Overview

overview

10

Static

static

10

sqldevelop.../sdcli

ubuntu-18.04-amd64

3

sqldevelop.../sdcli

debian-9-armhf

3

sqldevelop.../sdcli

debian-9-mips

3

sqldevelop.../sdcli

debian-9-mipsel

3

sqldevelop...li.exe

windows7-x64

3

sqldevelop...li.exe

windows10-2004-x64

3

sqldevelop...64.exe

windows7-x64

1

sqldevelop...64.exe

windows10-2004-x64

1

sqldevelop...in/sql

ubuntu-18.04-amd64

3

sqldevelop...in/sql

debian-9-armhf

3

sqldevelop...in/sql

debian-9-mips

3

sqldevelop...in/sql

debian-9-mipsel

3

sqldevelop...ql.exe

windows7-x64

3

sqldevelop...ql.exe

windows10-2004-x64

3

sqldevelop...eloper

ubuntu-18.04-amd64

3

sqldevelop...eloper

debian-9-armhf

3

sqldevelop...eloper

debian-9-mips

3

sqldevelop...eloper

debian-9-mipsel

3

sqldevelop...er.exe

windows7-x64

3

sqldevelop...er.exe

windows10-2004-x64

3

sqldevelop...64.exe

windows7-x64

1

sqldevelop...64.exe

windows10-2004-x64

1

sqldevelop...4W.exe

windows7-x64

1

sqldevelop...4W.exe

windows10-2004-x64

1

sqldevelop...rW.exe

windows7-x64

3

sqldevelop...rW.exe

windows10-2004-x64

3

sqldevelop...lp.jar

windows7-x64

1

sqldevelop...lp.jar

windows10-2004-x64

1

sqldevelop...lp.jar

windows7-x64

1

sqldevelop...lp.jar

windows10-2004-x64

1

sqldevelop...g.html

windows7-x64

3

sqldevelop...g.html

windows10-2004-x64

3

Analysis

  • max time kernel
    0s
  • max time network
    99s
  • platform
    ubuntu-18.04_amd64
  • resource
    ubuntu1804-amd64-20240611-en
  • resource tags

    arch:amd64arch:i386image:ubuntu1804-amd64-20240611-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
  • submitted
    05/03/2025, 03:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    sqldeveloper/sqldeveloper/bin/sdcli

  • Size

    675B

  • MD5

    189681346250dbc93a25eb0d50b82bd4

  • SHA1

    afa4e31516ba458b8f2074478655308c41d038fe

  • SHA256

    2090a149f83a6fe3a99c1aa55d4d27a6f8e51b4d870547205b8917e8f1d22e5f

  • SHA512

    808ea71a5ffa9ee42a571bf10b09b4d9f34eed1e46e2b2c49394920c035bff4276a1be55be5a210a7b32ff3734392cb35d6e09e612fcb877f94ed08426bd7089

Score
3/10
discovery

Malware Config

Signatures

  • Reads runtime system information 45 IoCs

    Reads data from /proc virtual filesystem.

    discovery
  • Writes file to tmp directory 1 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/sqldeveloper/sqldeveloper/bin/sdcli
    /tmp/sqldeveloper/sqldeveloper/bin/sdcli
    1⤵
    • Writes file to tmp directory
    PID:1499
    • /usr/bin/dirname
      dirname /tmp/sqldeveloper/sqldeveloper/bin/sdcli
      2⤵
        PID:1500
      • /usr/bin/expr
        expr /tmp/sqldeveloper/sqldeveloper/bin/sdcli : "\\(/\\).*"
        2⤵
          PID:1505
        • /usr/bin/dirname
          dirname /tmp/sqldeveloper/sqldeveloper/bin/sdcli
          2⤵
            PID:1508
          • /usr/bin/basename
            basename /tmp/sqldeveloper/sqldeveloper/bin/sdcli
            2⤵
              PID:1510
            • /usr/bin/dirname
              dirname /tmp/sqldeveloper/sqldeveloper/bin/sdcli
              2⤵
                PID:1515
              • /usr/bin/expr
                expr /tmp/sqldeveloper/sqldeveloper/bin/sdcli : "\\(/\\).*"
                2⤵
                  PID:1517
                • /usr/bin/dirname
                  dirname /tmp/sqldeveloper/sqldeveloper/bin/sdcli
                  2⤵
                    PID:1520
                  • /usr/bin/basename
                    basename /tmp/sqldeveloper/sqldeveloper/bin/sdcli
                    2⤵
                      PID:1522
                    • /usr/bin/dirname
                      dirname /tmp/sqldeveloper/sqldeveloper/bin/sdcli
                      2⤵
                        PID:1525
                      • /bin/cat
                        cat
                        2⤵
                          PID:1526
                        • /bin/mkdir
                          mkdir -p /.sqldeveloper/23.1.1
                          2⤵
                          • Reads runtime system information
                          PID:1553
                        • /usr/bin/touch
                          touch /.sqldeveloper/23.1.1/product.conf
                          2⤵
                            PID:1554
                          • /bin/sed
                            sed "s/[\\&/]/\\\\&/g"
                            2⤵
                            • Reads runtime system information
                            PID:1559
                          • /bin/sed
                            sed "s/@@ADDVMOPTION_INITIAL_JAVA_MEMORY@@/# AddVMOption -Xms128m/"
                            2⤵
                            • Reads runtime system information
                            PID:1562
                          • /bin/sed
                            sed "s/[\\&/]/\\\\&/g"
                            2⤵
                            • Reads runtime system information
                            PID:1566
                          • /bin/sed
                            sed "s/@@ADD32VMOPTION_INITIAL_JAVA_MEMORY@@/# Add32VMOption -Xms128m/"
                            2⤵
                            • Reads runtime system information
                            PID:1569
                          • /bin/sed
                            sed "s/[\\&/]/\\\\&/g"
                            2⤵
                            • Reads runtime system information
                            PID:1573
                          • /bin/sed
                            sed "s/@@ADD64VMOPTION_INITIAL_JAVA_MEMORY@@/# Add64VMOption -Xms128m/"
                            2⤵
                            • Reads runtime system information
                            PID:1576
                          • /bin/sed
                            sed "s/[\\&/]/\\\\&/g"
                            2⤵
                            • Reads runtime system information
                            PID:1580
                          • /bin/sed
                            sed "s/@@ADDVMOPTION_MAXIMUM_JAVA_MEMORY@@/# AddVMOption -Xmx800m/"
                            2⤵
                            • Reads runtime system information
                            PID:1583
                          • /bin/sed
                            sed "s/[\\&/]/\\\\&/g"
                            2⤵
                            • Reads runtime system information
                            PID:1587
                          • /bin/sed
                            sed "s/@@ADD32VMOPTION_MAXIMUM_JAVA_MEMORY@@/# Add32VMOption -Xmx800m/"
                            2⤵
                            • Reads runtime system information
                            PID:1590
                          • /bin/sed
                            sed "s/[\\&/]/\\\\&/g"
                            2⤵
                            • Reads runtime system information
                            PID:1594
                          • /bin/sed
                            sed "s/@@ADD64VMOPTION_MAXIMUM_JAVA_MEMORY@@/# Add64VMOption -Xmx2g/"
                            2⤵
                            • Reads runtime system information
                            PID:1597
                          • /usr/bin/dirname
                            dirname /tmp/sqldeveloper/sqldeveloper/bin/sdcli
                            2⤵
                              PID:1600
                            • /usr/bin/basename
                              basename /tmp/sqldeveloper/sqldeveloper/bin/sdcli
                              2⤵
                                PID:1602
                              • /bin/uname
                                uname
                                2⤵
                                  PID:1613
                                • /bin/sed
                                  sed -e "s|\\n||g"
                                  2⤵
                                  • Reads runtime system information
                                  PID:1618
                                • /bin/sed
                                  sed -e "s|/\$||g"
                                  2⤵
                                  • Reads runtime system information
                                  PID:1621
                                • /bin/sed
                                  sed -e "s|\\n||g"
                                  2⤵
                                  • Reads runtime system information
                                  PID:1625
                                • /bin/sed
                                  sed -e "s|/\$||g"
                                  2⤵
                                  • Reads runtime system information
                                  PID:1628
                                • /bin/sed
                                  sed -e "s|/\$||g"
                                  2⤵
                                  • Reads runtime system information
                                  PID:1651
                                • /bin/uname
                                  uname
                                  2⤵
                                    PID:1653
                                  • /usr/bin/dirname
                                    dirname sqldeveloper.conf
                                    2⤵
                                      PID:1656
                                    • /usr/bin/basename
                                      basename sqldeveloper.conf
                                      2⤵
                                        PID:1658
                                      • /usr/bin/dirname
                                        dirname ../../ide/bin/ide.conf
                                        2⤵
                                          PID:1661
                                        • /bin/sed
                                          sed -e "s|\\n||g"
                                          2⤵
                                          • Reads runtime system information
                                          PID:1666
                                        • /bin/sed
                                          sed -e "s|/\$||g"
                                          2⤵
                                          • Reads runtime system information
                                          PID:1669
                                        • /bin/sed
                                          sed -e "s|\\n||g"
                                          2⤵
                                          • Reads runtime system information
                                          PID:1673
                                        • /bin/sed
                                          sed -e "s|/\$||g"
                                          2⤵
                                          • Reads runtime system information
                                          PID:1676
                                        • /bin/sed
                                          sed -e "s|/\$||g"
                                          2⤵
                                          • Reads runtime system information
                                          PID:1699
                                        • /usr/bin/basename
                                          basename ../../ide/bin/ide.conf
                                          2⤵
                                            PID:1701
                                          • /usr/bin/dirname
                                            dirname ../../ide/bin/jdk.conf
                                            2⤵
                                              PID:1704
                                            • /usr/bin/basename
                                              basename ../../ide/bin/jdk.conf
                                              2⤵
                                                PID:1706
                                              • /bin/sed
                                                sed -e "s|^[.][.]/|../../ide/bin/../|; s|^[.]/|../../ide/bin/|; s|\\([^-./\$\\w]\\)[.][.]/|\\1../../ide/bin/../|g; s|\\([^-./\$\\w]\\)[.]/|\\1../../ide/bin/|g"
                                                2⤵
                                                • Reads runtime system information
                                                PID:1790
                                              • /bin/sed
                                                sed -e "s|^[.][.]/|../../ide/bin/../|; s|^[.]/|../../ide/bin/|; s|\\([^-./\$\\w]\\)[.][.]/|\\1../../ide/bin/../|g; s|\\([^-./\$\\w]\\)[.]/|\\1../../ide/bin/|g"
                                                2⤵
                                                • Reads runtime system information
                                                PID:1794
                                              • /bin/sed
                                                sed -e "s|^[.][.]/|../../ide/bin/../|; s|^[.]/|../../ide/bin/|; s|\\([^-./\$\\w]\\)[.][.]/|\\1../../ide/bin/../|g; s|\\([^-./\$\\w]\\)[.]/|\\1../../ide/bin/|g"
                                                2⤵
                                                • Reads runtime system information
                                                PID:1798
                                              • /bin/sed
                                                sed -e "s|^[.][.]/|../../ide/bin/../|; s|^[.]/|../../ide/bin/|; s|\\([^-./\$\\w]\\)[.][.]/|\\1../../ide/bin/../|g; s|\\([^-./\$\\w]\\)[.]/|\\1../../ide/bin/|g"
                                                2⤵
                                                • Reads runtime system information
                                                PID:1802
                                              • /bin/sed
                                                sed -e "s|^[.][.]/|../../ide/bin/../|; s|^[.]/|../../ide/bin/|; s|\\([^-./\$\\w]\\)[.][.]/|\\1../../ide/bin/../|g; s|\\([^-./\$\\w]\\)[.]/|\\1../../ide/bin/|g"
                                                2⤵
                                                • Reads runtime system information
                                                PID:1806
                                              • /bin/sed
                                                sed -e "s|^[.][.]/|../../ide/bin/../|; s|^[.]/|../../ide/bin/|; s|\\([^-./\$\\w]\\)[.][.]/|\\1../../ide/bin/../|g; s|\\([^-./\$\\w]\\)[.]/|\\1../../ide/bin/|g"
                                                2⤵
                                                • Reads runtime system information
                                                PID:1810
                                              • /bin/sed
                                                sed -e "s|^[.][.]/|../../ide/bin/../|; s|^[.]/|../../ide/bin/|; s|\\([^-./\$\\w]\\)[.][.]/|\\1../../ide/bin/../|g; s|\\([^-./\$\\w]\\)[.]/|\\1../../ide/bin/|g"
                                                2⤵
                                                • Reads runtime system information
                                                PID:1814
                                              • /bin/sed
                                                sed -e "s|^[.][.]/|../../ide/bin/../|; s|^[.]/|../../ide/bin/|; s|\\([^-./\$\\w]\\)[.][.]/|\\1../../ide/bin/../|g; s|\\([^-./\$\\w]\\)[.]/|\\1../../ide/bin/|g"
                                                2⤵
                                                • Reads runtime system information
                                                PID:1817
                                              • /bin/sed
                                                sed -e "s|^[.][.]/|../../ide/bin/../|; s|^[.]/|../../ide/bin/|; s|\\([^-./\$\\w]\\)[.][.]/|\\1../../ide/bin/../|g; s|\\([^-./\$\\w]\\)[.]/|\\1../../ide/bin/|g"
                                                2⤵
                                                • Reads runtime system information
                                                PID:1822
                                              • /bin/sed
                                                sed -e "s|^[.][.]/|../../ide/bin/../|; s|^[.]/|../../ide/bin/|; s|\\([^-./\$\\w]\\)[.][.]/|\\1../../ide/bin/../|g; s|\\([^-./\$\\w]\\)[.]/|\\1../../ide/bin/|g"
                                                2⤵
                                                • Reads runtime system information
                                                PID:1835
                                              • /bin/sed
                                                sed -e "s|^[.][.]/|../../ide/bin/../|; s|^[.]/|../../ide/bin/|; s|\\([^-./\$\\w]\\)[.][.]/|\\1../../ide/bin/../|g; s|\\([^-./\$\\w]\\)[.]/|\\1../../ide/bin/|g"
                                                2⤵
                                                • Reads runtime system information
                                                PID:1838
                                              • /bin/sed
                                                sed -e "s|^[.][.]/|../../ide/bin/../|; s|^[.]/|../../ide/bin/|; s|\\([^-./\$\\w]\\)[.][.]/|\\1../../ide/bin/../|g; s|\\([^-./\$\\w]\\)[.]/|\\1../../ide/bin/|g"
                                                2⤵
                                                • Reads runtime system information
                                                PID:1845
                                              • /bin/sed
                                                sed -e "s|^[.][.]/|../../ide/bin/../|; s|^[.]/|../../ide/bin/|; s|\\([^-./\$\\w]\\)[.][.]/|\\1../../ide/bin/../|g; s|\\([^-./\$\\w]\\)[.]/|\\1../../ide/bin/|g"
                                                2⤵
                                                • Reads runtime system information
                                                PID:1850
                                              • /bin/sed
                                                sed -e "s|^[.][.]/|../../ide/bin/../|; s|^[.]/|../../ide/bin/|; s|\\([^-./\$\\w]\\)[.][.]/|\\1../../ide/bin/../|g; s|\\([^-./\$\\w]\\)[.]/|\\1../../ide/bin/|g"
                                                2⤵
                                                • Reads runtime system information
                                                PID:1854
                                              • /bin/sed
                                                sed -e "s|^[.][.]/|../../ide/bin/../|; s|^[.]/|../../ide/bin/|; s|\\([^-./\$\\w]\\)[.][.]/|\\1../../ide/bin/../|g; s|\\([^-./\$\\w]\\)[.]/|\\1../../ide/bin/|g"
                                                2⤵
                                                • Reads runtime system information
                                                PID:1860
                                              • /usr/bin/dirname
                                                dirname java11.conf
                                                2⤵
                                                  PID:1885
                                                • /usr/bin/basename
                                                  basename java11.conf
                                                  2⤵
                                                    PID:1887
                                                  • /usr/bin/dirname
                                                    dirname sqldeveloper-nondebug.conf
                                                    2⤵
                                                      PID:1899
                                                    • /usr/bin/basename
                                                      basename sqldeveloper-nondebug.conf
                                                      2⤵
                                                        PID:1901
                                                      • /usr/bin/dirname
                                                        dirname /.sqldeveloper/23.1.1/product.conf
                                                        2⤵
                                                          PID:1913
                                                        • /bin/sed
                                                          sed -e "s|\\n||g"
                                                          2⤵
                                                          • Reads runtime system information
                                                          PID:1918
                                                        • /bin/sed
                                                          sed -e "s|/\$||g"
                                                          2⤵
                                                          • Reads runtime system information
                                                          PID:1921
                                                        • /bin/sed
                                                          sed -e "s|\\n||g"
                                                          2⤵
                                                          • Reads runtime system information
                                                          PID:1925
                                                        • /bin/sed
                                                          sed -e "s|/\$||g"
                                                          2⤵
                                                          • Reads runtime system information
                                                          PID:1928
                                                        • /bin/sed
                                                          sed -e "s|/\$||g"
                                                          2⤵
                                                          • Reads runtime system information
                                                          PID:1943
                                                        • /usr/bin/basename
                                                          basename /.sqldeveloper/23.1.1/product.conf
                                                          2⤵
                                                            PID:1945
                                                          • /usr/bin/tr
                                                            tr "[:upper:]" "[:lower:]"
                                                            2⤵
                                                              PID:1952
                                                            • /bin/uname
                                                              uname
                                                              2⤵
                                                                PID:1951
                                                              • /usr/bin/head
                                                                head -1
                                                                2⤵
                                                                  PID:1957
                                                                • /usr/bin/sort
                                                                  sort -r
                                                                  2⤵
                                                                    PID:1956
                                                                  • /bin/grep
                                                                    grep jdk8
                                                                    2⤵
                                                                      PID:1955
                                                                    • /bin/ls
                                                                      ls /usr/java
                                                                      2⤵
                                                                      • Reads runtime system information
                                                                      PID:1954
                                                                    • /usr/bin/head
                                                                      head -1
                                                                      2⤵
                                                                        PID:1962
                                                                      • /usr/bin/sort
                                                                        sort -r
                                                                        2⤵
                                                                          PID:1961
                                                                        • /bin/grep
                                                                          grep java8
                                                                          2⤵
                                                                            PID:1960
                                                                          • /bin/ls
                                                                            ls /usr
                                                                            2⤵
                                                                            • Reads runtime system information
                                                                            PID:1959
                                                                          • /usr/bin/which
                                                                            which java
                                                                            2⤵
                                                                              PID:1964
                                                                            • /bin/grep
                                                                              grep "[0-9]"
                                                                              2⤵
                                                                                PID:1968
                                                                              • /bin/grep
                                                                                grep "[0-9]"
                                                                                2⤵
                                                                                  PID:1970

                                                                              Network

                                                                              MITRE ATT&CK Matrix

                                                                              Replay Monitor

                                                                              Loading Replay Monitor...

                                                                              Downloads

                                                                              • /.sqldeveloper/23.1.1/product.conf
                                                                                Filesize

                                                                                2KB

                                                                                MD5

                                                                                57a08cb624498fffdc03d5b96600b2c8

                                                                                SHA1

                                                                                ed47ee24f67bf683430a572bb89f5a758564bb38

                                                                                SHA256

                                                                                cd4a2c02bcf7cafe376e13b39122cba2c76f4af09897b2005899d59271dcb9bf

                                                                                SHA512

                                                                                153822911bdec91d7817e17db31b0c5f89c29bf502c271396e425ab707f1ed882a05be304bec0860896b1226c5833710b9b2717d98b180181d12ca1347dacc5b

                                                                                Download Submit

                                                                              • /.sqldeveloper/23.1.1/product.conf
                                                                                Filesize

                                                                                2KB

                                                                                MD5

                                                                                700de3633f495706c115c6819c90832e

                                                                                SHA1

                                                                                c4282c51986a65892b185738407fc99dafd7b089

                                                                                SHA256

                                                                                b6dc1e1865d6ceda6b32af26a2bed6ff231483e87e7d6975058f407438ce0762

                                                                                SHA512

                                                                                144c69167679f2a810e19a5034cbe59c578676875b2d17a21a0abadb7b171d9a8c087223cd73e24dab3d12cb8d8abc97df7aa973343e13329d2d138b1b898eb9

                                                                                Download Submit

                                                                              • /tmp/sh-thd.XSRYnG
                                                                                Filesize

                                                                                100B

                                                                                MD5

                                                                                f6cc7fad8e79da4c7b423a6143a0deab

                                                                                SHA1

                                                                                e94fad3a50b223f23ccd591994a3c1d9015446ab

                                                                                SHA256

                                                                                52d8728550c7e4ed4c3cc9b1a5e1fc30e24c1760613b6052d31a8ca27e3072e9

                                                                                SHA512

                                                                                31fd115d72be0d932bd04639e066ecc824e53811faae633da8440f32376b5c19e54759071c1e949e0759bfe4be3d94b73ace368065f6465ab2dca4a319f1a60f

                                                                                Download Submit