Analysis Overview
SHA256
24144660b3144ce7a288b6eab8f7c2c5386230ff06186f3a2517639c56d43fc9
Threat Level: Shows suspicious behavior
The file wireguard-install.sh was found to show suspicious behavior (no malicious verdict; the signatures below are generic installer behaviors: virtualization and hardware checks, a systemd unit write, package installation, and temporary files).
Malicious Activity Summary
Checks hardware identifiers (DMI)
Modifies systemd
Enumerates kernel/hardware configuration
Reads runtime system information
Writes file to tmp directory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-21 05:38
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-21 05:38
Reported
2024-05-21 06:10
Platform
ubuntu1804-amd64-20240508-en
Max time kernel
2s
Max time network
128s
Command Line
Signatures
Checks hardware identifiers (DMI)
| Description | Indicator | Process | Target |
| File opened for reading | /sys/class/dmi/id/product_name | /usr/bin/systemd-detect-virt | N/A |
| File opened for reading | /sys/class/dmi/id/sys_vendor | /usr/bin/systemd-detect-virt | N/A |
Modifies systemd
| Description | Indicator | Process | Target |
| File opened for modification | /etc/systemd/system/wg-iptables.service | /tmp/wireguard-install.sh | N/A |
Enumerates kernel/hardware configuration
| Description | Indicator | Process | Target |
| File opened for reading | /sys/module/wireguard/initstate | /sbin/modprobe | N/A |
| File opened for reading | /sys/module/udp_tunnel/initstate | /sbin/modprobe | N/A |
| File opened for reading | /sys/module/ip6_udp_tunnel/initstate | /sbin/modprobe | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/self/stat | /usr/bin/systemd-detect-virt | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/id | N/A |
| File opened for reading | /proc/sys/kernel/osrelease | /bin/systemctl | N/A |
| File opened for reading | /proc/filesystems | /bin/systemctl | N/A |
| File opened for reading | /proc/cmdline | /sbin/modprobe | N/A |
| File opened for reading | /proc/1/sched | /bin/systemctl | N/A |
| File opened for reading | /proc/1/environ | /bin/systemctl | N/A |
| File opened for reading | /proc/sys/kernel/osrelease | /usr/bin/systemd-detect-virt | N/A |
| File opened for reading | /proc/sys/kernel/osrelease | /bin/systemctl | N/A |
| File opened for reading | /proc/sys/kernel/osrelease | /bin/systemctl | N/A |
| File opened for reading | /proc/1/environ | /usr/bin/systemd-detect-virt | N/A |
| File opened for reading | /proc/filesystems | /bin/sed | N/A |
| File opened for reading | /proc/1/environ | /bin/systemctl | N/A |
| File opened for reading | /proc/filesystems | /bin/systemctl | N/A |
| File opened for reading | /proc/1/environ | /bin/systemctl | N/A |
| File opened for reading | /proc/1/environ | /bin/systemctl | N/A |
| File opened for reading | /proc/self/fd | /usr/bin/apt-get | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/systemd-detect-virt | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/dpkg | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/dpkg | N/A |
| File opened for reading | /proc/cmdline | /bin/systemctl | N/A |
| File opened for reading | /proc/cmdline | /usr/bin/systemd-detect-virt | N/A |
| File opened for reading | /proc/filesystems | /bin/systemctl | N/A |
| File opened for reading | /proc/cmdline | /bin/systemctl | N/A |
| File opened for reading | /proc/filesystems | /bin/systemctl | N/A |
| File opened for reading | /proc/self/fd | /usr/bin/apt-get | N/A |
| File opened for reading | /proc/filesystems | /bin/systemctl | N/A |
| File opened for reading | /proc/1/environ | /usr/bin/systemd-detect-virt | N/A |
| File opened for reading | /proc/1/sched | /bin/systemctl | N/A |
| File opened for reading | /proc/sys/kernel/osrelease | /bin/systemctl | N/A |
| File opened for reading | /proc/cmdline | /bin/systemctl | N/A |
| File opened for reading | /proc/filesystems | /bin/sed | N/A |
| File opened for reading | /proc/self/stat | /bin/systemctl | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/dpkg | N/A |
| File opened for reading | /proc/sys/kernel/osrelease | /bin/systemctl | N/A |
| File opened for reading | /proc/1/sched | /bin/systemctl | N/A |
| File opened for reading | /proc/filesystems | /bin/sed | N/A |
| File opened for reading | /proc/1/sched | /bin/systemctl | N/A |
| File opened for reading | /proc/cmdline | /bin/systemctl | N/A |
| File opened for reading | /proc/self/stat | /bin/systemctl | N/A |
| File opened for reading | /proc/self/stat | /bin/systemctl | N/A |
| File opened for reading | /proc/cmdline | /bin/systemctl | N/A |
| File opened for reading | /proc/self/stat | /bin/systemctl | N/A |
| File opened for reading | /proc/1/sched | /usr/bin/systemd-detect-virt | N/A |
| File opened for reading | /proc/self/fd | /usr/bin/xargs | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/dpkg | N/A |
| File opened for reading | /proc/sys/kernel/ngroups_max | /usr/bin/apt-get | N/A |
| File opened for reading | /proc/1/sched | /usr/bin/systemd-detect-virt | N/A |
| File opened for reading | /proc/1/environ | /bin/systemctl | N/A |
| File opened for reading | /proc/self/stat | /bin/systemctl | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/dpkg | N/A |
| File opened for reading | /proc/sys/kernel/ngroups_max | /usr/bin/apt-get | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/systemd-detect-virt | N/A |
| File opened for reading | /proc/self/stat | /usr/bin/systemd-detect-virt | N/A |
| File opened for reading | /proc/sys/kernel/osrelease | /usr/bin/systemd-detect-virt | N/A |
| File opened for reading | /proc/cmdline | /usr/bin/systemd-detect-virt | N/A |
| File opened for reading | /proc/1/sched | /bin/systemctl | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/fileutl.message.nohRDr | /usr/bin/apt-get | N/A |
| File opened for modification | /tmp/fileutl.message.ffc9QZ | /usr/bin/apt-get | N/A |
| File opened for modification | /tmp/fileutl.message.R6yPLq | /usr/bin/apt-get | N/A |
| File opened for modification | /tmp/fileutl.message.dm29c8 | /usr/bin/apt-get | N/A |
| File opened for modification | /tmp/sh-thd.dr6DkI | /tmp/wireguard-install.sh | N/A |
| File opened for modification | /tmp/sh-thd.39K4ds | /tmp/wireguard-install.sh | N/A |
| File opened for modification | /tmp/fileutl.message.PzAxhA | /usr/bin/apt-get | N/A |
| File opened for modification | /tmp/fileutl.message.3uVNDG | /usr/bin/apt-get | N/A |
| File opened for modification | /tmp/fileutl.message.prScf3 | /usr/bin/apt-get | N/A |
| File opened for modification | /tmp/fileutl.message.JiSnom | /usr/bin/apt-get | N/A |
| File opened for modification | /tmp/sh-thd.0JfNMH | /tmp/wireguard-install.sh | N/A |
| File opened for modification | /tmp/fileutl.message.7IBdOV | /usr/bin/apt-get | N/A |
| File opened for modification | /tmp/fileutl.message.5GkSPq | /usr/bin/apt-get | N/A |
| File opened for modification | /tmp/fileutl.message.R0Tgs8 | /usr/bin/apt-get | N/A |
| File opened for modification | /tmp/sh-thd.ylXa8M | /tmp/wireguard-install.sh | N/A |
| File opened for modification | /tmp/fileutl.message.hk0bel | /usr/bin/apt-get | N/A |
| File opened for modification | /tmp/fileutl.message.FVMRm2 | /usr/bin/apt-get | N/A |
| File opened for modification | /tmp/fileutl.message.HlJNRw | /usr/bin/apt-get | N/A |
| File opened for modification | /tmp/fileutl.message.vhD3EV | /usr/bin/apt-get | N/A |
| File opened for modification | /tmp/sh-thd.nvhD3E | /tmp/wireguard-install.sh | N/A |
| File opened for modification | /tmp/fileutl.message.N4EZzP | /usr/bin/apt-get | N/A |
| File opened for modification | /tmp/fileutl.message.byaM1M | /usr/bin/apt-get | N/A |
| File opened for modification | /tmp/fileutl.message.7pYFi6 | /usr/bin/apt-get | N/A |
| File opened for modification | /tmp/fileutl.message.xeKhOq | /usr/bin/apt-get | N/A |
| File opened for modification | /tmp/fileutl.message.Xf2r87 | /usr/bin/apt-get | N/A |
| File opened for modification | /tmp/fileutl.message.zv4w4C | /usr/bin/apt-get | N/A |
| File opened for modification | /tmp/fileutl.message.VR2kuk | /usr/bin/apt-get | N/A |
| File opened for modification | /tmp/fileutl.message.3sI661 | /usr/bin/apt-get | N/A |
| File opened for modification | /tmp/fileutl.message.xxBK4x | /usr/bin/apt-get | N/A |
| File opened for modification | /tmp/fileutl.message.nChTqT | /usr/bin/apt-get | N/A |
| File opened for modification | /tmp/fileutl.message.ZzubuP | /usr/bin/apt-get | N/A |
| File opened for modification | /tmp/fileutl.message.pAuXfe | /usr/bin/apt-get | N/A |
| File opened for modification | /tmp/fileutl.message.XvbZkJ | /usr/bin/apt-get | N/A |
| File opened for modification | /tmp/fileutl.message.zaxn7w | /usr/bin/apt-get | N/A |
| File opened for modification | /tmp/sh-thd.SxxyyL | /tmp/wireguard-install.sh | N/A |
| File opened for modification | /tmp/fileutl.message.DVyDGn | /usr/bin/apt-get | N/A |
| File opened for modification | /tmp/fileutl.message.rVjNNH | /usr/bin/apt-get | N/A |
| File opened for modification | /tmp/fileutl.message.dCfMb2 | /usr/bin/apt-get | N/A |
| File opened for modification | /tmp/fileutl.message.D8NuuJ | /usr/bin/apt-get | N/A |
| File opened for modification | /tmp/fileutl.message.nmauU1 | /usr/bin/apt-get | N/A |
| File opened for modification | /tmp/fileutl.message.BKn0EP | /usr/bin/apt-get | N/A |
| File opened for modification | /tmp/fileutl.message.TyCsXt | /usr/bin/apt-get | N/A |
| File opened for modification | /tmp/fileutl.message.1hcEPe | /usr/bin/apt-get | N/A |
Processes
/tmp/wireguard-install.sh
[/tmp/wireguard-install.sh]
/bin/grep
[grep -q dash]
/bin/readlink
[readlink /proc/1504/exe]
/usr/bin/cut
[cut -d . -f 1]
/bin/uname
[uname -r]
/bin/grep
[grep -qs ubuntu /etc/os-release]
/usr/bin/tr
[tr -d .]
/usr/bin/cut
[cut -d " -f 2]
/bin/grep
[grep VERSION_ID /etc/os-release]
/bin/grep
[grep -q sbin]
/usr/bin/systemd-detect-virt
[systemd-detect-virt -cq]
/usr/bin/clear
[clear]
/bin/grep
[grep -vEc 127(\.[0-9]{1,3}){3}]
/bin/grep
[grep inet]
/sbin/ip
[ip -4 addr]
/bin/grep
[grep -vEc 127(\.[0-9]{1,3}){3}]
/bin/grep
[grep inet]
/sbin/ip
[ip -4 addr]
/usr/bin/nl
[nl -s ) ]
/bin/grep
[grep -oE [0-9]{1,3}(\.[0-9]{1,3}){3}]
/usr/bin/cut
[cut -d / -f 1]
/bin/grep
[grep -vE 127(\.[0-9]{1,3}){3}]
/bin/grep
[grep inet]
/sbin/ip
[ip -4 addr]
/bin/grep
[grep -oE [0-9]{1,3}(\.[0-9]{1,3}){3}]
/bin/sed
[sed -n 1p]
/usr/bin/cut
[cut -d / -f 1]
/bin/grep
[grep -vE 127(\.[0-9]{1,3}){3}]
/bin/grep
[grep inet]
/sbin/ip
[ip -4 addr]
/bin/grep
[grep -qE ^(10\.|172\.1[6789]\.|172\.2[0-9]\.|172\.3[01]\.|192\.168)]
/bin/grep
[grep -c inet6 [23]]
/sbin/ip
[ip -6 addr]
/bin/grep
[grep -c inet6 [23]]
/sbin/ip
[ip -6 addr]
/bin/sed
[sed s/[^0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_-]/_/g]
/bin/grep
[grep -qv 127.0.0.53]
/bin/grep
[grep ^nameserver /etc/resolv.conf]
/bin/sed
[sed -e s/ /, /g]
/usr/bin/xargs
[xargs]
/bin/grep
[grep -oE [0-9]{1,3}(\.[0-9]{1,3}){3}]
/bin/grep
[grep -v 127.0.0.53]
/bin/grep
[grep ^nameserver]
/bin/grep
[grep -v ^#\|^; /run/systemd/resolve/resolv.conf]
/usr/local/sbin/echo
[echo 1.1.1.1]
/usr/local/bin/echo
[echo 1.1.1.1]
/usr/sbin/echo
[echo 1.1.1.1]
/usr/bin/echo
[echo 1.1.1.1]
/sbin/echo
[echo 1.1.1.1]
/bin/echo
[echo 1.1.1.1]
/bin/systemctl
[systemctl is-active --quiet firewalld.service]
/usr/bin/apt-get
[apt-get update]
/usr/bin/dpkg
[/usr/bin/dpkg --print-foreign-architectures]
/usr/lib/apt/methods/http
[/usr/lib/apt/methods/http]
/usr/lib/apt/methods/https
[/usr/lib/apt/methods/https]
/bin/sh
[sh -c [ ! -e /run/systemd/system ] || [ $(id -u) -ne 0 ] || systemctl start --no-block apt-news.service esm-cache.service || true]
/usr/bin/id
[id -u]
/bin/systemctl
[systemctl start --no-block apt-news.service esm-cache.service]
/usr/lib/apt/methods/https
[/usr/lib/apt/methods/https]
/usr/lib/apt/methods/http
[/usr/lib/apt/methods/http]
/usr/lib/apt/methods/http
[/usr/lib/apt/methods/http]
/usr/bin/dpkg
[/usr/bin/dpkg --print-foreign-architectures]
/usr/bin/dpkg
[/usr/bin/dpkg --print-foreign-architectures]
/usr/bin/apt-get
[apt-get install -y wireguard qrencode]
/usr/bin/dpkg
[/usr/bin/dpkg --print-foreign-architectures]
/usr/bin/dpkg
[/usr/bin/dpkg --print-foreign-architectures]
/usr/lib/apt/methods/http
[/usr/lib/apt/methods/http]
/usr/lib/apt/methods/http
[/usr/lib/apt/methods/http]
/bin/chmod
[chmod 600 /etc/wireguard/wg0.conf]
/bin/systemctl
[systemctl is-active --quiet firewalld.service]
/usr/bin/systemd-detect-virt
[systemd-detect-virt]
/bin/systemctl
[systemctl enable --now wg-iptables.service]
/bin/grep
[grep -q 2]
/usr/bin/cut
[cut -d / -f 1]
/usr/bin/cut
[cut -d . -f 4]
/bin/grep
[grep AllowedIPs /etc/wireguard/wg0.conf]
/bin/grep
[grep -q fddd:2c4:2c4:2c4::1 /etc/wireguard/wg0.conf]
/bin/grep
[grep -q fddd:2c4:2c4:2c4::1 /etc/wireguard/wg0.conf]
/usr/bin/cut
[cut -d -f 3]
/bin/grep
[grep PrivateKey /etc/wireguard/wg0.conf]
/usr/bin/cut
[cut -d -f 3]
/bin/grep
[grep ^# ENDPOINT /etc/wireguard/wg0.conf]
/usr/bin/cut
[cut -d -f 3]
/bin/grep
[grep ListenPort /etc/wireguard/wg0.conf]
/bin/cat
[cat]
/bin/systemctl
[systemctl enable --now wg-quick@wg0.service]
/sbin/modprobe
[modprobe -nq wireguard]
Network
| Country | Destination | Domain | Proto |
| GB | 185.125.188.62:443 | | tcp |
| GB | 185.125.188.61:443 | | tcp |
| US | 151.101.65.91:443 | | tcp |
| US | 151.101.65.91:443 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | _http._tcp.security.ubuntu.com | udp |
| US | 1.1.1.1:53 | _https._tcp.deb.nodesource.com | udp |
| US | 1.1.1.1:53 | _http._tcp.nl.archive.ubuntu.com | udp |
| GB | 195.181.164.19:443 | | tcp |
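Most of the rows in the Signatures and Network tables above are produced not by the sample but by the tools it spawns: the DMI and /proc reads come from systemd-detect-virt, systemctl, modprobe, dpkg and apt-get, the /tmp/fileutl.message.* writes are apt-get's own (see the Process column), the /tmp/sh-thd.* files are the temporary files bash creates for here-documents, and the _http._tcp/_https._tcp DNS queries are the SRV lookups apt performs before contacting a mirror. The question a reviewer actually has to answer is which indicators were written or touched by /tmp/wireguard-install.sh itself, and whether any of those land under a persistence path. The following triage helper is an added example, not part of the report or of the analysed script; it takes a handful of the rows above as constructed input, attributes each signature to the sample or to a child tool, isolates the sample's persistence-relevant writes, separates explained from unexplained tmp files, and labels each network row structurally. Function names, the BENIGN_TMP and PERSISTENCE lists and the output format are this example's own choices.

```python
"""Triage helper for a sandbox report of a shell installer.

Added example, not part of the report above or of the analysed script.
Rows from the report's Signatures and Network tables are embedded below
as constructed sample input; all function names are this example's own.
"""
from collections import defaultdict

SAMPLE = "/tmp/wireguard-install.sh"

# Constructed input: a subset of the report's signature rows as
# (signature, indicator, process).
SIGNATURE_ROWS = """
| Checks hardware identifiers (DMI) | /sys/class/dmi/id/product_name | /usr/bin/systemd-detect-virt |
| Modifies systemd | /etc/systemd/system/wg-iptables.service | /tmp/wireguard-install.sh |
| Enumerates kernel/hardware configuration | /sys/module/wireguard/initstate | /sbin/modprobe |
| Reads runtime system information | /proc/1/environ | /bin/systemctl |
| Reads runtime system information | /proc/self/fd | /usr/bin/apt-get |
| Writes file to tmp directory | /tmp/fileutl.message.nohRDr | /usr/bin/apt-get |
| Writes file to tmp directory | /tmp/sh-thd.dr6DkI | /tmp/wireguard-install.sh |
"""

# Constructed input: a subset of the report's network rows as
# (country, destination, domain, proto); the domain cell may be blank.
NETWORK_ROWS = """
| GB | 185.125.188.62:443 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | _http._tcp.security.ubuntu.com | udp |
| GB | 195.181.164.19:443 | | tcp |
"""

# Temp-file prefixes with a known benign origin: bash here-document files
# ("sh-thd") and the apt-get message files seen in the report.
BENIGN_TMP = ("/tmp/sh-thd.", "/tmp/fileutl.message.")

# Persistence-relevant locations (this example's list, extend as needed).
PERSISTENCE = ("/etc/systemd/system/", "/etc/cron", "/etc/rc.local", "/etc/profile.d/")


def parse_rows(table):
    """Split pipe-delimited rows into lists of stripped cells, keeping blank cells."""
    return [[c.strip() for c in line.strip().strip("|").split("|")]
            for line in table.strip().splitlines()]


def attribute_signatures(table, sample=SAMPLE):
    """Map each signature to indicators hit by the sample vs. by child tools."""
    out = defaultdict(lambda: {"sample": [], "tools": defaultdict(list)})
    for sig, indicator, proc in parse_rows(table):
        if proc == sample:
            out[sig]["sample"].append(indicator)
        else:
            out[sig]["tools"][proc].append(indicator)
    return out


def persistence_writes(table, sample=SAMPLE):
    """Indicators the sample itself touched under a persistence path."""
    return [ind for _, ind, proc in parse_rows(table)
            if proc == sample and ind.startswith(PERSISTENCE)]


def sample_tmp_writes(table, sample=SAMPLE):
    """Split the sample's own /tmp writes into (explained, unexplained)."""
    explained, unexplained = [], []
    for _, ind, proc in parse_rows(table):
        if proc != sample or not ind.startswith("/tmp/"):
            continue
        (explained if ind.startswith(BENIGN_TMP) else unexplained).append(ind)
    return explained, unexplained


def classify_network(table):
    """Label each row: apt SRV lookup, mDNS multicast, or egress to verify."""
    labels = []
    for _country, dest, domain, proto in parse_rows(table):
        host, port = dest.rsplit(":", 1)
        if domain.startswith(("_http._tcp.", "_https._tcp.")):
            label = "dns-srv lookup (apt mirror discovery)"
        elif host == "224.0.0.251" and port == "5353":
            label = "mDNS multicast (link-local, not egress)"
        else:
            label = f"{proto} egress to port {port}; verify destination owner"
        labels.append((dest, domain, label))
    return labels


if __name__ == "__main__":
    for sig, hits in attribute_signatures(SIGNATURE_ROWS).items():
        print(f"{sig}: sample={hits['sample']} tools={dict(hits['tools'])}")
    print("persistence:", persistence_writes(SIGNATURE_ROWS))
    print("tmp (explained, unexplained):", sample_tmp_writes(SIGNATURE_ROWS))
    for dest, domain, label in classify_network(NETWORK_ROWS):
        print(f"{dest:22} {domain:36} {label}")
```

On the rows above, the only write attributable to the sample under a persistence path is /etc/systemd/system/wg-iptables.service, which is exactly the unit the process list later enables; every DMI and /proc read is owned by a system tool, and the sample's own tmp files are all bash here-document files. That is the check that turns a generic "suspicious" verdict into a reviewable statement about what the script changed on the host.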
Files
/tmp/sh-thd.SxxyyL
| MD5 | 6f4b7339a159ba1d9fa0efcaf5139228 |
| SHA1 | 3bf8bb73dd70ffbbe5ce6cb42664e6672a43c077 |
| SHA256 | 550e404887af5f1126258b0c09e96ad4bd49adc43dd7652bd67a1c298d090211 |
| SHA512 | a0cd9dc4d19a7921ac5eac6ade13ef8b7311521ce9dd252bf7750622d4b00ccb100ae08f73797f6f33abb73ec70f2e3e6428d5fd9e066672d372f1c7702a2908 |
/tmp/fileutl.message.N4EZzP
| MD5 | 373fe2f2ef99005d2550a482f09a3e51 |
| SHA1 | 68e6572b55b1e77f7d171ebac7b2579b7a6bd51d |
| SHA256 | 7552d5ab0c3879756a860aaab8e7c2f8ffb9409ea9ff9e65fc046ba5c519ebe5 |
| SHA512 | def9e854b824d2fddc6a15f898be73cfb679ac38563f5af854546f49c9d5d2316a40176dc41d6b360bda7b65de53863a53e4eedadf6336000b031b77a113607b |
/etc/sysctl.d/99-wireguard-forward.conf
| MD5 | 4c34a122be1a37adc4161ae754d87b40 |
| SHA1 | b44af8c75ec83749700ddd8a789aaf1f0bac7093 |
| SHA256 | 7de9e61bfd3ef0b34bcacfba0fcbd0896611812ed74015f2dac1446c3bacd743 |
| SHA512 | b178270f7535bf8a795766917a5bd0c5d375e280b6d54c7789dd59a665ebae85f6a880dfb5167c2084c6fb5ad4ba78780a2ca8456847e63c29db252b21fee4db |
/etc/systemd/system/wg-iptables.service
| MD5 | c40e170cb3921aeea422d44a338c80db |
| SHA1 | 2f7ea2ba7bd8d6b20ac1ea95462d9b55380f9331 |
| SHA256 | 49f53ef359f924e44e019cf2b1af98ff8903a67b824fb6d955f693ad311a3a72 |
| SHA512 | ff6ebeb3ee87751eb47c413b95ae15d988b82759ed44fba85e0eaa8e53828af94d5e90f469d2393c427dbeb886c0c50bbf29d9e709a0fb45c2bb6e8b4fbe64c2 |
/etc/systemd/system/wg-iptables.service
| MD5 | 37e26953053bffa855489c1c4c331c4e |
| SHA1 | 44cf26611ab8dced5a62b3f9e204481a01d75780 |
| SHA256 | 03f9ecfb80f113af4f3bd34668cb1ff98de54bce6d4aa0abf8c4b718096bfc84 |
| SHA512 | cef1f18b9f625190150532a33d844a33a07aa3fc3f2203f1cf5dba7f01c4100664e8a551f79cdd0c35a9e239166b4cc8de7476de398d7028da2c3bb503bd2600 |
/root/client.conf
| MD5 | 2891184a4130abd6f96ff68fa6108abd |
| SHA1 | 51c06abe0ce0cb4a12047b4cb3f2c3b6b3f14f35 |
| SHA256 | c38866e3199a3221b97b3199f55b36e73d31760d99504ef571bfe42d50ec11da |
| SHA512 | acaf620daedbfbf2e081df39efda4184f007943e8504993787a15c04c08c06d8d78b46bca64b4daadd0cdb02e72377eaedc0d7123f6ccc4cf0878adb1048c9d2 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-21 05:38
Reported
2024-05-21 06:11
Platform
debian9-armhf-20240418-en
Command Line
Signatures
Processes
Network
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-05-21 05:38
Reported
2024-05-21 06:08
Platform
debian9-mipsbe-20240226-en
Command Line
Signatures
Processes
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-05-21 05:38
Reported
2024-05-21 06:09
Platform
debian9-mipsel-20240418-en