Analysis

  • max time kernel
    17s
  • max time network
    22s
  • platform
    debian-9_mips
  • resource
    debian9-mipsbe-20221111-en
  • resource tags

    arch:mips
    image:debian9-mipsbe-20221111-en
    kernel:4.9.0-13-4kc-malta
    locale:en-us
    os:debian-9-mips
    system
  • submitted
    04-07-2023 15:42

General

  • Target

    binsh.sh

  • Size

    300KB

  • MD5

    106a736477f5e6efc07bdea0249986f9

  • SHA1

    b8cb63180aad940b1356e310e9bcbfee30a028b5

  • SHA256

    e629334def73be9e166ecdd9d5d73d6be97ef7f7d16f05383892332acb324b73

  • SHA512

    85892182987a55f12a295c6bca9a4eb104b0a1c6c42670fa1b3ba274bfc7a3f2d522daea0022c09181c57cc1024ea21812300f189ef707e2dd66f775adbf3576

  • SSDEEP

    6144:p3lOYoaja8xzx/0wsxzSigabE5wKSDP99zBa77oNsKqqfPqOJ:p1CG/jsxzXgabEDSDP99zBa/HKqoPqOJ

Score
8/10

Malware Config

Signatures

  • Contacts a large (534) number of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Changes its process name 1 IoCs
  • Modifies Watchdog functionality 1 TTPs 2 IoCs

    Malware like Mirai modifies the watchdog to prevent it from restarting an infected system.

  • Enumerates active TCP sockets 1 TTPs 1 IoCs

    Gets active TCP sockets from /proc virtual filesystem.

  • Reads system routing table 1 TTPs 1 IoCs

    Reads the system routing table from the /proc virtual filesystem.

  • Writes file to system bin folder 1 TTPs 2 IoCs
  • Reads system network configuration 1 TTPs 3 IoCs

    Uses contents of /proc filesystem to enumerate network settings.

  • Reads runtime system information 1 IoCs

    Reads data from /proc virtual filesystem.

  • Writes file to tmp directory 1 IoCs

    Malware often drops required files in the /tmp directory.
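The three /proc-based signatures above (active TCP sockets, routing table, network configuration) all come down to reading and decoding /proc/net/tcp and /proc/net/route, the same files a responder reads when triaging a box by hand. The parser below is an added example, not code from the sandbox or from this sample; the input lines are constructed, not captured from this run. The point it makes that the signature text does not: the kernel prints the 32-bit addresses in host byte order, so the hex looks byte-reversed on little-endian hosts and in natural order on a big-endian MIPS kernel like the one this sample ran under. Ports are always printed big-endian.

```python
import socket
import struct

# TCP socket states as numbered by the kernel (include/net/tcp_states.h);
# /proc/net/tcp prints the state as a two-digit hex value in the "st" column.
TCP_STATES = {
    0x01: "ESTABLISHED", 0x02: "SYN_SENT", 0x03: "SYN_RECV", 0x04: "FIN_WAIT1",
    0x05: "FIN_WAIT2", 0x06: "TIME_WAIT", 0x07: "CLOSE", 0x08: "CLOSE_WAIT",
    0x09: "LAST_ACK", 0x0A: "LISTEN", 0x0B: "CLOSING",
}

RTF_UP = 0x0001
RTF_GATEWAY = 0x0002


def decode_addr(hex_addr: str, big_endian: bool) -> str:
    """8-hex-digit /proc address -> dotted quad.

    The kernel formats the __be32 address with %08X, i.e. as a host-order
    integer: on little-endian hosts 127.0.0.1 prints as 0100007F, on
    big-endian hosts (the mipsbe sandbox above) as 7F000001.
    """
    raw = int(hex_addr, 16)
    return socket.inet_ntoa(struct.pack(">I" if big_endian else "<I", raw))


def parse_proc_net_tcp(text: str, big_endian: bool = False) -> list:
    """Parse /proc/net/tcp text into socket dicts. Ports are printed in
    network order by the kernel (ntohs), so they are plain hex."""
    sockets = []
    for line in text.splitlines()[1:]:          # first line is the column header
        fields = line.split()
        if len(fields) < 10:
            continue
        laddr, lport = fields[1].split(":")
        raddr, rport = fields[2].split(":")
        sockets.append({
            "local_addr": decode_addr(laddr, big_endian),
            "local_port": int(lport, 16),
            "remote_addr": decode_addr(raddr, big_endian),
            "remote_port": int(rport, 16),
            "state": TCP_STATES.get(int(fields[3], 16), "UNKNOWN"),
            "uid": int(fields[7]),
            "inode": int(fields[9]),            # matches socket:[inode] in /proc/<pid>/fd
        })
    return sockets


def listening_ports(sockets: list) -> set:
    return {s["local_port"] for s in sockets if s["state"] == "LISTEN"}


def parse_proc_net_route(text: str, big_endian: bool = False) -> list:
    """Parse /proc/net/route (Iface Destination Gateway Flags ... Mask ...)."""
    routes = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 8:
            continue
        routes.append({
            "iface": fields[0],
            "dest": decode_addr(fields[1], big_endian),
            "gateway": decode_addr(fields[2], big_endian),
            "flags": int(fields[3], 16),
            "mask": decode_addr(fields[7], big_endian),
        })
    return routes


def default_gateway(routes: list):
    """(iface, gateway) of the default route, or None."""
    for r in routes:
        if r["dest"] == "0.0.0.0" and r["flags"] & RTF_GATEWAY:
            return r["iface"], r["gateway"]
    return None


# Constructed sample input (not captured from the sandbox run): a listener on
# 47679/tcp, the port the iptables rule in this report opens, plus one
# half-open connection to 10.0.0.1:23 of the kind a telnet scanner leaves.
SAMPLE_TCP_LE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:BA3F 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11234 1 0000000000000000 100 0 0 10 0
   1: 0F02A8C0:C0F1 0100000A:0017 02 00000001:00000000 01:00000019 00000000     0        0 11235 1 0000000000000000 100 0 0 10 -1
"""

# The same two sockets as a big-endian MIPS kernel prints them.
SAMPLE_TCP_BE = SAMPLE_TCP_LE.replace("0F02A8C0", "C0A8020F").replace("0100000A", "0A000001")

SAMPLE_ROUTE_LE = """\
Iface\tDestination\tGateway \tFlags\tRefCnt\tUse\tMetric\tMask\t\tMTU\tWindow\tIRTT
eth0\t00000000\t0102A8C0\t0003\t0\t0\t0\t00000000\t0\t0\t0
eth0\t0002A8C0\t00000000\t0001\t0\t0\t0\t00FFFFFF\t0\t0\t0
"""

if __name__ == "__main__":
    for s in parse_proc_net_tcp(SAMPLE_TCP_LE):
        print(s)
    print(default_gateway(parse_proc_net_route(SAMPLE_ROUTE_LE)))
```

When running this against a live image, pass big_endian=True for mipsbe, ppc or similar targets; decoding a big-endian dump with the little-endian default silently yields plausible but wrong addresses.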

Processes

  • /tmp/binsh.sh
    /tmp/binsh.sh
    1⤵
    • Enumerates active TCP sockets
    • Reads system network configuration
    • Reads runtime system information
    • Writes file to tmp directory
    PID:333
  • /bin/sh
    sh -c "killall -9 telnetd utelnetd scfgmgr"
    1⤵
    PID:336
  • /bin/sh
    sh -c "iptables -I INPUT -p tcp --destination-port 47679 -j ACCEPT"
    1⤵
    • Changes its process name
    PID:347
    • /sbin/iptables
      iptables -I INPUT -p tcp --destination-port 47679 -j ACCEPT
      2⤵
      PID:348

Network

MITRE ATT&CK Matrix ATT&CK v6

  Tactic                Technique                                ID      Count
  Persistence           Hijack Execution Flow                    T1574   1
  Privilege Escalation  Hijack Execution Flow                    T1574   1
  Defense Evasion       Impair Defenses                          T1562   1
  Defense Evasion       Hijack Execution Flow                    T1574   1
  Discovery             Network Service Scanning                 T1046   1
  Discovery             System Network Connections Discovery     T1049   1
  Discovery             System Network Configuration Discovery   T1016   2


Downloads

  • memory/333-1-0x00400000-0x004c2fd8-memory.dmp