Analysis
-
max time kernel
148s -
max time network
128s -
platform
ubuntu-18.04_amd64 -
resource
ubuntu1804-amd64-20240508-en -
resource tags
-
submitted
22-05-2024 12:10
General
-
Target
check_umailsystem.sh
-
Size
26KB
-
MD5
3ea10d71b89263cab6a0d5b9e74b53fd
-
SHA1
5a04274bc2044df3c469a43856fe0cc42875897f
-
SHA256
41a7cf0ca54429ebb581b4049cf7cb2e98e59a6836420105f015cd122cde4a78
-
SHA512
e112cebc9ca70042046b01a485a7faa497e0ca34214a52e47fa1fc5ed5309a26cd027daa0627ac2b219158f326edd1762407421b15a3808ded0e639e3b0cd494
-
SSDEEP
384:+JIv74xu2gPeLOxZhB4nyLdbfLyIlYO6zTOIqizeY:+JI0xu2qeLOxUTeiz3
Score
4/10
Malware Config
Signatures
-
Checks CPU configuration 1 TTPs 5 IoCs
Checks CPU information which indicate if the system is a virtual machine.
-
Reads CPU attributes 1 TTPs 7 IoCs
-
Enumerates kernel/hardware configuration 1 TTPs 3 IoCs
Reads contents of /sys virtual filesystem to enumerate system information.
-
Reads runtime system information 51 IoCs
Reads data from /proc virtual filesystem.
Processes
-
/tmp/check_umailsystem.sh/tmp/check_umailsystem.sh1⤵
-
/bin/datedate "+%Y-%m-%d %H:%M:%S"2⤵
-
/usr/bin/awkawk "{print\$NF}"2⤵
- Reads runtime system information
-
/usr/bin/uniquniq2⤵
-
/bin/grepgrep "cpu cores"2⤵
-
/bin/catcat /proc/cpuinfo2⤵
- Checks CPU configuration
-
/usr/bin/wcwc -l2⤵
-
/bin/grepgrep processor2⤵
-
/bin/catcat /proc/cpuinfo2⤵
- Checks CPU configuration
-
/usr/bin/sortsort -u2⤵
-
/usr/bin/cutcut -f2 -d:2⤵
-
/bin/grepgrep name2⤵
-
/bin/catcat /proc/cpuinfo2⤵
- Checks CPU configuration
-
/usr/bin/cutcut -f2 -d:2⤵
-
/bin/grepgrep name2⤵
-
/usr/bin/uniquniq -c2⤵
-
/bin/catcat /proc/cpuinfo2⤵
- Checks CPU configuration
-
/usr/bin/awkawk "{print \$1}"2⤵
- Reads runtime system information
-
/usr/bin/uniquniq -c2⤵
-
/usr/bin/cutcut -f2 -d:2⤵
-
/bin/grepgrep name2⤵
-
/bin/catcat /proc/cpuinfo2⤵
- Checks CPU configuration
-
/usr/bin/awkawk "{for(i=6;i<=NF;i++) printf \$i\"\"FS;print \"\"}"2⤵
- Reads runtime system information
-
/usr/bin/uptimeuptime2⤵
- Reads CPU attributes
- Reads runtime system information
-
/bin/sedsed "s/^[ \\t]*//g"2⤵
- Reads runtime system information
-
/usr/bin/awkawk -F. "{print \$1}"2⤵
- Reads runtime system information
-
/usr/bin/awkawk "-F," "{print \$1}"2⤵
- Reads runtime system information
-
/usr/bin/awkawk "-Fload average:" "{print \$2}"2⤵
- Reads runtime system information
-
/usr/bin/uptimeuptime2⤵
- Reads CPU attributes
- Reads runtime system information
-
/bin/grepgrep "Cpu(s)"2⤵
-
/usr/bin/toptop -n 12⤵
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
-
/usr/bin/awkawk "-F " "{print \$2}"2⤵
- Reads runtime system information
-
/bin/grepgrep Mem:2⤵
-
/usr/bin/freefree -m2⤵
- Reads CPU attributes
- Reads runtime system information
-
/usr/bin/awkawk "-F " "{print \$2\"M\"}"2⤵
- Reads runtime system information
-
/bin/grepgrep Mem:2⤵
-
/usr/bin/freefree -m2⤵
- Reads CPU attributes
- Reads runtime system information
-
/usr/bin/awkawk "-F " "{print \$4\"M\"}"2⤵
- Reads runtime system information
-
/bin/grepgrep Mem:2⤵
-
/usr/bin/freefree -m2⤵
- Reads CPU attributes
- Reads runtime system information
-
/usr/bin/awkawk "-F " "{print \$3}"2⤵
- Reads runtime system information
-
/bin/grepgrep Mem:2⤵
-
/usr/bin/freefree -m2⤵
- Reads CPU attributes
- Reads runtime system information
-
/bin/sedsed "s/%//g"2⤵
- Reads runtime system information
-
/usr/bin/awkawk "{print \$(NF-1)\"\\t\"\$NF\"\\t\"\$(NF-2)}"2⤵
- Reads runtime system information
-
/bin/sedsed 1d2⤵
- Reads runtime system information
-
/bin/grepgrep -v /run/media2⤵
-
/bin/grepgrep -v /boot2⤵
-
/bin/grepgrep -v /var/lib/docker2⤵
-
/bin/grepgrep -v tmpfs2⤵
-
/bin/dfdf -hP2⤵
- Reads runtime system information
-
/usr/bin/awkawk "{print \$1}"2⤵
- Reads runtime system information
-
/usr/bin/awkawk "{print \$2}"2⤵
- Reads runtime system information
-
/usr/bin/awkawk "{print \$3}"2⤵
- Reads runtime system information
-
/bin/sedsed "s/%//g"2⤵
- Reads runtime system information
-
/usr/bin/awkawk "{print \$1}"2⤵
- Reads runtime system information
-
/usr/bin/awkawk "{print \$2}"2⤵
- Reads runtime system information
-
/usr/bin/awkawk "{print \$3}"2⤵
- Reads runtime system information
-
/bin/sedsed "s/%//g"2⤵
- Reads runtime system information
-
/usr/bin/awkawk "{print \$NF\"分区 \" \"剩余空间\"\$(NF-2), \" 使用率\"\$(NF-1)}"2⤵
- Reads runtime system information
-
/bin/sedsed 1d2⤵
- Reads runtime system information
-
/bin/grepgrep -v /boot2⤵
-
/bin/grepgrep -v /var/lib/docker2⤵
-
/bin/grepgrep -v tmpfs2⤵
-
/bin/dfdf -hP2⤵
- Reads runtime system information
-
/bin/sedsed "s/^[ \\t]*//g"2⤵
- Reads runtime system information
-
/usr/bin/awkawk "-F=" "{print \$2}"2⤵
- Reads runtime system information
-
/bin/grepgrep mailroot2⤵
-
/bin/catcat /usr/local/u-mail/config/custom.conf2⤵
-
/usr/bin/awkawk "{print\$1}"2⤵
- Reads runtime system information
-
/usr/bin/dudu -sm /var/log2⤵
-
/usr/bin/awkawk "{print\$1}"2⤵
- Reads runtime system information
-
/usr/bin/dudu -sm /usr/local/u-mail/log2⤵
-
/usr/bin/awkawk "{print \$NF}"2⤵
- Reads runtime system information
-
/bin/grepgrep "^default"2⤵
-
/usr/bin/headhead -n 12⤵
-
/usr/bin/awkawk "{print \$2}"2⤵
- Reads runtime system information
-
/bin/grepgrep inet2⤵
-
/usr/bin/awkawk "{print \$NF}"2⤵
- Reads runtime system information
-
/bin/grepgrep "^default"2⤵
-
/bin/grepgrep -Eo "([0-9]{1,3}\\.){3}[0-9]{1,3}"2⤵
-
/bin/grepgrep default2⤵
-
/sbin/ipip route2⤵
-
/bin/grepgrep -Eo "([0-9]{1,3}\\.){3}[0-9]{1,3}"2⤵
-
/bin/catcat /etc/resolv.conf2⤵
-
/usr/bin/awkawk "{print\$NF}"2⤵
- Reads runtime system information
-
/bin/grepgrep IP2⤵
-
/usr/bin/curlcurl -s cip.cc2⤵