d82f76ab1d5ce45980e6190eb3603d73f8dff7e71b0f2f321c5a4a8578a80647

Analysis

max time kernel
14s
platform
debian-9_armhf
resource
debian9-armhf-20231215-en
resource tags

arch:armhfimage:debian9-armhf-20231215-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
20-12-2023 09:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

scripts/install.sh
Size

3KB
MD5

4f86ad982a9cdf710d297f30a1c35d3e
SHA1

32eb21a4fd2a0ae3ead868dd550d30b64409a883
SHA256

ff7b76ed04b0ca7e42b380fd3426b4ea14dd1e6fd39154fcd32ef9e11907478f
SHA512

99a8eacfe80870912a334804ccfcdba1f13a0a5a78f6e4325d124aaf0a1b0352f47fb0144f68003670acb4565ea694f550608fc7343668a2a3d819c03e3e1802

Score

3^/10

Malware Config

Signatures

Reads runtime system information 21 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed

Writes file to tmp directory 34 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/vmoptions/sedFPqIIo	sed
File opened for modification	/tmp/vmoptions/goland.vmoptions	install.sh
File opened for modification	/tmp/vmoptions/devecostudio.vmoptions	install.sh
File opened for modification	/tmp/vmoptions/sedi33vNJ	sed
File opened for modification	/tmp/vmoptions/studio.vmoptions	install.sh
File opened for modification	/tmp/vmoptions/sedHGAqrz	sed
File opened for modification	/tmp/vmoptions/sed3hbsc2	sed
File opened for modification	/tmp/vmoptions/rubymine.vmoptions	install.sh
File opened for modification	/tmp/vmoptions/jetbrains_client.vmoptions	install.sh
File opened for modification	/tmp/vmoptions/clion.vmoptions	install.sh
File opened for modification	/tmp/vmoptions/sedkULafB	sed
File opened for modification	/tmp/vmoptions/webide.vmoptions	install.sh
File opened for modification	/tmp/vmoptions/sedZqUc3L	sed
File opened for modification	/tmp/vmoptions/sedQ58dcd	sed
File opened for modification	/tmp/vmoptions/jetbrainsclient.vmoptions	install.sh
File opened for modification	/tmp/vmoptions/dataspell.vmoptions	install.sh
File opened for modification	/tmp/vmoptions/sedj1wptl	sed
File opened for modification	/tmp/vmoptions/gateway.vmoptions	install.sh
File opened for modification	/tmp/vmoptions/sedvz5dUX	sed
File opened for modification	/tmp/vmoptions/webstorm.vmoptions	install.sh
File opened for modification	/tmp/vmoptions/datagrip.vmoptions	install.sh
File opened for modification	/tmp/vmoptions/sedwDddjr	sed
File opened for modification	/tmp/vmoptions/appcode.vmoptions	install.sh
File opened for modification	/tmp/vmoptions/sedVSestn	sed
File opened for modification	/tmp/vmoptions/idea.vmoptions	install.sh
File opened for modification	/tmp/vmoptions/pycharm.vmoptions	install.sh
File opened for modification	/tmp/vmoptions/sedLO6Trk	sed
File opened for modification	/tmp/vmoptions/rider.vmoptions	install.sh
File opened for modification	/tmp/vmoptions/sed67c3L1	sed
File opened for modification	/tmp/vmoptions/phpstorm.vmoptions	install.sh
File opened for modification	/tmp/vmoptions/sedBei3vr	sed
File opened for modification	/tmp/vmoptions/sed4Nd2d8	sed
File opened for modification	/tmp/vmoptions/sed234Fb1	sed
File opened for modification	/tmp/vmoptions/seduI4xgY	sed

/tmp/scripts/install.sh
/tmp/scripts/install.sh
1⤵
- Writes file to tmp directory
PID:679
- /bin/uname
  uname -s
  2⤵
  PID:681
- /usr/bin/dirname
  dirname /tmp/scripts
  2⤵
  PID:684
- /bin/mkdir
  mkdir -p /.config/plasma-workspace/env
  2⤵
  - Reads runtime system information
  PID:690
- /usr/bin/touch
  touch /.profile
  2⤵
  PID:692
- /usr/bin/touch
  touch /.bashrc
  2⤵
  PID:694
- /usr/bin/touch
  touch /.zshrc
  2⤵
  PID:696
- /bin/sed
  sed -i "/^\\-javaagent:.*[\\/\\\\]ja\\-netfilter\\.jar.*/d" /tmp/vmoptions/idea.vmoptions
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:697
- /bin/sed
  sed -i "/^\\-javaagent:.*[\\/\\\\]ja\\-netfilter\\.jar.*/d" /tmp/vmoptions/clion.vmoptions
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:702
- /bin/sed
  sed -i "/^\\-javaagent:.*[\\/\\\\]ja\\-netfilter\\.jar.*/d" /tmp/vmoptions/phpstorm.vmoptions
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:706
- /bin/sed
  sed -i "/^\\-javaagent:.*[\\/\\\\]ja\\-netfilter\\.jar.*/d" /tmp/vmoptions/goland.vmoptions
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:711
- /bin/sed
  sed -i "/^\\-javaagent:.*[\\/\\\\]ja\\-netfilter\\.jar.*/d" /tmp/vmoptions/pycharm.vmoptions
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:715
- /bin/sed
  sed -i "/^\\-javaagent:.*[\\/\\\\]ja\\-netfilter\\.jar.*/d" /tmp/vmoptions/webstorm.vmoptions
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:719
- /bin/sed
  sed -i "/^\\-javaagent:.*[\\/\\\\]ja\\-netfilter\\.jar.*/d" /tmp/vmoptions/webide.vmoptions
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:723
- /bin/sed
  sed -i "/^\\-javaagent:.*[\\/\\\\]ja\\-netfilter\\.jar.*/d" /tmp/vmoptions/rider.vmoptions
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:727
- /bin/sed
  sed -i "/^\\-javaagent:.*[\\/\\\\]ja\\-netfilter\\.jar.*/d" /tmp/vmoptions/datagrip.vmoptions
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:731
- /bin/sed
  sed -i "/^\\-javaagent:.*[\\/\\\\]ja\\-netfilter\\.jar.*/d" /tmp/vmoptions/rubymine.vmoptions
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:735
- /bin/sed
  sed -i "/^\\-javaagent:.*[\\/\\\\]ja\\-netfilter\\.jar.*/d" /tmp/vmoptions/appcode.vmoptions
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:739
- /bin/sed
  sed -i "/^\\-javaagent:.*[\\/\\\\]ja\\-netfilter\\.jar.*/d" /tmp/vmoptions/dataspell.vmoptions
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:743
- /bin/sed
  sed -i "/^\\-javaagent:.*[\\/\\\\]ja\\-netfilter\\.jar.*/d" /tmp/vmoptions/gateway.vmoptions
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:747
- /bin/sed
  sed -i "/^\\-javaagent:.*[\\/\\\\]ja\\-netfilter\\.jar.*/d" /tmp/vmoptions/jetbrains_client.vmoptions
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:751
- /bin/sed
  sed -i "/^\\-javaagent:.*[\\/\\\\]ja\\-netfilter\\.jar.*/d" /tmp/vmoptions/jetbrainsclient.vmoptions
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:757
- /bin/sed
  sed -i "/^\\-javaagent:.*[\\/\\\\]ja\\-netfilter\\.jar.*/d" /tmp/vmoptions/studio.vmoptions
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:763
- /bin/sed
  sed -i "/^\\-javaagent:.*[\\/\\\\]ja\\-netfilter\\.jar.*/d" /tmp/vmoptions/devecostudio.vmoptions
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:768
- /bin/sed
  sed -i "/___MY_VMOPTIONS_SHELL_FILE=\"\${HOME}\\/\\.jetbrains\\.vmoptions\\.sh\"; if /d" /.profile
  2⤵
  - Reads runtime system information
  PID:773
- /bin/sed
  sed -i "/___MY_VMOPTIONS_SHELL_FILE=\"\${HOME}\\/\\.jetbrains\\.vmoptions\\.sh\"; if /d" /.bashrc
  2⤵
  - Reads runtime system information
  PID:775
- /bin/sed
  sed -i "/___MY_VMOPTIONS_SHELL_FILE=\"\${HOME}\\/\\.jetbrains\\.vmoptions\\.sh\"; if /d" /.zshrc
  2⤵
  - Reads runtime system information
  PID:777
- /bin/ln
  ln -sf /.jetbrains.vmoptions.sh /.config/plasma-workspace/env/jetbrains.vmoptions.sh
  2⤵
  PID:778

/usr/bin/dirname
dirname /tmp/scripts/install.sh
1⤵
PID:686

/usr/bin/tr
tr "[a-z]" "[A-Z]"
1⤵
PID:701

/usr/bin/tr
tr "[a-z]" "[A-Z]"
1⤵
PID:705

/usr/bin/tr
tr "[a-z]" "[A-Z]"
1⤵
PID:710

/usr/bin/tr
tr "[a-z]" "[A-Z]"
1⤵
PID:714

/usr/bin/tr
tr "[a-z]" "[A-Z]"
1⤵
PID:718

/usr/bin/tr
tr "[a-z]" "[A-Z]"
1⤵
PID:722

/usr/bin/tr
tr "[a-z]" "[A-Z]"
1⤵
PID:726

/usr/bin/tr
tr "[a-z]" "[A-Z]"
1⤵
PID:730

/usr/bin/tr
tr "[a-z]" "[A-Z]"
1⤵
PID:734

/usr/bin/tr
tr "[a-z]" "[A-Z]"
1⤵
PID:738

/usr/bin/tr
tr "[a-z]" "[A-Z]"
1⤵
PID:742

/usr/bin/tr
tr "[a-z]" "[A-Z]"
1⤵
PID:746

/usr/bin/tr
tr "[a-z]" "[A-Z]"
1⤵
PID:750

/usr/bin/tr
tr "[a-z]" "[A-Z]"
1⤵
PID:756

/usr/bin/tr
tr "[a-z]" "[A-Z]"
1⤵
PID:761

/usr/bin/tr
tr "[a-z]" "[A-Z]"
1⤵
PID:767

/usr/bin/tr
tr "[a-z]" "[A-Z]"
1⤵
PID:772

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/.jetbrains.vmoptions.sh

Filesize
65B

MD5
d05e07f777d5a7262f27f009c709b6da

SHA1
d53ee0777afdc033a363017608f5d2137d3d4baf

SHA256
89cbe08b266f593d6db523a0207804ff6671fc77da7f955f8f9319f0be94cb05

SHA512
6fcf6e710c95726c196d825b34f5c34945270e124ef652b70faa4d74453d3a1a4703d169a81ef7c7791927a097958960c425c25c8e6bb184429a992d6d13aa40

Download Submit
/.profile

Filesize
148B

MD5
d0cfbf4ab229cb0b8e351a1ccafc99ea

SHA1
c07864fefc64efa750b8f67f39f5d2e9443881f3

SHA256
f190a66f4f0d95e59170e1eb3a1f95352163d28ead4cc855ef06b3b112758e72

SHA512
ea741be9782d108e42716c7887b83d90689de76895d647d2602362d7ff4313c5c2643ecd81e9e7ac241ca58e49c77297669caa2b7389e1c4941caffa4e1d90df

Download Submit
/tmp/vmoptions/sedVSestn

Filesize
636B

MD5
505d97467ea81e9b83a09a7738561ab7

SHA1
1a3698a91fbf5817433023a147adb0c715066b9f

SHA256
f5a4f7aec84eb0a45dd6abe9d4bfd2096e4bab775855f1447dc1bf8346c35b28

SHA512
20a01a513491681bf819129fa4cbba9062cff2ae5bd2d7b83a4d59f7c8410843790f1268b86ed28b3d99841f1d4c11fdc77fe46786a593e3c29551ef153a6310

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads