Resubmissions

15-03-2024 16:07

240315-tkykeacf7z 1

25-02-2024 14:29

240225-rtjrhaee9z 10

Analysis

  • max time kernel
    2s
  • max time network
    1681s
  • platform
    ubuntu-20.04_amd64
  • resource
    ubuntu2004-amd64-20240221-en
  • resource tags
    arch:amd64
    arch:i386
    image:ubuntu2004-amd64-20240221-en
    kernel:5.4.0-169-generic
    locale:en-us
    os:ubuntu-20.04-amd64
    system
  • submitted
    25-02-2024 14:29

General

  • Target

    script_malware/setup.sh

  • Size

    1KB

  • MD5

    37d7c910159cf1d62dbcf5b7bff399ea

  • SHA1

    90a783bc89f7fbfb52da193849d5d849b9a3a1e6

  • SHA256

    29acfdc8b457d7b56d5eb443fe6d22f8169db3786605e37be0bdac9bfb1503fb

  • SHA512

    dc78fbcfd58d8383842de7eb18b3f9f72b7255db8f670e93230916e98b8f6dbf77f8ba28cd93f9d3f740243adec500e9f245e4ebbb440aa882eff7907e9fe0c0

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE (1 IoC)
  • Enumerates kernel/hardware configuration (1 TTP, 1 IoC)

    Reads contents of /sys virtual filesystem to enumerate system information.

  • Reads runtime system information (3 IoCs)

    Reads data from /proc virtual filesystem.

Processes

  • /tmp/script_malware/setup.sh
    /tmp/script_malware/setup.sh
    1⤵
    PID:1474
    • /usr/bin/uname
      uname -mp
      2⤵
      PID:1475
    • /usr/bin/grep
      grep -q x86_64
      2⤵
      PID:1477
    • /usr/bin/nproc
      nproc
      2⤵
      PID:1478
    • /usr/sbin/sysctl
      sysctl -w "vm.nr_hugepages=1"
      2⤵
      PID:1479
    • /usr/bin/find
      find /sys/devices/system/node/node0 -maxdepth 0 -type d
      2⤵
      • Reads runtime system information
      PID:1480
    • /usr/bin/mv
      mv redtail.sh /
      2⤵
      • Reads runtime system information
      PID:1492
    • /usr/bin/cat
      cat redtail.x86_64
      2⤵
      PID:1495
    • /usr/bin/chmod
      chmod +x .redtail
      2⤵
      PID:1496
    • /.redtail
      ./.redtail
      2⤵
      • Executes dropped EXE
      PID:1497
    • /usr/bin/rm
      rm -rf redtail.sh
      2⤵
      PID:1501
  • /usr/bin/head
    head -n 1
    1⤵
    PID:1483
  • /usr/bin/find
    find / -writable -executable -readable -not -path "/proc/*"
    1⤵
    • Reads runtime system information
    PID:1482

Network

MITRE ATT&CK Enterprise v15