6a955c1c8cf439187b32439f76bc55ad96e9586a2cf6c251d4c8755a5672f9f6

Analysis

max time kernel
0s
max time network
129s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240611-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240611-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
01-09-2024 20:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

smartsynchronize/bin/add-menuitem.sh
Size

2KB
MD5

292bd8c7442f367735bb0f567ff7e666
SHA1

b7f83667d6941e5ea50e8b095a2ab22d4116dc6c
SHA256

d2fd430b5ad553e4e57cc88e437d2f4a3e24ea9c437801164da424702d4765d1
SHA512

ee6352caabf672ccad06cde2e0cf40d1929cea99b64ccdb3dfb809fb9c16436117bfa07a1f1a928477cc42295b47e36980e51ecc3ddd5257468fad382a5135d4

Score

4^/10

persistence

Malware Config

Signatures

Creates .desktop file 1 TTPs 2 IoCs

Linux desktops like GNOME require .desktop files to register applications. Sometimes abused by malware for persistence.

persistence

User Execution

T1204

description	ioc	Process
File opened for modification	/usr/share/applications/syntevo-smartsynchronize.desktop	cp
File opened for modification	/tmp/tmp.vnNKqFRPCq/syntevo-smartsynchronize.desktop	add-menuitem.sh

Reads runtime system information 34 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/self/maps	awk
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	gtk-update-icon-cache
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	gtk-update-icon-cache
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	gtk-update-icon-cache
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	gtk-update-icon-cache
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	sed

Writes file to tmp directory 2 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/sh-thd.ar1kTT	add-menuitem.sh
File opened for modification	/tmp/tmp.vnNKqFRPCq/syntevo-smartsynchronize.desktop	add-menuitem.sh

/tmp/smartsynchronize/bin/add-menuitem.sh
/tmp/smartsynchronize/bin/add-menuitem.sh
1⤵
- Creates .desktop file
- Writes file to tmp directory
PID:1512
- /usr/bin/dirname
  dirname /tmp/smartsynchronize/bin/add-menuitem.sh
  2⤵
  PID:1513
- /bin/mktemp
  mktemp --directory
  2⤵
  PID:1516
- /bin/cat
  cat
  2⤵
  PID:1517
- /bin/chmod
  chmod 644 /tmp/tmp.vnNKqFRPCq/syntevo-smartsynchronize.desktop
  2⤵
  PID:1518
- /usr/bin/xdg-icon-resource
  xdg-icon-resource install --size 32 /tmp/smartsynchronize/bin/smartsynchronize-32.png syntevo-smartsynchronize
  2⤵
  PID:1519
- - /bin/grep
    grep "[^0-9]"
    3⤵
    PID:1521
- - /usr/bin/whoami
    whoami
    3⤵
    PID:1522
- - /bin/sed
    sed "s/:/ /g"
    3⤵
    - Reads runtime system information
    PID:1525
- - /bin/readlink
    readlink -f /usr/share//icons
    3⤵
    PID:1526
- - /bin/sed
    sed "s/:/ /g"
    3⤵
    - Reads runtime system information
    PID:1529
- - /usr/bin/basename
    basename syntevo-smartsynchronize
    3⤵
    PID:1530
- - /bin/sed
    sed "s/\\.[a-z][a-z][a-z]\$/.icon/"
    3⤵
    - Reads runtime system information
    PID:1533
- - /bin/mkdir
    mkdir -p /usr/share//icons/hicolor/32x32/apps
    3⤵
    - Reads runtime system information
    PID:1535
- - /bin/cp
    cp /tmp/smartsynchronize/bin/smartsynchronize-32.png /usr/share//icons/hicolor/32x32/apps/syntevo-smartsynchronize.png
    3⤵
    - Reads runtime system information
    PID:1536
- - /usr/bin/touch
    touch /usr/share//icons/hicolor/.xdg-icon-resource-dummy
    3⤵
    PID:1537
- - /bin/rm
    rm -f /usr/share//icons/hicolor/.xdg-icon-resource-dummy
    3⤵
    PID:1538
- - /bin/sed
    sed "s/:/ /g"
    3⤵
    - Reads runtime system information
    PID:1541
- - /usr/bin/gtk-update-icon-cache
    /usr/bin/gtk-update-icon-cache -f -t /usr/share//icons/hicolor
    3⤵
    - Reads runtime system information
    PID:1542
- /usr/bin/xdg-icon-resource
  xdg-icon-resource install --size 48 /tmp/smartsynchronize/bin/smartsynchronize-48.png syntevo-smartsynchronize
  2⤵
  PID:1543
- - /bin/grep
    grep "[^0-9]"
    3⤵
    PID:1545
- - /usr/bin/whoami
    whoami
    3⤵
    PID:1546
- - /bin/sed
    sed "s/:/ /g"
    3⤵
    - Reads runtime system information
    PID:1549
- - /bin/readlink
    readlink -f /usr/share//icons
    3⤵
    PID:1550
- - /bin/sed
    sed "s/:/ /g"
    3⤵
    - Reads runtime system information
    PID:1553
- - /usr/bin/basename
    basename syntevo-smartsynchronize
    3⤵
    PID:1554
- - /bin/sed
    sed "s/\\.[a-z][a-z][a-z]\$/.icon/"
    3⤵
    - Reads runtime system information
    PID:1557
- - /bin/mkdir
    mkdir -p /usr/share//icons/hicolor/48x48/apps
    3⤵
    - Reads runtime system information
    PID:1559
- - /bin/cp
    cp /tmp/smartsynchronize/bin/smartsynchronize-48.png /usr/share//icons/hicolor/48x48/apps/syntevo-smartsynchronize.png
    3⤵
    - Reads runtime system information
    PID:1560
- - /usr/bin/touch
    touch /usr/share//icons/hicolor/.xdg-icon-resource-dummy
    3⤵
    PID:1561
- - /bin/rm
    rm -f /usr/share//icons/hicolor/.xdg-icon-resource-dummy
    3⤵
    PID:1562
- - /bin/sed
    sed "s/:/ /g"
    3⤵
    - Reads runtime system information
    PID:1565
- - /usr/bin/gtk-update-icon-cache
    /usr/bin/gtk-update-icon-cache -f -t /usr/share//icons/hicolor
    3⤵
    - Reads runtime system information
    PID:1566
- /usr/bin/xdg-icon-resource
  xdg-icon-resource install --size 64 /tmp/smartsynchronize/bin/smartsynchronize-64.png syntevo-smartsynchronize
  2⤵
  PID:1570
- - /bin/grep
    grep "[^0-9]"
    3⤵
    PID:1572
- - /usr/bin/whoami
    whoami
    3⤵
    PID:1573
- - /bin/sed
    sed "s/:/ /g"
    3⤵
    - Reads runtime system information
    PID:1576
- - /bin/readlink
    readlink -f /usr/share//icons
    3⤵
    PID:1577
- - /bin/sed
    sed "s/:/ /g"
    3⤵
    - Reads runtime system information
    PID:1580
- - /usr/bin/basename
    basename syntevo-smartsynchronize
    3⤵
    PID:1581
- - /bin/sed
    sed "s/\\.[a-z][a-z][a-z]\$/.icon/"
    3⤵
    - Reads runtime system information
    PID:1584
- - /bin/mkdir
    mkdir -p /usr/share//icons/hicolor/64x64/apps
    3⤵
    - Reads runtime system information
    PID:1586
- - /bin/cp
    cp /tmp/smartsynchronize/bin/smartsynchronize-64.png /usr/share//icons/hicolor/64x64/apps/syntevo-smartsynchronize.png
    3⤵
    - Reads runtime system information
    PID:1587
- - /usr/bin/touch
    touch /usr/share//icons/hicolor/.xdg-icon-resource-dummy
    3⤵
    PID:1588
- - /bin/rm
    rm -f /usr/share//icons/hicolor/.xdg-icon-resource-dummy
    3⤵
    PID:1589
- - /bin/sed
    sed "s/:/ /g"
    3⤵
    - Reads runtime system information
    PID:1592
- - /usr/bin/gtk-update-icon-cache
    /usr/bin/gtk-update-icon-cache -f -t /usr/share//icons/hicolor
    3⤵
    - Reads runtime system information
    PID:1593
- /usr/bin/xdg-icon-resource
  xdg-icon-resource install --size 128 /tmp/smartsynchronize/bin/smartsynchronize-128.png syntevo-smartsynchronize
  2⤵
  PID:1594
- - /bin/grep
    grep "[^0-9]"
    3⤵
    PID:1596
- - /usr/bin/whoami
    whoami
    3⤵
    PID:1597
- - /bin/sed
    sed "s/:/ /g"
    3⤵
    - Reads runtime system information
    PID:1600
- - /bin/readlink
    readlink -f /usr/share//icons
    3⤵
    PID:1601
- - /bin/sed
    sed "s/:/ /g"
    3⤵
    - Reads runtime system information
    PID:1604
- - /usr/bin/basename
    basename syntevo-smartsynchronize
    3⤵
    PID:1605
- - /bin/sed
    sed "s/\\.[a-z][a-z][a-z]\$/.icon/"
    3⤵
    - Reads runtime system information
    PID:1608
- - /bin/mkdir
    mkdir -p /usr/share//icons/hicolor/128x128/apps
    3⤵
    - Reads runtime system information
    PID:1610
- - /bin/cp
    cp /tmp/smartsynchronize/bin/smartsynchronize-128.png /usr/share//icons/hicolor/128x128/apps/syntevo-smartsynchronize.png
    3⤵
    - Reads runtime system information
    PID:1611
- - /usr/bin/touch
    touch /usr/share//icons/hicolor/.xdg-icon-resource-dummy
    3⤵
    PID:1612
- - /bin/rm
    rm -f /usr/share//icons/hicolor/.xdg-icon-resource-dummy
    3⤵
    PID:1613
- - /bin/sed
    sed "s/:/ /g"
    3⤵
    - Reads runtime system information
    PID:1616
- - /usr/bin/gtk-update-icon-cache
    /usr/bin/gtk-update-icon-cache -f -t /usr/share//icons/hicolor
    3⤵
    - Reads runtime system information
    PID:1617
- /usr/bin/xdg-desktop-menu
  xdg-desktop-menu install /tmp/tmp.vnNKqFRPCq/syntevo-smartsynchronize.desktop
  2⤵
  PID:1618
- - /usr/bin/whoami
    whoami
    3⤵
    PID:1619
- - /bin/sed
    sed "s/:/ /g"
    3⤵
    - Reads runtime system information
    PID:1622
- - /bin/sed
    sed "s/:/ /g"
    3⤵
    - Reads runtime system information
    PID:1625
- - /usr/bin/cut
    cut -d : -f 1
    3⤵
    PID:1628
- - /usr/bin/cut
    cut -d : -f 2
    3⤵
    PID:1631
- - /usr/bin/basename
    basename /tmp/tmp.vnNKqFRPCq/syntevo-smartsynchronize.desktop
    3⤵
    PID:1632
- - /usr/bin/basename
    basename /tmp/tmp.vnNKqFRPCq/syntevo-smartsynchronize.desktop
    3⤵
    PID:1633
- - /bin/mkdir
    mkdir -p /usr/share//applications
    3⤵
    - Reads runtime system information
    PID:1635
- - /bin/cp
    cp /tmp/tmp.vnNKqFRPCq/syntevo-smartsynchronize.desktop /usr/share//applications/syntevo-smartsynchronize.desktop
    3⤵
    - Creates .desktop file
    - Reads runtime system information
    PID:1636
- - /usr/bin/awk
    awk " { if (match(\$0,/MimeType=/)) { split(substr(\$0,RSTART+9),mimetypes,\";\") for (n in mimetypes) { if (mimetypes[n]) print mimetypes[n] } } }" /usr/share//applications/syntevo-smartsynchronize.desktop
    3⤵
    - Reads runtime system information
    PID:1637
- - /bin/sed
    sed "s/:/ /g"
    3⤵
    - Reads runtime system information
    PID:1640
- - /usr/bin/update-desktop-database
    /usr/bin/update-desktop-database
    3⤵
    PID:1641
- /bin/rm
  rm /tmp/tmp.vnNKqFRPCq/syntevo-smartsynchronize.desktop
  2⤵
  PID:1642
- /bin/rm
  rm -R /tmp/tmp.vnNKqFRPCq
  2⤵
  PID:1643

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

User Execution

T1204

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/sh-thd.ar1kTT

Filesize
301B

MD5
fb53516c34ab5225b8d4e45a06969b6b

SHA1
b3cad45de9d8326d25c1195a06c7554c2f85aee4

SHA256
b8c77d52ca9ed1281426ee7569040d4e606cb8a0914d25f28817ff6234c199ac

SHA512
f5c6d0c7d2353e98a3b20cc2cf08003e3467379791ae11d135379f3a486b7aad13696e1ad9d811aedc016988ad8b086e9e6bbd2e958d74042add5fd9d65cabf1

Download Submit
/usr/share/applications/.mimeinfo.cache.AN6CT2

Filesize
24KB

MD5
076fde864bb9ed2665eabd0d044babc0

SHA1
47111d03ada97075e419b4d992054de2726f124d

SHA256
06c17a40aeaca87da293bb52f73b54168f691fbff71522a5515c85e09222151d

SHA512
b0bf72380617b2db66bc3e30b61cd543a486831292be6c1e05ca40ae63c08bba3a9362b30c05efe7b2b2ee5326b6f7d4731527fbf363d219b541f0c780b0df16

Download Submit
/usr/share/icons/hicolor/.icon-theme.cache

Filesize
18KB

MD5
8524d0de9eb3f60d8806016ea6d24026

SHA1
e890bf7b2adb4b016236ef1eae58ae3603acb673

SHA256
5b6d6dfa9c8f04ebfe3f519ddccc943541cadf41a593b7d51512f1b3ae9dcfc4

SHA512
39ab652e3d865e4c9ab6eb31470b34a0240d7f706ae2b92c3c5c0d72fd9b51df99d3c73edf72dfec6dda7c3396fc9e15214a13c179ecb6986162b72bd0c8952c

Download Submit
/usr/share/icons/hicolor/.icon-theme.cache

Filesize
18KB

MD5
ab383c1f45a152b5712fc460d8b070ad

SHA1
9431e565531e554101d84ce5aed6e3d711557c2b

SHA256
13726785bb973c6b6715a9c27f7b942e0044030cca369c4966a91375e89c2a75

SHA512
ca1a13cfd7322357b11213b64c7b39456580854a8c0788b33562ca88e0ea29a6bfdb3e00392d530bd1c955b831e25c7aa10bb92e3a253da30422d6261ff2e244

Download Submit
/usr/share/icons/hicolor/.icon-theme.cache

Filesize
18KB

MD5
8104eaadd4ec825087caf962106c5baa

SHA1
689683a02495d3b620cc8388931aced5f0a96e12

SHA256
fd5108e82a5aabd7e8cb78c7034ee71b278d27f122ec08308983bc849b022963

SHA512
a91cc4823f69e5879a70a8e42c22181c96aed759811337db095f086be7868413695680dc5bbbc22b5c7af5dc05e36e6b740137cf5edc738f414e948488a0cd98

Download Submit
/usr/share/icons/hicolor/.icon-theme.cache

Filesize
18KB

MD5
fe9d2a3bd30dddf705b3f5bc153ce936

SHA1
9b769aec4002cc8c93602468d565617c8acc3ed0

SHA256
de1b71947d259001f0dd4f7699e1eedc5b82d050bb511fce4eee5770d465126d

SHA512
7d17226606f8d7a945bdc516d6cc868ee37b947300fc7962930995adb97716ce300965f3e9b004a91ef3f65557fed3d1f11d93917c24a247b52b6b564c41de18

Download Submit
/usr/share/icons/hicolor/128x128/apps/syntevo-smartsynchronize.png

Filesize
2KB

MD5
88d7a9e149941ccd1706bdd81b62e79e

SHA1
3dd1dde1f8ebd72419463e802a59bc7760c64095

SHA256
af50e02c177ba2f89b963c431d823b1a6761cb42949ab80bf3d42d9ed5990e91

SHA512
ecc81eebc297491915f251af514923638d24e84d1cbad20ebaf7048ba3c557682f394f7576fcb5ac515d2b5b820efe41daf5ffeacdf7418c3ff7f1d88ff7ef6f

Download Submit
/usr/share/icons/hicolor/32x32/apps/syntevo-smartsynchronize.png

Filesize
927B

MD5
1104e1bd2ec487200d1d5a35bf734cc4

SHA1
adf3bb7906546ba4917212507bfcda6f981dee47

SHA256
3bc6d6841f53f6554509381f2a841719f3e2c74f65ffb8c2169fad31c33611ca

SHA512
00241214bdeba4fbf4e9695b65a4c27404573da37d94c31f85163a94eb9427f790cfebdbb190231ad1619bd381fb8ed4502c08359c4437c5defad6cdd7594dba

Download Submit
/usr/share/icons/hicolor/48x48/apps/syntevo-smartsynchronize.png

Filesize
1KB

MD5
df3f9e84bd9e0c50a2ab3662ce0ccc1c

SHA1
b0b59ae95a576441964f7911a169ecdb6b1d205d

SHA256
a6fd073b65aa9fcd46313450608c422cc2bf760193b9ecfe7ec0c76ecd575f0a

SHA512
926f9d2d1678f3e114246cbd3cff71c72e84aea901ae32352d06ba7baf8eef948cb27615a53cbf53dd11450ca89fd9624d7febc9c347b25ebebe3000f60050cf

Download Submit
/usr/share/icons/hicolor/64x64/apps/syntevo-smartsynchronize.png

Filesize
1KB

MD5
e827c5d6ea0bbd7f4538d800306f47b6

SHA1
491cd7e9233d2ae37c9ae88fe97e34f9834af30d

SHA256
f212dc06f106d4e6fd57e941d2cb1c918525caf6044d3b7d21fe1d50073d4c39

SHA512
60156e306b83ac66d5551aa40931cf82b2144c9983e2a0a5595718564e5446e78231fe573e4eab4584b0f4157c213a49d7e4c8f102b0b131b585ed4c645c4702

Download Submit