Overview

overview

7

Static

static

1

f57892b0ef...a34.sh

ubuntu-18.04-amd64

7

f57892b0ef...a34.sh

debian-9-armhf

4

f57892b0ef...a34.sh

debian-9-mips

6

f57892b0ef...a34.sh

debian-9-mipsel

6

Sharing

Copy URL
Twitter E-mail

General

  • Target

    f57892b0ef5678cf46a32964789fca7b2395527e05c98105bb4dd81d1da78a34.sh

  • Size

    816KB

  • Sample

    241121-ks31esvnbp

  • MD5

    0e1f041d4e0c23943e0b046520c9cd07

  • SHA1

    d7d93deda88b8c0615eb45861d80a4f48525ab3a

  • SHA256

    f57892b0ef5678cf46a32964789fca7b2395527e05c98105bb4dd81d1da78a34

  • SHA512

    677f6b1268c8ed8f8f62b2149ea41c44df741bd44ba8dbcb987732049d2889676c6610d823350ace5d13d9a93c9a1b47021dde3bc4e9645cbfb9714b7fd7866e

  • SSDEEP

    6144:aOtG23KlUK0LZqV8FxkZ5zPulEdHqZ7rhhVbGdQ3CPlHMpsgdce2Nkba/Jp5IsTj:WiLd5dawKnDTyw3psYEI

Score
7/10
antivmcredential_accessdefense_evasiondiscoveryexecutionlinuxprivilege_escalation

Malware Config

Targets

    • Target

      f57892b0ef5678cf46a32964789fca7b2395527e05c98105bb4dd81d1da78a34.sh

    • Size

      816KB

    • MD5

      0e1f041d4e0c23943e0b046520c9cd07

    • SHA1

      d7d93deda88b8c0615eb45861d80a4f48525ab3a

    • SHA256

      f57892b0ef5678cf46a32964789fca7b2395527e05c98105bb4dd81d1da78a34

    • SHA512

      677f6b1268c8ed8f8f62b2149ea41c44df741bd44ba8dbcb987732049d2889676c6610d823350ace5d13d9a93c9a1b47021dde3bc4e9645cbfb9714b7fd7866e

    • SSDEEP

      6144:aOtG23KlUK0LZqV8FxkZ5zPulEdHqZ7rhhVbGdQ3CPlHMpsgdce2Nkba/Jp5IsTj:WiLd5dawKnDTyw3psYEI

    Score
    7/10
    antivmcredential_accessdefense_evasiondiscoveryexecutionprivilege_escalation

    • Looks for SUID binaries

      Searches the filesystem for potential binaries to be used for privilege escalation (common during reconnaissance activity).

    • OS Credential Dumping

      Adversaries may attempt to dump credentials to use it in password cracking.

      credential_access

    • Abuse Elevation Control Mechanism: Sudo and Sudo Caching

      Abuse sudo or cached sudo credentials to execute code.

      privilege_escalationdefense_evasion

    • Reads AppArmor ptrace settings

      Discovery of allowed ptrace capabilities by AppArmor.

      discovery

    • Checks hardware identifiers (DMI)

      Checks DMI information which indicate if the system is a virtual machine.

      antivm

    • Enumerates running processes

      Discovers information about currently running processes on the system

    • Reads data from the clipboard

      Attempts to collect data stored in the clipboard using xclip tool.

    • Reads hardware information

      Accesses system info like serial numbers, manufacturer names etc.

      discovery

    • Reads network interface configuration

      Fetches information about one or more active network interfaces.

      discovery

    • Virtualization/Sandbox Evasion: Time Based Evasion

      Adversaries may detect and evade virtualized environments and sandboxes.

      defense_evasion
    behavioral1behavioral2behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Software Deployment Tools

1
T1072

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Sudo and Sudo Caching

1
T1548.003

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Sudo and Sudo Caching

1
T1548.003

Deobfuscate/Decode Files or Information

1
T1140

Virtualization/Sandbox Evasion

3
T1497

System Checks

2
T1497.001

Time Based Evasion

1
T1497.003

Credential Access

OS Credential Dumping

1
T1003

/etc/passwd and /etc/shadow

1
T1003.008

Discovery

System Information Discovery

4
T1082

System Network Configuration Discovery

3
T1016

Internet Connection Discovery

1
T1016.001

System Network Connections Discovery

1
T1049

Virtualization/Sandbox Evasion

3
T1497

System Checks

2
T1497.001

Time Based Evasion

1
T1497.003

Lateral Movement

Software Deployment Tools

1
T1072

Collection

Command and Control

Exfiltration

Impact

Tasks