Analysis Overview
SHA256: 52606b0a9624eb1dcd834eb3b926d0250bf2b514377d480f0e9b9c0fdcb708c5
Threat Level: Likely benign
The file gather.sh was found to be: Likely benign.
Malicious Activity Summary
Reads runtime system information
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported: 2024-05-07 01:02
Signatures
Analysis: behavioral2
Detonation Overview
Submitted: 2024-05-07 01:02
Reported: 2024-05-07 01:04
Platform: debian9-armhf-20240226-en
Command Line
Signatures
Processes
Network
Files
Analysis: behavioral3
Detonation Overview
Submitted: 2024-05-07 01:02
Reported: 2024-05-07 01:02
Platform: debian9-mipsbe-20240418-en
Command Line
Signatures
Processes
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted: 2024-05-07 01:02
Reported: 2024-05-07 01:02
Platform: debian9-mipsel-20240226-en
Command Line
Signatures
Processes
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted: 2024-05-07 01:02
Reported: 2024-05-07 01:04
Platform: ubuntu1804-amd64-20240226-en
Max time kernel: 0s
Max time network: 128s
Command Line
Signatures
Reads runtime system information
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for reading | /proc/sys/kernel/ngroups_max | /usr/bin/id | N/A |
| File opened for reading | /proc/sys/kernel/ngroups_max | /usr/bin/id | N/A |
| File opened for reading | /proc/sys/kernel/ngroups_max | /usr/bin/id | N/A |
| File opened for reading | /proc/sys/kernel/ngroups_max | /usr/bin/id | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/id | N/A |
| File opened for reading | /proc/sys/kernel/ngroups_max | /usr/bin/id | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/id | N/A |
| File opened for reading | /proc/sys/kernel/ngroups_max | /usr/bin/id | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/id | N/A |
| File opened for reading | /proc/sys/kernel/ngroups_max | /usr/bin/id | N/A |
| File opened for reading | /proc/sys/kernel/ngroups_max | /usr/bin/id | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/id | N/A |
| File opened for reading | /proc/sys/kernel/ngroups_max | /usr/bin/id | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/id | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/id | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/id | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/id | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/id | N/A |
| File opened for reading | /proc/sys/kernel/ngroups_max | /usr/bin/id | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/id | N/A |
| File opened for reading | /proc/sys/kernel/ngroups_max | /usr/bin/id | N/A |
| File opened for reading | /proc/sys/kernel/ngroups_max | /usr/bin/id | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/id | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/id | N/A |
| File opened for reading | /proc/sys/kernel/ngroups_max | /usr/bin/id | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/id | N/A |
| File opened for reading | /proc/sys/kernel/ngroups_max | /usr/bin/id | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/id | N/A |
| File opened for reading | /proc/sys/kernel/ngroups_max | /usr/bin/id | N/A |
| File opened for reading | /proc/sys/kernel/ngroups_max | /usr/bin/id | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/id | N/A |
| File opened for reading | /proc/sys/kernel/ngroups_max | /usr/bin/id | N/A |
| File opened for reading | /proc/version | /bin/cat | N/A |
| File opened for reading | /proc/sys/kernel/ngroups_max | /usr/bin/id | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/id | N/A |
| File opened for reading | /proc/sys/kernel/ngroups_max | /usr/bin/id | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/id | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/id | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/id | N/A |
| File opened for reading | /proc/sys/kernel/ngroups_max | /usr/bin/id | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/id | N/A |
| File opened for reading | /proc/filesystems | /bin/mkdir | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/id | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/id | N/A |
| File opened for reading | /proc/sys/kernel/ngroups_max | /usr/bin/id | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/id | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/id | N/A |
| File opened for reading | /proc/sys/kernel/ngroups_max | /usr/bin/id | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/id | N/A |
| File opened for reading | /proc/sys/kernel/ngroups_max | /usr/bin/id | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/id | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/id | N/A |
| File opened for reading | /proc/sys/kernel/ngroups_max | /usr/bin/id | N/A |
| File opened for reading | /proc/sys/kernel/ngroups_max | /usr/bin/id | N/A |
| File opened for reading | /proc/sys/kernel/ngroups_max | /usr/bin/id | N/A |
| File opened for reading | /proc/sys/kernel/ngroups_max | /usr/bin/id | N/A |
| File opened for reading | /proc/sys/kernel/ngroups_max | /usr/bin/id | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/id | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/id | N/A |
| File opened for reading | /proc/sys/kernel/ngroups_max | /usr/bin/id | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/id | N/A |
| File opened for reading | /proc/sys/kernel/ngroups_max | /usr/bin/id | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/id | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/id | N/A |
Processes
| Process | Command Line |
| --- | --- |
| /tmp/gather.sh | /tmp/gather.sh |
| /bin/mkdir | mkdir -p /tmp/report |
| /bin/cat | cat /proc/version |
| /bin/sed | sed s/metric.*$//g |
| /bin/sed | sed s/^.*src //g |
| /bin/grep | grep -n eth0\s*proto\s*kernel\s*scope\s*link\s*src |
| /bin/ip | ip route show |
| /usr/bin/cut | cut -d: -f1 /etc/passwd |
| /usr/bin/id | id root |
| /usr/bin/id | id daemon |
| /usr/bin/id | id bin |
| /usr/bin/id | id sys |
| /usr/bin/id | id sync |
| /usr/bin/id | id games |
| /usr/bin/id | id man |
| /usr/bin/id | id lp |
| /usr/bin/id | id mail |
| /usr/bin/id | id news |
| /usr/bin/id | id uucp |
| /usr/bin/id | id proxy |
| /usr/bin/id | id www-data |
| /usr/bin/id | id backup |
| /usr/bin/id | id list |
| /usr/bin/id | id irc |
| /usr/bin/id | id gnats |
| /usr/bin/id | id nobody |
| /usr/bin/id | id systemd-network |
| /usr/bin/id | id systemd-resolve |
| /usr/bin/id | id syslog |
| /usr/bin/id | id messagebus |
| /usr/bin/id | id _apt |
| /usr/bin/id | id uuidd |
| /usr/bin/id | id avahi-autoipd |
| /usr/bin/id | id usbmux |
| /usr/bin/id | id dnsmasq |
| /usr/bin/id | id rtkit |
| /usr/bin/id | id cups-pk-helper |
| /usr/bin/id | id saned |
| /usr/bin/id | id speech-dispatcher |
| /usr/bin/id | id whoopsie |
| /usr/bin/id | id colord |
| /usr/bin/id | id kernoops |
| /usr/bin/id | id pulse |
| /usr/bin/id | id avahi |
| /usr/bin/id | id hplip |
| /usr/bin/id | id geoclue |
| /usr/bin/id | id gnome-initial-setup |
| /usr/bin/id | id gdm |
| /usr/bin/id | id sshd |
| /usr/bin/id | id user |
| /bin/hostname | hostname |
| /bin/uname | uname -m |
| /usr/bin/whoami | whoami |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 224.0.0.251:5353 | | udp |
| US | 151.101.2.49:443 | | tcp |
| US | 151.101.193.91:443 | | tcp |
| GB | 195.181.164.21:443 | | tcp |
| GB | 185.125.188.61:443 | | tcp |
| GB | 185.125.188.61:443 | | tcp |