963b06d98c115aa44fff216ee477e49d66072df33838be1bb1f141dedf6c4d02

Analysis

max time kernel
150s
max time network
437s
platform
debian-9_mips
resource
debian9-mipsbe-20240611-en
resource tags

arch:mipsimage:debian9-mipsbe-20240611-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem
submitted
28/03/2025, 12:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

resources/app/bin/lpm_install.sh
Size

17KB
MD5

268a75c87d71b06cf53eed811aed5734
SHA1

4d508c3294ce3036c295a326c0ada14f202dae0b
SHA256

414ef99b1dcc687d3f2ad9139fb7c9e6ca3c52f55b31026c9759108fc1545729
SHA512

eda3866fd978f6b93582d212458f79bad6e8664c63ebae2db53128f333d49b6615cdf6a67596138b84271ac5c32a7c70000f529f1b8fc7415f9df22143f3abc7
SSDEEP

384:ZKuygbT00MJ8SR+azqfs+3VXfTaiA9DEWMZNAR2J0+GttpBWUepPsdti7:ZKCbW8mfiBfTaPIWMZNAR2J0+GjpBWvl

Score

7^/10

defense_evasion discovery

Malware Config

Signatures

File and Directory Permissions Modification 1 TTPs 2 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
913	curl
865	chmod

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
11	raw.githubusercontent.com
12	raw.githubusercontent.com
17	raw.githubusercontent.com
18	raw.githubusercontent.com
23	raw.githubusercontent.com
24	raw.githubusercontent.com

Reads runtime system information 16 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/filesystems	id
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/filesystems	mkdir
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/lpm_install_755thoUmOcnUfJ6U1KIY40SJQFB5W2fP.log	bash

/tmp/resources/app/bin/lpm_install.sh
/tmp/resources/app/bin/lpm_install.sh
1⤵
PID:811

/usr/local/sbin/bash
bash /tmp/resources/app/bin/lpm_install.sh
1⤵
PID:811

/usr/local/bin/bash
bash /tmp/resources/app/bin/lpm_install.sh
1⤵
PID:811

/usr/sbin/bash
bash /tmp/resources/app/bin/lpm_install.sh
1⤵
PID:811

/usr/bin/bash
bash /tmp/resources/app/bin/lpm_install.sh
1⤵
PID:811

/sbin/bash
bash /tmp/resources/app/bin/lpm_install.sh
1⤵
PID:811

/bin/bash
bash /tmp/resources/app/bin/lpm_install.sh
1⤵
- Writes file to tmp directory
PID:811
- /usr/bin/id
  id -u
  2⤵
  - Reads runtime system information
  PID:812
- /usr/bin/tr
  tr -dc a-zA-Z0-9
  2⤵
  PID:815
- /usr/bin/fold
  fold -w 32
  2⤵
  PID:816
- /usr/bin/head
  head -n 1
  2⤵
  PID:817
- /bin/cat
  cat /dev/urandom
  2⤵
  PID:814
- /bin/date
  date "+%s000"
  2⤵
  PID:821
- /bin/uname
  uname -r
  2⤵
  PID:822
- /bin/uname
  uname -s
  2⤵
  PID:823
- /bin/sed
  sed -e "s/PRETTY_NAME=//g" -e "s/\"//g"
  2⤵
  - Reads runtime system information
  PID:826
- /bin/grep
  grep -m1 PRETTY_NAME /etc/os-release
  2⤵
  PID:825
- /bin/date
  date "+%s"
  2⤵
  PID:827
- /usr/bin/curl
  curl -s -X POST "https://perr.lum-lpm.com/client_cgi/perr/?id=lpm_sh_start" --data "{\"uuid\": \"755thoUmOcnUfJ6U1KIY40SJQFB5W2fP\", \"timestamp\": \"1743162190\", \"ver\": \"1.519.10\", \"info\": {\"platform\": \"linux\", \"c_ts\": \"1743162190\", \"c_up_ts\": \"1743162190000\", \"note\": \"\", \"lum\": 0, \"root\":1, \"os_release\":\"4.9.0-13-4kc-malta\"}}" -H "Content-Type: application/json"
  2⤵
  - Reads runtime system information
  PID:828
- /usr/bin/head
  head -n 1
  2⤵
  PID:832
- /usr/bin/curl
  curl --version
  2⤵
  - Reads runtime system information
  PID:831
- /bin/date
  date "+%s"
  2⤵
  PID:833
- /usr/bin/curl
  curl -s -X POST "https://perr.lum-lpm.com/client_cgi/perr/?id=lpm_sh_check_no_node" --data "{\"uuid\": \"755thoUmOcnUfJ6U1KIY40SJQFB5W2fP\", \"timestamp\": \"1743162192\", \"ver\": \"1.519.10\", \"info\": {\"platform\": \"linux\", \"c_ts\": \"1743162192\", \"c_up_ts\": \"1743162190000\", \"note\": \"\", \"lum\": 0, \"root\":1, \"os_release\":\"4.9.0-13-4kc-malta\"}}" -H "Content-Type: application/json"
  2⤵
  - Reads runtime system information
  PID:834
- /bin/date
  date "+%s"
  2⤵
  PID:836
- /usr/bin/curl
  curl -s -X POST "https://perr.lum-lpm.com/client_cgi/perr/?id=lpm_sh_install_nave" --data "{\"uuid\": \"755thoUmOcnUfJ6U1KIY40SJQFB5W2fP\", \"timestamp\": \"1743162194\", \"ver\": \"1.519.10\", \"info\": {\"platform\": \"linux\", \"c_ts\": \"1743162194\", \"c_up_ts\": \"1743162190000\", \"note\": \"\", \"lum\": 0, \"root\":1, \"os_release\":\"4.9.0-13-4kc-malta\"}}" -H "Content-Type: application/json"
  2⤵
  - Reads runtime system information
  PID:837
- /bin/mkdir
  mkdir -p /root/.nave
  2⤵
  - Reads runtime system information
  PID:839
- /usr/bin/base64
  base64
  2⤵
  PID:842
- /usr/bin/tail
  tail -n 10 /tmp/lpm_install_755thoUmOcnUfJ6U1KIY40SJQFB5W2fP.log
  2⤵
  PID:841
- /bin/rm
  rm /.nave/nave.sh
  2⤵
  PID:843
- /usr/bin/curl
  curl -fsSL http://github.com/isaacs/nave/raw/main/nave.sh -o /.nave/nave.sh
  2⤵
  - Reads runtime system information
  PID:844
- /usr/bin/base64
  base64
  2⤵
  PID:850
- /usr/bin/tail
  tail -n 10 /tmp/lpm_install_755thoUmOcnUfJ6U1KIY40SJQFB5W2fP.log
  2⤵
  PID:849
- /usr/bin/curl
  curl -fsSL http://github.com/isaacs/nave/raw/main/nave.sh -o /.nave/nave.sh
  2⤵
  - Reads runtime system information
  PID:851
- /usr/bin/base64
  base64
  2⤵
  PID:857
- /usr/bin/tail
  tail -n 10 /tmp/lpm_install_755thoUmOcnUfJ6U1KIY40SJQFB5W2fP.log
  2⤵
  PID:856
- /usr/bin/curl
  curl -fsSL http://github.com/isaacs/nave/raw/main/nave.sh -o /.nave/nave.sh
  2⤵
  - Reads runtime system information
  PID:858
- /usr/bin/base64
  base64
  2⤵
  PID:864
- /usr/bin/tail
  tail -n 10 /tmp/lpm_install_755thoUmOcnUfJ6U1KIY40SJQFB5W2fP.log
  2⤵
  PID:863
- /bin/chmod
  chmod +x /.nave/nave.sh
  2⤵
  - File and Directory Permissions Modification
  PID:865
- /usr/bin/base64
  base64
  2⤵
  PID:868
- /usr/bin/tail
  tail -n 10 /tmp/lpm_install_755thoUmOcnUfJ6U1KIY40SJQFB5W2fP.log
  2⤵
  PID:867
- /bin/ln
  ln -s /.nave/nave.sh /usr/local/bin/nave
  2⤵
  PID:869
- /usr/bin/base64
  base64
  2⤵
  PID:872
- /usr/bin/tail
  tail -n 10 /tmp/lpm_install_755thoUmOcnUfJ6U1KIY40SJQFB5W2fP.log
  2⤵
  PID:871
- /bin/mkdir
  mkdir -p /usr/local/share/man /usr/local/bin /usr/local/lib/node /usr/local/include/node
  2⤵
  - Reads runtime system information
  PID:873
- /usr/bin/base64
  base64
  2⤵
  PID:876
- /usr/bin/tail
  tail -n 10 /tmp/lpm_install_755thoUmOcnUfJ6U1KIY40SJQFB5W2fP.log
  2⤵
  PID:875
- /bin/date
  date "+%s"
  2⤵
  PID:877
- /usr/bin/curl
  curl -s -X POST "https://perr.lum-lpm.com/client_cgi/perr/?id=lpm_sh_install_nave_node" --data "{\"uuid\": \"755thoUmOcnUfJ6U1KIY40SJQFB5W2fP\", \"timestamp\": \"1743162207\", \"ver\": \"1.519.10\", \"info\": {\"platform\": \"linux\", \"c_ts\": \"1743162207\", \"c_up_ts\": \"1743162190000\", \"note\": \"\", \"lum\": 0, \"root\":1, \"os_release\":\"4.9.0-13-4kc-malta\"}}" -H "Content-Type: application/json"
  2⤵
  - Reads runtime system information
  PID:878
- /bin/rm
  rm -rf /root/.nave/cache/20.12.1
  2⤵
  PID:880
- /usr/bin/tail
  tail -n 10 /tmp/lpm_install_755thoUmOcnUfJ6U1KIY40SJQFB5W2fP.log
  2⤵
  PID:882
- /usr/bin/base64
  base64
  2⤵
  PID:883
- /bin/rm
  rm -rf /root/.nave/cache/v20.12.1
  2⤵
  PID:884
- /usr/bin/tail
  tail -n 10 /tmp/lpm_install_755thoUmOcnUfJ6U1KIY40SJQFB5W2fP.log
  2⤵
  PID:886
- /usr/bin/base64
  base64
  2⤵
  PID:887
- /usr/bin/base64
  base64
  2⤵
  PID:891
- /usr/bin/tail
  tail -n 10 /tmp/lpm_install_755thoUmOcnUfJ6U1KIY40SJQFB5W2fP.log
  2⤵
  PID:890
- /usr/bin/base64
  base64
  2⤵
  PID:895
- /usr/bin/tail
  tail -n 10 /tmp/lpm_install_755thoUmOcnUfJ6U1KIY40SJQFB5W2fP.log
  2⤵
  PID:894
- /usr/bin/base64
  base64
  2⤵
  PID:899
- /usr/bin/tail
  tail -n 10 /tmp/lpm_install_755thoUmOcnUfJ6U1KIY40SJQFB5W2fP.log
  2⤵
  PID:898
- /bin/date
  date "+%s"
  2⤵
  PID:900
- /usr/bin/curl
  curl -s -X POST "https://perr.lum-lpm.com/client_cgi/perr/?id=lpm_sh_install_error_node" --data "{\"uuid\": \"755thoUmOcnUfJ6U1KIY40SJQFB5W2fP\", \"timestamp\": \"1743162210\", \"ver\": \"1.519.10\", \"info\": {\"platform\": \"linux\", \"c_ts\": \"1743162210\", \"c_up_ts\": \"1743162190000\", \"note\": \"\", \"lum\": 0, \"root\":1, \"os_release\":\"4.9.0-13-4kc-malta\"}}" -H "Content-Type: application/json"
  2⤵
  - Reads runtime system information
  PID:901
- /bin/date
  date "+%s"
  2⤵
  PID:904
- /usr/bin/curl
  curl -s -X POST "https://perr.lum-lpm.com/client_cgi/perr/?id=lpm_sh_exit_error" --data "{\"uuid\": \"755thoUmOcnUfJ6U1KIY40SJQFB5W2fP\", \"timestamp\": \"1743162212\", \"ver\": \"1.519.10\", \"info\": {\"platform\": \"linux\", \"c_ts\": \"1743162212\", \"c_up_ts\": \"1743162190000\", \"note\": \"1\", \"lum\": 0, \"root\":1, \"os_release\":\"4.9.0-13-4kc-malta\"}}" -H "Content-Type: application/json"
  2⤵
  - Reads runtime system information
  PID:905
- /bin/date
  date "+%s"
  2⤵
  PID:908
- /usr/bin/curl
  curl -s -X POST "https://perr.lum-lpm.com/client_cgi/perr/?id=lpm_sh_exit_error_network" --data "{\"uuid\": \"755thoUmOcnUfJ6U1KIY40SJQFB5W2fP\", \"timestamp\": \"1743162214\", \"ver\": \"1.519.10\", \"info\": {\"platform\": \"linux\", \"c_ts\": \"1743162214\", \"c_up_ts\": \"1743162190000\", \"note\": \"\", \"lum\": 0, \"root\":1, \"os_release\":\"4.9.0-13-4kc-malta\"}}" -H "Content-Type: application/json"
  2⤵
  - Reads runtime system information
  PID:909
- /bin/date
  date "+%s"
  2⤵
  PID:912
- /usr/bin/curl
  curl -s -X POST "https://perr.lum-lpm.com/client_cgi/perr/?id=lpm_sh_exit_error_report" --data "{\"uuid\": \"755thoUmOcnUfJ6U1KIY40SJQFB5W2fP\", \"timestamp\": \"1743162216\", \"ver\": \"1.519.10\", \"info\": {\"platform\": \"linux\", \"c_ts\": \"1743162216\", \"c_up_ts\": \"1743162190000\", \"note\": \"linux distr: Debian GNU/Linux 9 (stretch)\\nPERR start\\ncheck_curl: curl 7.52.1 (mips-unknown-linux-gnu) libcurl/7.52.1 OpenSSL/1.0.2u zlib/1.2.8 libidn2/0.16 libpsl/0.17.0 (+libidn2/0.16) libssh2/1.7.0 nghttp2/1.18.1 librtmp/2.3\\nPERR check_no_node\\ndeps_install\\nPERR install_nave\\nCMD mkdir -p ~/.nave: OK \\ndownload_script http://github.com/isaacs/nave/raw/main/nave.sh retry: 0\\nCMD curl -fsSL http://github.com/isaacs/nave/raw/main/nave.sh -o /.nave/nave.sh: FAIL(23) Y3VybDogKDIzKSBGYWlsZWQgd3JpdGluZyBib2R5ICgwICE9IDEzMDcpCg==\\ndownload_script http://github.com/isaacs/nave/raw/main/nave.sh retry: 1\\nCMD curl -fsSL http://github.com/isaacs/nave/raw/main/nave.sh -o /.nave/nave.sh: FAIL(23) Y3VybDogKDIzKSBGYWlsZWQgd3JpdGluZyBib2R5ICgwICE9IDEzMDcpCg==\\ndownload_script http://github.com/isaacs/nave/raw/main/nave.sh retry: 2\\nCMD curl -fsSL http://github.com/isaacs/nave/raw/main/nave.sh -o /.nave/nave.sh: FAIL(23) Y3VybDogKDIzKSBGYWlsZWQgd3JpdGluZyBib2R5ICgwICE9IDEzMDcpCg==\\nCMD chmod +x /.nave/nave.sh: FAIL(1) Y2htb2Q6IGNhbm5vdCBhY2Nlc3MgJy8ubmF2ZS9uYXZlLnNoJzogTm8gc3VjaCBmaWxlIG9yIGRp cmVjdG9yeQo=\\nCMD ln -s /.nave/nave.sh /usr/local/bin/nave: OK \\nCMD mkdir -p /usr/local/{share/man,bin,lib/node,include/node}: OK \\nPERR install_nave_node\\nCMD rm -rf ~/.nave/cache/20.12.1: OK \\nCMD rm -rf /root/.nave/cache/v20.12.1: OK \\nretry_sudo_cmd nave usemain 20.12.1 0\\nCMD nave usemain 20.12.1: FAIL(127) L3RtcC9yZXNvdXJjZXMvYXBwL2Jpbi9scG1faW5zdGFsbC5zaDogbGluZSAxNjU6IG5hdmU6IGNv bW1hbmQgbm90IGZvdW5kCg==\\nretry_sudo_cmd nave usemain 20.12.1 1\\nCMD nave usemain 20.12.1: FAIL(127) L3RtcC9yZXNvdXJjZXMvYXBwL2Jpbi9scG1faW5zdGFsbC5zaDogbGluZSAxNjU6IG5hdmU6IGNv bW1hbmQgbm90IGZvdW5kCg==\\nretry_sudo_cmd nave usemain 20.12.1 2\\nCMD nave usemain 20.12.1: FAIL(127) L3RtcC9yZXNvdXJjZXMvYXBwL2Jpbi9scG1faW5zdGFsbC5zaDogbGluZSAxNjU6IG5hdmU6IGNv bW1hbmQgbm90IGZvdW5kCg==\\nPERR install_error_node\\nPERR exit_error\\nPERR exit_error_network\\n\", \"lum\": 0, \"root\":1, \"os_release\":\"4.9.0-13-4kc-malta\"}}" -H "Content-Type: application/json"
  2⤵
  - File and Directory Permissions Modification
  - Reads runtime system information
  PID:913

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/lpm_install_755thoUmOcnUfJ6U1KIY40SJQFB5W2fP.log

Filesize
43B

MD5
5882986deacca8f49560e36f12bcebf0

SHA1
b6d392ad99ea20437983d9521b3f5a4e3f9bcfcf

SHA256
64816ec948c04f16e60ddffee3874369091abd729f3a64403ae7868d6339097e

SHA512
d3d7bd0cf26684cb3bb49975e5c98a1a285cefc43eaa10bd9db587d3550e4b99610e43883a77c171a0a7b096f3413578c850d94722f1d9ca65cc7dd681ca04ae

Download Submit
/tmp/lpm_install_755thoUmOcnUfJ6U1KIY40SJQFB5W2fP.log

Filesize
65B

MD5
6ca9e9b963c2a651b535783f080c8f02

SHA1
67c8b8fec79f63097c5cb644d7a5e4abbaf44864

SHA256
884b397b82c95ea542a9387be0a0bab7e0aaf89306822640015f02227a066a3d

SHA512
f368ec779d76e1fd7613961e07a9a7e4b0d38a97401a505990a30514b3d8b0ac3b6632a015fe26e11f7bc7e483a39ea03482958bd96de7e2fe4fd03119b99b9a

Download Submit
/tmp/lpm_install_755thoUmOcnUfJ6U1KIY40SJQFB5W2fP.log

Filesize
73B

MD5
3534f09e13e57508ad2e07b9fabc8713

SHA1
cca0ea19f0a548df072dfda94998a133fa77c6d7

SHA256
364e4b4f32872faa1f00d9643422e32ec64ddd220672f73e754c4d8b2500c213

SHA512
aea607f61fd099aa043113773a219736a8ec74173a58b5701f67f0e653625d1443e928ba2c7c1ada1e2e2527f9b5a6258f5d022333f41ebbda996c46cb1397b9

Download Submit