Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    16s
  • max time network
    132s
  • platform
    ubuntu-18.04_amd64
  • resource
    ubuntu1804-amd64-20240508-en
  • resource tags

    arch:amd64arch:i386image:ubuntu1804-amd64-20240508-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
  • submitted
    26/05/2024, 11:41

General

  • Target

    upgrade.ispmgr5.sh

  • Size

    9KB

  • MD5

    fe8ee0de49e72ccb5da410e3f5df4492

  • SHA1

    31e154314d95c9b83ea0bf037482cfaf5465dc9d

  • SHA256

    b2d14c4cc7e7d28838f1b6ce763b0a037fd0699062844042847bfe79ba64135c

  • SHA512

    883aae687c13feb4b06e4293fa07f7974d7f86ec34549b6658e89568871ac762d54658f5c55ca5e5590dfb8d52d115bf3aa53c1e844b622aff98223c1bf9cca0

  • SSDEEP

    192:ojwlshNalYCLNq47i1zYHSM28BluXdYSIqmYCfvKzgqbhcOAmYEZvWMqouMoG1qu:ojwleELtbyMXkYxqvIGgqbhcfmYEZvWE

Score
3/10

Malware Config

Signatures

  • Reads runtime system information 35 IoCs

    Reads data from /proc virtual filesystem.

  • Writes file to tmp directory 64 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/upgrade.ispmgr5.sh
    /tmp/upgrade.ispmgr5.sh
    1⤵
      PID:1474
      • /bin/uname
        uname -s
        2⤵
          PID:1475
        • /usr/bin/apt-get
          /usr/bin/apt-get -qy update
          2⤵
          • Reads runtime system information
          • Writes file to tmp directory
          PID:1476
          • /usr/bin/dpkg
            /usr/bin/dpkg --print-foreign-architectures
            3⤵
            • Reads runtime system information
            PID:1477
          • /usr/lib/apt/methods/http
            /usr/lib/apt/methods/http
            3⤵
              PID:1478
            • /usr/lib/apt/methods/https
              /usr/lib/apt/methods/https
              3⤵
                PID:1479
              • /bin/sh
                sh -c "[ ! -e /run/systemd/system ] || [ \$(id -u) -ne 0 ] || systemctl start --no-block apt-news.service esm-cache.service || true"
                3⤵
                  PID:1481
                  • /usr/bin/id
                    id -u
                    4⤵
                    • Reads runtime system information
                    PID:1482
                  • /bin/systemctl
                    systemctl start --no-block apt-news.service esm-cache.service
                    4⤵
                    • Reads runtime system information
                    PID:1483
                • /usr/lib/apt/methods/https
                  /usr/lib/apt/methods/https
                  3⤵
                    PID:1492
                  • /usr/lib/apt/methods/http
                    /usr/lib/apt/methods/http
                    3⤵
                      PID:1494
                    • /usr/lib/apt/methods/http
                      /usr/lib/apt/methods/http
                      3⤵
                        PID:1495
                      • /usr/bin/dpkg
                        /usr/bin/dpkg --print-foreign-architectures
                        3⤵
                        • Reads runtime system information
                        PID:1505
                      • /usr/bin/dpkg
                        /usr/bin/dpkg --print-foreign-architectures
                        3⤵
                        • Reads runtime system information
                        PID:1514
                    • /usr/bin/apt-get
                      apt-get -qy --allow-unauthenticated -u install ca-certificates
                      2⤵
                      • Reads runtime system information
                      • Writes file to tmp directory
                      PID:1515
                      • /usr/bin/dpkg
                        /usr/bin/dpkg --print-foreign-architectures
                        3⤵
                        • Reads runtime system information
                        PID:1516
                      • /usr/bin/dpkg
                        /usr/bin/dpkg --print-foreign-architectures
                        3⤵
                        • Reads runtime system information
                        PID:1517
                    • /usr/bin/which
                      which which
                      2⤵
                        PID:1522
                      • /usr/bin/which
                        which lsb_release
                        2⤵
                          PID:1523
                        • /usr/bin/which
                          which hexdump
                          2⤵
                            PID:1524
                          • /usr/bin/which
                            which logger
                            2⤵
                              PID:1525
                            • /usr/bin/which
                              which free
                              2⤵
                                PID:1526
                              • /usr/bin/which
                                which python
                                2⤵
                                  PID:1527
                                • /usr/bin/which
                                  which gpg
                                  2⤵
                                    PID:1528
                                  • /usr/bin/which
                                    which wget curl
                                    2⤵
                                      PID:1529
                                    • /usr/bin/lsb_release
                                      lsb_release -s -c
                                      2⤵
                                        PID:1530
                                      • /bin/grep
                                        grep -q -w bionic
                                        2⤵
                                          PID:1532
                                        • /usr/bin/lsb_release
                                          lsb_release -s -i
                                          2⤵
                                            PID:1533
                                          • /bin/grep
                                            grep -q install.sh
                                            2⤵
                                              PID:1535
                                            • /usr/bin/wget
                                              /usr/bin/wget -T 30 -t 10 "--waitretry=5" -q -O - http://download.ispmanager.com/
                                              2⤵
                                                PID:1534
                                              • /bin/grep
                                                grep -q install.sh
                                                2⤵
                                                  PID:1540
                                                • /usr/bin/wget
                                                  /usr/bin/wget -T 30 -t 10 "--waitretry=5" -q -O - http://download.ispmanager.com/
                                                  2⤵
                                                    PID:1539
                                                  • /bin/grep
                                                    grep beta /usr/local/mgr5/etc/repo.version
                                                    2⤵
                                                      PID:1544
                                                    • /bin/rm
                                                      rm -f /etc/apt/sources.list.d/ispsystem-base.list
                                                      2⤵
                                                        PID:1545
                                                      • /bin/rm
                                                        rm -f /etc/apt/sources.list.d/ispsystem.list
                                                        2⤵
                                                          PID:1546
                                                        • /bin/grep
                                                          grep -qE "^(6-)?(stable|beta|intbeta|intstable|5\\.[0-9]+)\$"
                                                          2⤵
                                                            PID:1548
                                                          • /bin/rm
                                                            rm -f /etc/apt/sources.list.d/exosoft.list
                                                            2⤵
                                                              PID:1549
                                                            • /bin/grep
                                                              grep -qE "^(6-)?(stable|beta|intbeta|intstable|5\\.[0-9]+)\$"
                                                              2⤵
                                                                PID:1551
                                                              • /usr/bin/awk
                                                                awk "{print \$2}"
                                                                2⤵
                                                                • Reads runtime system information
                                                                PID:1556
                                                              • /usr/bin/dpkg
                                                                dpkg -s coremanager
                                                                2⤵
                                                                • Reads runtime system information
                                                                PID:1554
                                                              • /bin/grep
                                                                grep Version
                                                                2⤵
                                                                  PID:1555
                                                                • /usr/local/sbin/dpkg-query
                                                                  dpkg-query --status -- coremanager
                                                                  2⤵
                                                                    PID:1554
                                                                  • /usr/local/bin/dpkg-query
                                                                    dpkg-query --status -- coremanager
                                                                    2⤵
                                                                      PID:1554
                                                                    • /usr/sbin/dpkg-query
                                                                      dpkg-query --status -- coremanager
                                                                      2⤵
                                                                        PID:1554
                                                                      • /usr/bin/dpkg-query
                                                                        dpkg-query --status -- coremanager
                                                                        2⤵
                                                                          PID:1554
                                                                        • /usr/bin/cut
                                                                          cut -d. "-f1,2"
                                                                          2⤵
                                                                            PID:1559
                                                                          • /usr/bin/awk
                                                                            awk -F- "{print \$1}"
                                                                            2⤵
                                                                            • Reads runtime system information
                                                                            PID:1558
                                                                          • /usr/bin/apt-get
                                                                            apt-get -y update
                                                                            2⤵
                                                                            • Reads runtime system information
                                                                            • Writes file to tmp directory
                                                                            PID:1562
                                                                            • /usr/bin/dpkg
                                                                              /usr/bin/dpkg --print-foreign-architectures
                                                                              3⤵
                                                                              • Reads runtime system information
                                                                              PID:1563
                                                                            • /usr/lib/apt/methods/http
                                                                              /usr/lib/apt/methods/http
                                                                              3⤵
                                                                                PID:1564
                                                                              • /usr/lib/apt/methods/https
                                                                                /usr/lib/apt/methods/https
                                                                                3⤵
                                                                                  PID:1565
                                                                                • /bin/sh
                                                                                  sh -c "[ ! -e /run/systemd/system ] || [ \$(id -u) -ne 0 ] || systemctl start --no-block apt-news.service esm-cache.service || true"
                                                                                  3⤵
                                                                                    PID:1567
                                                                                    • /usr/bin/id
                                                                                      id -u
                                                                                      4⤵
                                                                                      • Reads runtime system information
                                                                                      PID:1568
                                                                                    • /bin/systemctl
                                                                                      systemctl start --no-block apt-news.service esm-cache.service
                                                                                      4⤵
                                                                                      • Reads runtime system information
                                                                                      PID:1569
                                                                                  • /usr/lib/apt/methods/https
                                                                                    /usr/lib/apt/methods/https
                                                                                    3⤵
                                                                                      PID:1573
                                                                                    • /usr/lib/apt/methods/http
                                                                                      /usr/lib/apt/methods/http
                                                                                      3⤵
                                                                                        PID:1576
                                                                                      • /usr/lib/apt/methods/http
                                                                                        /usr/lib/apt/methods/http
                                                                                        3⤵
                                                                                          PID:1577
                                                                                        • /usr/lib/apt/methods/http
                                                                                          /usr/lib/apt/methods/http
                                                                                          3⤵
                                                                                            PID:1578
                                                                                          • /usr/bin/dpkg
                                                                                            /usr/bin/dpkg --print-foreign-architectures
                                                                                            3⤵
                                                                                            • Reads runtime system information
                                                                                            PID:1583
                                                                                          • /usr/bin/dpkg
                                                                                            /usr/bin/dpkg --print-foreign-architectures
                                                                                            3⤵
                                                                                            • Reads runtime system information
                                                                                            PID:1587
                                                                                        • /usr/bin/sort
                                                                                          sort -V
                                                                                          2⤵
                                                                                            PID:1590
                                                                                          • /usr/bin/tail
                                                                                            tail -1
                                                                                            2⤵
                                                                                              PID:1591
                                                                                            • /usr/bin/lsb_release
                                                                                              lsb_release -c -s
                                                                                              2⤵
                                                                                                PID:1592
                                                                                              • /usr/bin/apt-cache
                                                                                                apt-cache madison coremanager
                                                                                                2⤵
                                                                                                • Reads runtime system information
                                                                                                • Writes file to tmp directory
                                                                                                PID:1588
                                                                                                • /usr/bin/dpkg
                                                                                                  /usr/bin/dpkg --print-foreign-architectures
                                                                                                  3⤵
                                                                                                  • Reads runtime system information
                                                                                                  PID:1593
                                                                                                • /usr/bin/dpkg
                                                                                                  /usr/bin/dpkg --print-foreign-architectures
                                                                                                  3⤵
                                                                                                  • Reads runtime system information
                                                                                                  PID:1594
                                                                                              • /usr/bin/awk
                                                                                                awk -v "rel=stable6" -v "dist=bionic" "\$6 == rel\"-\"dist\"/main\" {print \$3}"
                                                                                                2⤵
                                                                                                • Reads runtime system information
                                                                                                PID:1589
                                                                                              • /usr/bin/cut
                                                                                                cut -d. "-f1,2"
                                                                                                2⤵
                                                                                                  PID:1597
                                                                                                • /usr/bin/awk
                                                                                                  awk -F- "{print \$1}"
                                                                                                  2⤵
                                                                                                  • Reads runtime system information
                                                                                                  PID:1596
                                                                                                • /usr/bin/head
                                                                                                  head -n1
                                                                                                  2⤵
                                                                                                    PID:1601
                                                                                                  • /usr/bin/sort
                                                                                                    sort -V
                                                                                                    2⤵
                                                                                                      PID:1600
                                                                                                    • /bin/rm
                                                                                                      rm -f /etc/apt/sources.list.d/ispsystem.list
                                                                                                      2⤵
                                                                                                        PID:1602
                                                                                                      • /bin/grep
                                                                                                        grep -qE "^(6-)?(stable|beta|intbeta|intstable|5\\.[0-9]+)\$"
                                                                                                        2⤵
                                                                                                          PID:1604
                                                                                                        • /bin/rm
                                                                                                          rm -f /etc/apt/sources.list.d/exosoft.list
                                                                                                          2⤵
                                                                                                            PID:1605
                                                                                                          • /bin/grep
                                                                                                            grep -qE "^(6-)?(stable|beta|intbeta|intstable|5\\.[0-9]+)\$"
                                                                                                            2⤵
                                                                                                              PID:1607
                                                                                                            • /usr/local/mgr5/sbin/pkgupgrade.sh
                                                                                                              /usr/local/mgr5/sbin/pkgupgrade.sh coremanager
                                                                                                              2⤵
                                                                                                                PID:1608

                                                                                                            Network

                                                                                                            MITRE ATT&CK Matrix

                                                                                                            Replay Monitor

                                                                                                            Loading Replay Monitor...

                                                                                                            Downloads

                                                                                                            • /etc/apt/sources.list.d/exosoft.list

                                                                                                              Filesize

                                                                                                              77B

                                                                                                              MD5

                                                                                                              70bd3c41507c24819365035295afe587

                                                                                                              SHA1

                                                                                                              320ebc5cb88c94d93fa714b518fa26898bb29967

                                                                                                              SHA256

                                                                                                              37a892055fcbe0bbba23d2a4200332661410b4eb16764fb150c28893b92b5f97

                                                                                                              SHA512

                                                                                                              22c3e8bab4aa2fa7f3966decca58fb6595c886235a59e4205d09ec031dc562dd0c653c16bfe4b01344cbd9eeec6ba71a2a5fa12d0e54e002a541eb11c5ff3f4b

                                                                                                            • /etc/apt/sources.list.d/exosoft.list

                                                                                                              Filesize

                                                                                                              70B

                                                                                                              MD5

                                                                                                              7b943251971fd81b5e24d8730e17cc69

                                                                                                              SHA1

                                                                                                              f65d08c04f884ce9c87311140dd77549f5b0865a

                                                                                                              SHA256

                                                                                                              ca8afb49172d2b16af9d8f8d4ca4e27fcaa45df43c5f7b62d590261e2a0b80b0

                                                                                                              SHA512

                                                                                                              7e3ae7786a88fe359117a993ea49e3a8433e4ca7c98fd86b8f919529604654f67d264845c69b161184bf98b0dc4d0bfc23f8cfb2919103b4a97bf08341d83259

                                                                                                            • /etc/apt/sources.list.d/ispsystem-base.list

                                                                                                              Filesize

                                                                                                              72B

                                                                                                              MD5

                                                                                                              15a7e70a2f98716f0e31fd02ca7cc76e

                                                                                                              SHA1

                                                                                                              e8a874305bad9b6a5287841227b29b0716da7de0

                                                                                                              SHA256

                                                                                                              88d632b889275a46c08f949f391871675138897a3f80e60713c5e88e741adcf1

                                                                                                              SHA512

                                                                                                              b4ccb4bd62fa44d288eb2aeacb93c2ac981accfd8d34e9b9b9f13bf5b054cc084f7ce81df5e7a0503fac9529d4d378e21dbcb00412e149464b0a1853e6ff64fd

                                                                                                            • /tmp/fileutl.message.Rz8lAy

                                                                                                              Filesize

                                                                                                              235KB

                                                                                                              MD5

                                                                                                              373fe2f2ef99005d2550a482f09a3e51

                                                                                                              SHA1

                                                                                                              68e6572b55b1e77f7d171ebac7b2579b7a6bd51d

                                                                                                              SHA256

                                                                                                              7552d5ab0c3879756a860aaab8e7c2f8ffb9409ea9ff9e65fc046ba5c519ebe5

                                                                                                              SHA512

                                                                                                              def9e854b824d2fddc6a15f898be73cfb679ac38563f5af854546f49c9d5d2316a40176dc41d6b360bda7b65de53863a53e4eedadf6336000b031b77a113607b