b2d14c4cc7e7d28838f1b6ce763b0a037fd0699062844042847bfe79ba64135c

Analysis

max time kernel
16s
max time network
132s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240508-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240508-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
26/05/2024, 11:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

upgrade.ispmgr5.sh
Size

9KB
MD5

fe8ee0de49e72ccb5da410e3f5df4492
SHA1

31e154314d95c9b83ea0bf037482cfaf5465dc9d
SHA256

b2d14c4cc7e7d28838f1b6ce763b0a037fd0699062844042847bfe79ba64135c
SHA512

883aae687c13feb4b06e4293fa07f7974d7f86ec34549b6658e89568871ac762d54658f5c55ca5e5590dfb8d52d115bf3aa53c1e844b622aff98223c1bf9cca0
SSDEEP

192:ojwlshNalYCLNq47i1zYHSM28BluXdYSIqmYCfvKzgqbhcOAmYEZvWMqouMoG1qu:ojwleELtbyMXkYxqvIGgqbhcfmYEZvWE

Score

3^/10

Malware Config

Signatures

Reads runtime system information 35 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/sys/kernel/osrelease	systemctl
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/self/maps	awk
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/sys/kernel/ngroups_max	apt-get
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/1/sched	systemctl
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/filesystems	id
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/sys/kernel/ngroups_max	apt-get
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/self/fd	apt-get
File opened for reading	/proc/self/fd	apt-get
File opened for reading	/proc/self/fd	apt-get
File opened for reading	/proc/filesystems	id
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/self/maps	awk
File opened for reading	/proc/self/fd	apt-cache
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/1/sched	systemctl
File opened for reading	/proc/sys/kernel/osrelease	systemctl
File opened for reading	/proc/self/maps	awk
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/self/maps	awk
File opened for reading	/proc/filesystems	dpkg

Writes file to tmp directory 64 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/fileutl.message.MXqEi2	apt-get
File opened for modification	/tmp/fileutl.message.XhyMpd	apt-get
File opened for modification	/tmp/fileutl.message.hvqYlA	apt-get
File opened for modification	/tmp/fileutl.message.dG7sJ0	apt-get
File opened for modification	/tmp/fileutl.message.Pcs6kr	apt-get
File opened for modification	/tmp/fileutl.message.dbaUrF	apt-get
File opened for modification	/tmp/fileutl.message.LHLtSU	apt-get
File opened for modification	/tmp/fileutl.message.DUbmvh	apt-get
File opened for modification	/tmp/fileutl.message.nOjFwG	apt-get
File opened for modification	/tmp/fileutl.message.HFVGRL	apt-get
File opened for modification	/tmp/fileutl.message.VYxZxN	apt-cache
File opened for modification	/tmp/fileutl.message.lXUDeo	apt-get
File opened for modification	/tmp/fileutl.message.dtRHy6	apt-get
File opened for modification	/tmp/fileutl.message.dgFcYE	apt-get
File opened for modification	/tmp/fileutl.message.JL48Ja	apt-cache
File opened for modification	/tmp/fileutl.message.Phitb1	apt-cache
File opened for modification	/tmp/fileutl.message.Vdu5NG	apt-get
File opened for modification	/tmp/fileutl.message.hO2sw6	apt-get
File opened for modification	/tmp/fileutl.message.cOIGCy	apt-get
File opened for modification	/tmp/fileutl.message.de4ibp	apt-cache
File opened for modification	/tmp/fileutl.message.xt0Pj6	apt-cache
File opened for modification	/tmp/fileutl.message.YbCegQ	apt-get
File opened for modification	/tmp/fileutl.message.3uDy9x	apt-get
File opened for modification	/tmp/fileutl.message.dtgmER	apt-cache
File opened for modification	/tmp/fileutl.message.hSXx8H	apt-cache
File opened for modification	/tmp/fileutl.message.Vy73n3	apt-get
File opened for modification	/tmp/fileutl.message.FSt9yr	apt-get
File opened for modification	/tmp/fileutl.message.RSBc2P	apt-get
File opened for modification	/tmp/fileutl.message.L2unID	apt-cache
File opened for modification	/tmp/fileutl.message.fex2Js	apt-get
File opened for modification	/tmp/fileutl.message.zq37SX	apt-get
File opened for modification	/tmp/fileutl.message.gsy5rE	apt-get
File opened for modification	/tmp/fileutl.message.PQ3WT6	apt-get
File opened for modification	/tmp/fileutl.message.jczJTj	apt-get
File opened for modification	/tmp/fileutl.message.FRhMQZ	apt-get
File opened for modification	/tmp/fileutl.message.XO64my	apt-get
File opened for modification	/tmp/fileutl.message.zMgl7T	apt-get
File opened for modification	/tmp/fileutl.message.9F6RdX	apt-cache
File opened for modification	/tmp/fileutl.message.vXA0Dy	apt-cache
File opened for modification	/tmp/fileutl.message.Rz8lAy	apt-get
File opened for modification	/tmp/fileutl.message.9Lm7or	apt-get
File opened for modification	/tmp/fileutl.message.h3W0PS	apt-get
File opened for modification	/tmp/fileutl.message.DiPa46	apt-cache
File opened for modification	/tmp/fileutl.message.N8AcsN	apt-cache
File opened for modification	/tmp/fileutl.message.ZN5VGe	apt-get
File opened for modification	/tmp/fileutl.message.hNOSKJ	apt-get
File opened for modification	/tmp/fileutl.message.sk0WkK	apt-get
File opened for modification	/tmp/fileutl.message.n1rw0d	apt-get
File opened for modification	/tmp/fileutl.message.9ulbE0	apt-get
File opened for modification	/tmp/fileutl.message.RsV3ym	apt-get
File opened for modification	/tmp/fileutl.message.VJ9Flk	apt-get
File opened for modification	/tmp/fileutl.message.2sR3Qs	apt-get
File opened for modification	/tmp/fileutl.message.vw3lLZ	apt-get
File opened for modification	/tmp/fileutl.message.bTCy3F	apt-get
File opened for modification	/tmp/fileutl.message.PEDWL3	apt-get
File opened for modification	/tmp/fileutl.message.XZJ9hi	apt-get
File opened for modification	/tmp/fileutl.message.VCRpaB	apt-get
File opened for modification	/tmp/fileutl.message.ZgH3nc	apt-get
File opened for modification	/tmp/fileutl.message.LNgN0t	apt-cache
File opened for modification	/tmp/fileutl.message.ERN7eW	apt-get
File opened for modification	/tmp/fileutl.message.N3lLzM	apt-get
File opened for modification	/tmp/fileutl.message.dBeVl6	apt-get
File opened for modification	/tmp/fileutl.message.XFdNmk	apt-cache
File opened for modification	/tmp/fileutl.message.l7wJJf	apt-cache

/tmp/upgrade.ispmgr5.sh
/tmp/upgrade.ispmgr5.sh
1⤵
PID:1474
- /bin/uname
  uname -s
  2⤵
  PID:1475
- /usr/bin/apt-get
  /usr/bin/apt-get -qy update
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:1476
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:1477
- - /usr/lib/apt/methods/http
    /usr/lib/apt/methods/http
    3⤵
    PID:1478
- - /usr/lib/apt/methods/https
    /usr/lib/apt/methods/https
    3⤵
    PID:1479
- - /bin/sh
    sh -c "[ ! -e /run/systemd/system ] || [ \$(id -u) -ne 0 ] || systemctl start --no-block apt-news.service esm-cache.service || true"
    3⤵
    PID:1481
  - - /usr/bin/id
      id -u
      4⤵
      Reads runtime system information
      PID:1482
  - - /bin/systemctl
      systemctl start --no-block apt-news.service esm-cache.service
      4⤵
      Reads runtime system information
      PID:1483
- - /usr/lib/apt/methods/https
    /usr/lib/apt/methods/https
    3⤵
    PID:1492
- - /usr/lib/apt/methods/http
    /usr/lib/apt/methods/http
    3⤵
    PID:1494
- - /usr/lib/apt/methods/http
    /usr/lib/apt/methods/http
    3⤵
    PID:1495
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:1505
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:1514
- /usr/bin/apt-get
  apt-get -qy --allow-unauthenticated -u install ca-certificates
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:1515
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:1516
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:1517
- /usr/bin/which
  which which
  2⤵
  PID:1522
- /usr/bin/which
  which lsb_release
  2⤵
  PID:1523
- /usr/bin/which
  which hexdump
  2⤵
  PID:1524
- /usr/bin/which
  which logger
  2⤵
  PID:1525
- /usr/bin/which
  which free
  2⤵
  PID:1526
- /usr/bin/which
  which python
  2⤵
  PID:1527
- /usr/bin/which
  which gpg
  2⤵
  PID:1528
- /usr/bin/which
  which wget curl
  2⤵
  PID:1529
- /usr/bin/lsb_release
  lsb_release -s -c
  2⤵
  PID:1530
- /bin/grep
  grep -q -w bionic
  2⤵
  PID:1532
- /usr/bin/lsb_release
  lsb_release -s -i
  2⤵
  PID:1533
- /bin/grep
  grep -q install.sh
  2⤵
  PID:1535
- /usr/bin/wget
  /usr/bin/wget -T 30 -t 10 "--waitretry=5" -q -O - http://download.ispmanager.com/
  2⤵
  PID:1534
- /bin/grep
  grep -q install.sh
  2⤵
  PID:1540
- /usr/bin/wget
  /usr/bin/wget -T 30 -t 10 "--waitretry=5" -q -O - http://download.ispmanager.com/
  2⤵
  PID:1539
- /bin/grep
  grep beta /usr/local/mgr5/etc/repo.version
  2⤵
  PID:1544
- /bin/rm
  rm -f /etc/apt/sources.list.d/ispsystem-base.list
  2⤵
  PID:1545
- /bin/rm
  rm -f /etc/apt/sources.list.d/ispsystem.list
  2⤵
  PID:1546
- /bin/grep
  grep -qE "^(6-)?(stable|beta|intbeta|intstable|5\\.[0-9]+)\$"
  2⤵
  PID:1548
- /bin/rm
  rm -f /etc/apt/sources.list.d/exosoft.list
  2⤵
  PID:1549
- /bin/grep
  grep -qE "^(6-)?(stable|beta|intbeta|intstable|5\\.[0-9]+)\$"
  2⤵
  PID:1551
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  - Reads runtime system information
  PID:1556
- /usr/bin/dpkg
  dpkg -s coremanager
  2⤵
  - Reads runtime system information
  PID:1554
- /bin/grep
  grep Version
  2⤵
  PID:1555
- /usr/local/sbin/dpkg-query
  dpkg-query --status -- coremanager
  2⤵
  PID:1554
- /usr/local/bin/dpkg-query
  dpkg-query --status -- coremanager
  2⤵
  PID:1554
- /usr/sbin/dpkg-query
  dpkg-query --status -- coremanager
  2⤵
  PID:1554
- /usr/bin/dpkg-query
  dpkg-query --status -- coremanager
  2⤵
  PID:1554
- /usr/bin/cut
  cut -d. "-f1,2"
  2⤵
  PID:1559
- /usr/bin/awk
  awk -F- "{print \$1}"
  2⤵
  - Reads runtime system information
  PID:1558
- /usr/bin/apt-get
  apt-get -y update
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:1562
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:1563
- - /usr/lib/apt/methods/http
    /usr/lib/apt/methods/http
    3⤵
    PID:1564
- - /usr/lib/apt/methods/https
    /usr/lib/apt/methods/https
    3⤵
    PID:1565
- - /bin/sh
    sh -c "[ ! -e /run/systemd/system ] || [ \$(id -u) -ne 0 ] || systemctl start --no-block apt-news.service esm-cache.service || true"
    3⤵
    PID:1567
  - - /usr/bin/id
      id -u
      4⤵
      Reads runtime system information
      PID:1568
  - - /bin/systemctl
      systemctl start --no-block apt-news.service esm-cache.service
      4⤵
      Reads runtime system information
      PID:1569
- - /usr/lib/apt/methods/https
    /usr/lib/apt/methods/https
    3⤵
    PID:1573
- - /usr/lib/apt/methods/http
    /usr/lib/apt/methods/http
    3⤵
    PID:1576
- - /usr/lib/apt/methods/http
    /usr/lib/apt/methods/http
    3⤵
    PID:1577
- - /usr/lib/apt/methods/http
    /usr/lib/apt/methods/http
    3⤵
    PID:1578
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:1583
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:1587
- /usr/bin/sort
  sort -V
  2⤵
  PID:1590
- /usr/bin/tail
  tail -1
  2⤵
  PID:1591
- /usr/bin/lsb_release
  lsb_release -c -s
  2⤵
  PID:1592
- /usr/bin/apt-cache
  apt-cache madison coremanager
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:1588
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:1593
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:1594
- /usr/bin/awk
  awk -v "rel=stable6" -v "dist=bionic" "\$6 == rel\"-\"dist\"/main\" {print \$3}"
  2⤵
  - Reads runtime system information
  PID:1589
- /usr/bin/cut
  cut -d. "-f1,2"
  2⤵
  PID:1597
- /usr/bin/awk
  awk -F- "{print \$1}"
  2⤵
  - Reads runtime system information
  PID:1596
- /usr/bin/head
  head -n1
  2⤵
  PID:1601
- /usr/bin/sort
  sort -V
  2⤵
  PID:1600
- /bin/rm
  rm -f /etc/apt/sources.list.d/ispsystem.list
  2⤵
  PID:1602
- /bin/grep
  grep -qE "^(6-)?(stable|beta|intbeta|intstable|5\\.[0-9]+)\$"
  2⤵
  PID:1604
- /bin/rm
  rm -f /etc/apt/sources.list.d/exosoft.list
  2⤵
  PID:1605
- /bin/grep
  grep -qE "^(6-)?(stable|beta|intbeta|intstable|5\\.[0-9]+)\$"
  2⤵
  PID:1607
- /usr/local/mgr5/sbin/pkgupgrade.sh
  /usr/local/mgr5/sbin/pkgupgrade.sh coremanager
  2⤵
  PID:1608

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/apt/sources.list.d/exosoft.list

Filesize
77B

MD5
70bd3c41507c24819365035295afe587

SHA1
320ebc5cb88c94d93fa714b518fa26898bb29967

SHA256
37a892055fcbe0bbba23d2a4200332661410b4eb16764fb150c28893b92b5f97

SHA512
22c3e8bab4aa2fa7f3966decca58fb6595c886235a59e4205d09ec031dc562dd0c653c16bfe4b01344cbd9eeec6ba71a2a5fa12d0e54e002a541eb11c5ff3f4b

Download Submit
/etc/apt/sources.list.d/exosoft.list

Filesize
70B

MD5
7b943251971fd81b5e24d8730e17cc69

SHA1
f65d08c04f884ce9c87311140dd77549f5b0865a

SHA256
ca8afb49172d2b16af9d8f8d4ca4e27fcaa45df43c5f7b62d590261e2a0b80b0

SHA512
7e3ae7786a88fe359117a993ea49e3a8433e4ca7c98fd86b8f919529604654f67d264845c69b161184bf98b0dc4d0bfc23f8cfb2919103b4a97bf08341d83259

Download Submit
/etc/apt/sources.list.d/ispsystem-base.list

Filesize
72B

MD5
15a7e70a2f98716f0e31fd02ca7cc76e

SHA1
e8a874305bad9b6a5287841227b29b0716da7de0

SHA256
88d632b889275a46c08f949f391871675138897a3f80e60713c5e88e741adcf1

SHA512
b4ccb4bd62fa44d288eb2aeacb93c2ac981accfd8d34e9b9b9f13bf5b054cc084f7ce81df5e7a0503fac9529d4d378e21dbcb00412e149464b0a1853e6ff64fd

Download Submit
/tmp/fileutl.message.Rz8lAy

Filesize
235KB

MD5
373fe2f2ef99005d2550a482f09a3e51

SHA1
68e6572b55b1e77f7d171ebac7b2579b7a6bd51d

SHA256
7552d5ab0c3879756a860aaab8e7c2f8ffb9409ea9ff9e65fc046ba5c519ebe5

SHA512
def9e854b824d2fddc6a15f898be73cfb679ac38563f5af854546f49c9d5d2316a40176dc41d6b360bda7b65de53863a53e4eedadf6336000b031b77a113607b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads