fc71c2dd1abf849859de00108255f83144a50f94e4648c645aa0c5c9182be24e

Analysis

max time kernel
11s
max time network
9s
platform
debian-9_mipsel
resource
debian9-mipsel-20240418-en
resource tags

arch:mipselimage:debian9-mipsel-20240418-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem
submitted
03/07/2024, 05:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

install_printer.sh
Size

976B
MD5

13733f52f1d50bb6084531b3acf566ad
SHA1

1d478784284acbb512cd63014e59987828b2c17c
SHA256

fc71c2dd1abf849859de00108255f83144a50f94e4648c645aa0c5c9182be24e
SHA512

6d2959a7d33bf19d07544d54acfeb61e0840575c9f21b5d55961747e1d918096d34652ae10aa81e3a21f92e739e10f99078ce2fe0985ad87004c6c1c538851d2

Score

6^/10

persistence

Malware Config

Signatures

Creates/modifies environment variables 1 TTPs 1 IoCs

Creating/modifying environment variables is a common persistence mechanism.

persistence

Hijack Execution Flow

T1574

description	ioc	Process
File opened for modification	/root/.bashrc	install_printer.sh

Modifies Bash startup script 1 TTPs 1 IoCs

persistence

Boot or Logon Autostart Execution

T1547

description	ioc	Process
File opened for modification	/root/.bashrc	install_printer.sh

Reads CPU attributes 1 TTPs 6 IoCs

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	exim4
File opened for reading	/sys/devices/system/cpu/online	exim4
File opened for reading	/sys/devices/system/cpu/online	exim4
File opened for reading	/sys/devices/system/cpu/online	exim4
File opened for reading	/sys/devices/system/cpu/online	exim4
File opened for reading	/sys/devices/system/cpu/online	exim4

Reads runtime system information 30 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/sys/kernel/ngroups_max	sendmail
File opened for reading	/proc/self/stat	sudo
File opened for reading	/proc/self/stat	sudo
File opened for reading	/proc/sys/kernel/ngroups_max	sendmail
File opened for reading	/proc/self/stat	sudo
File opened for reading	/proc/filesystems	sudo
File opened for reading	/proc/self/stat	sudo
File opened for reading	/proc/sys/kernel/ngroups_max	sudo
File opened for reading	/proc/sys/kernel/ngroups_max	sendmail
File opened for reading	/proc/sys/kernel/ngroups_max	sendmail
File opened for reading	/proc/sys/kernel/ngroups_max	sudo
File opened for reading	/proc/filesystems	sudo
File opened for reading	/proc/sys/kernel/ngroups_max	sudo
File opened for reading	/proc/self/stat	sudo
File opened for reading	/proc/self/stat	sudo
File opened for reading	/proc/sys/kernel/ngroups_max	sendmail
File opened for reading	/proc/sys/kernel/ngroups_max	sudo
File opened for reading	/proc/sys/kernel/ngroups_max	sudo
File opened for reading	/proc/filesystems	sudo
File opened for reading	/proc/filesystems	sudo
File opened for reading	/proc/self/stat	sudo
File opened for reading	/proc/sys/kernel/ngroups_max	sudo
File opened for reading	/proc/self/fd	sudo
File opened for reading	/proc/sys/kernel/ngroups_max	sendmail
File opened for reading	/proc/self/fd	sudo
File opened for reading	/proc/filesystems	sudo
File opened for reading	/proc/filesystems	sudo
File opened for reading	/proc/filesystems	sudo
File opened for reading	/proc/sys/kernel/ngroups_max	sudo
File opened for reading	/proc/self/fd	sudo

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/install_printer_fail	touch

/tmp/install_printer.sh
/tmp/install_printer.sh
1⤵
- Creates/modifies environment variables
- Modifies Bash startup script
PID:712
- /usr/bin/sudo
  sudo rm -f /tmp/install_printer_success
  2⤵
  - Reads runtime system information
  PID:716
- - /usr/sbin/sendmail
    sendmail -t
    3⤵
    - Reads runtime system information
    PID:724
  - - /usr/sbin/exim4
      /usr/sbin/exim4 -Mc 1sOr5Q-0000Bg-SK
      4⤵
      Reads CPU attributes
      PID:749
- - /usr/sbin/sendmail
    sendmail -t
    3⤵
    - Reads runtime system information
    PID:731
  - - /usr/sbin/exim4
      /usr/sbin/exim4 -Mc 1sOr5Q-0000Bn-Ri
      4⤵
      Reads CPU attributes
      PID:750
- - /bin/rm
    rm -f /tmp/install_printer_success
    3⤵
    PID:733
- /usr/bin/sudo
  sudo rm -f /tmp/install_printer_fail
  2⤵
  - Reads runtime system information
  PID:736
- - /usr/sbin/sendmail
    sendmail -t
    3⤵
    - Reads runtime system information
    PID:743
  - - /usr/sbin/exim4
      /usr/sbin/exim4 -Mc 1sOr5R-0000Bz-WD
      4⤵
      Reads CPU attributes
      PID:756
- - /usr/sbin/sendmail
    sendmail -t
    3⤵
    - Reads runtime system information
    PID:746
  - - /usr/sbin/exim4
      /usr/sbin/exim4 -Mc 1sOr5S-0000C2-37
      4⤵
      Reads CPU attributes
      PID:759
- - /bin/rm
    rm -f /tmp/install_printer_fail
    3⤵
    PID:747
- /usr/bin/sudo
  sudo rm -rf /Applications/Brocadesoft
  2⤵
  - Reads runtime system information
  PID:748
- /usr/bin/sudo
  sudo rm -rf /Applications/BSPrintNotify
  2⤵
  - Reads runtime system information
  PID:752
- /usr/bin/sudo
  sudo cp /Volumes/漫游打印驱动/.contents/mac /Applications/BSutils
  2⤵
  - Reads runtime system information
  PID:755
- /usr/bin/sudo
  sudo xattr -rd com.apple.quarantine /Applications/BSutils
  2⤵
  - Reads runtime system information
  PID:757
- /bin/sleep
  sleep 1
  2⤵
  PID:761
- /usr/bin/basename
  basename /bin/bash
  2⤵
  PID:768
- /usr/bin/sudo
  sudo -S installer -pkg /Volumes/漫游打印驱动/.contents/Client-Printer_prints.sankuai.com_8110_20210527190734.pkg -target /
  2⤵
  - Reads runtime system information
  PID:770
- - /usr/sbin/sendmail
    sendmail -t
    3⤵
    - Reads runtime system information
    PID:774
  - - /usr/sbin/exim4
      /usr/sbin/exim4 -Mc 1sOr5V-0000CU-Fl
      4⤵
      Reads CPU attributes
      PID:782
- - /usr/sbin/sendmail
    sendmail -t
    3⤵
    - Reads runtime system information
    PID:777
  - - /usr/sbin/exim4
      /usr/sbin/exim4 -Mc 1sOr5V-0000CX-FX
      4⤵
      Reads CPU attributes
      PID:783
- /Applications/BSutils
  /Applications/BSutils
  2⤵
  PID:769
- /usr/bin/lpstat
  /usr/bin/lpstat -v
  2⤵
  PID:779
- /bin/grep
  grep -c bsprint://
  2⤵
  PID:780
- /usr/bin/touch
  /usr/bin/touch /tmp/install_printer_fail
  2⤵
  - Writes file to tmp directory
  PID:781

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Defense Evasion

Hijack Execution Flow

T1574

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/var/mail/user

Filesize
825B

MD5
c879f8ef9bd107feaf419c46132d21ca

SHA1
05a82a9d90f5ca8d044ce7194f7291a44d530f91

SHA256
8f7b19873e900b6d1c438d9950f21ad7a4b4670f337b7c9289aaf61fc7990e53

SHA512
45259e41f8106c6e0fd274d4b0d15a1058210a571d5bc11ba2c223e149d8cb37debd0a667b2337b5e95fa2b70ce4982c85114a0c5dcbb1104a1279ac945456d8

Download Submit
/var/mail/user

Filesize
1KB

MD5
d9948a4b0604fe03511c5eb8070cab4d

SHA1
35d3e11118874f331d6446b18cd328029d651cfd

SHA256
0f7afd62d123a889b4a95a315ecc063acc530d8781b58a2031178fa28d63f422

SHA512
78d5bf5b2381ebd622ffb733f1683d21c0417784677fba5d52d54e577989a75b0d4457109bc0457aaf299d7fc59f6085247e534553bb15d9e2bd0e749b32c4a5

Download Submit
/var/mail/user

Filesize
2KB

MD5
d29b09bb724d3de490e28431ab86fc9e

SHA1
7c8b4b7ad32586170e72b622cc0023889edabad0

SHA256
d20adc789e4149f4ed0800a2cb4ccd9138696e04d786d8d58b8bfa4d525bf0b0

SHA512
52efdb9116424b936af933ebdc32cbe2eabdb362b6df4e963fa9cc0060624ee42e9a04dbe55a868da319afd8795e3162e07fcbf0757e03f9a510ae4858f2f7ec

Download Submit
/var/mail/user

Filesize
3KB

MD5
66506b1fe8f75ab054a2b2ba15e8ddd9

SHA1
99cc9a8ccc5e3717b3a4e0ea78ca3c38c94be0af

SHA256
c159842c7286d9bf9f4f860b3d3f3eb8ef353ae562b27ca26d3da0de95ef977e

SHA512
e732b20474ad7dc01c2520ca5053b378954a35047397a49fee23368083a6d2a76793d1c9517e6f1af068037a9f0e857abe2deffa830b7093cfb6cae22d2eab9a

Download Submit
/var/mail/user

Filesize
4KB

MD5
661a25baccc4abaeac12aaa915d72fb6

SHA1
5fa2584fa7371515deff430bca5289a293820e18

SHA256
90cdae27da4e4f95fa4d6d58f1da19f396951a104b5abcd0e35019d3a01b4581

SHA512
720fe1a38fa09530d3093cdbb669331d893d9f04cd18aba3a7a0355cf36513b8df9e7df5292d67baf6e2e4f8d6eb505a9477c4811735f1650a4fb5afb9beb028

Download Submit
/var/mail/user

Filesize
4KB

MD5
aaea0253e4560fbbdfbd9ec1e5aaa924

SHA1
463c41d24b00ee4789fb6875979ad8979058b6c3

SHA256
cdbcf7e7c72fec794cfadd96a5bbb1f66b02b1002fdef8ce03867cbb1662eff6

SHA512
4fc120c56741f2eef6c735caf95a68e9bbcf7936388f895baba8e5837e3a55a0640f4c93c6e96d787033cbf6bb306c5721db0968860773f7ac309739acaa3c14

Download Submit
/var/spool/exim4/input/1sOr5Q-0000Bg-SK-D

Filesize
128B

MD5
7eeddc445601367048efb0680e3ed207

SHA1
1cbc146f2d9de098e5a901acf9145ffbeb1a5433

SHA256
d4ce04333c686c9bbaab90ca07abf58833b9a767a7e55c30742926d700421e60

SHA512
c923f6e3b46b151e16e754f6bb65005ba9680b3d555b5f68674950aaaa163def8c0e8054d7c822b85dacf0da35f5348d686d7d064c4b88af7dcc24e3bb112ce0

Download Submit
/var/spool/exim4/input/1sOr5Q-0000Bg-SK-J

Filesize
34B

MD5
d7d96d63d643a4ce3e408eba7dfcedc5

SHA1
c53607f95c5c57beafc1d8266646797a035f76ea

SHA256
21db3a59b2d0ce18fb250b787d6e2c85d12919f5fdf1448c8f48207c4083b159

SHA512
703a03e54776a6ad9b8adc6c475bbc91c06502618fa3b6f495b1a01a4f6f7aa6fb65dc6ba6885ddc6af961627062f1ce1e1d66688288cbd3bef7754d249fa9b3

Download Submit
/var/spool/exim4/input/1sOr5Q-0000Bn-Ri-D

Filesize
146B

MD5
73c388f45435abe036f2718c65c939d6

SHA1
aa13da6d5278b118098ed6d7e22a6194777c3391

SHA256
4d8a416abd8f48214bc9f345390d40cbfa612bc12763c82d06cad98b9130b978

SHA512
549923c5aa1e161159f1b55c9af3d4d40c51b278545bbab1fa7b141a3a864031c5060a604e995fae499c13d16d3c258b1d3d519abe652ac2cf2e25d6cae7821f

Download Submit
/var/spool/exim4/input/1sOr5R-0000Bz-WD-D

Filesize
128B

MD5
add1e4f3c1011f24159ef079bedb0a0f

SHA1
1b478a625d795f6ba73ba725f5e6735eeccdafc7

SHA256
b1c2a390daa180ccf1fdbb1d1c024d6f0f2c604b4412c2fc7038495b97d62baa

SHA512
a3adb60d450f9cae85eea5abf4ab740104f50b9841846faf56b83ea38f812656355dc0b074ecc407279ece5d8ac10d482e465d5c0e89dafab1d8907bf9cde2d5

Download Submit
/var/spool/exim4/input/1sOr5S-0000C2-37-D

Filesize
146B

MD5
ed384182759d956016bedec92d00a405

SHA1
a976697545dbf7fb14554be545adc4d159d628f8

SHA256
e101ef68d9d0779d515567f21af2e3325bdc49b21dce897315240ade01a00861

SHA512
b1aa6249e21399233ac7f7de38db3f91194ecc030955220b36a7a6230492b9dfd856fd2a144dfe7ffa4e31ec36efac6929dafd933d6e15c2f23e0271b7a222ce

Download Submit
/var/spool/exim4/input/1sOr5V-0000CU-Fl-D

Filesize
128B

MD5
3fa92a39980cd45ba550a8c97bf0c77a

SHA1
0680ea14325823c59ce1c976696fb191c23d92b0

SHA256
e67f29854c28f168a65a61386eab017dbf13bdb5678a8d3a8fa0468fbb77f52d

SHA512
f3163e12d55b6d59f8fc9514601b89dab71dabff40cb7a57bae108b96545a658983635f99f9aa7035274bfb1575d1cf32a32a83c54076db8512fdf64efd447f0

Download Submit
/var/spool/exim4/input/1sOr5V-0000CX-FX-D

Filesize
146B

MD5
74b4c70e5270efaa45b944f1b18fe5b5

SHA1
3d04691fd22a82b2c491012f5d593eed0ebc0a82

SHA256
68e5e72b159b3cf601b081528b27bddd9d9355d1fdf67f0db8f537a6d2338563

SHA512
fb9e3fde212177cd62650460d54a87d84e400a662bf5532375983bb2c3dc83a10afd500ba211b4c0ed792eba6654ba392c093cf1b667157e9c0ef4698744f3f6

Download Submit
/var/spool/exim4/input/hdr.731

Filesize
915B

MD5
e64a6b5777b591e52c6ed555985af1d1

SHA1
7e3c53898de4000447e85d62c2fcd771cf88d17e

SHA256
a411a984a02f2dcbdf524f04d5e3b390f04988967c0dfb13214fe57ab2639950

SHA512
6020ffe438206f755fb4a47d59da89140d27f34d1e89847eba3ba02e5e0001042c062a0c9ef214969dd4213bce96c0e16613d146ba3663628013f522d4c76a9b

Download Submit
/var/spool/exim4/input/hdr.743

Filesize
915B

MD5
284bc04a5a9a808305a6ade740a3b213

SHA1
1dc11b586b2a575ccf3d80ff2d9a8650fcdce921

SHA256
28a149b18e3b3597977beaf271893b887c76258938f25539468c94185d74f2f0

SHA512
03180f7b6f172acc1edf4e04a0691e1f106dd7e070f183daec5bfa13db970fce339a07beb09c5df624420e48f011ab0ca32fc3750862b7a4e04dcad20685506d

Download Submit
/var/spool/exim4/input/hdr.746

Filesize
915B

MD5
3b33ff943376f365a7d779d4db63c89e

SHA1
4c422b43c2f9b064300be08bd183ddcd43b41935

SHA256
cad1b7b8c36dc2089b1a68731623790cd28fe0078506b1c18fe90e3e6f85f59a

SHA512
fb9f8a3a43a648a3aa3692e20b05ed7da943c1727d7620cabd0b963342568eb98afd7f48a815fdb5117a1f45eb2cf9f04f551476bd55d448b85af2581b0d7240

Download Submit
/var/spool/exim4/input/hdr.777

Filesize
915B

MD5
e80544eb1aa7160e2517b965824a20c8

SHA1
f5daeae3df1a95ebbbd23afe361eff5c14dbd03c

SHA256
a0f52e4ad4de3ac2d85eacf4fd16a42996392daadf27a3dd339e3da94a9ccd43

SHA512
43f667ac24ec29aa69110c9f8649f30a68d0997e91601f61b320c1e31857394119104e262b957b20fc76539d649993c397e5ff75483cab0bf9836cd519469113

Download Submit
/var/spool/exim4/msglog/1sOr5Q-0000Bg-SK

Filesize
288B

MD5
d954625486b2827ced2888e3736b809a

SHA1
5cd76be8230ee286dfe09e9382d39f14959ee0ed

SHA256
99fd15380e1d25066dc75b677f7d64765abcb323aa64e9a743e99cbae905610a

SHA512
2c00851b1387f25c2ea69a942b63c36e40879b1b199bfac2e7d9591c0625b85f21c7c2751abeff1512aa84de74de367400439a68b0bd7124d9402f4064231787

Download Submit
/var/spool/exim4/msglog/1sOr5Q-0000Bg-SK

Filesize
89B

MD5
8d3849a9a867a8d683e7338448556399

SHA1
f8e47e1d8939c857d500faf3305c8afc49c80bac

SHA256
dd440724e6c4194f0171781efda78f5df3492b2307b213d5c08469b5526cd6e0

SHA512
e458e2af39455cae8abc36c7324a05579979061965c80d6787a69273ec9794a3e6fd8869bdf56dd1321a57ebe10a3fd42463ef20f487ca92381c175272fa2124

Download Submit
/var/spool/exim4/msglog/1sOr5Q-0000Bn-Ri

Filesize
288B

MD5
d8851da601215a83e04810842ba928a1

SHA1
8cc8897803b694fd956583421f97f1d12f452995

SHA256
1daa50e78f36043e5c4b325618c024bfb8f9b89d9e3ab51e11eaa4a91a72a4a6

SHA512
85d399979f8a5a3d70fa61cf0415be4d38ca7fa14754766802e6053ae2afabbd1322ead32348d48709b590537594ee49a5f6537c6a40e30bd1e800618bf02671

Download Submit
/var/spool/exim4/msglog/1sOr5Q-0000Bn-Ri

Filesize
89B

MD5
18130061a7b078b6e425e646ed8b79e4

SHA1
87fb94c8a05d52a24c582334feadfb0900c9ad96

SHA256
daf54c1e30a3f061aea8933bceeb958bcb1fe759ed27bb72aab764308a898ad1

SHA512
d27e585e225f0e510cf300098044197e91c1e5277161079b7ae72a8cdda3533c467ac18b37cf02743861998aee55599f2a5c26fc9325d73fa27bf62ccb14e151

Download Submit
/var/spool/exim4/msglog/1sOr5R-0000Bz-WD

Filesize
89B

MD5
65a35a0b17e853cd0abc4ff0da32b446

SHA1
23b5a505c9b5ae2aeb8f52cba171ed062b3336ef

SHA256
ba0947682934cd65843e2c12331529fdbc1df7247b55bb3ff84056805566d8cc

SHA512
edf9fbcd832405f94fc0e28e8faec8c05bade6e2871b4e093eb031f28af2a784293895dc5e875a1e8490d11ec1bbb33355490e84f018f1aa0e2b909e9e3d33ab

Download Submit
/var/spool/exim4/msglog/1sOr5R-0000Bz-WD

Filesize
288B

MD5
9906dacb6dc0fb33928f1400a2f36567

SHA1
2db72f3a9fea6361b372a9707ce07d8682700667

SHA256
35222c63f015d06b36c112aa5bdbea4eebfb1924634fa353d082c2fdf85171c6

SHA512
bbe87e95e4a0ec3be76528e865cdbdb1e9c041db47126c1aa1cfbc56e03cc8e86fc64ae8ae2f4fb500f579d6ccd0e5337c6e899eaee6888a1703955b45d2517c

Download Submit
/var/spool/exim4/msglog/1sOr5S-0000C2-37

Filesize
89B

MD5
9f3b0a07622422bce4968227ca4abb22

SHA1
a8e287fc4fabd02c4456c94bbacf4d51687a0ca5

SHA256
ab8800bfcb2158ec341b2f51d1880650482f86c6c89ca09a74d5dd20ce39870c

SHA512
335b01d5cc23e2f2c5fc8e99d962e777039532a5aca651e8122bc059b80c666666a24becdcb0441ca32db053c11fc4b4bc9dcdbfeeaa3d16c8cfba3cf09f09e2

Download Submit
/var/spool/exim4/msglog/1sOr5S-0000C2-37

Filesize
288B

MD5
41fa6f8bbc0730cc9c3ffca736619a2e

SHA1
e01b5e035c6f4860eb9fbacb3de8380c0406b4ee

SHA256
2b367bbaef5bdb8d3de3e3877f922f430665f18e65af84dee91060fdfe6ecbbc

SHA512
eea8b2deb8d65c529f9deee240ab0abf236446343319b3b20841d50c9ec0aefed88c276c90b2201e17df8f486aa380b1d3039f8618476e7fdb8acb61e4820dc1

Download Submit
/var/spool/exim4/msglog/1sOr5V-0000CU-Fl

Filesize
89B

MD5
cef1eea1fa2fa9252e4e0214d815cc0b

SHA1
beeb0d42b3f4fa866fab24b193806154c6da186e

SHA256
a834d7fef844da1d101644a2ca0b18358ec4df1c24c424c534bc3eb5783db653

SHA512
75c3a0a5de6f00c7c7499703957cdfd4d2d05e643f27e911eeb5761539a65a214a1d5a3f8274e65d5455d7189ad74a602c15ba2783d55e2ec46e33a00801ac2e

Download Submit
/var/spool/exim4/msglog/1sOr5V-0000CU-Fl

Filesize
288B

MD5
92ae70037b6678f2c5b5a08ccd6e63c6

SHA1
4e63c38bcc7d739589465c698e0f193e1504ff9e

SHA256
6dcb9fc24ee866fb756a6a70121595d5c20c591700c094c1eabf7d82effcc120

SHA512
d8d2da328c95f255126b3ac00dc81e10700483204b313fe0cd8f714d7204b55f5af57887e4943cf4e2cde905ad9e628698be563d2968c594a475f8fdc537944c

Download Submit
/var/spool/exim4/msglog/1sOr5V-0000CX-FX

Filesize
89B

MD5
dc8fac60dad642194270c5f093d90bed

SHA1
d3311b299ff3f6696c73a631816e53bb02cf2fe1

SHA256
73c777b839eca432d59c89657e78793b8d0a7c0aa9760c9529a3f61f230527ef

SHA512
1d25fcb560f06dfc16d5b52ca8cde91f25e5c5000f3858854dba1dff861dfa2ff34a8961bf22a91fec1861c7b32ac27ea433d5d3c17d129e370203df210eab37

Download Submit
/var/spool/exim4/msglog/1sOr5V-0000CX-FX

Filesize
288B

MD5
73e9f8f39037fe0f331506ee72faa7a2

SHA1
091657f2763b16a9c7df61b2bf1dc65c915b2e04

SHA256
8b7916b0ca909f3fae66d8da559ec0e0fffe3cd5f1870f20ec462a3853631385

SHA512
62de23fb5cdf03980c3360084016b46c5a9109bbff2531f075fde87f81ccd9b7d168fb6a35cdd05073e98bb71ca05a677600a6ca9260958fe4f1f80b1252f0b9

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads