b089fcd4a23591b5b94198f4efeb166d81aea76e5a5785d5e0c5e5c885ad9c5f

Analysis

max time kernel
105s
max time network
65s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20231215-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20231215-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
21-12-2023 22:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

gosh/scam
Size

6KB
MD5

4762f7c5b88e7364ea279a0243621e74
SHA1

68a29a852ea6afaa6356ea0fcba9c11427093b51
SHA256

0d32ce2878d76061f526d74c06409a5364af287cf03f8862d63e3fc1dab662df
SHA512

dfed05cb0b07375e84090514871f374ee240782bce5a4dcf00bd84398c9c59251be6d0e9ab33920ee05cc5986048e2b5963ec39f2efe91d9a5193eb2571f3f9a
SSDEEP

96:XydtVfnZ77p8zW9wnqF2VISbgxrKhI/uVcT+6bEkIev45CL5MDmNA36+nw9Wz8pn:UfGVbb6f

Score

6^/10

Malware Config

Signatures

Reads CPU attributes 1 TTPs 1 IoCs

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	uptime

Reads runtime system information 6 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/sys/kernel/osrelease	uptime
File opened for reading	/proc/uptime	uptime
File opened for reading	/proc/loadavg	uptime
File opened for reading	/proc/filesystems	id
File opened for reading	/proc/sys/kernel/ngroups_max	id
File opened for reading	/proc/self/mountinfo	df

Writes file to tmp directory 2 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/gosh/info2	scam
File opened for modification	/tmp/gosh/info2	Process not Found

/tmp/gosh/scam
/tmp/gosh/scam
1⤵
- Writes file to tmp directory
PID:1536
- /sbin/ifconfig
  /sbin/ifconfig -a
  2⤵
  PID:1537
- /usr/bin/uptime
  uptime
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1538
- /bin/uname
  uname -a
  2⤵
  PID:1539
- /bin/cat
  cat /etc/issue
  2⤵
  PID:1540
- /bin/cat
  cat /etc/passwd
  2⤵
  PID:1541
- /usr/bin/id
  id
  2⤵
  - Reads runtime system information
  PID:1542
- /bin/df
  df -h
  2⤵
  - Reads runtime system information
  PID:1543
- /bin/cat
  cat info2
  2⤵
  PID:1544
- /bin/rm
  rm -rf info2
  2⤵
  PID:1546
- /usr/bin/clear
  clear
  2⤵
  PID:1551
- /bin/cat
  cat vuln.txt
  2⤵
  PID:1552
- /tmp/gosh/a
  ./a .0
  2⤵
  PID:1554
- /tmp/gosh/a
  ./a .1
  2⤵
  PID:1555
- /tmp/gosh/a
  ./a .2
  2⤵
  PID:1556
- /tmp/gosh/a
  ./a .3
  2⤵
  PID:1557
- /tmp/gosh/a
  ./a .4
  2⤵
  PID:1558
- /tmp/gosh/a
  ./a .5
  2⤵
  PID:1559
- /tmp/gosh/a
  ./a .6
  2⤵
  PID:1560
- /tmp/gosh/a
  ./a .7
  2⤵
  PID:1561
- /tmp/gosh/a
  ./a .8
  2⤵
  PID:1562
- /tmp/gosh/a
  ./a .9
  2⤵
  PID:1563
- /tmp/gosh/a
  ./a .10
  2⤵
  PID:1564
- /bin/cat
  cat vuln.txt
  2⤵
  PID:1565
- /tmp/gosh/a
  ./a .11
  2⤵
  PID:1567
- /tmp/gosh/a
  ./a .12
  2⤵
  PID:1568
- /tmp/gosh/a
  ./a .13
  2⤵
  PID:1569
- /tmp/gosh/a
  ./a .14
  2⤵
  PID:1570
- /tmp/gosh/a
  ./a .15
  2⤵
  PID:1571
- /tmp/gosh/a
  ./a .16
  2⤵
  PID:1572
- /tmp/gosh/a
  ./a .17
  2⤵
  PID:1573
- /tmp/gosh/a
  ./a .18
  2⤵
  PID:1574
- /tmp/gosh/a
  ./a .19
  2⤵
  PID:1575
- /tmp/gosh/a
  ./a .20
  2⤵
  PID:1576
- /bin/cat
  cat vuln.txt
  2⤵
  PID:1577
- /tmp/gosh/a
  ./a .21
  2⤵
  PID:1579
- /tmp/gosh/a
  ./a .22
  2⤵
  PID:1580
- /tmp/gosh/a
  ./a .23
  2⤵
  PID:1581
- /tmp/gosh/a
  ./a .24
  2⤵
  PID:1582
- /tmp/gosh/a
  ./a .25
  2⤵
  PID:1583
- /tmp/gosh/a
  ./a .26
  2⤵
  PID:1584
- /tmp/gosh/a
  ./a .27
  2⤵
  PID:1585
- /tmp/gosh/a
  ./a .28
  2⤵
  PID:1586
- /tmp/gosh/a
  ./a .29
  2⤵
  PID:1587
- /tmp/gosh/a
  ./a .30
  2⤵
  PID:1588
- /bin/cat
  cat vuln.txt
  2⤵
  PID:1589
- /tmp/gosh/a
  ./a .31
  2⤵
  PID:1591
- /tmp/gosh/a
  ./a .32
  2⤵
  PID:1594
- /tmp/gosh/a
  ./a .33
  2⤵
  PID:1595
- /tmp/gosh/a
  ./a .34
  2⤵
  PID:1596
- /tmp/gosh/a
  ./a .35
  2⤵
  PID:1597
- /tmp/gosh/a
  ./a .36
  2⤵
  PID:1598
- /tmp/gosh/a
  ./a .37
  2⤵
  PID:1599
- /tmp/gosh/a
  ./a .38
  2⤵
  PID:1600
- /tmp/gosh/a
  ./a .39
  2⤵
  PID:1601
- /tmp/gosh/a
  ./a .40
  2⤵
  PID:1602
- /bin/cat
  cat vuln.txt
  2⤵
  PID:1604
- /tmp/gosh/a
  ./a .41
  2⤵
  PID:1606
- /tmp/gosh/a
  ./a .42
  2⤵
  PID:1607
- /tmp/gosh/a
  ./a .43
  2⤵
  PID:1608
- /tmp/gosh/a
  ./a .44
  2⤵
  PID:1609
- /tmp/gosh/a
  ./a .45
  2⤵
  PID:1610
- /tmp/gosh/a
  ./a .46
  2⤵
  PID:1611
- /tmp/gosh/a
  ./a .47
  2⤵
  PID:1612
- /tmp/gosh/a
  ./a .48
  2⤵
  PID:1613
- /tmp/gosh/a
  ./a .49
  2⤵
  PID:1614
- /tmp/gosh/a
  ./a .50
  2⤵
  PID:1615
- /bin/cat
  cat vuln.txt
  2⤵
  PID:1616
- /tmp/gosh/a
  ./a .51
  2⤵
  PID:1618
- /tmp/gosh/a
  ./a .52
  2⤵
  PID:1619
- /tmp/gosh/a
  ./a .53
  2⤵
  PID:1620
- /tmp/gosh/a
  ./a .54
  2⤵
  PID:1621
- /tmp/gosh/a
  ./a .55
  2⤵
  PID:1622
- /tmp/gosh/a
  ./a .56
  2⤵
  PID:1623
- /tmp/gosh/a
  ./a .57
  2⤵
  PID:1624
- /tmp/gosh/a
  ./a .58
  2⤵
  PID:1625
- /tmp/gosh/a
  ./a .59
  2⤵
  PID:1626
- /tmp/gosh/a
  ./a .60
  2⤵
  PID:1627
- /bin/cat
  cat vuln.txt
  2⤵
  PID:1628
- /tmp/gosh/a
  ./a .61
  2⤵
  PID:1630
- /tmp/gosh/a
  ./a .62
  2⤵
  PID:1631
- /tmp/gosh/a
  ./a .63
  2⤵
  PID:1632
- /tmp/gosh/a
  ./a .64
  2⤵
  PID:1633
- /tmp/gosh/a
  ./a .65
  2⤵
  PID:1634
- /tmp/gosh/a
  ./a .66
  2⤵
  PID:1635
- /tmp/gosh/a
  ./a .67
  2⤵
  PID:1636
- /tmp/gosh/a
  ./a .68
  2⤵
  PID:1637
- /tmp/gosh/a
  ./a .69
  2⤵
  PID:1638
- /tmp/gosh/a
  ./a .70
  2⤵
  PID:1639
- /bin/cat
  cat vuln.txt
  2⤵
  PID:1640
- /tmp/gosh/a
  ./a .71
  2⤵
  PID:1642
- /tmp/gosh/a
  ./a .72
  2⤵
  PID:1643
- /tmp/gosh/a
  ./a .73
  2⤵
  PID:1644
- /tmp/gosh/a
  ./a .74
  2⤵
  PID:1645
- /tmp/gosh/a
  ./a .75
  2⤵
  PID:1646
- /tmp/gosh/a
  ./a .76
  2⤵
  PID:1647
- /tmp/gosh/a
  ./a .77
  2⤵
  PID:1648
- /tmp/gosh/a
  ./a .78
  2⤵
  PID:1649
- /tmp/gosh/a
  ./a .79
  2⤵
  PID:1650
- /tmp/gosh/a
  ./a .80
  2⤵
  PID:1651
- /bin/cat
  cat vuln.txt
  2⤵
  PID:1652
- /tmp/gosh/a
  ./a .81
  2⤵
  PID:1654
- /tmp/gosh/a
  ./a .82
  2⤵
  PID:1655
- /tmp/gosh/a
  ./a .83
  2⤵
  PID:1656
- /tmp/gosh/a
  ./a .84
  2⤵
  PID:1657
- /tmp/gosh/a
  ./a .85
  2⤵
  PID:1658
- /tmp/gosh/a
  ./a .86
  2⤵
  PID:1659
- /tmp/gosh/a
  ./a .87
  2⤵
  PID:1660
- /tmp/gosh/a
  ./a .88
  2⤵
  PID:1661
- /tmp/gosh/a
  ./a .89
  2⤵
  PID:1662
- /tmp/gosh/a
  ./a .90
  2⤵
  PID:1663
- /bin/cat
  cat vuln.txt
  2⤵
  PID:1666
- /tmp/gosh/a
  ./a .91
  2⤵
  PID:1668
- /tmp/gosh/a
  ./a .92
  2⤵
  PID:1669
- /tmp/gosh/a
  ./a .93
  2⤵
  PID:1670
- /tmp/gosh/a
  ./a .94
  2⤵
  PID:1671
- /tmp/gosh/a
  ./a .95
  2⤵
  PID:1672
- /tmp/gosh/a
  ./a .96
  2⤵
  PID:1673
- /tmp/gosh/a
  ./a .97
  2⤵
  PID:1674
- /tmp/gosh/a
  ./a .98
  2⤵
  PID:1675
- /tmp/gosh/a
  ./a .99
  2⤵
  PID:1676
- /tmp/gosh/a
  ./a .100
  2⤵
  PID:1677
- /bin/cat
  cat vuln.txt
  2⤵
  PID:1678
- /tmp/gosh/a
  ./a .101
  2⤵
  PID:1680
- /tmp/gosh/a
  ./a .102
  2⤵
  PID:1681
- /tmp/gosh/a
  ./a .103
  2⤵
  PID:1682
- /tmp/gosh/a
  ./a .104
  2⤵
  PID:1683
- /tmp/gosh/a
  ./a .105
  2⤵
  PID:1684
- /tmp/gosh/a
  ./a .106
  2⤵
  PID:1685
- /tmp/gosh/a
  ./a .107
  2⤵
  PID:1686
- /tmp/gosh/a
  ./a .108
  2⤵
  PID:1687
- /tmp/gosh/a
  ./a .109
  2⤵
  PID:1688
- /tmp/gosh/a
  ./a .110
  2⤵
  PID:1689
- /bin/cat
  cat vuln.txt
  2⤵
  PID:1690
- /tmp/gosh/a
  ./a .111
  2⤵
  PID:1692
- /tmp/gosh/a
  ./a .112
  2⤵
  PID:1693
- /tmp/gosh/a
  ./a .113
  2⤵
  PID:1694
- /tmp/gosh/a
  ./a .114
  2⤵
  PID:1695
- /tmp/gosh/a
  ./a .115
  2⤵
  PID:1696
- /tmp/gosh/a
  ./a .116
  2⤵
  PID:1697
- /tmp/gosh/a
  ./a .117
  2⤵
  PID:1698
- /tmp/gosh/a
  ./a .118
  2⤵
  PID:1699
- /tmp/gosh/a
  ./a .119
  2⤵
  PID:1700
- /tmp/gosh/a
  ./a .120
  2⤵
  PID:1701
- /bin/cat
  cat vuln.txt
  2⤵
  PID:1702
- /tmp/gosh/a
  ./a .121
  2⤵
  PID:1704
- /tmp/gosh/a
  ./a .122
  2⤵
  PID:1705
- /tmp/gosh/a
  ./a .123
  2⤵
  PID:1706
- /tmp/gosh/a
  ./a .124
  2⤵
  PID:1707
- /tmp/gosh/a
  ./a .125
  2⤵
  PID:1708
- /tmp/gosh/a
  ./a .126
  2⤵
  PID:1709
- /tmp/gosh/a
  ./a .127
  2⤵
  PID:1710
- /tmp/gosh/a
  ./a .128
  2⤵
  PID:1711
- /tmp/gosh/a
  ./a .129
  2⤵
  PID:1712
- /tmp/gosh/a
  ./a .13
  2⤵
  PID:1713
- /bin/cat
  cat vuln.txt
  2⤵
  PID:1714
- /tmp/gosh/a
  ./a .131
  2⤵
  PID:1716
- /tmp/gosh/a
  ./a .132
  2⤵
  PID:1717
- /tmp/gosh/a
  ./a .133
  2⤵
  PID:1718
- /tmp/gosh/a
  ./a .134
  2⤵
  PID:1719
- /tmp/gosh/a
  ./a .135
  2⤵
  PID:1720
- /tmp/gosh/a
  ./a .136
  2⤵
  PID:1721
- /tmp/gosh/a
  ./a .137
  2⤵
  PID:1722
- /tmp/gosh/a
  ./a .138
  2⤵
  PID:1723

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/gosh/info2

Filesize
27B

MD5
210e3691abde94aba36fd981c007118b

SHA1
fbed82767e1e597632436aa2b4d5aed2c2585ac2

SHA256
a9913f505a1275a5c00a630ae232b04a982bb19efa5b00d5e22ca14e414b84c9

SHA512
65a8f42b99268ba4bc17f51f0e2e17d530b344c80bc483c510014bbf2920715517f5be0f770e30f55e1f2603f203fd4af9295bd979a82897e15b1593f08e1580

Download Submit
/tmp/gosh/info2

Filesize
54B

MD5
a2709419d80ba6b7fb126a5ed3cbebf1

SHA1
2400112d846a896b8bfee9d8c1791718ef0695b8

SHA256
24259785df747f8a38f250211b544b5885e937254a0a3d17658696f8515ca20a

SHA512
2f897325d3791ab80619d52978907900e0431518ae44906d06ccfe0dcae412c3d46a034f40da724bd4045d9c33258478bb6c96d33ea0f6c649ac81b7d4a62e8d

Download Submit
/tmp/gosh/info2

Filesize
85B

MD5
68e6530a51c4c7bf17dcf7051a6be710

SHA1
81380900211b5eca427f5632ff97cfd91eaaf7eb

SHA256
0b17dee730444d635adf2892a570927015e1bac71bf869df56bf25d104b1f529

SHA512
a103bbcdee57bafed8aa53eb08723aa1653e6e426e66ab6a1aca2e43f94200a2efd9288b0f51f67cc350beb08eb9648432e05feaca95f80179d6701c95b577e0

Download Submit
/tmp/gosh/info2

Filesize
146B

MD5
829711e8cab8d92c32149d66e114ad85

SHA1
ebfbf64c93a3ec1fafa5492eeecf2aab1b3d2304

SHA256
f12cbb6cec098438e27404c65fa849f47cbd012cafd5a4f7449f1bc33c323937

SHA512
de6864c398d17fd7dfcc57ecc9700fcaf2be39e13bb8ff107f55c174ecb2a3434e8d0d85b00a9bc446b7886e8202c70e6da9e3461501ac1889906919837163e0

Download Submit
/tmp/gosh/info2

Filesize
179B

MD5
9d74864f3e4e9e1eca2cd24b63e09747

SHA1
4f19337e192efb8d5fe8adda3e93b20cba4f618e

SHA256
318bccd290e7399a9ed6c4378b94fe8f8cde7cf6b2690e4ec52dfe82bb724afb

SHA512
317c54298818e76d0c0fbf8b70cd4905c358693c024ed1c64e98a52c3ce2c0d2228c59ba9c0232ed9ac507e75c247bd736467825a078132d0005502f81d56de7

Download Submit
/tmp/gosh/info2

Filesize
3KB

MD5
8b6067b8c0738630150da3255fbf7ac8

SHA1
c254e93ba74a0cb49b26d4bd6440e25403127cae

SHA256
75ad6cf52b45b26c050ee8acd83dc3a450989063140dd30f64ae7940542665ed

SHA512
b4d7e726ee2a19241f5f44dd49be3d45d8a3189c9b1ab81a663d5856f08130f1e4958e672c47b13e9507666f574ef57ad05c3d8bcbdad1d533c3c679a98f228e

Download Submit