8c23aac0652074edcc8167f6b9416f2045a7e2b4a9c27912f30768ad85de283e

Analysis

max time kernel
148s
max time network
128s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240508-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240508-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
22/05/2024, 12:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

recon.sh
Size

6KB
MD5

32139ce5a9bb0c114a7da5f1b0d1050e
SHA1

f5b127858426119ddd55b26650481d219ffd1aa7
SHA256

8c23aac0652074edcc8167f6b9416f2045a7e2b4a9c27912f30768ad85de283e
SHA512

26f33961a53eb2cee3dc87c19e9f05686eac4602f2d3c0e13dc87d14bf64eccb1aa6d91ea4d9789d65a1e7d3c242b6acefacd1a56f1a38140b2567ee8b550c88
SSDEEP

96:TAggJ1Ez2E2M74NL/i3VXO/3VXOBKnNRJOsUQ:kggJ1Eze/z6XONXOBKnrPp

Score

3^/10

Malware Config

Signatures

Reads runtime system information 20 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/filesystems	mv
File opened for reading	/proc/filesystems	mv
File opened for reading	/proc/filesystems	mv
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	mv
File opened for reading	/proc/filesystems	mv
File opened for reading	/proc/filesystems	mv
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	mv
File opened for reading	/proc/filesystems	mv
File opened for reading	/proc/filesystems	mv
File opened for reading	/proc/filesystems	mv
File opened for reading	/proc/filesystems	mv
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	mv

Writes file to tmp directory 9 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/parameterized-urls.txt	recon.sh
File opened for modification	/tmp/illegal-characters-check.txt	recon.sh
File opened for modification	/tmp/output/-assetfinder.txt	recon.sh
File opened for modification	/tmp/output/sedxUhTsM	sed
File opened for modification	/tmp/.final	recon.sh
File opened for modification	/tmp/-subdomains.txt	recon.sh
File opened for modification	/tmp/output/-subdomains.txt	recon.sh
File opened for modification	/tmp/alive_subdomains.txt	recon.sh
File opened for modification	/tmp/waybackurls.txt	recon.sh

/tmp/recon.sh
/tmp/recon.sh
1⤵
- Writes file to tmp directory
PID:1494
- /bin/mkdir
  mkdir
  2⤵
  - Reads runtime system information
  PID:1495
- /bin/mkdir
  mkdir -p output
  2⤵
  - Reads runtime system information
  PID:1496
- /usr/bin/sort
  sort -u
  2⤵
  PID:1501
- /bin/cat
  cat output/-subfinder.txt output/-chaos.txt output/-assetfinder.txt
  2⤵
  PID:1500
- /bin/sed
  sed -i "s/^*\\.//" output/-subdomains.txt
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:1502
- /bin/cp
  cp output/-subdomains.txt /root/taha/tools/regulator
  2⤵
  - Reads runtime system information
  PID:1503
- /bin/mv
  mv -subdomains.txt
  2⤵
  - Reads runtime system information
  PID:1504
- /usr/bin/python3
  python3 main.py -t -f -o .brute
  2⤵
  PID:1505
- /usr/bin/sort
  sort -u
  2⤵
  PID:1512
- /usr/bin/sort
  sort -u .valid
  2⤵
  PID:1513
- /usr/bin/comm
  comm -23 /dev/fd/63 /dev/fd/62
  2⤵
  PID:1511
- /bin/mv
  mv .final /root/taha/tools//output/
  2⤵
  - Reads runtime system information
  PID:1514
- /bin/cat
  cat /root/taha/tools//output/.final
  2⤵
  PID:1515
- /bin/cat
  cat /output/-subdomains.txt
  2⤵
  PID:1516
- /bin/mv
  mv alive_subdomains.txt /output/
  2⤵
  - Reads runtime system information
  PID:1518
- /bin/sed
  sed -i "s/http\\:\\/\\/\\|https\\:\\/\\///g; /\\[SUCCESS\\]/d; s/\\[FAILED\\]//" /output/dead-hosts.txt
  2⤵
  - Reads runtime system information
  PID:1520
- /bin/rm
  rm /output/-subfinder.txt /output/-chaos.txt /output/-assetfinder.txt
  2⤵
  PID:1522
- /usr/bin/python
  python ip-shodan.py
  2⤵
  PID:1523
- /bin/mv
  mv ips.txt /output/
  2⤵
  - Reads runtime system information
  PID:1528
- /bin/sed
  sed -i "s/^/https:\\/\\//" /output/ips.txt
  2⤵
  - Reads runtime system information
  PID:1530
- /bin/mv
  mv -portscan.txt /output/
  2⤵
  - Reads runtime system information
  PID:1535
- /bin/sed
  sed -i "/https:\\/\\/\\([0-9]\\{1,3\\}\\.\\)\\{3\\}[0-9]\\{1,3\\}/d" /output/alive_subdomains.txt
  2⤵
  - Reads runtime system information
  PID:1536
- /bin/cat
  cat /root/taha/tools//output/alive_subdomains.txt
  2⤵
  PID:1537
- /bin/mv
  mv waybackurls.txt /root/taha/tools/urldedupe
  2⤵
  - Reads runtime system information
  PID:1540
- /tmp/urldedupe
  ./urldedupe -u waybackurls.txt -s
  2⤵
  PID:1541
- /bin/cat
  cat parameterized-urls.txt
  2⤵
  PID:1542
- /bin/rm
  rm waybackurls.txt
  2⤵
  PID:1544
- /bin/mv
  mv parameterized-urls.txt /root/taha/tools//output/
  2⤵
  - Reads runtime system information
  PID:1545
- /bin/mv
  mv illegal-characters-check.txt /root/taha/tools//output/
  2⤵
  - Reads runtime system information
  PID:1546
- /bin/rm
  rm alive_subdomains.txt config-err-1Qwliu illegal-characters-check.txt netplan_1_vso8z9 output parameterized-urls.txt recon.sh snap-private-tmp ssh-Zj4yocKTXPlu -subdomains.txt systemd-private-32a7e6446132403b8bbb09551c5d81d4-bolt.service-661c3x systemd-private-32a7e6446132403b8bbb09551c5d81d4-colord.service-2NfnbD systemd-private-32a7e6446132403b8bbb09551c5d81d4-ModemManager.service-mMQZ6W systemd-private-32a7e6446132403b8bbb09551c5d81d4-systemd-resolved.service-mKK7ua systemd-private-32a7e6446132403b8bbb09551c5d81d4-systemd-timedated.service-4GR0V4
  2⤵
  PID:1548
- /bin/mv
  mv "/root/taha/tools//output/*" /root/taha/tools//
  2⤵
  - Reads runtime system information
  PID:1549
- /bin/rm
  rm -rf /root/taha/tools//output
  2⤵
  PID:1550
- /bin/mkdir
  mkdir ffuf-results
  2⤵
  - Reads runtime system information
  PID:1551
- /bin/mv
  mv "*.html" ffuf-results
  2⤵
  - Reads runtime system information
  PID:1552
- /bin/mv
  mv .final -regulator.txt
  2⤵
  - Reads runtime system information
  PID:1553
- /bin/mv
  mv recon-results
  2⤵
  - Reads runtime system information
  PID:1554
- /usr/bin/curl
  curl -X POST -H "Content-type: application/json" --data "{\"text\":\"The Recon Scan for is completed, Review your Results from http://167.88.168.42:1337/recon-results/\"}" https://hooks.slack.com/services/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
  2⤵
  PID:1555

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/output/-subdomains.txt

Filesize
18B

MD5
b1f1ab11f8f2811b8b1419d19b0caebb

SHA1
e4ec8fdc4ba9cccd35e635abbcd86d578e586522

SHA256
808a5bb13a00bc59c48d5a318144ea02f2313d9bbe3d408fc48377deda1b20bf

SHA512
991ff374962d8b805d8a0f047ebe82213ad0bbf80d32c0f1b6a90f5e0d0c85f14c973b63239e3dca39dba0499ab4ff1de3a659ec3f316881911fd9953ed1ebe1

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads