0bdb25ce1f05a63995b56751d485dd382039284d0ffee3a1cdf7854101ac8f9c

Analysis

max time kernel
0s
max time network
128s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240508-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240508-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
22/05/2024, 12:20

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

monitorRestart20_3.sh
Size

309B
MD5

422dad791d909099e63584047cd4e0f1
SHA1

936850b3e64ff532e32c62278b1344b5e41bf85c
SHA256

0bdb25ce1f05a63995b56751d485dd382039284d0ffee3a1cdf7854101ac8f9c
SHA512

5615fc7fc53a9a2210616643d79b84cedad3915feed90309c40301adcf2aa0f0c154028d88d4b1fdcbad561e2c6a1ea2d9f6e0eee5801e4ed6473101f89a3d79

Score

4^/10

Malware Config

Signatures

Reads CPU attributes 1 TTPs 1 IoCs

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	free

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/sys/kernel/osrelease	systemctl
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/meminfo	free
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/1/sched	systemctl
File opened for reading	/proc/1/sched	systemctl
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/sys/kernel/osrelease	free
File opened for reading	/proc/1/sched	systemctl
File opened for reading	/proc/1/sched	systemctl
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/1/sched	systemctl
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/1/sched	systemctl
File opened for reading	/proc/1/sched	systemctl
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/sys/kernel/osrelease	systemctl
File opened for reading	/proc/sys/kernel/osrelease	systemctl
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/1/sched	systemctl
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/sys/kernel/osrelease	systemctl
File opened for reading	/proc/1/sched	systemctl
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/sys/kernel/osrelease	systemctl
File opened for reading	/proc/1/sched	systemctl
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/1/sched	systemctl
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/self/maps	awk
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/sys/kernel/osrelease	systemctl

/tmp/monitorRestart20_3.sh
/tmp/monitorRestart20_3.sh
1⤵
PID:1512
- /usr/bin/awk
  awk "{print \$4}"
  2⤵
  - Reads runtime system information
  PID:1516
- /usr/bin/awk
  awk "NR==2"
  2⤵
  PID:1515
- /usr/bin/free
  free -m
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1514
- /bin/date
  date
  2⤵
  PID:1519
- /bin/systemctl
  systemctl restart btfs1
  2⤵
  - Reads runtime system information
  PID:1520
- /bin/systemctl
  systemctl restart btfs2
  2⤵
  - Reads runtime system information
  PID:1524
- /bin/systemctl
  systemctl restart btfs3
  2⤵
  - Reads runtime system information
  PID:1525
- /bin/systemctl
  systemctl restart btfs4
  2⤵
  - Reads runtime system information
  PID:1532
- /bin/systemctl
  systemctl restart btfs5
  2⤵
  - Reads runtime system information
  PID:1533
- /bin/systemctl
  systemctl restart btfs6
  2⤵
  - Reads runtime system information
  PID:1537
- /bin/systemctl
  systemctl restart btfs7
  2⤵
  - Reads runtime system information
  PID:1541
- /bin/systemctl
  systemctl restart btfs8
  2⤵
  - Reads runtime system information
  PID:1545
- /bin/systemctl
  systemctl restart btfs9
  2⤵
  - Reads runtime system information
  PID:1549
- /bin/systemctl
  systemctl restart btfs10
  2⤵
  - Reads runtime system information
  PID:1556
- /bin/systemctl
  systemctl restart btfs11
  2⤵
  - Reads runtime system information
  PID:1557
- /bin/systemctl
  systemctl restart btfs12
  2⤵
  - Reads runtime system information
  PID:1561
- /bin/systemctl
  systemctl restart btfs13
  2⤵
  - Reads runtime system information
  PID:1568
- /bin/systemctl
  systemctl restart btfs14
  2⤵
  - Reads runtime system information
  PID:1569
- /bin/systemctl
  systemctl restart btfs15
  2⤵
  - Reads runtime system information
  PID:1574
- /bin/systemctl
  systemctl restart btfs16
  2⤵
  - Reads runtime system information
  PID:1578
- /bin/systemctl
  systemctl restart btfs17
  2⤵
  - Reads runtime system information
  PID:1585
- /bin/systemctl
  systemctl restart btfs18
  2⤵
  - Reads runtime system information
  PID:1586
- /bin/systemctl
  systemctl restart btfs19
  2⤵
  - Reads runtime system information
  PID:1593
- /bin/systemctl
  systemctl restart btfs20
  2⤵
  - Reads runtime system information
  PID:1597
- /bin/sleep
  sleep 3h
  2⤵
  PID:1601

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads