30c07969150109f3907de1171e3dc55303f660a3e430c072aae07058dca42ffc

Analysis

max time kernel
6s
platform
debian-9_armhf
resource
debian9-armhf-20240729-en
resource tags

arch:armhfimage:debian9-armhf-20240729-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
05/03/2025, 03:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sqldeveloper/sqldeveloper/bin/sdcli
Size

675B
MD5

189681346250dbc93a25eb0d50b82bd4
SHA1

afa4e31516ba458b8f2074478655308c41d038fe
SHA256

2090a149f83a6fe3a99c1aa55d4d27a6f8e51b4d870547205b8917e8f1d22e5f
SHA512

808ea71a5ffa9ee42a571bf10b09b4d9f34eed1e46e2b2c49394920c035bff4276a1be55be5a210a7b32ff3734392cb35d6e09e612fcb877f94ed08426bd7089

Score

3^/10

discovery

Malware Config

Signatures

Reads runtime system information 45 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	ls
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	ls
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/sh-thd.hOl4MU	sdcli

/tmp/sqldeveloper/sqldeveloper/bin/sdcli
/tmp/sqldeveloper/sqldeveloper/bin/sdcli
1⤵
- Writes file to tmp directory
PID:784
- /usr/bin/dirname
  dirname /tmp/sqldeveloper/sqldeveloper/bin/sdcli
  2⤵
  PID:785
- /usr/bin/expr
  expr /tmp/sqldeveloper/sqldeveloper/bin/sdcli : "\$/\$.*"
  2⤵
  PID:790
- /usr/bin/dirname
  dirname /tmp/sqldeveloper/sqldeveloper/bin/sdcli
  2⤵
  PID:793
- /usr/bin/basename
  basename /tmp/sqldeveloper/sqldeveloper/bin/sdcli
  2⤵
  PID:798
- /usr/bin/dirname
  dirname /tmp/sqldeveloper/sqldeveloper/bin/sdcli
  2⤵
  PID:803
- /usr/bin/expr
  expr /tmp/sqldeveloper/sqldeveloper/bin/sdcli : "\$/\$.*"
  2⤵
  PID:805
- /usr/bin/dirname
  dirname /tmp/sqldeveloper/sqldeveloper/bin/sdcli
  2⤵
  PID:808
- /usr/bin/basename
  basename /tmp/sqldeveloper/sqldeveloper/bin/sdcli
  2⤵
  PID:810
- /usr/bin/dirname
  dirname /tmp/sqldeveloper/sqldeveloper/bin/sdcli
  2⤵
  PID:813
- /bin/cat
  cat
  2⤵
  PID:814
- /bin/mkdir
  mkdir -p /.sqldeveloper/23.1.1
  2⤵
  - Reads runtime system information
  PID:837
- /usr/bin/touch
  touch /.sqldeveloper/23.1.1/product.conf
  2⤵
  PID:838
- /bin/sed
  sed "s/[\\&/]/\\\\&/g"
  2⤵
  - Reads runtime system information
  PID:843
- /bin/sed
  sed "s/@@ADDVMOPTION_INITIAL_JAVA_MEMORY@@/# AddVMOption -Xms128m/"
  2⤵
  - Reads runtime system information
  PID:846
- /bin/sed
  sed "s/[\\&/]/\\\\&/g"
  2⤵
  - Reads runtime system information
  PID:850
- /bin/sed
  sed "s/@@ADD32VMOPTION_INITIAL_JAVA_MEMORY@@/# Add32VMOption -Xms128m/"
  2⤵
  - Reads runtime system information
  PID:853
- /bin/sed
  sed "s/[\\&/]/\\\\&/g"
  2⤵
  - Reads runtime system information
  PID:857
- /bin/sed
  sed "s/@@ADD64VMOPTION_INITIAL_JAVA_MEMORY@@/# Add64VMOption -Xms128m/"
  2⤵
  - Reads runtime system information
  PID:860
- /bin/sed
  sed "s/[\\&/]/\\\\&/g"
  2⤵
  - Reads runtime system information
  PID:864
- /bin/sed
  sed "s/@@ADDVMOPTION_MAXIMUM_JAVA_MEMORY@@/# AddVMOption -Xmx800m/"
  2⤵
  - Reads runtime system information
  PID:867
- /bin/sed
  sed "s/[\\&/]/\\\\&/g"
  2⤵
  - Reads runtime system information
  PID:871
- /bin/sed
  sed "s/@@ADD32VMOPTION_MAXIMUM_JAVA_MEMORY@@/# Add32VMOption -Xmx800m/"
  2⤵
  - Reads runtime system information
  PID:874
- /bin/sed
  sed "s/[\\&/]/\\\\&/g"
  2⤵
  - Reads runtime system information
  PID:878
- /bin/sed
  sed "s/@@ADD64VMOPTION_MAXIMUM_JAVA_MEMORY@@/# Add64VMOption -Xmx2g/"
  2⤵
  - Reads runtime system information
  PID:881
- /usr/bin/dirname
  dirname /tmp/sqldeveloper/sqldeveloper/bin/sdcli
  2⤵
  PID:884
- /usr/bin/basename
  basename /tmp/sqldeveloper/sqldeveloper/bin/sdcli
  2⤵
  PID:886
- /bin/uname
  uname
  2⤵
  PID:897
- /bin/sed
  sed -e "s|\\n||g"
  2⤵
  - Reads runtime system information
  PID:902
- /bin/sed
  sed -e "s|/\$||g"
  2⤵
  - Reads runtime system information
  PID:905
- /bin/sed
  sed -e "s|\\n||g"
  2⤵
  - Reads runtime system information
  PID:909
- /bin/sed
  sed -e "s|/\$||g"
  2⤵
  - Reads runtime system information
  PID:912
- /bin/sed
  sed -e "s|/\$||g"
  2⤵
  - Reads runtime system information
  PID:935
- /bin/uname
  uname
  2⤵
  PID:937
- /usr/bin/dirname
  dirname sqldeveloper.conf
  2⤵
  PID:940
- /usr/bin/basename
  basename sqldeveloper.conf
  2⤵
  PID:942
- /usr/bin/dirname
  dirname ../../ide/bin/ide.conf
  2⤵
  PID:945
- /bin/sed
  sed -e "s|\\n||g"
  2⤵
  - Reads runtime system information
  PID:950
- /bin/sed
  sed -e "s|/\$||g"
  2⤵
  - Reads runtime system information
  PID:953
- /bin/sed
  sed -e "s|\\n||g"
  2⤵
  - Reads runtime system information
  PID:957
- /bin/sed
  sed -e "s|/\$||g"
  2⤵
  - Reads runtime system information
  PID:960
- /bin/sed
  sed -e "s|/\$||g"
  2⤵
  - Reads runtime system information
  PID:983
- /usr/bin/basename
  basename ../../ide/bin/ide.conf
  2⤵
  PID:985
- /usr/bin/dirname
  dirname ../../ide/bin/jdk.conf
  2⤵
  PID:988
- /usr/bin/basename
  basename ../../ide/bin/jdk.conf
  2⤵
  PID:990
- /bin/sed
  sed -e "s|^[.][.]/|../../ide/bin/../|; s|^[.]/|../../ide/bin/|; s|\$[^-./\$\\w]\$[.][.]/|\\1../../ide/bin/../|g; s|\$[^-./\$\\w]\$[.]/|\\1../../ide/bin/|g"
  2⤵
  - Reads runtime system information
  PID:1074
- /bin/sed
  sed -e "s|^[.][.]/|../../ide/bin/../|; s|^[.]/|../../ide/bin/|; s|\$[^-./\$\\w]\$[.][.]/|\\1../../ide/bin/../|g; s|\$[^-./\$\\w]\$[.]/|\\1../../ide/bin/|g"
  2⤵
  - Reads runtime system information
  PID:1078
- /bin/sed
  sed -e "s|^[.][.]/|../../ide/bin/../|; s|^[.]/|../../ide/bin/|; s|\$[^-./\$\\w]\$[.][.]/|\\1../../ide/bin/../|g; s|\$[^-./\$\\w]\$[.]/|\\1../../ide/bin/|g"
  2⤵
  - Reads runtime system information
  PID:1082
- /bin/sed
  sed -e "s|^[.][.]/|../../ide/bin/../|; s|^[.]/|../../ide/bin/|; s|\$[^-./\$\\w]\$[.][.]/|\\1../../ide/bin/../|g; s|\$[^-./\$\\w]\$[.]/|\\1../../ide/bin/|g"
  2⤵
  - Reads runtime system information
  PID:1086
- /bin/sed
  sed -e "s|^[.][.]/|../../ide/bin/../|; s|^[.]/|../../ide/bin/|; s|\$[^-./\$\\w]\$[.][.]/|\\1../../ide/bin/../|g; s|\$[^-./\$\\w]\$[.]/|\\1../../ide/bin/|g"
  2⤵
  - Reads runtime system information
  PID:1090
- /bin/sed
  sed -e "s|^[.][.]/|../../ide/bin/../|; s|^[.]/|../../ide/bin/|; s|\$[^-./\$\\w]\$[.][.]/|\\1../../ide/bin/../|g; s|\$[^-./\$\\w]\$[.]/|\\1../../ide/bin/|g"
  2⤵
  - Reads runtime system information
  PID:1094
- /bin/sed
  sed -e "s|^[.][.]/|../../ide/bin/../|; s|^[.]/|../../ide/bin/|; s|\$[^-./\$\\w]\$[.][.]/|\\1../../ide/bin/../|g; s|\$[^-./\$\\w]\$[.]/|\\1../../ide/bin/|g"
  2⤵
  - Reads runtime system information
  PID:1098
- /bin/sed
  sed -e "s|^[.][.]/|../../ide/bin/../|; s|^[.]/|../../ide/bin/|; s|\$[^-./\$\\w]\$[.][.]/|\\1../../ide/bin/../|g; s|\$[^-./\$\\w]\$[.]/|\\1../../ide/bin/|g"
  2⤵
  - Reads runtime system information
  PID:1101
- /bin/sed
  sed -e "s|^[.][.]/|../../ide/bin/../|; s|^[.]/|../../ide/bin/|; s|\$[^-./\$\\w]\$[.][.]/|\\1../../ide/bin/../|g; s|\$[^-./\$\\w]\$[.]/|\\1../../ide/bin/|g"
  2⤵
  - Reads runtime system information
  PID:1106
- /bin/sed
  sed -e "s|^[.][.]/|../../ide/bin/../|; s|^[.]/|../../ide/bin/|; s|\$[^-./\$\\w]\$[.][.]/|\\1../../ide/bin/../|g; s|\$[^-./\$\\w]\$[.]/|\\1../../ide/bin/|g"
  2⤵
  - Reads runtime system information
  PID:1119
- /bin/sed
  sed -e "s|^[.][.]/|../../ide/bin/../|; s|^[.]/|../../ide/bin/|; s|\$[^-./\$\\w]\$[.][.]/|\\1../../ide/bin/../|g; s|\$[^-./\$\\w]\$[.]/|\\1../../ide/bin/|g"
  2⤵
  - Reads runtime system information
  PID:1122
- /bin/sed
  sed -e "s|^[.][.]/|../../ide/bin/../|; s|^[.]/|../../ide/bin/|; s|\$[^-./\$\\w]\$[.][.]/|\\1../../ide/bin/../|g; s|\$[^-./\$\\w]\$[.]/|\\1../../ide/bin/|g"
  2⤵
  - Reads runtime system information
  PID:1129
- /bin/sed
  sed -e "s|^[.][.]/|../../ide/bin/../|; s|^[.]/|../../ide/bin/|; s|\$[^-./\$\\w]\$[.][.]/|\\1../../ide/bin/../|g; s|\$[^-./\$\\w]\$[.]/|\\1../../ide/bin/|g"
  2⤵
  - Reads runtime system information
  PID:1134
- /bin/sed
  sed -e "s|^[.][.]/|../../ide/bin/../|; s|^[.]/|../../ide/bin/|; s|\$[^-./\$\\w]\$[.][.]/|\\1../../ide/bin/../|g; s|\$[^-./\$\\w]\$[.]/|\\1../../ide/bin/|g"
  2⤵
  - Reads runtime system information
  PID:1138
- /bin/sed
  sed -e "s|^[.][.]/|../../ide/bin/../|; s|^[.]/|../../ide/bin/|; s|\$[^-./\$\\w]\$[.][.]/|\\1../../ide/bin/../|g; s|\$[^-./\$\\w]\$[.]/|\\1../../ide/bin/|g"
  2⤵
  - Reads runtime system information
  PID:1144
- /usr/bin/dirname
  dirname java11.conf
  2⤵
  PID:1169
- /usr/bin/basename
  basename java11.conf
  2⤵
  PID:1171
- /usr/bin/dirname
  dirname sqldeveloper-nondebug.conf
  2⤵
  PID:1183
- /usr/bin/basename
  basename sqldeveloper-nondebug.conf
  2⤵
  PID:1185
- /usr/bin/dirname
  dirname /.sqldeveloper/23.1.1/product.conf
  2⤵
  PID:1197
- /bin/sed
  sed -e "s|\\n||g"
  2⤵
  - Reads runtime system information
  PID:1202
- /bin/sed
  sed -e "s|/\$||g"
  2⤵
  - Reads runtime system information
  PID:1205
- /bin/sed
  sed -e "s|\\n||g"
  2⤵
  - Reads runtime system information
  PID:1209
- /bin/sed
  sed -e "s|/\$||g"
  2⤵
  - Reads runtime system information
  PID:1212
- /bin/sed
  sed -e "s|/\$||g"
  2⤵
  - Reads runtime system information
  PID:1227
- /usr/bin/basename
  basename /.sqldeveloper/23.1.1/product.conf
  2⤵
  PID:1229
- /bin/uname
  uname
  2⤵
  PID:1235
- /usr/bin/tr
  tr "[:upper:]" "[:lower:]"
  2⤵
  PID:1236
- /bin/grep
  grep jdk8
  2⤵
  PID:1239
- /bin/ls
  ls /usr/java
  2⤵
  - Reads runtime system information
  PID:1238
- /usr/bin/head
  head -1
  2⤵
  PID:1241
- /usr/bin/sort
  sort -r
  2⤵
  PID:1240
- /bin/ls
  ls /usr
  2⤵
  - Reads runtime system information
  PID:1243
- /usr/bin/head
  head -1
  2⤵
  PID:1246
- /bin/grep
  grep java8
  2⤵
  PID:1244
- /usr/bin/sort
  sort -r
  2⤵
  PID:1245
- /usr/bin/which
  which java
  2⤵
  PID:1248
- /bin/grep
  grep "[0-9]"
  2⤵
  PID:1252
- /bin/grep
  grep "[0-9]"
  2⤵
  PID:1254

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/.sqldeveloper/23.1.1/product.conf

Filesize
2KB

MD5
57a08cb624498fffdc03d5b96600b2c8

SHA1
ed47ee24f67bf683430a572bb89f5a758564bb38

SHA256
cd4a2c02bcf7cafe376e13b39122cba2c76f4af09897b2005899d59271dcb9bf

SHA512
153822911bdec91d7817e17db31b0c5f89c29bf502c271396e425ab707f1ed882a05be304bec0860896b1226c5833710b9b2717d98b180181d12ca1347dacc5b

Download Submit
/.sqldeveloper/23.1.1/product.conf

Filesize
2KB

MD5
700de3633f495706c115c6819c90832e

SHA1
c4282c51986a65892b185738407fc99dafd7b089

SHA256
b6dc1e1865d6ceda6b32af26a2bed6ff231483e87e7d6975058f407438ce0762

SHA512
144c69167679f2a810e19a5034cbe59c578676875b2d17a21a0abadb7b171d9a8c087223cd73e24dab3d12cb8d8abc97df7aa973343e13329d2d138b1b898eb9

Download Submit
/tmp/sh-thd.hOl4MU

Filesize
100B

MD5
f6cc7fad8e79da4c7b423a6143a0deab

SHA1
e94fad3a50b223f23ccd591994a3c1d9015446ab

SHA256
52d8728550c7e4ed4c3cc9b1a5e1fc30e24c1760613b6052d31a8ca27e3072e9

SHA512
31fd115d72be0d932bd04639e066ecc824e53811faae633da8440f32376b5c19e54759071c1e949e0759bfe4be3d94b73ace368065f6465ab2dca4a319f1a60f

Download Submit