30c07969150109f3907de1171e3dc55303f660a3e430c072aae07058dca42ffc

Analysis

max time kernel
6s
platform
debian-9_mipsel
resource
debian9-mipsel-20240418-en
resource tags

arch:mipselimage:debian9-mipsel-20240418-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem
submitted
05/03/2025, 03:34 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sqldeveloper/sqldeveloper/bin/sdcli
Size

675B
MD5

189681346250dbc93a25eb0d50b82bd4
SHA1

afa4e31516ba458b8f2074478655308c41d038fe
SHA256

2090a149f83a6fe3a99c1aa55d4d27a6f8e51b4d870547205b8917e8f1d22e5f
SHA512

808ea71a5ffa9ee42a571bf10b09b4d9f34eed1e46e2b2c49394920c035bff4276a1be55be5a210a7b32ff3734392cb35d6e09e612fcb877f94ed08426bd7089

Score

3^/10

discovery

Malware Config

Signatures

Reads runtime system information 45 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	ls
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	ls
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/filesystems	sed

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/sh-thd.kfDaM2	sdcli

/tmp/sqldeveloper/sqldeveloper/bin/sdcli
/tmp/sqldeveloper/sqldeveloper/bin/sdcli
1⤵
- Writes file to tmp directory
PID:806
- /usr/bin/dirname
  dirname /tmp/sqldeveloper/sqldeveloper/bin/sdcli
  2⤵
  PID:807
- /usr/bin/expr
  expr /tmp/sqldeveloper/sqldeveloper/bin/sdcli : "\$/\$.*"
  2⤵
  PID:812
- /usr/bin/dirname
  dirname /tmp/sqldeveloper/sqldeveloper/bin/sdcli
  2⤵
  PID:815
- /usr/bin/basename
  basename /tmp/sqldeveloper/sqldeveloper/bin/sdcli
  2⤵
  PID:817
- /usr/bin/dirname
  dirname /tmp/sqldeveloper/sqldeveloper/bin/sdcli
  2⤵
  PID:826
- /usr/bin/expr
  expr /tmp/sqldeveloper/sqldeveloper/bin/sdcli : "\$/\$.*"
  2⤵
  PID:828
- /usr/bin/dirname
  dirname /tmp/sqldeveloper/sqldeveloper/bin/sdcli
  2⤵
  PID:831
- /usr/bin/basename
  basename /tmp/sqldeveloper/sqldeveloper/bin/sdcli
  2⤵
  PID:833
- /usr/bin/dirname
  dirname /tmp/sqldeveloper/sqldeveloper/bin/sdcli
  2⤵
  PID:836
- /bin/cat
  cat
  2⤵
  PID:837
- /bin/mkdir
  mkdir -p /.sqldeveloper/23.1.1
  2⤵
  - Reads runtime system information
  PID:860
- /usr/bin/touch
  touch /.sqldeveloper/23.1.1/product.conf
  2⤵
  PID:861
- /bin/sed
  sed "s/[\\&/]/\\\\&/g"
  2⤵
  - Reads runtime system information
  PID:866
- /bin/sed
  sed "s/@@ADDVMOPTION_INITIAL_JAVA_MEMORY@@/# AddVMOption -Xms128m/"
  2⤵
  - Reads runtime system information
  PID:869
- /bin/sed
  sed "s/[\\&/]/\\\\&/g"
  2⤵
  - Reads runtime system information
  PID:873
- /bin/sed
  sed "s/@@ADD32VMOPTION_INITIAL_JAVA_MEMORY@@/# Add32VMOption -Xms128m/"
  2⤵
  - Reads runtime system information
  PID:876
- /bin/sed
  sed "s/[\\&/]/\\\\&/g"
  2⤵
  - Reads runtime system information
  PID:880
- /bin/sed
  sed "s/@@ADD64VMOPTION_INITIAL_JAVA_MEMORY@@/# Add64VMOption -Xms128m/"
  2⤵
  - Reads runtime system information
  PID:883
- /bin/sed
  sed "s/[\\&/]/\\\\&/g"
  2⤵
  - Reads runtime system information
  PID:887
- /bin/sed
  sed "s/@@ADDVMOPTION_MAXIMUM_JAVA_MEMORY@@/# AddVMOption -Xmx800m/"
  2⤵
  - Reads runtime system information
  PID:890
- /bin/sed
  sed "s/[\\&/]/\\\\&/g"
  2⤵
  - Reads runtime system information
  PID:894
- /bin/sed
  sed "s/@@ADD32VMOPTION_MAXIMUM_JAVA_MEMORY@@/# Add32VMOption -Xmx800m/"
  2⤵
  - Reads runtime system information
  PID:897
- /bin/sed
  sed "s/[\\&/]/\\\\&/g"
  2⤵
  - Reads runtime system information
  PID:901
- /bin/sed
  sed "s/@@ADD64VMOPTION_MAXIMUM_JAVA_MEMORY@@/# Add64VMOption -Xmx2g/"
  2⤵
  - Reads runtime system information
  PID:904
- /usr/bin/dirname
  dirname /tmp/sqldeveloper/sqldeveloper/bin/sdcli
  2⤵
  PID:907
- /usr/bin/basename
  basename /tmp/sqldeveloper/sqldeveloper/bin/sdcli
  2⤵
  PID:909
- /bin/uname
  uname
  2⤵
  PID:920
- /bin/sed
  sed -e "s|\\n||g"
  2⤵
  - Reads runtime system information
  PID:925
- /bin/sed
  sed -e "s|/\$||g"
  2⤵
  - Reads runtime system information
  PID:928
- /bin/sed
  sed -e "s|\\n||g"
  2⤵
  - Reads runtime system information
  PID:932
- /bin/sed
  sed -e "s|/\$||g"
  2⤵
  - Reads runtime system information
  PID:935
- /bin/sed
  sed -e "s|/\$||g"
  2⤵
  - Reads runtime system information
  PID:958
- /bin/uname
  uname
  2⤵
  PID:960
- /usr/bin/dirname
  dirname sqldeveloper.conf
  2⤵
  PID:963
- /usr/bin/basename
  basename sqldeveloper.conf
  2⤵
  PID:965
- /usr/bin/dirname
  dirname ../../ide/bin/ide.conf
  2⤵
  PID:968
- /bin/sed
  sed -e "s|\\n||g"
  2⤵
  - Reads runtime system information
  PID:973
- /bin/sed
  sed -e "s|/\$||g"
  2⤵
  - Reads runtime system information
  PID:976
- /bin/sed
  sed -e "s|\\n||g"
  2⤵
  - Reads runtime system information
  PID:980
- /bin/sed
  sed -e "s|/\$||g"
  2⤵
  - Reads runtime system information
  PID:983
- /bin/sed
  sed -e "s|/\$||g"
  2⤵
  - Reads runtime system information
  PID:1006
- /usr/bin/basename
  basename ../../ide/bin/ide.conf
  2⤵
  PID:1008
- /usr/bin/dirname
  dirname ../../ide/bin/jdk.conf
  2⤵
  PID:1011
- /usr/bin/basename
  basename ../../ide/bin/jdk.conf
  2⤵
  PID:1013
- /bin/sed
  sed -e "s|^[.][.]/|../../ide/bin/../|; s|^[.]/|../../ide/bin/|; s|\$[^-./\$\\w]\$[.][.]/|\\1../../ide/bin/../|g; s|\$[^-./\$\\w]\$[.]/|\\1../../ide/bin/|g"
  2⤵
  - Reads runtime system information
  PID:1097
- /bin/sed
  sed -e "s|^[.][.]/|../../ide/bin/../|; s|^[.]/|../../ide/bin/|; s|\$[^-./\$\\w]\$[.][.]/|\\1../../ide/bin/../|g; s|\$[^-./\$\\w]\$[.]/|\\1../../ide/bin/|g"
  2⤵
  - Reads runtime system information
  PID:1101
- /bin/sed
  sed -e "s|^[.][.]/|../../ide/bin/../|; s|^[.]/|../../ide/bin/|; s|\$[^-./\$\\w]\$[.][.]/|\\1../../ide/bin/../|g; s|\$[^-./\$\\w]\$[.]/|\\1../../ide/bin/|g"
  2⤵
  - Reads runtime system information
  PID:1105
- /bin/sed
  sed -e "s|^[.][.]/|../../ide/bin/../|; s|^[.]/|../../ide/bin/|; s|\$[^-./\$\\w]\$[.][.]/|\\1../../ide/bin/../|g; s|\$[^-./\$\\w]\$[.]/|\\1../../ide/bin/|g"
  2⤵
  - Reads runtime system information
  PID:1109
- /bin/sed
  sed -e "s|^[.][.]/|../../ide/bin/../|; s|^[.]/|../../ide/bin/|; s|\$[^-./\$\\w]\$[.][.]/|\\1../../ide/bin/../|g; s|\$[^-./\$\\w]\$[.]/|\\1../../ide/bin/|g"
  2⤵
  - Reads runtime system information
  PID:1113
- /bin/sed
  sed -e "s|^[.][.]/|../../ide/bin/../|; s|^[.]/|../../ide/bin/|; s|\$[^-./\$\\w]\$[.][.]/|\\1../../ide/bin/../|g; s|\$[^-./\$\\w]\$[.]/|\\1../../ide/bin/|g"
  2⤵
  - Reads runtime system information
  PID:1117
- /bin/sed
  sed -e "s|^[.][.]/|../../ide/bin/../|; s|^[.]/|../../ide/bin/|; s|\$[^-./\$\\w]\$[.][.]/|\\1../../ide/bin/../|g; s|\$[^-./\$\\w]\$[.]/|\\1../../ide/bin/|g"
  2⤵
  - Reads runtime system information
  PID:1121
- /bin/sed
  sed -e "s|^[.][.]/|../../ide/bin/../|; s|^[.]/|../../ide/bin/|; s|\$[^-./\$\\w]\$[.][.]/|\\1../../ide/bin/../|g; s|\$[^-./\$\\w]\$[.]/|\\1../../ide/bin/|g"
  2⤵
  - Reads runtime system information
  PID:1124
- /bin/sed
  sed -e "s|^[.][.]/|../../ide/bin/../|; s|^[.]/|../../ide/bin/|; s|\$[^-./\$\\w]\$[.][.]/|\\1../../ide/bin/../|g; s|\$[^-./\$\\w]\$[.]/|\\1../../ide/bin/|g"
  2⤵
  - Reads runtime system information
  PID:1129
- /bin/sed
  sed -e "s|^[.][.]/|../../ide/bin/../|; s|^[.]/|../../ide/bin/|; s|\$[^-./\$\\w]\$[.][.]/|\\1../../ide/bin/../|g; s|\$[^-./\$\\w]\$[.]/|\\1../../ide/bin/|g"
  2⤵
  - Reads runtime system information
  PID:1142
- /bin/sed
  sed -e "s|^[.][.]/|../../ide/bin/../|; s|^[.]/|../../ide/bin/|; s|\$[^-./\$\\w]\$[.][.]/|\\1../../ide/bin/../|g; s|\$[^-./\$\\w]\$[.]/|\\1../../ide/bin/|g"
  2⤵
  - Reads runtime system information
  PID:1145
- /bin/sed
  sed -e "s|^[.][.]/|../../ide/bin/../|; s|^[.]/|../../ide/bin/|; s|\$[^-./\$\\w]\$[.][.]/|\\1../../ide/bin/../|g; s|\$[^-./\$\\w]\$[.]/|\\1../../ide/bin/|g"
  2⤵
  - Reads runtime system information
  PID:1152
- /bin/sed
  sed -e "s|^[.][.]/|../../ide/bin/../|; s|^[.]/|../../ide/bin/|; s|\$[^-./\$\\w]\$[.][.]/|\\1../../ide/bin/../|g; s|\$[^-./\$\\w]\$[.]/|\\1../../ide/bin/|g"
  2⤵
  - Reads runtime system information
  PID:1157
- /bin/sed
  sed -e "s|^[.][.]/|../../ide/bin/../|; s|^[.]/|../../ide/bin/|; s|\$[^-./\$\\w]\$[.][.]/|\\1../../ide/bin/../|g; s|\$[^-./\$\\w]\$[.]/|\\1../../ide/bin/|g"
  2⤵
  - Reads runtime system information
  PID:1161
- /bin/sed
  sed -e "s|^[.][.]/|../../ide/bin/../|; s|^[.]/|../../ide/bin/|; s|\$[^-./\$\\w]\$[.][.]/|\\1../../ide/bin/../|g; s|\$[^-./\$\\w]\$[.]/|\\1../../ide/bin/|g"
  2⤵
  - Reads runtime system information
  PID:1167
- /usr/bin/dirname
  dirname java11.conf
  2⤵
  PID:1192
- /usr/bin/basename
  basename java11.conf
  2⤵
  PID:1194
- /usr/bin/dirname
  dirname sqldeveloper-nondebug.conf
  2⤵
  PID:1206
- /usr/bin/basename
  basename sqldeveloper-nondebug.conf
  2⤵
  PID:1208
- /usr/bin/dirname
  dirname /.sqldeveloper/23.1.1/product.conf
  2⤵
  PID:1220
- /bin/sed
  sed -e "s|\\n||g"
  2⤵
  - Reads runtime system information
  PID:1225
- /bin/sed
  sed -e "s|/\$||g"
  2⤵
  - Reads runtime system information
  PID:1228
- /bin/sed
  sed -e "s|\\n||g"
  2⤵
  - Reads runtime system information
  PID:1232
- /bin/sed
  sed -e "s|/\$||g"
  2⤵
  - Reads runtime system information
  PID:1235
- /bin/sed
  sed -e "s|/\$||g"
  2⤵
  - Reads runtime system information
  PID:1250
- /usr/bin/basename
  basename /.sqldeveloper/23.1.1/product.conf
  2⤵
  PID:1252
- /bin/uname
  uname
  2⤵
  PID:1258
- /usr/bin/tr
  tr "[:upper:]" "[:lower:]"
  2⤵
  PID:1259
- /usr/bin/head
  head -1
  2⤵
  PID:1264
- /usr/bin/sort
  sort -r
  2⤵
  PID:1263
- /bin/ls
  ls /usr/java
  2⤵
  - Reads runtime system information
  PID:1261
- /bin/grep
  grep jdk8
  2⤵
  PID:1262
- /bin/grep
  grep java8
  2⤵
  PID:1267
- /usr/bin/sort
  sort -r
  2⤵
  PID:1268
- /usr/bin/head
  head -1
  2⤵
  PID:1269
- /bin/ls
  ls /usr
  2⤵
  - Reads runtime system information
  PID:1266
- /usr/bin/which
  which java
  2⤵
  PID:1271
- /bin/grep
  grep "[0-9]"
  2⤵
  PID:1275
- /bin/grep
  grep "[0-9]"
  2⤵
  PID:1277

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/.sqldeveloper/23.1.1/product.conf

Filesize
2KB

MD5
57a08cb624498fffdc03d5b96600b2c8

SHA1
ed47ee24f67bf683430a572bb89f5a758564bb38

SHA256
cd4a2c02bcf7cafe376e13b39122cba2c76f4af09897b2005899d59271dcb9bf

SHA512
153822911bdec91d7817e17db31b0c5f89c29bf502c271396e425ab707f1ed882a05be304bec0860896b1226c5833710b9b2717d98b180181d12ca1347dacc5b

Download Submit
/.sqldeveloper/23.1.1/product.conf

Filesize
2KB

MD5
700de3633f495706c115c6819c90832e

SHA1
c4282c51986a65892b185738407fc99dafd7b089

SHA256
b6dc1e1865d6ceda6b32af26a2bed6ff231483e87e7d6975058f407438ce0762

SHA512
144c69167679f2a810e19a5034cbe59c578676875b2d17a21a0abadb7b171d9a8c087223cd73e24dab3d12cb8d8abc97df7aa973343e13329d2d138b1b898eb9

Download Submit
/tmp/sh-thd.kfDaM2

Filesize
100B

MD5
f6cc7fad8e79da4c7b423a6143a0deab

SHA1
e94fad3a50b223f23ccd591994a3c1d9015446ab

SHA256
52d8728550c7e4ed4c3cc9b1a5e1fc30e24c1760613b6052d31a8ca27e3072e9

SHA512
31fd115d72be0d932bd04639e066ecc824e53811faae633da8440f32376b5c19e54759071c1e949e0759bfe4be3d94b73ace368065f6465ab2dca4a319f1a60f

Download Submit