Malware Analysis Report

2024-10-24 21:47

Sample ID: 240521-gnfsjsgg4s
Target: mainteanace.sh
SHA256: 1660c83ed3ff61e9658e5cc7372c353eca5fe08c71c3d49e20f5c1a91ee29a4b
Tags: antivm
Score: 6/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 6/10

SHA256

1660c83ed3ff61e9658e5cc7372c353eca5fe08c71c3d49e20f5c1a91ee29a4b

Threat Level: Shows suspicious behavior

The file mainteanace.sh was found to show suspicious behavior.

Malicious Activity Summary

antivm

Checks system information (zLinux)

Checks CPU configuration

Reads CPU attributes

Enumerates kernel/hardware configuration

Reads runtime system information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-21 05:56

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-21 05:56

Reported

2024-05-21 07:01

Platform

debian9-armhf-20240226-en

Max time network

7s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country  Destination   Domain                         Proto
US       1.1.1.1:53    debian9-armhf-20240226-en-1    udp
US       1.1.1.1:53    debian9-armhf-20240226-en-1    udp
US       1.1.1.1:53    debian9-armhf-20240226-en-1    udp
US       1.1.1.1:53    debian9-armhf-20240226-en-1    udp
US       1.1.1.1:53    debian9-armhf-20240226-en-1    udp
US       1.1.1.1:53    debian9-armhf-20240226-en-1    udp
US       1.1.1.1:53    debian9-armhf-20240226-en-1    udp
US       1.1.1.1:53    debian9-armhf-20240226-en-1    udp
US       1.1.1.1:53    debian9-armhf-20240226-en-1    udp
US       1.1.1.1:53    debian9-armhf-20240226-en-1    udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-21 05:56

Reported

2024-05-21 06:59

Platform

debian9-mipsbe-20240226-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-21 05:56

Reported

2024-05-21 07:00

Platform

debian9-mipsel-20240226-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-21 05:56

Reported

2024-05-21 07:02

Platform

ubuntu1804-amd64-20240508-en

Max time kernel

0s

Max time network

129s

Command Line

[/tmp/mainteanace.sh]

Signatures

Checks system information (zLinux)

antivm
Description Indicator Process Target
File opened for reading /proc/sysinfo /usr/bin/lscpu N/A

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /usr/bin/lscpu N/A

Reads CPU attributes

Description Indicator Process Target
File opened for reading /sys/devices/system/cpu/cpu0/cache/index3/shared_cpu_map /usr/bin/lscpu N/A
File opened for reading /sys/devices/system/cpu/online /usr/bin/lscpu N/A
File opened for reading /sys/devices/system/cpu/cpu0/cache/index0/size /usr/bin/lscpu N/A
File opened for reading /sys/devices/system/cpu/cpu0/cache/index3/level /usr/bin/lscpu N/A
File opened for reading /sys/devices/system/cpu/cpu0/cache/index2/type /usr/bin/lscpu N/A
File opened for reading /sys/devices/system/cpu/cpu0/cache/index2/size /usr/bin/lscpu N/A
File opened for reading /sys/devices/system/cpu/cpu0/cache/index3/size /usr/bin/lscpu N/A
File opened for reading /sys/devices/system/cpu/cpu0/cache/index0/level /usr/bin/lscpu N/A
File opened for reading /sys/devices/system/cpu/cpu0/cache/index0/shared_cpu_map /usr/bin/lscpu N/A
File opened for reading /sys/devices/system/cpu/cpu0/cache/index1/size /usr/bin/lscpu N/A
File opened for reading /sys/devices/system/cpu/cpu0/cache/index1/shared_cpu_map /usr/bin/lscpu N/A
File opened for reading /sys/devices/system/cpu/cpu0/cache/index2/shared_cpu_map /usr/bin/lscpu N/A
File opened for reading /sys/devices/system/cpu/present /usr/bin/lscpu N/A
File opened for reading /sys/devices/system/cpu/cpu0/topology/thread_siblings /usr/bin/lscpu N/A
File opened for reading /sys/devices/system/cpu/cpu0/topology/core_id /usr/bin/lscpu N/A
File opened for reading /sys/devices/system/cpu/cpu0/topology/physical_package_id /usr/bin/lscpu N/A
File opened for reading /sys/devices/system/cpu/cpu0/cache/index0/type /usr/bin/lscpu N/A
File opened for reading /sys/devices/system/cpu/cpu0/cache/index1/type /usr/bin/lscpu N/A
File opened for reading /sys/devices/system/cpu/cpu0/cache/index1/level /usr/bin/lscpu N/A
File opened for reading /sys/devices/system/cpu/cpu0/cache/index2/level /usr/bin/lscpu N/A
File opened for reading /sys/devices/system/cpu/kernel_max /usr/bin/lscpu N/A
File opened for reading /sys/devices/system/cpu/possible /usr/bin/lscpu N/A
File opened for reading /sys/devices/system/cpu/cpu0/topology/core_siblings /usr/bin/lscpu N/A
File opened for reading /sys/devices/system/cpu/cpu0/cache/index3/type /usr/bin/lscpu N/A

Enumerates kernel/hardware configuration

Description Indicator Process Target
File opened for reading /sys/devices/system/node /usr/bin/lscpu N/A
File opened for reading /sys/devices/system/node/node0/cpumap /usr/bin/lscpu N/A
File opened for reading /sys/firmware/dmi/tables/DMI /usr/bin/lscpu N/A

Reads runtime system information

Description Indicator Process Target
File opened for reading /proc/filesystems /usr/bin/sudo N/A
File opened for reading /proc/filesystems /usr/bin/find N/A
File opened for reading /proc/self/maps /usr/bin/awk N/A
File opened for reading /proc/bus/pci/devices /usr/bin/lscpu N/A
File opened for reading /proc/self/maps /usr/bin/awk N/A
File opened for reading /proc/self/maps /usr/bin/awk N/A
File opened for reading /proc/self/maps /usr/bin/awk N/A
File opened for reading /proc/self/maps /usr/bin/awk N/A
File opened for reading /proc/filesystems /usr/bin/dpkg N/A
File opened for reading /proc/self/maps /usr/bin/awk N/A
File opened for reading /proc/sys/kernel/ngroups_max /usr/bin/sudo N/A
File opened for reading /proc/filesystems /usr/bin/find N/A
File opened for reading /proc/self/fd /usr/bin/xargs N/A
File opened for reading /proc/self/maps /usr/bin/awk N/A
File opened for reading /proc/filesystems /bin/ls N/A
File opened for reading /proc/filesystems /usr/bin/dpkg N/A
File opened for reading /proc/self/maps /usr/bin/awk N/A
File opened for reading /proc/device-tree/compatible /usr/bin/lscpu N/A
File opened for reading /proc/self/maps /usr/bin/awk N/A
File opened for reading /proc/self/stat /usr/bin/sudo N/A
File opened for reading /proc/self/maps /usr/bin/awk N/A
File opened for reading /proc/self/maps /usr/bin/awk N/A
File opened for reading /proc/self/maps /usr/bin/awk N/A
File opened for reading /proc/sys/kernel/osrelease /usr/bin/lscpu N/A
File opened for reading /proc/self/status /usr/bin/lscpu N/A
File opened for reading /proc/self/mountinfo /bin/df N/A
File opened for reading /proc/filesystems /bin/ls N/A

Processes

/tmp/mainteanace.sh

[/tmp/mainteanace.sh]

/usr/bin/awk

[awk {print $2, $3, $4}]

/usr/bin/lsb_release

[lsb_release -d]

/usr/bin/xargs

[xargs]

/usr/bin/awk

[awk -F: {print $2}]

/bin/grep

[grep Model name]

/usr/bin/lscpu

[lscpu]

/usr/local/sbin/echo

[echo Intel Core Processor (Broadwell)]

/usr/local/bin/echo

[echo Intel Core Processor (Broadwell)]

/usr/sbin/echo

[echo Intel Core Processor (Broadwell)]

/usr/bin/echo

[echo Intel Core Processor (Broadwell)]

/sbin/echo

[echo Intel Core Processor (Broadwell)]

/bin/echo

[echo Intel Core Processor (Broadwell)]

/usr/bin/awk

[awk {print }]

/bin/df

[df -H]

/usr/bin/awk

[awk {print}]

/usr/bin/whoami

[whoami]

/usr/bin/awk

[awk {print}]

/bin/ls

[ls /etc/nginx/sites-available]

/usr/bin/awk

[awk {print}]

/bin/ls

[ls /etc/apache/sites-available]

/usr/bin/awk

[awk {print}]

/usr/bin/node

[node -v]

/usr/bin/awk

[awk {print}]

/usr/bin/awk

[awk FNR == 1 {print}]

/bin/grep

[grep mysql]

/usr/bin/dpkg

[dpkg -l]

/usr/local/sbin/dpkg-query

[dpkg-query --list --]

/usr/local/bin/dpkg-query

[dpkg-query --list --]

/usr/sbin/dpkg-query

[dpkg-query --list --]

/usr/bin/dpkg-query

[dpkg-query --list --]

/usr/bin/awk

[awk FNR == 1 {print}]

/bin/grep

[grep mongo]

/usr/bin/dpkg

[dpkg -l]

/usr/local/sbin/dpkg-query

[dpkg-query --list --]

/usr/local/bin/dpkg-query

[dpkg-query --list --]

/usr/sbin/dpkg-query

[dpkg-query --list --]

/usr/bin/dpkg-query

[dpkg-query --list --]

/usr/bin/awk

[awk {print}]

/usr/bin/sudo

[sudo find /var/log/ -name *.gz -type f -delete]

/usr/bin/sort

[sort -u]

/usr/bin/find

[find /opt/bitnami -type d -perm 777]

/usr/bin/sort

[sort -u]

/usr/bin/find

[find /var/www/html -maxdepth 3 -type d -perm 777]

/usr/bin/awk

[awk FNR == 1 {print}]

/usr/bin/last

[last -xF reboot]

Network

Country  Destination           Domain                       Proto
N/A      224.0.0.251:5353      N/A                          udp
GB       185.125.188.61:443    N/A                          tcp
GB       185.125.188.61:443    N/A                          tcp
US       151.101.193.91:443    N/A                          tcp
US       151.101.193.91:443    N/A                          tcp
GB       195.181.164.15:443    N/A                          tcp
US       1.1.1.1:53            1527653184.rsc.cdn77.org     udp
US       1.1.1.1:53            1527653184.rsc.cdn77.org     udp
GB       195.181.164.17:443    1527653184.rsc.cdn77.org     tcp

Files

N/A