3c8d82009cfdecc57c0dd6ce42bdaef5df6142c1f949dc7616641fc876619382

Analysis

max time kernel
25s
max time network
69s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20231215-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20231215-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
22/12/2023, 03:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

gosh/scam
Size

4KB
MD5

fc457f091269f8303f5499043a655c24
SHA1

cb8be781eb141222fe1f617911b6e89f40ecab06
SHA256

c574d640d3e80fdc76992c4b872b7a3768a7dc54213cf49c0cc6b6c47608cfc3
SHA512

770bce5e962feaede5800aa27e3dad89ee364eccb5aa4f01ad2c8bec6fcc32a27b16ea4833911b768c24d939fdb4fac7cb8af4dd7b204e975fafa2d427d5b092
SSDEEP

96:Fymtc3nmUyp8zW9wnqoZpIS2baUrKhI/uVcTR6bEkIev45CC5MDmNA36Rnw9Wz8Z:S35eNbWf

Score

6^/10

Malware Config

Signatures

Reads CPU attributes 1 TTPs 1 IoCs

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	uptime

Reads runtime system information 6 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/sys/kernel/osrelease	uptime
File opened for reading	/proc/uptime	uptime
File opened for reading	/proc/loadavg	uptime
File opened for reading	/proc/filesystems	id
File opened for reading	/proc/sys/kernel/ngroups_max	id
File opened for reading	/proc/self/mountinfo	df

Writes file to tmp directory 2 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/gosh/info2	scam
File opened for modification	/tmp/gosh/info2	Process not Found

/tmp/gosh/scam
/tmp/gosh/scam
1⤵
- Writes file to tmp directory
PID:1543
- /sbin/ifconfig
  /sbin/ifconfig -a
  2⤵
  PID:1544
- /usr/bin/uptime
  uptime
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1545
- /bin/uname
  uname -a
  2⤵
  PID:1546
- /bin/cat
  cat /etc/issue
  2⤵
  PID:1547
- /bin/cat
  cat /etc/passwd
  2⤵
  PID:1548
- /usr/bin/id
  id
  2⤵
  - Reads runtime system information
  PID:1549
- /bin/df
  df -h
  2⤵
  - Reads runtime system information
  PID:1553
- /bin/cat
  cat info2
  2⤵
  PID:1554
- /bin/rm
  rm -rf info2
  2⤵
  PID:1556
- /usr/bin/clear
  clear
  2⤵
  PID:1557
- /tmp/gosh/a
  ./a .0
  2⤵
  PID:1558
- /tmp/gosh/a
  ./a .1
  2⤵
  PID:1559
- /tmp/gosh/a
  ./a .2
  2⤵
  PID:1560
- /tmp/gosh/a
  ./a .3
  2⤵
  PID:1561
- /tmp/gosh/a
  ./a .4
  2⤵
  PID:1562
- /tmp/gosh/a
  ./a .5
  2⤵
  PID:1563
- /tmp/gosh/a
  ./a .6
  2⤵
  PID:1564
- /tmp/gosh/a
  ./a .7
  2⤵
  PID:1565
- /tmp/gosh/a
  ./a .8
  2⤵
  PID:1566
- /tmp/gosh/a
  ./a .9
  2⤵
  PID:1567
- /tmp/gosh/a
  ./a .10
  2⤵
  PID:1568
- /tmp/gosh/a
  ./a .11
  2⤵
  PID:1569
- /tmp/gosh/a
  ./a .12
  2⤵
  PID:1570
- /tmp/gosh/a
  ./a .13
  2⤵
  PID:1571
- /tmp/gosh/a
  ./a .14
  2⤵
  PID:1572
- /tmp/gosh/a
  ./a .15
  2⤵
  PID:1573
- /tmp/gosh/a
  ./a .16
  2⤵
  PID:1574
- /tmp/gosh/a
  ./a .17
  2⤵
  PID:1575
- /tmp/gosh/a
  ./a .18
  2⤵
  PID:1576
- /tmp/gosh/a
  ./a .19
  2⤵
  PID:1577
- /tmp/gosh/a
  ./a .20
  2⤵
  PID:1578
- /tmp/gosh/a
  ./a .21
  2⤵
  PID:1579
- /tmp/gosh/a
  ./a .22
  2⤵
  PID:1580
- /tmp/gosh/a
  ./a .23
  2⤵
  PID:1581
- /tmp/gosh/a
  ./a .24
  2⤵
  PID:1582
- /tmp/gosh/a
  ./a .25
  2⤵
  PID:1583
- /tmp/gosh/a
  ./a .26
  2⤵
  PID:1584
- /tmp/gosh/a
  ./a .27
  2⤵
  PID:1585
- /tmp/gosh/a
  ./a .28
  2⤵
  PID:1586
- /tmp/gosh/a
  ./a .29
  2⤵
  PID:1587
- /tmp/gosh/a
  ./a .30
  2⤵
  PID:1588
- /tmp/gosh/a
  ./a .31
  2⤵
  PID:1589
- /tmp/gosh/a
  ./a .32
  2⤵
  PID:1590
- /tmp/gosh/a
  ./a .33
  2⤵
  PID:1591
- /tmp/gosh/a
  ./a .34
  2⤵
  PID:1592
- /tmp/gosh/a
  ./a .35
  2⤵
  PID:1593
- /tmp/gosh/a
  ./a .36
  2⤵
  PID:1594
- /tmp/gosh/a
  ./a .37
  2⤵
  PID:1595
- /tmp/gosh/a
  ./a .38
  2⤵
  PID:1596
- /tmp/gosh/a
  ./a .39
  2⤵
  PID:1597
- /tmp/gosh/a
  ./a .40
  2⤵
  PID:1598
- /tmp/gosh/a
  ./a .41
  2⤵
  PID:1599
- /tmp/gosh/a
  ./a .42
  2⤵
  PID:1600
- /tmp/gosh/a
  ./a .43
  2⤵
  PID:1601
- /tmp/gosh/a
  ./a .44
  2⤵
  PID:1602
- /tmp/gosh/a
  ./a .45
  2⤵
  PID:1603
- /tmp/gosh/a
  ./a .46
  2⤵
  PID:1604
- /tmp/gosh/a
  ./a .47
  2⤵
  PID:1605
- /tmp/gosh/a
  ./a .48
  2⤵
  PID:1606
- /tmp/gosh/a
  ./a .49
  2⤵
  PID:1607
- /tmp/gosh/a
  ./a .50
  2⤵
  PID:1608
- /tmp/gosh/a
  ./a .51
  2⤵
  PID:1609
- /tmp/gosh/a
  ./a .52
  2⤵
  PID:1610
- /tmp/gosh/a
  ./a .53
  2⤵
  PID:1611
- /tmp/gosh/a
  ./a .54
  2⤵
  PID:1612
- /tmp/gosh/a
  ./a .55
  2⤵
  PID:1613
- /tmp/gosh/a
  ./a .56
  2⤵
  PID:1614
- /tmp/gosh/a
  ./a .57
  2⤵
  PID:1615
- /tmp/gosh/a
  ./a .58
  2⤵
  PID:1616
- /tmp/gosh/a
  ./a .59
  2⤵
  PID:1617
- /tmp/gosh/a
  ./a .60
  2⤵
  PID:1618
- /tmp/gosh/a
  ./a .61
  2⤵
  PID:1619
- /tmp/gosh/a
  ./a .62
  2⤵
  PID:1620
- /tmp/gosh/a
  ./a .63
  2⤵
  PID:1621
- /tmp/gosh/a
  ./a .64
  2⤵
  PID:1622
- /tmp/gosh/a
  ./a .65
  2⤵
  PID:1623
- /tmp/gosh/a
  ./a .66
  2⤵
  PID:1624
- /tmp/gosh/a
  ./a .67
  2⤵
  PID:1625
- /tmp/gosh/a
  ./a .68
  2⤵
  PID:1626
- /tmp/gosh/a
  ./a .69
  2⤵
  PID:1627
- /tmp/gosh/a
  ./a .70
  2⤵
  PID:1628
- /tmp/gosh/a
  ./a .71
  2⤵
  PID:1629
- /tmp/gosh/a
  ./a .72
  2⤵
  PID:1630
- /tmp/gosh/a
  ./a .73
  2⤵
  PID:1631
- /tmp/gosh/a
  ./a .74
  2⤵
  PID:1632
- /tmp/gosh/a
  ./a .75
  2⤵
  PID:1633
- /tmp/gosh/a
  ./a .76
  2⤵
  PID:1634
- /tmp/gosh/a
  ./a .77
  2⤵
  PID:1635
- /tmp/gosh/a
  ./a .78
  2⤵
  PID:1636
- /tmp/gosh/a
  ./a .79
  2⤵
  PID:1637
- /tmp/gosh/a
  ./a .80
  2⤵
  PID:1638
- /tmp/gosh/a
  ./a .81
  2⤵
  PID:1639
- /tmp/gosh/a
  ./a .82
  2⤵
  PID:1640
- /tmp/gosh/a
  ./a .83
  2⤵
  PID:1641
- /tmp/gosh/a
  ./a .84
  2⤵
  PID:1642
- /tmp/gosh/a
  ./a .85
  2⤵
  PID:1643
- /tmp/gosh/a
  ./a .86
  2⤵
  PID:1644
- /tmp/gosh/a
  ./a .87
  2⤵
  PID:1645
- /tmp/gosh/a
  ./a .88
  2⤵
  PID:1646
- /tmp/gosh/a
  ./a .89
  2⤵
  PID:1647
- /tmp/gosh/a
  ./a .90
  2⤵
  PID:1648
- /tmp/gosh/a
  ./a .91
  2⤵
  PID:1649
- /tmp/gosh/a
  ./a .92
  2⤵
  PID:1650
- /tmp/gosh/a
  ./a .93
  2⤵
  PID:1651
- /tmp/gosh/a
  ./a .94
  2⤵
  PID:1652
- /tmp/gosh/a
  ./a .95
  2⤵
  PID:1653
- /tmp/gosh/a
  ./a .96
  2⤵
  PID:1654
- /tmp/gosh/a
  ./a .97
  2⤵
  PID:1655
- /tmp/gosh/a
  ./a .98
  2⤵
  PID:1656
- /tmp/gosh/a
  ./a .99
  2⤵
  PID:1657
- /tmp/gosh/a
  ./a .100
  2⤵
  PID:1658
- /tmp/gosh/a
  ./a .101
  2⤵
  PID:1659
- /tmp/gosh/a
  ./a .102
  2⤵
  PID:1660
- /tmp/gosh/a
  ./a .103
  2⤵
  PID:1661
- /tmp/gosh/a
  ./a .104
  2⤵
  PID:1662
- /tmp/gosh/a
  ./a .105
  2⤵
  PID:1663
- /tmp/gosh/a
  ./a .106
  2⤵
  PID:1664
- /tmp/gosh/a
  ./a .107
  2⤵
  PID:1665
- /tmp/gosh/a
  ./a .108
  2⤵
  PID:1666
- /tmp/gosh/a
  ./a .109
  2⤵
  PID:1667
- /tmp/gosh/a
  ./a .110
  2⤵
  PID:1668
- /tmp/gosh/a
  ./a .111
  2⤵
  PID:1669
- /tmp/gosh/a
  ./a .112
  2⤵
  PID:1670
- /tmp/gosh/a
  ./a .113
  2⤵
  PID:1671
- /tmp/gosh/a
  ./a .114
  2⤵
  PID:1672
- /tmp/gosh/a
  ./a .115
  2⤵
  PID:1673
- /tmp/gosh/a
  ./a .116
  2⤵
  PID:1674
- /tmp/gosh/a
  ./a .117
  2⤵
  PID:1675
- /tmp/gosh/a
  ./a .118
  2⤵
  PID:1676
- /tmp/gosh/a
  ./a .119
  2⤵
  PID:1677
- /tmp/gosh/a
  ./a .120
  2⤵
  PID:1678
- /tmp/gosh/a
  ./a .121
  2⤵
  PID:1679
- /tmp/gosh/a
  ./a .122
  2⤵
  PID:1680
- /tmp/gosh/a
  ./a .123
  2⤵
  PID:1681
- /tmp/gosh/a
  ./a .124
  2⤵
  PID:1682
- /tmp/gosh/a
  ./a .125
  2⤵
  PID:1683
- /tmp/gosh/a
  ./a .126
  2⤵
  PID:1684
- /tmp/gosh/a
  ./a .127
  2⤵
  PID:1685
- /tmp/gosh/a
  ./a .128
  2⤵
  PID:1686
- /tmp/gosh/a
  ./a .129
  2⤵
  PID:1687
- /tmp/gosh/a
  ./a .130
  2⤵
  PID:1688
- /tmp/gosh/a
  ./a .131
  2⤵
  PID:1689
- /tmp/gosh/a
  ./a .132
  2⤵
  PID:1690
- /tmp/gosh/a
  ./a .133
  2⤵
  PID:1691
- /tmp/gosh/a
  ./a .134
  2⤵
  PID:1692
- /tmp/gosh/a
  ./a .135
  2⤵
  PID:1693
- /tmp/gosh/a
  ./a .136
  2⤵
  PID:1694
- /tmp/gosh/a
  ./a .137
  2⤵
  PID:1695
- /tmp/gosh/a
  ./a .138
  2⤵
  PID:1696
- /tmp/gosh/a
  ./a .139
  2⤵
  PID:1697
- /tmp/gosh/a
  ./a .140
  2⤵
  PID:1698
- /tmp/gosh/a
  ./a .141
  2⤵
  PID:1699
- /tmp/gosh/a
  ./a .142
  2⤵
  PID:1700
- /tmp/gosh/a
  ./a .143
  2⤵
  PID:1701
- /tmp/gosh/a
  ./a .144
  2⤵
  PID:1702
- /tmp/gosh/a
  ./a .145
  2⤵
  PID:1703
- /tmp/gosh/a
  ./a .146
  2⤵
  PID:1704
- /tmp/gosh/a
  ./a .147
  2⤵
  PID:1705
- /tmp/gosh/a
  ./a .148
  2⤵
  PID:1706
- /tmp/gosh/a
  ./a .149
  2⤵
  PID:1707
- /tmp/gosh/a
  ./a .150
  2⤵
  PID:1708
- /tmp/gosh/a
  ./a .151
  2⤵
  PID:1709
- /tmp/gosh/a
  ./a .152
  2⤵
  PID:1710
- /tmp/gosh/a
  ./a .153
  2⤵
  PID:1711
- /tmp/gosh/a
  ./a .154
  2⤵
  PID:1712
- /tmp/gosh/a
  ./a .155
  2⤵
  PID:1713
- /tmp/gosh/a
  ./a .156
  2⤵
  PID:1714
- /tmp/gosh/a
  ./a .157
  2⤵
  PID:1715
- /tmp/gosh/a
  ./a .158
  2⤵
  PID:1716
- /tmp/gosh/a
  ./a .159
  2⤵
  PID:1717
- /tmp/gosh/a
  ./a .160
  2⤵
  PID:1718
- /tmp/gosh/a
  ./a .161
  2⤵
  PID:1719
- /tmp/gosh/a
  ./a .162
  2⤵
  PID:1720
- /tmp/gosh/a
  ./a .163
  2⤵
  PID:1721
- /tmp/gosh/a
  ./a .164
  2⤵
  PID:1722
- /tmp/gosh/a
  ./a .165
  2⤵
  PID:1723
- /tmp/gosh/a
  ./a .166
  2⤵
  PID:1724
- /tmp/gosh/a
  ./a .167
  2⤵
  PID:1725

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/gosh/info2

Filesize
27B

MD5
176cc35a4c2033f0b8415b228e43ef9a

SHA1
fea20e6170240e12abb1969a72dd2160b5bbeffe

SHA256
879af0d43308e769dd98b058c70139debaf32cec4e38468e2b70a594ca07126c

SHA512
a14f93dae504c3af640dcded90b7055643eb45f16a4b9a0eeadde3027b8eed5039b66e80a0162642c43903cdc1e57f9b37dc69990b737df8be8a48ae166d7d8f

Download Submit
/tmp/gosh/info2

Filesize
58B

MD5
5918e36a07ca38388c2c13f43cc1ba98

SHA1
69c6b025b6152166ef4bd9d6f089d3e11a330327

SHA256
e4406e7b27668619ca6862a415948a41f5750f44e1e65bb7c3e620b6531a1a70

SHA512
71a837652c629d66bdd3a7363c6949fd7d8b61e5ec7e300f1b4c393f4fa5a79bec463c7065da9889fa355cd0a12be9b8d809f95dc10b9df45cf1c82352589233

Download Submit
/tmp/gosh/info2

Filesize
119B

MD5
d5fbe875b1ef17f30a446604e65a4669

SHA1
3ba3a1cd3a8f51382b5bb3a08bd1e733c75fb70a

SHA256
193423d5e5856d564d7decae4288071d6f723c1632f3393f1191b05db646e37d

SHA512
461a9208411260ff1e2eb14a5500cf54ad8d934c187e3a81fe14693c5f4f9ea6a324bf19551a21e1902ca81646d9e623aea6e3434ebaf8ff228cbcccaa6a0eac

Download Submit
/tmp/gosh/info2

Filesize
152B

MD5
e5d438c2de236c918af0d63a241bd58a

SHA1
916b09183c27cfcae53dc57113840dbf934212bf

SHA256
0064020d94a9a5de6cf6931d180b4955c15df5567756da8bf1a820dafcbbc3c9

SHA512
662d8a8ad064400e90dbd25bdc00dae2bf5241d4b0f28f935a237953b655284624edc052bfba4a5018c0e69d9f43c01d979b8faeacdf29eb1dab808f4fc6df6e

Download Submit
/tmp/gosh/info2

Filesize
284B

MD5
03b6ada7be1a5b30db31a283b955e9d2

SHA1
f56e5427cd7b629d8d041475e63d985db434bd6a

SHA256
e64998d5de5e8a83016d98691e80809e75f39f6cd47bd8ff37f67065ee565e43

SHA512
8ef4d1731c79d963d1ff303384383e0b8c4504539be5879d843e039b279e6dcc01b43cd7692970e81e3e326c5b979b0a807359965f75a8c18d46a0f15c97ac79

Download Submit