e4dcb9c7675f326114006b718a91e26abc18b8aa5cc0a7edcd117845d6bd0f07

Analysis

max time kernel
35s
max time network
131s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240508-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240508-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
22/05/2024, 12:15

Target

appfare_new.sh
Size

1KB
MD5

eecefbdb31a7b42e29e349bfd9d79247
SHA1

f5bb9a4589e438fa69099f82084018d317ff77f3
SHA256

e4dcb9c7675f326114006b718a91e26abc18b8aa5cc0a7edcd117845d6bd0f07
SHA512

c20212aaf072be61ab407bbbe7c9ef7e57ba94e7f23c0b27947fd8497f24280bbdfc6f682ea75e2f32fe10336e2bc151c5c088433c463f5a6b153344edc74de2

Score

3^/10

Reads runtime system information 13 IoCs

Reads data from /proc virtual filesystem.

Writes file to tmp directory 2 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/appfare.md5	wget
File opened for modification	/tmp/appfare.tgz	wget

/tmp/appfare_new.sh
/tmp/appfare_new.sh
1⤵
PID:1481
- /usr/bin/basename
  basename appfare.md5 .md5
  2⤵
  PID:1482
- /usr/bin/wget
  wget http://34.121.75.235:80/md5dir/appfare.md5 -O /tmp/appfare.md5
  2⤵
  - Writes file to tmp directory
  PID:1483
- /usr/bin/wget
  wget http://34.121.75.235:80/tardir/appfare.tgz -O /tmp/appfare.tgz
  2⤵
  - Writes file to tmp directory
  PID:1487
- /bin/systemctl
  systemctl stop appfare
  2⤵
  - Reads runtime system information
  PID:1498
- /bin/tar
  tar -xpf /tmp/appfare.tgz -C /
  2⤵
  - Reads runtime system information
  PID:1502
- - /usr/local/sbin/xz
    xz -d
    3⤵
    PID:1503
- - /usr/local/bin/xz
    xz -d
    3⤵
    PID:1503
- - /usr/sbin/xz
    xz -d
    3⤵
    PID:1503
- - /usr/bin/xz
    xz -d
    3⤵
    PID:1503
- /bin/systemctl
  systemctl start appfare
  2⤵
  - Reads runtime system information
  PID:1507