Analysis
max time kernel: 148s
max time network: 128s
platform: ubuntu-18.04_amd64
resource: ubuntu1804-amd64-20240508-en
resource tags: arch:amd64, arch:i386, image:ubuntu1804-amd64-20240508-en, kernel:4.15.0-213-generic, locale:en-us, os:ubuntu-18.04-amd64, system
submitted: 24/05/2024, 12:43
Static task: static1
Behavioral task: behavioral1 (sample: onezone-2102.sh, resource: ubuntu1804-amd64-20240508-en)
Behavioral task: behavioral2 (sample: onezone-2102.sh, resource: debian9-armhf-20240418-en)
Behavioral task: behavioral3 (sample: onezone-2102.sh, resource: debian9-mipsbe-20240418-en)
Behavioral task: behavioral4 (sample: onezone-2102.sh, resource: debian9-mipsel-20240226-en)
General
Target: onezone-2102.sh
Size: 4KB
MD5: c43b84f16188b729a2694f7dbc2cbe98
SHA1: 3d9197ed725ba1c944485739e52b361f6b402b3e
SHA256: cfaaf1b55554ac0a2f16368297ca900e7edbb674c071ee4a08730e78ba8c21b5
SHA512: 1444694a9daefa1a9e8d26e8b16b9065968a9d60b66416ba528e7c6504adbbcfe3b89332fd2603198d83d5c9288f4580e4fc14764e0002dc9c632c8cfd6d6123
SSDEEP: 96:36dVk0cxktixpbroD/NrfLiL6JZE3T5woPRG3XETD:+1IktixdoD/NrjiL6FkD
Malware Config
Signatures
- Reads runtime system information (24 IoCs)
Reads data from /proc virtual filesystem.
Description                 IoC                  Process
File opened for reading     /proc/filesystems    id
File opened for reading     /proc/self/fd        apt-config
File opened for reading     /proc/filesystems    dpkg
File opened for reading     /proc/self/fd        apt-config
File opened for reading     /proc/filesystems    sed
File opened for reading     /proc/filesystems    sed
File opened for reading     /proc/filesystems    dpkg
File opened for reading     /proc/self/fd        apt-config
File opened for reading     /proc/filesystems    dpkg
File opened for reading     /proc/filesystems    dpkg
File opened for reading     /proc/filesystems    sed
File opened for reading     /proc/self/fd        apt-config
File opened for reading     /proc/self/fd        apt-config
File opened for reading     /proc/self/fd        apt-config
File opened for reading     /proc/filesystems    id
File opened for reading     /proc/filesystems    cp
File opened for reading     /proc/filesystems    sed
File opened for reading     /proc/filesystems    dpkg
File opened for reading     /proc/filesystems    find
File opened for reading     /proc/filesystems    dpkg
File opened for reading     /proc/filesystems    dpkg
File opened for reading     /proc/self/fd        apt-config
File opened for reading     /proc/self/fd        apt-config
File opened for reading     /proc/filesystems    dpkg
- Writes file to tmp directory (12 IoCs)
Malware often drops required files in the /tmp directory.
Description                      IoC                                                                                   Process
File opened for modification     /tmp/apt-key-gpghome.XFnf6ix2zA/empty.gpg                                             touch
File opened for modification     /tmp/apt-key-gpghome.XFnf6ix2zA/trustdb.gpg                                           gpg
File opened for modification     /tmp/apt-key-gpghome.XFnf6ix2zA/.#lk0x0000559458ce5090.ubuntu1804-amd64-20240508-en-12.1568    gpg
File opened for modification     /tmp/apt-key-gpghome.XFnf6ix2zA/pubring.gpg                                           apt-key
File opened for modification     /tmp/apt-key-gpghome.XFnf6ix2zA/pubring.orig.gpg                                      cp
File opened for modification     /tmp/apt-key-gpghome.XFnf6ix2zA/gpg.1.sh                                              apt-key
File opened for modification     /tmp/apt-key-gpghome.XFnf6ix2zA/gpg.0.sh                                              apt-key
File opened for modification     /tmp/apt-key-gpghome.XFnf6ix2zA/gpgoutput.log                                         apt-key
File opened for modification     /tmp/apt-key-gpghome.XFnf6ix2zA/.#lk0x0000559458ce4600.ubuntu1804-amd64-20240508-en-12.1568    gpg
File opened for modification     /tmp/apt-key-gpghome.XFnf6ix2zA/.#lk0x00005615a7669500.ubuntu1804-amd64-20240508-en-12.1571    gpg
File opened for modification     /tmp/apt-key-gpghome.XFnf6ix2zA/pubring.kbx                                           gpg
File opened for modification     /tmp/apt-key-gpghome.XFnf6ix2zA/pubring.gpg                                           touch
Processes
(process tree; indentation shows depth; each line is: path | command line | PID, with matched signatures listed beneath)
/tmp/onezone-2102.sh | /tmp/onezone-2102.sh | PID:1523
  /bin/uname | uname -m | PID:1524
  /usr/bin/id | id -un | PID:1526
    - Reads runtime system information
  /usr/bin/rev | rev | PID:1532
  /usr/bin/cut | cut -c 2- | PID:1531
  /usr/bin/rev | rev | PID:1530
  /usr/bin/tr | tr "\\n" - | PID:1529
  /usr/bin/lsb_release | lsb_release -sic | PID:1528
  /usr/bin/tr | tr "[:upper:]" "[:lower:]" | PID:1535
  /bin/sh | sh -c "curl -sSL http://packages.devel.onedata.org/onedata.gpg.key | apt-key add -" | PID:1536
    /usr/bin/apt-key | apt-key add - | PID:1538
      - Writes file to tmp directory
      /usr/bin/apt-config | apt-config shell MASTER_KEYRING APT::Key::MasterKeyring | PID:1540
        - Reads runtime system information
        /usr/bin/dpkg | /usr/bin/dpkg --print-foreign-architectures | PID:1542
          - Reads runtime system information
      /usr/bin/apt-config | apt-config shell ARCHIVE_KEYRING APT::Key::ArchiveKeyring | PID:1543
        - Reads runtime system information
        /usr/bin/dpkg | /usr/bin/dpkg --print-foreign-architectures | PID:1547
          - Reads runtime system information
      /usr/bin/apt-config | apt-config shell REMOVED_KEYS APT::Key::RemovedKeys | PID:1548
        - Reads runtime system information
        /usr/bin/dpkg | /usr/bin/dpkg --print-foreign-architectures | PID:1549
          - Reads runtime system information
      /usr/bin/apt-config | apt-config shell ARCHIVE_KEYRING_URI APT::Key::ArchiveKeyringURI | PID:1550
        - Reads runtime system information
        /usr/bin/dpkg | /usr/bin/dpkg --print-foreign-architectures | PID:1551
          - Reads runtime system information
      /usr/bin/apt-config | apt-config shell TRUSTEDFILE Apt::GPGV::TrustedKeyring | PID:1552
        - Reads runtime system information
        /usr/bin/dpkg | /usr/bin/dpkg --print-foreign-architectures | PID:1553
          - Reads runtime system information
      /usr/bin/apt-config | apt-config shell TRUSTEDFILE Dir::Etc::Trusted/f | PID:1554
        - Reads runtime system information
        /usr/bin/dpkg | /usr/bin/dpkg --print-foreign-architectures | PID:1555
          - Reads runtime system information
      /usr/bin/apt-config | apt-config shell GPG_EXE Apt::Key::gpgcommand | PID:1557
        - Reads runtime system information
        /usr/bin/dpkg | /usr/bin/dpkg --print-foreign-architectures | PID:1558
          - Reads runtime system information
      /bin/mktemp | mktemp --directory --tmpdir apt-key-gpghome.XXXXXXXXXX | PID:1559
      /bin/chmod | chmod 700 /tmp/apt-key-gpghome.XFnf6ix2zA | PID:1560
      /bin/sed | sed -e "s#'#'\"'\"'#g" | PID:1563
        - Reads runtime system information
      /bin/sed | sed -e "s#'#'\"'\"'#g" | PID:1566
        - Reads runtime system information
      /usr/bin/touch | touch /tmp/apt-key-gpghome.XFnf6ix2zA/empty.gpg | PID:1567
        - Writes file to tmp directory
      /usr/bin/gpg | gpg --ignore-time-conflict --no-options --no-default-keyring --homedir /tmp/apt-key-gpghome.XFnf6ix2zA --quiet --check-trustdb --keyring /tmp/apt-key-gpghome.XFnf6ix2zA/empty.gpg | PID:1568
        - Writes file to tmp directory
      /bin/sh | sh /tmp/apt-key-gpghome.XFnf6ix2zA/gpg.0.sh --batch --import | PID:1571
      /usr/local/sbin/gpg | gpg --ignore-time-conflict --no-options --no-default-keyring --homedir /tmp/apt-key-gpghome.XFnf6ix2zA --no-auto-check-trustdb --trust-model always --batch --import | PID:1571
      /usr/local/bin/gpg | gpg --ignore-time-conflict --no-options --no-default-keyring --homedir /tmp/apt-key-gpghome.XFnf6ix2zA --no-auto-check-trustdb --trust-model always --batch --import | PID:1571
      /usr/sbin/gpg | gpg --ignore-time-conflict --no-options --no-default-keyring --homedir /tmp/apt-key-gpghome.XFnf6ix2zA --no-auto-check-trustdb --trust-model always --batch --import | PID:1571
      /usr/bin/gpg | gpg --ignore-time-conflict --no-options --no-default-keyring --homedir /tmp/apt-key-gpghome.XFnf6ix2zA --no-auto-check-trustdb --trust-model always --batch --import | PID:1571
        - Writes file to tmp directory
      /usr/bin/id | id -u | PID:1572
        - Reads runtime system information
      /bin/readlink | readlink -f /tmp/apt-key-gpghome.XFnf6ix2zA | PID:1573
      /bin/rm | rm -f /tmp/apt-key-gpghome.XFnf6ix2zA/pubring.gpg | PID:1574
      /usr/bin/touch | touch /tmp/apt-key-gpghome.XFnf6ix2zA/pubring.gpg | PID:1575
        - Writes file to tmp directory
      /usr/bin/apt-config | apt-config shell TRUSTEDPARTS Dir::Etc::TrustedParts/d | PID:1576
        - Reads runtime system information
        /usr/bin/dpkg | /usr/bin/dpkg --print-foreign-architectures | PID:1577
          - Reads runtime system information
      /bin/readlink | readlink -f /etc/apt/trusted.gpg.d/ | PID:1578
      /usr/bin/find | find /etc/apt/trusted.gpg.d -mindepth 1 -maxdepth 1 "(" -name "*.gpg" -o -name "*.asc" ")" | PID:1579
        - Reads runtime system information
      /usr/bin/sort | sort | PID:1582
      /usr/bin/cmp | cmp --silent "--bytes=1" - /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-archive.gpg | PID:1584
      /bin/cat | cat /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-archive.gpg | PID:1586
      /usr/bin/cmp | cmp --silent "--bytes=1" - /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg | PID:1588
      /bin/cat | cat /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg | PID:1590
      /usr/bin/cmp | cmp --silent "--bytes=1" - /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg | PID:1592
      /bin/cat | cat /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg | PID:1594
      /bin/cp | cp -a /tmp/apt-key-gpghome.XFnf6ix2zA/pubring.gpg /tmp/apt-key-gpghome.XFnf6ix2zA/pubring.orig.gpg | PID:1595
        - Reads runtime system information
        - Writes file to tmp directory
      /bin/sed | sed -e "s#'#'\"'\"'#g" | PID:1598
        - Reads runtime system information
      /bin/sed | sed -e "s#'#'\"'\"'#g" | PID:1601
        - Reads runtime system information
      /bin/sh | sh /tmp/apt-key-gpghome.XFnf6ix2zA/gpg.1.sh --quiet --batch --import - | PID:1602
      /usr/local/sbin/sh | sh /tmp/apt-key-gpghome.XFnf6ix2zA/gpg.0.sh --keyring /tmp/apt-key-gpghome.XFnf6ix2zA/pubring.gpg --quiet --batch --import - | PID:1602
      /usr/local/bin/sh | sh /tmp/apt-key-gpghome.XFnf6ix2zA/gpg.0.sh --keyring /tmp/apt-key-gpghome.XFnf6ix2zA/pubring.gpg --quiet --batch --import - | PID:1602
      /usr/sbin/sh | sh /tmp/apt-key-gpghome.XFnf6ix2zA/gpg.0.sh --keyring /tmp/apt-key-gpghome.XFnf6ix2zA/pubring.gpg --quiet --batch --import - | PID:1602
      /usr/bin/sh | sh /tmp/apt-key-gpghome.XFnf6ix2zA/gpg.0.sh --keyring /tmp/apt-key-gpghome.XFnf6ix2zA/pubring.gpg --quiet --batch --import - | PID:1602
      /sbin/sh | sh /tmp/apt-key-gpghome.XFnf6ix2zA/gpg.0.sh --keyring /tmp/apt-key-gpghome.XFnf6ix2zA/pubring.gpg --quiet --batch --import - | PID:1602
      /bin/sh | sh /tmp/apt-key-gpghome.XFnf6ix2zA/gpg.0.sh --keyring /tmp/apt-key-gpghome.XFnf6ix2zA/pubring.gpg --quiet --batch --import - | PID:1602
      /usr/local/sbin/gpg | gpg --ignore-time-conflict --no-options --no-default-keyring --homedir /tmp/apt-key-gpghome.XFnf6ix2zA --no-auto-check-trustdb --trust-model always --keyring /tmp/apt-key-gpghome.XFnf6ix2zA/pubring.gpg --quiet --batch --import - | PID:1602
      /usr/local/bin/gpg | gpg --ignore-time-conflict --no-options --no-default-keyring --homedir /tmp/apt-key-gpghome.XFnf6ix2zA --no-auto-check-trustdb --trust-model always --keyring /tmp/apt-key-gpghome.XFnf6ix2zA/pubring.gpg --quiet --batch --import - | PID:1602
      /usr/sbin/gpg | gpg --ignore-time-conflict --no-options --no-default-keyring --homedir /tmp/apt-key-gpghome.XFnf6ix2zA --no-auto-check-trustdb --trust-model always --keyring /tmp/apt-key-gpghome.XFnf6ix2zA/pubring.gpg --quiet --batch --import - | PID:1602
      /usr/bin/gpg | gpg --ignore-time-conflict --no-options --no-default-keyring --homedir /tmp/apt-key-gpghome.XFnf6ix2zA --no-auto-check-trustdb --trust-model always --keyring /tmp/apt-key-gpghome.XFnf6ix2zA/pubring.gpg --quiet --batch --import - | PID:1602
    /usr/bin/curl | curl -sSL http://packages.devel.onedata.org/onedata.gpg.key | PID:1537
Network
MITRE ATT&CK Matrix
Downloads