d82f76ab1d5ce45980e6190eb3603d73f8dff7e71b0f2f321c5a4a8578a80647

Analysis

max time kernel
12s
platform
debian-9_mips
resource
debian9-mipsbe-20231215-en
resource tags

arch:mipsimage:debian9-mipsbe-20231215-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem
submitted
20/12/2023, 09:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

scripts/install.sh
Size

3KB
MD5

4f86ad982a9cdf710d297f30a1c35d3e
SHA1

32eb21a4fd2a0ae3ead868dd550d30b64409a883
SHA256

ff7b76ed04b0ca7e42b380fd3426b4ea14dd1e6fd39154fcd32ef9e11907478f
SHA512

99a8eacfe80870912a334804ccfcdba1f13a0a5a78f6e4325d124aaf0a1b0352f47fb0144f68003670acb4565ea694f550608fc7343668a2a3d819c03e3e1802

Score

3^/10

Malware Config

Signatures

Reads runtime system information 21 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed

Writes file to tmp directory 34 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/vmoptions/rider.vmoptions	install.sh
File opened for modification	/tmp/vmoptions/sedZQ4pXK	sed
File opened for modification	/tmp/vmoptions/jetbrains_client.vmoptions	install.sh
File opened for modification	/tmp/vmoptions/sedEItXNA	sed
File opened for modification	/tmp/vmoptions/sedkK6k51	sed
File opened for modification	/tmp/vmoptions/goland.vmoptions	install.sh
File opened for modification	/tmp/vmoptions/sedvPfywW	sed
File opened for modification	/tmp/vmoptions/seddbUl8a	sed
File opened for modification	/tmp/vmoptions/sedcp7iks	sed
File opened for modification	/tmp/vmoptions/webide.vmoptions	install.sh
File opened for modification	/tmp/vmoptions/datagrip.vmoptions	install.sh
File opened for modification	/tmp/vmoptions/sedCScfOu	sed
File opened for modification	/tmp/vmoptions/rubymine.vmoptions	install.sh
File opened for modification	/tmp/vmoptions/sed33XeGC	sed
File opened for modification	/tmp/vmoptions/dataspell.vmoptions	install.sh
File opened for modification	/tmp/vmoptions/sedFRnwyk	sed
File opened for modification	/tmp/vmoptions/appcode.vmoptions	install.sh
File opened for modification	/tmp/vmoptions/sedpsuFDe	sed
File opened for modification	/tmp/vmoptions/jetbrainsclient.vmoptions	install.sh
File opened for modification	/tmp/vmoptions/studio.vmoptions	install.sh
File opened for modification	/tmp/vmoptions/clion.vmoptions	install.sh
File opened for modification	/tmp/vmoptions/phpstorm.vmoptions	install.sh
File opened for modification	/tmp/vmoptions/sedtRgLh5	sed
File opened for modification	/tmp/vmoptions/pycharm.vmoptions	install.sh
File opened for modification	/tmp/vmoptions/sed0u1hOe	sed
File opened for modification	/tmp/vmoptions/sedKunB4S	sed
File opened for modification	/tmp/vmoptions/sedtoZ3Hc	sed
File opened for modification	/tmp/vmoptions/sedNo785D	sed
File opened for modification	/tmp/vmoptions/webstorm.vmoptions	install.sh
File opened for modification	/tmp/vmoptions/devecostudio.vmoptions	install.sh
File opened for modification	/tmp/vmoptions/sed5HVIqJ	sed
File opened for modification	/tmp/vmoptions/idea.vmoptions	install.sh
File opened for modification	/tmp/vmoptions/gateway.vmoptions	install.sh
File opened for modification	/tmp/vmoptions/sedhhHvdm	sed

/tmp/scripts/install.sh
/tmp/scripts/install.sh
1⤵
- Writes file to tmp directory
PID:705
- /bin/uname
  uname -s
  2⤵
  PID:708
- /usr/bin/dirname
  dirname /tmp/scripts
  2⤵
  PID:711
- /bin/mkdir
  mkdir -p /.config/plasma-workspace/env
  2⤵
  - Reads runtime system information
  PID:719
- /usr/bin/touch
  touch /.profile
  2⤵
  PID:721
- /usr/bin/touch
  touch /.bashrc
  2⤵
  PID:722
- /usr/bin/touch
  touch /.zshrc
  2⤵
  PID:723
- /bin/sed
  sed -i "/^\\-javaagent:.*[\\/\\\\]ja\\-netfilter\\.jar.*/d" /tmp/vmoptions/idea.vmoptions
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:724
- /bin/sed
  sed -i "/^\\-javaagent:.*[\\/\\\\]ja\\-netfilter\\.jar.*/d" /tmp/vmoptions/clion.vmoptions
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:730
- /bin/sed
  sed -i "/^\\-javaagent:.*[\\/\\\\]ja\\-netfilter\\.jar.*/d" /tmp/vmoptions/phpstorm.vmoptions
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:735
- /bin/sed
  sed -i "/^\\-javaagent:.*[\\/\\\\]ja\\-netfilter\\.jar.*/d" /tmp/vmoptions/goland.vmoptions
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:741
- /bin/sed
  sed -i "/^\\-javaagent:.*[\\/\\\\]ja\\-netfilter\\.jar.*/d" /tmp/vmoptions/pycharm.vmoptions
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:745
- /bin/sed
  sed -i "/^\\-javaagent:.*[\\/\\\\]ja\\-netfilter\\.jar.*/d" /tmp/vmoptions/webstorm.vmoptions
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:750
- /bin/sed
  sed -i "/^\\-javaagent:.*[\\/\\\\]ja\\-netfilter\\.jar.*/d" /tmp/vmoptions/webide.vmoptions
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:754
- /bin/sed
  sed -i "/^\\-javaagent:.*[\\/\\\\]ja\\-netfilter\\.jar.*/d" /tmp/vmoptions/rider.vmoptions
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:759
- /bin/sed
  sed -i "/^\\-javaagent:.*[\\/\\\\]ja\\-netfilter\\.jar.*/d" /tmp/vmoptions/datagrip.vmoptions
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:763
- /bin/sed
  sed -i "/^\\-javaagent:.*[\\/\\\\]ja\\-netfilter\\.jar.*/d" /tmp/vmoptions/rubymine.vmoptions
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:767
- /bin/sed
  sed -i "/^\\-javaagent:.*[\\/\\\\]ja\\-netfilter\\.jar.*/d" /tmp/vmoptions/appcode.vmoptions
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:771
- /bin/sed
  sed -i "/^\\-javaagent:.*[\\/\\\\]ja\\-netfilter\\.jar.*/d" /tmp/vmoptions/dataspell.vmoptions
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:775
- /bin/sed
  sed -i "/^\\-javaagent:.*[\\/\\\\]ja\\-netfilter\\.jar.*/d" /tmp/vmoptions/gateway.vmoptions
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:779
- /bin/sed
  sed -i "/^\\-javaagent:.*[\\/\\\\]ja\\-netfilter\\.jar.*/d" /tmp/vmoptions/jetbrains_client.vmoptions
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:783
- /bin/sed
  sed -i "/^\\-javaagent:.*[\\/\\\\]ja\\-netfilter\\.jar.*/d" /tmp/vmoptions/jetbrainsclient.vmoptions
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:787
- /bin/sed
  sed -i "/^\\-javaagent:.*[\\/\\\\]ja\\-netfilter\\.jar.*/d" /tmp/vmoptions/studio.vmoptions
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:791
- /bin/sed
  sed -i "/^\\-javaagent:.*[\\/\\\\]ja\\-netfilter\\.jar.*/d" /tmp/vmoptions/devecostudio.vmoptions
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:795
- /bin/sed
  sed -i "/___MY_VMOPTIONS_SHELL_FILE=\"\${HOME}\\/\\.jetbrains\\.vmoptions\\.sh\"; if /d" /.profile
  2⤵
  - Reads runtime system information
  PID:799
- /bin/sed
  sed -i "/___MY_VMOPTIONS_SHELL_FILE=\"\${HOME}\\/\\.jetbrains\\.vmoptions\\.sh\"; if /d" /.bashrc
  2⤵
  - Reads runtime system information
  PID:800
- /bin/sed
  sed -i "/___MY_VMOPTIONS_SHELL_FILE=\"\${HOME}\\/\\.jetbrains\\.vmoptions\\.sh\"; if /d" /.zshrc
  2⤵
  - Reads runtime system information
  PID:801
- /bin/ln
  ln -sf /.jetbrains.vmoptions.sh /.config/plasma-workspace/env/jetbrains.vmoptions.sh
  2⤵
  PID:802

/usr/bin/dirname
dirname /tmp/scripts/install.sh
1⤵
PID:716

/usr/bin/tr
tr "[a-z]" "[A-Z]"
1⤵
PID:729

/usr/bin/tr
tr "[a-z]" "[A-Z]"
1⤵
PID:733

/usr/bin/tr
tr "[a-z]" "[A-Z]"
1⤵
PID:739

/usr/bin/tr
tr "[a-z]" "[A-Z]"
1⤵
PID:744

/usr/bin/tr
tr "[a-z]" "[A-Z]"
1⤵
PID:749

/usr/bin/tr
tr "[a-z]" "[A-Z]"
1⤵
PID:753

/usr/bin/tr
tr "[a-z]" "[A-Z]"
1⤵
PID:757

/usr/bin/tr
tr "[a-z]" "[A-Z]"
1⤵
PID:762

/usr/bin/tr
tr "[a-z]" "[A-Z]"
1⤵
PID:766

/usr/bin/tr
tr "[a-z]" "[A-Z]"
1⤵
PID:770

/usr/bin/tr
tr "[a-z]" "[A-Z]"
1⤵
PID:774

/usr/bin/tr
tr "[a-z]" "[A-Z]"
1⤵
PID:778

/usr/bin/tr
tr "[a-z]" "[A-Z]"
1⤵
PID:782

/usr/bin/tr
tr "[a-z]" "[A-Z]"
1⤵
PID:786

/usr/bin/tr
tr "[a-z]" "[A-Z]"
1⤵
PID:790

/usr/bin/tr
tr "[a-z]" "[A-Z]"
1⤵
PID:794

/usr/bin/tr
tr "[a-z]" "[A-Z]"
1⤵
PID:798

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/.jetbrains.vmoptions.sh

Filesize
185B

MD5
c08ab06b32d96dc65c082b639ae4d467

SHA1
1fdde29652a4aea63c22b5c4d16b64258c13964e

SHA256
b68f22dd54acb66418b4332c5703286122ddc6c7bd257720e37363510991535c

SHA512
19a42319c55579405c2151577ad6d1af334ff8c9ce75648b3bbd1420a90284db84cf2bf477d06607017883574f118c3c1582257d77bc9cbfc4fbe98ade2833bf

Download Submit
/.jetbrains.vmoptions.sh

Filesize
244B

MD5
3342b3246910bdbe1f399104ea7316da

SHA1
c506673896507bc85db81ac242b4dfe833c6ebfd

SHA256
488bb2c04b0f32ca2f3065b311f64d57225923ef29332c7da26e1f9c1186d870

SHA512
c4953238cf15b3464d9120988667c98f67241874c8a81632282f403d1ec4a0e5272368849f9a75419b001351eae35bbde0b1744c412658adb4b1e9e7eda69e78

Download Submit
/.jetbrains.vmoptions.sh

Filesize
547B

MD5
1c8ac58d7cef0afba50bfe13f1060158

SHA1
1f4d40de808b4936df50a9800308f24ebd3a743a

SHA256
e3bbc6bc08cf35e2663fa7ee64c8023dbd5f66b08a1e4a6006e6dd7897691fff

SHA512
65a2d56b98204a80893888af4ff8932143a001b3278ea66c17a7d91d8630465974a111314df000a47d359e335afcd2e81413a8b47edd2c9f59d9fb5e1ea986ef

Download Submit
/.jetbrains.vmoptions.sh

Filesize
10B

MD5
3e2b31c72181b87149ff995e7202c0e3

SHA1
bd971bec88149956458a10fc9c5ecb3eb99dd452

SHA256
a8076d3d28d21e02012b20eaf7dbf75409a6277134439025f282e368e3305abf

SHA512
543f39af1ae7a2382ed869cbd1ee1ac598a88eb4e213cd64487c54b5c37722c6207ee6db4fa7e2ed53064259a44115c6da7bbc8c068378bb52a25e7088eeebd6

Download Submit
/.jetbrains.vmoptions.sh

Filesize
65B

MD5
d05e07f777d5a7262f27f009c709b6da

SHA1
d53ee0777afdc033a363017608f5d2137d3d4baf

SHA256
89cbe08b266f593d6db523a0207804ff6671fc77da7f955f8f9319f0be94cb05

SHA512
6fcf6e710c95726c196d825b34f5c34945270e124ef652b70faa4d74453d3a1a4703d169a81ef7c7791927a097958960c425c25c8e6bb184429a992d6d13aa40

Download Submit
/.jetbrains.vmoptions.sh

Filesize
122B

MD5
db429228e4713acf5bf4fbb18a8834a4

SHA1
dcfa6be754dbca2dca6d9b7d795b6eaedaedeb3c

SHA256
081d1c848695cbba6ab8453152f6d0561e4548c02da626c0c108416408b48d64

SHA512
5a23734d0a7e12abce44f74ff148ce8cb7b6bd60a2ca0e7c05be9041e8ca59e98ae7eca43caefc816cf1cf97de620e77619e10f51d792961adf81b2544803963

Download Submit
/.profile

Filesize
148B

MD5
d0cfbf4ab229cb0b8e351a1ccafc99ea

SHA1
c07864fefc64efa750b8f67f39f5d2e9443881f3

SHA256
f190a66f4f0d95e59170e1eb3a1f95352163d28ead4cc855ef06b3b112758e72

SHA512
ea741be9782d108e42716c7887b83d90689de76895d647d2602362d7ff4313c5c2643ecd81e9e7ac241ca58e49c77297669caa2b7389e1c4941caffa4e1d90df

Download Submit
/tmp/vmoptions/sed5HVIqJ

Filesize
636B

MD5
505d97467ea81e9b83a09a7738561ab7

SHA1
1a3698a91fbf5817433023a147adb0c715066b9f

SHA256
f5a4f7aec84eb0a45dd6abe9d4bfd2096e4bab775855f1447dc1bf8346c35b28

SHA512
20a01a513491681bf819129fa4cbba9062cff2ae5bd2d7b83a4d59f7c8410843790f1268b86ed28b3d99841f1d4c11fdc77fe46786a593e3c29551ef153a6310

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads