Malware Analysis Report

2024-10-24 21:45

Sample ID: 240521-gbxwasde39
Target: wireguard-install.sh
SHA256: 24144660b3144ce7a288b6eab8f7c2c5386230ff06186f3a2517639c56d43fc9
Tags: antivm, persistence
Score: 6/10


Analysis Overview

Score: 6/10

SHA256: 24144660b3144ce7a288b6eab8f7c2c5386230ff06186f3a2517639c56d43fc9

Threat Level: Shows suspicious behavior

The file wireguard-install.sh was found to be: Shows suspicious behavior.

Malicious Activity Summary

Tags: antivm, persistence

Checks hardware identifiers (DMI)

Modifies systemd

Enumerates kernel/hardware configuration

Reads runtime system information

Writes file to tmp directory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-05-21 05:38

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-21 05:38
Reported: 2024-05-21 06:10
Platform: ubuntu1804-amd64-20240508-en
Max time kernel: 2s
Max time network: 128s

Command Line

[/tmp/wireguard-install.sh]

Signatures

Checks hardware identifiers (DMI)

Tag: antivm

Description | Indicator | Process | Target
File opened for reading | /sys/class/dmi/id/product_name | /usr/bin/systemd-detect-virt | N/A
File opened for reading | /sys/class/dmi/id/sys_vendor | /usr/bin/systemd-detect-virt | N/A

Modifies systemd

Tag: persistence

Description | Indicator | Process | Target
File opened for modification | /etc/systemd/system/wg-iptables.service | /tmp/wireguard-install.sh | N/A

Enumerates kernel/hardware configuration

Description | Indicator | Process | Target
File opened for reading | /sys/module/wireguard/initstate | /sbin/modprobe | N/A
File opened for reading | /sys/module/udp_tunnel/initstate | /sbin/modprobe | N/A
File opened for reading | /sys/module/ip6_udp_tunnel/initstate | /sbin/modprobe | N/A

Reads runtime system information

Description | Indicator | Process | Target
File opened for reading | /proc/self/stat | /usr/bin/systemd-detect-virt | N/A
File opened for reading | /proc/filesystems | /usr/bin/id | N/A
File opened for reading | /proc/sys/kernel/osrelease | /bin/systemctl | N/A
File opened for reading | /proc/filesystems | /bin/systemctl | N/A
File opened for reading | /proc/cmdline | /sbin/modprobe | N/A
File opened for reading | /proc/1/sched | /bin/systemctl | N/A
File opened for reading | /proc/1/environ | /bin/systemctl | N/A
File opened for reading | /proc/sys/kernel/osrelease | /usr/bin/systemd-detect-virt | N/A
File opened for reading | /proc/sys/kernel/osrelease | /bin/systemctl | N/A
File opened for reading | /proc/sys/kernel/osrelease | /bin/systemctl | N/A
File opened for reading | /proc/1/environ | /usr/bin/systemd-detect-virt | N/A
File opened for reading | /proc/filesystems | /bin/sed | N/A
File opened for reading | /proc/1/environ | /bin/systemctl | N/A
File opened for reading | /proc/filesystems | /bin/systemctl | N/A
File opened for reading | /proc/1/environ | /bin/systemctl | N/A
File opened for reading | /proc/1/environ | /bin/systemctl | N/A
File opened for reading | /proc/self/fd | /usr/bin/apt-get | N/A
File opened for reading | /proc/filesystems | /usr/bin/systemd-detect-virt | N/A
File opened for reading | /proc/filesystems | /usr/bin/dpkg | N/A
File opened for reading | /proc/filesystems | /usr/bin/dpkg | N/A
File opened for reading | /proc/cmdline | /bin/systemctl | N/A
File opened for reading | /proc/cmdline | /usr/bin/systemd-detect-virt | N/A
File opened for reading | /proc/filesystems | /bin/systemctl | N/A
File opened for reading | /proc/cmdline | /bin/systemctl | N/A
File opened for reading | /proc/filesystems | /bin/systemctl | N/A
File opened for reading | /proc/self/fd | /usr/bin/apt-get | N/A
File opened for reading | /proc/filesystems | /bin/systemctl | N/A
File opened for reading | /proc/1/environ | /usr/bin/systemd-detect-virt | N/A
File opened for reading | /proc/1/sched | /bin/systemctl | N/A
File opened for reading | /proc/sys/kernel/osrelease | /bin/systemctl | N/A
File opened for reading | /proc/cmdline | /bin/systemctl | N/A
File opened for reading | /proc/filesystems | /bin/sed | N/A
File opened for reading | /proc/self/stat | /bin/systemctl | N/A
File opened for reading | /proc/filesystems | /usr/bin/dpkg | N/A
File opened for reading | /proc/sys/kernel/osrelease | /bin/systemctl | N/A
File opened for reading | /proc/1/sched | /bin/systemctl | N/A
File opened for reading | /proc/filesystems | /bin/sed | N/A
File opened for reading | /proc/1/sched | /bin/systemctl | N/A
File opened for reading | /proc/cmdline | /bin/systemctl | N/A
File opened for reading | /proc/self/stat | /bin/systemctl | N/A
File opened for reading | /proc/self/stat | /bin/systemctl | N/A
File opened for reading | /proc/cmdline | /bin/systemctl | N/A
File opened for reading | /proc/self/stat | /bin/systemctl | N/A
File opened for reading | /proc/1/sched | /usr/bin/systemd-detect-virt | N/A
File opened for reading | /proc/self/fd | /usr/bin/xargs | N/A
File opened for reading | /proc/filesystems | /usr/bin/dpkg | N/A
File opened for reading | /proc/sys/kernel/ngroups_max | /usr/bin/apt-get | N/A
File opened for reading | /proc/1/sched | /usr/bin/systemd-detect-virt | N/A
File opened for reading | /proc/1/environ | /bin/systemctl | N/A
File opened for reading | /proc/self/stat | /bin/systemctl | N/A
File opened for reading | /proc/filesystems | /usr/bin/dpkg | N/A
File opened for reading | /proc/sys/kernel/ngroups_max | /usr/bin/apt-get | N/A
File opened for reading | /proc/filesystems | /usr/bin/systemd-detect-virt | N/A
File opened for reading | /proc/self/stat | /usr/bin/systemd-detect-virt | N/A
File opened for reading | /proc/sys/kernel/osrelease | /usr/bin/systemd-detect-virt | N/A
File opened for reading | /proc/cmdline | /usr/bin/systemd-detect-virt | N/A
File opened for reading | /proc/1/sched | /bin/systemctl | N/A

Writes file to tmp directory

Description | Indicator | Process | Target
File opened for modification | /tmp/fileutl.message.nohRDr | /usr/bin/apt-get | N/A
File opened for modification | /tmp/fileutl.message.ffc9QZ | /usr/bin/apt-get | N/A
File opened for modification | /tmp/fileutl.message.R6yPLq | /usr/bin/apt-get | N/A
File opened for modification | /tmp/fileutl.message.dm29c8 | /usr/bin/apt-get | N/A
File opened for modification | /tmp/sh-thd.dr6DkI | /tmp/wireguard-install.sh | N/A
File opened for modification | /tmp/sh-thd.39K4ds | /tmp/wireguard-install.sh | N/A
File opened for modification | /tmp/fileutl.message.PzAxhA | /usr/bin/apt-get | N/A
File opened for modification | /tmp/fileutl.message.3uVNDG | /usr/bin/apt-get | N/A
File opened for modification | /tmp/fileutl.message.prScf3 | /usr/bin/apt-get | N/A
File opened for modification | /tmp/fileutl.message.JiSnom | /usr/bin/apt-get | N/A
File opened for modification | /tmp/sh-thd.0JfNMH | /tmp/wireguard-install.sh | N/A
File opened for modification | /tmp/fileutl.message.7IBdOV | /usr/bin/apt-get | N/A
File opened for modification | /tmp/fileutl.message.5GkSPq | /usr/bin/apt-get | N/A
File opened for modification | /tmp/fileutl.message.R0Tgs8 | /usr/bin/apt-get | N/A
File opened for modification | /tmp/sh-thd.ylXa8M | /tmp/wireguard-install.sh | N/A
File opened for modification | /tmp/fileutl.message.hk0bel | /usr/bin/apt-get | N/A
File opened for modification | /tmp/fileutl.message.FVMRm2 | /usr/bin/apt-get | N/A
File opened for modification | /tmp/fileutl.message.HlJNRw | /usr/bin/apt-get | N/A
File opened for modification | /tmp/fileutl.message.vhD3EV | /usr/bin/apt-get | N/A
File opened for modification | /tmp/sh-thd.nvhD3E | /tmp/wireguard-install.sh | N/A
File opened for modification | /tmp/fileutl.message.N4EZzP | /usr/bin/apt-get | N/A
File opened for modification | /tmp/fileutl.message.byaM1M | /usr/bin/apt-get | N/A
File opened for modification | /tmp/fileutl.message.7pYFi6 | /usr/bin/apt-get | N/A
File opened for modification | /tmp/fileutl.message.xeKhOq | /usr/bin/apt-get | N/A
File opened for modification | /tmp/fileutl.message.Xf2r87 | /usr/bin/apt-get | N/A
File opened for modification | /tmp/fileutl.message.zv4w4C | /usr/bin/apt-get | N/A
File opened for modification | /tmp/fileutl.message.VR2kuk | /usr/bin/apt-get | N/A
File opened for modification | /tmp/fileutl.message.3sI661 | /usr/bin/apt-get | N/A
File opened for modification | /tmp/fileutl.message.xxBK4x | /usr/bin/apt-get | N/A
File opened for modification | /tmp/fileutl.message.nChTqT | /usr/bin/apt-get | N/A
File opened for modification | /tmp/fileutl.message.ZzubuP | /usr/bin/apt-get | N/A
File opened for modification | /tmp/fileutl.message.pAuXfe | /usr/bin/apt-get | N/A
File opened for modification | /tmp/fileutl.message.XvbZkJ | /usr/bin/apt-get | N/A
File opened for modification | /tmp/fileutl.message.zaxn7w | /usr/bin/apt-get | N/A
File opened for modification | /tmp/sh-thd.SxxyyL | /tmp/wireguard-install.sh | N/A
File opened for modification | /tmp/fileutl.message.DVyDGn | /usr/bin/apt-get | N/A
File opened for modification | /tmp/fileutl.message.rVjNNH | /usr/bin/apt-get | N/A
File opened for modification | /tmp/fileutl.message.dCfMb2 | /usr/bin/apt-get | N/A
File opened for modification | /tmp/fileutl.message.D8NuuJ | /usr/bin/apt-get | N/A
File opened for modification | /tmp/fileutl.message.nmauU1 | /usr/bin/apt-get | N/A
File opened for modification | /tmp/fileutl.message.BKn0EP | /usr/bin/apt-get | N/A
File opened for modification | /tmp/fileutl.message.TyCsXt | /usr/bin/apt-get | N/A
File opened for modification | /tmp/fileutl.message.1hcEPe | /usr/bin/apt-get | N/A

Processes

Process | Command line
/tmp/wireguard-install.sh | [/tmp/wireguard-install.sh]
/bin/grep | [grep -q dash]
/bin/readlink | [readlink /proc/1504/exe]
/usr/bin/cut | [cut -d . -f 1]
/bin/uname | [uname -r]
/bin/grep | [grep -qs ubuntu /etc/os-release]
/usr/bin/tr | [tr -d .]
/usr/bin/cut | [cut -d " -f 2]
/bin/grep | [grep VERSION_ID /etc/os-release]
/bin/grep | [grep -q sbin]
/usr/bin/systemd-detect-virt | [systemd-detect-virt -cq]
/usr/bin/clear | [clear]
/bin/grep | [grep -vEc 127(\.[0-9]{1,3}){3}]
/bin/grep | [grep inet]
/sbin/ip | [ip -4 addr]
/bin/grep | [grep -vEc 127(\.[0-9]{1,3}){3}]
/bin/grep | [grep inet]
/sbin/ip | [ip -4 addr]
/usr/bin/nl | [nl -s ) ]
/bin/grep | [grep -oE [0-9]{1,3}(\.[0-9]{1,3}){3}]
/usr/bin/cut | [cut -d / -f 1]
/bin/grep | [grep -vE 127(\.[0-9]{1,3}){3}]
/bin/grep | [grep inet]
/sbin/ip | [ip -4 addr]
/bin/grep | [grep -oE [0-9]{1,3}(\.[0-9]{1,3}){3}]
/bin/sed | [sed -n 1p]
/usr/bin/cut | [cut -d / -f 1]
/bin/grep | [grep -vE 127(\.[0-9]{1,3}){3}]
/bin/grep | [grep inet]
/sbin/ip | [ip -4 addr]
/bin/grep | [grep -qE ^(10\.|172\.1[6789]\.|172\.2[0-9]\.|172\.3[01]\.|192\.168)]
/bin/grep | [grep -c inet6 [23]]
/sbin/ip | [ip -6 addr]
/bin/grep | [grep -c inet6 [23]]
/sbin/ip | [ip -6 addr]
/bin/sed | [sed s/[^0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_-]/_/g]
/bin/grep | [grep -qv 127.0.0.53]
/bin/grep | [grep ^nameserver /etc/resolv.conf]
/bin/sed | [sed -e s/ /, /g]
/usr/bin/xargs | [xargs]
/bin/grep | [grep -oE [0-9]{1,3}(\.[0-9]{1,3}){3}]
/bin/grep | [grep -v 127.0.0.53]
/bin/grep | [grep ^nameserver]
/bin/grep | [grep -v ^#\|^; /run/systemd/resolve/resolv.conf]
/usr/local/sbin/echo | [echo 1.1.1.1]
/usr/local/bin/echo | [echo 1.1.1.1]
/usr/sbin/echo | [echo 1.1.1.1]
/usr/bin/echo | [echo 1.1.1.1]
/sbin/echo | [echo 1.1.1.1]
/bin/echo | [echo 1.1.1.1]
/bin/systemctl | [systemctl is-active --quiet firewalld.service]
/usr/bin/apt-get | [apt-get update]
/usr/bin/dpkg | [/usr/bin/dpkg --print-foreign-architectures]
/usr/lib/apt/methods/http | [/usr/lib/apt/methods/http]
/usr/lib/apt/methods/https | [/usr/lib/apt/methods/https]
/bin/sh | [sh -c [ ! -e /run/systemd/system ] || [ $(id -u) -ne 0 ] || systemctl start --no-block apt-news.service esm-cache.service || true]
/usr/bin/id | [id -u]
/bin/systemctl | [systemctl start --no-block apt-news.service esm-cache.service]
/usr/lib/apt/methods/https | [/usr/lib/apt/methods/https]
/usr/lib/apt/methods/http | [/usr/lib/apt/methods/http]
/usr/lib/apt/methods/http | [/usr/lib/apt/methods/http]
/usr/bin/dpkg | [/usr/bin/dpkg --print-foreign-architectures]
/usr/bin/dpkg | [/usr/bin/dpkg --print-foreign-architectures]
/usr/bin/apt-get | [apt-get install -y wireguard qrencode]
/usr/bin/dpkg | [/usr/bin/dpkg --print-foreign-architectures]
/usr/bin/dpkg | [/usr/bin/dpkg --print-foreign-architectures]
/usr/lib/apt/methods/http | [/usr/lib/apt/methods/http]
/usr/lib/apt/methods/http | [/usr/lib/apt/methods/http]
/bin/chmod | [chmod 600 /etc/wireguard/wg0.conf]
/bin/systemctl | [systemctl is-active --quiet firewalld.service]
/usr/bin/systemd-detect-virt | [systemd-detect-virt]
/bin/systemctl | [systemctl enable --now wg-iptables.service]
/bin/grep | [grep -q 2]
/usr/bin/cut | [cut -d / -f 1]
/usr/bin/cut | [cut -d . -f 4]
/bin/grep | [grep AllowedIPs /etc/wireguard/wg0.conf]
/bin/grep | [grep -q fddd:2c4:2c4:2c4::1 /etc/wireguard/wg0.conf]
/bin/grep | [grep -q fddd:2c4:2c4:2c4::1 /etc/wireguard/wg0.conf]
/usr/bin/cut | [cut -d -f 3]
/bin/grep | [grep PrivateKey /etc/wireguard/wg0.conf]
/usr/bin/cut | [cut -d -f 3]
/bin/grep | [grep ^# ENDPOINT /etc/wireguard/wg0.conf]
/usr/bin/cut | [cut -d -f 3]
/bin/grep | [grep ListenPort /etc/wireguard/wg0.conf]
/bin/cat | [cat]
/bin/systemctl | [systemctl enable --now [email protected]]
/sbin/modprobe | [modprobe -nq wireguard]

Network

Country | Destination | Domain | Proto
GB | 185.125.188.62:443 | | tcp
GB | 185.125.188.61:443 | | tcp
US | 151.101.65.91:443 | | tcp
US | 151.101.65.91:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | _http._tcp.security.ubuntu.com | udp
US | 1.1.1.1:53 | _https._tcp.deb.nodesource.com | udp
US | 1.1.1.1:53 | _http._tcp.nl.archive.ubuntu.com | udp
GB | 195.181.164.19:443 | | tcp

Files

/tmp/sh-thd.SxxyyL

MD5 6f4b7339a159ba1d9fa0efcaf5139228
SHA1 3bf8bb73dd70ffbbe5ce6cb42664e6672a43c077
SHA256 550e404887af5f1126258b0c09e96ad4bd49adc43dd7652bd67a1c298d090211
SHA512 a0cd9dc4d19a7921ac5eac6ade13ef8b7311521ce9dd252bf7750622d4b00ccb100ae08f73797f6f33abb73ec70f2e3e6428d5fd9e066672d372f1c7702a2908

/tmp/fileutl.message.N4EZzP

MD5 373fe2f2ef99005d2550a482f09a3e51
SHA1 68e6572b55b1e77f7d171ebac7b2579b7a6bd51d
SHA256 7552d5ab0c3879756a860aaab8e7c2f8ffb9409ea9ff9e65fc046ba5c519ebe5
SHA512 def9e854b824d2fddc6a15f898be73cfb679ac38563f5af854546f49c9d5d2316a40176dc41d6b360bda7b65de53863a53e4eedadf6336000b031b77a113607b

/etc/sysctl.d/99-wireguard-forward.conf

MD5 4c34a122be1a37adc4161ae754d87b40
SHA1 b44af8c75ec83749700ddd8a789aaf1f0bac7093
SHA256 7de9e61bfd3ef0b34bcacfba0fcbd0896611812ed74015f2dac1446c3bacd743
SHA512 b178270f7535bf8a795766917a5bd0c5d375e280b6d54c7789dd59a665ebae85f6a880dfb5167c2084c6fb5ad4ba78780a2ca8456847e63c29db252b21fee4db

/etc/systemd/system/wg-iptables.service

MD5 c40e170cb3921aeea422d44a338c80db
SHA1 2f7ea2ba7bd8d6b20ac1ea95462d9b55380f9331
SHA256 49f53ef359f924e44e019cf2b1af98ff8903a67b824fb6d955f693ad311a3a72
SHA512 ff6ebeb3ee87751eb47c413b95ae15d988b82759ed44fba85e0eaa8e53828af94d5e90f469d2393c427dbeb886c0c50bbf29d9e709a0fb45c2bb6e8b4fbe64c2

/etc/systemd/system/wg-iptables.service

MD5 37e26953053bffa855489c1c4c331c4e
SHA1 44cf26611ab8dced5a62b3f9e204481a01d75780
SHA256 03f9ecfb80f113af4f3bd34668cb1ff98de54bce6d4aa0abf8c4b718096bfc84
SHA512 cef1f18b9f625190150532a33d844a33a07aa3fc3f2203f1cf5dba7f01c4100664e8a551f79cdd0c35a9e239166b4cc8de7476de398d7028da2c3bb503bd2600

/root/client.conf

MD5 2891184a4130abd6f96ff68fa6108abd
SHA1 51c06abe0ce0cb4a12047b4cb3f2c3b6b3f14f35
SHA256 c38866e3199a3221b97b3199f55b36e73d31760d99504ef571bfe42d50ec11da
SHA512 acaf620daedbfbf2e081df39efda4184f007943e8504993787a15c04c08c06d8d78b46bca64b4daadd0cdb02e72377eaedc0d7123f6ccc4cf0878adb1048c9d2

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-21 05:38
Reported: 2024-05-21 06:11
Platform: debian9-armhf-20240418-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted: 2024-05-21 05:38
Reported: 2024-05-21 06:08
Platform: debian9-mipsbe-20240226-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted: 2024-05-21 05:38
Reported: 2024-05-21 06:09
Platform: debian9-mipsel-20240418-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A