Analysis
- max time kernel: 16s
- max time network: 132s
- platform: ubuntu-18.04_amd64
- resource: ubuntu1804-amd64-20240508-en
- resource tags: arch:amd64, arch:i386, image:ubuntu1804-amd64-20240508-en, kernel:4.15.0-213-generic, locale:en-us, os:ubuntu-18.04-amd64, system
- submitted: 26/05/2024, 11:41
Static task
- static1
Behavioral tasks
- behavioral1: sample upgrade.ispmgr5.sh, resource ubuntu1804-amd64-20240508-en
- behavioral2: sample upgrade.ispmgr5.sh, resource debian9-armhf-20240418-en
- behavioral3: sample upgrade.ispmgr5.sh, resource debian9-mipsbe-20240418-en
- behavioral4: sample upgrade.ispmgr5.sh, resource debian9-mipsel-20240226-en
General
- Target: upgrade.ispmgr5.sh
- Size: 9KB
- MD5: fe8ee0de49e72ccb5da410e3f5df4492
- SHA1: 31e154314d95c9b83ea0bf037482cfaf5465dc9d
- SHA256: b2d14c4cc7e7d28838f1b6ce763b0a037fd0699062844042847bfe79ba64135c
- SHA512: 883aae687c13feb4b06e4293fa07f7974d7f86ec34549b6658e89568871ac762d54658f5c55ca5e5590dfb8d52d115bf3aa53c1e844b622aff98223c1bf9cca0
- SSDEEP: 192:ojwlshNalYCLNq47i1zYHSM28BluXdYSIqmYCfvKzgqbhcOAmYEZvWMqouMoG1qu:ojwleELtbyMXkYxqvIGgqbhcfmYEZvWE
Malware Config
Signatures
- Reads runtime system information (35 IoCs): reads data from the /proc virtual filesystem.
- Writes file to tmp directory (64 IoCs): malware often drops required files in the /tmp directory.
Processes
Each entry is image, PID: command line [signatures]; indentation shows the parent/child depth.
- /tmp/upgrade.ispmgr5.sh, PID 1474: /tmp/upgrade.ispmgr5.sh
  - /bin/uname, PID 1475: uname -s
  - /usr/bin/apt-get, PID 1476: /usr/bin/apt-get -qy update [Reads runtime system information; Writes file to tmp directory]
    - /usr/bin/dpkg, PID 1477: /usr/bin/dpkg --print-foreign-architectures [Reads runtime system information]
    - /usr/lib/apt/methods/http, PID 1478: /usr/lib/apt/methods/http
    - /usr/lib/apt/methods/https, PID 1479: /usr/lib/apt/methods/https
    - /bin/sh, PID 1481: sh -c "[ ! -e /run/systemd/system ] || [ \$(id -u) -ne 0 ] || systemctl start --no-block apt-news.service esm-cache.service || true"
      - /usr/bin/id, PID 1482: id -u [Reads runtime system information]
      - /bin/systemctl, PID 1483: systemctl start --no-block apt-news.service esm-cache.service [Reads runtime system information]
    - /usr/lib/apt/methods/https, PID 1492: /usr/lib/apt/methods/https
    - /usr/lib/apt/methods/http, PID 1494: /usr/lib/apt/methods/http
    - /usr/lib/apt/methods/http, PID 1495: /usr/lib/apt/methods/http
    - /usr/bin/dpkg, PID 1505: /usr/bin/dpkg --print-foreign-architectures [Reads runtime system information]
    - /usr/bin/dpkg, PID 1514: /usr/bin/dpkg --print-foreign-architectures [Reads runtime system information]
  - /usr/bin/apt-get, PID 1515: apt-get -qy --allow-unauthenticated -u install ca-certificates [Reads runtime system information; Writes file to tmp directory]
    - /usr/bin/dpkg, PID 1516: /usr/bin/dpkg --print-foreign-architectures [Reads runtime system information]
    - /usr/bin/dpkg, PID 1517: /usr/bin/dpkg --print-foreign-architectures [Reads runtime system information]
  - /usr/bin/which, PID 1522: which which
  - /usr/bin/which, PID 1523: which lsb_release
  - /usr/bin/which, PID 1524: which hexdump
  - /usr/bin/which, PID 1525: which logger
  - /usr/bin/which, PID 1526: which free
  - /usr/bin/which, PID 1527: which python
  - /usr/bin/which, PID 1528: which gpg
  - /usr/bin/which, PID 1529: which wget curl
  - /usr/bin/lsb_release, PID 1530: lsb_release -s -c
  - /bin/grep, PID 1532: grep -q -w bionic
  - /usr/bin/lsb_release, PID 1533: lsb_release -s -i
  - /bin/grep, PID 1535: grep -q install.sh
  - /usr/bin/wget, PID 1534: /usr/bin/wget -T 30 -t 10 "--waitretry=5" -q -O - http://download.ispmanager.com/
  - /bin/grep, PID 1540: grep -q install.sh
  - /usr/bin/wget, PID 1539: /usr/bin/wget -T 30 -t 10 "--waitretry=5" -q -O - http://download.ispmanager.com/
  - /bin/grep, PID 1544: grep beta /usr/local/mgr5/etc/repo.version
  - /bin/rm, PID 1545: rm -f /etc/apt/sources.list.d/ispsystem-base.list
  - /bin/rm, PID 1546: rm -f /etc/apt/sources.list.d/ispsystem.list
  - /bin/grep, PID 1548: grep -qE "^(6-)?(stable|beta|intbeta|intstable|5\\.[0-9]+)\$"
  - /bin/rm, PID 1549: rm -f /etc/apt/sources.list.d/exosoft.list
  - /bin/grep, PID 1551: grep -qE "^(6-)?(stable|beta|intbeta|intstable|5\\.[0-9]+)\$"
  - /usr/bin/awk, PID 1556: awk "{print \$2}" [Reads runtime system information]
  - /usr/bin/dpkg, PID 1554: dpkg -s coremanager [Reads runtime system information]
  - /bin/grep, PID 1555: grep Version
  - /usr/local/sbin/dpkg-query, PID 1554: dpkg-query --status -- coremanager
  - /usr/local/bin/dpkg-query, PID 1554: dpkg-query --status -- coremanager
  - /usr/sbin/dpkg-query, PID 1554: dpkg-query --status -- coremanager
  - /usr/bin/dpkg-query, PID 1554: dpkg-query --status -- coremanager
  - /usr/bin/cut, PID 1559: cut -d. "-f1,2"
  - /usr/bin/awk, PID 1558: awk -F- "{print \$1}" [Reads runtime system information]
  - /usr/bin/apt-get, PID 1562: apt-get -y update [Reads runtime system information; Writes file to tmp directory]
    - /usr/bin/dpkg, PID 1563: /usr/bin/dpkg --print-foreign-architectures [Reads runtime system information]
    - /usr/lib/apt/methods/http, PID 1564: /usr/lib/apt/methods/http
    - /usr/lib/apt/methods/https, PID 1565: /usr/lib/apt/methods/https
    - /bin/sh, PID 1567: sh -c "[ ! -e /run/systemd/system ] || [ \$(id -u) -ne 0 ] || systemctl start --no-block apt-news.service esm-cache.service || true"
      - /usr/bin/id, PID 1568: id -u [Reads runtime system information]
      - /bin/systemctl, PID 1569: systemctl start --no-block apt-news.service esm-cache.service [Reads runtime system information]
    - /usr/lib/apt/methods/https, PID 1573: /usr/lib/apt/methods/https
    - /usr/lib/apt/methods/http, PID 1576: /usr/lib/apt/methods/http
    - /usr/lib/apt/methods/http, PID 1577: /usr/lib/apt/methods/http
    - /usr/lib/apt/methods/http, PID 1578: /usr/lib/apt/methods/http
    - /usr/bin/dpkg, PID 1583: /usr/bin/dpkg --print-foreign-architectures [Reads runtime system information]
    - /usr/bin/dpkg, PID 1587: /usr/bin/dpkg --print-foreign-architectures [Reads runtime system information]
  - /usr/bin/sort, PID 1590: sort -V
  - /usr/bin/tail, PID 1591: tail -1
  - /usr/bin/lsb_release, PID 1592: lsb_release -c -s
  - /usr/bin/apt-cache, PID 1588: apt-cache madison coremanager [Reads runtime system information; Writes file to tmp directory]
    - /usr/bin/dpkg, PID 1593: /usr/bin/dpkg --print-foreign-architectures [Reads runtime system information]
    - /usr/bin/dpkg, PID 1594: /usr/bin/dpkg --print-foreign-architectures [Reads runtime system information]
  - /usr/bin/awk, PID 1589: awk -v "rel=stable6" -v "dist=bionic" "\$6 == rel\"-\"dist\"/main\" {print \$3}" [Reads runtime system information]
  - /usr/bin/cut, PID 1597: cut -d. "-f1,2"
  - /usr/bin/awk, PID 1596: awk -F- "{print \$1}" [Reads runtime system information]
  - /usr/bin/head, PID 1601: head -n1
  - /usr/bin/sort, PID 1600: sort -V
  - /bin/rm, PID 1602: rm -f /etc/apt/sources.list.d/ispsystem.list
  - /bin/grep, PID 1604: grep -qE "^(6-)?(stable|beta|intbeta|intstable|5\\.[0-9]+)\$"
  - /bin/rm, PID 1605: rm -f /etc/apt/sources.list.d/exosoft.list
  - /bin/grep, PID 1607: grep -qE "^(6-)?(stable|beta|intbeta|intstable|5\\.[0-9]+)\$"
  - /usr/local/mgr5/sbin/pkgupgrade.sh, PID 1608: /usr/local/mgr5/sbin/pkgupgrade.sh coremanager
Network
MITRE ATT&CK Matrix
Downloads