Analysis Overview
SHA256
3b15778595cef00d1a51035dd4fd65e6be97e73544cb1899f40aec4aaa0445ae
Threat Level: Shows suspicious behavior
The file 3b15778595cef00d1a51035dd4fd65e6be97e73544cb1899f40aec4aaa0445ae.sh was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Enumerates running processes
Reads hardware information
Reads network interface configuration
Reads CPU attributes
Enumerates kernel/hardware configuration
Reads runtime system information
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-14 06:55
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-14 06:55
Reported
2024-06-14 06:57
Platform
ubuntu1804-amd64-20240611-en
Max time kernel
4s
Max time network
128s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | /.redtail | /.redtail | N/A |
Enumerates running processes
Reads hardware information
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for reading | /sys/devices/virtual/dmi/id/power | /usr/bin/find | N/A |
Reads network interface configuration
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for reading | /sys/devices/pci0000:00/0000:00:03.0/net/ens3/queues/tx-0 | /usr/bin/find | N/A |
| File opened for reading | /sys/devices/virtual/net/lo/power | /usr/bin/find | N/A |
| File opened for reading | /sys/devices/virtual/net/lo/queues/tx-0 | /usr/bin/find | N/A |
| File opened for reading | /sys/devices/pci0000:00/0000:00:03.0/net/ens3/statistics | /usr/bin/find | N/A |
| File opened for reading | /sys/devices/pci0000:00/0000:00:03.0/net/ens3/power | /usr/bin/find | N/A |
| File opened for reading | /sys/devices/pci0000:00/0000:00:03.0/net/ens3/queues | /usr/bin/find | N/A |
| File opened for reading | /sys/devices/pci0000:00/0000:00:03.0/net/ens3/queues/tx-0/byte_queue_limits | /usr/bin/find | N/A |
| File opened for reading | /sys/devices/pci0000:00/0000:00:03.0/net/ens3/queues/rx-0 | /usr/bin/find | N/A |
| File opened for reading | /sys/devices/virtual/net/lo/statistics | /usr/bin/find | N/A |
| File opened for reading | /sys/devices/virtual/net/lo/queues | /usr/bin/find | N/A |
| File opened for reading | /sys/devices/virtual/net/lo/queues/tx-0/byte_queue_limits | /usr/bin/find | N/A |
| File opened for reading | /sys/devices/virtual/net/lo/queues/rx-0 | /usr/bin/find | N/A |
Reads CPU attributes
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for reading | /sys/devices/system/cpu/cpu0/cache | /usr/bin/find | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cache/index2 | /usr/bin/find | N/A |
| File opened for reading | /sys/devices/system/cpu/hotplug | /usr/bin/find | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0 | /usr/bin/find | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/hotplug | /usr/bin/find | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/topology | /usr/bin/find | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cache/index2/power | /usr/bin/find | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cache/index0/power | /usr/bin/find | N/A |
| File opened for reading | /sys/devices/system/cpu/cpuidle | /usr/bin/find | N/A |
| File opened for reading | /sys/devices/system/cpu/smt | /usr/bin/find | N/A |
| File opened for reading | /sys/devices/system/cpu/cpufreq | /usr/bin/find | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cache/index3 | /usr/bin/find | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cache/index1 | /usr/bin/find | N/A |
| File opened for reading | /sys/devices/system/cpu/power | /usr/bin/find | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/power | /usr/bin/find | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cache/power | /usr/bin/find | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cache/index1/power | /usr/bin/find | N/A |
| File opened for reading | /sys/devices/system/cpu/vulnerabilities | /usr/bin/find | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cache/index0 | /usr/bin/find | N/A |
| File opened for reading | /sys/devices/system/cpu/cpu0/cache/index3/power | /usr/bin/find | N/A |
Enumerates kernel/hardware configuration
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for reading | /sys/kernel/slab/:0000024 | /usr/bin/find | N/A |
| File opened for reading | /sys/devices/platform/serial8250/tty/ttyS26 | /usr/bin/find | N/A |
| File opened for reading | /sys/kernel/debug/tracing/events/fs_dax/dax_pte_fault_done | /usr/bin/find | N/A |
| File opened for reading | /sys/bus/nd/drivers/nd_region | /usr/bin/find | N/A |
| File opened for reading | /sys/bus/i2c/drivers/twl | /usr/bin/find | N/A |
| File opened for reading | /sys/class/scsi_host | /usr/bin/find | N/A |
| File opened for reading | /sys/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0C0F:03/power | /usr/bin/find | N/A |
| File opened for reading | /sys/fs/cgroup/unified/system.slice/system-serial\x2dgetty.slice | /usr/bin/find | N/A |
| File opened for reading | /sys/kernel/mm | /usr/bin/find | N/A |
| File opened for reading | /sys/kernel/debug/tracing/events/ext4/ext4_es_shrink_scan_exit | /usr/bin/find | N/A |
| File opened for reading | /sys/kernel/debug/tracing/events/syscalls/sys_enter_sched_rr_get_interval | /usr/bin/find | N/A |
| File opened for reading | /sys/class/dmi | /usr/bin/find | N/A |
| File opened for reading | /sys/devices/pci0000:00/0000:00:01.1/ata1/link1/ata_link | /usr/bin/find | N/A |
| File opened for reading | /sys/module/kgdboc | /usr/bin/find | N/A |
| File opened for reading | /sys/kernel/debug/tracing/events/skb/kfree_skb | /usr/bin/find | N/A |
| File opened for reading | /sys/devices/virtual/bdi/0:48/power | /usr/bin/find | N/A |
| File opened for reading | /sys/kernel/debug/tracing/events/vmscan/mm_shrink_slab_start | /usr/bin/find | N/A |
| File opened for reading | /sys/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:01/PNP0F13:00/power | /usr/bin/find | N/A |
| File opened for reading | /sys/bus/i2c/devices | /usr/bin/find | N/A |
| File opened for reading | /sys/kernel/debug/tracing/events/dma_fence/dma_fence_wait_start | /usr/bin/find | N/A |
| File opened for reading | /sys/fs/cgroup/unified/user.slice/user-0.slice/user@0.service/gvfs-daemon.service | /usr/bin/find | N/A |
| File opened for reading | /sys/kernel/debug/tracing/events/syscalls/sys_exit_tee | /usr/bin/find | N/A |
| File opened for reading | /sys/devices/pnp0/00:04 | /usr/bin/find | N/A |
| File opened for reading | /sys/kernel/slab/:0000080 | /usr/bin/find | N/A |
| File opened for reading | /sys/kernel/debug/tracing/events/fs_dax/dax_writeback_one | /usr/bin/find | N/A |
| File opened for reading | /sys/kernel/debug/tracing/events/syscalls/sys_exit_getsid | /usr/bin/find | N/A |
| File opened for reading | /sys/class/vc | /usr/bin/find | N/A |
| File opened for reading | /sys/devices/pci0000:00/0000:00:05.0/usb1/1-0:1.0/ep_81/power | /usr/bin/find | N/A |
| File opened for reading | /sys/module/usbhid/notes | /usr/bin/find | N/A |
| File opened for reading | /sys/module/fb_sys_fops/sections | /usr/bin/find | N/A |
| File opened for reading | /sys/devices/platform/serial8250/tty/ttyS2/power | /usr/bin/find | N/A |
| File opened for reading | /sys/fs/cgroup/pids/system.slice/packagekit.service | /usr/bin/find | N/A |
| File opened for reading | /sys/module/joydev/holders | /usr/bin/find | N/A |
| File opened for reading | /sys/kernel/debug/tracing/events/scsi/scsi_dispatch_cmd_error | /usr/bin/find | N/A |
| File opened for reading | /sys/devices/platform/i8042/serio1/input/input3/capabilities | /usr/bin/find | N/A |
| File opened for reading | /sys/devices/virtual/bdi/7:4 | /usr/bin/find | N/A |
| File opened for reading | /sys/module/nf_tables_ipv4/holders | /usr/bin/find | N/A |
| File opened for reading | /sys/module/i8042/parameters | /usr/bin/find | N/A |
| File opened for reading | /sys/fs/cgroup/devices/system.slice/systemd-logind.service | /usr/bin/find | N/A |
| File opened for reading | /sys/fs/cgroup/pids/user.slice/user-0.slice/user@0.service/evolution-addressbook-factory.service | /usr/bin/find | N/A |
| File opened for reading | /sys/bus/serio/drivers | /usr/bin/find | N/A |
| File opened for reading | /sys/bus/platform/drivers/e820_pmem | /usr/bin/find | N/A |
| File opened for reading | /sys/kernel/debug/tracing/events/libata/ata_eh_link_autopsy | /usr/bin/find | N/A |
| File opened for reading | /sys/devices/pci0000:00/0000:00:04.0/ata8/host7 | /usr/bin/find | N/A |
| File opened for reading | /sys/devices/pci0000:00/0000:00:04.0/ata3/link3/ata_link | /usr/bin/find | N/A |
| File opened for reading | /sys/kernel/debug/tracing/events/regmap | /usr/bin/find | N/A |
| File opened for reading | /sys/kernel/debug/tracing/events/syscalls/sys_enter_inotify_init1 | /usr/bin/find | N/A |
| File opened for reading | /sys/fs/cgroup/pids/system.slice/system-serial\x2dgetty.slice | /usr/bin/find | N/A |
| File opened for reading | /sys/module/lp/notes | /usr/bin/find | N/A |
| File opened for reading | /sys/devices/platform/PNP0103:00 | /usr/bin/find | N/A |
| File opened for reading | /sys/devices/pci0000:00/0000:00:04.0/ata6/host5/scsi_host/host5 | /usr/bin/find | N/A |
| File opened for reading | /sys/devices/pci0000:00/0000:00:05.0/usb1/1-0:1.0/usb1-port1/power | /usr/bin/find | N/A |
| File opened for reading | /sys/module/virtio_mmio/parameters | /usr/bin/find | N/A |
| File opened for reading | /sys/devices/platform/floppy.0 | /usr/bin/find | N/A |
| File opened for reading | /sys/devices/virtual/block/loop7/power | /usr/bin/find | N/A |
| File opened for reading | /sys/fs/cgroup/unified/system.slice/bolt.service | /usr/bin/find | N/A |
| File opened for reading | /sys/kernel/debug/tracing/events/syscalls/sys_exit_inotify_init1 | /usr/bin/find | N/A |
| File opened for reading | /sys/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:17 | /usr/bin/find | N/A |
| File opened for reading | /sys/bus/pci_express/drivers/pcie_pme | /usr/bin/find | N/A |
| File opened for reading | /sys/module/xen_blkfront/parameters | /usr/bin/find | N/A |
| File opened for reading | /sys/module/xen_netfront/parameters | /usr/bin/find | N/A |
| File opened for reading | /sys/kernel/debug/tracing/events/compaction/mm_compaction_kcompactd_sleep | /usr/bin/find | N/A |
| File opened for reading | /sys/kernel/debug/tracing/events/syscalls/sys_exit_umask | /usr/bin/find | N/A |
| File opened for reading | /sys/devices/virtual/block/loop2/mq/0/cpu0 | /usr/bin/find | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for reading | /proc/1171/task/1219/ns | /usr/bin/find | N/A |
| File opened for reading | /proc/1058/task/1072/net/netfilter | /usr/bin/find | N/A |
| File opened for reading | /proc/1158/task/1160/ns | /usr/bin/find | N/A |
| File opened for reading | /proc/79/task/79/ns | /usr/bin/find | N/A |
| File opened for reading | /proc/1329/task/1338/ns | /usr/bin/find | N/A |
| File opened for reading | /proc/18/net/dev_snmp6 | /usr/bin/find | N/A |
| File opened for reading | /proc/1131/task/1132/net/dev_snmp6 | /usr/bin/find | N/A |
| File opened for reading | /proc/1275/task/1282/attr/smack | /usr/bin/find | N/A |
| File opened for reading | /proc/1095/net/stat | /usr/bin/find | N/A |
| File opened for reading | /proc/1159/net | /usr/bin/find | N/A |
| File opened for reading | /proc/522/task/633/attr/smack | /usr/bin/find | N/A |
| File opened for reading | /proc/599/task | /usr/bin/find | N/A |
| File opened for reading | /proc/647/attr/apparmor | /usr/bin/find | N/A |
| File opened for reading | /proc/1463/task/1468/attr/apparmor | /usr/bin/find | N/A |
| File opened for reading | /proc/10/task/10/ns | /usr/bin/find | N/A |
| File opened for reading | /proc/672/fdinfo | /usr/bin/find | N/A |
| File opened for reading | /proc/1106/task/1109/fdinfo | /usr/bin/find | N/A |
| File opened for reading | /proc/21/net/stat | /usr/bin/find | N/A |
| File opened for reading | /proc/166/attr/smack | /usr/bin/find | N/A |
| File opened for reading | /proc/204/task/204/net/stat | /usr/bin/find | N/A |
| File opened for reading | /proc/1064/net/stat | /usr/bin/find | N/A |
| File opened for reading | /proc/1135/attr/smack | /usr/bin/find | N/A |
| File opened for reading | /proc/8/task/8/attr/smack | /usr/bin/find | N/A |
| File opened for reading | /proc/35/task | /usr/bin/find | N/A |
| File opened for reading | /proc/598/net/stat | /usr/bin/find | N/A |
| File opened for reading | /proc/1480/task/1480/fd | /usr/bin/find | N/A |
| File opened for reading | /proc/1503/task/1504/fd | /usr/bin/find | N/A |
| File opened for reading | /proc/171/task/171/fd | /usr/bin/find | N/A |
| File opened for reading | /proc/205/ns | /usr/bin/find | N/A |
| File opened for reading | /proc/548/task/556/net/stat | /usr/bin/find | N/A |
| File opened for reading | /proc/4/task/4/attr/apparmor | /usr/bin/find | N/A |
| File opened for reading | /proc/472/task/472/net | /usr/bin/find | N/A |
| File opened for reading | /proc/78/attr/selinux | /usr/bin/find | N/A |
| File opened for reading | /proc/514/fd | /usr/bin/find | N/A |
| File opened for reading | /proc/866 | /usr/bin/find | N/A |
| File opened for reading | /proc/13/net/dev_snmp6 | /usr/bin/find | N/A |
| File opened for reading | /proc/1174/task/1202/attr/smack | /usr/bin/find | N/A |
| File opened for reading | /proc/1293/task/1309/net/stat | /usr/bin/find | N/A |
| File opened for reading | /proc/774/task/1464/fdinfo | /usr/bin/find | N/A |
| File opened for reading | /proc/988/attr/selinux | /usr/bin/find | N/A |
| File opened for reading | /proc/1131/task/1131/net/dev_snmp6 | /usr/bin/find | N/A |
| File opened for reading | /proc/29/net/netfilter | /usr/bin/find | N/A |
| File opened for reading | /proc/34/task/34/attr | /usr/bin/find | N/A |
| File opened for reading | /proc/446/task/452/net | /usr/bin/find | N/A |
| File opened for reading | /proc/474/net | /usr/bin/find | N/A |
| File opened for reading | /proc/522/task | /usr/bin/find | N/A |
| File opened for reading | /proc/1064/task/1067/net/dev_snmp6 | /usr/bin/find | N/A |
| File opened for reading | /proc/83/task/83/ns | /usr/bin/find | N/A |
| File opened for reading | /proc/1037/task/1039 | /usr/bin/find | N/A |
| File opened for reading | /proc/160/attr/selinux | /usr/bin/find | N/A |
| File opened for reading | /proc/1173/task/1216/attr | /usr/bin/find | N/A |
| File opened for reading | /proc/1163/task/1172/net/netfilter | /usr/bin/find | N/A |
| File opened for reading | /proc/1492/net/stat | /usr/bin/find | N/A |
| File opened for reading | /proc/162/net/netfilter | /usr/bin/find | N/A |
| File opened for reading | /proc/477/task/519/net | /usr/bin/find | N/A |
| File opened for reading | /proc/684/net/stat | /usr/bin/find | N/A |
| File opened for reading | /proc/1257 | /usr/bin/find | N/A |
| File opened for reading | /proc/1482/task | /usr/bin/find | N/A |
| File opened for reading | /proc/21/attr | /usr/bin/find | N/A |
| File opened for reading | /proc/176/attr/smack | /usr/bin/find | N/A |
| File opened for reading | /proc/1126/net/netfilter | /usr/bin/find | N/A |
| File opened for reading | /proc/1293/task/1298/attr/smack | /usr/bin/find | N/A |
| File opened for reading | /proc/9/task/9/net/dev_snmp6 | /usr/bin/find | N/A |
| File opened for reading | /proc/980/map_files | /usr/bin/find | N/A |
Processes
/tmp/3b15778595cef00d1a51035dd4fd65e6be97e73544cb1899f40aec4aaa0445ae.sh
[/tmp/3b15778595cef00d1a51035dd4fd65e6be97e73544cb1899f40aec4aaa0445ae.sh]
/bin/uname
[uname -mp]
/bin/grep
[grep -q x86_64]
/usr/bin/awk
[awk {print $2}]
/bin/grep
[grep noexec]
/bin/cat
[cat /proc/mounts]
/usr/bin/whoami
[whoami]
/usr/bin/find
[find / -type d -user root -perm -u=rwx -not -path /tmp/* -not -path /proc/* -not -path /sys -not -path /sys/* -not -path /proc -not -path /proc/* -not -path /dev/pts -not -path /dev/pts/* -not -path /run -not -path /run/* -not -path /sys/kernel/security -not -path /sys/kernel/security/* -not -path /run/lock -not -path /run/lock/* -not -path /sys/fs/cgroup -not -path /sys/fs/cgroup/* -not -path /sys/fs/cgroup/unified -not -path /sys/fs/cgroup/unified/* -not -path /sys/fs/cgroup/systemd -not -path /sys/fs/cgroup/systemd/* -not -path /sys/fs/pstore -not -path /sys/fs/pstore/* -not -path /sys/fs/cgroup/cpu,cpuacct -not -path /sys/fs/cgroup/cpu,cpuacct/* -not -path /sys/fs/cgroup/freezer -not -path /sys/fs/cgroup/freezer/* -not -path /sys/fs/cgroup/memory -not -path /sys/fs/cgroup/memory/* -not -path /sys/fs/cgroup/net_cls,net_prio -not -path /sys/fs/cgroup/net_cls,net_prio/* -not -path /sys/fs/cgroup/rdma -not -path /sys/fs/cgroup/rdma/* -not -path /sys/fs/cgroup/hugetlb -not -path /sys/fs/cgroup/hugetlb/* -not -path /sys/fs/cgroup/perf_event -not -path /sys/fs/cgroup/perf_event/* -not -path /sys/fs/cgroup/pids -not -path /sys/fs/cgroup/pids/* -not -path /sys/fs/cgroup/devices -not -path /sys/fs/cgroup/devices/* -not -path /sys/fs/cgroup/cpuset -not -path /sys/fs/cgroup/cpuset/* -not -path /sys/fs/cgroup/blkio -not -path /sys/fs/cgroup/blkio/*]
/usr/bin/touch
[touch .testfile]
/bin/dd
[dd if=/dev/zero of=.testfile2 bs=2M count=1]
/bin/rm
[rm -rf .testfile .testfile2]
/bin/cp
[cp -r /tmp/redtail.* /]
/bin/rm
[rm -rf .redtail]
/bin/cat
[cat redtail.x86_64]
/bin/chmod
[chmod +x .redtail]
/.redtail
[./.redtail ssh]
/bin/rm
[rm -rf redtail.*]
/bin/rm
[rm -rf /tmp/redtail.*]
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | | udp |
| US | 151.101.1.91:443 | | tcp |
| GB | 185.125.188.61:443 | | tcp |
| GB | 185.125.188.61:443 | | tcp |
| US | 151.101.1.91:443 | | tcp |
| GB | 195.181.164.17:443 | | tcp |
Files
/.testfile2
| Hash | Value |
|---|---|
| MD5 | b2d1236c286a3c0704224fe4105eca49 |
| SHA1 | 7d76d48d64d7ac5411d714a4bb83f37e3e5b8df6 |
| SHA256 | 5647f05ec18958947d32874eeb788fa396a05d0bab7c1b71f112ceb7e9b31eee |
| SHA512 | 731859029215873fdac1c9f2f8bd25a334abf0f3a9e1b057cf2cacc2826d86b0c26a3fa920a936421401c0471f38857cb53ba905489ea46b185209fdff65b3b6 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-14 06:55
Reported
2024-06-14 06:57
Platform
debian9-armhf-20240418-en
Command Line
Signatures
Processes
Network
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-14 06:55
Reported
2024-06-14 06:55
Platform
debian9-mipsbe-20240611-en
Command Line
Signatures
Processes
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-14 06:55
Reported
2024-06-14 06:55
Platform
debian9-mipsel-20240611-en