717d574ab49230cd228c2c0fa25ca5f818bf894f2eae16c68d7843d7f81f6cc0

Analysis

max time kernel
82s
max time network
130s
platform
debian-9_mipsel
resource
debian9-mipsel-20240226-en
resource tags

arch:mipselimage:debian9-mipsel-20240226-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem
submitted
02-12-2024 18:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PoshC2-master/Install-for-Docker.sh
Size

6KB
MD5

e9491135cfba0744d0914440a3abea51
SHA1

01d1eeaec2d63dfcff7b2d8f0b905666648284d7
SHA256

df058ab09ac2a11282ae0dab69a48dbfb9be73a1abb0c9820be7281b4c78c84f
SHA512

0821f0eec3e59e94e80ba372d7e159dd6a4c513b200c1b59e34bac6282a5e808a5f0b3ccc2c970a0ba6c3df72fa7e34f75aab451594035dfa20c8b777d449334
SSDEEP

192:BeCRfODs6lH2ouNZLwUsp3lTLGmU6y22Xox:TyGbIx

Score

7^/10

defense_evasion discovery persistence

Malware Config

Signatures

File and Directory Permissions Modification 1 TTPs 13 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
851	chmod
852	chmod
853	chmod
857	chmod
858	chmod
859	chmod
863	chmod
854	chmod
855	chmod
856	chmod
860	chmod
861	chmod
862	chmod

Legitimate hosting services abused for malware hosting/C2 1 TTPs 28 IoCs

Web Service

T1102

flow	ioc
27	raw.githubusercontent.com
28	raw.githubusercontent.com
12	raw.githubusercontent.com
19	raw.githubusercontent.com
5	raw.githubusercontent.com
18	raw.githubusercontent.com
26	raw.githubusercontent.com
2	raw.githubusercontent.com
6	raw.githubusercontent.com
20	raw.githubusercontent.com
21	raw.githubusercontent.com
23	raw.githubusercontent.com
4	raw.githubusercontent.com
8	raw.githubusercontent.com
10	raw.githubusercontent.com
11	raw.githubusercontent.com
13	raw.githubusercontent.com
16	raw.githubusercontent.com
24	raw.githubusercontent.com
25	raw.githubusercontent.com
7	raw.githubusercontent.com
3	raw.githubusercontent.com
15	raw.githubusercontent.com
22	raw.githubusercontent.com
9	raw.githubusercontent.com
14	raw.githubusercontent.com
17	raw.githubusercontent.com
1	raw.githubusercontent.com

Write file to user bin folder 13 IoCs

persistence

description	ioc	Process
File opened for modification	/usr/local/bin/_posh-common	curl
File opened for modification	/usr/local/bin/fpc	curl
File opened for modification	/usr/local/bin/posh	curl
File opened for modification	/usr/local/bin/posh-service	curl
File opened for modification	/usr/local/bin/posh-stop-server	curl
File opened for modification	/usr/local/bin/posh-docker-debug	curl
File opened for modification	/usr/local/bin/posh-server	curl
File opened for modification	/usr/local/bin/posh-config	curl
File opened for modification	/usr/local/bin/posh-log	curl
File opened for modification	/usr/local/bin/posh-stop-service	curl
File opened for modification	/usr/local/bin/posh-project	curl
File opened for modification	/usr/local/bin/posh-docker-clean	curl
File opened for modification	/usr/local/bin/sharpsocks	curl

Reads runtime system information 16 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/filesystems	id
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl

System Network Configuration Discovery 1 TTPs 7 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
833	curl
750	curl
758	curl
797	curl
805	curl
807	curl
820	curl

/tmp/PoshC2-master/Install-for-Docker.sh
/tmp/PoshC2-master/Install-for-Docker.sh
1⤵
PID:732
- /usr/bin/id
  id -u
  2⤵
  - Reads runtime system information
  PID:736
- /bin/rm
  rm -f /usr/local/bin/_posh-common
  2⤵
  PID:737
- /bin/rm
  rm -f /usr/local/bin/fpc
  2⤵
  PID:738
- /bin/rm
  rm -f /usr/local/bin/posh
  2⤵
  PID:739
- /bin/rm
  rm -f /usr/local/bin/posh-server
  2⤵
  PID:740
- /bin/rm
  rm -f /usr/local/bin/posh-config
  2⤵
  PID:741
- /bin/rm
  rm -f /usr/local/bin/posh-log
  2⤵
  PID:742
- /bin/rm
  rm -f /usr/local/bin/posh-service
  2⤵
  PID:743
- /bin/rm
  rm -f /usr/local/bin/posh-stop-service
  2⤵
  PID:744
- /bin/rm
  rm -f /usr/local/bin/posh-project
  2⤵
  PID:745
- /bin/rm
  rm -f /usr/local/bin/posh-docker-clean
  2⤵
  PID:746
- /bin/rm
  rm -f /usr/local/bin/posh-stop-server
  2⤵
  PID:747
- /bin/rm
  rm -f /usr/local/bin/posh-docker-debug
  2⤵
  PID:748
- /bin/rm
  rm -f /usr/local/bin/sharpsocks
  2⤵
  PID:749
- /usr/bin/curl
  curl https://raw.githubusercontent.com/nettitude/PoshC2/master/resources/scripts/_posh-common -o /usr/local/bin/_posh-common
  2⤵
  - Write file to user bin folder
  - Reads runtime system information
  - System Network Configuration Discovery
  PID:750
- /usr/bin/curl
  curl https://raw.githubusercontent.com/nettitude/PoshC2/master/resources/scripts/fpc -o /usr/local/bin/fpc
  2⤵
  - Write file to user bin folder
  - Reads runtime system information
  - System Network Configuration Discovery
  PID:758
- /usr/bin/curl
  curl https://raw.githubusercontent.com/nettitude/PoshC2/master/resources/scripts/posh-docker -o /usr/local/bin/posh
  2⤵
  - Write file to user bin folder
  - Reads runtime system information
  PID:770
- /usr/bin/curl
  curl https://raw.githubusercontent.com/nettitude/PoshC2/master/resources/scripts/posh-docker-server -o /usr/local/bin/posh-server
  2⤵
  - Write file to user bin folder
  - Reads runtime system information
  PID:781
- /usr/bin/curl
  curl https://raw.githubusercontent.com/nettitude/PoshC2/master/resources/scripts/posh-config -o /usr/local/bin/posh-config
  2⤵
  - Write file to user bin folder
  - Reads runtime system information
  - System Network Configuration Discovery
  PID:797
- /usr/bin/curl
  curl https://raw.githubusercontent.com/nettitude/PoshC2/master/resources/scripts/posh-log -o /usr/local/bin/posh-log
  2⤵
  - Write file to user bin folder
  - Reads runtime system information
  - System Network Configuration Discovery
  PID:805
- /usr/bin/curl
  curl https://raw.githubusercontent.com/nettitude/PoshC2/master/resources/scripts/posh-service -o /usr/local/bin/posh-service
  2⤵
  - Write file to user bin folder
  - Reads runtime system information
  - System Network Configuration Discovery
  PID:807
- /usr/bin/curl
  curl https://raw.githubusercontent.com/nettitude/PoshC2/master/resources/scripts/posh-stop-service -o /usr/local/bin/posh-stop-service
  2⤵
  - Write file to user bin folder
  - Reads runtime system information
  - System Network Configuration Discovery
  PID:820
- /usr/bin/curl
  curl https://raw.githubusercontent.com/nettitude/PoshC2/master/resources/scripts/posh-project -o /usr/local/bin/posh-project
  2⤵
  - Write file to user bin folder
  - Reads runtime system information
  - System Network Configuration Discovery
  PID:833
- /usr/bin/curl
  curl https://raw.githubusercontent.com/nettitude/PoshC2/master/resources/scripts/posh-docker-clean -o /usr/local/bin/posh-docker-clean
  2⤵
  - Write file to user bin folder
  - Reads runtime system information
  PID:843
- /usr/bin/curl
  curl https://raw.githubusercontent.com/nettitude/PoshC2/master/resources/scripts/posh-docker-stop-server -o /usr/local/bin/posh-stop-server
  2⤵
  - Write file to user bin folder
  - Reads runtime system information
  PID:845
- /usr/bin/curl
  curl https://raw.githubusercontent.com/nettitude/PoshC2/master/resources/scripts/posh-docker-debug -o /usr/local/bin/posh-docker-debug
  2⤵
  - Write file to user bin folder
  - Reads runtime system information
  PID:847
- /usr/bin/curl
  curl https://raw.githubusercontent.com/nettitude/PoshC2/master/resources/scripts/sharpsocks-docker -o /usr/local/bin/sharpsocks
  2⤵
  - Write file to user bin folder
  - Reads runtime system information
  PID:849
- /bin/chmod
  chmod +x /usr/local/bin/fpc
  2⤵
  - File and Directory Permissions Modification
  PID:851
- /bin/chmod
  chmod +x /usr/local/bin/posh
  2⤵
  - File and Directory Permissions Modification
  PID:852
- /bin/chmod
  chmod +x /usr/local/bin/posh-server
  2⤵
  - File and Directory Permissions Modification
  PID:853
- /bin/chmod
  chmod +x /usr/local/bin/posh-config
  2⤵
  - File and Directory Permissions Modification
  PID:854
- /bin/chmod
  chmod +x /usr/local/bin/posh-log
  2⤵
  - File and Directory Permissions Modification
  PID:855
- /bin/chmod
  chmod +x /usr/local/bin/posh-service
  2⤵
  - File and Directory Permissions Modification
  PID:856
- /bin/chmod
  chmod +x /usr/local/bin/posh-stop-service
  2⤵
  - File and Directory Permissions Modification
  PID:857
- /bin/chmod
  chmod +x /usr/local/bin/posh-project
  2⤵
  - File and Directory Permissions Modification
  PID:858
- /bin/chmod
  chmod +x /usr/local/bin/posh-docker-clean
  2⤵
  - File and Directory Permissions Modification
  PID:859
- /bin/chmod
  chmod +x /usr/local/bin/posh-stop-server
  2⤵
  - File and Directory Permissions Modification
  PID:860
- /bin/chmod
  chmod +x /usr/local/bin/posh-docker-debug
  2⤵
  - File and Directory Permissions Modification
  PID:861
- /bin/chmod
  chmod +x /usr/local/bin/posh-docker-debug
  2⤵
  - File and Directory Permissions Modification
  PID:862
- /bin/chmod
  chmod +x /usr/local/bin/sharpsocks
  2⤵
  - File and Directory Permissions Modification
  PID:863
- /bin/uname
  uname
  2⤵
  PID:864
- /bin/mkdir
  mkdir -p /var/poshc2
  2⤵
  - Reads runtime system information
  PID:865
- /usr/bin/curl
  curl https://raw.githubusercontent.com/nettitude/PoshC2/master/resources/config-template.yml -o /var/poshc2/config-template.yml
  2⤵
  - Reads runtime system information
  PID:866

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/usr/local/bin/_posh-common

Filesize
1KB

MD5
b0f33a913ebbd431c8e05cf535c28cd5

SHA1
b5d7706044a817a92e41617061fb1a8a165dc041

SHA256
08035eaec5ebfa05e6422911293e64f167e5607dc22f9f0de03d183dcb1b53cb

SHA512
d271679ce6ee0d64bec1d0db9fa8c5671eec491ef41192f5b52228d161863836cc67ebf45ae3a3694256138a9a1d94761592eac459c5039c40e7e388adfb7ad8

Download Submit
/usr/local/bin/fpc

Filesize
594B

MD5
34243141b8ab301121579a9868e0de16

SHA1
9b943aaa3de2de98340dad5717ca35b93f905a21

SHA256
bd9af223cf49320d6365ec629eda1096ae41fed656b0d080dd9f183cd6070d0a

SHA512
4732e4d8357dac3136471a6ac5f80e16a49012c4345e5c04f6b22f02c1ef8e8156df8e39fc6bc883e95d6d2fb9fee46309b1a7f89eafb9c6bfc42b14cb6e7c6c

Download Submit
/usr/local/bin/posh

Filesize
957B

MD5
43c0f29eacb2d54c9a0b0ea17972a38a

SHA1
b43f98bc64d0314245ded2b6062bbf89a8c8849d

SHA256
0e678b49ac2c9c28bc1b750d1fe54310bd9e439152de5ce17601a536fd9ddd1b

SHA512
015b41c6e7a1fdc8968c9364c7026abaf6392e426e663346db7d0e94dc2432b1f5e7e3ebb6fd73a5cf3fa1a16c266c0cc100ea3e973735ca320998dc9613a0c9

Download Submit
/usr/local/bin/posh-config

Filesize
282B

MD5
6bdbb2af38a4f7394bf1095f4cfa111f

SHA1
617336a9db15becc72e759a0ee5eced0afceab8f

SHA256
96223f07585d1fa75820df17230323acb3f4abc1188249c1b1e7f6c78cc95ff4

SHA512
8f6f0bc3c5a7b43d6925201c1661683c78c0340708c831790208b137f507f282d7d251bd4a8005b38adec2fcf9c82c85120e5ad2ac7653f700ef8b4a6b0a07fb

Download Submit
/usr/local/bin/posh-docker-clean

Filesize
287B

MD5
b87844f50a1b518fcb2b2b929ad1a772

SHA1
87aeffa45e5e7a78b77a52c1d689f881e25c69bd

SHA256
1df022fb495a3dc6b5ac2f37108abe272855f0a607f1380b35aa37346a44dd22

SHA512
9412e9103cfc2f8686d22f372c42de8b7ce69c9500f58b44a6a5a099b305da97ae12b2183f4f916786eafba59f898c3d0ec3bfc1489a53c8997040b973a27ddf

Download Submit
/usr/local/bin/posh-docker-debug

Filesize
609B

MD5
d56caf291a44b9aea47e32f6829b224a

SHA1
c9f58c6605068783305330ea4795a3cc6e223bf2

SHA256
2e4a8760a44820b3f29524df4c96dab73ffb3dcead78c001aaba23377551b249

SHA512
17dc4aebcac4c4fc428e887702c39c3567a22ad6e0a1735e9aace80df0d40763b1e93810ba4b1f9c8e3681b109da4dc653518f2800152e59eb938dd6dbb1ed99

Download Submit
/usr/local/bin/posh-log

Filesize
232B

MD5
b957152be180d99c2ce38ac96a80c8f6

SHA1
92a7e4533eaf27764e8857978702809cd2795f4f

SHA256
d50e16838cbd535dfb75aafdc857a12ff65c90d07ecdd4c18e5354da20c30761

SHA512
85857704caf8fe9d047a5f64efd14b4aa9546391175d7575218c9d14a7c45fe32975d04236a22106188d06a3674653bdfed243ef2ae5c0f1045f8eb296b434dc

Download Submit
/usr/local/bin/posh-project

Filesize
3KB

MD5
0595bb6a3f35b414b82ce18b19925807

SHA1
72a2885056b3a75f4fb4f9b4402a228d8a25f3c2

SHA256
13c87cb932c1086330e689e40b9e11fc699104befb2d42c73a3af12f3ce66e23

SHA512
4acb11e109d48c7bc340c78eab57ccd0e99bbfaed16f742a89d14ce7f77eb15d545864a06e59e7db023fd9232be90c1435fddb848d0afb6e4a3d58e6a43f99cd

Download Submit
/usr/local/bin/posh-server

Filesize
871B

MD5
0cfa56ee6e7c6b48fbcbc91edaeaafe1

SHA1
45047ec9ef11fa4caa58799ff57a9d114dc4cbac

SHA256
6c39f5d86fd5efde1163f1af381b5a58830a4e733978bf62f4e44fe9306a2db3

SHA512
7c28252616dc947f5028ee9f76d5935366fad3328da76a2f87b85d9a378f996bcbac76921bc2cce150b44446a8f874b45d507d487ad8dce0f031abc0a4faa8cd

Download Submit
/usr/local/bin/posh-service

Filesize
590B

MD5
faa13ba5770f4b8e86b0e5ae3cd50928

SHA1
4d56e4160769425d43456450c58eb488b252a9e1

SHA256
14ce5f9be0b3d2568d14e9ce82bd2922556da5bd3e929c8805ef04b3047393d0

SHA512
8e7c5df1cee3bade268644b09f4d3df17045a30a4116adc94c049dca717bc096d868fa57d11fa78b3de8c6a3da5392c72fda0048c0ce6048537cbe22f8d0fd4f

Download Submit
/usr/local/bin/posh-stop-server

Filesize
371B

MD5
97e8449d917b1a103093228d98a04ea7

SHA1
eb68d043a3c1d0aeab7c117b4efd8dd6bc23d883

SHA256
3924b16618ae75b67497b08245a25ca90df685fcc658d917b5d87141bbe42d81

SHA512
ad22693166cf4beb248ad4b708e0e6eb981d750e24d28abd4c4159ad7a831cb8a3b46610b96066a911e117d6a9fa97cb0aa6e5bfa94890c3f4d7a19d889f1d8e

Download Submit
/usr/local/bin/posh-stop-service

Filesize
213B

MD5
ecd21fe2f01b8990c8d1128860b1ef60

SHA1
ca4c3f427d6411157442a2280d54f6a1195b889d

SHA256
bfbca87ac6fba67a05bac2b9a919eb465f11e90b45805dbb599ce2b87f08afcb

SHA512
a043cf59d0f3281edf7f1427190706acd5185ba74045f246c967731e5b83909d46ed515f66de044c7c9f0aa21888c249d3ae0759a1f4778eec6ebf867c01b8b3

Download Submit
/usr/local/bin/sharpsocks

Filesize
14B

MD5
3be7b8b182ccd96e48989b4e57311193

SHA1
78fb38f212fa49029aff24c669a39648d9b4e68b

SHA256
d5558cd419c8d46bdc958064cb97f963d1ea793866414c025906ec15033512ed

SHA512
f3781cbb4e9e190df38c3fe7fa80ba69bf6f9dbafb158e0426dd4604f2f1ba794450679005a38d0f9f1dad0696e2f22b8b086b2d7d08a0f99bb4fd3b0f7ed5d8

Download Submit
/var/poshc2/config-template.yml

Filesize
2KB

MD5
3f43af2baced27aa1618e876f2584558

SHA1
7f89b3433d39ee6996b0544d215419d519525d61

SHA256
53ae3df962ec2838250c838c69647c656d01008927a68fff121ec1e0a525c03c

SHA512
b6eca79206766057f16f269db8514ba3d1bd564d567faf51225730dda92cde958849ddbd6bb5417d3c71886f44ee9f65b51253d75d9e2aabd8d726c0c845d4b9

Download Submit