Analysis Overview
SHA256
eda059f25e212b264ced6dff8ffb29c91c340f946abeb06f5c435a863b2b033c
Threat Level: Shows suspicious behavior
The file sb.sh was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Checks hardware identifiers (DMI)
Legitimate hosting services abused for malware hosting/C2
Checks CPU configuration
Enumerates kernel/hardware configuration
Reads runtime system information
Writes file to tmp directory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-22 11:47
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-22 11:47
Reported
2024-05-22 11:55
Platform
ubuntu1804-amd64-20240508-en
Max time kernel
149s
Max time network
128s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | /root/.cache/bztmpDYDUDPjfk/sb.sh | /root/.cache/bztmpDYDUDPjfk/sb.sh | N/A |
Checks hardware identifiers (DMI)
| Description | Indicator | Process | Target |
| File opened for reading | /sys/class/dmi/id/product_name | /usr/bin/systemd-detect-virt | N/A |
| File opened for reading | /sys/class/dmi/id/sys_vendor | /usr/bin/systemd-detect-virt | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Checks CPU configuration
| Description | Indicator | Process | Target |
| File opened for reading | /proc/cpuinfo | /bin/cat | N/A |
Enumerates kernel/hardware configuration
| Description | Indicator | Process | Target |
| File opened for reading | /sys/kernel/mm/transparent_hugepage/hpage_pmd_size | /usr/bin/snap | N/A |
| File opened for reading | /sys/kernel/mm/transparent_hugepage/hpage_pmd_size | /usr/bin/snap | N/A |
| File opened for reading | /sys/kernel/mm/transparent_hugepage/hpage_pmd_size | /usr/bin/snap | N/A |
| File opened for reading | /sys/kernel/mm/transparent_hugepage/hpage_pmd_size | /usr/bin/snap | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/cgroups | /usr/bin/snap | N/A |
| File opened for reading | /proc/sys/kernel/ngroups_max | /usr/bin/apt | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/dpkg | N/A |
| File opened for reading | /proc/1/sched | /usr/bin/systemd-detect-virt | N/A |
| File opened for reading | /proc/sys/net/ipv4/tcp_congestion_control | /sbin/sysctl | N/A |
| File opened for reading | /proc/cgroups | /usr/bin/snap | N/A |
| File opened for reading | /proc/cmdline | /usr/bin/snap | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/id | N/A |
| File opened for reading | /proc/1/environ | /bin/systemctl | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/dpkg | N/A |
| File opened for reading | /proc/cmdline | /usr/bin/snap | N/A |
| File opened for reading | /proc/self/fd | /usr/bin/apt-get | N/A |
| File opened for reading | /proc/self/maps | /usr/bin/awk | N/A |
| File opened for reading | /proc/sys/kernel/osrelease | /usr/bin/systemd-detect-virt | N/A |
| File opened for reading | /proc/sys/net/ipv4/tcp_congestion_control | /sbin/sysctl | N/A |
| File opened for reading | /proc/1/sched | /bin/systemctl | N/A |
| File opened for reading | /proc/cmdline | /bin/systemctl | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/dpkg | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/id | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/dpkg | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/dpkg | N/A |
| File opened for reading | /proc/cmdline | /usr/bin/snap | N/A |
| File opened for reading | /proc/self/fd | /usr/bin/apt-get | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/dpkg | N/A |
| File opened for reading | /proc/self/stat | /usr/bin/systemd-detect-virt | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/dpkg | N/A |
| File opened for reading | /proc/self/fd | /usr/bin/apt-get | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/dpkg | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/dpkg | N/A |
| File opened for reading | /proc/cmdline | /usr/bin/snap | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/dpkg | N/A |
| File opened for reading | /proc/sys/kernel/ngroups_max | /usr/bin/apt-get | N/A |
| File opened for reading | /proc/self/maps | /usr/bin/awk | N/A |
| File opened for reading | /proc/filesystems | /bin/systemctl | N/A |
| File opened for reading | /proc/self/stat | /bin/systemctl | N/A |
| File opened for reading | /proc/sys/kernel/ngroups_max | /usr/bin/apt | N/A |
| File opened for reading | /proc/sys/kernel/ngroups_max | /usr/bin/apt-get | N/A |
| File opened for reading | /proc/cgroups | /usr/bin/snap | N/A |
| File opened for reading | /proc/cgroups | /usr/bin/snap | N/A |
| File opened for reading | /proc/sys/kernel/ngroups_max | /usr/bin/apt-get | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/systemd-detect-virt | N/A |
| File opened for reading | /proc/1/environ | /usr/bin/systemd-detect-virt | N/A |
| File opened for reading | /proc/self/maps | /usr/bin/awk | N/A |
| File opened for reading | /proc/filesystems | /usr/bin/dpkg | N/A |
| File opened for reading | /proc/cmdline | /usr/bin/systemd-detect-virt | N/A |
| File opened for reading | /proc/self/fd | /usr/bin/apt | N/A |
| File opened for reading | /proc/sys/kernel/osrelease | /bin/systemctl | N/A |
| File opened for reading | /proc/self/fd | /usr/bin/apt | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/fileutl.message.ySIiiK | /usr/bin/apt | N/A |
| File opened for modification | /tmp/fileutl.message.2Stzz1 | /usr/bin/apt-get | N/A |
| File opened for modification | /tmp/fileutl.message.wfxOq9 | /usr/bin/apt-get | N/A |
| File opened for modification | /tmp/fileutl.message.Bnzp4Q | /usr/bin/apt | N/A |
| File opened for modification | /tmp/fileutl.message.rhe24c | /usr/bin/apt | N/A |
| File opened for modification | /tmp/fileutl.message.Dx0Q9L | /usr/bin/apt | N/A |
| File opened for modification | /tmp/fileutl.message.yV8cbO | /usr/bin/apt-get | N/A |
| File opened for modification | /tmp/fileutl.message.z8M09E | /usr/bin/apt-get | N/A |
| File opened for modification | /tmp/fileutl.message.T8UohY | /usr/bin/apt-get | N/A |
| File opened for modification | /tmp/fileutl.message.woahpB | /usr/bin/apt | N/A |
| File opened for modification | /tmp/fileutl.message.SX6iQF | /usr/bin/apt | N/A |
| File opened for modification | /tmp/fileutl.message.I9dH72 | /usr/bin/apt | N/A |
| File opened for modification | /tmp/fileutl.message.e8GSro | /usr/bin/apt-get | N/A |
| File opened for modification | /tmp/fileutl.message.9A54KM | /usr/bin/apt | N/A |
| File opened for modification | /tmp/fileutl.message.5DCFwh | /usr/bin/apt | N/A |
| File opened for modification | /tmp/fileutl.message.XvxTBc | /usr/bin/apt-get | N/A |
| File opened for modification | /tmp/fileutl.message.tJV0J7 | /usr/bin/apt-get | N/A |
| File opened for modification | /tmp/fileutl.message.HR42Zg | /usr/bin/apt-get | N/A |
| File opened for modification | /tmp/fileutl.message.nyyZ8C | /usr/bin/apt-get | N/A |
| File opened for modification | /tmp/fileutl.message.hgmSiZ | /usr/bin/apt-get | N/A |
| File opened for modification | /tmp/fileutl.message.xONyMZ | /usr/bin/apt | N/A |
| File opened for modification | /tmp/fileutl.message.Bit7b4 | /usr/bin/apt | N/A |
| File opened for modification | /tmp/fileutl.message.E0Z4qf | /usr/bin/apt | N/A |
| File opened for modification | /tmp/fileutl.message.qicQJS | /usr/bin/apt-get | N/A |
| File opened for modification | /tmp/fileutl.message.oaVo4W | /usr/bin/apt-get | N/A |
| File opened for modification | /tmp/fileutl.message.PSVKtl | /usr/bin/apt-get | N/A |
| File opened for modification | /tmp/fileutl.message.4X0VAs | /usr/bin/apt | N/A |
| File opened for modification | /tmp/fileutl.message.b0RFC8 | /usr/bin/apt | N/A |
| File opened for modification | /tmp/fileutl.message.jBERxD | /usr/bin/apt | N/A |
| File opened for modification | /tmp/fileutl.message.24zTdV | /usr/bin/apt-get | N/A |
| File opened for modification | /tmp/fileutl.message.e6THIr | /usr/bin/apt-get | N/A |
| File opened for modification | /tmp/fileutl.message.BxeNY2 | /usr/bin/apt-get | N/A |
| File opened for modification | /tmp/fileutl.message.anwPxr | /usr/bin/apt | N/A |
| File opened for modification | /tmp/fileutl.message.EXQIUh | /usr/bin/apt-get | N/A |
| File opened for modification | /tmp/fileutl.message.nVmBCv | /usr/bin/apt-get | N/A |
| File opened for modification | /tmp/fileutl.message.HE21zV | /usr/bin/apt | N/A |
| File opened for modification | /tmp/fileutl.message.S4IQ0J | /usr/bin/apt-get | N/A |
| File opened for modification | /tmp/fileutl.message.mdpReo | /usr/bin/apt | N/A |
| File opened for modification | /tmp/fileutl.message.PAXx6D | /usr/bin/apt | N/A |
| File opened for modification | /tmp/fileutl.message.Djs1Au | /usr/bin/apt | N/A |
| File opened for modification | /tmp/fileutl.message.0wHTQv | /usr/bin/apt-get | N/A |
| File opened for modification | /tmp/fileutl.message.OXOa9Q | /usr/bin/apt-get | N/A |
| File opened for modification | /tmp/fileutl.message.E8EP2Q | /usr/bin/apt-get | N/A |
| File opened for modification | /tmp/fileutl.message.Qs6ziM | /usr/bin/apt-get | N/A |
| File opened for modification | /tmp/fileutl.message.5nLTlR | /usr/bin/apt | N/A |
| File opened for modification | /tmp/fileutl.message.cvX1Qo | /usr/bin/apt-get | N/A |
| File opened for modification | /tmp/fileutl.message.Gmxgxd | /usr/bin/apt-get | N/A |
| File opened for modification | /tmp/fileutl.message.RDlh5J | /usr/bin/apt-get | N/A |
| File opened for modification | /tmp/fileutl.message.N5UUlA | /usr/bin/apt-get | N/A |
| File opened for modification | /tmp/fileutl.message.CQqWVA | /usr/bin/apt-get | N/A |
| File opened for modification | /tmp/fileutl.message.2ovdUj | /usr/bin/apt | N/A |
| File opened for modification | /tmp/fileutl.message.1GUypV | /usr/bin/apt | N/A |
| File opened for modification | /tmp/fileutl.message.8VmiLO | /usr/bin/apt | N/A |
| File opened for modification | /tmp/fileutl.message.DmC1Em | /usr/bin/apt | N/A |
| File opened for modification | /tmp/fileutl.message.tgsTHc | /usr/bin/apt-get | N/A |
| File opened for modification | /tmp/fileutl.message.VJI2Ly | /usr/bin/apt-get | N/A |
| File opened for modification | /tmp/fileutl.message.gDaWOe | /usr/bin/apt-get | N/A |
| File opened for modification | /tmp/fileutl.message.E3BwcH | /usr/bin/apt-get | N/A |
| File opened for modification | /tmp/fileutl.message.kvMeFj | /usr/bin/apt-get | N/A |
| File opened for modification | /tmp/fileutl.message.o3TcZw | /usr/bin/apt | N/A |
| File opened for modification | /tmp/fileutl.message.If0gRt | /usr/bin/apt | N/A |
| File opened for modification | /tmp/fileutl.message.kDlpkz | /usr/bin/apt | N/A |
| File opened for modification | /tmp/fileutl.message.DoLKJ3 | /usr/bin/apt | N/A |
| File opened for modification | /tmp/fileutl.message.4CEfj2 | /usr/bin/apt-get | N/A |
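The signatures above (Executes dropped EXE, the DMI and CPU checks, the /proc reads) are the sandbox's labels for one recognisable chain: the stub creates a directory with `mktemp -d` under ~/.cache, writes its decompressed payload there, marks it 0700, runs it, fingerprints the host (cat /etc/issue, uname, systemd-detect-virt, cat /proc/cpuinfo, hostname) and removes the directory at the end. As an added example that is not part of this report, the Python below turns that chain into two detection rules and runs them over process events constructed from the Processes listing further down; the timestamps and the event shape are assumptions, since the report records neither.

```python
"""Detection logic for the drop-and-execute chain recorded in behavioral1.

Added example, not part of the report: the events below are constructed
from the report's process listing and the timestamps are assumed, since
the report records no timing. Run it to see which events trip each rule.
"""
from dataclasses import dataclass
from os.path import dirname


@dataclass
class ProcEvent:
    ts: float   # seconds since detonation start (assumed)
    exe: str    # executable path as recorded by the sandbox
    argv: list  # argument vector as recorded


# Constructed telemetry modelled on the behavioral1 process list.
EVENTS = [
    ProcEvent(0.0, "/tmp/sb.sh", ["/tmp/sb.sh"]),
    ProcEvent(0.1, "/bin/mktemp", ["mktemp", "-d", "/root/.cache/bztmpXXXXXXXXX"]),
    ProcEvent(0.2, "/usr/bin/tail", ["tail", "-n", "+75"]),
    ProcEvent(0.2, "/bin/bzip2", ["bzip2", "-cd"]),
    ProcEvent(0.3, "/bin/chmod", ["chmod", "700", "/root/.cache/bztmpDYDUDPjfk/sb.sh"]),
    ProcEvent(0.4, "/root/.cache/bztmpDYDUDPjfk/sb.sh", ["/root/.cache/bztmpDYDUDPjfk/sb.sh"]),
    ProcEvent(0.5, "/bin/cat", ["cat", "/etc/issue"]),
    ProcEvent(0.6, "/bin/uname", ["uname", "-r"]),
    ProcEvent(0.7, "/usr/bin/systemd-detect-virt", ["systemd-detect-virt"]),
    ProcEvent(0.8, "/bin/cat", ["cat", "/proc/cpuinfo"]),
    ProcEvent(0.9, "/bin/hostname", ["hostname"]),
    ProcEvent(120.0, "/bin/rm", ["rm", "-fr", "/root/.cache/bztmpDYDUDPjfk"]),
]

# Commands the script used to fingerprint the host (taken from the process list).
RECON_CMDS = {
    ("cat", "/etc/issue"), ("cat", "/etc/os-release"), ("cat", "/etc/redhat-release"),
    ("cat", "/proc/cpuinfo"), ("uname",), ("systemd-detect-virt",), ("hostname",),
}


def grants_exec(mode: str) -> bool:
    """True for octal modes with any execute bit, or symbolic modes adding x."""
    if mode.isdigit():
        return int(mode, 8) & 0o111 != 0
    return "+" in mode and "x" in mode.split("+", 1)[1]


def detect_drop_and_exec(events):
    """mktemp -d  ->  chmod +x on a file under it  ->  that file runs  ->  rm -r of the dir."""
    prefixes = [e.argv[-1].rstrip("X") for e in events if e.argv[:2] == ["mktemp", "-d"]]
    exec_granted = {e.argv[-1]: e.ts for e in events
                    if e.argv[:1] == ["chmod"] and len(e.argv) >= 3 and grants_exec(e.argv[1])}
    findings = []
    for e in events:
        chmod_ts = exec_granted.get(e.exe)
        if chmod_ts is None or chmod_ts > e.ts:
            continue                       # never made executable, or executed before chmod
        if not any(p and e.exe.startswith(p) for p in prefixes):
            continue                       # not inside a mktemp'd directory
        dropdir = dirname(e.exe)
        cleaned = any(x.argv[:1] == ["rm"] and dropdir in x.argv[1:]
                      and any(a.startswith("-") and "r" in a for a in x.argv[1:])
                      for x in events if x.ts >= e.ts)
        findings.append({"rule": "drop_and_exec", "path": e.exe, "ts": e.ts, "cleanup": cleaned})
    return findings


def recon_key(argv):
    """Return the RECON_CMDS entry matching argv, or None."""
    for key in ((argv[0],), tuple(argv[:2])):
        if key in RECON_CMDS:
            return key
    return None


def detect_recon_burst(events, window=30.0, threshold=4):
    """Flag >= threshold distinct host-fingerprinting commands within `window` seconds."""
    hits = sorted((e.ts, recon_key(e.argv)) for e in events if recon_key(e.argv))
    for i, (t0, _) in enumerate(hits):
        seen = {k for t, k in hits[i:] if t - t0 <= window}
        if len(seen) >= threshold:
            return [{"rule": "host_fingerprinting", "ts": t0,
                     "commands": sorted(" ".join(k) for k in seen)}]
    return []


def run_detections(events):
    return detect_drop_and_exec(events) + detect_recon_burst(events)


if __name__ == "__main__":
    for finding in run_detections(EVENTS):
        print(finding)
```

The first rule keys on the relationship between events (a file under a mktemp template, made executable, then executed, then its directory removed) rather than on any path or hash, so it also fires when the random suffix, the script name or the compression tool changes; the second rule is the generic "many distinct recon commands in a short window" pattern and will also fire on legitimate installers, so it is a weak signal on its own and a strong one in combination with the first.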
Processes
/tmp/sb.sh
[/tmp/sb.sh]
/usr/bin/id
[id -u -n]
/usr/bin/cut
[cut -d: -f6]
/usr/bin/getent
[getent passwd root]
/bin/mktemp
[mktemp -d /root/.cache/bztmpXXXXXXXXX]
/usr/bin/basename
[basename /tmp/sb.sh]
/usr/bin/tail
[tail -n +1]
/bin/bzip2
[bzip2 -cd]
/usr/bin/tail
[tail -n +75]
/bin/chmod
[chmod 700 /root/.cache/bztmpDYDUDPjfk/sb.sh]
/root/.cache/bztmpDYDUDPjfk/sb.sh
[/root/.cache/bztmpDYDUDPjfk/sb.sh]
/bin/grep
[grep -q -E -i debian]
/bin/sleep
[sleep 5]
/bin/cat
[cat /etc/issue]
/bin/grep
[grep -q -E -i ubuntu]
/bin/cat
[cat /etc/issue]
/usr/bin/cut
[cut -d . -f1]
/usr/bin/cut
[cut -d " -f2]
/bin/grep
[grep -i version_id /etc/os-release]
/bin/cat
[cat /etc/redhat-release]
/usr/bin/cut
[cut -d " -f2]
/bin/grep
[grep -i pretty_name]
/bin/cat
[cat /etc/os-release]
/bin/grep
[grep -i -E arch|alpine]
/usr/bin/cut
[cut -d - -f1]
/bin/uname
[uname -r]
/usr/bin/systemd-detect-virt
[systemd-detect-virt]
/bin/uname
[uname -m]
/usr/bin/cut
[cut -d: -f2]
/usr/bin/head
[head -n 1]
/bin/grep
[grep flags]
/bin/cat
[cat /proc/cpuinfo]
/usr/bin/awk
[awk -F {print $3}]
/sbin/sysctl
[sysctl net.ipv4.tcp_congestion_control]
/usr/bin/awk
[awk -F {print $3}]
/sbin/sysctl
[sysctl net.ipv4.tcp_congestion_control]
/bin/hostname
[hostname]
/usr/bin/apt
[apt update -y]
/usr/bin/dpkg
[/usr/bin/dpkg --print-foreign-architectures]
/usr/lib/apt/methods/http
[/usr/lib/apt/methods/http]
/usr/lib/apt/methods/https
[/usr/lib/apt/methods/https]
/bin/sh
[sh -c [ ! -e /run/systemd/system ] || [ $(id -u) -ne 0 ] || systemctl start --no-block apt-news.service esm-cache.service || true]
/usr/bin/id
[id -u]
/bin/systemctl
[systemctl start --no-block apt-news.service esm-cache.service]
/usr/lib/apt/methods/https
[/usr/lib/apt/methods/https]
/usr/lib/apt/methods/http
[/usr/lib/apt/methods/http]
/usr/lib/apt/methods/http
[/usr/lib/apt/methods/http]
/usr/bin/dpkg
[/usr/bin/dpkg --print-foreign-architectures]
/usr/bin/dpkg
[/usr/bin/dpkg --print-foreign-architectures]
/usr/bin/apt
[apt install jq iptables-persistent -y]
/usr/bin/dpkg
[/usr/bin/dpkg --print-foreign-architectures]
/usr/bin/dpkg
[/usr/bin/dpkg --print-foreign-architectures]
/bin/sh
[/bin/sh -c [ ! -f /usr/bin/snap ] || /usr/bin/snap advise-snap --from-apt 2>/dev/null || true]
/usr/bin/snap
[/usr/bin/snap advise-snap --from-apt]
/usr/lib/apt/methods/http
[/usr/lib/apt/methods/http]
/bin/sh
[/bin/sh -c [ ! -f /usr/bin/snap ] || /usr/bin/snap advise-snap --from-apt 2>/dev/null || true]
/usr/bin/snap
[/usr/bin/snap advise-snap --from-apt]
/bin/sh
[/bin/sh -c [ ! -f /usr/bin/snap ] || /usr/bin/snap advise-snap --from-apt 2>/dev/null || true]
/usr/bin/snap
[/usr/bin/snap advise-snap --from-apt]
/usr/lib/apt/methods/http
[/usr/lib/apt/methods/http]
/bin/sh
[/bin/sh -c [ ! -f /usr/bin/snap ] || /usr/bin/snap advise-snap --from-apt 2>/dev/null || true]
/usr/bin/snap
[/usr/bin/snap advise-snap --from-apt]
/usr/bin/touch
[touch sbyg_update]
/usr/bin/apt-get
[apt-get install -y expect]
/usr/bin/dpkg
[/usr/bin/dpkg --print-foreign-architectures]
/usr/bin/dpkg
[/usr/bin/dpkg --print-foreign-architectures]
/usr/lib/apt/methods/http
[/usr/lib/apt/methods/http]
/usr/lib/apt/methods/http
[/usr/lib/apt/methods/http]
/usr/bin/apt-get
[apt-get install -y qrencode]
/usr/bin/dpkg
[/usr/bin/dpkg --print-foreign-architectures]
/usr/bin/dpkg
[/usr/bin/dpkg --print-foreign-architectures]
/usr/lib/apt/methods/http
[/usr/lib/apt/methods/http]
/usr/lib/apt/methods/http
[/usr/lib/apt/methods/http]
/usr/bin/apt-get
[apt-get install -y git]
/usr/bin/dpkg
[/usr/bin/dpkg --print-foreign-architectures]
/usr/bin/dpkg
[/usr/bin/dpkg --print-foreign-architectures]
/usr/lib/apt/methods/http
[/usr/lib/apt/methods/http]
/usr/lib/apt/methods/http
[/usr/lib/apt/methods/http]
/usr/bin/clear
[clear]
/bin/cat
[cat /etc/s-box/v]
/usr/bin/head
[head -n 1]
/usr/bin/awk
[awk -F 更新内容 {print $1}]
/usr/bin/curl
[curl -sL https://raw.githubusercontent.com/yonggekkk/sing-box_hysteria2_tuic_argo_reality/main/version]
/bin/rm
[rm -fr /root/.cache/bztmpDYDUDPjfk]
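The listing shows the structure of sb.sh: it is a self-extracting stub that pipes its own tail (`tail -n +75`) through `bzip2 -cd` into the mktemp directory, then runs the result as /root/.cache/bztmpDYDUDPjfk/sb.sh. For triage it is better to carve that payload statically than to run the stub. The Python below is an added example, not the script's own code: it finds the bzip2 stream by its magic rather than trusting the stub's line count, cross-checks the two, decompresses without executing anything, and lists the URLs the payload contains. The sample stub it builds is constructed for this example; to use it on the real file, pass the path as the first argument.

```python
"""Carve the bzip2 payload out of a self-extracting shell stub without running it.

Added example, not the script's own code. It reproduces the extraction the
report shows (tail -n +N | bzip2 -cd) but locates the stream by its bzip2
magic instead of trusting the stub's line count, and cross-checks the two.
The stub returned by build_sample() is constructed for this example.
"""
import bz2
import re
import sys
from typing import NamedTuple, Optional

# "BZh" + block-size digit + first block header 0x314159265359, so a bare
# "BZh" inside the stub text cannot match.
BZ2_MAGIC = re.compile(rb"BZh[1-9]\x31\x41\x59\x26\x53\x59")
TAIL_OFFSET = re.compile(r"tail\s+-n\s+\+(\d+)")
URL = re.compile(rb"https?://[^\s'\"]+")


class Carved(NamedTuple):
    stub: str           # shell text preceding the compressed stream
    payload_line: int   # 1-based line on which the stream starts (tail -n +N form)
    payload: bytes      # decompressed payload
    trailing: bytes     # bytes after the end of the bzip2 stream, if any


def carve(blob: bytes) -> Carved:
    m = BZ2_MAGIC.search(blob)
    if m is None:
        raise ValueError("no bzip2 stream found")
    start = m.start()
    stub = blob[:start]
    dec = bz2.BZ2Decompressor()
    payload = dec.decompress(blob[start:])
    if not dec.eof:
        raise ValueError("bzip2 stream is truncated")
    return Carved(stub.decode("utf-8", "replace"), stub.count(b"\n") + 1,
                  payload, dec.unused_data)


def declared_offset(stub: str) -> Optional[int]:
    """The N from the stub's own `tail -n +N`, if it has one."""
    m = TAIL_OFFSET.search(stub)
    return int(m.group(1)) if m else None


def find_urls(payload: bytes):
    return [u.decode() for u in URL.findall(payload)]


def build_sample() -> bytes:
    """Constructed stub in the shape seen in the report: shell lines, then a bzip2 stream."""
    inner = (b"#!/bin/bash\n"
             b"cat /etc/issue | grep -q -E -i ubuntu && apt install jq iptables-persistent -y\n"
             b"curl -sL https://raw.githubusercontent.com/yonggekkk/sing-box_hysteria2_tuic_argo_reality/main/version\n")
    stub = b"\n".join([
        b"#!/bin/bash",
        b"# self-extracting stub (constructed sample)",
        b"home=$(getent passwd \"$(id -u -n)\" | cut -d: -f6)",
        b'tmpdir=$(mktemp -d "$home/.cache/bztmpXXXXXXXXX")',
        b'tail -n +8 "$0" | bzip2 -cd > "$tmpdir/sb.sh"',
        b'chmod 700 "$tmpdir/sb.sh" && "$tmpdir/sb.sh"; rm -fr "$tmpdir"',
        b"exit 0",
    ]) + b"\n"
    return stub + bz2.compress(inner)


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    c = carve(blob)
    print(f"payload starts on line {c.payload_line} (stub says tail -n +{declared_offset(c.stub)})")
    print(f"{len(c.payload)} bytes decompressed, {len(c.trailing)} trailing bytes; URLs: {find_urls(c.payload)}")
    sys.stdout.write(c.payload.decode("utf-8", "replace"))
```

The one-liner equivalent using the offset the report recorded is `tail -n +75 sb.sh | bzip2 -dc > payload.sh`; the carver is preferable when the stub's offset is unknown or deliberately wrong, and a mismatch between `payload_line` and `declared_offset` is itself worth noting. If the stub writes the decompressed stream unmodified, the SHA256 of the carved payload should equal the hash listed for /root/.cache/bztmpDYDUDPjfk/sb.sh under Files below, which ties the static result back to what the sandbox actually executed.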
Network
| Country | Destination | Domain | Proto |
| GB | 185.125.188.62:443 | | tcp |
| GB | 185.125.188.61:443 | | tcp |
| US | 151.101.65.91:443 | | tcp |
| US | 151.101.65.91:443 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | _http._tcp.security.ubuntu.com | udp |
| US | 1.1.1.1:53 | _https._tcp.deb.nodesource.com | udp |
| US | 1.1.1.1:53 | _http._tcp.nl.archive.ubuntu.com | udp |
| GB | 195.181.164.14:443 | | tcp |
| US | 1.1.1.1:53 | raw.githubusercontent.com | udp |
| US | 1.1.1.1:53 | raw.githubusercontent.com | udp |
Files
/root/.cache/bztmpDYDUDPjfk/sb.sh
| MD5 | 3a6cceb40eee5c9ca2761b524c1ad80a |
| SHA1 | 0975b3e367ec535443b3899c10140bdabf6380c9 |
| SHA256 | b9dd2a4a8d7da7151359224874048a6dace0b3028d7b044a434a61aee02473ef |
| SHA512 | cee398036a510fd24e72cbd4e9ca9f78f4703250f92c67815f9921ca2fc6a841dd3a6a66daa06136e043a2c28210a069a3be785ca38f112a28bd72fbea265973 |
/tmp/fileutl.message.9A54KM
| MD5 | 373fe2f2ef99005d2550a482f09a3e51 |
| SHA1 | 68e6572b55b1e77f7d171ebac7b2579b7a6bd51d |
| SHA256 | 7552d5ab0c3879756a860aaab8e7c2f8ffb9409ea9ff9e65fc046ba5c519ebe5 |
| SHA512 | def9e854b824d2fddc6a15f898be73cfb679ac38563f5af854546f49c9d5d2316a40176dc41d6b360bda7b65de53863a53e4eedadf6336000b031b77a113607b |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-22 11:47
Reported
2024-05-22 11:55
Platform
debian9-armhf-20240418-en
Command Line
Signatures
Processes
Network
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-05-22 11:47
Reported
2024-05-22 11:53
Platform
debian9-mipsbe-20240418-en
Command Line
Signatures
Processes
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-05-22 11:47
Reported
2024-05-22 11:53
Platform
debian9-mipsel-20240418-en