Malware Analysis Report

2024-10-16 06:10

Sample ID: 240718-sppbvsthqr
Target: start.sh
SHA256: a1d5bc1444f2e66c241687096914cd9ce3ce1b1ab92127abca226bb74c5b4618
Tags: antivm
Score: 7/10

Table of Contents

Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral3
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral4
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 7/10
SHA256: a1d5bc1444f2e66c241687096914cd9ce3ce1b1ab92127abca226bb74c5b4618

Threat Level: Shows suspicious behavior

The file start.sh was found to show suspicious behavior.

Malicious Activity Summary

antivm
Executes dropped EXE
Checks CPU configuration
Writes file to tmp directory
Reads runtime system information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-07-18 15:18

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-07-18 15:18
Reported: 2024-07-18 15:48
Platform: ubuntu1804-amd64-20240611-en
Max time kernel: 300s
Max time network: 1679s

Command Line

[/tmp/start.sh]

Signatures

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/tmp.Ksm1wnlxKR /bin/mktemp N/A

Processes

/tmp/start.sh

[/tmp/start.sh]

/bin/mktemp

[mktemp]

/usr/bin/curl

[curl -fsL https://github.com/ChrisTitusTech/linutil/releases/latest/download/linutil -o /tmp/tmp.Ksm1wnlxKR]

Network


Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-07-18 15:18
Reported: 2024-07-18 15:50
Platform: debian9-armhf-20240611-en
Max time kernel: 301s
Max time network: 1679s

Command Line

[/tmp/start.sh]

Signatures

Checks CPU configuration (tag: antivm)

Description Indicator Process Target
File opened for reading /proc/cpuinfo /usr/bin/curl N/A

Reads runtime system information

Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/tmp.8Kgir5Xxij /bin/mktemp N/A

Processes

/tmp/start.sh

[/tmp/start.sh]

/bin/mktemp

[mktemp]

/usr/bin/curl

[curl -fsL https://github.com/ChrisTitusTech/linutil/releases/latest/download/linutil -o /tmp/tmp.8Kgir5Xxij]

Network

Country Destination Domain Proto
US 1.1.1.1:53 github.com udp
US 1.1.1.1:53 debian9-armhf-20240611-en-2 udp
US 1.1.1.1:53 debian9-armhf-20240611-en-2 udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted: 2024-07-18 15:18
Reported: 2024-07-18 15:51
Platform: debian9-mipsbe-20240611-en
Max time kernel: 17s
Max time network: 1679s

Command Line

[/tmp/start.sh]

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/tmp.iEV51FJuvS /tmp/tmp.iEV51FJuvS N/A

Reads runtime system information

Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/tmp.iEV51FJuvS /bin/mktemp N/A
File opened for modification /tmp/tmp.iEV51FJuvS /usr/bin/curl N/A

Processes

/tmp/start.sh

[/tmp/start.sh]

/bin/mktemp

[mktemp]

/usr/bin/curl

[curl -fsL https://github.com/ChrisTitusTech/linutil/releases/latest/download/linutil -o /tmp/tmp.iEV51FJuvS]

/bin/chmod

[chmod +x /tmp/tmp.iEV51FJuvS]

/tmp/tmp.iEV51FJuvS

[/tmp/tmp.iEV51FJuvS]

Network

Country Destination Domain Proto
US 1.1.1.1:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 1.1.1.1:53 objects.githubusercontent.com udp
US 185.199.110.133:443 objects.githubusercontent.com tcp
US 1.1.1.1:53 debian9-mipsbe-20240611-en-4 udp
US 1.1.1.1:53 debian9-mipsbe-20240611-en-4 udp

Files

/tmp/tmp.iEV51FJuvS

MD5 404905475587f3b3f125d1276638555f
SHA1 233fb19f74f1871d0080ac78d8de8e63e02dd982
SHA256 e804077aa0dfa5df16b797f99465159b0d465f17f1518604bd53c51b3221ee20
SHA512 a64c2828932100e9426673b12a21626070161a3d7d263d47320e9813c4795a808256b6338d663dbf50cd8c4616cca4fa38d29594d60e1ea88182d2e222d7131a

Analysis: behavioral4

Detonation Overview

Submitted: 2024-07-18 15:18
Reported: 2024-07-18 15:51
Platform: debian9-mipsel-20240226-en
Max time kernel: 9s
Max time network: 1679s

Command Line

[/tmp/start.sh]

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/tmp.up5cLej9Cx /tmp/tmp.up5cLej9Cx N/A

Reads runtime system information

Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/tmp.up5cLej9Cx /bin/mktemp N/A
File opened for modification /tmp/tmp.up5cLej9Cx /usr/bin/curl N/A

Processes

/tmp/start.sh

[/tmp/start.sh]

/bin/mktemp

[mktemp]

/usr/bin/curl

[curl -fsL https://github.com/ChrisTitusTech/linutil/releases/latest/download/linutil -o /tmp/tmp.up5cLej9Cx]

/bin/chmod

[chmod +x /tmp/tmp.up5cLej9Cx]

/tmp/tmp.up5cLej9Cx

[/tmp/tmp.up5cLej9Cx]

Network

Country Destination Domain Proto
US 1.1.1.1:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 1.1.1.1:53 objects.githubusercontent.com udp
US 185.199.111.133:443 objects.githubusercontent.com tcp
US 1.1.1.1:53 debian9-mipsel-20240226-en-1 udp
US 1.1.1.1:53 debian9-mipsel-20240226-en-1 udp

Files

/tmp/tmp.up5cLej9Cx

MD5 404905475587f3b3f125d1276638555f
SHA1 233fb19f74f1871d0080ac78d8de8e63e02dd982
SHA256 e804077aa0dfa5df16b797f99465159b0d465f17f1518604bd53c51b3221ee20
SHA512 a64c2828932100e9426673b12a21626070161a3d7d263d47320e9813c4795a808256b6338d663dbf50cd8c4616cca4fa38d29594d60e1ea88182d2e222d7131a