Analysis
- max time kernel: 14s
- max time network: 12s
- platform: debian-9_armhf
- resource: debian9-armhf-20231215-en
- resource tags: arch:armhf, image:debian9-armhf-20231215-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
- submitted: 05-02-2024 16:30
Static task
- static1

Behavioral tasks
- behavioral1: Sample pg.sh, Resource ubuntu1804-amd64-20231215-en
- behavioral2: Sample pg.sh, Resource debian9-armhf-20231215-en
- behavioral3: Sample pg.sh, Resource debian9-mipsbe-20231215-en
- behavioral4: Sample pg.sh, Resource debian9-mipsel-20231215-en
General
- Target: pg.sh
- Size: 35KB
- MD5: 2550990d2d52581b213e7c9305c392d3
- SHA1: f7f069915c9b97550dc1fb6cf631f6222416dcf5
- SHA256: 8e27b76b3903312cc5e93f250d7cf90b7b999592d70dcf2922bb450023014006
- SHA512: a30d4a39203e6a98937e8670b7b3caaa63d2141fdf404bb28ca240d95cb7420bdfb8c695db81cc9c799e8818266600c137b8b0df2dfc69d7566bae64eee2ad50
- SSDEEP: 768:X87XzQ5VFNcDAFLcIwgnoYq0xFB6ytguz:X3VF+D6cIwgos/z
Malware Config
Signatures

- Deletes system logs (1 TTPs, 1 IoCs)
  Deletes log file which contains global system messages. Adversaries may delete system logs to minimize their footprint.
  - File deleted: /var/log/syslog (Process: rm)

- Flushes firewall rules (1 IoCs)
  Flushes/disables firewall rules inside the Linux kernel.
  - PID 674: iptables

- Attempts to change immutable files (6 IoCs)
  Modifies inode attributes on the filesystem to allow changing of immutable files.
  - PID 664: chattr
  - PID 665: chattr
  - PID 670: chattr
  - PID 672: chattr
  - PID 694: chattr
  - PID 696: chattr

- Reads CPU attributes (1 TTPs, 3 IoCs)
  - File opened for reading: /sys/devices/system/cpu/online (Process: sysctl)
  - File opened for reading: /sys/devices/system/cpu/online (Process: exim4)
  - File opened for reading: /sys/devices/system/cpu/online (Process: exim4)

- Reads runtime system information (24 IoCs)
  Reads data from /proc virtual filesystem.
  - File opened for reading: /proc/filesystems (Process: ls)
  - File opened for reading: /proc/11 (Process: ls)
  - File opened for reading: /proc/sys/kernel/ngroups_max (Process: sudo)
  - File opened for reading: /proc/filesystems (Process: sysctl)
  - File opened for reading: /proc/sys/kernel/ngroups_max (Process: sendmail)
  - File opened for reading: /proc/105 (Process: ls)
  - File opened for reading: /proc/self/stat (Process: sudo)
  - File opened for reading: /proc/10 (Process: ls)
  - File opened for reading: /proc/filesystems (Process: ls)
  - File opened for reading: /proc/filesystems (Process: ls)
  - File opened for reading: /proc/107 (Process: ls)
  - File opened for reading: /proc/filesystems (Process: sudo)
  - File opened for reading: /proc/filesystems (Process: userdel)
  - File opened for reading: /proc/filesystems (Process: userdel)
  - File opened for reading: /proc/1 (Process: ls)
  - File opened for reading: /proc/filesystems (Process: ls)
  - File opened for reading: /proc/filesystems (Process: ls)
  - File opened for reading: /proc/filesystems (Process: ls)
  - File opened for reading: /proc/108 (Process: ls)
  - File opened for reading: /proc/self/fd (Process: Process not Found)
  - File opened for reading: /proc/sys/kernel/osrelease (Process: sysctl)
  - File opened for reading: /proc/sys/kernel/ngroups_max (Process: sendmail)
  - File opened for reading: /proc/filesystems (Process: ls)
  - File opened for reading: /proc/12 (Process: ls)

- Writes file to tmp directory (1 IoCs)
  Malware often drops required files in the /tmp directory.
  - File opened for modification: /tmp/log_rot (Process: pg.sh)
Processes (image: command line, PID, matched signatures; indentation shows the parent/child relationship)

- /tmp/pg.sh: /tmp/pg.sh (PID:658) [Writes file to tmp directory]
  - /bin/rm: rm -rf /var/log/syslog (PID:662) [Deletes system logs]
  - /usr/bin/chattr: chattr -iua /tmp/ (PID:664) [Attempts to change immutable files]
  - /usr/bin/chattr: chattr -iua /var/tmp/ (PID:665) [Attempts to change immutable files]
  - /usr/bin/chattr: chattr -R -i /var/spool/cron (PID:670) [Attempts to change immutable files]
  - /usr/bin/chattr: chattr -i /etc/crontab (PID:672) [Attempts to change immutable files]
  - /sbin/iptables: iptables -F (PID:674) [Flushes firewall rules]
  - /usr/bin/sudo: sudo sysctl "kernel.nmi_watchdog=0" (PID:678) [Reads runtime system information]
    - /sbin/sysctl: sysctl "kernel.nmi_watchdog=0" (PID:688) [Reads CPU attributes; Reads runtime system information]
  - /usr/sbin/userdel: userdel akay (PID:690) [Reads runtime system information]
  - /usr/sbin/userdel: userdel vfinder (PID:693) [Reads runtime system information]
  - /usr/bin/chattr: chattr -iae /root/.ssh/ (PID:694) [Attempts to change immutable files]
  - /usr/bin/chattr: chattr -iae /root/.ssh/authorized_keys (PID:696) [Attempts to change immutable files]
  - /bin/rm: rm -rf "/tmp/addres*" (PID:698)
  - /bin/rm: rm -rf "/tmp/walle*" (PID:699)
  - /bin/rm: rm -rf /tmp/keys (PID:700)
  - /bin/grep: grep -q "/var/lib/postgresql/data/pоstgres\\|atlas.x86\\|dotsh\\|/tmp/systemd-private-\\|bin/sysinit\\|.bin/xorg\\|nine.x86\\|data/pg_mem\\|/var/lib/postgresql/data/.*/memory\\|/var/tmp/.bin/systemd\\|balder\\|sys/systemd\\|rtw88_pcied\\|.bin/x\\|httpd_watchdog\\|/var/Sofia\\|3caec218-ce42-42da-8f58-970b22d131e9\\|/tmp/watchdog\\|cpu_hu\\|/tmp/Manager\\|/tmp/manh\\|/tmp/agettyd\\|/var/tmp/java\\|/var/lib/postgresql/data/pоstmaster\\|/memfd\\|/var/lib/postgresql/data/pgdata/pоstmaster\\|/tmp/.metabase/metabasew" (PIDs 705, 712, 719, 724, 729, 736, 743; the same command was run seven times)
- /usr/sbin/sendmail: sendmail -t (PID:684) [Reads runtime system information]
  - /usr/sbin/exim4: /usr/sbin/exim4 -Mc 1rX0vI-0000B2-Uk (PID:695) [Reads CPU attributes]
- /usr/sbin/sendmail: sendmail -t (PID:687) [Reads runtime system information]
  - /usr/sbin/exim4: /usr/sbin/exim4 -Mc 1rX0vJ-0000B5-7M (PID:697) [Reads CPU attributes]
- /bin/ls: ls -latrh /proc/1 (PID:702) [Reads runtime system information]
- /bin/grep: grep exe (PID:703)
- /bin/ls: ls -latrh /proc/10 (PID:707) [Reads runtime system information]
- /bin/grep: grep exe (PID:708)
- /bin/grep: grep exe (PID:717)
- /bin/ls: ls -latrh /proc/105 (PID:716) [Reads runtime system information]
- /bin/ls: ls -latrh /proc/107 (PID:721) [Reads runtime system information]
- /bin/grep: grep exe (PID:722)
- /bin/ls: ls -latrh /proc/108 (PID:726) [Reads runtime system information]
- /bin/grep: grep exe (PID:727)
- /bin/ls: ls -latrh /proc/11 (PID:732) [Reads runtime system information]
- /bin/grep: grep exe (PID:733)
- /bin/ls: ls -latrh /proc/12 (PID:739) [Reads runtime system information]
- /bin/grep: grep exe (PID:740)
Network
MITRE ATT&CK Enterprise v15
Downloads