Malware Analysis Report

2024-10-24 21:46

Sample ID: 240522-nx3f8sec42
Target: sb.sh
SHA256: eda059f25e212b264ced6dff8ffb29c91c340f946abeb06f5c435a863b2b033c
Tags: antivm
Score: 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 7/10

SHA256: eda059f25e212b264ced6dff8ffb29c91c340f946abeb06f5c435a863b2b033c

Threat Level: suspicious (the sandbox verdict "Shows suspicious behavior").

The file sb.sh shows suspicious behavior. Read from the behavioral1 process tree, this is what the run records: sb.sh is a self-extracting shell wrapper. It creates a staging directory with mktemp -d /root/.cache/bztmpXXXXXXXXX, pipes its own tail (tail -n +75) through bzip2 -cd into <staging>/sb.sh, marks that file 700, executes it, and deletes the directory with rm -fr when done. The inner script fingerprints the host (distribution from /etc/issue, /etc/os-release and /etc/redhat-release; kernel release and architecture from uname; virtualization from systemd-detect-virt; CPU flags from /proc/cpuinfo; TCP congestion control from sysctl), installs jq, iptables-persistent, expect, qrencode and git through apt, touches a marker file named sbyg_update, reads /etc/s-box/v (the awk field separator 更新内容 is Chinese for "update contents") and fetches a version file from raw.githubusercontent.com/yonggekkk/sing-box_hysteria2_tuic_argo_reality. That GitHub fetch is the only network contact not attributable to apt and the sandbox image's configured package sources. The two "antivm" signatures are the systemd-detect-virt call and the /proc/cpuinfo read; execution carried on after both, so in this run they are environment fingerprinting rather than sandbox evasion. The 7/10 score therefore reflects a root-run script that unpacks and executes a concealed payload and pulls content from a public code-hosting service, not an observed malicious second stage. The behavioral2 to behavioral4 runs (armhf, mipsbe, mipsel) recorded no activity at all.

Malicious Activity Summary

antivm

Executes dropped EXE

Checks hardware identifiers (DMI)

Legitimate hosting services abused for malware hosting/C2

Checks CPU configuration

Enumerates kernel/hardware configuration

Reads runtime system information

Writes file to tmp directory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-22 11:47

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-22 11:47

Reported

2024-05-22 11:55

Platform

ubuntu1804-amd64-20240508-en

Max time kernel

149s

Max time network

128s

Command Line

[/tmp/sb.sh]

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A /root/.cache/bztmpDYDUDPjfk/sb.sh /root/.cache/bztmpDYDUDPjfk/sb.sh N/A
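The sandbox reaches this verdict because a file the sample wrote is later executed. The same chain (mktemp -d staging directory, chmod that grants execute, execution of the staged file, rm -fr of the directory) is visible in ordinary process-creation telemetry and can be turned into a detection. The following is an added example, not the sandbox's own signature logic: its event model (pid, ppid, exe, argv) is a simplified, constructed one, and the sample events are modelled on the process list in this report with invented pids.

```python
"""Reproduce the "Executes dropped EXE" verdict from process-creation telemetry.

Added example, not the sandbox's own signature code.  The event model
(pid, ppid, exe, argv) is a constructed, simplified one, and SAMPLE_EVENTS /
BENIGN_EVENTS are modelled on the process list in this report rather than
taken from a real log source.  The rule looks for one parent process that
(1) creates a staging directory with mktemp -d, (2) makes a file inside it
executable with chmod, (3) executes that file and (4) removes the directory."""
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    exe: str      # resolved executable path
    argv: tuple   # command line, one string per argument


def _basename_is(ev, name):
    return os.path.basename(ev.exe) == name


def _mktemp_prefixes(children):
    """Directory prefixes announced by 'mktemp -d TEMPLATE' (the X's stripped)."""
    out = []
    for ev in children:
        if _basename_is(ev, "mktemp") and "-d" in ev.argv and ev.argv[-1].endswith("X"):
            out.append(ev.argv[-1].rstrip("X"))
    return out


def _grants_exec(mode):
    """True if a chmod mode argument leaves the target executable by someone."""
    if mode.isdigit():
        return bool(int(mode, 8) & 0o111)
    return "x" in mode and "-x" not in mode   # symbolic forms such as +x or u+x


def _removes_path(ev, path):
    """True if ev is an rm whose target directory contains path."""
    if not _basename_is(ev, "rm"):
        return False
    return any(path.startswith(arg.rstrip("/") + "/")
               for arg in ev.argv[1:] if not arg.startswith("-"))


def find_dropped_executions(events):
    """One finding per file that was staged, made executable and run by the
    same parent process; cleaned_up records whether the staging directory
    was removed afterwards (this sample did: rm -fr)."""
    by_parent = {}
    for ev in events:
        by_parent.setdefault(ev.ppid, []).append(ev)
    findings = []
    for ppid, children in by_parent.items():
        prefixes = _mktemp_prefixes(children)
        if not prefixes:
            continue
        for ch in children:
            if not _basename_is(ch, "chmod"):
                continue
            args = [a for a in ch.argv[1:] if not a.startswith("-")]
            if len(args) < 2:
                continue
            mode, target = args[0], args[-1]
            if not _grants_exec(mode) or not any(target.startswith(p) for p in prefixes):
                continue
            if any(c.exe == target for c in children):          # step 3: executed
                findings.append({
                    "parent_pid": ppid,
                    "dropped": target,
                    "mode": mode,
                    "cleaned_up": any(_removes_path(c, target) for c in children),
                })
    return findings


# Constructed events modelled on the behavioral1 process list (pids are invented).
SAMPLE_EVENTS = (
    ProcEvent(100, 1,   "/tmp/sb.sh", ("/tmp/sb.sh",)),
    ProcEvent(101, 100, "/bin/mktemp", ("mktemp", "-d", "/root/.cache/bztmpXXXXXXXXX")),
    ProcEvent(102, 100, "/usr/bin/tail", ("tail", "-n", "+75")),
    ProcEvent(103, 100, "/bin/bzip2", ("bzip2", "-cd")),
    ProcEvent(104, 100, "/bin/chmod", ("chmod", "700", "/root/.cache/bztmpDYDUDPjfk/sb.sh")),
    ProcEvent(105, 100, "/root/.cache/bztmpDYDUDPjfk/sb.sh", ("/root/.cache/bztmpDYDUDPjfk/sb.sh",)),
    ProcEvent(106, 105, "/usr/bin/systemd-detect-virt", ("systemd-detect-virt",)),
    ProcEvent(107, 105, "/usr/bin/apt", ("apt", "update", "-y")),
    ProcEvent(108, 107, "/usr/bin/dpkg", ("/usr/bin/dpkg", "--print-foreign-architectures")),
    ProcEvent(109, 100, "/bin/rm", ("rm", "-fr", "/root/.cache/bztmpDYDUDPjfk")),
)

# Constructed benign case: a script that stages a temp file but never executes it.
BENIGN_EVENTS = (
    ProcEvent(200, 1,   "/bin/bash", ("/usr/local/bin/backup.sh",)),
    ProcEvent(201, 200, "/bin/mktemp", ("mktemp", "-d", "/tmp/backupXXXXXX")),
    ProcEvent(202, 200, "/bin/chmod", ("chmod", "600", "/tmp/backupAb12Cd/list.txt")),
    ProcEvent(203, 200, "/bin/rm", ("rm", "-rf", "/tmp/backupAb12Cd")),
)


if __name__ == "__main__":
    for finding in find_dropped_executions(SAMPLE_EVENTS):
        print(finding)
```

Keying all four steps on the same parent pid is what keeps the apt and dpkg activity from the same run out of the result: those processes have their own parents and never call mktemp -d. The mode check matters too; a script that stages data files with chmod 600 and cleans up after itself, as in BENIGN_EVENTS, is not a dropped-executable pattern.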

Checks hardware identifiers (DMI)

antivm
Description Indicator Process Target
File opened for reading /sys/class/dmi/id/product_name /usr/bin/systemd-detect-virt N/A
File opened for reading /sys/class/dmi/id/sys_vendor /usr/bin/systemd-detect-virt N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /bin/cat N/A

Enumerates kernel/hardware configuration

Description Indicator Process Target
File opened for reading /sys/kernel/mm/transparent_hugepage/hpage_pmd_size /usr/bin/snap N/A
File opened for reading /sys/kernel/mm/transparent_hugepage/hpage_pmd_size /usr/bin/snap N/A
File opened for reading /sys/kernel/mm/transparent_hugepage/hpage_pmd_size /usr/bin/snap N/A
File opened for reading /sys/kernel/mm/transparent_hugepage/hpage_pmd_size /usr/bin/snap N/A

Reads runtime system information

Description Indicator Process Target
File opened for reading /proc/cgroups /usr/bin/snap N/A
File opened for reading /proc/sys/kernel/ngroups_max /usr/bin/apt N/A
File opened for reading /proc/filesystems /usr/bin/dpkg N/A
File opened for reading /proc/1/sched /usr/bin/systemd-detect-virt N/A
File opened for reading /proc/sys/net/ipv4/tcp_congestion_control /sbin/sysctl N/A
File opened for reading /proc/cgroups /usr/bin/snap N/A
File opened for reading /proc/cmdline /usr/bin/snap N/A
File opened for reading /proc/filesystems /usr/bin/id N/A
File opened for reading /proc/1/environ /bin/systemctl N/A
File opened for reading /proc/filesystems /usr/bin/dpkg N/A
File opened for reading /proc/cmdline /usr/bin/snap N/A
File opened for reading /proc/self/fd /usr/bin/apt-get N/A
File opened for reading /proc/self/maps /usr/bin/awk N/A
File opened for reading /proc/sys/kernel/osrelease /usr/bin/systemd-detect-virt N/A
File opened for reading /proc/sys/net/ipv4/tcp_congestion_control /sbin/sysctl N/A
File opened for reading /proc/1/sched /bin/systemctl N/A
File opened for reading /proc/cmdline /bin/systemctl N/A
File opened for reading /proc/filesystems /usr/bin/dpkg N/A
File opened for reading /proc/filesystems /usr/bin/id N/A
File opened for reading /proc/filesystems /usr/bin/dpkg N/A
File opened for reading /proc/filesystems /usr/bin/dpkg N/A
File opened for reading /proc/cmdline /usr/bin/snap N/A
File opened for reading /proc/self/fd /usr/bin/apt-get N/A
File opened for reading /proc/filesystems /usr/bin/dpkg N/A
File opened for reading /proc/self/stat /usr/bin/systemd-detect-virt N/A
File opened for reading /proc/filesystems /usr/bin/dpkg N/A
File opened for reading /proc/self/fd /usr/bin/apt-get N/A
File opened for reading /proc/filesystems /usr/bin/dpkg N/A
File opened for reading /proc/filesystems /usr/bin/dpkg N/A
File opened for reading /proc/cmdline /usr/bin/snap N/A
File opened for reading /proc/filesystems /usr/bin/dpkg N/A
File opened for reading /proc/sys/kernel/ngroups_max /usr/bin/apt-get N/A
File opened for reading /proc/self/maps /usr/bin/awk N/A
File opened for reading /proc/filesystems /bin/systemctl N/A
File opened for reading /proc/self/stat /bin/systemctl N/A
File opened for reading /proc/sys/kernel/ngroups_max /usr/bin/apt N/A
File opened for reading /proc/sys/kernel/ngroups_max /usr/bin/apt-get N/A
File opened for reading /proc/cgroups /usr/bin/snap N/A
File opened for reading /proc/cgroups /usr/bin/snap N/A
File opened for reading /proc/sys/kernel/ngroups_max /usr/bin/apt-get N/A
File opened for reading /proc/filesystems /usr/bin/systemd-detect-virt N/A
File opened for reading /proc/1/environ /usr/bin/systemd-detect-virt N/A
File opened for reading /proc/self/maps /usr/bin/awk N/A
File opened for reading /proc/filesystems /usr/bin/dpkg N/A
File opened for reading /proc/cmdline /usr/bin/systemd-detect-virt N/A
File opened for reading /proc/self/fd /usr/bin/apt N/A
File opened for reading /proc/sys/kernel/osrelease /bin/systemctl N/A
File opened for reading /proc/self/fd /usr/bin/apt N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/fileutl.message.ySIiiK /usr/bin/apt N/A
File opened for modification /tmp/fileutl.message.2Stzz1 /usr/bin/apt-get N/A
File opened for modification /tmp/fileutl.message.wfxOq9 /usr/bin/apt-get N/A
File opened for modification /tmp/fileutl.message.Bnzp4Q /usr/bin/apt N/A
File opened for modification /tmp/fileutl.message.rhe24c /usr/bin/apt N/A
File opened for modification /tmp/fileutl.message.Dx0Q9L /usr/bin/apt N/A
File opened for modification /tmp/fileutl.message.yV8cbO /usr/bin/apt-get N/A
File opened for modification /tmp/fileutl.message.z8M09E /usr/bin/apt-get N/A
File opened for modification /tmp/fileutl.message.T8UohY /usr/bin/apt-get N/A
File opened for modification /tmp/fileutl.message.woahpB /usr/bin/apt N/A
File opened for modification /tmp/fileutl.message.SX6iQF /usr/bin/apt N/A
File opened for modification /tmp/fileutl.message.I9dH72 /usr/bin/apt N/A
File opened for modification /tmp/fileutl.message.e8GSro /usr/bin/apt-get N/A
File opened for modification /tmp/fileutl.message.9A54KM /usr/bin/apt N/A
File opened for modification /tmp/fileutl.message.5DCFwh /usr/bin/apt N/A
File opened for modification /tmp/fileutl.message.XvxTBc /usr/bin/apt-get N/A
File opened for modification /tmp/fileutl.message.tJV0J7 /usr/bin/apt-get N/A
File opened for modification /tmp/fileutl.message.HR42Zg /usr/bin/apt-get N/A
File opened for modification /tmp/fileutl.message.nyyZ8C /usr/bin/apt-get N/A
File opened for modification /tmp/fileutl.message.hgmSiZ /usr/bin/apt-get N/A
File opened for modification /tmp/fileutl.message.xONyMZ /usr/bin/apt N/A
File opened for modification /tmp/fileutl.message.Bit7b4 /usr/bin/apt N/A
File opened for modification /tmp/fileutl.message.E0Z4qf /usr/bin/apt N/A
File opened for modification /tmp/fileutl.message.qicQJS /usr/bin/apt-get N/A
File opened for modification /tmp/fileutl.message.oaVo4W /usr/bin/apt-get N/A
File opened for modification /tmp/fileutl.message.PSVKtl /usr/bin/apt-get N/A
File opened for modification /tmp/fileutl.message.4X0VAs /usr/bin/apt N/A
File opened for modification /tmp/fileutl.message.b0RFC8 /usr/bin/apt N/A
File opened for modification /tmp/fileutl.message.jBERxD /usr/bin/apt N/A
File opened for modification /tmp/fileutl.message.24zTdV /usr/bin/apt-get N/A
File opened for modification /tmp/fileutl.message.e6THIr /usr/bin/apt-get N/A
File opened for modification /tmp/fileutl.message.BxeNY2 /usr/bin/apt-get N/A
File opened for modification /tmp/fileutl.message.anwPxr /usr/bin/apt N/A
File opened for modification /tmp/fileutl.message.EXQIUh /usr/bin/apt-get N/A
File opened for modification /tmp/fileutl.message.nVmBCv /usr/bin/apt-get N/A
File opened for modification /tmp/fileutl.message.HE21zV /usr/bin/apt N/A
File opened for modification /tmp/fileutl.message.S4IQ0J /usr/bin/apt-get N/A
File opened for modification /tmp/fileutl.message.mdpReo /usr/bin/apt N/A
File opened for modification /tmp/fileutl.message.PAXx6D /usr/bin/apt N/A
File opened for modification /tmp/fileutl.message.Djs1Au /usr/bin/apt N/A
File opened for modification /tmp/fileutl.message.0wHTQv /usr/bin/apt-get N/A
File opened for modification /tmp/fileutl.message.OXOa9Q /usr/bin/apt-get N/A
File opened for modification /tmp/fileutl.message.E8EP2Q /usr/bin/apt-get N/A
File opened for modification /tmp/fileutl.message.Qs6ziM /usr/bin/apt-get N/A
File opened for modification /tmp/fileutl.message.5nLTlR /usr/bin/apt N/A
File opened for modification /tmp/fileutl.message.cvX1Qo /usr/bin/apt-get N/A
File opened for modification /tmp/fileutl.message.Gmxgxd /usr/bin/apt-get N/A
File opened for modification /tmp/fileutl.message.RDlh5J /usr/bin/apt-get N/A
File opened for modification /tmp/fileutl.message.N5UUlA /usr/bin/apt-get N/A
File opened for modification /tmp/fileutl.message.CQqWVA /usr/bin/apt-get N/A
File opened for modification /tmp/fileutl.message.2ovdUj /usr/bin/apt N/A
File opened for modification /tmp/fileutl.message.1GUypV /usr/bin/apt N/A
File opened for modification /tmp/fileutl.message.8VmiLO /usr/bin/apt N/A
File opened for modification /tmp/fileutl.message.DmC1Em /usr/bin/apt N/A
File opened for modification /tmp/fileutl.message.tgsTHc /usr/bin/apt-get N/A
File opened for modification /tmp/fileutl.message.VJI2Ly /usr/bin/apt-get N/A
File opened for modification /tmp/fileutl.message.gDaWOe /usr/bin/apt-get N/A
File opened for modification /tmp/fileutl.message.E3BwcH /usr/bin/apt-get N/A
File opened for modification /tmp/fileutl.message.kvMeFj /usr/bin/apt-get N/A
File opened for modification /tmp/fileutl.message.o3TcZw /usr/bin/apt N/A
File opened for modification /tmp/fileutl.message.If0gRt /usr/bin/apt N/A
File opened for modification /tmp/fileutl.message.kDlpkz /usr/bin/apt N/A
File opened for modification /tmp/fileutl.message.DoLKJ3 /usr/bin/apt N/A
File opened for modification /tmp/fileutl.message.4CEfj2 /usr/bin/apt-get N/A

Processes

/tmp/sb.sh

[/tmp/sb.sh]

/usr/bin/id

[id -u -n]

/usr/bin/cut

[cut -d: -f6]

/usr/bin/getent

[getent passwd root]

/bin/mktemp

[mktemp -d /root/.cache/bztmpXXXXXXXXX]

/usr/bin/basename

[basename /tmp/sb.sh]

/usr/bin/tail

[tail -n +1]

/bin/bzip2

[bzip2 -cd]

/usr/bin/tail

[tail -n +75]

/bin/chmod

[chmod 700 /root/.cache/bztmpDYDUDPjfk/sb.sh]

/root/.cache/bztmpDYDUDPjfk/sb.sh

[/root/.cache/bztmpDYDUDPjfk/sb.sh]

/bin/grep

[grep -q -E -i debian]

/bin/sleep

[sleep 5]

/bin/cat

[cat /etc/issue]

/bin/grep

[grep -q -E -i ubuntu]

/bin/cat

[cat /etc/issue]

/usr/bin/cut

[cut -d . -f1]

/usr/bin/cut

[cut -d " -f2]

/bin/grep

[grep -i version_id /etc/os-release]

/bin/cat

[cat /etc/redhat-release]

/usr/bin/cut

[cut -d " -f2]

/bin/grep

[grep -i pretty_name]

/bin/cat

[cat /etc/os-release]

/bin/grep

[grep -i -E arch|alpine]

/usr/bin/cut

[cut -d - -f1]

/bin/uname

[uname -r]

/usr/bin/systemd-detect-virt

[systemd-detect-virt]

/bin/uname

[uname -m]

/usr/bin/cut

[cut -d: -f2]

/usr/bin/head

[head -n 1]

/bin/grep

[grep flags]

/bin/cat

[cat /proc/cpuinfo]

/usr/bin/awk

[awk -F {print $3}]

/sbin/sysctl

[sysctl net.ipv4.tcp_congestion_control]

/usr/bin/awk

[awk -F {print $3}]

/sbin/sysctl

[sysctl net.ipv4.tcp_congestion_control]

/bin/hostname

[hostname]

/usr/bin/apt

[apt update -y]

/usr/bin/dpkg

[/usr/bin/dpkg --print-foreign-architectures]

/usr/lib/apt/methods/http

[/usr/lib/apt/methods/http]

/usr/lib/apt/methods/https

[/usr/lib/apt/methods/https]

/bin/sh

[sh -c [ ! -e /run/systemd/system ] || [ $(id -u) -ne 0 ] || systemctl start --no-block apt-news.service esm-cache.service || true]

/usr/bin/id

[id -u]

/bin/systemctl

[systemctl start --no-block apt-news.service esm-cache.service]

/usr/lib/apt/methods/https

[/usr/lib/apt/methods/https]

/usr/lib/apt/methods/http

[/usr/lib/apt/methods/http]

/usr/lib/apt/methods/http

[/usr/lib/apt/methods/http]

/usr/bin/dpkg

[/usr/bin/dpkg --print-foreign-architectures]

/usr/bin/dpkg

[/usr/bin/dpkg --print-foreign-architectures]

/usr/bin/apt

[apt install jq iptables-persistent -y]

/usr/bin/dpkg

[/usr/bin/dpkg --print-foreign-architectures]

/usr/bin/dpkg

[/usr/bin/dpkg --print-foreign-architectures]

/bin/sh

[/bin/sh -c [ ! -f /usr/bin/snap ] || /usr/bin/snap advise-snap --from-apt 2>/dev/null || true]

/usr/bin/snap

[/usr/bin/snap advise-snap --from-apt]

/usr/lib/apt/methods/http

[/usr/lib/apt/methods/http]

/bin/sh

[/bin/sh -c [ ! -f /usr/bin/snap ] || /usr/bin/snap advise-snap --from-apt 2>/dev/null || true]

/usr/bin/snap

[/usr/bin/snap advise-snap --from-apt]

/bin/sh

[/bin/sh -c [ ! -f /usr/bin/snap ] || /usr/bin/snap advise-snap --from-apt 2>/dev/null || true]

/usr/bin/snap

[/usr/bin/snap advise-snap --from-apt]

/usr/lib/apt/methods/http

[/usr/lib/apt/methods/http]

/bin/sh

[/bin/sh -c [ ! -f /usr/bin/snap ] || /usr/bin/snap advise-snap --from-apt 2>/dev/null || true]

/usr/bin/snap

[/usr/bin/snap advise-snap --from-apt]

/usr/bin/touch

[touch sbyg_update]

/usr/bin/apt-get

[apt-get install -y expect]

/usr/bin/dpkg

[/usr/bin/dpkg --print-foreign-architectures]

/usr/bin/dpkg

[/usr/bin/dpkg --print-foreign-architectures]

/usr/lib/apt/methods/http

[/usr/lib/apt/methods/http]

/usr/lib/apt/methods/http

[/usr/lib/apt/methods/http]

/usr/bin/apt-get

[apt-get install -y qrencode]

/usr/bin/dpkg

[/usr/bin/dpkg --print-foreign-architectures]

/usr/bin/dpkg

[/usr/bin/dpkg --print-foreign-architectures]

/usr/lib/apt/methods/http

[/usr/lib/apt/methods/http]

/usr/lib/apt/methods/http

[/usr/lib/apt/methods/http]

/usr/bin/apt-get

[apt-get install -y git]

/usr/bin/dpkg

[/usr/bin/dpkg --print-foreign-architectures]

/usr/bin/dpkg

[/usr/bin/dpkg --print-foreign-architectures]

/usr/lib/apt/methods/http

[/usr/lib/apt/methods/http]

/usr/lib/apt/methods/http

[/usr/lib/apt/methods/http]

/usr/bin/clear

[clear]

/bin/cat

[cat /etc/s-box/v]

/usr/bin/head

[head -n 1]

/usr/bin/awk

[awk -F 更新内容 {print $1}]

/usr/bin/curl

[curl -sL https://raw.githubusercontent.com/yonggekkk/sing-box_hysteria2_tuic_argo_reality/main/version]

/bin/rm

[rm -fr /root/.cache/bztmpDYDUDPjfk]
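The mktemp, tail -n +75, bzip2 -cd, chmod 700, execute and rm -fr commands above are the whole wrapper: the payload the sandbox ran is a bzip2 stream stored inside sb.sh from line 75 onward. An analyst can pull that stream out statically and read it before any detonation. The following unpacker is an added example, not code from the sample or from the project it polls; the wrapper layout it assumes (shell header, then a raw bzip2 stream starting at a line boundary) is inferred from those recorded commands, and build_sample_wrapper() produces a constructed stand-in so the example runs offline.

```python
"""Static unpacker for the "tail -n +N | bzip2 -cd" self-extracting shell wrapper
whose command lines appear in the process tree above.

Added example, not code from the sample or from the project it polls.  The
wrapper layout (shell header, then a raw bzip2 stream starting on line N) is
inferred from the recorded commands: mktemp -d .../bztmpXXXXXXXXX,
tail -n +75 | bzip2 -cd, chmod 700, execute, rm -fr.  build_sample_wrapper()
produces a constructed stand-in so the code runs offline; it is not sb.sh."""
import bz2
import re

BZ_MAGIC = b"BZh"  # every bzip2 stream starts with "BZh" and a block-size digit 1-9
TAIL_RE = re.compile(rb"tail\s+-n\s+\+(\d+)")
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#@!$&'()*+,;=%-]+")


def find_payload_offset(blob):
    """Byte offset where the embedded bzip2 stream starts.

    The stream is looked up as newline + "BZh": it has to begin at a line
    boundary, which is what tail -n +N relies on, and anchoring on the newline
    avoids matching those three letters inside ordinary shell text."""
    idx = blob.find(b"\n" + BZ_MAGIC)
    if idx < 0:
        raise ValueError("no bzip2 stream found at a line boundary")
    return idx + 1


def line_of_offset(blob, offset):
    """1-based line number of a byte offset (the N in tail -n +N)."""
    return blob.count(b"\n", 0, offset) + 1


def declared_tail_line(blob):
    """The +N the wrapper's own header passes to tail, or None if absent."""
    m = TAIL_RE.search(blob)
    return int(m.group(1)) if m else None


def tail_line_matches(blob):
    """Cross-check: the header's tail -n +N must point at the magic-based offset.
    A mismatch means a tampered header, a stream other than the one the wrapper
    runs, or a different packer family."""
    declared = declared_tail_line(blob)
    return declared is None or declared == line_of_offset(blob, find_payload_offset(blob))


def unpack(blob, strict=True):
    """Decompress the embedded script without executing anything."""
    if strict and not tail_line_matches(blob):
        raise ValueError("tail -n +N in the header does not match the bzip2 stream offset")
    dec = bz2.BZ2Decompressor()
    script = dec.decompress(blob[find_payload_offset(blob):])
    if not dec.eof:
        raise ValueError("bzip2 stream is truncated")
    # Bytes after the end-of-stream marker land in dec.unused_data and are ignored.
    return script


def extract_urls(script):
    """Sorted, de-duplicated URLs found in the unpacked script (quick IOC pass)."""
    return sorted({u.decode("ascii", "replace") for u in URL_RE.findall(script)})


def build_sample_wrapper(inner):
    """Constructed wrapper mirroring the recorded layout; not the real sample."""
    header = (b"#!/bin/sh\n"
              b'tmp=$(mktemp -d "$HOME/.cache/bztmpXXXXXXXXX")\n'
              b'tail -n +6 "$0" | bzip2 -cd > "$tmp/sb.sh"\n'
              b'chmod 700 "$tmp/sb.sh" && "$tmp/sb.sh" "$@"\n'
              b'rm -fr "$tmp"; exit\n')
    assert line_of_offset(header, len(header)) == 6  # payload really starts on line 6
    return header + bz2.compress(inner)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read()
    script = unpack(data)
    print(f"payload starts on line {line_of_offset(data, find_payload_offset(data))}, "
          f"{len(script)} bytes unpacked")
    for url in extract_urls(script):
        print(url)
```

Invoked as python unpack.py sb.sh (the script filename is hypothetical), it prints the payload line and the URLs the inner script contains. The tail_line_matches check is worth keeping: a header that advertises one offset while the stream sits at another is a sign of a tampered or different packer, and strict=False is the deliberate override for that case.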

Network

Country  Destination          Domain                              Proto
GB       185.125.188.62:443   -                                   tcp
GB       185.125.188.61:443   -                                   tcp
US       151.101.65.91:443    -                                   tcp
US       151.101.65.91:443    -                                   tcp
N/A      224.0.0.251:5353     -                                   udp
US       1.1.1.1:53           _http._tcp.security.ubuntu.com      udp
US       1.1.1.1:53           _https._tcp.deb.nodesource.com      udp
US       1.1.1.1:53           _http._tcp.nl.archive.ubuntu.com    udp
GB       195.181.164.14:443   -                                   tcp
US       1.1.1.1:53           raw.githubusercontent.com           udp
US       1.1.1.1:53           raw.githubusercontent.com           udp

Files

/root/.cache/bztmpDYDUDPjfk/sb.sh

MD5 3a6cceb40eee5c9ca2761b524c1ad80a
SHA1 0975b3e367ec535443b3899c10140bdabf6380c9
SHA256 b9dd2a4a8d7da7151359224874048a6dace0b3028d7b044a434a61aee02473ef
SHA512 cee398036a510fd24e72cbd4e9ca9f78f4703250f92c67815f9921ca2fc6a841dd3a6a66daa06136e043a2c28210a069a3be785ca38f112a28bd72fbea265973

/tmp/fileutl.message.9A54KM

MD5 373fe2f2ef99005d2550a482f09a3e51
SHA1 68e6572b55b1e77f7d171ebac7b2579b7a6bd51d
SHA256 7552d5ab0c3879756a860aaab8e7c2f8ffb9409ea9ff9e65fc046ba5c519ebe5
SHA512 def9e854b824d2fddc6a15f898be73cfb679ac38563f5af854546f49c9d5d2316a40176dc41d6b360bda7b65de53863a53e4eedadf6336000b031b77a113607b

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-22 11:47

Reported

2024-05-22 11:55

Platform

debian9-armhf-20240418-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-22 11:47

Reported

2024-05-22 11:53

Platform

debian9-mipsbe-20240418-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-22 11:47

Reported

2024-05-22 11:53

Platform

debian9-mipsel-20240418-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A