Analysis
-
max time kernel
149s -
max time network
128s -
platform
ubuntu-18.04_amd64 -
resource
ubuntu1804-amd64-20240508-en -
resource tags
-
submitted
22-05-2024 11:47
General
-
Target
sb.sh
-
Size
25KB
-
MD5
d2b3a86dddf8cca8e96523cb1c72fdf9
-
SHA1
bdb88030cb5d94b8c53a7c3bf34c894ef23ea285
-
SHA256
eda059f25e212b264ced6dff8ffb29c91c340f946abeb06f5c435a863b2b033c
-
SHA512
19d25ec838dfc885cb2cb08170339373a9c2b7413fd06172dc7fa87289f1f7042c7e46a91e6b2c8aca70fad5e90bf8f2466f34ae3674da5dc4b9570173d0e3aa
-
SSDEEP
768:KLnoHx/WjXVqewjuDgyadveimN+oRMciVv:KMHl2qeiuDF6eimN3RMJt
Score
7/10
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
-
Checks hardware identifiers (DMI) 1 TTPs 2 IoCs
Checks DMI information which indicate if the system is a virtual machine.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Checks CPU configuration 1 TTPs 1 IoCs
Checks CPU information which indicate if the system is a virtual machine.
-
Enumerates kernel/hardware configuration 1 TTPs 4 IoCs
Reads contents of /sys virtual filesystem to enumerate system information.
-
Reads runtime system information 48 IoCs
Reads data from /proc virtual filesystem.
-
Writes file to tmp directory 64 IoCs
Malware often drops required files in the /tmp directory.
Processes
-
/tmp/sb.sh/tmp/sb.sh1⤵
-
/usr/bin/idid -u -n2⤵
- Reads runtime system information
-
-
/usr/bin/cutcut -d: -f62⤵
-
-
/usr/bin/getentgetent passwd root2⤵
-
-
/bin/mktempmktemp -d /root/.cache/bztmpXXXXXXXXX2⤵
-
-
/usr/bin/basenamebasename /tmp/sb.sh2⤵
-
-
/usr/bin/tailtail -n +12⤵
-
-
/bin/bzip2bzip2 -cd2⤵
-
-
/usr/bin/tailtail -n +752⤵
-
-
/bin/chmodchmod 700 /root/.cache/bztmpDYDUDPjfk/sb.sh2⤵
-
-
/root/.cache/bztmpDYDUDPjfk/sb.sh/root/.cache/bztmpDYDUDPjfk/sb.sh2⤵
- Executes dropped EXE
-
/bin/grepgrep -q -E -i debian3⤵
-
-
/bin/catcat /etc/issue3⤵
-
-
/bin/grepgrep -q -E -i ubuntu3⤵
-
-
/bin/catcat /etc/issue3⤵
-
-
/usr/bin/cutcut -d . -f13⤵
-
-
/usr/bin/cutcut -d "\"" -f23⤵
-
-
/bin/grepgrep -i version_id /etc/os-release3⤵
-
-
/bin/catcat /etc/redhat-release3⤵
-
-
/usr/bin/cutcut -d "\"" -f23⤵
-
-
/bin/grepgrep -i pretty_name3⤵
-
-
/bin/catcat /etc/os-release3⤵
-
-
/bin/grepgrep -i -E "arch|alpine"3⤵
-
-
/usr/bin/cutcut -d - -f13⤵
-
-
/bin/unameuname -r3⤵
-
-
/usr/bin/systemd-detect-virtsystemd-detect-virt3⤵
- Checks hardware identifiers (DMI)
- Reads runtime system information
-
-
/bin/unameuname -m3⤵
-
-
/usr/bin/cutcut -d: -f23⤵
-
-
/usr/bin/headhead -n 13⤵
-
-
/bin/grepgrep flags3⤵
-
-
/bin/catcat /proc/cpuinfo3⤵
- Checks CPU configuration
-
-
/usr/bin/awkawk -F " " "{print \$3}"3⤵
- Reads runtime system information
-
-
/sbin/sysctlsysctl net.ipv4.tcp_congestion_control3⤵
- Reads runtime system information
-
-
/usr/bin/awkawk -F " " "{print \$3}"3⤵
- Reads runtime system information
-
-
/sbin/sysctlsysctl net.ipv4.tcp_congestion_control3⤵
- Reads runtime system information
-
-
/bin/hostnamehostname3⤵
-
-
/usr/bin/aptapt update -y3⤵
- Reads runtime system information
- Writes file to tmp directory
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures4⤵
- Reads runtime system information
-
-
/usr/lib/apt/methods/http/usr/lib/apt/methods/http4⤵
-
-
/usr/lib/apt/methods/https/usr/lib/apt/methods/https4⤵
-
-
/bin/shsh -c "[ ! -e /run/systemd/system ] || [ \$(id -u) -ne 0 ] || systemctl start --no-block apt-news.service esm-cache.service || true"4⤵
-
/usr/bin/idid -u5⤵
- Reads runtime system information
-
-
/bin/systemctlsystemctl start --no-block apt-news.service esm-cache.service5⤵
- Reads runtime system information
-
-
-
/usr/lib/apt/methods/https/usr/lib/apt/methods/https4⤵
-
-
/usr/lib/apt/methods/http/usr/lib/apt/methods/http4⤵
-
-
/usr/lib/apt/methods/http/usr/lib/apt/methods/http4⤵
-
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures4⤵
- Reads runtime system information
-
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures4⤵
- Reads runtime system information
-
-
-
/usr/bin/aptapt install jq iptables-persistent -y3⤵
- Reads runtime system information
- Writes file to tmp directory
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures4⤵
- Reads runtime system information
-
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures4⤵
- Reads runtime system information
-
-
/bin/sh/bin/sh -c "[ ! -f /usr/bin/snap ] || /usr/bin/snap advise-snap --from-apt 2>/dev/null || true"4⤵
-
/usr/bin/snap/usr/bin/snap advise-snap --from-apt5⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
-
-
-
/usr/lib/apt/methods/http/usr/lib/apt/methods/http4⤵
-
-
/bin/sh/bin/sh -c "[ ! -f /usr/bin/snap ] || /usr/bin/snap advise-snap --from-apt 2>/dev/null || true"4⤵
-
/usr/bin/snap/usr/bin/snap advise-snap --from-apt5⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
-
-
-
/bin/sh/bin/sh -c "[ ! -f /usr/bin/snap ] || /usr/bin/snap advise-snap --from-apt 2>/dev/null || true"4⤵
-
/usr/bin/snap/usr/bin/snap advise-snap --from-apt5⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
-
-
-
/usr/lib/apt/methods/http/usr/lib/apt/methods/http4⤵
-
-
/bin/sh/bin/sh -c "[ ! -f /usr/bin/snap ] || /usr/bin/snap advise-snap --from-apt 2>/dev/null || true"4⤵
-
/usr/bin/snap/usr/bin/snap advise-snap --from-apt5⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
-
-
-
-
/usr/bin/touchtouch sbyg_update3⤵
-
-
/usr/bin/apt-getapt-get install -y expect3⤵
- Reads runtime system information
- Writes file to tmp directory
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures4⤵
- Reads runtime system information
-
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures4⤵
- Reads runtime system information
-
-
/usr/lib/apt/methods/http/usr/lib/apt/methods/http4⤵
-
-
/usr/lib/apt/methods/http/usr/lib/apt/methods/http4⤵
-
-
-
/usr/bin/apt-getapt-get install -y qrencode3⤵
- Reads runtime system information
- Writes file to tmp directory
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures4⤵
- Reads runtime system information
-
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures4⤵
- Reads runtime system information
-
-
/usr/lib/apt/methods/http/usr/lib/apt/methods/http4⤵
-
-
/usr/lib/apt/methods/http/usr/lib/apt/methods/http4⤵
-
-
-
/usr/bin/apt-getapt-get install -y git3⤵
- Reads runtime system information
- Writes file to tmp directory
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures4⤵
- Reads runtime system information
-
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures4⤵
- Reads runtime system information
-
-
/usr/lib/apt/methods/http/usr/lib/apt/methods/http4⤵
-
-
/usr/lib/apt/methods/http/usr/lib/apt/methods/http4⤵
-
-
-
/usr/bin/clearclear3⤵
-
-
/bin/catcat /etc/s-box/v3⤵
-
-
/usr/bin/headhead -n 13⤵
-
-
/usr/bin/awkawk -F 更新内容 "{print \$1}"3⤵
- Reads runtime system information
-
-
/usr/bin/curlcurl -sL https://raw.githubusercontent.com/yonggekkk/sing-box_hysteria2_tuic_argo_reality/main/version3⤵
-
-
-
/bin/sleepsleep 52⤵
-
-
/bin/rmrm -fr /root/.cache/bztmpDYDUDPjfk2⤵
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
143KB
MD53a6cceb40eee5c9ca2761b524c1ad80a
SHA10975b3e367ec535443b3899c10140bdabf6380c9
SHA256b9dd2a4a8d7da7151359224874048a6dace0b3028d7b044a434a61aee02473ef
SHA512cee398036a510fd24e72cbd4e9ca9f78f4703250f92c67815f9921ca2fc6a841dd3a6a66daa06136e043a2c28210a069a3be785ca38f112a28bd72fbea265973
-
Filesize
235KB
MD5373fe2f2ef99005d2550a482f09a3e51
SHA168e6572b55b1e77f7d171ebac7b2579b7a6bd51d
SHA2567552d5ab0c3879756a860aaab8e7c2f8ffb9409ea9ff9e65fc046ba5c519ebe5
SHA512def9e854b824d2fddc6a15f898be73cfb679ac38563f5af854546f49c9d5d2316a40176dc41d6b360bda7b65de53863a53e4eedadf6336000b031b77a113607b