VMOPTIONS_SHELL_FILE=\"\${HOME}\\/\\.jetbrains\\.vmoptions\\.sh\"; if /d" /.profile
  2⤵
  - Reads runtime system information
  PID:1616
- /bin/sed
  sed -i "/___MY_VMOPTIONS_SHELL_FILE=\"\${HOME}\\/\\.jetbrains\\.vmoptions\\.sh\"; if /d" /.bashrc
  2⤵
  - Reads runtime system information
  PID:1617
- /bin/sed
  sed -i "/___MY_VMOPTIONS_SHELL_FILE=\"\${HOME}\\/\\.jetbrains\\.vmoptions\\.sh\"; if /d" /.zshrc
  2⤵
  - Reads runtime system information
  PID:1618
- /bin/ln
  ln -sf /.jetbrains.vmoptions.sh /.config/plasma-workspace/env/jetbrains.vmoptions.sh
  2⤵
  PID:1619

/usr/bin/dirname
dirname /tmp/scripts/install.sh
1⤵
PID:1540

/usr/bin/tr
tr "[a-z]" "[A-Z]"
1⤵
PID:1548

/usr/bin/tr
tr "[a-z]" "[A-Z]"
1⤵
PID:1552

/usr/bin/tr
tr "[a-z]" "[A-Z]"
1⤵
PID:1556

/usr/bin/tr
tr "[a-z]" "[A-Z]"
1⤵
PID:1560

/usr/bin/tr
tr "[a-z]" "[A-Z]"
1⤵
PID:1564

/usr/bin/tr
tr "[a-z]" "[A-Z]"
1⤵
PID:1568

/usr/bin/tr
tr "[a-z]" "[A-Z]"
1⤵
PID:1572

/usr/bin/tr
tr "[a-z]" "[A-Z]"
1⤵
PID:1579

/usr/bin/tr
tr "[a-z]" "[A-Z]"
1⤵
PID:1583

/usr/bin/tr
tr "[a-z]" "[A-Z]"
1⤵
PID:1587

/usr/bin/tr
tr "[a-z]" "[A-Z]"
1⤵
PID:1591

/usr/bin/tr
tr "[a-z]" "[A-Z]"
1⤵
PID:1595

/usr/bin/tr
tr "[a-z]" "[A-Z]"
1⤵
PID:1599

/usr/bin/tr
tr "[a-z]" "[A-Z]"
1⤵
PID:1603

/usr/bin/tr
tr "[a-z]" "[A-Z]"
1⤵
PID:1607

/usr/bin/tr
tr "[a-z]" "[A-Z]"
1⤵
PID:1611

/usr/bin/tr
tr "[a-z]" "[A-Z]"
1⤵
PID:1615

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/.jetbrains.vmoptions.sh

Filesize
185B

MD5
c08ab06b32d96dc65c082b639ae4d467

SHA1
1fdde29652a4aea63c22b5c4d16b64258c13964e

SHA256
b68f22dd54acb66418b4332c5703286122ddc6c7bd257720e37363510991535c

SHA512
19a42319c55579405c2151577ad6d1af334ff8c9ce75648b3bbd1420a90284db84cf2bf477d06607017883574f118c3c1582257d77bc9cbfc4fbe98ade2833bf

Download Submit
/.jetbrains.vmoptions.sh

Filesize
244B

MD5
3342b3246910bdbe1f399104ea7316da

SHA1
c506673896507bc85db81ac242b4dfe833c6ebfd

SHA256
488bb2c04b0f32ca2f3065b311f64d57225923ef29332c7da26e1f9c1186d870

SHA512
c4953238cf15b3464d9120988667c98f67241874c8a81632282f403d1ec4a0e5272368849f9a75419b001351eae35bbde0b1744c412658adb4b1e9e7eda69e78

Download Submit
/.jetbrains.vmoptions.sh

Filesize
1KB

MD5
e9e99bb4399e8e72ee41f0ceb14afcf6

SHA1
b5c8c8555431462fb444c4067e1707d9dfbd0bd1

SHA256
4992433ba790ea49821639102dea0cab520e352164285a0596ccda8c73bc7a67

SHA512
ba3c1edd8ffa67cffb2cc5315d0de37b4fbe51d94a46eb9fbf91849447bacd7b7fb245649095bce038a556f411fe28616a3bc379e69f17be4548af09789b0da8

Download Submit
/.jetbrains.vmoptions.sh

Filesize
10B

MD5
3e2b31c72181b87149ff995e7202c0e3

SHA1
bd971bec88149956458a10fc9c5ecb3eb99dd452

SHA256
a8076d3d28d21e02012b20eaf7dbf75409a6277134439025f282e368e3305abf

SHA512
543f39af1ae7a2382ed869cbd1ee1ac598a88eb4e213cd64487c54b5c37722c6207ee6db4fa7e2ed53064259a44115c6da7bbc8c068378bb52a25e7088eeebd6

Download Submit
/.jetbrains.vmoptions.sh

Filesize
65B

MD5
d05e07f777d5a7262f27f009c709b6da

SHA1
d53ee0777afdc033a363017608f5d2137d3d4baf

SHA256
89cbe08b266f593d6db523a0207804ff6671fc77da7f955f8f9319f0be94cb05

SHA512
6fcf6e710c95726c196d825b34f5c34945270e124ef652b70faa4d74453d3a1a4703d169a81ef7c7791927a097958960c425c25c8e6bb184429a992d6d13aa40

Download Submit
/.jetbrains.vmoptions.sh

Filesize
122B

MD5
db429228e4713acf5bf4fbb18a8834a4

SHA1
dcfa6be754dbca2dca6d9b7d795b6eaedaedeb3c

SHA256
081d1c848695cbba6ab8453152f6d0561e4548c02da626c0c108416408b48d64

SHA512
5a23734d0a7e12abce44f74ff148ce8cb7b6bd60a2ca0e7c05be9041e8ca59e98ae7eca43caefc816cf1cf97de620e77619e10f51d792961adf81b2544803963

Download Submit
/.profile

Filesize
148B

MD5
d0cfbf4ab229cb0b8e351a1ccafc99ea

SHA1
c07864fefc64efa750b8f67f39f5d2e9443881f3

SHA256
f190a66f4f0d95e59170e1eb3a1f95352163d28ead4cc855ef06b3b112758e72

SHA512
ea741be9782d108e42716c7887b83d90689de76895d647d2602362d7ff4313c5c2643ecd81e9e7ac241ca58e49c77297669caa2b7389e1c4941caffa4e1d90df

Download Submit
/tmp/vmoptions/sedJ2KCDz

Filesize
720B

MD5
324aa84f1968b5e0f893c08d1a569079

SHA1
503adc5895a6b4426f9f25a2d7641304cbe85243

SHA256
06151881492c7d8ed6b6a27ed8a3b4c94fe24cf63c24735664827ac472631502

SHA512
31368609ca6064bf07fa12408860d273a33effba328baae66b730fcf9ebd766b1344367182ef96d3b07b2888bab5d3c0555d87280c8f581a0e4615885965c893

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads