a86b877e9e694a1f2b70a3a193fe135b751d78fa1ad4a795f11cbc34d4b78a51

Analysis

max time kernel
22s
max time network
24s
platform
debian-9_armhf
resource
debian9-armhf-20240729-en
resource tags

arch:armhfimage:debian9-armhf-20240729-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
21-11-2024 07:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a86b877e9e694a1f2b70a3a193fe135b751d78fa1ad4a795f11cbc34d4b78a51.sh
Size

24KB
MD5

583c626e8ba30e2c920358b3b1c28519
SHA1

3b96052208c8a976ddc930a91ed7d507f31bc868
SHA256

a86b877e9e694a1f2b70a3a193fe135b751d78fa1ad4a795f11cbc34d4b78a51
SHA512

fd4b8f91a161f3086290e92a2f9502f7005bd83e00535f3376c2827b20ec40754b31250908242311f7f756644a25262794c80b898533dea698e86611274b7fbd
SSDEEP

768:32xRI1YH38QoMfzBIef2Wcu/J5L/J5+15BKll:0IXWcmjAmz

Score

6^/10

antivm discovery execution

Malware Config

Signatures

Enumerates running processes
Discovers information about currently running processes on the system

Checks CPU configuration 1 TTPs 4 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

Processes:

awkawkawkhttps

description	ioc	Process
File opened for reading	/proc/cpuinfo	awk
File opened for reading	/proc/cpuinfo	awk
File opened for reading	/proc/cpuinfo	awk
File opened for reading	/proc/cpuinfo	https

Reads CPU attributes 1 TTPs 3 IoCs

discovery

System Information Discovery

T1082

Processes:

freefreew

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	free
File opened for reading	/sys/devices/system/cpu/online	free
File opened for reading	/sys/devices/system/cpu/online	w

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

freewmknodfreeseddpkgapt-getawk

description	ioc	Process
File opened for reading	/proc/sys/kernel/osrelease	free
File opened for reading	/proc/2/cmdline	w
File opened for reading	/proc/4/stat	w
File opened for reading	/proc/270/stat	w
File opened for reading	/proc/278/stat	w
File opened for reading	/proc/647/cmdline	w
File opened for reading	/proc/4/cmdline	w
File opened for reading	/proc/27/cmdline	w
File opened for reading	/proc/303/cmdline	w
File opened for reading	/proc/647/stat	w
File opened for reading	/proc/filesystems	mknod
File opened for reading	/proc/sys/kernel/osrelease	free
File opened for reading	/proc/7/stat	w
File opened for reading	/proc/13/cmdline	w
File opened for reading	/proc/14/stat	w
File opened for reading	/proc/16/cmdline	w
File opened for reading	/proc/143/cmdline	w
File opened for reading	/proc/9/stat	w
File opened for reading	/proc/18/cmdline	w
File opened for reading	/proc/41/stat	w
File opened for reading	/proc/41/cmdline	w
File opened for reading	/proc/75/stat	w
File opened for reading	/proc/6/stat	w
File opened for reading	/proc/43/stat	w
File opened for reading	/proc/104/cmdline	w
File opened for reading	/proc/300/cmdline	w
File opened for reading	/proc/578/cmdline	w
File opened for reading	/proc/1/stat	w
File opened for reading	/proc/315/cmdline	w
File opened for reading	/proc/581/cmdline	w
File opened for reading	/proc/639/cmdline	w
File opened for reading	/proc/640/stat	w
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/29/cmdline	w
File opened for reading	/proc/600/stat	w
File opened for reading	/proc/702/stat	w
File opened for reading	/proc/13/stat	w
File opened for reading	/proc/22/stat	w
File opened for reading	/proc/152/stat	w
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/self/fd	apt-get
File opened for reading	/proc/42/cmdline	w
File opened for reading	/proc/104/stat	w
File opened for reading	/proc/164/stat	w
File opened for reading	/proc/278/cmdline	w
File opened for reading	/proc/705/stat	w
File opened for reading	/proc/12/stat	w
File opened for reading	/proc/21/stat	w
File opened for reading	/proc/29/stat	w
File opened for reading	/proc/315/stat	w
File opened for reading	/proc/650/cmdline	w
File opened for reading	/proc/658/stat	w
File opened for reading	/proc/6/cmdline	w
File opened for reading	/proc/9/cmdline	w
File opened for reading	/proc/26/cmdline	w
File opened for reading	/proc/43/cmdline	w
File opened for reading	/proc/279/cmdline	w
File opened for reading	/proc/579/stat	w
File opened for reading	/proc/591/stat	w
File opened for reading	/proc/701/cmdline	w
File opened for reading	/proc/704/cmdline	w
File opened for reading	/proc/self/maps	awk
File opened for reading	/proc/17/stat	w
File opened for reading	/proc/19/cmdline	w

System Network Configuration Discovery 1 TTPs 2 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

Processes:

ipwget

pid	Process
669	ip
678	wget

Writes file to tmp directory 20 IoCs

Malware often drops required files in the /tmp directory.

Processes:

apt-getapt-getapt-getapt-gettee

description	ioc	Process
File opened for modification	/tmp/fileutl.message.4OOGAW	apt-get
File opened for modification	/tmp/fileutl.message.gpHWWY	apt-get
File opened for modification	/tmp/fileutl.message.HiOBoi	apt-get
File opened for modification	/tmp/fileutl.message.0IAXs9	apt-get
File opened for modification	/tmp/fileutl.message.oDrfYY	apt-get
File opened for modification	/tmp/fileutl.message.KNJBhp	apt-get
File opened for modification	/tmp/fileutl.message.OLHCNk	apt-get
File opened for modification	/tmp/fileutl.message.HB2No1	apt-get
File opened for modification	/tmp/fileutl.message.mYJsYJ	apt-get
File opened for modification	/tmp/l2tp.log	tee
File opened for modification	/tmp/fileutl.message.aopHHT	apt-get
File opened for modification	/tmp/fileutl.message.2dJvct	apt-get
File opened for modification	/tmp/fileutl.message.lwjY5k	apt-get
File opened for modification	/tmp/fileutl.message.KgT7tW	apt-get
File opened for modification	/tmp/fileutl.message.0rXA0N	apt-get
File opened for modification	/tmp/fileutl.message.iHKc9a	apt-get
File opened for modification	/tmp/fileutl.message.mmsUaj	apt-get
File opened for modification	/tmp/fileutl.message.J1YtLF	apt-get
File opened for modification	/tmp/fileutl.message.2WSFkV	apt-get
File opened for modification	/tmp/fileutl.message.WgOR5q	apt-get

Software Deployment Tools 1 TTPs 3 IoCs

Use software deployment tools to execute code.

execution

Software Deployment Tools

T1072

Processes:

apt-getapt-getapt-get

pid	Process
792	apt-get
725	apt-get
790	apt-get

/tmp/a86b877e9e694a1f2b70a3a193fe135b751d78fa1ad4a795f11cbc34d4b78a51.sh
/tmp/a86b877e9e694a1f2b70a3a193fe135b751d78fa1ad4a795f11cbc34d4b78a51.sh
1⤵
PID:647

/usr/local/sbin/bash
bash /tmp/a86b877e9e694a1f2b70a3a193fe135b751d78fa1ad4a795f11cbc34d4b78a51.sh
1⤵
PID:647

/usr/local/bin/bash
bash /tmp/a86b877e9e694a1f2b70a3a193fe135b751d78fa1ad4a795f11cbc34d4b78a51.sh
1⤵
PID:647

/usr/sbin/bash
bash /tmp/a86b877e9e694a1f2b70a3a193fe135b751d78fa1ad4a795f11cbc34d4b78a51.sh
1⤵
PID:647

/usr/bin/bash
bash /tmp/a86b877e9e694a1f2b70a3a193fe135b751d78fa1ad4a795f11cbc34d4b78a51.sh
1⤵
PID:647

/sbin/bash
bash /tmp/a86b877e9e694a1f2b70a3a193fe135b751d78fa1ad4a795f11cbc34d4b78a51.sh
1⤵
PID:647

/bin/bash
bash /tmp/a86b877e9e694a1f2b70a3a193fe135b751d78fa1ad4a795f11cbc34d4b78a51.sh
1⤵
PID:647
- /usr/bin/basename
  basename /tmp/a86b877e9e694a1f2b70a3a193fe135b751d78fa1ad4a795f11cbc34d4b78a51.sh
  2⤵
  PID:656
- /usr/bin/tee
  tee /tmp/l2tp.log
  2⤵
  - Writes file to tmp directory
  PID:659
- /usr/bin/clear
  clear
  2⤵
  PID:660
- /bin/grep
  grep "SELINUX=enforcing" /etc/selinux/config
  2⤵
  PID:662
- /bin/cat
  cat /etc/issue
  2⤵
  PID:665
- /bin/grep
  grep -Eqi debian
  2⤵
  PID:666
- /bin/ip
  ip addr
  2⤵
  - System Network Configuration Discovery
  PID:669
- /bin/egrep
  egrep -o "[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}"
  2⤵
  PID:670
- /bin/egrep
  egrep -v "^192\\.168|^172\\.1[6-9]\\.|^172\\.2[0-9]\\.|^172\\.3[0-2]\\.|^10\\.|^127\\.|^255\\.|^0\\."
  2⤵
  PID:672
- /usr/bin/head
  head -n 1
  2⤵
  PID:673
- /bin/grep
  grep -E -o "[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}"
  2⤵
  PID:670
- /bin/grep
  grep -E -v "^192\\.168|^172\\.1[6-9]\\.|^172\\.2[0-9]\\.|^172\\.3[0-2]\\.|^10\\.|^127\\.|^255\\.|^0\\."
  2⤵
  PID:672
- /usr/bin/wget
  wget -qO- -t1 -T2 ipv4.icanhazip.com
  2⤵
  - System Network Configuration Discovery
  PID:678
- /usr/bin/awk
  awk -F: "/model name/ {name=\$2} END {print name}" /proc/cpuinfo
  2⤵
  - Checks CPU configuration
  PID:682
- /bin/sed
  sed "s/^[ \\t]*//;s/[ \\t]*\$//"
  2⤵
  PID:683
- /usr/bin/awk
  awk -F: "/model name/ {core++} END {print core}" /proc/cpuinfo
  2⤵
  - Checks CPU configuration
  PID:685
- /usr/bin/awk
  awk -F: "/cpu MHz/ {freq=\$2} END {print freq}" /proc/cpuinfo
  2⤵
  - Checks CPU configuration
  PID:688
- /bin/sed
  sed "s/^[ \\t]*//;s/[ \\t]*\$//"
  2⤵
  - Reads runtime system information
  PID:689
- /usr/bin/free
  free -m
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:693
- /usr/bin/awk
  awk "/Mem/ {print \$2}"
  2⤵
  PID:694
- /usr/bin/free
  free -m
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:697
- /usr/bin/awk
  awk "/Swap/ {print \$2}"
  2⤵
  - Reads runtime system information
  PID:698
- /usr/bin/awk
  awk "{a=\$1/86400;b=(\$1%86400)/3600;c=(\$1%3600)/60;d=\$1%60} {printf(\"%ddays, %d:%d:%d\\n\",a,b,c,d)}" /proc/uptime
  2⤵
  PID:700
- /usr/bin/w
  w
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:702
- /usr/bin/head
  head -1
  2⤵
  PID:703
- /bin/sed
  sed "s/^[ \\t]*//;s/[ \\t]*\$//"
  2⤵
  PID:705
- /usr/bin/awk
  awk "-Fload average:" "{print \$2}"
  2⤵
  PID:704
- /usr/bin/awk
  awk "-F[= \"]" "/PRETTY_NAME/{print \$3,\$4,\$5}" /etc/os-release
  2⤵
  PID:708
- /bin/uname
  uname -m
  2⤵
  PID:709
- /usr/bin/getconf
  getconf LONG_BIT
  2⤵
  PID:710
- /bin/hostname
  hostname
  2⤵
  PID:711
- /bin/uname
  uname -r
  2⤵
  PID:712
- /bin/stty
  stty -g
  2⤵
  PID:715
- /bin/stty
  stty -echo
  2⤵
  PID:716
- /bin/stty
  stty cbreak
  2⤵
  PID:717
- /bin/dd
  dd "if=/dev/tty" "bs=1" "count=1"
  2⤵
  PID:718
- /bin/stty
  stty -raw
  2⤵
  PID:719
- /bin/stty
  stty echo
  2⤵
  PID:720
- /bin/stty
  stty
  2⤵
  PID:721
- /bin/mknod
  mknod /dev/random c 1 9
  2⤵
  - Reads runtime system information
  PID:722
- /bin/cat
  cat /etc/issue
  2⤵
  PID:723
- /bin/grep
  grep -Eqi debian
  2⤵
  PID:724
- /usr/bin/apt-get
  apt-get -y update
  2⤵
  - Writes file to tmp directory
  - Software Deployment Tools
  PID:725
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    PID:726
- - /usr/lib/apt/methods/http
    /usr/lib/apt/methods/http
    3⤵
    PID:728
- - /usr/lib/apt/methods/https
    /usr/lib/apt/methods/https
    3⤵
    PID:730
- - /usr/lib/apt/methods/https
    /usr/lib/apt/methods/https
    3⤵
    - Checks CPU configuration
    PID:731
- - /usr/lib/apt/methods/http
    /usr/lib/apt/methods/http
    3⤵
    PID:732
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    PID:740
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:780
- /bin/grep
  grep -Eqi debian
  2⤵
  PID:782
- /bin/cat
  cat /etc/issue
  2⤵
  PID:781
- /usr/bin/awk
  awk "-F[= \"]" "/PRETTY_NAME/{print \$3,\$4,\$5}" /etc/os-release
  2⤵
  PID:784
- /bin/sed
  sed "s/[^0-9]//g"
  2⤵
  PID:787
- /usr/bin/apt-get
  apt-get -y install wget gcc ppp flex bison make python libnss3-dev libnss3-tools libselinux-dev iptables libnspr4-dev pkg-config libpam0g-dev libcap-ng-dev libcap-ng-utils libunbound-dev libevent-dev libcurl4-nss-dev libsystemd-dev
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:788
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    PID:789
- /usr/bin/apt-get
  apt-get -y --no-install-recommends install xmlto
  2⤵
  - Writes file to tmp directory
  - Software Deployment Tools
  PID:790
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    PID:791
- /usr/bin/apt-get
  apt-get -y install xl2tpd
  2⤵
  - Writes file to tmp directory
  - Software Deployment Tools
  PID:792
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    PID:793
- /bin/rm
  rm -rf /tmp/l2tp
  2⤵
  PID:796
- /bin/mkdir
  mkdir -p /tmp/l2tp
  2⤵
  PID:797
- /usr/bin/wget
  wget -c -t3 -T60 https://dl.lamp.sh/files/libreswan-3.27.tar.gz
  2⤵
  PID:798

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Software Deployment Tools

T1072

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Software Deployment Tools

T1072

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/l2tp.log

Filesize
2KB

MD5
ca42063c163a6c0bba74e4c1c44b2365

SHA1
d710e1a228acdab78ab2c985502ac8c550cb00b5

SHA256
bb9cd8ba408c5160c9124a36e978f5029e7ece443783f86a536d159a3863a3be

SHA512
11369c2b323a48cbaa027759b6ba18ffb1c76b669f75943a3e0452b933f132df45561de38900ff5706c8fb445e6ddf86163f3e2b9f668d7dfce856bb11addb99

Download Submit