Analysis

  • max time kernel
    5s
  • max time network
    128s
  • platform
    ubuntu-18.04_amd64
  • resource
    ubuntu1804-amd64-20240508-en
  • resource tags
    arch:amd64, arch:i386, image:ubuntu1804-amd64-20240508-en, kernel:4.15.0-213-generic, locale:en-us, os:ubuntu-18.04-amd64, system
  • submitted
    22/05/2024, 11:58

General

  • Target

    upgrade.billmgr5.sh

  • Size

    8KB

  • MD5

    6d9424bfb6b02149ac33695740faa9f6

  • SHA1

    4d9bf2b2fefc4e172e6a6b46bc3e1ce54b20c9fe

  • SHA256

    2621e538367be91a85bb623cf1a8a836a1fa15980dd5878f1952e4605d2b7d42

  • SHA512

    275461d726ffd4d0d8720e94b694dcf36082fab3f5ac6dc4adcefadd9ce2330a64bfd14be46901802e363561bf60b162bd5379f5d164208bce59f134ee402e02

  • SSDEEP

    192:FwYwlshNalYCLNq47i1zYwsS0SwdwsV08UlundYSIqmYvzHqYhcOAm6EZvWMqouG:FwYwleELtbwsS5wdwsVu6YxqvbHqYhc8

Score
3/10

Signatures

  • Reads runtime system information 35 IoCs

    Reads data from /proc virtual filesystem.

  • Writes file to tmp directory 64 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/upgrade.billmgr5.sh
    /tmp/upgrade.billmgr5.sh
    1⤵
    PID:1492
    • /bin/uname
      uname -s
      2⤵
      PID:1493
    • /usr/bin/apt-get
      /usr/bin/apt-get -qy update
      2⤵
      Signatures: Reads runtime system information; Writes file to tmp directory
      PID:1494
      • /usr/bin/dpkg
        /usr/bin/dpkg --print-foreign-architectures
        3⤵
        Signatures: Reads runtime system information
        PID:1495
      • /usr/lib/apt/methods/http
        /usr/lib/apt/methods/http
        3⤵
        PID:1496
      • /usr/lib/apt/methods/https
        /usr/lib/apt/methods/https
        3⤵
        PID:1497
      • /bin/sh
        sh -c "[ ! -e /run/systemd/system ] || [ \$(id -u) -ne 0 ] || systemctl start --no-block apt-news.service esm-cache.service || true"
        3⤵
        PID:1499
        • /usr/bin/id
          id -u
          4⤵
          Signatures: Reads runtime system information
          PID:1500
        • /bin/systemctl
          systemctl start --no-block apt-news.service esm-cache.service
          4⤵
          Signatures: Reads runtime system information
          PID:1501
      • /usr/lib/apt/methods/https
        /usr/lib/apt/methods/https
        3⤵
        PID:1502
      • /usr/lib/apt/methods/http
        /usr/lib/apt/methods/http
        3⤵
        PID:1506
      • /usr/lib/apt/methods/http
        /usr/lib/apt/methods/http
        3⤵
        PID:1507
      • /usr/bin/dpkg
        /usr/bin/dpkg --print-foreign-architectures
        3⤵
        Signatures: Reads runtime system information
        PID:1521
      • /usr/bin/dpkg
        /usr/bin/dpkg --print-foreign-architectures
        3⤵
        Signatures: Reads runtime system information
        PID:1527
    • /usr/bin/apt-get
      apt-get -qy --allow-unauthenticated -u install ca-certificates
      2⤵
      Signatures: Reads runtime system information; Writes file to tmp directory
      PID:1528
      • /usr/bin/dpkg
        /usr/bin/dpkg --print-foreign-architectures
        3⤵
        Signatures: Reads runtime system information
        PID:1529
      • /usr/bin/dpkg
        /usr/bin/dpkg --print-foreign-architectures
        3⤵
        Signatures: Reads runtime system information
        PID:1530
    • /usr/bin/which
      which which
      2⤵
      PID:1531
    • /usr/bin/which
      which lsb_release
      2⤵
      PID:1532
    • /usr/bin/which
      which hexdump
      2⤵
      PID:1533
    • /usr/bin/which
      which logger
      2⤵
      PID:1534
    • /usr/bin/which
      which free
      2⤵
      PID:1535
    • /usr/bin/which
      which python
      2⤵
      PID:1536
    • /usr/bin/which
      which gpg
      2⤵
      PID:1537
    • /usr/bin/which
      which wget curl
      2⤵
      PID:1538
    • /usr/bin/lsb_release
      lsb_release -s -c
      2⤵
      PID:1539
    • /bin/grep
      grep -q -w bionic
      2⤵
      PID:1541
    • /usr/bin/lsb_release
      lsb_release -s -i
      2⤵
      PID:1542
    • /bin/grep
      grep -q install.sh
      2⤵
      PID:1544
    • /usr/bin/wget
      /usr/bin/wget -T 30 -t 10 "--waitretry=5" -q -O - http://download.ispsystem.com/
      2⤵
      PID:1543
    • /bin/grep
      grep -q install.sh
      2⤵
      PID:1546
    • /usr/bin/wget
      /usr/bin/wget -T 30 -t 10 "--waitretry=5" -q -O - http://download.ispsystem.com/
      2⤵
      PID:1545
    • /bin/grep
      grep beta /usr/local/mgr5/etc/repo.version
      2⤵
      PID:1550
    • /bin/rm
      rm -f /etc/apt/sources.list.d/ispsystem.list
      2⤵
      PID:1551
    • /bin/grep
      grep -qE "^(6-)?(stable|beta|intbeta|intstable|5\\.[0-9]+)\$"
      2⤵
      PID:1553
    • /bin/rm
      rm -f /etc/apt/sources.list.d/exosoft.list
      2⤵
      PID:1557
    • /bin/grep
      grep -qE "^(6-)?(stable|beta|intbeta|intstable|5\\.[0-9]+)\$"
      2⤵
      PID:1559
    • /bin/grep
      grep Version
      2⤵
      PID:1563
    • /usr/bin/dpkg
      dpkg -s coremanager
      2⤵
      Signatures: Reads runtime system information
      PID:1562
    • /usr/bin/awk
      awk "{print \$2}"
      2⤵
      Signatures: Reads runtime system information
      PID:1564
    • /usr/local/sbin/dpkg-query
      dpkg-query --status -- coremanager
      2⤵
      PID:1562
    • /usr/local/bin/dpkg-query
      dpkg-query --status -- coremanager
      2⤵
      PID:1562
    • /usr/sbin/dpkg-query
      dpkg-query --status -- coremanager
      2⤵
      PID:1562
    • /usr/bin/dpkg-query
      dpkg-query --status -- coremanager
      2⤵
      PID:1562
    • /usr/bin/cut
      cut -d. "-f1,2"
      2⤵
      PID:1567
    • /usr/bin/awk
      awk -F- "{print \$1}"
      2⤵
      Signatures: Reads runtime system information
      PID:1566
    • /usr/bin/apt-get
      apt-get -y update
      2⤵
      Signatures: Reads runtime system information; Writes file to tmp directory
      PID:1570
      • /usr/bin/dpkg
        /usr/bin/dpkg --print-foreign-architectures
        3⤵
        Signatures: Reads runtime system information
        PID:1571
      • /usr/lib/apt/methods/http
        /usr/lib/apt/methods/http
        3⤵
        PID:1572
      • /usr/lib/apt/methods/https
        /usr/lib/apt/methods/https
        3⤵
        PID:1573
      • /bin/sh
        sh -c "[ ! -e /run/systemd/system ] || [ \$(id -u) -ne 0 ] || systemctl start --no-block apt-news.service esm-cache.service || true"
        3⤵
        PID:1575
        • /usr/bin/id
          id -u
          4⤵
          Signatures: Reads runtime system information
          PID:1576
        • /bin/systemctl
          systemctl start --no-block apt-news.service esm-cache.service
          4⤵
          Signatures: Reads runtime system information
          PID:1577
      • /usr/lib/apt/methods/https
        /usr/lib/apt/methods/https
        3⤵
        PID:1581
      • /usr/lib/apt/methods/http
        /usr/lib/apt/methods/http
        3⤵
        PID:1582
      • /usr/lib/apt/methods/http
        /usr/lib/apt/methods/http
        3⤵
        PID:1583
      • /usr/lib/apt/methods/http
        /usr/lib/apt/methods/http
        3⤵
        PID:1584
      • /usr/bin/dpkg
        /usr/bin/dpkg --print-foreign-architectures
        3⤵
        Signatures: Reads runtime system information
        PID:1586
      • /usr/bin/dpkg
        /usr/bin/dpkg --print-foreign-architectures
        3⤵
        Signatures: Reads runtime system information
        PID:1592
    • /usr/bin/tail
      tail -1
      2⤵
      PID:1596
    • /usr/bin/sort
      sort -V
      2⤵
      PID:1595
    • /usr/bin/apt-cache
      apt-cache madison coremanager
      2⤵
      Signatures: Reads runtime system information; Writes file to tmp directory
      PID:1593
      • /usr/bin/dpkg
        /usr/bin/dpkg --print-foreign-architectures
        3⤵
        Signatures: Reads runtime system information
        PID:1598
      • /usr/bin/dpkg
        /usr/bin/dpkg --print-foreign-architectures
        3⤵
        Signatures: Reads runtime system information
        PID:1599
    • /usr/bin/lsb_release
      lsb_release -c -s
      2⤵
      PID:1597
    • /usr/bin/awk
      awk -v "rel=stable5" -v "dist=bionic" "\$6 == rel\"-\"dist\"/main\" {print \$3}"
      2⤵
      Signatures: Reads runtime system information
      PID:1594
    • /usr/bin/cut
      cut -d. "-f1,2"
      2⤵
      PID:1602
    • /usr/bin/awk
      awk -F- "{print \$1}"
      2⤵
      Signatures: Reads runtime system information
      PID:1601
    • /usr/bin/head
      head -n1
      2⤵
      PID:1606
    • /usr/bin/sort
      sort -V
      2⤵
      PID:1605
    • /bin/rm
      rm -f /etc/apt/sources.list.d/ispsystem.list
      2⤵
      PID:1607
    • /bin/grep
      grep -qE "^(6-)?(stable|beta|intbeta|intstable|5\\.[0-9]+)\$"
      2⤵
      PID:1609
    • /bin/rm
      rm -f /etc/apt/sources.list.d/exosoft.list
      2⤵
      PID:1610
    • /bin/grep
      grep -qE "^(6-)?(stable|beta|intbeta|intstable|5\\.[0-9]+)\$"
      2⤵
      PID:1612
    • /usr/local/mgr5/sbin/pkgupgrade.sh
      /usr/local/mgr5/sbin/pkgupgrade.sh coremanager
      2⤵
      PID:1613

Downloads

  • /etc/apt/sources.list.d/exosoft.list

    Filesize

    76B

    MD5

    005693353ac5137f01f539e04c664f6b

    SHA1

    ab5e95d1f13d172ea02bc913cef3f97133cabbb6

    SHA256

    6d06d1f140d0a70631933da585757193f251390f8449f250ca71275a748efe6f

    SHA512

    2d5a178d2d172a4d48e5285dfec9fc5f7ab2277237cfe1db88e748fa459b317af7fd4934ab164e6bf84af39db97fa099f9d801ac677ff4b225a2c9b07788e3fa

  • /etc/apt/sources.list.d/exosoft.list

    Filesize

    69B

    MD5

    7784ee22bd64575866c491777cf0dd4d

    SHA1

    702cafc7de000f566e2b81f9d8385e29c7bb90e8

    SHA256

    8b8b03487b6204e4fb923794a7bd4d7c8ebe8f4b95ae4832cc741cb02b7fdc5e

    SHA512

    e12a29f065cd274469cc1e838c2bbc796f66c3d0d1c73dedccc4ff8b17b000c88291806d6b4c2f96f425038ef112f85181e231441766241f8dc7b57a55bb9383

  • /etc/apt/sources.list.d/ispsystem.list

    Filesize

    74B

    MD5

    199589eb63248bceee908030e0e92030

    SHA1

    cad8f68944e2f648dceef8cdf652affa1f0e673b

    SHA256

    7561f95028aff50caef84e7e19afa44d8a5059a9413d3a7887e7ff791e1a042f

    SHA512

    ba16f462d48fe8f9ba44067a007f0f322051a728da4ff8b61cae772e300091bd1598c12932348f1d32d65d1cf905da61a1678c325f535c3cb6867b4815ebd924

  • /etc/apt/sources.list.d/ispsystem.list

    Filesize

    67B

    MD5

    6b0e1659e45e52b36929045805489a90

    SHA1

    1e8bfb50b7f4cbac1fdfd5ae64851babad1ab627

    SHA256

    fc2edb7f543703760d3fb7a77bdbbda8ac68d03068ac27ab247f931dabe5c273

    SHA512

    ffd4d0d0a781322304584dc7fc0f4f0c09638985e6b5ff144671979730b184b2050ede1a875438c784fbb54dc018961a1eabfa72082b9e32ded00b546958f410

  • /tmp/fileutl.message.YaqSbL

    Filesize

    235KB

    MD5

    373fe2f2ef99005d2550a482f09a3e51

    SHA1

    68e6572b55b1e77f7d171ebac7b2579b7a6bd51d

    SHA256

    7552d5ab0c3879756a860aaab8e7c2f8ffb9409ea9ff9e65fc046ba5c519ebe5

    SHA512

    def9e854b824d2fddc6a15f898be73cfb679ac38563f5af854546f49c9d5d2316a40176dc41d6b360bda7b65de53863a53e4eedadf6336000b031b77a113607b