24144660b3144ce7a288b6eab8f7c2c5386230ff06186f3a2517639c56d43fc9

General

Target

wireguard-install.sh
Size

29KB
MD5

6fb4cf22ce51158421e90ec0150ca3fb
SHA1

5f66f8d01cdb124481ad264d8444a42d486d70d9
SHA256

24144660b3144ce7a288b6eab8f7c2c5386230ff06186f3a2517639c56d43fc9
SHA512

979286c8803fbf050b4bab94223fb4689798c97b488aaf2e3ef79103f3f8c177ba2f45f0d900f449d2ea6d561ed79b0213f7e7ac8c1caa5cbc18b6078712e545
SSDEEP

384:JKq5OzpZPCaNQVqBjqJvekjS8VlGLEzzJ:JeplCaNQcBjqJvfJ3zzJ

Score

6^/10

antivm persistence

Malware Config

Signatures

Checks hardware identifiers (DMI) 1 TTPs 2 IoCs

Checks DMI information which indicate if the system is a virtual machine.

antivm

Virtualization/Sandbox Evasion

T1497

Processes:

systemd-detect-virt

description	ioc	process
File opened for reading	/sys/class/dmi/id/product_name	systemd-detect-virt
File opened for reading	/sys/class/dmi/id/sys_vendor	systemd-detect-virt

Modifies systemd 1 TTPs 1 IoCs
Adds/ modifies systemd service files. Likely to achieve persistence.
persistence

Boot or Logon Autostart Execution
T1547

Processes:

wireguard-install.sh

description ioc process

File opened for modification /etc/systemd/system/wg-iptables.service wireguard-install.sh

description	ioc	process
File opened for modification	/etc/systemd/system/wg-iptables.service	wireguard-install.sh

Enumerates kernel/hardware configuration 1 TTPs 3 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

T1082

Processes:

modprobe

description	ioc	process
File opened for reading	/sys/module/wireguard/initstate	modprobe
File opened for reading	/sys/module/udp_tunnel/initstate	modprobe
File opened for reading	/sys/module/ip6_udp_tunnel/initstate	modprobe

Reads runtime system information 57 IoCs

Reads data from /proc virtual filesystem.

Processes:

systemd-detect-virtidsystemctlsystemctlmodprobesystemctlsystemctlsedsystemctlapt-getdpkgdpkgapt-getsystemd-detect-virtseddpkgsedxargsdpkgdpkg

description	ioc	process
File opened for reading	/proc/self/stat	systemd-detect-virt
File opened for reading	/proc/filesystems	id
File opened for reading	/proc/sys/kernel/osrelease	systemctl
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/cmdline	modprobe
File opened for reading	/proc/1/sched	systemctl
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/sys/kernel/osrelease	systemd-detect-virt
File opened for reading	/proc/sys/kernel/osrelease	systemctl
File opened for reading	/proc/sys/kernel/osrelease	systemctl
File opened for reading	/proc/1/environ	systemd-detect-virt
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/self/fd	apt-get
File opened for reading	/proc/filesystems	systemd-detect-virt
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/cmdline	systemd-detect-virt
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/self/fd	apt-get
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/1/environ	systemd-detect-virt
File opened for reading	/proc/1/sched	systemctl
File opened for reading	/proc/sys/kernel/osrelease	systemctl
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/sys/kernel/osrelease	systemctl
File opened for reading	/proc/1/sched	systemctl
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/1/sched	systemctl
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/1/sched	systemd-detect-virt
File opened for reading	/proc/self/fd	xargs
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/sys/kernel/ngroups_max	apt-get
File opened for reading	/proc/1/sched	systemd-detect-virt
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/sys/kernel/ngroups_max	apt-get
File opened for reading	/proc/filesystems	systemd-detect-virt
File opened for reading	/proc/self/stat	systemd-detect-virt
File opened for reading	/proc/sys/kernel/osrelease	systemd-detect-virt
File opened for reading	/proc/cmdline	systemd-detect-virt
File opened for reading	/proc/1/sched	systemctl

Writes file to tmp directory 43 IoCs

Malware often drops required files in the /tmp directory.

Processes:

apt-getapt-getwireguard-install.sh

description	ioc	process
File opened for modification	/tmp/fileutl.message.nohRDr	apt-get
File opened for modification	/tmp/fileutl.message.ffc9QZ	apt-get
File opened for modification	/tmp/fileutl.message.R6yPLq	apt-get
File opened for modification	/tmp/fileutl.message.dm29c8	apt-get
File opened for modification	/tmp/sh-thd.dr6DkI	wireguard-install.sh
File opened for modification	/tmp/sh-thd.39K4ds	wireguard-install.sh
File opened for modification	/tmp/fileutl.message.PzAxhA	apt-get
File opened for modification	/tmp/fileutl.message.3uVNDG	apt-get
File opened for modification	/tmp/fileutl.message.prScf3	apt-get
File opened for modification	/tmp/fileutl.message.JiSnom	apt-get
File opened for modification	/tmp/sh-thd.0JfNMH	wireguard-install.sh
File opened for modification	/tmp/fileutl.message.7IBdOV	apt-get
File opened for modification	/tmp/fileutl.message.5GkSPq	apt-get
File opened for modification	/tmp/fileutl.message.R0Tgs8	apt-get
File opened for modification	/tmp/sh-thd.ylXa8M	wireguard-install.sh
File opened for modification	/tmp/fileutl.message.hk0bel	apt-get
File opened for modification	/tmp/fileutl.message.FVMRm2	apt-get
File opened for modification	/tmp/fileutl.message.HlJNRw	apt-get
File opened for modification	/tmp/fileutl.message.vhD3EV	apt-get
File opened for modification	/tmp/sh-thd.nvhD3E	wireguard-install.sh
File opened for modification	/tmp/fileutl.message.N4EZzP	apt-get
File opened for modification	/tmp/fileutl.message.byaM1M	apt-get
File opened for modification	/tmp/fileutl.message.7pYFi6	apt-get
File opened for modification	/tmp/fileutl.message.xeKhOq	apt-get
File opened for modification	/tmp/fileutl.message.Xf2r87	apt-get
File opened for modification	/tmp/fileutl.message.zv4w4C	apt-get
File opened for modification	/tmp/fileutl.message.VR2kuk	apt-get
File opened for modification	/tmp/fileutl.message.3sI661	apt-get
File opened for modification	/tmp/fileutl.message.xxBK4x	apt-get
File opened for modification	/tmp/fileutl.message.nChTqT	apt-get
File opened for modification	/tmp/fileutl.message.ZzubuP	apt-get
File opened for modification	/tmp/fileutl.message.pAuXfe	apt-get
File opened for modification	/tmp/fileutl.message.XvbZkJ	apt-get
File opened for modification	/tmp/fileutl.message.zaxn7w	apt-get
File opened for modification	/tmp/sh-thd.SxxyyL	wireguard-install.sh
File opened for modification	/tmp/fileutl.message.DVyDGn	apt-get
File opened for modification	/tmp/fileutl.message.rVjNNH	apt-get
File opened for modification	/tmp/fileutl.message.dCfMb2	apt-get
File opened for modification	/tmp/fileutl.message.D8NuuJ	apt-get
File opened for modification	/tmp/fileutl.message.nmauU1	apt-get
File opened for modification	/tmp/fileutl.message.BKn0EP	apt-get
File opened for modification	/tmp/fileutl.message.TyCsXt	apt-get
File opened for modification	/tmp/fileutl.message.1hcEPe	apt-get

/tmp/wireguard-install.sh
/tmp/wireguard-install.sh
1⤵
- Modifies systemd
- Writes file to tmp directory
PID:1504

/bin/grep
grep -q dash
2⤵
PID:1506

/bin/readlink
readlink /proc/1504/exe
2⤵
PID:1505

/usr/bin/cut
cut -d . -f 1
2⤵
PID:1509

/bin/uname
uname -r
2⤵
PID:1508

/bin/grep
grep -qs ubuntu /etc/os-release
2⤵
PID:1510

/usr/bin/tr
tr -d .
2⤵
PID:1514

/usr/bin/cut
cut -d "\"" -f 2
2⤵
PID:1513

/bin/grep
grep VERSION_ID /etc/os-release
2⤵
PID:1512

/bin/grep
grep -q sbin
2⤵
PID:1515

/usr/bin/systemd-detect-virt
systemd-detect-virt -cq
2⤵
- Reads runtime system information
PID:1516

/usr/bin/clear
clear
2⤵
PID:1517

/bin/grep
grep -vEc "127(\\.[0-9]{1,3}){3}"
2⤵
PID:1521

/bin/grep
grep inet
2⤵
PID:1520

/sbin/ip
ip -4 addr
2⤵
PID:1519

/bin/grep
grep -vEc "127(\\.[0-9]{1,3}){3}"
2⤵
PID:1525

/bin/grep
grep inet
2⤵
PID:1524

/sbin/ip
ip -4 addr
2⤵
PID:1523

/usr/bin/nl
nl -s ") "
2⤵
PID:1537

/bin/grep
grep -oE "[0-9]{1,3}(\\.[0-9]{1,3}){3}"
2⤵
PID:1536

/usr/bin/cut
cut -d / -f 1
2⤵
PID:1535

/bin/grep
grep -vE "127(\\.[0-9]{1,3}){3}"
2⤵
PID:1534

/bin/grep
grep inet
2⤵
PID:1533

/sbin/ip
ip -4 addr
2⤵
PID:1532

/bin/grep
grep -oE "[0-9]{1,3}(\\.[0-9]{1,3}){3}"
2⤵
PID:1543

/bin/sed
sed -n 1p
2⤵
- Reads runtime system information
PID:1544

/usr/bin/cut
cut -d / -f 1
2⤵
PID:1542

/bin/grep
grep -vE "127(\\.[0-9]{1,3}){3}"
2⤵
PID:1541

/bin/grep
grep inet
2⤵
PID:1540

/sbin/ip
ip -4 addr
2⤵
PID:1539

/bin/grep
grep -qE "^(10\\.|172\\.1[6789]\\.|172\\.2[0-9]\\.|172\\.3[01]\\.|192\\.168)"
2⤵
PID:1552

/bin/grep
grep -c "inet6 [23]"
2⤵
PID:1555

/sbin/ip
ip -6 addr
2⤵
PID:1554

/bin/grep
grep -c "inet6 [23]"
2⤵
PID:1558

/sbin/ip
ip -6 addr
2⤵
PID:1557

/bin/sed
sed "s/[^0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_-]/_/g"
2⤵
- Reads runtime system information
PID:1563

/bin/grep
grep -qv 127.0.0.53
2⤵
PID:1568

/bin/grep
grep "^nameserver" /etc/resolv.conf
2⤵
PID:1567

/bin/sed
sed -e "s/ /, /g"
2⤵
- Reads runtime system information
PID:1575

/usr/bin/xargs
xargs
2⤵
- Reads runtime system information
PID:1574

/usr/local/sbin/echo
echo 1.1.1.1
3⤵
PID:1576

/usr/local/bin/echo
echo 1.1.1.1
3⤵
PID:1576

/usr/sbin/echo
echo 1.1.1.1
3⤵
PID:1576

/usr/bin/echo
echo 1.1.1.1
3⤵
PID:1576

/sbin/echo
echo 1.1.1.1
3⤵
PID:1576

/bin/echo
echo 1.1.1.1
3⤵
PID:1576

/bin/grep
grep -oE "[0-9]{1,3}(\\.[0-9]{1,3}){3}"
2⤵
PID:1573

/bin/grep
grep -v 127.0.0.53
2⤵
PID:1572

/bin/grep
grep "^nameserver"
2⤵
PID:1571

/bin/grep
grep -v "^#\\|^;" /run/systemd/resolve/resolv.conf
2⤵
PID:1570

/bin/systemctl
systemctl is-active --quiet firewalld.service
2⤵
- Reads runtime system information
PID:1577

/usr/bin/apt-get
apt-get update
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:1578

/usr/bin/dpkg
/usr/bin/dpkg --print-foreign-architectures
3⤵
- Reads runtime system information
PID:1582

/usr/lib/apt/methods/http
/usr/lib/apt/methods/http
3⤵
PID:1583

/usr/lib/apt/methods/https
/usr/lib/apt/methods/https
3⤵
PID:1584

/bin/sh
sh -c "[ ! -e /run/systemd/system ] || [ \$(id -u) -ne 0 ] || systemctl start --no-block apt-news.service esm-cache.service || true"
3⤵
PID:1586

/usr/bin/id
id -u
4⤵
- Reads runtime system information
PID:1587

/bin/systemctl
systemctl start --no-block apt-news.service esm-cache.service
4⤵
- Reads runtime system information
PID:1588

/usr/lib/apt/methods/https
/usr/lib/apt/methods/https
3⤵
PID:1592

/usr/lib/apt/methods/http
/usr/lib/apt/methods/http
3⤵
PID:1596

/usr/lib/apt/methods/http
/usr/lib/apt/methods/http
3⤵
PID:1597

/usr/bin/dpkg
/usr/bin/dpkg --print-foreign-architectures
3⤵
- Reads runtime system information
PID:1604

/usr/bin/dpkg
/usr/bin/dpkg --print-foreign-architectures
3⤵
- Reads runtime system information
PID:1605

/usr/bin/apt-get
apt-get install -y wireguard qrencode
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:1606

/usr/bin/dpkg
/usr/bin/dpkg --print-foreign-architectures
3⤵
- Reads runtime system information
PID:1607

/usr/bin/dpkg
/usr/bin/dpkg --print-foreign-architectures
3⤵
- Reads runtime system information
PID:1608

/usr/lib/apt/methods/http
/usr/lib/apt/methods/http
3⤵
PID:1609

/usr/lib/apt/methods/http
/usr/lib/apt/methods/http
3⤵
PID:1610

/bin/chmod
chmod 600 /etc/wireguard/wg0.conf
2⤵
PID:1618

/bin/systemctl
systemctl is-active --quiet firewalld.service
2⤵
- Reads runtime system information
PID:1619

/usr/bin/systemd-detect-virt
systemd-detect-virt
2⤵
- Checks hardware identifiers (DMI)
- Reads runtime system information
PID:1622

/bin/systemctl
systemctl enable --now wg-iptables.service
2⤵
- Reads runtime system information
PID:1626

/bin/grep
grep -q 2
2⤵
PID:1630

/usr/bin/cut
cut -d / -f 1
2⤵
PID:1629

/usr/bin/cut
cut -d . -f 4
2⤵
PID:1628

/bin/grep
grep AllowedIPs /etc/wireguard/wg0.conf
2⤵
PID:1627

/bin/grep
grep -q fddd:2c4:2c4:2c4::1 /etc/wireguard/wg0.conf
2⤵
PID:1640

/bin/grep
grep -q fddd:2c4:2c4:2c4::1 /etc/wireguard/wg0.conf
2⤵
PID:1643

/usr/bin/cut
cut -d " " -f 3
2⤵
PID:1646

/bin/grep
grep PrivateKey /etc/wireguard/wg0.conf
2⤵
PID:1645

/usr/bin/cut
cut -d " " -f 3
2⤵
PID:1650

/bin/grep
grep "^# ENDPOINT" /etc/wireguard/wg0.conf
2⤵
PID:1649

/usr/bin/cut
cut -d " " -f 3
2⤵
PID:1653

/bin/grep
grep ListenPort /etc/wireguard/wg0.conf
2⤵
PID:1652

/bin/cat
cat
2⤵
PID:1641

/bin/systemctl
systemctl enable --now "[email protected]"
2⤵
- Reads runtime system information
PID:1654

/sbin/modprobe
modprobe -nq wireguard
2⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:1659

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Virtualization/Sandbox Evasion

1

T1497

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/sysctl.d/99-wireguard-forward.conf
Filesize
22B

MD5
4c34a122be1a37adc4161ae754d87b40

SHA1
b44af8c75ec83749700ddd8a789aaf1f0bac7093

SHA256
7de9e61bfd3ef0b34bcacfba0fcbd0896611812ed74015f2dac1446c3bacd743

SHA512
b178270f7535bf8a795766917a5bd0c5d375e280b6d54c7789dd59a665ebae85f6a880dfb5167c2084c6fb5ad4ba78780a2ca8456847e63c29db252b21fee4db

Download Submit
/etc/systemd/system/wg-iptables.service
Filesize
658B

MD5
c40e170cb3921aeea422d44a338c80db

SHA1
2f7ea2ba7bd8d6b20ac1ea95462d9b55380f9331

SHA256
49f53ef359f924e44e019cf2b1af98ff8903a67b824fb6d955f693ad311a3a72

SHA512
ff6ebeb3ee87751eb47c413b95ae15d988b82759ed44fba85e0eaa8e53828af94d5e90f469d2393c427dbeb886c0c50bbf29d9e709a0fb45c2bb6e8b4fbe64c2

Download Submit
/etc/systemd/system/wg-iptables.service
Filesize
715B

MD5
37e26953053bffa855489c1c4c331c4e

SHA1
44cf26611ab8dced5a62b3f9e204481a01d75780

SHA256
03f9ecfb80f113af4f3bd34668cb1ff98de54bce6d4aa0abf8c4b718096bfc84

SHA512
cef1f18b9f625190150532a33d844a33a07aa3fc3f2203f1cf5dba7f01c4100664e8a551f79cdd0c35a9e239166b4cc8de7476de398d7028da2c3bb503bd2600

Download Submit
/root/client.conf
Filesize
167B

MD5
2891184a4130abd6f96ff68fa6108abd

SHA1
51c06abe0ce0cb4a12047b4cb3f2c3b6b3f14f35

SHA256
c38866e3199a3221b97b3199f55b36e73d31760d99504ef571bfe42d50ec11da

SHA512
acaf620daedbfbf2e081df39efda4184f007943e8504993787a15c04c08c06d8d78b46bca64b4daadd0cdb02e72377eaedc0d7123f6ccc4cf0878adb1048c9d2

Download Submit
/tmp/fileutl.message.N4EZzP
Filesize
235KB

MD5
373fe2f2ef99005d2550a482f09a3e51

SHA1
68e6572b55b1e77f7d171ebac7b2579b7a6bd51d

SHA256
7552d5ab0c3879756a860aaab8e7c2f8ffb9409ea9ff9e65fc046ba5c519ebe5

SHA512
def9e854b824d2fddc6a15f898be73cfb679ac38563f5af854546f49c9d5d2316a40176dc41d6b360bda7b65de53863a53e4eedadf6336000b031b77a113607b

Download Submit
/tmp/sh-thd.SxxyyL
Filesize
71B

MD5
6f4b7339a159ba1d9fa0efcaf5139228

SHA1
3bf8bb73dd70ffbbe5ce6cb42664e6672a43c077

SHA256
550e404887af5f1126258b0c09e96ad4bd49adc43dd7652bd67a1c298d090211

SHA512
a0cd9dc4d19a7921ac5eac6ade13ef8b7311521ce9dd252bf7750622d4b00ccb100ae08f73797f6f33abb73ec70f2e3e6428d5fd9e066672d372f1c7702a2908

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads