0f3249d23486ac93ae197b12f57a1707b88328ba22337423b0f1c30646716081

General

Target

sb.sh
Size

24KB
MD5

48229751d9027c71a2f5dbbd269c3ddc
SHA1

85822c0da2ac34c28e19ee9253a64f96b92d115f
SHA256

0f3249d23486ac93ae197b12f57a1707b88328ba22337423b0f1c30646716081
SHA512

c393eeb7ea8d53af0e03f284156cd0b0c1be4abb0c585df121049adc52768481465d3631673c1c91fa50286994bc06bd229e6583eb554d45f89643de01fd1f14
SSDEEP

384:WTL6DnMCFltFfHGBL59IgoJ61kLxqx8UKT0PqG0Vz7hqeA+Q4pkHXeCprkSI2:cLRCFltFfHGBLMLcxAVGsz7llC+SI2

Score

7^/10

antivm

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

sb.sh

ioc pid process

/root/.cache/bztmpNddd37UDv/sb.sh 1526 sb.sh

ioc	pid	process
/root/.cache/bztmpNddd37UDv/sb.sh	1526	sb.sh

Checks hardware identifiers (DMI) 1 TTPs 2 IoCs

Checks DMI information which indicate if the system is a virtual machine.

antivm

Virtualization/Sandbox Evasion

T1497

Processes:

systemd-detect-virt

description	ioc	process
File opened for reading	/sys/class/dmi/id/product_name	systemd-detect-virt
File opened for reading	/sys/class/dmi/id/sys_vendor	systemd-detect-virt

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

15 raw.githubusercontent.com
14 raw.githubusercontent.com
Checks CPU configuration 1 TTPs 1 IoCs
Checks CPU information which indicate if the system is a virtual machine.
antivm

Virtualization/Sandbox Evasion
T1497

Processes:

cat

description ioc process

File opened for reading /proc/cpuinfo cat

flow	ioc
15	raw.githubusercontent.com
14	raw.githubusercontent.com

description	ioc	process
File opened for reading	/proc/cpuinfo	cat

Enumerates kernel/hardware configuration 1 TTPs 4 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

T1082

Processes:

snapsnapsnapsnap

description	ioc	process
File opened for reading	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	snap
File opened for reading	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	snap
File opened for reading	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	snap
File opened for reading	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	snap

Reads runtime system information 48 IoCs

Reads data from /proc virtual filesystem.

Processes:

systemctldpkgapt-getapt-getidsystemd-detect-virtawkapt-getawkdpkgsysctldpkgsnapsnapaptsnapaptidsnapdpkgdpkgdpkgdpkgdpkgdpkgawksysctldpkgdpkg

description	ioc	process
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/sys/kernel/ngroups_max	apt-get
File opened for reading	/proc/sys/kernel/ngroups_max	apt-get
File opened for reading	/proc/filesystems	id
File opened for reading	/proc/filesystems	systemd-detect-virt
File opened for reading	/proc/self/maps	awk
File opened for reading	/proc/sys/kernel/osrelease	systemctl
File opened for reading	/proc/self/fd	apt-get
File opened for reading	/proc/sys/kernel/osrelease	systemd-detect-virt
File opened for reading	/proc/self/maps	awk
File opened for reading	/proc/self/fd	apt-get
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/sys/kernel/ngroups_max	apt-get
File opened for reading	/proc/sys/net/ipv4/tcp_congestion_control	sysctl
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/cmdline	snap
File opened for reading	/proc/cgroups	snap
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/sys/kernel/ngroups_max	apt
File opened for reading	/proc/cgroups	snap
File opened for reading	/proc/sys/kernel/ngroups_max	apt
File opened for reading	/proc/self/stat	systemd-detect-virt
File opened for reading	/proc/cmdline	systemd-detect-virt
File opened for reading	/proc/self/fd	apt
File opened for reading	/proc/filesystems	id
File opened for reading	/proc/cmdline	snap
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/1/sched	systemctl
File opened for reading	/proc/cgroups	snap
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/cmdline	snap
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/self/fd	apt-get
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/cmdline	snap
File opened for reading	/proc/self/maps	awk
File opened for reading	/proc/1/environ	systemd-detect-virt
File opened for reading	/proc/1/sched	systemd-detect-virt
File opened for reading	/proc/sys/net/ipv4/tcp_congestion_control	sysctl
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/self/fd	apt
File opened for reading	/proc/cgroups	snap

Writes file to tmp directory 64 IoCs

Malware often drops required files in the /tmp directory.

Processes:

aptapt-getaptapt-getapt-gettouch

description	ioc	process
File opened for modification	/tmp/fileutl.message.JTX6lS	apt
File opened for modification	/tmp/fileutl.message.p6Vq3L	apt-get
File opened for modification	/tmp/fileutl.message.6iWkJE	apt-get
File opened for modification	/tmp/fileutl.message.tFCaqx	apt-get
File opened for modification	/tmp/fileutl.message.7GpZ9T	apt
File opened for modification	/tmp/fileutl.message.n65zFQ	apt
File opened for modification	/tmp/fileutl.message.TXlryV	apt
File opened for modification	/tmp/fileutl.message.H08e4V	apt
File opened for modification	/tmp/fileutl.message.UL4i7p	apt-get
File opened for modification	/tmp/fileutl.message.vXdpHx	apt
File opened for modification	/tmp/fileutl.message.OyshE8	apt
File opened for modification	/tmp/fileutl.message.EGO1kC	apt
File opened for modification	/tmp/fileutl.message.cNQlc6	apt-get
File opened for modification	/tmp/fileutl.message.MIgIKk	apt-get
File opened for modification	/tmp/fileutl.message.zTbMaB	apt-get
File opened for modification	/tmp/fileutl.message.mmkZyk	apt
File opened for modification	/tmp/fileutl.message.CrTeJU	apt
File opened for modification	/tmp/fileutl.message.eXaUix	apt-get
File opened for modification	/tmp/fileutl.message.ggg9lS	apt-get
File opened for modification	/tmp/fileutl.message.2diIUt	apt-get
File opened for modification	/tmp/fileutl.message.Z13mSk	apt
File opened for modification	/tmp/fileutl.message.ptFZz6	apt-get
File opened for modification	/tmp/fileutl.message.ay25GW	apt-get
File opened for modification	/tmp/fileutl.message.Cin8du	apt-get
File opened for modification	/tmp/fileutl.message.sgZg0p	apt-get
File opened for modification	/tmp/fileutl.message.FZKVK0	apt-get
File opened for modification	/tmp/fileutl.message.vo9dPi	apt-get
File opened for modification	/tmp/fileutl.message.zSNn5a	apt
File opened for modification	/tmp/fileutl.message.kyUDE1	apt-get
File opened for modification	/tmp/fileutl.message.hlUNYP	apt-get
File opened for modification	/tmp/fileutl.message.Wwy3Yg	apt-get
File opened for modification	/tmp/fileutl.message.CGjZHD	apt-get
File opened for modification	/tmp/fileutl.message.xuVRiU	apt
File opened for modification	/tmp/fileutl.message.Bs3E8E	apt
File opened for modification	/tmp/fileutl.message.RKtUIl	apt
File opened for modification	/tmp/fileutl.message.JrMHum	apt
File opened for modification	/tmp/fileutl.message.Jn2s3I	apt-get
File opened for modification	/tmp/fileutl.message.JAbOHA	apt-get
File opened for modification	/tmp/fileutl.message.MBHoLy	apt-get
File opened for modification	/tmp/fileutl.message.oHGoIf	apt-get
File opened for modification	/tmp/fileutl.message.4TbZBI	apt
File opened for modification	/tmp/fileutl.message.NCOrXH	apt
File opened for modification	/tmp/fileutl.message.axPIO1	apt-get
File opened for modification	/tmp/fileutl.message.FQNWf4	apt-get
File opened for modification	/tmp/fileutl.message.2eTDR6	apt
File opened for modification	/tmp/fileutl.message.aUUzhb	apt-get
File opened for modification	/tmp/fileutl.message.6MNrxb	apt-get
File opened for modification	/tmp/fileutl.message.RhWsFj	apt
File opened for modification	/tmp/fileutl.message.aDLVrz	apt-get
File opened for modification	/tmp/fileutl.message.z9N8c9	apt
File opened for modification	/tmp/fileutl.message.NU8q3G	apt
File opened for modification	/tmp/fileutl.message.sWGkOU	apt-get
File opened for modification	/tmp/fileutl.message.lv6Kkd	apt-get
File opened for modification	/tmp/fileutl.message.vnE0Ds	apt-get
File opened for modification	/tmp/fileutl.message.uI2Jep	apt-get
File opened for modification	/tmp/fileutl.message.Eh5Sjc	apt
File opened for modification	/tmp/fileutl.message.LwdZzB	apt
File opened for modification	/tmp/sbyg_update	touch
File opened for modification	/tmp/fileutl.message.G0DaP9	apt-get
File opened for modification	/tmp/fileutl.message.e9KJYW	apt-get
File opened for modification	/tmp/fileutl.message.udSdyw	apt
File opened for modification	/tmp/fileutl.message.JbYKaU	apt
File opened for modification	/tmp/fileutl.message.RkEvL5	apt
File opened for modification	/tmp/fileutl.message.1ujfq7	apt

/tmp/sb.sh
/tmp/sb.sh
1⤵
PID:1511

/usr/bin/id
id -u -n
2⤵
- Reads runtime system information
PID:1512

/usr/bin/cut
cut -d: -f6
2⤵
PID:1515

/usr/bin/getent
getent passwd root
2⤵
PID:1514

/bin/mktemp
mktemp -d /root/.cache/bztmpXXXXXXXXX
2⤵
PID:1517

/usr/bin/basename
basename /tmp/sb.sh
2⤵
PID:1518

/usr/bin/tail
tail -n +1
2⤵
PID:1521

/bin/bzip2
bzip2 -cd
2⤵
PID:1523

/usr/bin/tail
tail -n +75
2⤵
PID:1522

/bin/chmod
chmod 700 /root/.cache/bztmpNddd37UDv/sb.sh
2⤵
PID:1524

/root/.cache/bztmpNddd37UDv/sb.sh
/root/.cache/bztmpNddd37UDv/sb.sh
2⤵
- Executes dropped EXE
PID:1526

/bin/grep
grep -q -E -i debian
3⤵
PID:1529

/bin/cat
cat /etc/issue
3⤵
PID:1528

/bin/grep
grep -q -E -i ubuntu
3⤵
PID:1531

/bin/cat
cat /etc/issue
3⤵
PID:1530

/usr/bin/cut
cut -d . -f1
3⤵
PID:1535

/usr/bin/cut
cut -d "\"" -f2
3⤵
PID:1534

/bin/grep
grep -i version_id /etc/os-release
3⤵
PID:1533

/bin/cat
cat /etc/redhat-release
3⤵
PID:1537

/usr/bin/cut
cut -d "\"" -f2
3⤵
PID:1540

/bin/grep
grep -i pretty_name
3⤵
PID:1539

/bin/cat
cat /etc/os-release
3⤵
PID:1538

/bin/grep
grep -i -E "arch|alpine"
3⤵
PID:1543

/usr/bin/cut
cut -d - -f1
3⤵
PID:1546

/bin/uname
uname -r
3⤵
PID:1545

/usr/bin/systemd-detect-virt
systemd-detect-virt
3⤵
- Checks hardware identifiers (DMI)
- Reads runtime system information
PID:1548

/bin/uname
uname -m
3⤵
PID:1549

/usr/bin/cut
cut -d: -f2
3⤵
PID:1554

/usr/bin/head
head -n 1
3⤵
PID:1553

/bin/grep
grep flags
3⤵
PID:1552

/bin/cat
cat /proc/cpuinfo
3⤵
- Checks CPU configuration
PID:1551

/usr/bin/awk
awk -F " " "{print \$3}"
3⤵
- Reads runtime system information
PID:1557

/sbin/sysctl
sysctl net.ipv4.tcp_congestion_control
3⤵
- Reads runtime system information
PID:1556

/usr/bin/awk
awk -F " " "{print \$3}"
3⤵
- Reads runtime system information
PID:1560

/sbin/sysctl
sysctl net.ipv4.tcp_congestion_control
3⤵
- Reads runtime system information
PID:1559

/bin/hostname
hostname
3⤵
PID:1561

/usr/bin/apt
apt update -y
3⤵
- Reads runtime system information
- Writes file to tmp directory
PID:1563

/usr/bin/dpkg
/usr/bin/dpkg --print-foreign-architectures
4⤵
- Reads runtime system information
PID:1564

/usr/lib/apt/methods/http
/usr/lib/apt/methods/http
4⤵
PID:1565

/usr/lib/apt/methods/https
/usr/lib/apt/methods/https
4⤵
PID:1566

/bin/sh
sh -c "[ ! -e /run/systemd/system ] || [ \$(id -u) -ne 0 ] || systemctl start --no-block apt-news.service esm-cache.service || true"
4⤵
PID:1568

/usr/bin/id
id -u
5⤵
- Reads runtime system information
PID:1569

/bin/systemctl
systemctl start --no-block apt-news.service esm-cache.service
5⤵
- Reads runtime system information
PID:1570

/usr/lib/apt/methods/https
/usr/lib/apt/methods/https
4⤵
PID:1574

/usr/lib/apt/methods/http
/usr/lib/apt/methods/http
4⤵
PID:1578

/usr/lib/apt/methods/http
/usr/lib/apt/methods/http
4⤵
PID:1579

/usr/bin/dpkg
/usr/bin/dpkg --print-foreign-architectures
4⤵
- Reads runtime system information
PID:1586

/usr/bin/dpkg
/usr/bin/dpkg --print-foreign-architectures
4⤵
- Reads runtime system information
PID:1587

/usr/bin/apt
apt install jq iptables-persistent -y
3⤵
- Reads runtime system information
- Writes file to tmp directory
PID:1588

/usr/bin/dpkg
/usr/bin/dpkg --print-foreign-architectures
4⤵
- Reads runtime system information
PID:1589

/usr/bin/dpkg
/usr/bin/dpkg --print-foreign-architectures
4⤵
- Reads runtime system information
PID:1590

/bin/sh
/bin/sh -c "[ ! -f /usr/bin/snap ] || /usr/bin/snap advise-snap --from-apt 2>/dev/null || true"
4⤵
PID:1591

/usr/bin/snap
/usr/bin/snap advise-snap --from-apt
5⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:1592

/usr/lib/apt/methods/http
/usr/lib/apt/methods/http
4⤵
PID:1601

/bin/sh
/bin/sh -c "[ ! -f /usr/bin/snap ] || /usr/bin/snap advise-snap --from-apt 2>/dev/null || true"
4⤵
PID:1602

/usr/bin/snap
/usr/bin/snap advise-snap --from-apt
5⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:1603

/bin/sh
/bin/sh -c "[ ! -f /usr/bin/snap ] || /usr/bin/snap advise-snap --from-apt 2>/dev/null || true"
4⤵
PID:1611

/usr/bin/snap
/usr/bin/snap advise-snap --from-apt
5⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:1612

/usr/lib/apt/methods/http
/usr/lib/apt/methods/http
4⤵
PID:1621

/bin/sh
/bin/sh -c "[ ! -f /usr/bin/snap ] || /usr/bin/snap advise-snap --from-apt 2>/dev/null || true"
4⤵
PID:1622

/usr/bin/snap
/usr/bin/snap advise-snap --from-apt
5⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:1623

/usr/bin/touch
touch sbyg_update
3⤵
- Writes file to tmp directory
PID:1637

/usr/bin/apt-get
apt-get install -y expect
3⤵
- Reads runtime system information
- Writes file to tmp directory
PID:1639

/usr/bin/dpkg
/usr/bin/dpkg --print-foreign-architectures
4⤵
- Reads runtime system information
PID:1640

/usr/bin/dpkg
/usr/bin/dpkg --print-foreign-architectures
4⤵
- Reads runtime system information
PID:1641

/usr/lib/apt/methods/http
/usr/lib/apt/methods/http
4⤵
PID:1642

/usr/lib/apt/methods/http
/usr/lib/apt/methods/http
4⤵
PID:1643

/usr/bin/apt-get
apt-get install -y qrencode
3⤵
- Reads runtime system information
- Writes file to tmp directory
PID:1648

/usr/bin/dpkg
/usr/bin/dpkg --print-foreign-architectures
4⤵
- Reads runtime system information
PID:1649

/usr/bin/dpkg
/usr/bin/dpkg --print-foreign-architectures
4⤵
- Reads runtime system information
PID:1650

/usr/lib/apt/methods/http
/usr/lib/apt/methods/http
4⤵
PID:1651

/usr/lib/apt/methods/http
/usr/lib/apt/methods/http
4⤵
PID:1652

/usr/bin/apt-get
apt-get install -y git
3⤵
- Reads runtime system information
- Writes file to tmp directory
PID:1657

/usr/bin/dpkg
/usr/bin/dpkg --print-foreign-architectures
4⤵
- Reads runtime system information
PID:1658

/usr/bin/dpkg
/usr/bin/dpkg --print-foreign-architectures
4⤵
- Reads runtime system information
PID:1659

/usr/lib/apt/methods/http
/usr/lib/apt/methods/http
4⤵
PID:1660

/usr/lib/apt/methods/http
/usr/lib/apt/methods/http
4⤵
PID:1661

/usr/bin/clear
clear
3⤵
PID:1665

/bin/cat
cat /etc/s-box/v
3⤵
PID:1667

/usr/bin/head
head -n 1
3⤵
PID:1671

/usr/bin/awk
awk -F 更新内容 "{print \$1}"
3⤵
- Reads runtime system information
PID:1670

/usr/bin/curl
curl -sL https://raw.githubusercontent.com/yonggekkk/sing-box_hysteria2_tuic_argo_reality/main/version
3⤵
PID:1669

/bin/sleep
sleep 5
2⤵
PID:1527

/bin/rm
rm -fr /root/.cache/bztmpNddd37UDv
2⤵
PID:1676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

System Information Discovery

1

T1082

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/root/.cache/bztmpNddd37UDv/sb.sh
Filesize
143KB

MD5
f1973953ae5fec498235b9b8c9a147a8

SHA1
379a71b20e20d95ea0a88d46d0e915e9dd6bbcff

SHA256
92869467d779529f7f8daffd9213fdfa8c153ebdb42c261b349da5ec76c363b5

SHA512
340aaa1ab1f1b6753dab411967806e5d1ceba71224e676d25e95a644c8ff086397a750640b8f8958f54926a0eb37d0fbe72246e8f8f58af18b73db17d39c7e62

Download Submit
/tmp/fileutl.message.QfpyNW
Filesize
235KB

MD5
373fe2f2ef99005d2550a482f09a3e51

SHA1
68e6572b55b1e77f7d171ebac7b2579b7a6bd51d

SHA256
7552d5ab0c3879756a860aaab8e7c2f8ffb9409ea9ff9e65fc046ba5c519ebe5

SHA512
def9e854b824d2fddc6a15f898be73cfb679ac38563f5af854546f49c9d5d2316a40176dc41d6b360bda7b65de53863a53e4eedadf6336000b031b77a113607b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads