aac8bdcbbf47b823f77889e27be77d52dfde041c4977ec375176a2a52063e0c9

Analysis

max time kernel
0s
max time network
70s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240611-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240611-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
16/06/2024, 13:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ftl_advanced_edition_1_6_12_2_35269.sh
Size

235.3MB
MD5

fc012e9ac7515f0b7b119a73ccfd7190
SHA1

bd37c410270267270866ae7ed275d999411a9546
SHA256

aac8bdcbbf47b823f77889e27be77d52dfde041c4977ec375176a2a52063e0c9
SHA512

d3e061605069e874ed3e55440e5aae24ab6690977ce477728a46f7e7f487595a09ab4a56ec22c784e454286b0bfe2a3a791d78645fd7dc0feab9649cf282afd2
SSDEEP

6291456:7/Ocl30GLSZrpQpp9bektNzHk/gH8yXnD/vIJhhUE/QN3KmsvFCUcHt:LLcQ1bec1cyXnDYp/QVVelcHt

Score

3^/10

Malware Config

Signatures

Reads runtime system information 4 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/self/mountinfo	df
File opened for reading	/proc/self/maps	awk
File opened for reading	/proc/filesystems	tar

/tmp/ftl_advanced_edition_1_6_12_2_35269.sh
/tmp/ftl_advanced_edition_1_6_12_2_35269.sh
1⤵
PID:1482
- /usr/bin/dirname
  dirname /tmp/ftl_advanced_edition_1_6_12_2_35269.sh
  2⤵
  PID:1484
- /usr/bin/basename
  basename /tmp/ftl_advanced_edition_1_6_12_2_35269.sh
  2⤵
  PID:1485
- /bin/mkdir
  mkdir /tmp/selfgz1482
  2⤵
  - Reads runtime system information
  PID:1486
- /usr/bin/which
  which md5sum
  2⤵
  PID:1489
- /usr/bin/tr
  tr -d " "
  2⤵
  PID:1493
- /usr/bin/wc
  wc -c
  2⤵
  PID:1492
- /usr/bin/head
  head -n 519 /tmp/ftl_advanced_edition_1_6_12_2_35269.sh
  2⤵
  PID:1491
- /usr/bin/cut
  cut "-d " -f1
  2⤵
  PID:1496
- /usr/bin/basename
  basename /usr/bin/md5sum
  2⤵
  PID:1497
- /usr/bin/cut
  cut "-d " -f1
  2⤵
  PID:1500
- /usr/bin/cut
  cut -b-32
  2⤵
  PID:1504
- /usr/bin/md5sum
  /usr/bin/md5sum
  2⤵
  PID:1505
- /usr/bin/expr
  expr 668028 / 1024
  2⤵
  PID:1506
- /usr/bin/expr
  expr 668028 "%" 1024
  2⤵
  PID:1507
- /bin/dd
  dd "if=/tmp/ftl_advanced_edition_1_6_12_2_35269.sh" "ibs=12472" "skip=1" "obs=1024" "conv=sync"
  2⤵
  PID:1508
- /bin/dd
  dd "ibs=1024" "obs=1024" "count=652"
  2⤵
  PID:1510
- /bin/dd
  dd "ibs=1" "obs=1024" "count=380"
  2⤵
  PID:1511
- /usr/bin/expr
  expr 1 + 1
  2⤵
  PID:1512
- /usr/bin/expr
  expr 12472 + 668028
  2⤵
  PID:1513
- /usr/bin/tr
  tr -d " "
  2⤵
  PID:1517
- /usr/bin/wc
  wc -c
  2⤵
  PID:1516
- /usr/bin/head
  head -n 519 /tmp/ftl_advanced_edition_1_6_12_2_35269.sh
  2⤵
  PID:1515
- /usr/bin/awk
  awk "{ if (\$4 ~ /%/) {print \$3} else {print \$4} }"
  2⤵
  - Reads runtime system information
  PID:1522
- /usr/bin/tail
  tail -1
  2⤵
  PID:1521
- /bin/df
  df -kP /tmp/selfgz1482
  2⤵
  - Reads runtime system information
  PID:1520
- /usr/bin/expr
  expr 4194304 / 4
  2⤵
  PID:1529
- /bin/tar
  tar xvf -
  2⤵
  - Reads runtime system information
  PID:1530
- /bin/gzip
  gzip -cd
  2⤵
  PID:1531
- /usr/bin/expr
  expr 1048576 / 4
  2⤵
  PID:1532
- /usr/bin/expr
  expr 668028 / 262144
  2⤵
  PID:1533
- /usr/bin/expr
  expr 668028 "%" 262144
  2⤵
  PID:1534
- /bin/dd
  dd "bs=12472" "count=0" "skip=1"
  2⤵
  PID:1536
- /usr/bin/expr
  expr 0 + 262144
  2⤵
  PID:1537
- /bin/dd
  dd "bs=262144" "count=1"
  2⤵
  PID:1538
- /usr/bin/expr
  expr 668028 / 100
  2⤵
  PID:1542
- /usr/bin/expr
  expr 262144 / 6680
  2⤵
  PID:1543
- /usr/bin/expr
  expr 262144 + 262144
  2⤵
  PID:1544
- /bin/dd
  dd "bs=262144" "count=1"
  2⤵
  PID:1545
- /usr/bin/expr
  expr 668028 / 100
  2⤵
  PID:1546
- /usr/bin/expr
  expr 524288 / 6680
  2⤵
  PID:1547
- /usr/bin/expr
  expr 524288 + 262144
  2⤵
  PID:1548
- /bin/dd
  dd "bs=143740" "count=1"
  2⤵
  PID:1549
- /bin/rm
  /bin/rm -rf /tmp/selfgz1482
  2⤵
  PID:1550

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads