Overview

overview

7

Static

static

1

pg.sh

ubuntu-18.04-amd64

7

pg.sh

debian-9-armhf

7

pg.sh

debian-9-mips

1

pg.sh

debian-9-mipsel

7

Resubmissions

28-02-2024 16:39

240228-t5z9qsge8w 10

05-02-2024 16:30

240205-tzsygacbb5 7

Analysis

  • max time kernel
    14s
  • max time network
    12s
  • platform
    debian-9_armhf
  • resource
    debian9-armhf-20231215-en
  • resource tags

    arch:armhfimage:debian9-armhf-20231215-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
  • submitted
    05-02-2024 16:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    pg.sh

  • Size

    35KB

  • MD5

    2550990d2d52581b213e7c9305c392d3

  • SHA1

    f7f069915c9b97550dc1fb6cf631f6222416dcf5

  • SHA256

    8e27b76b3903312cc5e93f250d7cf90b7b999592d70dcf2922bb450023014006

  • SHA512

    a30d4a39203e6a98937e8670b7b3caaa63d2141fdf404bb28ca240d95cb7420bdfb8c695db81cc9c799e8818266600c137b8b0df2dfc69d7566bae64eee2ad50

  • SSDEEP

    768:X87XzQ5VFNcDAFLcIwgnoYq0xFB6ytguz:X3VF+D6cIwgos/z

Score
7/10
evasion

Malware Config

Signatures

  • Deletes system logs 1 TTPs 1 IoCs

    Deletes log file which contains global system messages. Adversaries may delete system logs to minimize their footprint.

    evasion
  • Flushes firewall rules 1 IoCs

    Flushes/ disables firewall rules inside the Linux kernel.

  • Attempts to change immutable files 6 IoCs

    Modifies inode attributes on the filesystem to allow changing of immutable files.

  • Reads CPU attributes 1 TTPs 3 IoCs
  • Reads runtime system information 24 IoCs

    Reads data from /proc virtual filesystem.

  • Writes file to tmp directory 1 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/pg.sh
    /tmp/pg.sh
    1⤵
    • Writes file to tmp directory
    PID:658
    • /bin/rm
      rm -rf /var/log/syslog
      2⤵
      • Deletes system logs
      PID:662
    • /usr/bin/chattr
      chattr -iua /tmp/
      2⤵
      • Attempts to change immutable files
      PID:664
    • /usr/bin/chattr
      chattr -iua /var/tmp/
      2⤵
      • Attempts to change immutable files
      PID:665
    • /usr/bin/chattr
      chattr -R -i /var/spool/cron
      2⤵
      • Attempts to change immutable files
      PID:670
    • /usr/bin/chattr
      chattr -i /etc/crontab
      2⤵
      • Attempts to change immutable files
      PID:672
    • /sbin/iptables
      iptables -F
      2⤵
      • Flushes firewall rules
      PID:674
    • /usr/bin/sudo
      sudo sysctl "kernel.nmi_watchdog=0"
      2⤵
      • Reads runtime system information
      PID:678
      • /sbin/sysctl
        sysctl "kernel.nmi_watchdog=0"
        3⤵
        • Reads CPU attributes
        • Reads runtime system information
        PID:688
    • /usr/sbin/userdel
      userdel akay
      2⤵
      • Reads runtime system information
      PID:690
    • /usr/sbin/userdel
      userdel vfinder
      2⤵
      • Reads runtime system information
      PID:693
    • /usr/bin/chattr
      chattr -iae /root/.ssh/
      2⤵
      • Attempts to change immutable files
      PID:694
    • /usr/bin/chattr
      chattr -iae /root/.ssh/authorized_keys
      2⤵
      • Attempts to change immutable files
      PID:696
    • /bin/rm
      rm -rf "/tmp/addres*"
      2⤵
        PID:698
      • /bin/rm
        rm -rf "/tmp/walle*"
        2⤵
          PID:699
        • /bin/rm
          rm -rf /tmp/keys
          2⤵
            PID:700
          • /bin/grep
            grep -q "/var/lib/postgresql/data/pоstgres\\|atlas.x86\\|dotsh\\|/tmp/systemd-private-\\|bin/sysinit\\|.bin/xorg\\|nine.x86\\|data/pg_mem\\|/var/lib/postgresql/data/.*/memory\\|/var/tmp/.bin/systemd\\|balder\\|sys/systemd\\|rtw88_pcied\\|.bin/x\\|httpd_watchdog\\|/var/Sofia\\|3caec218-ce42-42da-8f58-970b22d131e9\\|/tmp/watchdog\\|cpu_hu\\|/tmp/Manager\\|/tmp/manh\\|/tmp/agettyd\\|/var/tmp/java\\|/var/lib/postgresql/data/pоstmaster\\|/memfd\\|/var/lib/postgresql/data/pgdata/pоstmaster\\|/tmp/.metabase/metabasew"
            2⤵
              PID:705
            • /bin/grep
              grep -q "/var/lib/postgresql/data/pоstgres\\|atlas.x86\\|dotsh\\|/tmp/systemd-private-\\|bin/sysinit\\|.bin/xorg\\|nine.x86\\|data/pg_mem\\|/var/lib/postgresql/data/.*/memory\\|/var/tmp/.bin/systemd\\|balder\\|sys/systemd\\|rtw88_pcied\\|.bin/x\\|httpd_watchdog\\|/var/Sofia\\|3caec218-ce42-42da-8f58-970b22d131e9\\|/tmp/watchdog\\|cpu_hu\\|/tmp/Manager\\|/tmp/manh\\|/tmp/agettyd\\|/var/tmp/java\\|/var/lib/postgresql/data/pоstmaster\\|/memfd\\|/var/lib/postgresql/data/pgdata/pоstmaster\\|/tmp/.metabase/metabasew"
              2⤵
                PID:712
              • /bin/grep
                grep -q "/var/lib/postgresql/data/pоstgres\\|atlas.x86\\|dotsh\\|/tmp/systemd-private-\\|bin/sysinit\\|.bin/xorg\\|nine.x86\\|data/pg_mem\\|/var/lib/postgresql/data/.*/memory\\|/var/tmp/.bin/systemd\\|balder\\|sys/systemd\\|rtw88_pcied\\|.bin/x\\|httpd_watchdog\\|/var/Sofia\\|3caec218-ce42-42da-8f58-970b22d131e9\\|/tmp/watchdog\\|cpu_hu\\|/tmp/Manager\\|/tmp/manh\\|/tmp/agettyd\\|/var/tmp/java\\|/var/lib/postgresql/data/pоstmaster\\|/memfd\\|/var/lib/postgresql/data/pgdata/pоstmaster\\|/tmp/.metabase/metabasew"
                2⤵
                  PID:719
                • /bin/grep
                  grep -q "/var/lib/postgresql/data/pоstgres\\|atlas.x86\\|dotsh\\|/tmp/systemd-private-\\|bin/sysinit\\|.bin/xorg\\|nine.x86\\|data/pg_mem\\|/var/lib/postgresql/data/.*/memory\\|/var/tmp/.bin/systemd\\|balder\\|sys/systemd\\|rtw88_pcied\\|.bin/x\\|httpd_watchdog\\|/var/Sofia\\|3caec218-ce42-42da-8f58-970b22d131e9\\|/tmp/watchdog\\|cpu_hu\\|/tmp/Manager\\|/tmp/manh\\|/tmp/agettyd\\|/var/tmp/java\\|/var/lib/postgresql/data/pоstmaster\\|/memfd\\|/var/lib/postgresql/data/pgdata/pоstmaster\\|/tmp/.metabase/metabasew"
                  2⤵
                    PID:724
                  • /bin/grep
                    grep -q "/var/lib/postgresql/data/pоstgres\\|atlas.x86\\|dotsh\\|/tmp/systemd-private-\\|bin/sysinit\\|.bin/xorg\\|nine.x86\\|data/pg_mem\\|/var/lib/postgresql/data/.*/memory\\|/var/tmp/.bin/systemd\\|balder\\|sys/systemd\\|rtw88_pcied\\|.bin/x\\|httpd_watchdog\\|/var/Sofia\\|3caec218-ce42-42da-8f58-970b22d131e9\\|/tmp/watchdog\\|cpu_hu\\|/tmp/Manager\\|/tmp/manh\\|/tmp/agettyd\\|/var/tmp/java\\|/var/lib/postgresql/data/pоstmaster\\|/memfd\\|/var/lib/postgresql/data/pgdata/pоstmaster\\|/tmp/.metabase/metabasew"
                    2⤵
                      PID:729
                    • /bin/grep
                      grep -q "/var/lib/postgresql/data/pоstgres\\|atlas.x86\\|dotsh\\|/tmp/systemd-private-\\|bin/sysinit\\|.bin/xorg\\|nine.x86\\|data/pg_mem\\|/var/lib/postgresql/data/.*/memory\\|/var/tmp/.bin/systemd\\|balder\\|sys/systemd\\|rtw88_pcied\\|.bin/x\\|httpd_watchdog\\|/var/Sofia\\|3caec218-ce42-42da-8f58-970b22d131e9\\|/tmp/watchdog\\|cpu_hu\\|/tmp/Manager\\|/tmp/manh\\|/tmp/agettyd\\|/var/tmp/java\\|/var/lib/postgresql/data/pоstmaster\\|/memfd\\|/var/lib/postgresql/data/pgdata/pоstmaster\\|/tmp/.metabase/metabasew"
                      2⤵
                        PID:736
                      • /bin/grep
                        grep -q "/var/lib/postgresql/data/pоstgres\\|atlas.x86\\|dotsh\\|/tmp/systemd-private-\\|bin/sysinit\\|.bin/xorg\\|nine.x86\\|data/pg_mem\\|/var/lib/postgresql/data/.*/memory\\|/var/tmp/.bin/systemd\\|balder\\|sys/systemd\\|rtw88_pcied\\|.bin/x\\|httpd_watchdog\\|/var/Sofia\\|3caec218-ce42-42da-8f58-970b22d131e9\\|/tmp/watchdog\\|cpu_hu\\|/tmp/Manager\\|/tmp/manh\\|/tmp/agettyd\\|/var/tmp/java\\|/var/lib/postgresql/data/pоstmaster\\|/memfd\\|/var/lib/postgresql/data/pgdata/pоstmaster\\|/tmp/.metabase/metabasew"
                        2⤵
                          PID:743
                      • /usr/sbin/sendmail
                        sendmail -t
                        1⤵
                        • Reads runtime system information
                        PID:684
                        • /usr/sbin/exim4
                          /usr/sbin/exim4 -Mc 1rX0vI-0000B2-Uk
                          2⤵
                          • Reads CPU attributes
                          PID:695
                      • /usr/sbin/sendmail
                        sendmail -t
                        1⤵
                        • Reads runtime system information
                        PID:687
                        • /usr/sbin/exim4
                          /usr/sbin/exim4 -Mc 1rX0vJ-0000B5-7M
                          2⤵
                          • Reads CPU attributes
                          PID:697
                      • /bin/ls
                        ls -latrh /proc/1
                        1⤵
                        • Reads runtime system information
                        PID:702
                      • /bin/grep
                        grep exe
                        1⤵
                          PID:703
                        • /bin/ls
                          ls -latrh /proc/10
                          1⤵
                          • Reads runtime system information
                          PID:707
                        • /bin/grep
                          grep exe
                          1⤵
                            PID:708
                          • /bin/grep
                            grep exe
                            1⤵
                              PID:717
                            • /bin/ls
                              ls -latrh /proc/105
                              1⤵
                              • Reads runtime system information
                              PID:716
                            • /bin/ls
                              ls -latrh /proc/107
                              1⤵
                              • Reads runtime system information
                              PID:721
                            • /bin/grep
                              grep exe
                              1⤵
                                PID:722
                              • /bin/ls
                                ls -latrh /proc/108
                                1⤵
                                • Reads runtime system information
                                PID:726
                              • /bin/grep
                                grep exe
                                1⤵
                                  PID:727
                                • /bin/ls
                                  ls -latrh /proc/11
                                  1⤵
                                  • Reads runtime system information
                                  PID:732
                                • /bin/grep
                                  grep exe
                                  1⤵
                                    PID:733
                                  • /bin/ls
                                    ls -latrh /proc/12
                                    1⤵
                                    • Reads runtime system information
                                    PID:739
                                  • /bin/grep
                                    grep exe
                                    1⤵
                                      PID:740

                                    Network

                                    MITRE ATT&CK Enterprise v15

                                    Replay Monitor

                                    Loading Replay Monitor...

                                    Downloads

                                    • /tmp/log_rot
                                      Filesize

                                      5B

                                      MD5

                                      727479ef7cedf30c03459bec7d87b0f0

                                      SHA1

                                      2082e7f715f058acab2398d25d135cf5f4c0ce41

                                      SHA256

                                      29872037c9573567744ef10ed2de57864ded7554c9fa2ef03fc1244c65794ba6

                                      SHA512

                                      4cb59d37f8481f9bb2745f494baa0910a68aad40ac2903ef1513547e091e1e772a5f9436f789ab91fcafb75b8a28c2112ede89004be41f33c01d936b542ca6ba

                                      Download Submit

                                    • /var/mail/user
                                      Filesize

                                      820B

                                      MD5

                                      7515eec6c67426e420d002800bbab947

                                      SHA1

                                      800758f9cdb4f653fdf3045b5f8f42e0dd7eb779

                                      SHA256

                                      a3fecb84b246adba2c79d180db1a9e45bae1d6c23bfb2b6010490118de7cc145

                                      SHA512

                                      d6d7ba4e680ecf99dc267bae98a663f30199d7050af3cdbfa4859896a8d62590c96b964548a2421860d45890ded621995e28061ab09182ba4416c55a09d48d4a

                                      Download Submit

                                    • /var/mail/user
                                      Filesize

                                      1KB

                                      MD5

                                      74aeafa75559768bc9deb3bfa112414a

                                      SHA1

                                      0431fad5efb76e5323c7d50da2b8e61ab7734c30

                                      SHA256

                                      6ee05699b874c730798fa419bc9ba10e33cc4d18d3cdbabf7e0ca628d99a2454

                                      SHA512

                                      72415cdb56be8076d061358c887197f2bbf7f959e6fe320132fdce286621ea0bc8d62ed7c3855b02aff42db465e73f3de5e4d0f5816c36cc49a974ef5401deda

                                      Download Submit

                                    • /var/spool/exim4/input/1rX0vI-0000B2-Uk-D
                                      Filesize

                                      126B

                                      MD5

                                      f8bf9eadfb2f0d74c0fbfb4d651f3a48

                                      SHA1

                                      58a4a0ef4a64199968c315a38ac99c5209a50185

                                      SHA256

                                      33b8a0741864ffa262a3d5bf9a92a7714d12c5cb4c2eb5c444d1336fd15f9369

                                      SHA512

                                      940fd0c3a3f0a6ecbc994bad74e823b2a5d0fc5149dd26e9b176313df21927f97a44c64920240ef3ca3a80f57ff4cffb200e55aaf74ca0b6a97c0c98920cd410

                                      Download Submit

                                    • /var/spool/exim4/input/1rX0vI-0000B2-Uk-J
                                      Filesize

                                      34B

                                      MD5

                                      d7d96d63d643a4ce3e408eba7dfcedc5

                                      SHA1

                                      c53607f95c5c57beafc1d8266646797a035f76ea

                                      SHA256

                                      21db3a59b2d0ce18fb250b787d6e2c85d12919f5fdf1448c8f48207c4083b159

                                      SHA512

                                      703a03e54776a6ad9b8adc6c475bbc91c06502618fa3b6f495b1a01a4f6f7aa6fb65dc6ba6885ddc6af961627062f1ce1e1d66688288cbd3bef7754d249fa9b3

                                      Download Submit

                                    • /var/spool/exim4/input/1rX0vJ-0000B5-7M-D
                                      Filesize

                                      145B

                                      MD5

                                      6a9608dd95967ec27129987920c0ba27

                                      SHA1

                                      0585031e2d1030476b043fdf63d4f269fc27e8d5

                                      SHA256

                                      8570224504fba66d23551b8c05226b0d86df0286f28a6d637db19af969cef3e8

                                      SHA512

                                      4736f0dc8e72ab7477537b486b051cc84364ee4cf00861e2b0793f34a6b66dcbf56b4010fc621b3c2420c3164f013e07303f9af078c42a16b463b76b309e495a

                                      Download Submit

                                    • /var/spool/exim4/input/hdr.684
                                      Filesize

                                      912B

                                      MD5

                                      89f0934a24d7256c4e5adc504c540631

                                      SHA1

                                      945552d2a4c2bef4cdaf2ec4b4fb861893576a68

                                      SHA256

                                      9742ff1bb8f51b783198d210ee9cbc98b9af8966fe5d751f3958886fdbb120b6

                                      SHA512

                                      4bafb1a2da509af5a8d3f9fa0d652228a3906f9bba893d978189d637fe3bf0a41baf68e6bf13ba968d6ef02679deb1d8e0461c2341d30f609cf5247a747154b3

                                      Download Submit

                                    • /var/spool/exim4/input/hdr.687
                                      Filesize

                                      912B

                                      MD5

                                      9d04cdbb20070a851b72d43664e1abe9

                                      SHA1

                                      79d711973fd7b013d13f3e104f210e96a07ba183

                                      SHA256

                                      826cb6324b21f679ceaf8ac3188914797093d79a24224969013825789aaeae67

                                      SHA512

                                      aa45f1be22b1cae8ca04e3f9e948cb2ee9b2bb6147419fdced662922548a6ade3c5a51379b61427f4c775c0efd6e1e6bca905599e7741485037fb95b35b9b645

                                      Download Submit

                                    • /var/spool/exim4/msglog/1rX0vI-0000B2-Uk
                                      Filesize

                                      288B

                                      MD5

                                      8983432b9a3eafc920028f0d16c7f3fa

                                      SHA1

                                      242fcc7b1b65d2151d2a0e7538cc1e416a7eb716

                                      SHA256

                                      11cc86d947124fd436364a1e2a0dc2dbe196deeb80371893ae0833aaa3e9dba9

                                      SHA512

                                      d595e0f7d9f2a01b60331ba8745701ba08d37fba5b81af63dfee6a461c4008d05c18591a02e58fed6f05339aee3fed6b39c48d1e9c6b324199edd62bab0aee25

                                      Download Submit

                                    • /var/spool/exim4/msglog/1rX0vI-0000B2-Uk
                                      Filesize

                                      89B

                                      MD5

                                      eb7ef05fa1cd83e36bcd377a738f7a41

                                      SHA1

                                      ad3f444679bb8ed5c4038f05215bcac20b376036

                                      SHA256

                                      8312c39c828d6eb46ce012a9823ec46567c4e8966096311af70027deab134772

                                      SHA512

                                      ed63a4d0dadb8b68476700a3839d4edd1df44052eead3a1183b52a0893a11587e75ff1eeddf973e3600df217363abeb5a38d37488003f49100affd097b0e9ccd

                                      Download Submit

                                    • /var/spool/exim4/msglog/1rX0vJ-0000B5-7M
                                      Filesize

                                      288B

                                      MD5

                                      a5ea5a01c14d58e292964a796cbcb26f

                                      SHA1

                                      552a65f58bff6f4de41ebbb56ff49fd17f9b4ce3

                                      SHA256

                                      210d26e4803ec689f230503e9029bbf37edcef7bbc2b2976671972072090917d

                                      SHA512

                                      5a76cf5bd8b917671c18f48632456abe54f5e684e6c18bb3a5e1d38836872d0d1d9814feba236a1959fd533391fd1202b813bb1306c38dccd16467d4537b59cd

                                      Download Submit

                                    • /var/spool/exim4/msglog/1rX0vJ-0000B5-7M
                                      Filesize

                                      89B

                                      MD5

                                      3527c2481917a5c2d53f432982dc7e8f

                                      SHA1

                                      e4cdb3156622c7f220f21872c6c2cf6b81787b6f

                                      SHA256

                                      31dd2ff8d805ef9715a1bfe8984c1aa9bf93a51c5a5e7e61ff1b59a57be3f1ea

                                      SHA512

                                      9984fce96a4c4c0ade2c19b399ae49317cbf907cceb6def4f640c64287954d0c6fc084af4ec3ee5bbc91cfbe29e714dcffeb7e07d0e7e8782b43c6fa10a9400e

                                      Download Submit