Overview
overview
10Static
static
10sqldevelop.../sdcli
ubuntu-18.04-amd64
3sqldevelop.../sdcli
debian-9-armhf
3sqldevelop.../sdcli
debian-9-mips
3sqldevelop.../sdcli
debian-9-mipsel
3sqldevelop...li.exe
windows7-x64
3sqldevelop...li.exe
windows10-2004-x64
3sqldevelop...64.exe
windows7-x64
1sqldevelop...64.exe
windows10-2004-x64
1sqldevelop...in/sql
ubuntu-18.04-amd64
3sqldevelop...in/sql
debian-9-armhf
3sqldevelop...in/sql
debian-9-mips
3sqldevelop...in/sql
debian-9-mipsel
3sqldevelop...ql.exe
windows7-x64
3sqldevelop...ql.exe
windows10-2004-x64
3sqldevelop...eloper
ubuntu-18.04-amd64
3sqldevelop...eloper
debian-9-armhf
3sqldevelop...eloper
debian-9-mips
3sqldevelop...eloper
debian-9-mipsel
3sqldevelop...er.exe
windows7-x64
3sqldevelop...er.exe
windows10-2004-x64
3sqldevelop...64.exe
windows7-x64
1sqldevelop...64.exe
windows10-2004-x64
1sqldevelop...4W.exe
windows7-x64
1sqldevelop...4W.exe
windows10-2004-x64
1sqldevelop...rW.exe
windows7-x64
3sqldevelop...rW.exe
windows10-2004-x64
3sqldevelop...lp.jar
windows7-x64
1sqldevelop...lp.jar
windows10-2004-x64
1sqldevelop...lp.jar
windows7-x64
1sqldevelop...lp.jar
windows10-2004-x64
1sqldevelop...g.html
windows7-x64
3sqldevelop...g.html
windows10-2004-x64
3Analysis
-
max time kernel
6s -
platform
debian-9_armhf -
resource
debian9-armhf-20240729-en -
resource tags
arch:armhfimage:debian9-armhf-20240729-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem -
submitted
05/03/2025, 03:34
Behavioral task
behavioral1
Sample
sqldeveloper/sqldeveloper/bin/sdcli
Resource
ubuntu1804-amd64-20240611-en
Behavioral task
behavioral2
Sample
sqldeveloper/sqldeveloper/bin/sdcli
Resource
debian9-armhf-20240729-en
Behavioral task
behavioral3
Sample
sqldeveloper/sqldeveloper/bin/sdcli
Resource
debian9-mipsbe-20240611-en
Behavioral task
behavioral4
Sample
sqldeveloper/sqldeveloper/bin/sdcli
Resource
debian9-mipsel-20240418-en
Behavioral task
behavioral5
Sample
sqldeveloper/sqldeveloper/bin/sdcli.exe
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
sqldeveloper/sqldeveloper/bin/sdcli.exe
Resource
win10v2004-20250217-en
Behavioral task
behavioral7
Sample
sqldeveloper/sqldeveloper/bin/sdcli64.exe
Resource
win7-20240903-en
Behavioral task
behavioral8
Sample
sqldeveloper/sqldeveloper/bin/sdcli64.exe
Resource
win10v2004-20250217-en
Behavioral task
behavioral9
Sample
sqldeveloper/sqldeveloper/bin/sql
Resource
ubuntu1804-amd64-20240611-en
Behavioral task
behavioral10
Sample
sqldeveloper/sqldeveloper/bin/sql
Resource
debian9-armhf-20240611-en
Behavioral task
behavioral11
Sample
sqldeveloper/sqldeveloper/bin/sql
Resource
debian9-mipsbe-20240729-en
Behavioral task
behavioral12
Sample
sqldeveloper/sqldeveloper/bin/sql
Resource
debian9-mipsel-20240418-en
Behavioral task
behavioral13
Sample
sqldeveloper/sqldeveloper/bin/sql.exe
Resource
win7-20240903-en
Behavioral task
behavioral14
Sample
sqldeveloper/sqldeveloper/bin/sql.exe
Resource
win10v2004-20250217-en
Behavioral task
behavioral15
Sample
sqldeveloper/sqldeveloper/bin/sqldeveloper
Resource
ubuntu1804-amd64-20240611-en
Behavioral task
behavioral16
Sample
sqldeveloper/sqldeveloper/bin/sqldeveloper
Resource
debian9-armhf-20240611-en
Behavioral task
behavioral17
Sample
sqldeveloper/sqldeveloper/bin/sqldeveloper
Resource
debian9-mipsbe-20240729-en
Behavioral task
behavioral18
Sample
sqldeveloper/sqldeveloper/bin/sqldeveloper
Resource
debian9-mipsel-20240226-en
Behavioral task
behavioral19
Sample
sqldeveloper/sqldeveloper/bin/sqldeveloper.exe
Resource
win7-20241023-en
Behavioral task
behavioral20
Sample
sqldeveloper/sqldeveloper/bin/sqldeveloper.exe
Resource
win10v2004-20250217-en
Behavioral task
behavioral21
Sample
sqldeveloper/sqldeveloper/bin/sqldeveloper64.exe
Resource
win7-20240903-en
Behavioral task
behavioral22
Sample
sqldeveloper/sqldeveloper/bin/sqldeveloper64.exe
Resource
win10v2004-20250217-en
Behavioral task
behavioral23
Sample
sqldeveloper/sqldeveloper/bin/sqldeveloper64W.exe
Resource
win7-20240903-en
Behavioral task
behavioral24
Sample
sqldeveloper/sqldeveloper/bin/sqldeveloper64W.exe
Resource
win10v2004-20250217-en
Behavioral task
behavioral25
Sample
sqldeveloper/sqldeveloper/bin/sqldeveloperW.exe
Resource
win7-20240903-en
Behavioral task
behavioral26
Sample
sqldeveloper/sqldeveloper/bin/sqldeveloperW.exe
Resource
win10v2004-20250217-en
Behavioral task
behavioral27
Sample
sqldeveloper/sqldeveloper/doc/dataminer_help.jar
Resource
win7-20240903-en
Behavioral task
behavioral28
Sample
sqldeveloper/sqldeveloper/doc/dataminer_help.jar
Resource
win10v2004-20250217-en
Behavioral task
behavioral29
Sample
sqldeveloper/sqldeveloper/doc/sqldeveloper_help.jar
Resource
win7-20240903-en
Behavioral task
behavioral30
Sample
sqldeveloper/sqldeveloper/doc/sqldeveloper_help.jar
Resource
win10v2004-20250217-en
Behavioral task
behavioral31
Sample
sqldeveloper/sqldeveloper/doc/welcome/de/Training.html
Resource
win7-20240903-en
Behavioral task
behavioral32
Sample
sqldeveloper/sqldeveloper/doc/welcome/de/Training.html
Resource
win10v2004-20250217-en
General
-
Target
sqldeveloper/sqldeveloper/bin/sdcli
-
Size
675B
-
MD5
189681346250dbc93a25eb0d50b82bd4
-
SHA1
afa4e31516ba458b8f2074478655308c41d038fe
-
SHA256
2090a149f83a6fe3a99c1aa55d4d27a6f8e51b4d870547205b8917e8f1d22e5f
-
SHA512
808ea71a5ffa9ee42a571bf10b09b4d9f34eed1e46e2b2c49394920c035bff4276a1be55be5a210a7b32ff3734392cb35d6e09e612fcb877f94ed08426bd7089
Malware Config
Signatures
-
description ioc Process File opened for reading /proc/filesystems sed File opened for reading /proc/filesystems sed File opened for reading /proc/filesystems sed File opened for reading /proc/filesystems sed File opened for reading /proc/filesystems mkdir File opened for reading /proc/filesystems sed File opened for reading /proc/filesystems sed File opened for reading /proc/filesystems sed File opened for reading /proc/filesystems sed File opened for reading /proc/filesystems sed File opened for reading /proc/filesystems sed File opened for reading /proc/filesystems sed File opened for reading /proc/filesystems sed File opened for reading /proc/filesystems sed File opened for reading /proc/filesystems sed File opened for reading /proc/filesystems ls File opened for reading /proc/filesystems sed File opened for reading /proc/filesystems sed File opened for reading /proc/filesystems sed File opened for reading /proc/filesystems sed File opened for reading /proc/filesystems sed File opened for reading /proc/filesystems sed File opened for reading /proc/filesystems sed File opened for reading /proc/filesystems ls File opened for reading /proc/filesystems sed File opened for reading /proc/filesystems sed File opened for reading /proc/filesystems sed File opened for reading /proc/filesystems sed File opened for reading /proc/filesystems sed File opened for reading /proc/filesystems sed File opened for reading /proc/filesystems sed File opened for reading /proc/filesystems sed File opened for reading /proc/filesystems sed File opened for reading /proc/filesystems sed File opened for reading /proc/filesystems sed File opened for reading /proc/filesystems sed File opened for reading /proc/filesystems sed File opened for reading /proc/filesystems sed File opened for reading /proc/filesystems sed File opened for reading /proc/filesystems sed File opened for reading /proc/filesystems sed File opened for reading /proc/filesystems sed File opened for reading /proc/filesystems sed File opened for reading /proc/filesystems sed File opened for reading /proc/filesystems sed -
Writes file to tmp directory 1 IoCs
Malware often drops required files in the /tmp directory.
description ioc Process File opened for modification /tmp/sh-thd.hOl4MU sdcli
Processes
-
/tmp/sqldeveloper/sqldeveloper/bin/sdcli/tmp/sqldeveloper/sqldeveloper/bin/sdcli1⤵
- Writes file to tmp directory
PID:784 -
/usr/bin/dirnamedirname /tmp/sqldeveloper/sqldeveloper/bin/sdcli2⤵PID:785
-
-
/usr/bin/exprexpr /tmp/sqldeveloper/sqldeveloper/bin/sdcli : "\\(/\\).*"2⤵PID:790
-
-
/usr/bin/dirnamedirname /tmp/sqldeveloper/sqldeveloper/bin/sdcli2⤵PID:793
-
-
/usr/bin/basenamebasename /tmp/sqldeveloper/sqldeveloper/bin/sdcli2⤵PID:798
-
-
/usr/bin/dirnamedirname /tmp/sqldeveloper/sqldeveloper/bin/sdcli2⤵PID:803
-
-
/usr/bin/exprexpr /tmp/sqldeveloper/sqldeveloper/bin/sdcli : "\\(/\\).*"2⤵PID:805
-
-
/usr/bin/dirnamedirname /tmp/sqldeveloper/sqldeveloper/bin/sdcli2⤵PID:808
-
-
/usr/bin/basenamebasename /tmp/sqldeveloper/sqldeveloper/bin/sdcli2⤵PID:810
-
-
/usr/bin/dirnamedirname /tmp/sqldeveloper/sqldeveloper/bin/sdcli2⤵PID:813
-
-
/bin/catcat2⤵PID:814
-
-
/bin/mkdirmkdir -p /.sqldeveloper/23.1.12⤵
- Reads runtime system information
PID:837
-
-
/usr/bin/touchtouch /.sqldeveloper/23.1.1/product.conf2⤵PID:838
-
-
/bin/sedsed "s/[\\&/]/\\\\&/g"2⤵
- Reads runtime system information
PID:843
-
-
/bin/sedsed "s/@@ADDVMOPTION_INITIAL_JAVA_MEMORY@@/# AddVMOption -Xms128m/"2⤵
- Reads runtime system information
PID:846
-
-
/bin/sedsed "s/[\\&/]/\\\\&/g"2⤵
- Reads runtime system information
PID:850
-
-
/bin/sedsed "s/@@ADD32VMOPTION_INITIAL_JAVA_MEMORY@@/# Add32VMOption -Xms128m/"2⤵
- Reads runtime system information
PID:853
-
-
/bin/sedsed "s/[\\&/]/\\\\&/g"2⤵
- Reads runtime system information
PID:857
-
-
/bin/sedsed "s/@@ADD64VMOPTION_INITIAL_JAVA_MEMORY@@/# Add64VMOption -Xms128m/"2⤵
- Reads runtime system information
PID:860
-
-
/bin/sedsed "s/[\\&/]/\\\\&/g"2⤵
- Reads runtime system information
PID:864
-
-
/bin/sedsed "s/@@ADDVMOPTION_MAXIMUM_JAVA_MEMORY@@/# AddVMOption -Xmx800m/"2⤵
- Reads runtime system information
PID:867
-
-
/bin/sedsed "s/[\\&/]/\\\\&/g"2⤵
- Reads runtime system information
PID:871
-
-
/bin/sedsed "s/@@ADD32VMOPTION_MAXIMUM_JAVA_MEMORY@@/# Add32VMOption -Xmx800m/"2⤵
- Reads runtime system information
PID:874
-
-
/bin/sedsed "s/[\\&/]/\\\\&/g"2⤵
- Reads runtime system information
PID:878
-
-
/bin/sedsed "s/@@ADD64VMOPTION_MAXIMUM_JAVA_MEMORY@@/# Add64VMOption -Xmx2g/"2⤵
- Reads runtime system information
PID:881
-
-
/usr/bin/dirnamedirname /tmp/sqldeveloper/sqldeveloper/bin/sdcli2⤵PID:884
-
-
/usr/bin/basenamebasename /tmp/sqldeveloper/sqldeveloper/bin/sdcli2⤵PID:886
-
-
/bin/unameuname2⤵PID:897
-
-
/bin/sedsed -e "s|\\n||g"2⤵
- Reads runtime system information
PID:902
-
-
/bin/sedsed -e "s|/\$||g"2⤵
- Reads runtime system information
PID:905
-
-
/bin/sedsed -e "s|\\n||g"2⤵
- Reads runtime system information
PID:909
-
-
/bin/sedsed -e "s|/\$||g"2⤵
- Reads runtime system information
PID:912
-
-
/bin/sedsed -e "s|/\$||g"2⤵
- Reads runtime system information
PID:935
-
-
/bin/unameuname2⤵PID:937
-
-
/usr/bin/dirnamedirname sqldeveloper.conf2⤵PID:940
-
-
/usr/bin/basenamebasename sqldeveloper.conf2⤵PID:942
-
-
/usr/bin/dirnamedirname ../../ide/bin/ide.conf2⤵PID:945
-
-
/bin/sedsed -e "s|\\n||g"2⤵
- Reads runtime system information
PID:950
-
-
/bin/sedsed -e "s|/\$||g"2⤵
- Reads runtime system information
PID:953
-
-
/bin/sedsed -e "s|\\n||g"2⤵
- Reads runtime system information
PID:957
-
-
/bin/sedsed -e "s|/\$||g"2⤵
- Reads runtime system information
PID:960
-
-
/bin/sedsed -e "s|/\$||g"2⤵
- Reads runtime system information
PID:983
-
-
/usr/bin/basenamebasename ../../ide/bin/ide.conf2⤵PID:985
-
-
/usr/bin/dirnamedirname ../../ide/bin/jdk.conf2⤵PID:988
-
-
/usr/bin/basenamebasename ../../ide/bin/jdk.conf2⤵PID:990
-
-
/bin/sedsed -e "s|^[.][.]/|../../ide/bin/../|; s|^[.]/|../../ide/bin/|; s|\\([^-./\$\\w]\\)[.][.]/|\\1../../ide/bin/../|g; s|\\([^-./\$\\w]\\)[.]/|\\1../../ide/bin/|g"2⤵
- Reads runtime system information
PID:1074
-
-
/bin/sedsed -e "s|^[.][.]/|../../ide/bin/../|; s|^[.]/|../../ide/bin/|; s|\\([^-./\$\\w]\\)[.][.]/|\\1../../ide/bin/../|g; s|\\([^-./\$\\w]\\)[.]/|\\1../../ide/bin/|g"2⤵
- Reads runtime system information
PID:1078
-
-
/bin/sedsed -e "s|^[.][.]/|../../ide/bin/../|; s|^[.]/|../../ide/bin/|; s|\\([^-./\$\\w]\\)[.][.]/|\\1../../ide/bin/../|g; s|\\([^-./\$\\w]\\)[.]/|\\1../../ide/bin/|g"2⤵
- Reads runtime system information
PID:1082
-
-
/bin/sedsed -e "s|^[.][.]/|../../ide/bin/../|; s|^[.]/|../../ide/bin/|; s|\\([^-./\$\\w]\\)[.][.]/|\\1../../ide/bin/../|g; s|\\([^-./\$\\w]\\)[.]/|\\1../../ide/bin/|g"2⤵
- Reads runtime system information
PID:1086
-
-
/bin/sedsed -e "s|^[.][.]/|../../ide/bin/../|; s|^[.]/|../../ide/bin/|; s|\\([^-./\$\\w]\\)[.][.]/|\\1../../ide/bin/../|g; s|\\([^-./\$\\w]\\)[.]/|\\1../../ide/bin/|g"2⤵
- Reads runtime system information
PID:1090
-
-
/bin/sedsed -e "s|^[.][.]/|../../ide/bin/../|; s|^[.]/|../../ide/bin/|; s|\\([^-./\$\\w]\\)[.][.]/|\\1../../ide/bin/../|g; s|\\([^-./\$\\w]\\)[.]/|\\1../../ide/bin/|g"2⤵
- Reads runtime system information
PID:1094
-
-
/bin/sedsed -e "s|^[.][.]/|../../ide/bin/../|; s|^[.]/|../../ide/bin/|; s|\\([^-./\$\\w]\\)[.][.]/|\\1../../ide/bin/../|g; s|\\([^-./\$\\w]\\)[.]/|\\1../../ide/bin/|g"2⤵
- Reads runtime system information
PID:1098
-
-
/bin/sedsed -e "s|^[.][.]/|../../ide/bin/../|; s|^[.]/|../../ide/bin/|; s|\\([^-./\$\\w]\\)[.][.]/|\\1../../ide/bin/../|g; s|\\([^-./\$\\w]\\)[.]/|\\1../../ide/bin/|g"2⤵
- Reads runtime system information
PID:1101
-
-
/bin/sedsed -e "s|^[.][.]/|../../ide/bin/../|; s|^[.]/|../../ide/bin/|; s|\\([^-./\$\\w]\\)[.][.]/|\\1../../ide/bin/../|g; s|\\([^-./\$\\w]\\)[.]/|\\1../../ide/bin/|g"2⤵
- Reads runtime system information
PID:1106
-
-
/bin/sedsed -e "s|^[.][.]/|../../ide/bin/../|; s|^[.]/|../../ide/bin/|; s|\\([^-./\$\\w]\\)[.][.]/|\\1../../ide/bin/../|g; s|\\([^-./\$\\w]\\)[.]/|\\1../../ide/bin/|g"2⤵
- Reads runtime system information
PID:1119
-
-
/bin/sedsed -e "s|^[.][.]/|../../ide/bin/../|; s|^[.]/|../../ide/bin/|; s|\\([^-./\$\\w]\\)[.][.]/|\\1../../ide/bin/../|g; s|\\([^-./\$\\w]\\)[.]/|\\1../../ide/bin/|g"2⤵
- Reads runtime system information
PID:1122
-
-
/bin/sedsed -e "s|^[.][.]/|../../ide/bin/../|; s|^[.]/|../../ide/bin/|; s|\\([^-./\$\\w]\\)[.][.]/|\\1../../ide/bin/../|g; s|\\([^-./\$\\w]\\)[.]/|\\1../../ide/bin/|g"2⤵
- Reads runtime system information
PID:1129
-
-
/bin/sedsed -e "s|^[.][.]/|../../ide/bin/../|; s|^[.]/|../../ide/bin/|; s|\\([^-./\$\\w]\\)[.][.]/|\\1../../ide/bin/../|g; s|\\([^-./\$\\w]\\)[.]/|\\1../../ide/bin/|g"2⤵
- Reads runtime system information
PID:1134
-
-
/bin/sedsed -e "s|^[.][.]/|../../ide/bin/../|; s|^[.]/|../../ide/bin/|; s|\\([^-./\$\\w]\\)[.][.]/|\\1../../ide/bin/../|g; s|\\([^-./\$\\w]\\)[.]/|\\1../../ide/bin/|g"2⤵
- Reads runtime system information
PID:1138
-
-
/bin/sedsed -e "s|^[.][.]/|../../ide/bin/../|; s|^[.]/|../../ide/bin/|; s|\\([^-./\$\\w]\\)[.][.]/|\\1../../ide/bin/../|g; s|\\([^-./\$\\w]\\)[.]/|\\1../../ide/bin/|g"2⤵
- Reads runtime system information
PID:1144
-
-
/usr/bin/dirnamedirname java11.conf2⤵PID:1169
-
-
/usr/bin/basenamebasename java11.conf2⤵PID:1171
-
-
/usr/bin/dirnamedirname sqldeveloper-nondebug.conf2⤵PID:1183
-
-
/usr/bin/basenamebasename sqldeveloper-nondebug.conf2⤵PID:1185
-
-
/usr/bin/dirnamedirname /.sqldeveloper/23.1.1/product.conf2⤵PID:1197
-
-
/bin/sedsed -e "s|\\n||g"2⤵
- Reads runtime system information
PID:1202
-
-
/bin/sedsed -e "s|/\$||g"2⤵
- Reads runtime system information
PID:1205
-
-
/bin/sedsed -e "s|\\n||g"2⤵
- Reads runtime system information
PID:1209
-
-
/bin/sedsed -e "s|/\$||g"2⤵
- Reads runtime system information
PID:1212
-
-
/bin/sedsed -e "s|/\$||g"2⤵
- Reads runtime system information
PID:1227
-
-
/usr/bin/basenamebasename /.sqldeveloper/23.1.1/product.conf2⤵PID:1229
-
-
/bin/unameuname2⤵PID:1235
-
-
/usr/bin/trtr "[:upper:]" "[:lower:]"2⤵PID:1236
-
-
/bin/grepgrep jdk82⤵PID:1239
-
-
/bin/lsls /usr/java2⤵
- Reads runtime system information
PID:1238
-
-
/usr/bin/headhead -12⤵PID:1241
-
-
/usr/bin/sortsort -r2⤵PID:1240
-
-
/bin/lsls /usr2⤵
- Reads runtime system information
PID:1243
-
-
/usr/bin/headhead -12⤵PID:1246
-
-
/bin/grepgrep java82⤵PID:1244
-
-
/usr/bin/sortsort -r2⤵PID:1245
-
-
/usr/bin/whichwhich java2⤵PID:1248
-
-
/bin/grepgrep "[0-9]"2⤵PID:1252
-
-
/bin/grepgrep "[0-9]"2⤵PID:1254
-
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD557a08cb624498fffdc03d5b96600b2c8
SHA1ed47ee24f67bf683430a572bb89f5a758564bb38
SHA256cd4a2c02bcf7cafe376e13b39122cba2c76f4af09897b2005899d59271dcb9bf
SHA512153822911bdec91d7817e17db31b0c5f89c29bf502c271396e425ab707f1ed882a05be304bec0860896b1226c5833710b9b2717d98b180181d12ca1347dacc5b
-
Filesize
2KB
MD5700de3633f495706c115c6819c90832e
SHA1c4282c51986a65892b185738407fc99dafd7b089
SHA256b6dc1e1865d6ceda6b32af26a2bed6ff231483e87e7d6975058f407438ce0762
SHA512144c69167679f2a810e19a5034cbe59c578676875b2d17a21a0abadb7b171d9a8c087223cd73e24dab3d12cb8d8abc97df7aa973343e13329d2d138b1b898eb9
-
Filesize
100B
MD5f6cc7fad8e79da4c7b423a6143a0deab
SHA1e94fad3a50b223f23ccd591994a3c1d9015446ab
SHA25652d8728550c7e4ed4c3cc9b1a5e1fc30e24c1760613b6052d31a8ca27e3072e9
SHA51231fd115d72be0d932bd04639e066ecc824e53811faae633da8440f32376b5c19e54759071c1e949e0759bfe4be3d94b73ace368065f6465ab2dca4a319f1a60f