717d574ab49230cd228c2c0fa25ca5f818bf894f2eae16c68d7843d7f81f6cc0

Analysis

max time kernel
27s
max time network
62s
platform
debian-9_armhf
resource
debian9-armhf-20240611-en
resource tags

arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
02-12-2024 18:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PoshC2-master/Install.sh
Size

7KB
MD5

3aef055d6c7f1ea3df272ab04a3d1c30
SHA1

1678f0ce8c4255907863b6dc2001af9c8dda9cab
SHA256

2f58503876d531099611322e32df8c7cb2ed7ac64af667903563a5bef902d490
SHA512

97ef4cef9d08c9c09743363f929b9c9488c5ab753e360fc782c6bcd3a31843c55e25e99c59b0b514b1dcdc99088d6eff82e48e2d129e9d73f1b2671487b2a865
SSDEEP

192:BVfPntboZecs6lH2uL7t5r9+AmwWVrGfuEbU6j8e2op:LPn8L1TUEfp

Score

4^/10

antivm discovery execution

Malware Config

Signatures

Checks CPU configuration 1 TTPs 1 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

Processes:

https

description	ioc	Process
File opened for reading	/proc/cpuinfo	https

Reads runtime system information 12 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

dpkgdpkgapt-getapt-gethttpsdpkgdpkgiddpkg

description	ioc	Process
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/sys/kernel/ngroups_max	apt-get
File opened for reading	/proc/self/fd	apt-get
File opened for reading	/proc/sys/crypto/fips_enabled	https
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/self/fd	apt-get
File opened for reading	/proc/filesystems	id
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/sys/kernel/ngroups_max	apt-get
File opened for reading	/proc/self/auxv	https

Writes file to tmp directory 11 IoCs

Malware often drops required files in the /tmp directory.

Processes:

apt-getapt-get

description	ioc	Process
File opened for modification	/tmp/fileutl.message.bAhAFI	apt-get
File opened for modification	/tmp/fileutl.message.QNw7tG	apt-get
File opened for modification	/tmp/fileutl.message.5jWowY	apt-get
File opened for modification	/tmp/fileutl.message.qwyKOb	apt-get
File opened for modification	/tmp/fileutl.message.dy9jmB	apt-get
File opened for modification	/tmp/fileutl.message.7LxPOm	apt-get
File opened for modification	/tmp/fileutl.message.i1gunY	apt-get
File opened for modification	/tmp/fileutl.message.ilfu8L	apt-get
File opened for modification	/tmp/fileutl.message.Sv3IM4	apt-get
File opened for modification	/tmp/fileutl.message.ensHzr	apt-get
File opened for modification	/tmp/fileutl.message.XDPHZU	apt-get

Software Deployment Tools 1 TTPs 2 IoCs

Use software deployment tools to execute code.

execution

Software Deployment Tools

T1072

Processes:

apt-getapt-get

pid	Process
749	apt-get
781	apt-get

/tmp/PoshC2-master/Install.sh
/tmp/PoshC2-master/Install.sh
1⤵
PID:737
- /usr/bin/id
  id -u
  2⤵
  - Reads runtime system information
  PID:743
- /usr/bin/dirname
  dirname /tmp/PoshC2-master/Install.sh
  2⤵
  PID:747
- /usr/bin/apt-get
  apt-get update
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  - Software Deployment Tools
  PID:749
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:751
- - /usr/lib/apt/methods/http
    /usr/lib/apt/methods/http
    3⤵
    PID:755
- - /usr/lib/apt/methods/https
    /usr/lib/apt/methods/https
    3⤵
    PID:758
- - /usr/lib/apt/methods/https
    /usr/lib/apt/methods/https
    3⤵
    - Checks CPU configuration
    - Reads runtime system information
    PID:760
- - /usr/lib/apt/methods/http
    /usr/lib/apt/methods/http
    3⤵
    PID:762
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:768
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:780
- /usr/bin/apt-get
  apt-get install -y git
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  - Software Deployment Tools
  PID:781
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:782
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:783
- - /usr/lib/apt/methods/http
    /usr/lib/apt/methods/http
    3⤵
    PID:784
- - /usr/lib/apt/methods/http
    /usr/lib/apt/methods/http
    3⤵
    PID:785

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Software Deployment Tools

T1072

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Software Deployment Tools

T1072

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads