05724d24487493904a39633fec07cc0110ee3c1cfe47d0cd1508a3ff68edf322

Analysis

max time kernel
92s
max time network
137s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20231215-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20231215-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
22-12-2023 13:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

gosh/scam
Size

4KB
MD5

5c878c64f37185a368eac850e748ca28
SHA1

67179b79b85ea4c8a68b3fa5989fa0586ba59cb3
SHA256

65f7062a00c89eab78d87087af9f6fcf89a781af717d449731b0c104ee1d5652
SHA512

f803b78b5a028068b6e67123abea53daa007fbbd5f08c34ccd63e1ac782797535c44262c1b212498bf38511bacc89216e69a2820cebdf523ede7bc404155305f
SSDEEP

96:XWtsfqymUyp8zW9wnqoZpIo2baUrKhI/uVcTR6bEkIev45CC5MDmNA36Rnw9Wz8V:TfqGeHbmf

Score

6^/10

Malware Config

Signatures

Reads CPU attributes 1 TTPs 1 IoCs

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	uptime

Reads runtime system information 6 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/sys/kernel/osrelease	uptime
File opened for reading	/proc/uptime	uptime
File opened for reading	/proc/loadavg	uptime
File opened for reading	/proc/filesystems	id
File opened for reading	/proc/sys/kernel/ngroups_max	id
File opened for reading	/proc/self/mountinfo	df

Writes file to tmp directory 2 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/gosh/info2	scam
File opened for modification	/tmp/gosh/info2	Process not Found

/tmp/gosh/scam
/tmp/gosh/scam
1⤵
- Writes file to tmp directory
PID:1535
- /sbin/ifconfig
  /sbin/ifconfig -a
  2⤵
  PID:1536
- /usr/bin/uptime
  uptime
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1537
- /bin/uname
  uname -a
  2⤵
  PID:1538
- /bin/cat
  cat /etc/issue
  2⤵
  PID:1539
- /bin/cat
  cat /etc/passwd
  2⤵
  PID:1540
- /usr/bin/id
  id
  2⤵
  - Reads runtime system information
  PID:1541
- /bin/df
  df -h
  2⤵
  - Reads runtime system information
  PID:1542
- /bin/rm
  rm -rf info2
  2⤵
  PID:1543
- /usr/bin/clear
  clear
  2⤵
  PID:1544
- /tmp/gosh/a
  ./a .0
  2⤵
  PID:1545
- /tmp/gosh/a
  ./a .1
  2⤵
  PID:1546
- /tmp/gosh/a
  ./a .2
  2⤵
  PID:1547
- /tmp/gosh/a
  ./a .3
  2⤵
  PID:1548
- /tmp/gosh/a
  ./a .4
  2⤵
  PID:1549
- /tmp/gosh/a
  ./a .5
  2⤵
  PID:1550
- /tmp/gosh/a
  ./a .6
  2⤵
  PID:1551
- /tmp/gosh/a
  ./a .7
  2⤵
  PID:1552
- /tmp/gosh/a
  ./a .8
  2⤵
  PID:1553
- /tmp/gosh/a
  ./a .9
  2⤵
  PID:1554
- /tmp/gosh/a
  ./a .10
  2⤵
  PID:1555
- /tmp/gosh/a
  ./a .11
  2⤵
  PID:1556
- /tmp/gosh/a
  ./a .12
  2⤵
  PID:1557
- /tmp/gosh/a
  ./a .13
  2⤵
  PID:1558
- /tmp/gosh/a
  ./a .14
  2⤵
  PID:1559
- /tmp/gosh/a
  ./a .15
  2⤵
  PID:1560
- /tmp/gosh/a
  ./a .16
  2⤵
  PID:1561
- /tmp/gosh/a
  ./a .17
  2⤵
  PID:1562
- /tmp/gosh/a
  ./a .18
  2⤵
  PID:1563
- /tmp/gosh/a
  ./a .19
  2⤵
  PID:1567
- /tmp/gosh/a
  ./a .20
  2⤵
  PID:1568
- /tmp/gosh/a
  ./a .21
  2⤵
  PID:1569
- /tmp/gosh/a
  ./a .22
  2⤵
  PID:1570
- /tmp/gosh/a
  ./a .23
  2⤵
  PID:1571
- /tmp/gosh/a
  ./a .24
  2⤵
  PID:1572
- /tmp/gosh/a
  ./a .25
  2⤵
  PID:1573
- /tmp/gosh/a
  ./a .26
  2⤵
  PID:1574
- /tmp/gosh/a
  ./a .27
  2⤵
  PID:1575
- /tmp/gosh/a
  ./a .28
  2⤵
  PID:1576
- /tmp/gosh/a
  ./a .29
  2⤵
  PID:1577
- /tmp/gosh/a
  ./a .30
  2⤵
  PID:1578
- /tmp/gosh/a
  ./a .31
  2⤵
  PID:1579
- /tmp/gosh/a
  ./a .32
  2⤵
  PID:1580
- /tmp/gosh/a
  ./a .33
  2⤵
  PID:1581
- /tmp/gosh/a
  ./a .34
  2⤵
  PID:1582
- /tmp/gosh/a
  ./a .35
  2⤵
  PID:1583
- /tmp/gosh/a
  ./a .36
  2⤵
  PID:1584
- /tmp/gosh/a
  ./a .37
  2⤵
  PID:1585
- /tmp/gosh/a
  ./a .38
  2⤵
  PID:1586
- /tmp/gosh/a
  ./a .39
  2⤵
  PID:1587
- /tmp/gosh/a
  ./a .40
  2⤵
  PID:1588
- /tmp/gosh/a
  ./a .41
  2⤵
  PID:1589
- /tmp/gosh/a
  ./a .42
  2⤵
  PID:1590
- /tmp/gosh/a
  ./a .43
  2⤵
  PID:1591
- /tmp/gosh/a
  ./a .44
  2⤵
  PID:1592
- /tmp/gosh/a
  ./a .45
  2⤵
  PID:1593
- /tmp/gosh/a
  ./a .46
  2⤵
  PID:1594
- /tmp/gosh/a
  ./a .47
  2⤵
  PID:1595
- /tmp/gosh/a
  ./a .48
  2⤵
  PID:1596
- /tmp/gosh/a
  ./a .49
  2⤵
  PID:1597
- /tmp/gosh/a
  ./a .50
  2⤵
  PID:1598
- /tmp/gosh/a
  ./a .51
  2⤵
  PID:1599
- /tmp/gosh/a
  ./a .52
  2⤵
  PID:1600
- /tmp/gosh/a
  ./a .53
  2⤵
  PID:1601
- /tmp/gosh/a
  ./a .54
  2⤵
  PID:1602
- /tmp/gosh/a
  ./a .55
  2⤵
  PID:1603
- /tmp/gosh/a
  ./a .56
  2⤵
  PID:1604
- /tmp/gosh/a
  ./a .57
  2⤵
  PID:1605
- /tmp/gosh/a
  ./a .58
  2⤵
  PID:1606
- /tmp/gosh/a
  ./a .59
  2⤵
  PID:1607
- /tmp/gosh/a
  ./a .60
  2⤵
  PID:1608
- /tmp/gosh/a
  ./a .61
  2⤵
  PID:1609
- /tmp/gosh/a
  ./a .62
  2⤵
  PID:1610
- /tmp/gosh/a
  ./a .63
  2⤵
  PID:1611
- /tmp/gosh/a
  ./a .64
  2⤵
  PID:1612
- /tmp/gosh/a
  ./a .65
  2⤵
  PID:1613
- /tmp/gosh/a
  ./a .66
  2⤵
  PID:1614
- /tmp/gosh/a
  ./a .67
  2⤵
  PID:1615
- /tmp/gosh/a
  ./a .68
  2⤵
  PID:1616
- /tmp/gosh/a
  ./a .69
  2⤵
  PID:1617
- /tmp/gosh/a
  ./a .70
  2⤵
  PID:1618
- /tmp/gosh/a
  ./a .71
  2⤵
  PID:1619
- /tmp/gosh/a
  ./a .72
  2⤵
  PID:1620
- /tmp/gosh/a
  ./a .73
  2⤵
  PID:1621
- /tmp/gosh/a
  ./a .74
  2⤵
  PID:1622
- /tmp/gosh/a
  ./a .75
  2⤵
  PID:1623
- /tmp/gosh/a
  ./a .76
  2⤵
  PID:1624
- /tmp/gosh/a
  ./a .77
  2⤵
  PID:1625
- /tmp/gosh/a
  ./a .78
  2⤵
  PID:1626
- /tmp/gosh/a
  ./a .79
  2⤵
  PID:1627
- /tmp/gosh/a
  ./a .80
  2⤵
  PID:1628
- /tmp/gosh/a
  ./a .81
  2⤵
  PID:1629
- /tmp/gosh/a
  ./a .82
  2⤵
  PID:1630
- /tmp/gosh/a
  ./a .83
  2⤵
  PID:1631
- /tmp/gosh/a
  ./a .84
  2⤵
  PID:1632
- /tmp/gosh/a
  ./a .85
  2⤵
  PID:1633
- /tmp/gosh/a
  ./a .86
  2⤵
  PID:1634
- /tmp/gosh/a
  ./a .87
  2⤵
  PID:1635
- /tmp/gosh/a
  ./a .88
  2⤵
  PID:1636
- /tmp/gosh/a
  ./a .89
  2⤵
  PID:1637
- /tmp/gosh/a
  ./a .90
  2⤵
  PID:1638
- /tmp/gosh/a
  ./a .91
  2⤵
  PID:1639
- /tmp/gosh/a
  ./a .92
  2⤵
  PID:1640
- /tmp/gosh/a
  ./a .93
  2⤵
  PID:1641
- /tmp/gosh/a
  ./a .94
  2⤵
  PID:1642
- /tmp/gosh/a
  ./a .95
  2⤵
  PID:1643
- /tmp/gosh/a
  ./a .96
  2⤵
  PID:1644
- /tmp/gosh/a
  ./a .97
  2⤵
  PID:1645
- /tmp/gosh/a
  ./a .98
  2⤵
  PID:1646
- /tmp/gosh/a
  ./a .99
  2⤵
  PID:1647
- /tmp/gosh/a
  ./a .100
  2⤵
  PID:1648
- /tmp/gosh/a
  ./a .101
  2⤵
  PID:1649
- /tmp/gosh/a
  ./a .102
  2⤵
  PID:1650
- /tmp/gosh/a
  ./a .103
  2⤵
  PID:1651
- /tmp/gosh/a
  ./a .104
  2⤵
  PID:1652
- /tmp/gosh/a
  ./a .105
  2⤵
  PID:1653
- /tmp/gosh/a
  ./a .106
  2⤵
  PID:1654
- /tmp/gosh/a
  ./a .107
  2⤵
  PID:1655
- /tmp/gosh/a
  ./a .108
  2⤵
  PID:1656
- /tmp/gosh/a
  ./a .109
  2⤵
  PID:1657
- /tmp/gosh/a
  ./a .110
  2⤵
  PID:1658
- /tmp/gosh/a
  ./a .111
  2⤵
  PID:1659
- /tmp/gosh/a
  ./a .112
  2⤵
  PID:1660
- /tmp/gosh/a
  ./a .113
  2⤵
  PID:1661
- /tmp/gosh/a
  ./a .114
  2⤵
  PID:1662
- /tmp/gosh/a
  ./a .115
  2⤵
  PID:1663
- /tmp/gosh/a
  ./a .116
  2⤵
  PID:1664
- /tmp/gosh/a
  ./a .117
  2⤵
  PID:1665
- /tmp/gosh/a
  ./a .118
  2⤵
  PID:1666
- /tmp/gosh/a
  ./a .119
  2⤵
  PID:1667
- /tmp/gosh/a
  ./a .120
  2⤵
  PID:1668
- /tmp/gosh/a
  ./a .121
  2⤵
  PID:1669
- /tmp/gosh/a
  ./a .122
  2⤵
  PID:1670
- /tmp/gosh/a
  ./a .123
  2⤵
  PID:1671
- /tmp/gosh/a
  ./a .124
  2⤵
  PID:1672
- /tmp/gosh/a
  ./a .125
  2⤵
  PID:1673
- /tmp/gosh/a
  ./a .126
  2⤵
  PID:1674
- /tmp/gosh/a
  ./a .127
  2⤵
  PID:1675
- /tmp/gosh/a
  ./a .128
  2⤵
  PID:1676
- /tmp/gosh/a
  ./a .129
  2⤵
  PID:1677
- /tmp/gosh/a
  ./a .13
  2⤵
  PID:1678
- /tmp/gosh/a
  ./a .131
  2⤵
  PID:1679
- /tmp/gosh/a
  ./a .132
  2⤵
  PID:1680
- /tmp/gosh/a
  ./a .133
  2⤵
  PID:1683
- /tmp/gosh/a
  ./a .134
  2⤵
  PID:1684
- /tmp/gosh/a
  ./a .135
  2⤵
  PID:1685
- /tmp/gosh/a
  ./a .136
  2⤵
  PID:1686
- /tmp/gosh/a
  ./a .137
  2⤵
  PID:1687
- /tmp/gosh/a
  ./a .138
  2⤵
  PID:1688
- /tmp/gosh/a
  ./a .139
  2⤵
  PID:1689
- /tmp/gosh/a
  ./a .140
  2⤵
  PID:1690
- /tmp/gosh/a
  ./a .141
  2⤵
  PID:1691
- /tmp/gosh/a
  ./a .142
  2⤵
  PID:1692
- /tmp/gosh/a
  ./a .143
  2⤵
  PID:1693
- /tmp/gosh/a
  ./a .144
  2⤵
  PID:1694
- /tmp/gosh/a
  ./a .145
  2⤵
  PID:1695
- /tmp/gosh/a
  ./a .146
  2⤵
  PID:1696
- /tmp/gosh/a
  ./a .147
  2⤵
  PID:1697
- /tmp/gosh/a
  ./a .148
  2⤵
  PID:1698
- /tmp/gosh/a
  ./a .149
  2⤵
  PID:1699
- /tmp/gosh/a
  ./a .150
  2⤵
  PID:1700
- /tmp/gosh/a
  ./a .151
  2⤵
  PID:1701
- /tmp/gosh/a
  ./a .152
  2⤵
  PID:1702
- /tmp/gosh/a
  ./a .153
  2⤵
  PID:1703
- /tmp/gosh/a
  ./a .154
  2⤵
  PID:1704
- /tmp/gosh/a
  ./a .155
  2⤵
  PID:1705
- /tmp/gosh/a
  ./a .156
  2⤵
  PID:1706
- /tmp/gosh/a
  ./a .157
  2⤵
  PID:1707
- /tmp/gosh/a
  ./a .158
  2⤵
  PID:1708
- /tmp/gosh/a
  ./a .159
  2⤵
  PID:1709
- /tmp/gosh/a
  ./a .160
  2⤵
  PID:1710
- /tmp/gosh/a
  ./a .161
  2⤵
  PID:1711
- /tmp/gosh/a
  ./a .162
  2⤵
  PID:1712
- /tmp/gosh/a
  ./a .163
  2⤵
  PID:1713
- /tmp/gosh/a
  ./a .164
  2⤵
  PID:1714
- /tmp/gosh/a
  ./a .165
  2⤵
  PID:1715
- /tmp/gosh/a
  ./a .166
  2⤵
  PID:1716
- /tmp/gosh/a
  ./a .167
  2⤵
  PID:1717
- /tmp/gosh/a
  ./a .168
  2⤵
  PID:1718

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/gosh/info2

Filesize
27B

MD5
210e3691abde94aba36fd981c007118b

SHA1
fbed82767e1e597632436aa2b4d5aed2c2585ac2

SHA256
a9913f505a1275a5c00a630ae232b04a982bb19efa5b00d5e22ca14e414b84c9

SHA512
65a8f42b99268ba4bc17f51f0e2e17d530b344c80bc483c510014bbf2920715517f5be0f770e30f55e1f2603f203fd4af9295bd979a82897e15b1593f08e1580

Download Submit
/tmp/gosh/info2

Filesize
54B

MD5
a2709419d80ba6b7fb126a5ed3cbebf1

SHA1
2400112d846a896b8bfee9d8c1791718ef0695b8

SHA256
24259785df747f8a38f250211b544b5885e937254a0a3d17658696f8515ca20a

SHA512
2f897325d3791ab80619d52978907900e0431518ae44906d06ccfe0dcae412c3d46a034f40da724bd4045d9c33258478bb6c96d33ea0f6c649ac81b7d4a62e8d

Download Submit
/tmp/gosh/info2

Filesize
85B

MD5
68e6530a51c4c7bf17dcf7051a6be710

SHA1
81380900211b5eca427f5632ff97cfd91eaaf7eb

SHA256
0b17dee730444d635adf2892a570927015e1bac71bf869df56bf25d104b1f529

SHA512
a103bbcdee57bafed8aa53eb08723aa1653e6e426e66ab6a1aca2e43f94200a2efd9288b0f51f67cc350beb08eb9648432e05feaca95f80179d6701c95b577e0

Download Submit
/tmp/gosh/info2

Filesize
146B

MD5
378f8a71493f24c3e91b5aec2ce2cb3f

SHA1
d208f12626b272c3dc752584f69abb96e0a4168a

SHA256
5450bfa6bfe21c9422ef59c335b0472d3ff614fa74bf6dd12894bf1123e6c1c7

SHA512
0ea8b45599b278ebfceed7780326e4f75e7e962b90aef96e158b0242489c1cbaadc8d30ee897052531896b307401af1ed9f024e56f0a2544386711f7544ab903

Download Submit
/tmp/gosh/info2

Filesize
179B

MD5
7eef2998194a372b9291f7612b6c9cf7

SHA1
8b45c138565cc45b57d1c62aac55b22832590b9e

SHA256
0f953c9194c23b0d87dab698612dc8e930e5c93d4e30df69b8648e420dfa5551

SHA512
ea53309f49fc6fb292f1c3c4cae8a10e618c69c49b7af7fa6edcfa4cd700a50e8de9c80d9f4b9b180ed37a0f3da012a81fad7632b67e19261307a6ec643fbe2a

Download Submit
/tmp/gosh/info2

Filesize
3KB

MD5
d014240d1cc676f364ee654f56c8c459

SHA1
113b7caab31d41b2e48a7a099dd5505a71f954d0

SHA256
e107e3595a97bc8cf5071b679c357e3feee2a53a5b84e9ad8a154d395422dd2f

SHA512
394df1c1a103dd791f3e327a6b623ff8d84f64e3aac10a817c0152fc5e5f3513b4d34b7570c5734a5db00054270ac1ce176d97418bb33e5f9f842f4eebec6584

Download Submit