55050a73284fc8b7ce8da071cd93923023bd7e4d4ec21ec71acf867c7afaa656

Analysis

max time kernel
132s
max time network
131s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240508-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240508-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
23/05/2024, 13:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

changesource.sh
Size

143B
MD5

069abe8dec45e72c1032443a9ea3e171
SHA1

68b30a83d0913f6777ec210f60c06ac13e3b6a33
SHA256

55050a73284fc8b7ce8da071cd93923023bd7e4d4ec21ec71acf867c7afaa656
SHA512

f495e6734b3c2b27120eeeee870ae5095d4c728d95c61d890044bc0f6d8ed7ebb9605db47484e6498e64f3c8a70d0680f72ce7460ccc76f62ac2c74be9c6f4b3

Score

3^/10

Malware Config

Signatures

Reads runtime system information 14 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	id
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/self/fd	apt-get
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/1/sched	systemctl
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/sys/kernel/osrelease	systemctl
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/filesystems	mv
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/sys/kernel/ngroups_max	apt-get

Writes file to tmp directory 21 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/fileutl.message.3UNGG9	apt-get
File opened for modification	/tmp/fileutl.message.lVA55D	apt-get
File opened for modification	/tmp/fileutl.message.UacLlR	apt-get
File opened for modification	/tmp/fileutl.message.771toB	apt-get
File opened for modification	/tmp/fileutl.message.TaypjF	apt-get
File opened for modification	/tmp/fileutl.message.OunZMn	apt-get
File opened for modification	/tmp/fileutl.message.rD0c2C	apt-get
File opened for modification	/tmp/fileutl.message.ekJNhS	apt-get
File opened for modification	/tmp/fileutl.message.ggoS8D	apt-get
File opened for modification	/tmp/fileutl.message.RwM7x8	apt-get
File opened for modification	/tmp/fileutl.message.wJCRuU	apt-get
File opened for modification	/tmp/fileutl.message.7AEJx7	apt-get
File opened for modification	/tmp/fileutl.message.aFO1Nm	apt-get
File opened for modification	/tmp/fileutl.message.WcO6BU	apt-get
File opened for modification	/tmp/fileutl.message.SBZX8p	apt-get
File opened for modification	/tmp/fileutl.message.qbeDjT	apt-get
File opened for modification	/tmp/fileutl.message.tkhI4B	apt-get
File opened for modification	/tmp/fileutl.message.JxEaD6	apt-get
File opened for modification	/tmp/fileutl.message.n5Cnlh	apt-get
File opened for modification	/tmp/fileutl.message.75kcz2	apt-get
File opened for modification	/tmp/fileutl.message.KtKUSo	apt-get

/tmp/changesource.sh
/tmp/changesource.sh
1⤵
PID:1507
- /bin/mv
  mv /etc/apt/apt.conf.d/90curtin-aptproxy /root
  2⤵
  - Reads runtime system information
  PID:1508
- /usr/bin/curl
  curl -O 8.130.84.69/sources.list
  2⤵
  PID:1509
- /bin/cp
  cp sources.list /etc/apt
  2⤵
  - Reads runtime system information
  PID:1516
- /usr/bin/apt-get
  apt-get update
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:1517
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:1518
- - /usr/lib/apt/methods/http
    /usr/lib/apt/methods/http
    3⤵
    PID:1519
- - /usr/lib/apt/methods/https
    /usr/lib/apt/methods/https
    3⤵
    PID:1520
- - /bin/sh
    sh -c "[ ! -e /run/systemd/system ] || [ \$(id -u) -ne 0 ] || systemctl start --no-block apt-news.service esm-cache.service || true"
    3⤵
    PID:1522
  - - /usr/bin/id
      id -u
      4⤵
      Reads runtime system information
      PID:1523
  - - /bin/systemctl
      systemctl start --no-block apt-news.service esm-cache.service
      4⤵
      Reads runtime system information
      PID:1524
- - /usr/lib/apt/methods/https
    /usr/lib/apt/methods/https
    3⤵
    PID:1525
- - /usr/lib/apt/methods/http
    /usr/lib/apt/methods/http
    3⤵
    PID:1529
- - /usr/lib/apt/methods/http
    /usr/lib/apt/methods/http
    3⤵
    PID:1530
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:1534
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:1543

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/fileutl.message.SBZX8p

Filesize
235KB

MD5
373fe2f2ef99005d2550a482f09a3e51

SHA1
68e6572b55b1e77f7d171ebac7b2579b7a6bd51d

SHA256
7552d5ab0c3879756a860aaab8e7c2f8ffb9409ea9ff9e65fc046ba5c519ebe5

SHA512
def9e854b824d2fddc6a15f898be73cfb679ac38563f5af854546f49c9d5d2316a40176dc41d6b360bda7b65de53863a53e4eedadf6336000b031b77a113607b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads