Analysis
-
max time kernel
301s -
max time network
1679s -
platform
debian-9_armhf -
resource
debian9-armhf-20240611-en -
resource tags
arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem -
submitted
18-07-2024 15:18
Static task
static1
Behavioral task
behavioral1
Sample
start.sh
Resource
ubuntu1804-amd64-20240611-en
Behavioral task
behavioral2
Sample
start.sh
Resource
debian9-armhf-20240611-en
Behavioral task
behavioral3
Sample
start.sh
Resource
debian9-mipsbe-20240611-en
Behavioral task
behavioral4
Sample
start.sh
Resource
debian9-mipsel-20240226-en
General
-
Target
start.sh
-
Size
556B
-
MD5
a832de50849461f39011c4aa4d5a41d4
-
SHA1
9cab7ded4ccc5add10b8a93a69deb037cda59a75
-
SHA256
a1d5bc1444f2e66c241687096914cd9ce3ce1b1ab92127abca226bb74c5b4618
-
SHA512
af017d9236fb03bb554b0a489d0ebc8186cbdaec7fd7ddf049bba99f0594974e58e677cd19d681c9161919ee64582cf67fdf5c55e14653bd1b1fe35b8d99fbc5
Malware Config
Signatures
-
Checks CPU configuration 1 TTPs 1 IoCs
Checks CPU information which indicate if the system is a virtual machine.
Processes:
curldescription ioc process File opened for reading /proc/cpuinfo curl -
Reads runtime system information 2 IoCs
Reads data from /proc virtual filesystem.
Processes:
curldescription ioc process File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/self/auxv curl -
Writes file to tmp directory 1 IoCs
Malware often drops required files in the /tmp directory.
Processes:
mktempdescription ioc process File opened for modification /tmp/tmp.8Kgir5Xxij mktemp
Processes
-
/tmp/start.sh/tmp/start.sh1⤵PID:647
-
/bin/mktempmktemp2⤵
- Writes file to tmp directory
PID:648 -
/usr/bin/curlcurl -fsL https://github.com/ChrisTitusTech/linutil/releases/latest/download/linutil -o /tmp/tmp.8Kgir5Xxij2⤵
- Checks CPU configuration
- Reads runtime system information
PID:650