717d574ab49230cd228c2c0fa25ca5f818bf894f2eae16c68d7843d7f81f6cc0

Analysis

max time kernel
149s
max time network
57s
platform
debian-9_armhf
resource
debian9-armhf-20240611-en
resource tags

arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
02-12-2024 18:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PoshC2-master/Install-for-Docker.sh
Size

6KB
MD5

e9491135cfba0744d0914440a3abea51
SHA1

01d1eeaec2d63dfcff7b2d8f0b905666648284d7
SHA256

df058ab09ac2a11282ae0dab69a48dbfb9be73a1abb0c9820be7281b4c78c84f
SHA512

0821f0eec3e59e94e80ba372d7e159dd6a4c513b200c1b59e34bac6282a5e808a5f0b3ccc2c970a0ba6c3df72fa7e34f75aab451594035dfa20c8b777d449334
SSDEEP

192:BeCRfODs6lH2ouNZLwUsp3lTLGmU6y22Xox:TyGbIx

Score

6^/10

antivm discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

Processes:

flow	ioc
1	raw.githubusercontent.com

Checks CPU configuration 1 TTPs 1 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

Processes:

curl

description	ioc	Process
File opened for reading	/proc/cpuinfo	curl

Reads runtime system information 3 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

idcurl

description	ioc	Process
File opened for reading	/proc/filesystems	id
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl

System Network Configuration Discovery 1 TTPs 1 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

Processes:

curl

pid	Process
776	curl

/tmp/PoshC2-master/Install-for-Docker.sh
/tmp/PoshC2-master/Install-for-Docker.sh
1⤵
PID:751
- /usr/bin/id
  id -u
  2⤵
  - Reads runtime system information
  PID:754
- /bin/rm
  rm -f /usr/local/bin/_posh-common
  2⤵
  PID:758
- /bin/rm
  rm -f /usr/local/bin/fpc
  2⤵
  PID:759
- /bin/rm
  rm -f /usr/local/bin/posh
  2⤵
  PID:760
- /bin/rm
  rm -f /usr/local/bin/posh-server
  2⤵
  PID:762
- /bin/rm
  rm -f /usr/local/bin/posh-config
  2⤵
  PID:764
- /bin/rm
  rm -f /usr/local/bin/posh-log
  2⤵
  PID:765
- /bin/rm
  rm -f /usr/local/bin/posh-service
  2⤵
  PID:766
- /bin/rm
  rm -f /usr/local/bin/posh-stop-service
  2⤵
  PID:767
- /bin/rm
  rm -f /usr/local/bin/posh-project
  2⤵
  PID:769
- /bin/rm
  rm -f /usr/local/bin/posh-docker-clean
  2⤵
  PID:770
- /bin/rm
  rm -f /usr/local/bin/posh-stop-server
  2⤵
  PID:772
- /bin/rm
  rm -f /usr/local/bin/posh-docker-debug
  2⤵
  PID:773
- /bin/rm
  rm -f /usr/local/bin/sharpsocks
  2⤵
  PID:774
- /usr/bin/curl
  curl https://raw.githubusercontent.com/nettitude/PoshC2/master/resources/scripts/_posh-common -o /usr/local/bin/_posh-common
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - System Network Configuration Discovery
  PID:776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

System Network Configuration Discovery

T1016

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads