Malware Analysis Report

2025-08-06 00:00

Sample ID 240507-bds28seb87
Target gather.sh
SHA256 52606b0a9624eb1dcd834eb3b926d0250bf2b514377d480f0e9b9c0fdcb708c5
Tags
score
3/10

Analysis Overview

score
3/10

SHA256

52606b0a9624eb1dcd834eb3b926d0250bf2b514377d480f0e9b9c0fdcb708c5

Threat Level: Likely benign

The file gather.sh was found to be: Likely benign.

Malicious Activity Summary

Reads runtime system information

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-07 01:02

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-07 01:02

Reported

2024-05-07 01:04

Platform

debian9-armhf-20240226-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-07 01:02

Reported

2024-05-07 01:02

Platform

debian9-mipsbe-20240418-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-07 01:02

Reported

2024-05-07 01:02

Platform

debian9-mipsel-20240226-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-07 01:02

Reported

2024-05-07 01:04

Platform

ubuntu1804-amd64-20240226-en

Max time kernel

0s

Max time network

128s

Command Line

[/tmp/gather.sh]

Signatures

Reads runtime system information

Description Indicator Process Target
File opened for reading /proc/sys/kernel/ngroups_max /usr/bin/id N/A
File opened for reading /proc/sys/kernel/ngroups_max /usr/bin/id N/A
File opened for reading /proc/sys/kernel/ngroups_max /usr/bin/id N/A
File opened for reading /proc/sys/kernel/ngroups_max /usr/bin/id N/A
File opened for reading /proc/filesystems /usr/bin/id N/A
File opened for reading /proc/sys/kernel/ngroups_max /usr/bin/id N/A
File opened for reading /proc/filesystems /usr/bin/id N/A
File opened for reading /proc/sys/kernel/ngroups_max /usr/bin/id N/A
File opened for reading /proc/filesystems /usr/bin/id N/A
File opened for reading /proc/sys/kernel/ngroups_max /usr/bin/id N/A
File opened for reading /proc/sys/kernel/ngroups_max /usr/bin/id N/A
File opened for reading /proc/filesystems /usr/bin/id N/A
File opened for reading /proc/sys/kernel/ngroups_max /usr/bin/id N/A
File opened for reading /proc/filesystems /usr/bin/id N/A
File opened for reading /proc/filesystems /usr/bin/id N/A
File opened for reading /proc/filesystems /usr/bin/id N/A
File opened for reading /proc/filesystems /usr/bin/id N/A
File opened for reading /proc/filesystems /usr/bin/id N/A
File opened for reading /proc/sys/kernel/ngroups_max /usr/bin/id N/A
File opened for reading /proc/filesystems /usr/bin/id N/A
File opened for reading /proc/sys/kernel/ngroups_max /usr/bin/id N/A
File opened for reading /proc/sys/kernel/ngroups_max /usr/bin/id N/A
File opened for reading /proc/filesystems /usr/bin/id N/A
File opened for reading /proc/filesystems /usr/bin/id N/A
File opened for reading /proc/sys/kernel/ngroups_max /usr/bin/id N/A
File opened for reading /proc/filesystems /usr/bin/id N/A
File opened for reading /proc/sys/kernel/ngroups_max /usr/bin/id N/A
File opened for reading /proc/filesystems /usr/bin/id N/A
File opened for reading /proc/sys/kernel/ngroups_max /usr/bin/id N/A
File opened for reading /proc/sys/kernel/ngroups_max /usr/bin/id N/A
File opened for reading /proc/filesystems /usr/bin/id N/A
File opened for reading /proc/sys/kernel/ngroups_max /usr/bin/id N/A
File opened for reading /proc/version /bin/cat N/A
File opened for reading /proc/sys/kernel/ngroups_max /usr/bin/id N/A
File opened for reading /proc/filesystems /usr/bin/id N/A
File opened for reading /proc/sys/kernel/ngroups_max /usr/bin/id N/A
File opened for reading /proc/filesystems /usr/bin/id N/A
File opened for reading /proc/filesystems /usr/bin/id N/A
File opened for reading /proc/filesystems /usr/bin/id N/A
File opened for reading /proc/sys/kernel/ngroups_max /usr/bin/id N/A
File opened for reading /proc/filesystems /usr/bin/id N/A
File opened for reading /proc/filesystems /bin/mkdir N/A
File opened for reading /proc/filesystems /usr/bin/id N/A
File opened for reading /proc/filesystems /usr/bin/id N/A
File opened for reading /proc/sys/kernel/ngroups_max /usr/bin/id N/A
File opened for reading /proc/filesystems /usr/bin/id N/A
File opened for reading /proc/filesystems /usr/bin/id N/A
File opened for reading /proc/sys/kernel/ngroups_max /usr/bin/id N/A
File opened for reading /proc/filesystems /usr/bin/id N/A
File opened for reading /proc/sys/kernel/ngroups_max /usr/bin/id N/A
File opened for reading /proc/filesystems /usr/bin/id N/A
File opened for reading /proc/filesystems /usr/bin/id N/A
File opened for reading /proc/sys/kernel/ngroups_max /usr/bin/id N/A
File opened for reading /proc/sys/kernel/ngroups_max /usr/bin/id N/A
File opened for reading /proc/sys/kernel/ngroups_max /usr/bin/id N/A
File opened for reading /proc/sys/kernel/ngroups_max /usr/bin/id N/A
File opened for reading /proc/sys/kernel/ngroups_max /usr/bin/id N/A
File opened for reading /proc/filesystems /usr/bin/id N/A
File opened for reading /proc/filesystems /usr/bin/id N/A
File opened for reading /proc/sys/kernel/ngroups_max /usr/bin/id N/A
File opened for reading /proc/filesystems /usr/bin/id N/A
File opened for reading /proc/sys/kernel/ngroups_max /usr/bin/id N/A
File opened for reading /proc/filesystems /usr/bin/id N/A
File opened for reading /proc/filesystems /usr/bin/id N/A

Processes

/tmp/gather.sh

[/tmp/gather.sh]

/bin/mkdir

[mkdir -p /tmp/report]

/bin/cat

[cat /proc/version]

/bin/sed

[sed s/metric.*$//g]

/bin/sed

[sed s/^.*src //g]

/bin/grep

[grep -n eth0\s*proto\s*kernel\s*scope\s*link\s*src]

/bin/ip

[ip route show]

/usr/bin/cut

[cut -d: -f1 /etc/passwd]

/usr/bin/id

[id root]

/usr/bin/id

[id daemon]

/usr/bin/id

[id bin]

/usr/bin/id

[id sys]

/usr/bin/id

[id sync]

/usr/bin/id

[id games]

/usr/bin/id

[id man]

/usr/bin/id

[id lp]

/usr/bin/id

[id mail]

/usr/bin/id

[id news]

/usr/bin/id

[id uucp]

/usr/bin/id

[id proxy]

/usr/bin/id

[id www-data]

/usr/bin/id

[id backup]

/usr/bin/id

[id list]

/usr/bin/id

[id irc]

/usr/bin/id

[id gnats]

/usr/bin/id

[id nobody]

/usr/bin/id

[id systemd-network]

/usr/bin/id

[id systemd-resolve]

/usr/bin/id

[id syslog]

/usr/bin/id

[id messagebus]

/usr/bin/id

[id _apt]

/usr/bin/id

[id uuidd]

/usr/bin/id

[id avahi-autoipd]

/usr/bin/id

[id usbmux]

/usr/bin/id

[id dnsmasq]

/usr/bin/id

[id rtkit]

/usr/bin/id

[id cups-pk-helper]

/usr/bin/id

[id saned]

/usr/bin/id

[id speech-dispatcher]

/usr/bin/id

[id whoopsie]

/usr/bin/id

[id colord]

/usr/bin/id

[id kernoops]

/usr/bin/id

[id pulse]

/usr/bin/id

[id avahi]

/usr/bin/id

[id hplip]

/usr/bin/id

[id geoclue]

/usr/bin/id

[id gnome-initial-setup]

/usr/bin/id

[id gdm]

/usr/bin/id

[id sshd]

/usr/bin/id

[id user]

/bin/hostname

[hostname]

/bin/uname

[uname -m]

/usr/bin/whoami

[whoami]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 151.101.2.49:443 tcp
US 151.101.193.91:443 tcp
GB 195.181.164.21:443 tcp
GB 185.125.188.61:443 tcp
GB 185.125.188.61:443 tcp

Files

N/A