566d8080d00b0e7f878b510fa8862d4eff687f44e7214248ccf43cf8e173c68e

Analysis

max time kernel
0s
max time network
129s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240508-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240508-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
22/05/2024, 12:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

io-net.sh
Size

13KB
MD5

62330a919271f9229faeb85e9fcbc686
SHA1

bbd56a275696f255afe2b137cdd39ce6922e9b12
SHA256

566d8080d00b0e7f878b510fa8862d4eff687f44e7214248ccf43cf8e173c68e
SHA512

69d77cbb2aafb617d675b9701c8aabbc39d2f4f4b0011d1f0868ed102d3063fbb911908ebfa4f16f6013607bdda7c5aa066ff8fdaf2f1fd4655b611397867ee0
SSDEEP

192:ySfPbgJ7iXz8iDekXz8idehfeML72cYctEq1fKy3:yXJ2XIiKkXIioUs72jRU

Score

3^/10

Malware Config

Signatures

Enumerates kernel/hardware configuration 1 TTPs 55 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/bus/pci/devices/0000:00:04.0/class	lspci
File opened for reading	/sys/bus/pci/devices/0000:00:01.3/resource	lspci
File opened for reading	/sys/bus/pci/devices/0000:00:00.0/config	lspci
File opened for reading	/sys/bus/pci/devices/0000:00:05.0/device	lspci
File opened for reading	/sys/bus/pci/devices/0000:00:05.0/class	lspci
File opened for reading	/sys/bus/pci/devices/0000:00:01.0/class	lspci
File opened for reading	/sys/bus/pci/devices/0000:00:00.0/class	lspci
File opened for reading	/sys/bus/pci/devices/0000:00:03.0/irq	lspci
File opened for reading	/sys/bus/pci/devices/0000:00:01.1/irq	lspci
File opened for reading	/sys/bus/pci/devices/0000:00:01.1/device	lspci
File opened for reading	/sys/bus/pci/devices/0000:00:02.0/irq	lspci
File opened for reading	/sys/bus/pci/devices/0000:00:05.0/config	lspci
File opened for reading	/sys/bus/pci/devices/0000:00:01.0/irq	lspci
File opened for reading	/sys/bus/pci/devices/0000:00:02.0/device	lspci
File opened for reading	/sys/bus/pci/devices/0000:00:05.0/resource	lspci
File opened for reading	/sys/bus/pci/devices/0000:00:05.0/vendor	lspci
File opened for reading	/sys/bus/pci/devices/0000:00:01.3/class	lspci
File opened for reading	/sys/bus/pci/devices/0000:00:03.0/resource	lspci
File opened for reading	/sys/bus/pci/devices/0000:00:03.0/vendor	lspci
File opened for reading	/sys/bus/pci/devices/0000:00:01.1/config	lspci
File opened for reading	/sys/bus/pci/devices/0000:00:00.0/device	lspci
File opened for reading	/sys/bus/pci/devices/0000:00:03.0/device	lspci
File opened for reading	/sys/bus/pci/devices/0000:00:01.1/vendor	lspci
File opened for reading	/sys/bus/pci/devices/0000:00:06.0/device	lspci
File opened for reading	/sys/bus/pci/devices/0000:00:02.0/resource	lspci
File opened for reading	/sys/bus/pci/devices/0000:00:02.0/vendor	lspci
File opened for reading	/sys/bus/pci/devices	lspci
File opened for reading	/sys/bus/pci/devices/0000:00:04.0/irq	lspci
File opened for reading	/sys/bus/pci/devices/0000:00:04.0/vendor	lspci
File opened for reading	/sys/bus/pci/devices/0000:00:01.1/class	lspci
File opened for reading	/sys/bus/pci/devices/0000:00:02.0/config	lspci
File opened for reading	/sys/bus/pci/devices/0000:00:04.0/device	lspci
File opened for reading	/sys/bus/pci/devices/0000:00:01.3/device	lspci
File opened for reading	/sys/bus/pci/devices/0000:00:01.3/config	lspci
File opened for reading	/sys/bus/pci/devices/0000:00:01.0/device	lspci
File opened for reading	/sys/bus/pci/devices/0000:00:04.0/resource	lspci
File opened for reading	/sys/bus/pci/devices/0000:00:01.3/irq	lspci
File opened for reading	/sys/bus/pci/devices/0000:00:01.1/resource	lspci
File opened for reading	/sys/bus/pci/devices/0000:00:02.0/class	lspci
File opened for reading	/sys/bus/pci/devices/0000:00:05.0/irq	lspci
File opened for reading	/sys/bus/pci/devices/0000:00:01.0/vendor	lspci
File opened for reading	/sys/bus/pci/devices/0000:00:00.0/vendor	lspci
File opened for reading	/sys/bus/pci/devices/0000:00:01.3/vendor	lspci
File opened for reading	/sys/bus/pci/devices/0000:00:06.0/resource	lspci
File opened for reading	/sys/bus/pci/devices/0000:00:06.0/class	lspci
File opened for reading	/sys/bus/pci/devices/0000:00:01.0/resource	lspci
File opened for reading	/sys/bus/pci/devices/0000:00:00.0/irq	lspci
File opened for reading	/sys/bus/pci/devices/0000:00:06.0/irq	lspci
File opened for reading	/sys/bus/pci/devices/0000:00:06.0/vendor	lspci
File opened for reading	/sys/bus/pci/devices/0000:00:06.0/config	lspci
File opened for reading	/sys/bus/pci/devices/0000:00:03.0/config	lspci
File opened for reading	/sys/bus/pci/devices/0000:00:04.0/config	lspci
File opened for reading	/sys/bus/pci/devices/0000:00:00.0/resource	lspci
File opened for reading	/sys/bus/pci/devices/0000:00:03.0/class	lspci
File opened for reading	/sys/bus/pci/devices/0000:00:01.0/config	lspci

Reads runtime system information 6 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/filesystems	sudo
File opened for reading	/proc/sys/kernel/ngroups_max	sudo
File opened for reading	/proc/self/stat	sudo
File opened for reading	/proc/filesystems	sudo
File opened for reading	/proc/sys/kernel/ngroups_max	sudo
File opened for reading	/proc/self/stat	sudo

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/sh-thd.dcFsmO	io-net.sh

/tmp/io-net.sh
/tmp/io-net.sh
1⤵
- Writes file to tmp directory
PID:1519
- /usr/bin/sudo
  sudo dpkg --set-selections
  2⤵
  - Reads runtime system information
  PID:1520
- /bin/grep
  grep -i nvidia
  2⤵
  PID:1523
- /usr/bin/lspci
  lspci
  2⤵
  - Enumerates kernel/hardware configuration
  PID:1522
- /usr/bin/sudo
  sudo apt install docker.io -y
  2⤵
  - Reads runtime system information
  PID:1527

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/sh-thd.dcFsmO

Filesize
16B

MD5
6fcd746a1ed0988c03b7224b807471ab

SHA1
f53b38514cea4a98a1b380811ce4c9125baf9d74

SHA256
94b42f6b162cb8f1282cc450dd6315acf12c873c44a3e9c71311119beeaffaec

SHA512
767405713f7c5974d03cf903a9060e8471990d088d4a4f9255a33054417df219df1eb1d63ec8032c662832ff9bae0916bdcdcfe20c6dec045fc852523946141f

Download Submit