Analysis
-
max time kernel
149s -
max time network
129s -
platform
ubuntu-18.04_amd64 -
resource
ubuntu1804-amd64-20240508-en -
resource tags
-
submitted
25-05-2024 12:31
General
-
Target
sb.sh
-
Size
24KB
-
MD5
48229751d9027c71a2f5dbbd269c3ddc
-
SHA1
85822c0da2ac34c28e19ee9253a64f96b92d115f
-
SHA256
0f3249d23486ac93ae197b12f57a1707b88328ba22337423b0f1c30646716081
-
SHA512
c393eeb7ea8d53af0e03f284156cd0b0c1be4abb0c585df121049adc52768481465d3631673c1c91fa50286994bc06bd229e6583eb554d45f89643de01fd1f14
-
SSDEEP
384:WTL6DnMCFltFfHGBL59IgoJ61kLxqx8UKT0PqG0Vz7hqeA+Q4pkHXeCprkSI2:cLRCFltFfHGBLMLcxAVGsz7llC+SI2
Score
7/10
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
-
Checks hardware identifiers (DMI) 1 TTPs 2 IoCs
Checks DMI information which indicate if the system is a virtual machine.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Checks CPU configuration 1 TTPs 1 IoCs
Checks CPU information which indicate if the system is a virtual machine.
-
Enumerates kernel/hardware configuration 1 TTPs 4 IoCs
Reads contents of /sys virtual filesystem to enumerate system information.
-
Reads runtime system information 48 IoCs
Reads data from /proc virtual filesystem.
-
Writes file to tmp directory 64 IoCs
Malware often drops required files in the /tmp directory.
Processes
-
/tmp/sb.sh/tmp/sb.sh1⤵
-
/usr/bin/idid -u -n2⤵
- Reads runtime system information
-
-
/usr/bin/cutcut -d: -f62⤵
-
-
/usr/bin/getentgetent passwd root2⤵
-
-
/bin/mktempmktemp -d /root/.cache/bztmpXXXXXXXXX2⤵
-
-
/usr/bin/basenamebasename /tmp/sb.sh2⤵
-
-
/usr/bin/tailtail -n +12⤵
-
-
/bin/bzip2bzip2 -cd2⤵
-
-
/usr/bin/tailtail -n +752⤵
-
-
/bin/chmodchmod 700 /root/.cache/bztmpNddd37UDv/sb.sh2⤵
-
-
/root/.cache/bztmpNddd37UDv/sb.sh/root/.cache/bztmpNddd37UDv/sb.sh2⤵
- Executes dropped EXE
-
/bin/grepgrep -q -E -i debian3⤵
-
-
/bin/catcat /etc/issue3⤵
-
-
/bin/grepgrep -q -E -i ubuntu3⤵
-
-
/bin/catcat /etc/issue3⤵
-
-
/usr/bin/cutcut -d . -f13⤵
-
-
/usr/bin/cutcut -d "\"" -f23⤵
-
-
/bin/grepgrep -i version_id /etc/os-release3⤵
-
-
/bin/catcat /etc/redhat-release3⤵
-
-
/usr/bin/cutcut -d "\"" -f23⤵
-
-
/bin/grepgrep -i pretty_name3⤵
-
-
/bin/catcat /etc/os-release3⤵
-
-
/bin/grepgrep -i -E "arch|alpine"3⤵
-
-
/usr/bin/cutcut -d - -f13⤵
-
-
/bin/unameuname -r3⤵
-
-
/usr/bin/systemd-detect-virtsystemd-detect-virt3⤵
- Checks hardware identifiers (DMI)
- Reads runtime system information
-
-
/bin/unameuname -m3⤵
-
-
/usr/bin/cutcut -d: -f23⤵
-
-
/usr/bin/headhead -n 13⤵
-
-
/bin/grepgrep flags3⤵
-
-
/bin/catcat /proc/cpuinfo3⤵
- Checks CPU configuration
-
-
/usr/bin/awkawk -F " " "{print \$3}"3⤵
- Reads runtime system information
-
-
/sbin/sysctlsysctl net.ipv4.tcp_congestion_control3⤵
- Reads runtime system information
-
-
/usr/bin/awkawk -F " " "{print \$3}"3⤵
- Reads runtime system information
-
-
/sbin/sysctlsysctl net.ipv4.tcp_congestion_control3⤵
- Reads runtime system information
-
-
/bin/hostnamehostname3⤵
-
-
/usr/bin/aptapt update -y3⤵
- Reads runtime system information
- Writes file to tmp directory
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures4⤵
- Reads runtime system information
-
-
/usr/lib/apt/methods/http/usr/lib/apt/methods/http4⤵
-
-
/usr/lib/apt/methods/https/usr/lib/apt/methods/https4⤵
-
-
/bin/shsh -c "[ ! -e /run/systemd/system ] || [ \$(id -u) -ne 0 ] || systemctl start --no-block apt-news.service esm-cache.service || true"4⤵
-
/usr/bin/idid -u5⤵
- Reads runtime system information
-
-
/bin/systemctlsystemctl start --no-block apt-news.service esm-cache.service5⤵
- Reads runtime system information
-
-
-
/usr/lib/apt/methods/https/usr/lib/apt/methods/https4⤵
-
-
/usr/lib/apt/methods/http/usr/lib/apt/methods/http4⤵
-
-
/usr/lib/apt/methods/http/usr/lib/apt/methods/http4⤵
-
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures4⤵
- Reads runtime system information
-
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures4⤵
- Reads runtime system information
-
-
-
/usr/bin/aptapt install jq iptables-persistent -y3⤵
- Reads runtime system information
- Writes file to tmp directory
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures4⤵
- Reads runtime system information
-
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures4⤵
- Reads runtime system information
-
-
/bin/sh/bin/sh -c "[ ! -f /usr/bin/snap ] || /usr/bin/snap advise-snap --from-apt 2>/dev/null || true"4⤵
-
/usr/bin/snap/usr/bin/snap advise-snap --from-apt5⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
-
-
-
/usr/lib/apt/methods/http/usr/lib/apt/methods/http4⤵
-
-
/bin/sh/bin/sh -c "[ ! -f /usr/bin/snap ] || /usr/bin/snap advise-snap --from-apt 2>/dev/null || true"4⤵
-
/usr/bin/snap/usr/bin/snap advise-snap --from-apt5⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
-
-
-
/bin/sh/bin/sh -c "[ ! -f /usr/bin/snap ] || /usr/bin/snap advise-snap --from-apt 2>/dev/null || true"4⤵
-
/usr/bin/snap/usr/bin/snap advise-snap --from-apt5⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
-
-
-
/usr/lib/apt/methods/http/usr/lib/apt/methods/http4⤵
-
-
/bin/sh/bin/sh -c "[ ! -f /usr/bin/snap ] || /usr/bin/snap advise-snap --from-apt 2>/dev/null || true"4⤵
-
/usr/bin/snap/usr/bin/snap advise-snap --from-apt5⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
-
-
-
-
/usr/bin/touchtouch sbyg_update3⤵
- Writes file to tmp directory
-
-
/usr/bin/apt-getapt-get install -y expect3⤵
- Reads runtime system information
- Writes file to tmp directory
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures4⤵
- Reads runtime system information
-
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures4⤵
- Reads runtime system information
-
-
/usr/lib/apt/methods/http/usr/lib/apt/methods/http4⤵
-
-
/usr/lib/apt/methods/http/usr/lib/apt/methods/http4⤵
-
-
-
/usr/bin/apt-getapt-get install -y qrencode3⤵
- Reads runtime system information
- Writes file to tmp directory
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures4⤵
- Reads runtime system information
-
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures4⤵
- Reads runtime system information
-
-
/usr/lib/apt/methods/http/usr/lib/apt/methods/http4⤵
-
-
/usr/lib/apt/methods/http/usr/lib/apt/methods/http4⤵
-
-
-
/usr/bin/apt-getapt-get install -y git3⤵
- Reads runtime system information
- Writes file to tmp directory
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures4⤵
- Reads runtime system information
-
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures4⤵
- Reads runtime system information
-
-
/usr/lib/apt/methods/http/usr/lib/apt/methods/http4⤵
-
-
/usr/lib/apt/methods/http/usr/lib/apt/methods/http4⤵
-
-
-
/usr/bin/clearclear3⤵
-
-
/bin/catcat /etc/s-box/v3⤵
-
-
/usr/bin/headhead -n 13⤵
-
-
/usr/bin/awkawk -F 更新内容 "{print \$1}"3⤵
- Reads runtime system information
-
-
/usr/bin/curlcurl -sL https://raw.githubusercontent.com/yonggekkk/sing-box_hysteria2_tuic_argo_reality/main/version3⤵
-
-
-
/bin/sleepsleep 52⤵
-
-
/bin/rmrm -fr /root/.cache/bztmpNddd37UDv2⤵
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
143KB
MD5f1973953ae5fec498235b9b8c9a147a8
SHA1379a71b20e20d95ea0a88d46d0e915e9dd6bbcff
SHA25692869467d779529f7f8daffd9213fdfa8c153ebdb42c261b349da5ec76c363b5
SHA512340aaa1ab1f1b6753dab411967806e5d1ceba71224e676d25e95a644c8ff086397a750640b8f8958f54926a0eb37d0fbe72246e8f8f58af18b73db17d39c7e62
-
Filesize
235KB
MD5373fe2f2ef99005d2550a482f09a3e51
SHA168e6572b55b1e77f7d171ebac7b2579b7a6bd51d
SHA2567552d5ab0c3879756a860aaab8e7c2f8ffb9409ea9ff9e65fc046ba5c519ebe5
SHA512def9e854b824d2fddc6a15f898be73cfb679ac38563f5af854546f49c9d5d2316a40176dc41d6b360bda7b65de53863a53e4eedadf6336000b031b77a113607b