a86b877e9e694a1f2b70a3a193fe135b751d78fa1ad4a795f11cbc34d4b78a51

Analysis

max time kernel
4s
max time network
131s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240508-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240508-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
21-11-2024 07:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a86b877e9e694a1f2b70a3a193fe135b751d78fa1ad4a795f11cbc34d4b78a51.sh
Size

24KB
MD5

583c626e8ba30e2c920358b3b1c28519
SHA1

3b96052208c8a976ddc930a91ed7d507f31bc868
SHA256

a86b877e9e694a1f2b70a3a193fe135b751d78fa1ad4a795f11cbc34d4b78a51
SHA512

fd4b8f91a161f3086290e92a2f9502f7005bd83e00535f3376c2827b20ec40754b31250908242311f7f756644a25262794c80b898533dea698e86611274b7fbd
SSDEEP

768:32xRI1YH38QoMfzBIef2Wcu/J5L/J5+15BKll:0IXWcmjAmz

Score

6^/10

antivm discovery execution

Malware Config

Signatures

Enumerates running processes
Discovers information about currently running processes on the system

Checks CPU configuration 1 TTPs 3 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

Processes:

awkawkawk

description	ioc	Process
File opened for reading	/proc/cpuinfo	awk
File opened for reading	/proc/cpuinfo	awk
File opened for reading	/proc/cpuinfo	awk

Reads CPU attributes 1 TTPs 3 IoCs

discovery

System Information Discovery

T1082

Processes:

freefreew

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	free
File opened for reading	/sys/devices/system/cpu/online	free
File opened for reading	/sys/devices/system/cpu/online	w

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

wfreefreeawkdpkgsystemctl

description	ioc	Process
File opened for reading	/proc/12/stat	w
File opened for reading	/proc/27/cmdline	w
File opened for reading	/proc/160/cmdline	w
File opened for reading	/proc/311/cmdline	w
File opened for reading	/proc/452/stat	w
File opened for reading	/proc/1299/stat	w
File opened for reading	/proc/sys/kernel/osrelease	free
File opened for reading	/proc/meminfo	free
File opened for reading	/proc/self/maps	awk
File opened for reading	/proc/268/stat	w
File opened for reading	/proc/1564/stat	w
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/14/cmdline	w
File opened for reading	/proc/35/cmdline	w
File opened for reading	/proc/1113/cmdline	w
File opened for reading	/proc/1172/cmdline	w
File opened for reading	/proc/1522/cmdline	w
File opened for reading	/proc/1524/cmdline	w
File opened for reading	/proc/311/stat	w
File opened for reading	/proc/972/cmdline	w
File opened for reading	/proc/1080/stat	w
File opened for reading	/proc/1148/cmdline	w
File opened for reading	/proc/1189/cmdline	w
File opened for reading	/proc/1328/cmdline	w
File opened for reading	/proc/4/cmdline	w
File opened for reading	/proc/82/stat	w
File opened for reading	/proc/167/cmdline	w
File opened for reading	/proc/203/stat	w
File opened for reading	/proc/418/cmdline	w
File opened for reading	/proc/486/stat	w
File opened for reading	/proc/693/cmdline	w
File opened for reading	/proc/730/stat	w
File opened for reading	/proc/sys/kernel/osrelease	free
File opened for reading	/proc/166/stat	w
File opened for reading	/proc/1566/cmdline	w
File opened for reading	/proc/163/cmdline	w
File opened for reading	/proc/680/cmdline	w
File opened for reading	/proc/965/cmdline	w
File opened for reading	/proc/1129/cmdline	w
File opened for reading	/proc/1331/cmdline	w
File opened for reading	/proc/meminfo	free
File opened for reading	/proc/10/cmdline	w
File opened for reading	/proc/440/cmdline	w
File opened for reading	/proc/1275/cmdline	w
File opened for reading	/proc/1331/stat	w
File opened for reading	/proc/4/stat	w
File opened for reading	/proc/171/stat	w
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/sys/kernel/osrelease	systemctl
File opened for reading	/proc/80/cmdline	w
File opened for reading	/proc/1204/cmdline	w
File opened for reading	/proc/542/cmdline	w
File opened for reading	/proc/585/stat	w
File opened for reading	/proc/1246/stat	w
File opened for reading	/proc/1568/stat	w
File opened for reading	/proc/173/cmdline	w
File opened for reading	/proc/416/cmdline	w
File opened for reading	/proc/417/cmdline	w
File opened for reading	/proc/1161/cmdline	w
File opened for reading	/proc/1274/cmdline	w
File opened for reading	/proc/1521/stat	w
File opened for reading	/proc/2/stat	w
File opened for reading	/proc/175/stat	w
File opened for reading	/proc/27/stat	w

System Network Configuration Discovery 1 TTPs 2 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

Processes:

ipwget

pid	Process
1539	ip
1543	wget

Writes file to tmp directory 64 IoCs

Malware often drops required files in the /tmp directory.

Processes:

apt-getapt-getapt-getapt-gettee

description	ioc	Process
File opened for modification	/tmp/fileutl.message.abvxHl	apt-get
File opened for modification	/tmp/fileutl.message.yVSuD9	apt-get
File opened for modification	/tmp/fileutl.message.xyfPnu	apt-get
File opened for modification	/tmp/fileutl.message.kV0WLz	apt-get
File opened for modification	/tmp/fileutl.message.VH8Z6g	apt-get
File opened for modification	/tmp/fileutl.message.bLVWJn	apt-get
File opened for modification	/tmp/fileutl.message.E8zhCc	apt-get
File opened for modification	/tmp/fileutl.message.dj5xML	apt-get
File opened for modification	/tmp/fileutl.message.a4RFk7	apt-get
File opened for modification	/tmp/fileutl.message.kOZpWD	apt-get
File opened for modification	/tmp/fileutl.message.pUEvwt	apt-get
File opened for modification	/tmp/fileutl.message.yDY3rg	apt-get
File opened for modification	/tmp/fileutl.message.RBcQcc	apt-get
File opened for modification	/tmp/fileutl.message.8hQ3oj	apt-get
File opened for modification	/tmp/fileutl.message.SRWihZ	apt-get
File opened for modification	/tmp/fileutl.message.RbMBRD	apt-get
File opened for modification	/tmp/fileutl.message.RSe0Mm	apt-get
File opened for modification	/tmp/fileutl.message.7KRL9L	apt-get
File opened for modification	/tmp/fileutl.message.gRIjlu	apt-get
File opened for modification	/tmp/fileutl.message.oallab	apt-get
File opened for modification	/tmp/fileutl.message.xxjqhP	apt-get
File opened for modification	/tmp/fileutl.message.8CaGVL	apt-get
File opened for modification	/tmp/fileutl.message.Zbdzkr	apt-get
File opened for modification	/tmp/fileutl.message.0cjZ0R	apt-get
File opened for modification	/tmp/fileutl.message.gzRBRe	apt-get
File opened for modification	/tmp/fileutl.message.ixC67g	apt-get
File opened for modification	/tmp/fileutl.message.qXzW87	apt-get
File opened for modification	/tmp/fileutl.message.ktdDKk	apt-get
File opened for modification	/tmp/fileutl.message.YncsA1	apt-get
File opened for modification	/tmp/fileutl.message.24JWrI	apt-get
File opened for modification	/tmp/fileutl.message.2eXRjq	apt-get
File opened for modification	/tmp/fileutl.message.kFMsEs	apt-get
File opened for modification	/tmp/fileutl.message.uouwrM	apt-get
File opened for modification	/tmp/fileutl.message.zxaTSr	apt-get
File opened for modification	/tmp/fileutl.message.fAvXgU	apt-get
File opened for modification	/tmp/fileutl.message.GFWmui	apt-get
File opened for modification	/tmp/fileutl.message.IEYs0n	apt-get
File opened for modification	/tmp/fileutl.message.eba4t1	apt-get
File opened for modification	/tmp/l2tp.log	tee
File opened for modification	/tmp/fileutl.message.cDOUJ6	apt-get
File opened for modification	/tmp/fileutl.message.IxiEaX	apt-get
File opened for modification	/tmp/fileutl.message.jWzPXh	apt-get
File opened for modification	/tmp/fileutl.message.24TeJL	apt-get
File opened for modification	/tmp/fileutl.message.g1SMN6	apt-get
File opened for modification	/tmp/fileutl.message.sjEXxN	apt-get
File opened for modification	/tmp/fileutl.message.RnRWZU	apt-get
File opened for modification	/tmp/fileutl.message.pdHFp6	apt-get
File opened for modification	/tmp/fileutl.message.aCfkTy	apt-get
File opened for modification	/tmp/fileutl.message.D7gM7E	apt-get
File opened for modification	/tmp/fileutl.message.lWPSI0	apt-get
File opened for modification	/tmp/fileutl.message.aPyTU5	apt-get
File opened for modification	/tmp/fileutl.message.kEgmq6	apt-get
File opened for modification	/tmp/fileutl.message.7aG9w6	apt-get
File opened for modification	/tmp/fileutl.message.6sQ9iH	apt-get
File opened for modification	/tmp/fileutl.message.Hyjxjz	apt-get
File opened for modification	/tmp/fileutl.message.Fh9A4q	apt-get
File opened for modification	/tmp/fileutl.message.pTais6	apt-get
File opened for modification	/tmp/fileutl.message.Cfapna	apt-get
File opened for modification	/tmp/fileutl.message.SPegH3	apt-get
File opened for modification	/tmp/fileutl.message.oJ3Xzr	apt-get
File opened for modification	/tmp/fileutl.message.pd0qts	apt-get
File opened for modification	/tmp/fileutl.message.CQDZ4W	apt-get
File opened for modification	/tmp/fileutl.message.o7rQtJ	apt-get
File opened for modification	/tmp/fileutl.message.abcM6p	apt-get

Software Deployment Tools 1 TTPs 3 IoCs

Use software deployment tools to execute code.

execution

Software Deployment Tools

T1072

Processes:

apt-getapt-getapt-get

pid	Process
1589	apt-get
1626	apt-get
1634	apt-get

/tmp/a86b877e9e694a1f2b70a3a193fe135b751d78fa1ad4a795f11cbc34d4b78a51.sh
/tmp/a86b877e9e694a1f2b70a3a193fe135b751d78fa1ad4a795f11cbc34d4b78a51.sh
1⤵
PID:1527

/usr/local/sbin/bash
bash /tmp/a86b877e9e694a1f2b70a3a193fe135b751d78fa1ad4a795f11cbc34d4b78a51.sh
1⤵
PID:1527

/usr/local/bin/bash
bash /tmp/a86b877e9e694a1f2b70a3a193fe135b751d78fa1ad4a795f11cbc34d4b78a51.sh
1⤵
PID:1527

/usr/sbin/bash
bash /tmp/a86b877e9e694a1f2b70a3a193fe135b751d78fa1ad4a795f11cbc34d4b78a51.sh
1⤵
PID:1527

/usr/bin/bash
bash /tmp/a86b877e9e694a1f2b70a3a193fe135b751d78fa1ad4a795f11cbc34d4b78a51.sh
1⤵
PID:1527

/sbin/bash
bash /tmp/a86b877e9e694a1f2b70a3a193fe135b751d78fa1ad4a795f11cbc34d4b78a51.sh
1⤵
PID:1527

/bin/bash
bash /tmp/a86b877e9e694a1f2b70a3a193fe135b751d78fa1ad4a795f11cbc34d4b78a51.sh
1⤵
PID:1527
- /usr/bin/basename
  basename /tmp/a86b877e9e694a1f2b70a3a193fe135b751d78fa1ad4a795f11cbc34d4b78a51.sh
  2⤵
  PID:1529
- /usr/bin/tee
  tee /tmp/l2tp.log
  2⤵
  - Writes file to tmp directory
  PID:1531
- /usr/bin/clear
  clear
  2⤵
  PID:1532
- /bin/grep
  grep "SELINUX=enforcing" /etc/selinux/config
  2⤵
  PID:1533
- /bin/grep
  grep -Eqi debian
  2⤵
  PID:1535
- /bin/cat
  cat /etc/issue
  2⤵
  PID:1534
- /bin/grep
  grep -Eqi ubuntu
  2⤵
  PID:1537
- /bin/cat
  cat /etc/issue
  2⤵
  PID:1536
- /usr/bin/head
  head -n 1
  2⤵
  PID:1542
- /bin/egrep
  egrep -v "^192\\.168|^172\\.1[6-9]\\.|^172\\.2[0-9]\\.|^172\\.3[0-2]\\.|^10\\.|^127\\.|^255\\.|^0\\."
  2⤵
  PID:1541
- /bin/egrep
  egrep -o "[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}"
  2⤵
  PID:1540
- /bin/grep
  grep -E -v "^192\\.168|^172\\.1[6-9]\\.|^172\\.2[0-9]\\.|^172\\.3[0-2]\\.|^10\\.|^127\\.|^255\\.|^0\\."
  2⤵
  PID:1541
- /bin/grep
  grep -E -o "[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}"
  2⤵
  PID:1540
- /bin/ip
  ip addr
  2⤵
  - System Network Configuration Discovery
  PID:1539
- /usr/bin/wget
  wget -qO- -t1 -T2 ipv4.icanhazip.com
  2⤵
  - System Network Configuration Discovery
  PID:1543
- /bin/sed
  sed "s/^[ \\t]*//;s/[ \\t]*\$//"
  2⤵
  PID:1552
- /usr/bin/awk
  awk -F: "/model name/ {name=\$2} END {print name}" /proc/cpuinfo
  2⤵
  - Checks CPU configuration
  PID:1551
- /usr/bin/awk
  awk -F: "/model name/ {core++} END {print core}" /proc/cpuinfo
  2⤵
  - Checks CPU configuration
  PID:1553
- /bin/sed
  sed "s/^[ \\t]*//;s/[ \\t]*\$//"
  2⤵
  PID:1556
- /usr/bin/awk
  awk -F: "/cpu MHz/ {freq=\$2} END {print freq}" /proc/cpuinfo
  2⤵
  - Checks CPU configuration
  PID:1555
- /usr/bin/awk
  awk "/Mem/ {print \$2}"
  2⤵
  PID:1559
- /usr/bin/free
  free -m
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1558
- /usr/bin/awk
  awk "/Swap/ {print \$2}"
  2⤵
  PID:1562
- /usr/bin/free
  free -m
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1561
- /usr/bin/awk
  awk "{a=\$1/86400;b=(\$1%86400)/3600;c=(\$1%3600)/60;d=\$1%60} {printf(\"%ddays, %d:%d:%d\\n\",a,b,c,d)}" /proc/uptime
  2⤵
  PID:1563
- /bin/sed
  sed "s/^[ \\t]*//;s/[ \\t]*\$//"
  2⤵
  PID:1568
- /usr/bin/awk
  awk "-Fload average:" "{print \$2}"
  2⤵
  PID:1567
- /usr/bin/head
  head -1
  2⤵
  PID:1566
- /usr/bin/w
  w
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1565
- /usr/bin/awk
  awk "-F[= \"]" "/PRETTY_NAME/{print \$3,\$4,\$5}" /etc/os-release
  2⤵
  - Reads runtime system information
  PID:1570
- /bin/uname
  uname -m
  2⤵
  PID:1571
- /usr/bin/getconf
  getconf LONG_BIT
  2⤵
  PID:1572
- /bin/hostname
  hostname
  2⤵
  PID:1573
- /bin/uname
  uname -r
  2⤵
  PID:1574
- /bin/stty
  stty -g
  2⤵
  PID:1577
- /bin/stty
  stty -echo
  2⤵
  PID:1578
- /bin/stty
  stty cbreak
  2⤵
  PID:1579
- /bin/dd
  dd "if=/dev/tty" "bs=1" "count=1"
  2⤵
  PID:1580
- /bin/stty
  stty -raw
  2⤵
  PID:1581
- /bin/stty
  stty echo
  2⤵
  PID:1582
- /bin/stty
  stty
  2⤵
  PID:1583
- /bin/mknod
  mknod /dev/random c 1 9
  2⤵
  PID:1584
- /bin/grep
  grep -Eqi debian
  2⤵
  PID:1586
- /bin/cat
  cat /etc/issue
  2⤵
  PID:1585
- /bin/grep
  grep -Eqi ubuntu
  2⤵
  PID:1588
- /bin/cat
  cat /etc/issue
  2⤵
  PID:1587
- /usr/bin/apt-get
  apt-get -y update
  2⤵
  - Writes file to tmp directory
  - Software Deployment Tools
  PID:1589
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    PID:1590
- - /usr/lib/apt/methods/http
    /usr/lib/apt/methods/http
    3⤵
    PID:1591
- - /usr/lib/apt/methods/https
    /usr/lib/apt/methods/https
    3⤵
    PID:1592
- - /bin/sh
    sh -c "[ ! -e /run/systemd/system ] || [ \$(id -u) -ne 0 ] || systemctl start --no-block apt-news.service esm-cache.service || true"
    3⤵
    PID:1594
  - - /usr/bin/id
      id -u
      4⤵
      PID:1595
  - - /bin/systemctl
      systemctl start --no-block apt-news.service esm-cache.service
      4⤵
      Reads runtime system information
      PID:1596
- - /usr/lib/apt/methods/https
    /usr/lib/apt/methods/https
    3⤵
    PID:1603
- - /usr/lib/apt/methods/http
    /usr/lib/apt/methods/http
    3⤵
    PID:1604
- - /usr/lib/apt/methods/http
    /usr/lib/apt/methods/http
    3⤵
    PID:1605
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    PID:1612
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    PID:1613
- /bin/grep
  grep -Eqi debian
  2⤵
  PID:1615
- /bin/cat
  cat /etc/issue
  2⤵
  PID:1614
- /bin/grep
  grep -Eqi ubuntu
  2⤵
  PID:1617
- /bin/cat
  cat /etc/issue
  2⤵
  PID:1616
- /usr/bin/apt-get
  apt-get -y install wget gcc ppp flex bison make python libnss3-dev libnss3-tools libselinux-dev iptables libnspr4-dev pkg-config libpam0g-dev libcap-ng-dev libcap-ng-utils libunbound-dev libevent-dev libcurl4-nss-dev libsystemd-dev
  2⤵
  - Writes file to tmp directory
  PID:1618
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    PID:1619
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    PID:1620
- - /usr/lib/apt/methods/http
    /usr/lib/apt/methods/http
    3⤵
    PID:1621
- - /usr/lib/apt/methods/http
    /usr/lib/apt/methods/http
    3⤵
    PID:1622
- /usr/bin/apt-get
  apt-get -y --no-install-recommends install xmlto
  2⤵
  - Writes file to tmp directory
  - Software Deployment Tools
  PID:1626
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:1627
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    PID:1628
- - /usr/lib/apt/methods/http
    /usr/lib/apt/methods/http
    3⤵
    PID:1629
- - /usr/lib/apt/methods/http
    /usr/lib/apt/methods/http
    3⤵
    PID:1630
- /usr/bin/apt-get
  apt-get -y install xl2tpd
  2⤵
  - Writes file to tmp directory
  - Software Deployment Tools
  PID:1634
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    PID:1635
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    PID:1636
- - /usr/lib/apt/methods/http
    /usr/lib/apt/methods/http
    3⤵
    PID:1637
- - /usr/lib/apt/methods/http
    /usr/lib/apt/methods/http
    3⤵
    PID:1638
- /bin/rm
  rm -rf /tmp/l2tp
  2⤵
  PID:1642
- /bin/mkdir
  mkdir -p /tmp/l2tp
  2⤵
  PID:1643
- /usr/bin/wget
  wget -c -t3 -T60 https://dl.lamp.sh/files/libreswan-3.27.tar.gz
  2⤵
  PID:1644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Software Deployment Tools

T1072

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Software Deployment Tools

T1072

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/fileutl.message.pdHFp6

Filesize
235KB

MD5
373fe2f2ef99005d2550a482f09a3e51

SHA1
68e6572b55b1e77f7d171ebac7b2579b7a6bd51d

SHA256
7552d5ab0c3879756a860aaab8e7c2f8ffb9409ea9ff9e65fc046ba5c519ebe5

SHA512
def9e854b824d2fddc6a15f898be73cfb679ac38563f5af854546f49c9d5d2316a40176dc41d6b360bda7b65de53863a53e4eedadf6336000b031b77a113607b

Download Submit
/tmp/l2tp.log

Filesize
4KB

MD5
e32af2c5f3725e422ba815255642f599

SHA1
3607977a023a2740608caa53105783954ff4e2ff

SHA256
cf119da5393f59c30f2448299e6820ee75a4d5f6c420d59100dac620a393ada9

SHA512
da0145de9299564d7965f57aa65e9d203bbe2e41ca4ee0eeaa18a790d0655b0a1c311d341e91d6bfe6deee4d8c339e7769923416f2e8e613cb858f426cf7e69c

Download Submit