Analysis Overview
SHA256
ed76a56e70e67195e15d8d08554631d387518bf8594182b94c9200fc96c6f64b
Threat Level: Shows suspicious behavior
The file wireguard-install.sh was found to be: Shows suspicious behavior.
Malicious Activity Summary
Checks hardware identifiers (DMI)
Reads runtime system information
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-22 11:40
Signatures
Analysis: behavioral3
Detonation Overview
Submitted
2024-05-22 11:40
Reported
2024-05-22 11:40
Platform
debian9-mipsbe-20240226-en
Command Line
Signatures
Processes
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-05-22 11:40
Reported
2024-05-22 11:40
Platform
debian9-mipsel-20240418-en
Command Line
Signatures
Processes
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-22 11:40
Reported
2024-05-22 11:42
Platform
ubuntu1804-amd64-20240508-en
Max time kernel
149s
Max time network
129s
Command Line
Signatures
Checks hardware identifiers (DMI)
| Description | Indicator | Process | Target |
| File opened for reading | /sys/class/dmi/id/product_name | /usr/bin/systemd-detect-virt | N/A |
| File opened for reading | /sys/class/dmi/id/sys_vendor | /usr/bin/systemd-detect-virt | N/A |
| File opened for reading | /sys/class/dmi/id/product_name | /usr/bin/systemd-detect-virt | N/A |
| File opened for reading | /sys/class/dmi/id/sys_vendor | /usr/bin/systemd-detect-virt | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/1/sched | /usr/bin/systemd-detect-virt | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/systemd-detect-virt | N/A |
| File opened for reading | /proc/sys/kernel/osrelease | /usr/bin/systemd-detect-virt | N/A |
| File opened for reading | /proc/1/sched | /usr/bin/systemd-detect-virt | N/A |
| File opened for reading | /proc/cmdline | /usr/bin/systemd-detect-virt | N/A |
| File opened for reading | /proc/self/stat | /usr/bin/systemd-detect-virt | N/A |
| File opened for reading | /proc/cmdline | /usr/bin/systemd-detect-virt | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/systemd-detect-virt | N/A |
| File opened for reading | /proc/1/environ | /usr/bin/systemd-detect-virt | N/A |
| File opened for reading | /proc/1/environ | /usr/bin/systemd-detect-virt | N/A |
| File opened for reading | /proc/filesystems | /bin/sed | N/A |
| File opened for reading | /proc/sys/kernel/osrelease | /usr/bin/systemd-detect-virt | N/A |
| File opened for reading | /proc/self/stat | /usr/bin/systemd-detect-virt | N/A |
| File opened for reading | /proc/filesystems | /bin/sed | N/A |
Processes
/tmp/wireguard-install.sh
[/tmp/wireguard-install.sh]
/usr/bin/systemd-detect-virt
[systemd-detect-virt]
/usr/bin/systemd-detect-virt
[systemd-detect-virt]
/usr/bin/head
[head -1]
/bin/sed
[sed -ne s|^.* inet \([^/]*\)/.* scope global.*$|\1|p]
/sbin/ip
[ip -4 addr]
/usr/bin/head
[head -1]
/bin/sed
[sed -ne s|^.* inet6 \([^/]*\)/.* scope global.*$|\1|p]
/sbin/ip
[ip -6 addr]
/usr/bin/head
[head -1]
/bin/grep
[grep -Po (?<=dev )(\S+)]
/bin/grep
[grep default]
/sbin/ip
[ip -4 route ls]
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp | |
| US | 151.101.193.91:443 | tcp | |
| GB | 185.125.188.62:443 | tcp | |
| GB | 185.125.188.61:443 | tcp | |
| US | 151.101.193.91:443 | tcp | |
| GB | 195.181.164.14:443 | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-22 11:40
Reported
2024-05-22 11:42
Platform
debian9-armhf-20240226-en