Analysis

  • max time kernel
    82s
  • max time network
    130s
  • platform
    debian-9_mipsel
  • resource
    debian9-mipsel-20240226-en
  • resource tags

    arch:mipsel
    image:debian9-mipsel-20240226-en
    kernel:4.9.0-13-4kc-malta
    locale:en-us
    os:debian-9-mipsel
    system
  • submitted
    02-12-2024 18:22

General

  • Target

    PoshC2-master/Install-for-Docker.sh

  • Size

    6KB

  • MD5

    e9491135cfba0744d0914440a3abea51

  • SHA1

    01d1eeaec2d63dfcff7b2d8f0b905666648284d7

  • SHA256

    df058ab09ac2a11282ae0dab69a48dbfb9be73a1abb0c9820be7281b4c78c84f

  • SHA512

    0821f0eec3e59e94e80ba372d7e159dd6a4c513b200c1b59e34bac6282a5e808a5f0b3ccc2c970a0ba6c3df72fa7e34f75aab451594035dfa20c8b777d449334

  • SSDEEP

    192:BeCRfODs6lH2ouNZLwUsp3lTLGmU6y22Xox:TyGbIx

Malware Config

Signatures

  • File and Directory Permissions Modification 1 TTPs 13 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 28 IoCs
  • Write file to user bin folder 13 IoCs
  • Reads runtime system information 16 IoCs

    Reads data from /proc virtual filesystem.

  • System Network Configuration Discovery 1 TTPs 7 IoCs

    Adversaries may gather information about the network configuration of a system.

Processes

  • /tmp/PoshC2-master/Install-for-Docker.sh
    /tmp/PoshC2-master/Install-for-Docker.sh
    1⤵
      PID:732
      • /usr/bin/id
        id -u
        2⤵
        • Reads runtime system information
        PID:736
      • /bin/rm
        rm -f /usr/local/bin/_posh-common
        2⤵
        PID:737
      • /bin/rm
        rm -f /usr/local/bin/fpc
        2⤵
        PID:738
      • /bin/rm
        rm -f /usr/local/bin/posh
        2⤵
        PID:739
      • /bin/rm
        rm -f /usr/local/bin/posh-server
        2⤵
        PID:740
      • /bin/rm
        rm -f /usr/local/bin/posh-config
        2⤵
        PID:741
      • /bin/rm
        rm -f /usr/local/bin/posh-log
        2⤵
        PID:742
      • /bin/rm
        rm -f /usr/local/bin/posh-service
        2⤵
        PID:743
      • /bin/rm
        rm -f /usr/local/bin/posh-stop-service
        2⤵
        PID:744
      • /bin/rm
        rm -f /usr/local/bin/posh-project
        2⤵
        PID:745
      • /bin/rm
        rm -f /usr/local/bin/posh-docker-clean
        2⤵
        PID:746
      • /bin/rm
        rm -f /usr/local/bin/posh-stop-server
        2⤵
        PID:747
      • /bin/rm
        rm -f /usr/local/bin/posh-docker-debug
        2⤵
        PID:748
      • /bin/rm
        rm -f /usr/local/bin/sharpsocks
        2⤵
        PID:749
      • /usr/bin/curl
        curl https://raw.githubusercontent.com/nettitude/PoshC2/master/resources/scripts/_posh-common -o /usr/local/bin/_posh-common
        2⤵
        • Write file to user bin folder
        • Reads runtime system information
        • System Network Configuration Discovery
        PID:750
      • /usr/bin/curl
        curl https://raw.githubusercontent.com/nettitude/PoshC2/master/resources/scripts/fpc -o /usr/local/bin/fpc
        2⤵
        • Write file to user bin folder
        • Reads runtime system information
        • System Network Configuration Discovery
        PID:758
      • /usr/bin/curl
        curl https://raw.githubusercontent.com/nettitude/PoshC2/master/resources/scripts/posh-docker -o /usr/local/bin/posh
        2⤵
        • Write file to user bin folder
        • Reads runtime system information
        PID:770
      • /usr/bin/curl
        curl https://raw.githubusercontent.com/nettitude/PoshC2/master/resources/scripts/posh-docker-server -o /usr/local/bin/posh-server
        2⤵
        • Write file to user bin folder
        • Reads runtime system information
        PID:781
      • /usr/bin/curl
        curl https://raw.githubusercontent.com/nettitude/PoshC2/master/resources/scripts/posh-config -o /usr/local/bin/posh-config
        2⤵
        • Write file to user bin folder
        • Reads runtime system information
        • System Network Configuration Discovery
        PID:797
      • /usr/bin/curl
        curl https://raw.githubusercontent.com/nettitude/PoshC2/master/resources/scripts/posh-log -o /usr/local/bin/posh-log
        2⤵
        • Write file to user bin folder
        • Reads runtime system information
        • System Network Configuration Discovery
        PID:805
      • /usr/bin/curl
        curl https://raw.githubusercontent.com/nettitude/PoshC2/master/resources/scripts/posh-service -o /usr/local/bin/posh-service
        2⤵
        • Write file to user bin folder
        • Reads runtime system information
        • System Network Configuration Discovery
        PID:807
      • /usr/bin/curl
        curl https://raw.githubusercontent.com/nettitude/PoshC2/master/resources/scripts/posh-stop-service -o /usr/local/bin/posh-stop-service
        2⤵
        • Write file to user bin folder
        • Reads runtime system information
        • System Network Configuration Discovery
        PID:820
      • /usr/bin/curl
        curl https://raw.githubusercontent.com/nettitude/PoshC2/master/resources/scripts/posh-project -o /usr/local/bin/posh-project
        2⤵
        • Write file to user bin folder
        • Reads runtime system information
        • System Network Configuration Discovery
        PID:833
      • /usr/bin/curl
        curl https://raw.githubusercontent.com/nettitude/PoshC2/master/resources/scripts/posh-docker-clean -o /usr/local/bin/posh-docker-clean
        2⤵
        • Write file to user bin folder
        • Reads runtime system information
        PID:843
      • /usr/bin/curl
        curl https://raw.githubusercontent.com/nettitude/PoshC2/master/resources/scripts/posh-docker-stop-server -o /usr/local/bin/posh-stop-server
        2⤵
        • Write file to user bin folder
        • Reads runtime system information
        PID:845
      • /usr/bin/curl
        curl https://raw.githubusercontent.com/nettitude/PoshC2/master/resources/scripts/posh-docker-debug -o /usr/local/bin/posh-docker-debug
        2⤵
        • Write file to user bin folder
        • Reads runtime system information
        PID:847
      • /usr/bin/curl
        curl https://raw.githubusercontent.com/nettitude/PoshC2/master/resources/scripts/sharpsocks-docker -o /usr/local/bin/sharpsocks
        2⤵
        • Write file to user bin folder
        • Reads runtime system information
        PID:849
      • /bin/chmod
        chmod +x /usr/local/bin/fpc
        2⤵
        • File and Directory Permissions Modification
        PID:851
      • /bin/chmod
        chmod +x /usr/local/bin/posh
        2⤵
        • File and Directory Permissions Modification
        PID:852
      • /bin/chmod
        chmod +x /usr/local/bin/posh-server
        2⤵
        • File and Directory Permissions Modification
        PID:853
      • /bin/chmod
        chmod +x /usr/local/bin/posh-config
        2⤵
        • File and Directory Permissions Modification
        PID:854
      • /bin/chmod
        chmod +x /usr/local/bin/posh-log
        2⤵
        • File and Directory Permissions Modification
        PID:855
      • /bin/chmod
        chmod +x /usr/local/bin/posh-service
        2⤵
        • File and Directory Permissions Modification
        PID:856
      • /bin/chmod
        chmod +x /usr/local/bin/posh-stop-service
        2⤵
        • File and Directory Permissions Modification
        PID:857
      • /bin/chmod
        chmod +x /usr/local/bin/posh-project
        2⤵
        • File and Directory Permissions Modification
        PID:858
      • /bin/chmod
        chmod +x /usr/local/bin/posh-docker-clean
        2⤵
        • File and Directory Permissions Modification
        PID:859
      • /bin/chmod
        chmod +x /usr/local/bin/posh-stop-server
        2⤵
        • File and Directory Permissions Modification
        PID:860
      • /bin/chmod
        chmod +x /usr/local/bin/posh-docker-debug
        2⤵
        • File and Directory Permissions Modification
        PID:861
      • /bin/chmod
        chmod +x /usr/local/bin/posh-docker-debug
        2⤵
        • File and Directory Permissions Modification
        PID:862
      • /bin/chmod
        chmod +x /usr/local/bin/sharpsocks
        2⤵
        • File and Directory Permissions Modification
        PID:863
      • /bin/uname
        uname
        2⤵
        PID:864
      • /bin/mkdir
        mkdir -p /var/poshc2
        2⤵
        • Reads runtime system information
        PID:865
      • /usr/bin/curl
        curl https://raw.githubusercontent.com/nettitude/PoshC2/master/resources/config-template.yml -o /var/poshc2/config-template.yml
        2⤵
        • Reads runtime system information
        PID:866


Network

MITRE ATT&CK Enterprise v15

Downloads

  • /usr/local/bin/_posh-common

    Filesize

    1KB

    MD5

    b0f33a913ebbd431c8e05cf535c28cd5

    SHA1

    b5d7706044a817a92e41617061fb1a8a165dc041

    SHA256

    08035eaec5ebfa05e6422911293e64f167e5607dc22f9f0de03d183dcb1b53cb

    SHA512

    d271679ce6ee0d64bec1d0db9fa8c5671eec491ef41192f5b52228d161863836cc67ebf45ae3a3694256138a9a1d94761592eac459c5039c40e7e388adfb7ad8

  • /usr/local/bin/fpc

    Filesize

    594B

    MD5

    34243141b8ab301121579a9868e0de16

    SHA1

    9b943aaa3de2de98340dad5717ca35b93f905a21

    SHA256

    bd9af223cf49320d6365ec629eda1096ae41fed656b0d080dd9f183cd6070d0a

    SHA512

    4732e4d8357dac3136471a6ac5f80e16a49012c4345e5c04f6b22f02c1ef8e8156df8e39fc6bc883e95d6d2fb9fee46309b1a7f89eafb9c6bfc42b14cb6e7c6c

  • /usr/local/bin/posh

    Filesize

    957B

    MD5

    43c0f29eacb2d54c9a0b0ea17972a38a

    SHA1

    b43f98bc64d0314245ded2b6062bbf89a8c8849d

    SHA256

    0e678b49ac2c9c28bc1b750d1fe54310bd9e439152de5ce17601a536fd9ddd1b

    SHA512

    015b41c6e7a1fdc8968c9364c7026abaf6392e426e663346db7d0e94dc2432b1f5e7e3ebb6fd73a5cf3fa1a16c266c0cc100ea3e973735ca320998dc9613a0c9

  • /usr/local/bin/posh-config

    Filesize

    282B

    MD5

    6bdbb2af38a4f7394bf1095f4cfa111f

    SHA1

    617336a9db15becc72e759a0ee5eced0afceab8f

    SHA256

    96223f07585d1fa75820df17230323acb3f4abc1188249c1b1e7f6c78cc95ff4

    SHA512

    8f6f0bc3c5a7b43d6925201c1661683c78c0340708c831790208b137f507f282d7d251bd4a8005b38adec2fcf9c82c85120e5ad2ac7653f700ef8b4a6b0a07fb

  • /usr/local/bin/posh-docker-clean

    Filesize

    287B

    MD5

    b87844f50a1b518fcb2b2b929ad1a772

    SHA1

    87aeffa45e5e7a78b77a52c1d689f881e25c69bd

    SHA256

    1df022fb495a3dc6b5ac2f37108abe272855f0a607f1380b35aa37346a44dd22

    SHA512

    9412e9103cfc2f8686d22f372c42de8b7ce69c9500f58b44a6a5a099b305da97ae12b2183f4f916786eafba59f898c3d0ec3bfc1489a53c8997040b973a27ddf

  • /usr/local/bin/posh-docker-debug

    Filesize

    609B

    MD5

    d56caf291a44b9aea47e32f6829b224a

    SHA1

    c9f58c6605068783305330ea4795a3cc6e223bf2

    SHA256

    2e4a8760a44820b3f29524df4c96dab73ffb3dcead78c001aaba23377551b249

    SHA512

    17dc4aebcac4c4fc428e887702c39c3567a22ad6e0a1735e9aace80df0d40763b1e93810ba4b1f9c8e3681b109da4dc653518f2800152e59eb938dd6dbb1ed99

  • /usr/local/bin/posh-log

    Filesize

    232B

    MD5

    b957152be180d99c2ce38ac96a80c8f6

    SHA1

    92a7e4533eaf27764e8857978702809cd2795f4f

    SHA256

    d50e16838cbd535dfb75aafdc857a12ff65c90d07ecdd4c18e5354da20c30761

    SHA512

    85857704caf8fe9d047a5f64efd14b4aa9546391175d7575218c9d14a7c45fe32975d04236a22106188d06a3674653bdfed243ef2ae5c0f1045f8eb296b434dc

  • /usr/local/bin/posh-project

    Filesize

    3KB

    MD5

    0595bb6a3f35b414b82ce18b19925807

    SHA1

    72a2885056b3a75f4fb4f9b4402a228d8a25f3c2

    SHA256

    13c87cb932c1086330e689e40b9e11fc699104befb2d42c73a3af12f3ce66e23

    SHA512

    4acb11e109d48c7bc340c78eab57ccd0e99bbfaed16f742a89d14ce7f77eb15d545864a06e59e7db023fd9232be90c1435fddb848d0afb6e4a3d58e6a43f99cd

  • /usr/local/bin/posh-server

    Filesize

    871B

    MD5

    0cfa56ee6e7c6b48fbcbc91edaeaafe1

    SHA1

    45047ec9ef11fa4caa58799ff57a9d114dc4cbac

    SHA256

    6c39f5d86fd5efde1163f1af381b5a58830a4e733978bf62f4e44fe9306a2db3

    SHA512

    7c28252616dc947f5028ee9f76d5935366fad3328da76a2f87b85d9a378f996bcbac76921bc2cce150b44446a8f874b45d507d487ad8dce0f031abc0a4faa8cd

  • /usr/local/bin/posh-service

    Filesize

    590B

    MD5

    faa13ba5770f4b8e86b0e5ae3cd50928

    SHA1

    4d56e4160769425d43456450c58eb488b252a9e1

    SHA256

    14ce5f9be0b3d2568d14e9ce82bd2922556da5bd3e929c8805ef04b3047393d0

    SHA512

    8e7c5df1cee3bade268644b09f4d3df17045a30a4116adc94c049dca717bc096d868fa57d11fa78b3de8c6a3da5392c72fda0048c0ce6048537cbe22f8d0fd4f

  • /usr/local/bin/posh-stop-server

    Filesize

    371B

    MD5

    97e8449d917b1a103093228d98a04ea7

    SHA1

    eb68d043a3c1d0aeab7c117b4efd8dd6bc23d883

    SHA256

    3924b16618ae75b67497b08245a25ca90df685fcc658d917b5d87141bbe42d81

    SHA512

    ad22693166cf4beb248ad4b708e0e6eb981d750e24d28abd4c4159ad7a831cb8a3b46610b96066a911e117d6a9fa97cb0aa6e5bfa94890c3f4d7a19d889f1d8e

  • /usr/local/bin/posh-stop-service

    Filesize

    213B

    MD5

    ecd21fe2f01b8990c8d1128860b1ef60

    SHA1

    ca4c3f427d6411157442a2280d54f6a1195b889d

    SHA256

    bfbca87ac6fba67a05bac2b9a919eb465f11e90b45805dbb599ce2b87f08afcb

    SHA512

    a043cf59d0f3281edf7f1427190706acd5185ba74045f246c967731e5b83909d46ed515f66de044c7c9f0aa21888c249d3ae0759a1f4778eec6ebf867c01b8b3

  • /usr/local/bin/sharpsocks

    Filesize

    14B

    MD5

    3be7b8b182ccd96e48989b4e57311193

    SHA1

    78fb38f212fa49029aff24c669a39648d9b4e68b

    SHA256

    d5558cd419c8d46bdc958064cb97f963d1ea793866414c025906ec15033512ed

    SHA512

    f3781cbb4e9e190df38c3fe7fa80ba69bf6f9dbafb158e0426dd4604f2f1ba794450679005a38d0f9f1dad0696e2f22b8b086b2d7d08a0f99bb4fd3b0f7ed5d8

  • /var/poshc2/config-template.yml

    Filesize

    2KB

    MD5

    3f43af2baced27aa1618e876f2584558

    SHA1

    7f89b3433d39ee6996b0544d215419d519525d61

    SHA256

    53ae3df962ec2838250c838c69647c656d01008927a68fff121ec1e0a525c03c

    SHA512

    b6eca79206766057f16f269db8514ba3d1bd564d567faf51225730dda92cde958849ddbd6bb5417d3c71886f44ee9f65b51253d75d9e2aabd8d726c0c845d4b9