Analysis
- max time kernel: 2s
- max time network: 128s
- platform: ubuntu-18.04_amd64
- resource: ubuntu1804-amd64-20240508-en
- resource tags: arch:amd64, arch:i386, image:ubuntu1804-amd64-20240508-en, kernel:4.15.0-213-generic, locale:en-us, os:ubuntu-18.04-amd64, system
- submitted: 21-05-2024 05:38
Static task: static1
Behavioral task: behavioral1
- Sample: wireguard-install.sh
- Resource: ubuntu1804-amd64-20240508-en
Behavioral task: behavioral2
- Sample: wireguard-install.sh
- Resource: debian9-armhf-20240418-en
Behavioral task: behavioral3
- Sample: wireguard-install.sh
- Resource: debian9-mipsbe-20240226-en
Behavioral task: behavioral4
- Sample: wireguard-install.sh
- Resource: debian9-mipsel-20240418-en
General
- Target: wireguard-install.sh
- Size: 29KB
- MD5: 6fb4cf22ce51158421e90ec0150ca3fb
- SHA1: 5f66f8d01cdb124481ad264d8444a42d486d70d9
- SHA256: 24144660b3144ce7a288b6eab8f7c2c5386230ff06186f3a2517639c56d43fc9
- SHA512: 979286c8803fbf050b4bab94223fb4689798c97b488aaf2e3ef79103f3f8c177ba2f45f0d900f449d2ea6d561ed79b0213f7e7ac8c1caa5cbc18b6078712e545
- SSDEEP: 384:JKq5OzpZPCaNQVqBjqJvekjS8VlGLEzzJ:JeplCaNQcBjqJvfJ3zzJ
Malware Config
Signatures
- Checks hardware identifiers (DMI) (1 TTPs, 2 IoCs)
  Checks DMI information which indicates if the system is a virtual machine.
  Processes: systemd-detect-virt
  - File opened for reading: /sys/class/dmi/id/product_name (systemd-detect-virt)
  - File opened for reading: /sys/class/dmi/id/sys_vendor (systemd-detect-virt)
- Modifies systemd (1 TTPs, 1 IoCs)
  Adds/modifies systemd service files. Likely to achieve persistence.
  Processes: wireguard-install.sh
  - File opened for modification: /etc/systemd/system/wg-iptables.service (wireguard-install.sh)
- Enumerates kernel/hardware configuration (1 TTPs, 3 IoCs)
  Reads contents of /sys virtual filesystem to enumerate system information.
  Processes: modprobe
  - File opened for reading: /sys/module/wireguard/initstate (modprobe)
  - File opened for reading: /sys/module/udp_tunnel/initstate (modprobe)
  - File opened for reading: /sys/module/ip6_udp_tunnel/initstate (modprobe)
- Reads runtime system information (57 IoCs)
  Reads data from /proc virtual filesystem.
  Processes: systemd-detect-virt, id, systemctl, modprobe, sed, apt-get, dpkg, xargs
- Writes file to tmp directory (43 IoCs)
  Malware often drops required files in the /tmp directory.
  Processes: apt-get, wireguard-install.sh
Processes
- /tmp/wireguard-install.sh: /tmp/wireguard-install.sh  [Modifies systemd; Writes file to tmp directory]
  - /bin/grep: grep -q dash
  - /bin/readlink: readlink /proc/1504/exe
  - /usr/bin/cut: cut -d . -f 1
  - /bin/uname: uname -r
  - /bin/grep: grep -qs ubuntu /etc/os-release
  - /usr/bin/tr: tr -d .
  - /usr/bin/cut: cut -d "\"" -f 2
  - /bin/grep: grep VERSION_ID /etc/os-release
  - /bin/grep: grep -q sbin
  - /usr/bin/systemd-detect-virt: systemd-detect-virt -cq  [Reads runtime system information]
  - /usr/bin/clear: clear
  - /bin/grep: grep -vEc "127(\\.[0-9]{1,3}){3}"
  - /bin/grep: grep inet
  - /sbin/ip: ip -4 addr
  - /bin/grep: grep -vEc "127(\\.[0-9]{1,3}){3}"
  - /bin/grep: grep inet
  - /sbin/ip: ip -4 addr
  - /usr/bin/nl: nl -s ") "
  - /bin/grep: grep -oE "[0-9]{1,3}(\\.[0-9]{1,3}){3}"
  - /usr/bin/cut: cut -d / -f 1
  - /bin/grep: grep -vE "127(\\.[0-9]{1,3}){3}"
  - /bin/grep: grep inet
  - /sbin/ip: ip -4 addr
  - /bin/grep: grep -oE "[0-9]{1,3}(\\.[0-9]{1,3}){3}"
  - /bin/sed: sed -n 1p  [Reads runtime system information]
  - /usr/bin/cut: cut -d / -f 1
  - /bin/grep: grep -vE "127(\\.[0-9]{1,3}){3}"
  - /bin/grep: grep inet
  - /sbin/ip: ip -4 addr
  - /bin/grep: grep -qE "^(10\\.|172\\.1[6789]\\.|172\\.2[0-9]\\.|172\\.3[01]\\.|192\\.168)"
  - /bin/grep: grep -c "inet6 [23]"
  - /sbin/ip: ip -6 addr
  - /bin/grep: grep -c "inet6 [23]"
  - /sbin/ip: ip -6 addr
  - /bin/sed: sed "s/[^0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_-]/_/g"  [Reads runtime system information]
  - /bin/grep: grep -qv 127.0.0.53
  - /bin/grep: grep "^nameserver" /etc/resolv.conf
  - /bin/sed: sed -e "s/ /, /g"  [Reads runtime system information]
  - /usr/bin/xargs: xargs  [Reads runtime system information]
    - /usr/local/sbin/echo: echo 1.1.1.1
    - /usr/local/bin/echo: echo 1.1.1.1
    - /usr/sbin/echo: echo 1.1.1.1
    - /usr/bin/echo: echo 1.1.1.1
    - /sbin/echo: echo 1.1.1.1
    - /bin/echo: echo 1.1.1.1
  - /bin/grep: grep -oE "[0-9]{1,3}(\\.[0-9]{1,3}){3}"
  - /bin/grep: grep -v 127.0.0.53
  - /bin/grep: grep "^nameserver"
  - /bin/grep: grep -v "^#\\|^;" /run/systemd/resolve/resolv.conf
  - /bin/systemctl: systemctl is-active --quiet firewalld.service  [Reads runtime system information]
  - /usr/bin/apt-get: apt-get update  [Reads runtime system information; Writes file to tmp directory]
    - /usr/bin/dpkg: /usr/bin/dpkg --print-foreign-architectures  [Reads runtime system information]
    - /usr/lib/apt/methods/http: /usr/lib/apt/methods/http
    - /usr/lib/apt/methods/https: /usr/lib/apt/methods/https
    - /bin/sh: sh -c "[ ! -e /run/systemd/system ] || [ \$(id -u) -ne 0 ] || systemctl start --no-block apt-news.service esm-cache.service || true"
      - /usr/bin/id: id -u  [Reads runtime system information]
      - /bin/systemctl: systemctl start --no-block apt-news.service esm-cache.service  [Reads runtime system information]
    - /usr/lib/apt/methods/https: /usr/lib/apt/methods/https
    - /usr/lib/apt/methods/http: /usr/lib/apt/methods/http
    - /usr/lib/apt/methods/http: /usr/lib/apt/methods/http
    - /usr/bin/dpkg: /usr/bin/dpkg --print-foreign-architectures  [Reads runtime system information]
    - /usr/bin/dpkg: /usr/bin/dpkg --print-foreign-architectures  [Reads runtime system information]
  - /usr/bin/apt-get: apt-get install -y wireguard qrencode  [Reads runtime system information; Writes file to tmp directory]
    - /usr/bin/dpkg: /usr/bin/dpkg --print-foreign-architectures  [Reads runtime system information]
    - /usr/bin/dpkg: /usr/bin/dpkg --print-foreign-architectures  [Reads runtime system information]
    - /usr/lib/apt/methods/http: /usr/lib/apt/methods/http
    - /usr/lib/apt/methods/http: /usr/lib/apt/methods/http
  - /bin/chmod: chmod 600 /etc/wireguard/wg0.conf
  - /bin/systemctl: systemctl is-active --quiet firewalld.service  [Reads runtime system information]
  - /usr/bin/systemd-detect-virt: systemd-detect-virt  [Checks hardware identifiers (DMI); Reads runtime system information]
  - /bin/systemctl: systemctl enable --now wg-iptables.service  [Reads runtime system information]
  - /bin/grep: grep -q 2
  - /usr/bin/cut: cut -d / -f 1
  - /usr/bin/cut: cut -d . -f 4
  - /bin/grep: grep AllowedIPs /etc/wireguard/wg0.conf
  - /bin/grep: grep -q fddd:2c4:2c4:2c4::1 /etc/wireguard/wg0.conf
  - /bin/grep: grep -q fddd:2c4:2c4:2c4::1 /etc/wireguard/wg0.conf
  - /usr/bin/cut: cut -d " " -f 3
  - /bin/grep: grep PrivateKey /etc/wireguard/wg0.conf
  - /usr/bin/cut: cut -d " " -f 3
  - /bin/grep: grep "^# ENDPOINT" /etc/wireguard/wg0.conf
  - /usr/bin/cut: cut -d " " -f 3
  - /bin/grep: grep ListenPort /etc/wireguard/wg0.conf
  - /bin/cat: cat
  - /bin/systemctl
  - /sbin/modprobe: modprobe -nq wireguard  [Enumerates kernel/hardware configuration; Reads runtime system information]
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- /etc/sysctl.d/99-wireguard-forward.conf
  Filesize: 22B
  MD5: 4c34a122be1a37adc4161ae754d87b40
  SHA1: b44af8c75ec83749700ddd8a789aaf1f0bac7093
  SHA256: 7de9e61bfd3ef0b34bcacfba0fcbd0896611812ed74015f2dac1446c3bacd743
  SHA512: b178270f7535bf8a795766917a5bd0c5d375e280b6d54c7789dd59a665ebae85f6a880dfb5167c2084c6fb5ad4ba78780a2ca8456847e63c29db252b21fee4db
- /etc/systemd/system/wg-iptables.service
  Filesize: 658B
  MD5: c40e170cb3921aeea422d44a338c80db
  SHA1: 2f7ea2ba7bd8d6b20ac1ea95462d9b55380f9331
  SHA256: 49f53ef359f924e44e019cf2b1af98ff8903a67b824fb6d955f693ad311a3a72
  SHA512: ff6ebeb3ee87751eb47c413b95ae15d988b82759ed44fba85e0eaa8e53828af94d5e90f469d2393c427dbeb886c0c50bbf29d9e709a0fb45c2bb6e8b4fbe64c2
- /etc/systemd/system/wg-iptables.service
  Filesize: 715B
  MD5: 37e26953053bffa855489c1c4c331c4e
  SHA1: 44cf26611ab8dced5a62b3f9e204481a01d75780
  SHA256: 03f9ecfb80f113af4f3bd34668cb1ff98de54bce6d4aa0abf8c4b718096bfc84
  SHA512: cef1f18b9f625190150532a33d844a33a07aa3fc3f2203f1cf5dba7f01c4100664e8a551f79cdd0c35a9e239166b4cc8de7476de398d7028da2c3bb503bd2600
- /root/client.conf
  Filesize: 167B
  MD5: 2891184a4130abd6f96ff68fa6108abd
  SHA1: 51c06abe0ce0cb4a12047b4cb3f2c3b6b3f14f35
  SHA256: c38866e3199a3221b97b3199f55b36e73d31760d99504ef571bfe42d50ec11da
  SHA512: acaf620daedbfbf2e081df39efda4184f007943e8504993787a15c04c08c06d8d78b46bca64b4daadd0cdb02e72377eaedc0d7123f6ccc4cf0878adb1048c9d2
- /tmp/fileutl.message.N4EZzP
  Filesize: 235KB
  MD5: 373fe2f2ef99005d2550a482f09a3e51
  SHA1: 68e6572b55b1e77f7d171ebac7b2579b7a6bd51d
  SHA256: 7552d5ab0c3879756a860aaab8e7c2f8ffb9409ea9ff9e65fc046ba5c519ebe5
  SHA512: def9e854b824d2fddc6a15f898be73cfb679ac38563f5af854546f49c9d5d2316a40176dc41d6b360bda7b65de53863a53e4eedadf6336000b031b77a113607b
- /tmp/sh-thd.SxxyyL
  Filesize: 71B
  MD5: 6f4b7339a159ba1d9fa0efcaf5139228
  SHA1: 3bf8bb73dd70ffbbe5ce6cb42664e6672a43c077
  SHA256: 550e404887af5f1126258b0c09e96ad4bd49adc43dd7652bd67a1c298d090211
  SHA512: a0cd9dc4d19a7921ac5eac6ade13ef8b7311521ce9dd252bf7750622d4b00ccb100ae08f73797f6f33abb73ec70f2e3e6428d5fd9e066672d372f1c7702a2908