Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    148s
  • max time network
    128s
  • platform
    ubuntu-18.04_amd64
  • resource
    ubuntu1804-amd64-20240508-en
  • resource tags

    arch:amd64arch:i386image:ubuntu1804-amd64-20240508-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
  • submitted
    24/05/2024, 12:43

General

  • Target

    onezone-2102.sh

  • Size

    4KB

  • MD5

    c43b84f16188b729a2694f7dbc2cbe98

  • SHA1

    3d9197ed725ba1c944485739e52b361f6b402b3e

  • SHA256

    cfaaf1b55554ac0a2f16368297ca900e7edbb674c071ee4a08730e78ba8c21b5

  • SHA512

    1444694a9daefa1a9e8d26e8b16b9065968a9d60b66416ba528e7c6504adbbcfe3b89332fd2603198d83d5c9288f4580e4fc14764e0002dc9c632c8cfd6d6123

  • SSDEEP

    96:36dVk0cxktixpbroD/NrfLiL6JZE3T5woPRG3XETD:+1IktixdoD/NrjiL6FkD

Score
3/10

Malware Config

Signatures

  • Reads runtime system information 24 IoCs

    Reads data from /proc virtual filesystem.

  • Writes file to tmp directory 12 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/onezone-2102.sh
    /tmp/onezone-2102.sh
    1⤵
      PID:1523
      • /bin/uname
        uname -m
        2⤵
          PID:1524
        • /usr/bin/id
          id -un
          2⤵
          • Reads runtime system information
          PID:1526
        • /usr/bin/rev
          rev
          2⤵
            PID:1532
          • /usr/bin/cut
            cut -c 2-
            2⤵
              PID:1531
            • /usr/bin/rev
              rev
              2⤵
                PID:1530
              • /usr/bin/tr
                tr "\\n" -
                2⤵
                  PID:1529
                • /usr/bin/lsb_release
                  lsb_release -sic
                  2⤵
                    PID:1528
                  • /usr/bin/tr
                    tr "[:upper:]" "[:lower:]"
                    2⤵
                      PID:1535
                    • /bin/sh
                      sh -c "curl -sSL http://packages.devel.onedata.org/onedata.gpg.key | apt-key add -"
                      2⤵
                        PID:1536
                        • /usr/bin/apt-key
                          apt-key add -
                          3⤵
                          • Writes file to tmp directory
                          PID:1538
                          • /usr/bin/apt-config
                            apt-config shell MASTER_KEYRING APT::Key::MasterKeyring
                            4⤵
                            • Reads runtime system information
                            PID:1540
                            • /usr/bin/dpkg
                              /usr/bin/dpkg --print-foreign-architectures
                              5⤵
                              • Reads runtime system information
                              PID:1542
                          • /usr/bin/apt-config
                            apt-config shell ARCHIVE_KEYRING APT::Key::ArchiveKeyring
                            4⤵
                            • Reads runtime system information
                            PID:1543
                            • /usr/bin/dpkg
                              /usr/bin/dpkg --print-foreign-architectures
                              5⤵
                              • Reads runtime system information
                              PID:1547
                          • /usr/bin/apt-config
                            apt-config shell REMOVED_KEYS APT::Key::RemovedKeys
                            4⤵
                            • Reads runtime system information
                            PID:1548
                            • /usr/bin/dpkg
                              /usr/bin/dpkg --print-foreign-architectures
                              5⤵
                              • Reads runtime system information
                              PID:1549
                          • /usr/bin/apt-config
                            apt-config shell ARCHIVE_KEYRING_URI APT::Key::ArchiveKeyringURI
                            4⤵
                            • Reads runtime system information
                            PID:1550
                            • /usr/bin/dpkg
                              /usr/bin/dpkg --print-foreign-architectures
                              5⤵
                              • Reads runtime system information
                              PID:1551
                          • /usr/bin/apt-config
                            apt-config shell TRUSTEDFILE Apt::GPGV::TrustedKeyring
                            4⤵
                            • Reads runtime system information
                            PID:1552
                            • /usr/bin/dpkg
                              /usr/bin/dpkg --print-foreign-architectures
                              5⤵
                              • Reads runtime system information
                              PID:1553
                          • /usr/bin/apt-config
                            apt-config shell TRUSTEDFILE Dir::Etc::Trusted/f
                            4⤵
                            • Reads runtime system information
                            PID:1554
                            • /usr/bin/dpkg
                              /usr/bin/dpkg --print-foreign-architectures
                              5⤵
                              • Reads runtime system information
                              PID:1555
                          • /usr/bin/apt-config
                            apt-config shell GPG_EXE Apt::Key::gpgcommand
                            4⤵
                            • Reads runtime system information
                            PID:1557
                            • /usr/bin/dpkg
                              /usr/bin/dpkg --print-foreign-architectures
                              5⤵
                              • Reads runtime system information
                              PID:1558
                          • /bin/mktemp
                            mktemp --directory --tmpdir apt-key-gpghome.XXXXXXXXXX
                            4⤵
                              PID:1559
                            • /bin/chmod
                              chmod 700 /tmp/apt-key-gpghome.XFnf6ix2zA
                              4⤵
                                PID:1560
                              • /bin/sed
                                sed -e "s#'#'\"'\"'#g"
                                4⤵
                                • Reads runtime system information
                                PID:1563
                              • /bin/sed
                                sed -e "s#'#'\"'\"'#g"
                                4⤵
                                • Reads runtime system information
                                PID:1566
                              • /usr/bin/touch
                                touch /tmp/apt-key-gpghome.XFnf6ix2zA/empty.gpg
                                4⤵
                                • Writes file to tmp directory
                                PID:1567
                              • /usr/bin/gpg
                                gpg --ignore-time-conflict --no-options --no-default-keyring --homedir /tmp/apt-key-gpghome.XFnf6ix2zA --quiet --check-trustdb --keyring /tmp/apt-key-gpghome.XFnf6ix2zA/empty.gpg
                                4⤵
                                • Writes file to tmp directory
                                PID:1568
                              • /bin/sh
                                sh /tmp/apt-key-gpghome.XFnf6ix2zA/gpg.0.sh --batch --import
                                4⤵
                                  PID:1571
                                • /usr/local/sbin/gpg
                                  gpg --ignore-time-conflict --no-options --no-default-keyring --homedir /tmp/apt-key-gpghome.XFnf6ix2zA --no-auto-check-trustdb --trust-model always --batch --import
                                  4⤵
                                    PID:1571
                                  • /usr/local/bin/gpg
                                    gpg --ignore-time-conflict --no-options --no-default-keyring --homedir /tmp/apt-key-gpghome.XFnf6ix2zA --no-auto-check-trustdb --trust-model always --batch --import
                                    4⤵
                                      PID:1571
                                    • /usr/sbin/gpg
                                      gpg --ignore-time-conflict --no-options --no-default-keyring --homedir /tmp/apt-key-gpghome.XFnf6ix2zA --no-auto-check-trustdb --trust-model always --batch --import
                                      4⤵
                                        PID:1571
                                      • /usr/bin/gpg
                                        gpg --ignore-time-conflict --no-options --no-default-keyring --homedir /tmp/apt-key-gpghome.XFnf6ix2zA --no-auto-check-trustdb --trust-model always --batch --import
                                        4⤵
                                        • Writes file to tmp directory
                                        PID:1571
                                      • /usr/bin/id
                                        id -u
                                        4⤵
                                        • Reads runtime system information
                                        PID:1572
                                      • /bin/readlink
                                        readlink -f /tmp/apt-key-gpghome.XFnf6ix2zA
                                        4⤵
                                          PID:1573
                                        • /bin/rm
                                          rm -f /tmp/apt-key-gpghome.XFnf6ix2zA/pubring.gpg
                                          4⤵
                                            PID:1574
                                          • /usr/bin/touch
                                            touch /tmp/apt-key-gpghome.XFnf6ix2zA/pubring.gpg
                                            4⤵
                                            • Writes file to tmp directory
                                            PID:1575
                                          • /usr/bin/apt-config
                                            apt-config shell TRUSTEDPARTS Dir::Etc::TrustedParts/d
                                            4⤵
                                            • Reads runtime system information
                                            PID:1576
                                            • /usr/bin/dpkg
                                              /usr/bin/dpkg --print-foreign-architectures
                                              5⤵
                                              • Reads runtime system information
                                              PID:1577
                                          • /bin/readlink
                                            readlink -f /etc/apt/trusted.gpg.d/
                                            4⤵
                                              PID:1578
                                            • /usr/bin/find
                                              find /etc/apt/trusted.gpg.d -mindepth 1 -maxdepth 1 "(" -name "*.gpg" -o -name "*.asc" ")"
                                              4⤵
                                              • Reads runtime system information
                                              PID:1579
                                            • /usr/bin/sort
                                              sort
                                              4⤵
                                                PID:1582
                                              • /usr/bin/cmp
                                                cmp --silent "--bytes=1" - /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-archive.gpg
                                                4⤵
                                                  PID:1584
                                                • /bin/cat
                                                  cat /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-archive.gpg
                                                  4⤵
                                                    PID:1586
                                                  • /usr/bin/cmp
                                                    cmp --silent "--bytes=1" - /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg
                                                    4⤵
                                                      PID:1588
                                                    • /bin/cat
                                                      cat /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg
                                                      4⤵
                                                        PID:1590
                                                      • /usr/bin/cmp
                                                        cmp --silent "--bytes=1" - /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg
                                                        4⤵
                                                          PID:1592
                                                        • /bin/cat
                                                          cat /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg
                                                          4⤵
                                                            PID:1594
                                                          • /bin/cp
                                                            cp -a /tmp/apt-key-gpghome.XFnf6ix2zA/pubring.gpg /tmp/apt-key-gpghome.XFnf6ix2zA/pubring.orig.gpg
                                                            4⤵
                                                            • Reads runtime system information
                                                            • Writes file to tmp directory
                                                            PID:1595
                                                          • /bin/sed
                                                            sed -e "s#'#'\"'\"'#g"
                                                            4⤵
                                                            • Reads runtime system information
                                                            PID:1598
                                                          • /bin/sed
                                                            sed -e "s#'#'\"'\"'#g"
                                                            4⤵
                                                            • Reads runtime system information
                                                            PID:1601
                                                          • /bin/sh
                                                            sh /tmp/apt-key-gpghome.XFnf6ix2zA/gpg.1.sh --quiet --batch --import -
                                                            4⤵
                                                              PID:1602
                                                            • /usr/local/sbin/sh
                                                              sh /tmp/apt-key-gpghome.XFnf6ix2zA/gpg.0.sh --keyring /tmp/apt-key-gpghome.XFnf6ix2zA/pubring.gpg --quiet --batch --import -
                                                              4⤵
                                                                PID:1602
                                                              • /usr/local/bin/sh
                                                                sh /tmp/apt-key-gpghome.XFnf6ix2zA/gpg.0.sh --keyring /tmp/apt-key-gpghome.XFnf6ix2zA/pubring.gpg --quiet --batch --import -
                                                                4⤵
                                                                  PID:1602
                                                                • /usr/sbin/sh
                                                                  sh /tmp/apt-key-gpghome.XFnf6ix2zA/gpg.0.sh --keyring /tmp/apt-key-gpghome.XFnf6ix2zA/pubring.gpg --quiet --batch --import -
                                                                  4⤵
                                                                    PID:1602
                                                                  • /usr/bin/sh
                                                                    sh /tmp/apt-key-gpghome.XFnf6ix2zA/gpg.0.sh --keyring /tmp/apt-key-gpghome.XFnf6ix2zA/pubring.gpg --quiet --batch --import -
                                                                    4⤵
                                                                      PID:1602
                                                                    • /sbin/sh
                                                                      sh /tmp/apt-key-gpghome.XFnf6ix2zA/gpg.0.sh --keyring /tmp/apt-key-gpghome.XFnf6ix2zA/pubring.gpg --quiet --batch --import -
                                                                      4⤵
                                                                        PID:1602
                                                                      • /bin/sh
                                                                        sh /tmp/apt-key-gpghome.XFnf6ix2zA/gpg.0.sh --keyring /tmp/apt-key-gpghome.XFnf6ix2zA/pubring.gpg --quiet --batch --import -
                                                                        4⤵
                                                                          PID:1602
                                                                        • /usr/local/sbin/gpg
                                                                          gpg --ignore-time-conflict --no-options --no-default-keyring --homedir /tmp/apt-key-gpghome.XFnf6ix2zA --no-auto-check-trustdb --trust-model always --keyring /tmp/apt-key-gpghome.XFnf6ix2zA/pubring.gpg --quiet --batch --import -
                                                                          4⤵
                                                                            PID:1602
                                                                          • /usr/local/bin/gpg
                                                                            gpg --ignore-time-conflict --no-options --no-default-keyring --homedir /tmp/apt-key-gpghome.XFnf6ix2zA --no-auto-check-trustdb --trust-model always --keyring /tmp/apt-key-gpghome.XFnf6ix2zA/pubring.gpg --quiet --batch --import -
                                                                            4⤵
                                                                              PID:1602
                                                                            • /usr/sbin/gpg
                                                                              gpg --ignore-time-conflict --no-options --no-default-keyring --homedir /tmp/apt-key-gpghome.XFnf6ix2zA --no-auto-check-trustdb --trust-model always --keyring /tmp/apt-key-gpghome.XFnf6ix2zA/pubring.gpg --quiet --batch --import -
                                                                              4⤵
                                                                                PID:1602
                                                                              • /usr/bin/gpg
                                                                                gpg --ignore-time-conflict --no-options --no-default-keyring --homedir /tmp/apt-key-gpghome.XFnf6ix2zA --no-auto-check-trustdb --trust-model always --keyring /tmp/apt-key-gpghome.XFnf6ix2zA/pubring.gpg --quiet --batch --import -
                                                                                4⤵
                                                                                  PID:1602
                                                                              • /usr/bin/curl
                                                                                curl -sSL http://packages.devel.onedata.org/onedata.gpg.key
                                                                                3⤵
                                                                                  PID:1537

                                                                            Network

                                                                            MITRE ATT&CK Matrix

                                                                            Replay Monitor

                                                                            Loading Replay Monitor...

                                                                            Downloads

                                                                            • /tmp/apt-key-gpghome.XFnf6ix2zA/.#lk0x0000559458ce4600.ubuntu1804-amd64-20240508-en-12.1568

                                                                              Filesize

                                                                              43B

                                                                              MD5

                                                                              e05cf2f515ad19d54871fbe0f26c0261

                                                                              SHA1

                                                                              3cce6e65ee1e6b27cc5cfd7743046c25497e0594

                                                                              SHA256

                                                                              2bd7f9d70e0a7e530f7d9da2f8de08dabe6aa3f11880293c8f4a8bc724905351

                                                                              SHA512

                                                                              d72265a6d7f08c4e757d2205c7e89d3c8e25873fe33513dad53caa120fb3d2367067fdb005f56a6292d2d582c251e1ec11c8593a4894cd28bc8520f93a78122b

                                                                            • /tmp/apt-key-gpghome.XFnf6ix2zA/.#lk0x00005615a7669500.ubuntu1804-amd64-20240508-en-12.1571

                                                                              Filesize

                                                                              43B

                                                                              MD5

                                                                              50989b20d5308e92a473487caf66b518

                                                                              SHA1

                                                                              2ee174dcad00b5fcaa12a75b8cd4748dc7a7ae09

                                                                              SHA256

                                                                              88830b59b47aa37ec1c200c9195c281f5f722f4d464546fdb4b3e0f61c27c5a0

                                                                              SHA512

                                                                              d7b9abc20af02619506920393238bdfae19e1388312eec7cf1bf7e49f9f426e54f69e3722b154c5611ec68f1a6e24d1b9bf719b60a6910177098ae1e7645cabe

                                                                            • /tmp/apt-key-gpghome.XFnf6ix2zA/gpg.0.sh

                                                                              Filesize

                                                                              174B

                                                                              MD5

                                                                              a0cdc2afc0ad547703f39c1cece155b3

                                                                              SHA1

                                                                              554c67c08621283c6bd9997f4785dc1d2122b49b

                                                                              SHA256

                                                                              82273121ab6066656a10b47710d80bfc1c3e17bdadd0b570c4063080994ff7ba

                                                                              SHA512

                                                                              2477f596bb6b9ed37e6966de630639f5050d79f15a286717adc35de1dc29e69a0fa432fd24dcc43d8354eae6c85a511741a7ded56a78d49c644224a5929a5a8e

                                                                            • /tmp/apt-key-gpghome.XFnf6ix2zA/gpg.1.sh

                                                                              Filesize

                                                                              122B

                                                                              MD5

                                                                              b534ab1eddbed8d33b971e6eeee9a195

                                                                              SHA1

                                                                              f2b562622073ba78ffea1bbca8ae7ae7bd81e545

                                                                              SHA256

                                                                              418e08a8d1b2f6696ce75f47775bc66472913b64d7e4f304d691668627a39bd9

                                                                              SHA512

                                                                              a3548c43e3321b220ca0c48e3ae73c6eca5eecc3e2ce5e02a631734f772695f9c2b1786b9d452fa8e94ded20aaa49d3b36a382f6b2f629b0ef1f3af6108e23f6

                                                                            • /tmp/apt-key-gpghome.XFnf6ix2zA/pubring.orig.gpg

                                                                              Filesize

                                                                              7KB

                                                                              MD5

                                                                              b3bf35c5e796db394a50f96b908b690f

                                                                              SHA1

                                                                              b1e90de4d9d88bac6c67926c0ff6263e3ef7c2d2

                                                                              SHA256

                                                                              cf419d6c58bea5f2586043ecbad4c44f27d6f6060e5be19993b857105a5be094

                                                                              SHA512

                                                                              a97f8881c83ddc681623e4f503f8f758afe85ae6c34e2339a635e9521ae1303aebb90a6bef7c1136b6bd2b7418facacf98643f24e8bb40f1f93fb8a8ef714a96