e1f92fb2b1e2fea0a7a795759b9b71aa6a991b4d006dce83f5ae951545fdf9c7

Analysis

max time kernel
148s
max time network
128s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240508-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240508-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
22/05/2024, 11:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

install.sh
Size

3KB
MD5

69285e15904249ac63d70d4b5ef5a588
SHA1

24013d1d035c064611786a260e0d67f1a712e853
SHA256

e1f92fb2b1e2fea0a7a795759b9b71aa6a991b4d006dce83f5ae951545fdf9c7
SHA512

97ada08e46508ab222ae4b263715e9fe328bc5a6c357707978c35661790df662b74483eca4264735be9f3e8ae1403f1eeac80c7c7e1e92b96387f26114e1f84d

Score

3^/10

Malware Config

Signatures

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/self/stat	sudo
File opened for reading	/proc/sys/kernel/ngroups_max	sudo
File opened for reading	/proc/filesystems	sudo
File opened for reading	/proc/sys/kernel/ngroups_max	sudo
File opened for reading	/proc/self/stat	sudo
File opened for reading	/proc/self/stat	sudo
File opened for reading	/proc/self/stat	sudo
File opened for reading	/proc/self/stat	sudo
File opened for reading	/proc/filesystems	sudo
File opened for reading	/proc/filesystems	sudo
File opened for reading	/proc/self/stat	sudo
File opened for reading	/proc/self/stat	sudo
File opened for reading	/proc/filesystems	sudo
File opened for reading	/proc/self/stat	sudo
File opened for reading	/proc/sys/kernel/ngroups_max	sudo
File opened for reading	/proc/self/stat	sudo
File opened for reading	/proc/self/stat	sudo
File opened for reading	/proc/self/stat	sudo
File opened for reading	/proc/filesystems	sudo
File opened for reading	/proc/self/stat	sudo
File opened for reading	/proc/self/stat	sudo
File opened for reading	/proc/filesystems	sudo
File opened for reading	/proc/filesystems	sudo
File opened for reading	/proc/sys/kernel/ngroups_max	sudo
File opened for reading	/proc/sys/kernel/ngroups_max	sudo
File opened for reading	/proc/filesystems	sudo
File opened for reading	/proc/self/stat	sudo
File opened for reading	/proc/sys/kernel/ngroups_max	sudo
File opened for reading	/proc/self/stat	sudo
File opened for reading	/proc/sys/kernel/ngroups_max	sudo
File opened for reading	/proc/self/stat	sudo
File opened for reading	/proc/self/stat	sudo
File opened for reading	/proc/filesystems	sudo
File opened for reading	/proc/sys/kernel/ngroups_max	sudo
File opened for reading	/proc/filesystems	sudo
File opened for reading	/proc/sys/kernel/ngroups_max	sudo
File opened for reading	/proc/filesystems	sudo
File opened for reading	/proc/self/stat	sudo
File opened for reading	/proc/filesystems	sudo
File opened for reading	/proc/self/stat	sudo
File opened for reading	/proc/self/stat	sudo
File opened for reading	/proc/sys/kernel/ngroups_max	sudo
File opened for reading	/proc/filesystems	sudo
File opened for reading	/proc/filesystems	sudo
File opened for reading	/proc/self/stat	sudo
File opened for reading	/proc/sys/kernel/ngroups_max	sudo
File opened for reading	/proc/sys/kernel/ngroups_max	sudo
File opened for reading	/proc/sys/kernel/ngroups_max	sudo
File opened for reading	/proc/sys/kernel/ngroups_max	sudo
File opened for reading	/proc/filesystems	sudo
File opened for reading	/proc/sys/kernel/ngroups_max	sudo
File opened for reading	/proc/self/stat	sudo
File opened for reading	/proc/sys/kernel/ngroups_max	sudo
File opened for reading	/proc/sys/kernel/ngroups_max	sudo
File opened for reading	/proc/filesystems	sudo
File opened for reading	/proc/sys/kernel/ngroups_max	sudo
File opened for reading	/proc/filesystems	sudo
File opened for reading	/proc/filesystems	sudo
File opened for reading	/proc/self/stat	sudo
File opened for reading	/proc/filesystems	sudo
File opened for reading	/proc/sys/kernel/ngroups_max	sudo
File opened for reading	/proc/self/stat	sudo
File opened for reading	/proc/sys/kernel/ngroups_max	sudo
File opened for reading	/proc/sys/kernel/ngroups_max	sudo

/tmp/install.sh
/tmp/install.sh
1⤵
PID:1511
- /usr/bin/sudo
  sudo apt-get update
  2⤵
  - Reads runtime system information
  PID:1512
- /usr/bin/sudo
  sudo apt-get install -y ntp ntpdate
  2⤵
  PID:1513
- /usr/bin/sudo
  sudo service ntp stop
  2⤵
  - Reads runtime system information
  PID:1514
- /usr/bin/sudo
  sudo ntpdate 3.ubuntu.pool.ntp.org
  2⤵
  - Reads runtime system information
  PID:1521
- /usr/bin/sudo
  sudo service ntp start
  2⤵
  PID:1525
- /usr/bin/sudo
  sudo apt-get install -y apache2
  2⤵
  PID:1529
- /usr/bin/sudo
  sudo a2enmod rewrite
  2⤵
  - Reads runtime system information
  PID:1530
- /usr/bin/sudo
  sudo service apache2 restart
  2⤵
  - Reads runtime system information
  PID:1540
- /usr/bin/sudo
  sudo apt-get install -y php5
  2⤵
  PID:1541
- /usr/bin/sudo
  sudo apt-get install -y libapache2-mod-php5
  2⤵
  - Reads runtime system information
  PID:1548
- /usr/bin/sudo
  sudo service apache2 restart
  2⤵
  - Reads runtime system information
  PID:1549
- /usr/bin/sudo
  sudo apt-get install -y php5-mysql
  2⤵
  - Reads runtime system information
  PID:1550
- /usr/bin/sudo
  sudo apt-get install -y php5-curl
  2⤵
  - Reads runtime system information
  PID:1560
- /usr/bin/sudo
  sudo service apache2 restart
  2⤵
  - Reads runtime system information
  PID:1561
- /usr/bin/sudo
  sudo apt-get install -y php5-intl
  2⤵
  - Reads runtime system information
  PID:1565
- /usr/bin/sudo
  sudo service apache2 restart
  2⤵
  PID:1569
- /usr/bin/sudo
  sudo apt-get install -y php5-mcrypt
  2⤵
  - Reads runtime system information
  PID:1576
- /usr/bin/sudo
  sudo mv -i /etc/php5/conf.d/mcrypt.ini /etc/php5/mods-available/
  2⤵
  PID:1577
- /usr/bin/sudo
  sudo php5enmod mcrypt
  2⤵
  - Reads runtime system information
  PID:1581
- /usr/bin/sudo
  sudo service apache2 restart
  2⤵
  - Reads runtime system information
  PID:1582
- /usr/bin/sudo
  sudo adduser ubuntu www-data
  2⤵
  PID:1592
- /usr/bin/sudo
  sudo chown -R www-data:www-data /var/www
  2⤵
  - Reads runtime system information
  PID:1593
- /usr/bin/sudo
  sudo chmod -R g+rw /var/www
  2⤵
  - Reads runtime system information
  PID:1597
- /usr/bin/sudo
  sudo a2dissite default
  2⤵
  PID:1598
- /usr/bin/sudo
  sudo a2dissite default-000
  2⤵
  - Reads runtime system information
  PID:1608
- /usr/bin/sudo
  sudo cp virtual_hosts/ports.conf /etc/apache2/ports.conf
  2⤵
  - Reads runtime system information
  PID:1609
- /usr/bin/sudo
  sudo chmod 777 -R /etc/apache2/logs
  2⤵
  - Reads runtime system information
  PID:1613
- /usr/bin/sudo
  sudo cp virtual_hosts/control.fonmedia.mx /etc/apache2/sites-available/control.fonmedia.mx
  2⤵
  - Reads runtime system information
  PID:1614
- /usr/bin/sudo
  sudo cp virtual_hosts/control.fonmedia.mx /etc/apache2/sites-available/control.fonmedia.mx.conf
  2⤵
  - Reads runtime system information
  PID:1615
- /usr/bin/sudo
  sudo a2ensite control.fonmedia.mx
  2⤵
  PID:1625
- /usr/bin/sudo
  sudo cp virtual_hosts/callcenter.fonmedia.mx /etc/apache2/sites-available/callcenter.fonmedia.mx
  2⤵
  - Reads runtime system information
  PID:1626
- /usr/bin/sudo
  sudo cp virtual_hosts/callcenter.fonmedia.mx /etc/apache2/sites-available/callcenter.fonmedia.mx.conf
  2⤵
  PID:1627
- /usr/bin/sudo
  sudo a2ensite callcenter.fonmedia.mx
  2⤵
  - Reads runtime system information
  PID:1637
- /usr/bin/sudo
  sudo cp virtual_hosts/fonmedia.mx /etc/apache2/sites-available/fonmedia.mx
  2⤵
  - Reads runtime system information
  PID:1638
- /usr/bin/sudo
  sudo cp virtual_hosts/fonmedia.mx /etc/apache2/sites-available/fonmedia.mx.conf
  2⤵
  - Reads runtime system information
  PID:1645
- /usr/bin/sudo
  sudo a2ensite fonmedia.mx
  2⤵
  - Reads runtime system information
  PID:1646
- /usr/bin/sudo
  sudo cp virtual_hosts/static.fonmedia.mx /etc/apache2/sites-available/static.fonmedia.mx
  2⤵
  - Reads runtime system information
  PID:1653
- /usr/bin/sudo
  sudo cp virtual_hosts/static.fonmedia.mx /etc/apache2/sites-available/static.fonmedia.mx.conf
  2⤵
  PID:1654
- /usr/bin/sudo
  sudo a2ensite static.fonmedia.mx
  2⤵
  PID:1661
- /usr/bin/sudo
  sudo cp virtual_hosts/www.toditomovilclub.com /etc/apache2/sites-available/www.toditomovilclub.com
  2⤵
  - Reads runtime system information
  PID:1662
- /usr/bin/sudo
  sudo cp virtual_hosts/www.toditomovilclub.com /etc/apache2/sites-available/www.toditomovilclub.com.conf
  2⤵
  PID:1669
- /usr/bin/sudo
  sudo a2ensite www.toditomovilclub.com
  2⤵
  - Reads runtime system information
  PID:1670
- /usr/bin/sudo
  sudo cp virtual_hosts/static.toditomovilclub.com /etc/apache2/sites-available/static.toditomovilclub.com
  2⤵
  PID:1677
- /usr/bin/sudo
  sudo cp virtual_hosts/static.toditomovilclub.com /etc/apache2/sites-available/static.toditomovilclub.com.conf
  2⤵
  - Reads runtime system information
  PID:1678
- /usr/bin/sudo
  sudo a2ensite static.toditomovilclub.com
  2⤵
  - Reads runtime system information
  PID:1685
- /usr/bin/sudo
  sudo cp virtual_hosts/atencion.fonmedia.mx /etc/apache2/sites-available/atencion.fonmedia.mx
  2⤵
  - Reads runtime system information
  PID:1686
- /usr/bin/sudo
  sudo cp virtual_hosts/atencion.fonmedia.mx /etc/apache2/sites-available/atencion.fonmedia.mx.conf
  2⤵
  - Reads runtime system information
  PID:1693
- /usr/bin/sudo
  sudo a2ensite atencion.fonmedia.mx
  2⤵
  PID:1694
- /usr/bin/sudo
  sudo cp virtual_hosts/bt.fonmedia.mx /etc/apache2/sites-available/bt.fonmedia.mx
  2⤵
  PID:1701
- /usr/bin/sudo
  sudo cp virtual_hosts/bt.fonmedia.mx /etc/apache2/sites-available/bt.fonmedia.mx.conf
  2⤵
  - Reads runtime system information
  PID:1702
- /usr/bin/sudo
  sudo a2ensite bt.fonmedia.mx
  2⤵
  - Reads runtime system information
  PID:1709
- /usr/bin/sudo
  sudo service apache2 restart
  2⤵
  PID:1710
- /usr/bin/sudo
  sudo chmod 777 -R control.fonmedia.mx
  2⤵
  - Reads runtime system information
  PID:1717
- /usr/bin/sudo
  sudo chmod 777 -R callcenter.fonmedia.mx
  2⤵
  - Reads runtime system information
  PID:1724
- /usr/bin/sudo
  sudo chmod 777 -R static.fonmedia.mx
  2⤵
  PID:1725
- /usr/bin/sudo
  sudo chmod 777 -R www.toditomovilclub.com
  2⤵
  - Reads runtime system information
  PID:1732
- /usr/bin/sudo
  sudo chmod 777 -R static.toditomovilclub.com
  2⤵
  - Reads runtime system information
  PID:1733
- /usr/bin/sudo
  sudo chmod 777 -R download.toditomovilclub.com
  2⤵
  PID:1737
- /usr/bin/sudo
  sudo chmod 777 -R atencion.fonmedia.mx
  2⤵
  - Reads runtime system information
  PID:1741
- /usr/bin/sudo
  sudo chmod 777 -R www
  2⤵
  - Reads runtime system information
  PID:1742
- /usr/bin/curl
  curl -sS https://getcomposer.org/installer
  2⤵
  PID:1749

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads